JP Richardson, CEO of the self-custody crypto platform Exodus, has issued a strong warning to companies in the cryptocurrency space about the security risks of overly trusting in-house engineers without rigorous code reviews. He emphasized that, especially in a high-tech field like crypto, companies must not skip external code audits to ensure no malicious software is introduced into their systems.
In an interview at Token2049 in Singapore, Richardson highlighted the importance of a second, independent layer of review that inspects all code before any update or upgrade ships. That control exists to stop a malicious actor, whether an outsider or someone already on the engineering team, from slipping harmful code into the software.
Richardson stressed that no matter how skilled an engineer may be, they should never be given unchecked authority to upload code without going through a strict review process.
“I think it really comes down to building a system so that if it does happen, your customers are still safe,” the Exodus CEO said.
That means preparing for the case where a malicious change does get through, and building enough operational resilience that such an event cannot compromise customer data and assets.
He made it clear that Exodus does not blindly trust any engineer, whether internal staff or external contractors.
“Our security team reviews all the code to make sure that it’s still safe as opposed to, oh, we just trust this engineer is a really good engineer; we don’t need to review this code,” Richardson confirmed.
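The rule described above, that no commit ships without review by a security-team member who is not the person who wrote or pushed it, can be enforced mechanically before a release is cut rather than left to habit. The script below is an added example and is not Exodus code; the commit records, approvals, identities and team membership are constructed here for illustration (in practice they would come from git metadata and the repository host's review API, which this example does not call).

```python
from dataclasses import dataclass

# Reasons a commit can fail the two-person review gate.
NO_APPROVAL = "no approval recorded"
NOT_INDEPENDENT = "no approver independent of the author/committer"
NOT_SECURITY = "no approval from a security-team member"


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str     # identity that wrote the change
    committer: str  # identity that rebased/pushed it; may differ from author


@dataclass(frozen=True)
class Approval:
    sha: str
    reviewer: str


def find_review_violations(commits, approvals, security_team):
    """Return {sha: [reasons]} for every commit that is not approved by at
    least one security-team member who is neither its author nor its committer.

    The committer is excluded on purpose: someone who rebases and pushes a
    change can alter it, so their approval is not independent of it.
    """
    approvers_by_sha = {}
    for a in approvals:
        approvers_by_sha.setdefault(a.sha, set()).add(a.reviewer)

    violations = {}
    for c in commits:
        approvers = approvers_by_sha.get(c.sha, set())
        independent = approvers - {c.author, c.committer}
        if not approvers:
            violations[c.sha] = [NO_APPROVAL]
        elif not independent:
            violations[c.sha] = [NOT_INDEPENDENT]
        elif not (independent & set(security_team)):
            violations[c.sha] = [NOT_SECURITY]
    return violations


def gate_release(commits, approvals, security_team):
    """True only if every commit in the release passes the review rule."""
    return not find_review_violations(commits, approvals, security_team)


# Constructed sample data (hypothetical identities and SHAs).
SECURITY_TEAM = {"sec-alice", "sec-bob"}
COMMITS = [
    Commit("a1f3", "dev-carol", "dev-carol"),
    Commit("b2e4", "dev-dan", "dev-dan"),
    Commit("c3d5", "dev-erin", "dev-erin"),
    Commit("d4c6", "contractor-frank", "sec-bob"),  # rebased and pushed by sec-bob
    Commit("e5b7", "dev-gina", "dev-gina"),
]
APPROVALS = [
    Approval("a1f3", "sec-alice"),   # independent security review: passes
    Approval("b2e4", "dev-dan"),     # author approving their own change
    Approval("c3d5", "dev-carol"),   # peer review, but not by the security team
    Approval("d4c6", "sec-bob"),     # approver also pushed the commit: not independent
    # e5b7 has no approval at all
]

if __name__ == "__main__":
    for sha, reasons in find_review_violations(COMMITS, APPROVALS, SECURITY_TEAM).items():
        print(f"{sha}: {', '.join(reasons)}")
    print("release allowed:", gate_release(COMMITS, APPROVALS, SECURITY_TEAM))
```

Run against a release branch's commit list, a non-empty result should block the release pipeline; the commit `d4c6` shows why the check must look at the committer identity and not only the author.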
One alarming trend Richardson pointed out is the rise of North Korean hackers using fake identities to infiltrate crypto companies by posing as job applicants.
“They’re both applying to companies or trying to get engineers at crypto companies to download fake resumes, fake malware to infiltrate these systems,” Richardson explained.
This warning is far from hypothetical. On August 16, blockchain investigator ZachXBT revealed a network of North Korean developers earning as much as $500,000 per month working for major crypto projects while hiding their true identities. Recently, a team sought ZachXBT's help after discovering that $1.3 million had been drained from their treasury by malicious code merged into their codebase without their knowledge. The developers responsible were North Korean IT workers operating under fake identities.
On September 3, the FBI issued a warning that North Korean hackers are now targeting decentralized finance (DeFi) firms and crypto platforms through complex and elaborate social engineering campaigns. These attacks primarily aim to steal digital assets, with the scammers conducting extensive research on companies tied to crypto-related exchange-traded funds (ETFs).