DEV Community

Deniz Tutku


Interview With James Bachini on Combating Phishing Attacks in Crypto

The first quarter of 2024 seemed to be fairly "typical" in terms of hacks and attacks, but the co-founder of CertiK notes that phishing attacks have reached "alarming levels." In its quarterly security report "Hack3d," CertiK emphasized that the damage from these attacks reached $239 million, even though only 26 incidents occurred.

To shed some light on the fight against phishing, as well as on blockchain development and new trends, we asked the blockchain developer James Bachini to share his expert opinion.

Will you tell us a little about your background, and what initially drew you to blockchain development? What inspired you to pursue a career in this field?

I got interested in crypto through Bitcoin in 2017. I thought I might be able to mine it through a browser, which didn't work but led me to a good understanding of the technological benefits.
I then discovered smart contracts on Ethereum and was drawn to the opportunity to create permissionless code on a decentralized network. I started writing and making videos about blockchain development, emerging DeFi tech, and the crypto space. Today I manage my portfolio and do a bit of consultancy and Solidity development work to keep in touch with the industry.

Which of your projects are you most proud of, and which one was the most successful?

I started a project called JSEcoin in the early days, which was a standalone blockchain built on NodeJS. It ultimately failed because we were never able to raise funds or attract significant attention during the bear market that followed the crash in 2018. I still think a JavaScript smart contract platform would be attractive to web2 devs who want to dabble in web3.

What trends in blockchain development do you see in the following years?

I think and write a lot about how I think the future will play out in the blockchain sector. Bitcoin I think has already matured into a respectable asset class, but I think we will see more focus in the future on its lack of counterparty risk and the merits of decentralization rather than it being viewed as a speculative risk asset.

Ethereum will evolve to become the world computer, and eventually maybe even compete with cloud computing. It will become easier, cheaper, and faster over time for web developers to store and manipulate data on the Ethereum network.

I think the mainnet we know today will become a legacy chain of chains, and "Ethereum" for the masses will be an interconnected network of enshrined roll-ups. For users, it will just work, with a seamless user experience. DeFi will evolve too, and I'm sure we will see new experimental technology in the space and wider tokenization of assets.

We see that smaller L2 solutions are outperforming large networks in terms of the number of developers. Although Ethereum and Solana remain the leaders, many investors are paying attention to Celestia, Near Protocol, Polygon, WhiteBIT Coin, and others. Why do you think this trend is taking place?

These projects are very proactive in promoting their technology through grants and hackathons, which I think helps broaden adoption somewhat and encourages a growing dev community.

What are the biggest challenges blockchain developers regularly face, and how can they overcome them?

Smart contract bugs that lead to loss of customer funds are what keeps us up at night. More could be done to create effective self-auditing tools and improve automated checks at compile time. Security audits and bug bounties should become more affordable over time for teams that want to bypass the VC funding route.

Vitalik Buterin recently voiced the possibility of integrating blockchain technology with artificial intelligence. What do you personally think about AI implementation into Web3? Is it just a futuristic buzz, or a key to new opportunities? How will the market benefit/lose from such integration?

I see it differently, to the extent that AI in its current form requires lots of computation across large data sets. Blockchain technology thrives on low computation on tiny data sets like small ledgers, etc. Whenever I hear about a project that's putting AI on the blockchain, I tend to be skeptical.

I haven't come across any promising crossovers between the technologies to date, although there must be some use cases out there. The one exception is perhaps machine learning in trading systems, but these often only play a tiny part in the signals part of a larger system designed around risk management.

As a blockchain developer, can you explain the technical aspects of phishing attacks, particularly how attackers exploit vulnerabilities in the system to target crypto users?

The worst ones I've seen are the sponsored ads in Google, which place a duplicate site on top of the real site when you Google popular DEX brands and DeFi protocols.
Users need to be very careful with the domain names and double-check what they are signing in MetaMask.

There are lots of scams for trading bots as well. If something sounds too good to be true, it always is. There's no easy money in trading and arbitrage and the people that do well are usually technically gifted. If someone is offering a trading bot that makes thousands of dollars a day, question their motivation for releasing that code.

What are some of the common techniques and methods used in phishing attacks against blockchain and cryptocurrency platforms, and how can developers address these vulnerabilities?

It's very hard for developers to prevent phishing attacks at the DApp level. Perhaps more could be done by wallet devs and moderator teams on social media and search engines. Overall, as a community, we need to educate users to help them identify when something is a phishing attack.

As blockchain technology continues to evolve, what advances or innovations do you expect in the area of security protocols and tools to combat phishing attacks?

Some form of crypto-specific search engine or directory would be very useful. Defillama has built one, I believe, but it's not widely used. Might be an idea to work on in the future. Perhaps we could use AI to aggregate content and filter anything malicious 🤣

What advice would you give to someone aspiring to become a developer?

Learn JavaScript first, then, if you want to get into web3, learn Solidity. There's a great resource called "Crypto Zombies", which is a gamified learning resource for beginners. I make a lot of follow-along tutorials for building things in DeFi on my blog and YouTube channel.

Always build on the testnet first, so the funds you are experimenting with aren't real. Learn as much as you can about security; the best developers I know are proactive about learning smart contract security. Overall, just enjoy the opportunity we have with this emerging technology and the capabilities it offers developers.

Recommendations for Defending Against Phishing Attacks

The most important defenses against phishing are basic protective habits and the ability to recognize fraudulent emails and messages. That's why it's always important to:

  • Check the spelling of domains before entering your data
  • Use strong and unique passwords
  • Enable two-factor authentication
  • Do not click on suspicious links

Attackers most often send fraudulent emails on behalf of websites or cryptocurrency exchanges. Several signs indicate that an email is fraudulent:

  • Scammers usually emphasize the urgency of action or attract attention by offering a reward for participation.
  • The message contains misspelled or look-alike URLs.
  • The email asks you to provide or confirm personal information, such as financial information or a password.
  • The message is written with spelling or grammatical errors.
  • In addition, some companies, such as Binance, WhiteBIT, and KuCoin, offer an anti-phishing code: a phrase you set in your account that the exchange then includes in its genuine emails, so a message without it should be treated as suspect.
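The two checklists above boil down to one mechanical step that can be automated: before trusting a link, compare its host against the domains you actually use and flag anything that merely looks like one of them. The following Python checker is an added example written for this article; it is not code from the interview, from DEV Community, or from any exchange or wallet named on the page. The allow-list, the URLs, and the small confusable-character table are constructed placeholders, and the "registrable domain" logic is deliberately simplified (it does not consult the public suffix list, so multi-part suffixes such as co.uk are not handled).

```python
"""Look-alike domain checker for phishing links (added example, constructed data).

Flags a URL when its host is not an allow-listed domain but is confusingly
similar to one: a typo (edit distance), a homoglyph (Cyrillic or digit
look-alike), a punycode-encoded host, or a trusted name buried inside a
longer hostname such as trusted.com.attacker.net.
"""
from urllib.parse import urlsplit

# Constructed allow-list of the domains this user trusts (hypothetical names).
TRUSTED_DOMAINS = frozenset({"exampledex.com", "example-exchange.io"})

# Small, constructed confusables table: characters that render like ASCII letters.
# Single characters first, then multi-character sequences.
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "0": "o", "1": "l",                                          # digit look-alikes
}
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}


def skeleton(name: str) -> str:
    """Reduce a name to its visual 'skeleton' so look-alikes compare equal."""
    out = name.lower()
    for src, dst in CONFUSABLE_CHARS.items():
        out = out.replace(src, dst)
    for src, dst in CONFUSABLE_SEQUENCES.items():
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(url: str):
    """Return the lower-cased host of a URL, decoding punycode (xn--) labels
    back to Unicode so homoglyph detection sees the real characters."""
    host = urlsplit(url).hostname
    if not host:
        return None
    if "xn--" in host:
        host = host.encode("ascii").decode("idna")
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplified: last two labels (no public-suffix handling, e.g. co.uk)."""
    return ".".join(host.split(".")[-2:])


def classify_host(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Classify a URL as ('trusted', domain), ('lookalike', trusted_domain),
    ('unknown', domain) or ('invalid', None)."""
    host = extract_host(url)
    if host is None:
        return ("invalid", None)
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain)
    # 1. Homoglyph / digit substitution: skeletons collide.
    sk = skeleton(domain)
    for t in sorted(trusted):
        if sk == skeleton(t):
            return ("lookalike", t)
    # 2. Trusted name embedded in a longer, differently-registered host.
    for t in sorted(trusted):
        if t in host:
            return ("lookalike", t)
    # 3. Typosquat: a couple of edits away from a trusted domain.
    best = min(sorted(trusted), key=lambda t: levenshtein(sk, skeleton(t)))
    if levenshtein(sk, skeleton(best)) <= max_distance:
        return ("lookalike", best)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links: one genuine, the rest look-alikes or unrelated.
    for link in [
        "https://app.exampledex.com/swap",
        "https://examp1edex.com/",                      # digit 1 for letter l
        "https://ex\u0430mpledex.com/",                 # Cyrillic a
        "https://exampledex.com.secure-login.net/",     # trusted name as a subdomain
        "https://examplede.com/",                       # dropped letter
        "https://totally-different.org/",
    ]:
        verdict, ref = classify_host(link)
        print(f"{verdict:9} {link}" + (f"  (resembles {ref})" if verdict == "lookalike" else ""))
```

Two design points worth noting: the skeleton is applied to both the candidate and the allow-list entry, so a legitimate domain containing "rn" or "0" is not itself flagged, only a domain that collapses to the same skeleton as one you trust; and punycode is decoded before comparison, because an "xn--" host is exactly the form in which a homoglyph domain reaches the browser. The edit-distance threshold of two is a trade-off: it catches most single-typo and transposition squats but will over-flag very short domains, so tune it to your allow-list.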

By knowing how to recognize attacks, you can better protect yourself and your data. Remember: Forewarned is forearmed.
