Evolve Hack Highlights Blockchain's Transparency Benefits


Rob Behnke

June 28th, 2024


Finance is one of the most heavily regulated industry verticals. The potential for fraudulent activity and the easy path to money for cybercriminals mean that financial institutions operate under numerous, strict regulations designed to protect against both external and internal threats.

However, strict regulation doesn’t mean that TradFi institutions are actually secure and operating as good stewards of their customers’ money and personal data. Hacks such as the recent breach of Evolve Bank & Trust demonstrate the value of blockchain transparency and decentralization.

Financial Institutions are a Major Target

Cybercrime is a business, and many cybercriminals are in it for the money. Financial organizations are a major target because they hold large sums of money and large amounts of personal customer data. In addition to customers’ financial account data, banks commonly have a range of personally identifiable information (PII) collected in the course of verifying their customers’ identities or determining their eligibility for loans and other financial services.

As a result, cybersecurity should be a major priority for the TradFi institutions entrusted with this data and the responsibility to collect it. However, recent security incidents demonstrate that some financial institutions are not living up to these responsibilities.

The June 2024 Evolve Hack: A Case Study

Evolve is a financial institution that is a partner of the bankrupt Synapse and a supporter of other fintech companies such as Affirm, Mercury, and Stripe. In June 2024, Evolve publicly disclosed a security incident and received an enforcement action from the Federal Reserve Board.

These events were triggered by a ransomware attack by LockBit, which stole large volumes of sensitive information and demanded a ransom from the organization. When these demands weren’t met, as much as 33 TB of sensitive data from Evolve’s systems was publicly leaked.

This incident revealed numerous deficiencies in the organization’s IT and security policies, including plaintext storage of:

  • Customer PII (names, dates of birth, etc.)

  • Social Security Numbers (SSNs)

  • Account information

  • KYC data (including images of identity cards)

  • Card PANs

  • Wires

  • Settlement files

Insecure, plaintext storage of this type of data would be a major issue in any organization. However, this is particularly egregious in a financial institution, which is granted a high degree of trust and operates in a highly regulated space.

This breach came on the heels of an investigation by the Federal Reserve that found that Evolve “engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships” it had with various fintech companies. However, this investigation — and the resulting order for Evolve to improve its IT and security practices — didn’t uncover or resolve Evolve’s numerous IT and security failures.

In the wake of the incident, several of Evolve’s partners made statements about the impact of the breach on their customers. However, these were largely reassurances that these effects were minimal. For example, Affirm’s advice was largely to treat it as business as usual, despite the fact that the breach contained full PANs for Affirm cards and transaction-level data regarding its users.

TradFi Opacity Undermines Security

TradFi systems and processes are famously opaque. For example, a wire transfer takes days and costs about $25 when it could be completed in moments and for pennies.

The recent Evolve hack and similar security incidents demonstrate that this lack of transparency has a significant negative effect on security. The security errors demonstrated by Evolve should never have survived a compliance audit. However, they managed to persist long enough for LockBit to discover and exploit these flaws.

In cybersecurity, it’s an established best practice not to rely on “security by obscurity,” hiding vulnerabilities in the hope that an attacker won’t find them. However, organizations like Evolve clearly were doing just that. Practices such as plaintext storage of highly sensitive information would be frowned upon by any security professional, as well as by Evolve’s customers and partners, yet they came to light only after cybercriminals gained access and revealed them in the worst possible way.

Blockchain Transparency Offers a More Secure Alternative

Blockchain solutions and DeFi have their flaws. Major hacks are a regular occurrence, resulting in high-value losses.

However, blockchain solutions have never been accused of a lack of transparency. On the blockchain, everything stored on the digital ledger is publicly visible, an essential feature for decentralized, trustless validation of blockchain transactions.

While this transparency can have its downsides, it also means that DeFi solutions lack many of the hidden risks associated with TradFi. Users who interact with a smart contract can learn exactly what data it is collecting, how it is using it, and how it is secured. The same is not true of TradFi, where customers must rely on the organization itself and its regulators to ensure that their private data is properly protected.

Another advantage of blockchain and DeFi is that they largely don’t require or collect the types of sensitive information that were exposed in the Evolve breach. On the blockchain, identity is managed using blockchain addresses and digital signatures, which are not private or sensitive information. Only when interacting with TradFi, at exchanges with KYC requirements, does DeFi collect, and need to secure, the types of data exposed in the Evolve breach.

Improving Security and Regulation for Fintech

Often, the TradFi space will criticize DeFi for its lack of security and regulation. This is especially true after a major, preventable hack has occurred.

However, the Evolve breach makes it apparent that DeFi isn’t the only part of fintech with a security problem. Fintech organizations ignoring basic security best practices obviously exist, and they’re putting their customers, partners, and the industry as a whole at risk.

Blockchain and DeFi were created to disrupt the financial industry, and the transparency that the blockchain ledger and smart contracts bring seems critical. As DeFi projects grow more decentralized and reliant on on-chain governance, security risks like those hidden by TradFi become more apparent and fixable.

Halborn believes that DeFi security depends on comprehensive security testing and mature security programs. For help with managing the security risks of your DeFi project, get in touch with Halborn.