“Security companies, ‘white hat’ hackers and customised tool makers are part of the main force that drives Web3 security,” said Mike Li, who left Chinese cybersecurity giant 360 Security Technology to found GoPlus Security in 2017.

Li likened his firm’s offerings to a decentralised version of the cybersecurity solutions offered by Russia’s Kaspersky Lab. The service allows any application on Web3 – the widely used term to refer to a World Wide Web decentralised through the use of blockchain and similar technologies – to use the GoPlus application programming interface (API) to flag blockchain addresses with red, yellow or green marks as a signal of a transaction’s risk level.

Since 2012, more than US$27 trillion in cryptocurrency has been stolen across 827 hacks identified by Xiamen-based blockchain security company SlowMist. Scams, flash loan attacks and contract vulnerabilities were the top three types of attacks.

SlowMist’s chief internet security officer Zhang Lianfeng said that since the company’s founding in 2018, he has seen more weaknesses emerge in Web3 security, but few improvements.

“With weak security awareness, users are still being attacked from left to right,” Zhang said. “Now on even more fronts, including decentralised finance, cross-chain bridges and NFTs.”

The constant reappearance of similar scams since 2020 inspired Shanghai-based software engineer Fun Liu, a former adtech worker, to build a security product at Eth Shanghai’s hackathon in May. The result was Scam Sniffer, a free Chrome browser extension for consumers that aims to tackle crypto scams on platforms including Twitter and Discord.

“I hope to equip regular users with the tools to protect themselves from scams,” Liu said. “Because of the anonymous and tamper-proof nature of blockchain, it’s becoming increasingly important, especially as users have limited tools.”

The extension is open source and available on GitHub, where Liu has also published a list of more than 1,700 blacklisted domains and some 300 blacklisted wallet addresses.

Extensions like this are meant to help individuals who may not have the resources of the businesses that most crypto services cater to.

“You can get an idea of the social class of the industry via security,” GoPlus Security’s Li said. “0.1 per cent of the richest people are using 99 per cent of security resources, whereas the other 99.9 per cent of people are barely protected. This is the status quo of Web3 security.”

Yet no security solution is flawless, and when users like Wu wind up getting scammed, China’s official stance on crypto has left people with few legal avenues for redress.

After years of crackdowns, Beijing clarified last year that all cryptocurrency trading in the country is illegal. Regulators have not been clear about whether digital assets like NFTs have any property protections, and regional courts have given conflicting decisions.

As a result, it is even more important for crypto users in China to be more responsible for their own security. To protect himself in the future, Wu said he has added security browser extensions, checks wallet addresses before transfers and does not trade when he feels unwell or unfocused.

“When I’m hacked, all I can do is swallow the pain,” he said.

Security professionals say it is important for individuals to take some action themselves. “Security has a so-called bucket effect, meaning one has to combine technical defences with human defences,” said SlowMist’s Zhang.

“When it comes to stolen funds, we advise victims to contact the police or security companies if the victim is held at fault,” he added. “If any theft is caused by the platform’s negligence, large platforms typically compensate their users.”

SlowMist has recently launched paid crypto-tracking services that can help with forensic inspection and investigations.

“It is especially important to improve the security awareness of individuals,” Zhang said. “Once that’s covered, it will work far better than a bunch of machines.”

Additional reporting by Xinmei Shen.