Back to all stories
A Shadowy Secret: Intelligence Infiltration of Web3 Projects

While the aim of our due diligence process is to assess risk and provide advisory services, it can also lead to interesting discoveries on off-chain happenings. CertiK recently uncovered indications that Iranian intelligence operatives could be actively attempting to infiltrate some crypto projects early in their development phase. In this article, our team of former law enforcement investigators and intelligence analysts share their findings and give their expert takeaways on how to preserve the integrity of the Web3 industry.

A Shadowy Secret: Intelligence Infiltration of Web3 Projects

How a Due Diligence Investigation Stumbled Upon an Undercover Government Operation

CertiK is a Web3 cybersecurity company that provides a wide array of security, research and due diligence services. As part of our advisory service, CertiK conducts in-depth Web3 security investigations and technical assessments on behalf of institutional investors, Fortune 500 companies, and crypto exchanges. While conducting an assessment for a specific Web3 project, CertiK investigators detected that some of the core developers were actively concealing their existence from us. Once discovered, the stealth development team eventually agreed to give us more information about their motive for hiding. In doing so, they told us a story with ramifications for everyone in crypto.

According to the project’s lead developer, soon after he launched his Web3 project in his home country of Iran, he was summoned to the local Islamic Revolutionary Guard Corps offices. Once on site, intelligence agents began by asking him to “cooperate” with them. The developer was reluctant to compromise the integrity of his project by giving up any degree of control without informing the community of such a measure. Unsurprisingly, the Revolutionary Guards were not impressed. They quickly progressed from firm requests to aggressive manipulation techniques. They held the developer for multiple weeks in solitary confinement in a room that measured just 2x1 meters: barely enough room to lie down. They combined this with a variety of persuasion techniques, aggressive interrogation, and threats.

The developer explained to us that it was very difficult for him to endure this mental torture over such an extended time period. While he was undergoing this, the intelligence operatives wanted him to keep working on his Web3 venture to maintain the facade that everything was going well while they retained ultimate control over the project.

After finally convincing the operatives that he was sufficiently “broken” and would continue to cooperate, they allowed him to return home. Instead of complying, the developer leveraged the resources of his network and on-chain assets to flee the country, obtain a new nationality, and start another Web3 project with other developers who fled the country for similar reasons. The developer explained that because of this defection, he could not return to Iran, and his team was now working in stealth mode in order to avoid potential extraterritorial retaliation.

A Credible Threat to Web3

According to our investigators, who have participated in multiple international undercover operations during their time in law enforcement, there is credibility to these reports. We also discovered a trend of several other developers working in stealth mode behind other Web3 projects due to similar concerns. These intelligence and investigative observations suggest there could be a systematic effort on the part of some intelligence services to infiltrate the crypto industry by targeting specific developers.

Our investigators noted the source’s claims were consistent with how unilateral undercover operations can be conducted by state actors to advance their national interests. In certain countries (including some that do not have a reputation for having a “repressive regime” like Iran) threatening to prosecute a software developer unless they become an active informant or agent is a common practice. Operatives call this the “flipping” tactic, as it consists of converting a potential adversary into a confidential informant. Our investigators added that these undercover operations are especially focused on encryption specialists, because the control of encryption-related technologies and applications is key to national security and sovereignty.

These findings suggest a fundamental risk for a number of people involved in crypto and Web3. In the short term, some software developers may face legitimate risks to their personal security. In the long run, once a state organization secretly gains control of a crypto project, they could use their leverage to access confidential data, insert intentional zero-day vulnerabilities, distribute malware, mobile backdoors, and use these integrated systems to conduct surveillance, censorship, extortion, or cause significant damage to specific targets in the future.

Preserving Web3 Integrity

It does not come as a surprise that state agencies are specifically targeting Web3 projects and attempting to infiltrate them. As new blockchain applications continue to gain adoption, they have become strategic targets for geopolitical influence and intelligence operations.

Web3 developers should consider the legal protections and potential risks they may face in the jurisdiction where they operate, particularly from state agencies and institutions.

From a cybersecurity standpoint, it is crucial for the Web3 industry to raise its standard for due diligence and risk management to preserve the integrity of the industry. The hidden risks associated with Web3 projects can have severe consequences for the security of individuals and organizations involved in or with these projects, including operational, reputational, and legal damage.

The anonymity and pseudonymity inherent to crypto is important to protect the security of users and developers worldwide. However, these features can also be exploited by repeat scammers to evade responsibility for their actions. A balance between privacy and transparency is crucial. CertiK’s KYC process keeps private information private while allowing teams to demonstrate their commitment to transparency.

We recommend that organizations seeking to engage with Web3 projects deploy due diligence efforts proportional to the cyber risks at stake. A comprehensive risk assessment can help organizations to detect potential issues and take appropriate measures to mitigate them. The CertiK expert advisory team is composed of 250+ seasoned security engineers, data scientists, intelligence analysts, and criminal investigators, and has acquired a unique expertise in working with over 3,700 Web3 projects on security matters over a five-year period. Not only is this team able to conduct in-depth risk assessments of Web3 projects or ecosystems, but they are also able to recommend and deploy ad-hoc cybersecurity measures, such as tailored technical audits, on-chain monitoring, penetration testing, bug bounty programs, and cyber-incident management programs.

Editor’s note: Due to concerns for the safety of our sources, some details have been intentionally modified and the report has been redacted of any detail that could lead to the identification of the alleged victims or their location. As part of our core mission to secure the Web3 world, CertiK is regularly contacted by victims of crypto crimes, and provides investigation reports to law enforcement authorities in order to support their effort to prosecute criminal operators.