How to Prevent Hackers From Stealing Private Keys From Your Servers?

By Safeheron Team

In the cryptocurrency realm, incidents of hackers infiltrating servers to steal wallet private keys are alarmingly frequent, inflicting substantial financial losses and privacy risks on users. Traditional wallet architectures, where private keys exist as single points of failure, are particularly vulnerable. Once a server is breached, private keys can be directly stolen. Recent cases, such as the Safe Wallet developer machine infection that led to a $1.4 billion loss for the Bybit exchange, underscore the gravity of this threat. Attackers can also steal account credentials or API keys to infiltrate cloud service infrastructures or deploy malicious code for targeted attacks, such as using phishing scripts, swapping wallet addresses, or deploying malicious plugins.

Over the years, the techniques used by hackers to attack cryptocurrency wallets have evolved in the following ways:

  • From Broad to Targeted Attacks: Hackers have shifted from wide-net phishing attacks to precise targeting of high-value assets.
  • Extended Attack Chains: Instead of directly attacking the end target, hackers first compromise related infrastructure or service providers.
  • Increased Complexity: Hackers employ multi-stage attacks, embedding malicious code within legitimate code to evade detection.
  • Persistent Presence: Hackers remain dormant for extended periods, waiting for the optimal moment to strike.

Advanced hacking groups, such as North Korea’s Lazarus Group, have developed highly complex attack methods capable of bypassing conventional security measures to target specific high-value assets.

However, Safeheron has constructed a fortress capable of withstanding nation-state level attacks by integrating MPC (Secure Multi-Party Computation) with TEE (Trusted Execution Environment) and employing a robust multi-layered security model.

Safeheron’s Solutions

MPC Distributed Key Architecture: Sharding for Unparalleled Security

Safeheron employs advanced MPC protocols such as GG18, GG20, and CMP to generate three private key shards for each user. This cryptographic approach revolutionizes traditional key management by ensuring that the complete private key never appears in plaintext during its entire lifecycle—from generation to storage and usage—effectively eliminating the possibility of key leakage.

These three key shards are encrypted and stored separately on the user’s local device and in highly secure cloud services bolstered by TEE technology, forming a distributed and isolated security network. Hackers would need to breach multiple independent security systems simultaneously to gather all key shards, exponentially increasing the complexity and cost of an attack to the point of near impossibility.

Moreover, Safeheron implements a 3-of-3 threshold scheme, which requires all three shards to complete a signature. This eliminates the risk of single-key exposure and internal or external single-point attacks. The 3-of-3 scheme ensures that neither Safeheron nor third-party cloud providers can operate assets without user authorization, effectively preventing platform malfeasance. It also enables transparent multi-party governance within institutions, fully leveraging MPC’s advantages for transparent and decentralized fund management.
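
The following is an added illustration, not Safeheron's code and not GG18, GG20 or CMP: it uses additive 3-of-3 sharing with a toy Schnorr-style signature to show how a valid signature can be produced without the full key ever being assembled, and why two shards are not enough. The group parameters, function names and sample message are assumptions, and the three parties are simulated in one process.

```python
import hashlib
import secrets

# Toy group, far too small for real use (assumption): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def keygen_shares(n=3):
    """Each party draws its own share; x = sum(shares) is never computed."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    pub = 1
    for x_i in shares:                 # parties publish only G^x_i
        pub = pub * pow(G, x_i, P) % P
    return shares, pub

def challenge(R, msg):
    digest = hashlib.sha256(str(R).encode() + b"|" + msg).digest()
    return int.from_bytes(digest, "big") % Q

def sign(shares, msg):
    """Combine one nonce share and one partial signature per party."""
    while True:
        nonces = [secrets.randbelow(Q - 1) + 1 for _ in shares]
        R = 1
        for k_i in nonces:
            R = R * pow(G, k_i, P) % P
        e = challenge(R, msg)
        if e:                          # redraw on the rare zero challenge
            partials = [(k + e * x) % Q for k, x in zip(nonces, shares)]
            return R, sum(partials) % Q

def verify(pub, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pub, challenge(R, msg), P) % P

def demo():
    shares, pub = keygen_shares()
    msg = b"transfer 1 BTC to constructed-address"   # constructed sample
    full = verify(pub, msg, sign(shares, msg))
    partial = verify(pub, msg, sign(shares[:2], msg))
    return full, partial               # all three shares verify; two do not
```

In a deployment each share and nonce stays on its own machine and only the partial values cross the network; production protocols add commitments and proofs that this sketch omits.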

To meet the diverse needs of enterprise clients, Safeheron offers a professional MPC Node development kit, allowing users to customize MPC-TSS parameters and implementation plans according to specific scenarios, thus achieving a seamless integration of security and business operations.

TEE Hardware-Level Isolation: A Bastion for Key Shards

Safeheron encapsulates key shards within TEE based on Intel SGX technology, providing hardware isolation and protection of computing resources. This hardware-level security creates an impregnable digital fortress, storing encrypted key shards in an environment isolated from the main operating system. Even if hackers gain root access or deploy kernel-level attack tools, TEE ensures that key shards cannot be extracted from encrypted memory, effectively countering various advanced persistent threats (APTs), including memory injection, side-channel attacks, and cold boot attacks.

Additionally, Safeheron innovatively applies TEE technology to transaction Policy Engine and signing mechanisms, ensuring that sensitive user data and transaction rules are stored in tamper-proof hardware environments. All critical operations of an institution can only be executed within the TEE environment strictly according to predefined rules, eliminating any possibility of malicious modification or unauthorized access.

Furthermore, Safeheron implements remote attestation based on TEE, which further enhances the overall security of digital wallets by establishing an end-to-end verifiable trust chain. This provides institutional clients with security assurances comparable to traditional financial infrastructure, truly realizing a zero-trust security architecture.

Access Control: Restricting Private Key Access

Adhering to the principle of least privilege, Safeheron strictly limits access to private keys, ensuring that only authorized personnel can perform related operations. This ensures the traceability of sensitive operations and clarifies responsibilities. Offline authorization is used to invite team members, and encrypted channels ensure that unauthorized individuals cannot join the team on their own, effectively preventing social engineering attacks and identity theft. Additionally, enabling MFA (Multi-Factor Authentication) further strengthens login security by requiring users to provide multiple verification factors such as email codes, passwords, facial IDs, and fingerprints. These layered barriers significantly increase the difficulty for hackers to crack logins, effectively preventing unauthorized access to team resources and sensitive operations.

Moreover, teams can customize member permissions and transaction strategies according to their organizational structure and business process needs, creating a governance framework where responsibilities are clearly defined and balanced.

Internal teams can ensure that key transactions are only executed after multi-level approvals from management by setting up multi-dimensional policies such as transaction initiators, transaction amount thresholds, and time window restrictions. This forms a complete risk control system. In daily business operations, from routine transfers and contract deployments to asset allocation, the flexible TEE Policy Engine ensures that each member performs their duties, creating a complete audit chain of operations and preventing any unauthorized bypassing of review nodes or members from overstepping their authority.
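
As an added sketch, not Safeheron's Policy Engine, the check below combines the dimensions named above (initiator, amount threshold, time window, number of approvals) in a deny-by-default evaluator. All class, field and member names and the sample limits are assumptions, and the code does not model TEE isolation.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    initiators: frozenset    # members allowed to initiate under this rule
    max_amount: int          # inclusive ceiling for the transfer amount
    window: tuple            # (start, end) time of day when it applies
    approvers: frozenset     # members whose approval counts
    min_approvals: int

@dataclass(frozen=True)
class Tx:
    initiator: str
    amount: int
    at: time
    approvals: frozenset

def evaluate(rules, tx):
    """Deny by default; the first rule matching initiator, amount and time decides."""
    for rule in rules:
        start, end = rule.window
        if tx.initiator not in rule.initiators or tx.amount > rule.max_amount:
            continue
        if not start <= tx.at <= end:
            continue
        # Self-approval and approvals from non-approvers do not count.
        valid = (tx.approvals & rule.approvers) - {tx.initiator}
        if len(valid) >= rule.min_approvals:
            return True, "approved"
        return False, f"needs {rule.min_approvals} approvals, has {len(valid)}"
    return False, "no matching rule"

# Constructed sample policy: names, limits and hours are illustrative.
HOURS = (time(9), time(18))
RULES = [
    Rule(frozenset({"alice", "bob"}), 10_000, HOURS, frozenset({"carol", "dave"}), 1),
    Rule(frozenset({"alice"}), 1_000_000, HOURS, frozenset({"alice", "carol", "dave"}), 2),
]
```

Rules are listed from the lowest amount ceiling upward, so a transfer is judged by the tightest rule that covers it and anything no rule covers is refused.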

Server Hardening: The Foundation of Security

As the core environment for digital wallets, server security is of utmost importance. Safeheron employs a series of measures to harden servers, including regularly updating system patches to fix vulnerabilities, closing unnecessary ports and services to reduce potential attack vectors, configuring firewalls (such as iptables) to restrict access to whitelisted IPs, and deploying intrusion detection systems (IDS) to monitor server activities in real-time. Any suspicious behavior triggers immediate alerts and countermeasures, effectively thwarting hacker intrusions and ensuring server stability.

Audited, Certified, and Compliant

Safeheron consistently adheres to rigorous audits and obtains market-recognized security certifications to ensure that its services are trustworthy.

Regular Security Scanning and Vulnerability Detection: Safeheron conducts regular server security scans to comprehensively inspect system configurations, software vulnerabilities, and network connections, promptly identifying potential security risks. These measures enable Safeheron to ensure server stability and promptly detect and fix any existing vulnerabilities.

Third-Party Penetration Testing: To further enhance system security, Safeheron engages professional third-party firms to conduct penetration tests. These firms simulate hacker attack methods to thoroughly test and assess the digital wallet system, identify vulnerabilities, and promptly rectify them. This "attack-to-defend" approach ensures that the digital wallet system remains in optimal security condition, effectively preventing potential threats.

Highest Security Compliance Standards: Safeheron has obtained multiple internationally recognized security certifications and adheres to strict audit processes to ensure the security and reliability of user assets:

  • Kudelski Security MPC Algorithm Audit: Safeheron’s internal algorithm library passed the audit conducted by the renowned Swiss security audit firm Kudelski Security as early as December 2020, signifying that Safeheron has reached an internationally leading level in algorithm security.
  • Slow Mist Technology Regular Audits and Penetration Testing: Safeheron collaborates with Slow Mist Technology to conduct regular security audits and penetration tests, ensuring system security.
  • ISO 27001 and SOC 2 Type II Certifications: Safeheron has obtained ISO 27001 and SOC 2 Type II certifications, strictly adhering to and meeting the stringent requirements of internal audits, ensuring the integrity and standardization of the audit process.
  • Insurance Coverage: Safeheron has obtained two key insurances from Lockton: Digital Asset Custodial Risks Insurance and Professional Indemnity Insurance, comprehensively covering asset loss risks caused by external hacker attacks and internal operational errors.

Through these stringent audit and certification processes, Safeheron provides users with a secure, reliable, and compliant digital asset storage and management platform. Whether it is regular security scanning, professional third-party penetration testing, or internationally recognized security certifications, Safeheron ensures the security of user assets with the highest standards of compliance.

Enhancing Security Awareness

While technological measures are crucial, human security awareness is equally important. Safeheron conducts regular training and phishing drills to enhance employees’ ability to identify and respond to threats. By raising awareness of the importance of digital wallet security and equipping staff with essential knowledge and skills, Safeheron ensures that employees adhere to security protocols in their daily work, minimizing the risk of human error leading to security breaches.

Conclusion

Hackers’ attack methods have evolved from simple phishing attacks to complex, multi-layered, and multi-dimensional composite attacks. In the face of these challenges, Safeheron remains vigilant, continuously iterating and upgrading its security architecture. By leveraging innovative technologies such as MPC key shards, MPC-TSS, intelligent risk control systems, and real-time threat monitoring, Safeheron constructs a comprehensive security defense network to safeguard digital wallets. These technologies work in concert, not only effectively countering known threats but also preempting potential security risks to ensure the absolute safety of user assets.

Choosing Safeheron means opting for a secure, reliable, and trustworthy digital wallet solution. With an unwavering commitment to security and a deep understanding of user needs, Safeheron is dedicated to creating the safest digital asset management platform, ensuring that your digital asset management is both secure and convenient.
