would this job listing at a multibillion dollar crypto company make you raise your eyebrows and wonder if the company posting it was recently hacked?

[michel_cryptadamus]

Digital Currency Group (DCG), the most important and at one time one of the most valuable companies in the American cryptocurrency economy (and maybe the entire world's crypto economy), has been in a world of shit lately because of the collapse of Genesis Trading and Genesis Capital (https://cryptadamus.substack.com/i/89744331/ω-the-war-of-the-whales-bro-will-set-upon-bro ), one of the 3 jewels in its corporate crown (and also one of the only subsidiaries that actually made money - the others are Coinbase and Grayscale / GBTC) what with owing at last count somewhere between $2 to 4.5 billion to various parties including $900 million owed to retail users of Gemini, the Winklevoss's twins startup that it was refusing to pay. Here's the job posting. Also worth knowing that 69 people work at grayscale and roughly 100 at parent company DCG. Grayscale managed GBTC (an ETF full of bitcoins that can never come out) and DCG is like a holding company that owns pieces of  basically everything.

Here's why that job posting is one that at least raised my eyebrows because you might (not super high confidence, just so we're clear) post such a job listing after a major security breach:

"actively searching" usually means one of these things:

1. a contract or board member required it (ok)
2. someone just turned in their resignation (prolly ok depends on the reason for the resignation)
3. someone had to be fired (not ideal)
4. you never had anyone in the role before and now you really need them ASAP (bad)

"link designs to outcomes/operational effect" is concerning because

1. suggests there was some kind of previous design but it did not result in the desired outcome

"cloud security standards" is ominous because for any company formed in the last 10 years:

1. company data is all in the cloud including keys¹ and so on. with the right SSH/AWS credentials attackers have literally everything.
2. a startup finding out it did too little too late as far as designing (and enforcing) a set of security protocols for employees is an extremely common, x10 for rapidly growing startups run by rich and overconfident 25 year old men. i can almost basically guarantee you that the "security protocol" started out as security keys¹ in a shared google doc.
3. a lot of startups that get hacked are companies run by 5 people that make shit like dog toys. DCG would be literally the most targeted company in the world.
4. almost all catastrophic breaches of companies formed in the last ~8 years are cloud data breaches and so are most catastrophic breaches of companies formed more than 8 years ago

"technical risk assessment" is ominous because

1. suggests you may have misassessed some risks in the past

"4 months ago" is concerning because:

1. the LastPass breach happened in August 2022 (AKA a little before 4 months ago)
2. The Apple security breach - the major one that meant that all iPhones and Macs on the planet could be easily compromised via a 0 click attack - was announced in late August. Odds that DCG bros weren't using iPhones? you tell me. And again, DCG would be among the most targeted institutions in the world. even i got hacked at that time (which is, indirectly, how I ended up here) and i was only talking about crypto on the internet for like a month at that point. point being: if they had time for me they definitely had time for every single employee at DCG/Grayscale/etc, all of whom happily identify themselves on LinkedIn.
3. After the FTXplosion people started to ask Grayscale to show the world the wallet addresses where it was holding all these billions of dollars of bitcoin. Grayscale firmly refused (https://cryptadamus.substack.com/i/85344275/ω-one-of-the-largest-pools-of-investor-owned-bitcoin-in-the-world-the-grayscale-bitcoin-trust-is-refusing-to-tell-anyone-where-all-the-bitcoins-are) citing fictitious "security concerns" with letting anyone know their public wallet addresses. I know enough to know this is kind of a ridiculous thing to state as a reason. (FWIW theoretically the coins are custodied in some way that somehow involves Coinbase)

the stuff that's not there is ominous because:

1. Grayscale is a financial company managing a publicly traded instrument (GBTC). While I'm not familiar with the specifics of running an ETF there are usually absolutely scads of regulations about compliance that come with handling money²and usually a whole lot more that come with being a publicly traded stock. these regulatory requirements are usually attached to certain laws, e.g. Sarbanes-Oxley or Dodd-Frank or whatever. if they were hiring for that kind of security they would say so. but they're not -CISSP is a legit certification but not for that kind of thing.

i would also call generally concerning stuff like:

1. a multi billion dollar company where the best engineers will be drawn from the pool of people willing to risk the reputational damage of working in crypto
2. most of the employees will not even be engineers, they will be finance bros. probably finance bros that got fired for or never hired at places like JPMorgan Chase or Bank of America. let's just say that getting them to consistently follow security protocols is gonna be a challenge.
3. most of those employees who are not engineers will be making contact with digital assets.

Curious if this crowd agrees.

ps I crossposted this to r/AskNetsec: https://www.reddit.com/r/AskNetsec/comments/103sz1w/would_this_job_listing_at_a_multibillion_dollar/

𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀 𝛀

¹ the "not your keys not your coins" kind of keys
² rules about storing credit cards are for instance one thing i'm vaguely familiar. the regulations are basically so rugged that no one stores credit cards, they hire special companies that store their hard drives in like atomic bomb shelters with 7 kinds of enormous locks to store their customers' credit cards for them. obviously DCG is not processing payments but the point is that government requirements can be kind of extreme.

Edited January 5, 2023 by michel_cryptadamus

[michel_cryptadamus]

particularly ominous is the word 'define' in front of 'cloud security standards' and the word 'create' in front of technical risk assessment and acceptance...

[NeonPayload]

Honestly I think it's pretty wierd, kind of like how Uber needed to hire a entire security team after the CISO got fired for paying the ransom as a bug bounty.

If it's just one person I wouldn't think it's that big of a deal it there is only one security job posting, you'd think that it was just that guys fault. I don't know though.