Digital Currency Group (DCG), the most important and at one time one of the most valuable companies in the American cryptocurrency economy (and maybe the entire world's crypto economy), has been in a world of shit lately because of the collapse of Genesis Trading and Genesis Capital (https://cryptadamus.substack.com/i/89744331/ω-the-war-of-the-whales-bro-will-set-upon-bro), one of the 3 jewels in its corporate crown (and also one of the only subsidiaries that actually made money - the others are Coinbase and Grayscale / GBTC), what with owing at last count somewhere between $2 and 4.5 billion to various parties, including $900 million owed to retail users of Gemini, the Winklevoss twins' startup, that it was refusing to pay. Here's the job posting. Also worth knowing that 69 people work at Grayscale and roughly 100 at parent company DCG. Grayscale managed GBTC (an ETF full of bitcoins that can never come out) and DCG is like a holding company that owns pieces of basically everything.
Here's why that job posting is one that at least raised my eyebrows, because you might (not super high confidence, just so we're clear) post such a job listing after a major security breach:
"actively searching" usually means one of these things:
a contract or board member required it (ok)
someone just turned in their resignation (probably ok, depends on the reason for the resignation)
someone had to be fired (not ideal)
you never had anyone in the role before and now you really need them ASAP (bad)
"link designs to outcomes/operational effect" is concerning because
suggests there was some kind of previous design but it did not result in the desired outcome
"cloud security standards" is ominous because for any company formed in the last 10 years:
company data is all in the cloud, including keys¹ and so on. With the right SSH/AWS credentials attackers have literally everything.
a startup finding out it did too little, too late as far as designing (and enforcing) a set of security protocols for employees is extremely common, x10 for rapidly growing startups run by rich and overconfident 25 year old men. I can almost basically guarantee you that the "security protocol" started out as security keys¹ in a shared Google doc.
a lot of startups that get hacked are companies run by 5 people that make shit like dog toys. DCG would be literally the most targeted company in the world.
almost all catastrophic breaches of companies formed in the last ~8 years are cloud data breaches and so are most catastrophic breaches of companies formed more than 8 years ago
"technical risk assessment" is ominous because
suggests you may have misassessed some risks in the past
"4 months ago" is concerning because:
The LastPass breach happened in August 2022 (AKA a little before 4 months ago).
The Apple security breach - the major one that meant that all iPhones and Macs on the planet could be easily compromised via a 0-click attack - was announced in late August. Odds that DCG bros weren't using iPhones? You tell me. And again, DCG would be among the most targeted institutions in the world. Even I got hacked at that time (which is, indirectly, how I ended up here) and I was only talking about crypto on the internet for like a month at that point. Point being: if they had time for me they definitely had time for every single employee at DCG/Grayscale/etc, all of whom happily identify themselves on LinkedIn.
the stuff that's not there is ominous because:
Grayscale is a financial company managing a publicly traded instrument (GBTC). While I'm not familiar with the specifics of running an ETF, there are usually absolutely scads of regulations about compliance that come with handling money² and usually a whole lot more that come with being a publicly traded stock. These regulatory requirements are usually attached to certain laws, e.g. Sarbanes-Oxley or Dodd-Frank or whatever. If they were hiring for that kind of security they would say so. But they're not - CISSP is a legit certification but not for that kind of thing.
I would also call generally concerning stuff like:
a multi billion dollar company where the best engineers will be drawn from the pool of people willing to risk the reputational damage of working in crypto
most of the employees will not even be engineers, they will be finance bros. Probably finance bros that got fired from or never hired at places like JPMorgan Chase or Bank of America. Let's just say that getting them to consistently follow security protocols is gonna be a challenge.
most of those employees who are not engineers will be making contact with digital assets.
¹ the "not your keys not your coins" kind of keys
² Rules about storing credit cards are for instance one thing I'm vaguely familiar with. The regulations are basically so rugged that no one stores credit cards; they hire special companies that store their hard drives in like atomic bomb shelters with 7 kinds of enormous locks to store their customers' credit cards for them. Obviously DCG is not processing payments but the point is that government requirements can be kind of extreme.
Question
michel_cryptadamus
Curious if this crowd agrees.
PS I crossposted this to r/AskNetsec: https://www.reddit.com/r/AskNetsec/comments/103sz1w/would_this_job_listing_at_a_multibillion_dollar/