Web 3 and blockchain: what role will cybersecurity play?

Venture capitalists, cryptocurrency startup founders, engineers and dreamers are developing Web 3 (or Web 3.0) on blockchain and cryptocurrencies: a new frontier that is more democratic, decentralized and independent, and ideal for reappropriating data.

The race towards Web 3 has begun. For now, only investors and pioneers of the new tech frontier are describing the future Web 3.0 as more open and democratic, free from censorship, and built on blockchain and decentralized protocols. Web 3 promises to be more inclusive, competitive and independent, and to allow everyone to reappropriate their data and perhaps monetize anything on the Internet.

What is Web 3? 

Experts call Web 3.0, or Web 3, a crypto-internet based on the blockchain. Web 3 is a decentralized network, thanks to the use of blockchain, the technology on which cryptocurrencies are founded. Web 1.0 offered content that could not be modified by the user, and Web 2.0 led to user-generated content; Web 3.0 would like to give users full control of services and infrastructure.

How does Web 3 work? 

It aims to be a network in which content and services no longer reside on servers and platforms that belong to companies, but are spread homogeneously across the network.

Thanks to democratic participation, users could finally monetize data sharing. User-generated content (UGC) would remain in the hands of its legitimate authors, and would no longer belong to platforms such as TikTok, Instagram and YouTube.

In Web 3, devices would no longer connect to central servers, but to distributed ledgers across the network on which all desired information is located, without having to find data on any company’s servers.

Until now the blockchain has included cryptocurrencies, smart contracts, DeFi and NFTs; it could then include all the services of the network.

Web 3 and blockchain: DeFi and NFT

Web 3 will include applications that already existed on blockchain, such as DeFi (decentralized finance) and NFTs, unique digital copies of anything.

Blockchain has also made it possible to automate traditional financial functions like lending or trading. The first Ethereum applications to gain widespread adoption were decentralized finance (DeFi) applications such as Compound, Maker, and Uniswap.

In DeFi, financial functions are handled by fully automated protocols that are owned and operated by decentralized communities instead of centralized companies. 

DeFi has attracted the money and attention needed to jumpstart the growth of Web 3, even if Web 3 isn’t just about money and cryptocurrencies: during 2021, entrepreneurs expanded the ideas started with bitcoin and DeFi to games, media, marketplaces, and even social networks thanks to a new concept: non-fungible tokens (NFTs).

These are blockchain-based records that uniquely represent digital media objects including art, videos, music, games, text and code. NFTs can have code attached to them to do almost anything, including ensuring that the original creator receives royalties from sales. So, blockchain can support many other applications besides money and finance.


What are the implications for Cybersecurity? 

What new Cybersecurity threats might arise from these new technologies? And what are the risks? Let’s analyze some of them and some attack techniques: 

  • Service unavailability that would make Blockchain-based services unusable 
  • Internet unavailability 
  • Fraudulent manipulation of Blockchain 
  • Theft of digital wallets 


A Sybil attack

A Sybil attack is an attempt to control a peer network by creating multiple fake identities: one person attempts to take control of the network by creating multiple accounts, nodes, or computers.

To outside observers, these fake identities appear to be unique users. However, behind the scenes, a single entity controls many identities simultaneously.

As a result, that entity can influence the network through additional voting power in a democratic network or through echo chamber messages in a social network. 
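The voting-power effect described above can be made concrete with a small model. This is an added example, not code from the original article: the network of 100 honest users, the stake values and all function names are constructed assumptions, and stake-weighted voting is included as one common Sybil-resistance approach that the article itself does not discuss.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Identity:
    name: str        # all that outside observers see
    controller: str  # ground truth, hidden from the network
    stake: int       # scarce resource bound to this identity (assumed model)


def build_network(honest_users, sybil_identities, attacker_stake, honest_stake=10):
    """Constructed sample: each honest person holds one identity; the
    attacker splits a single stake budget across many fake identities."""
    net = [Identity(f"user{i}", f"person{i}", honest_stake)
           for i in range(honest_users)]
    per_id, rest = divmod(attacker_stake, sybil_identities)
    for i in range(sybil_identities):
        stake = per_id + (1 if i < rest else 0)  # shares always sum to the budget
        net.append(Identity(f"user{honest_users + i}", "attacker", stake))
    return net


def voting_share(network, controller, weight):
    """Fraction of total voting weight held by one real-world controller."""
    total = sum(weight(i) for i in network)
    held = sum(weight(i) for i in network if i.controller == controller)
    return Fraction(held, total)


def one_identity_one_vote(identity):
    return 1               # creating identities is free, so votes are free


def stake_weighted(identity):
    return identity.stake  # splitting a budget does not enlarge it


def compare(sybil_identities, honest_users=100, attacker_stake=10):
    """Attacker's share under (identity-count, stake-weighted) voting."""
    net = build_network(honest_users, sybil_identities, attacker_stake)
    return (voting_share(net, "attacker", one_identity_one_vote),
            voting_share(net, "attacker", stake_weighted))


if __name__ == "__main__":
    for n in (1, 10, 150):
        by_count, by_stake = compare(n)
        print(f"{n:>3} identities: count={float(by_count):.3f} stake={float(by_stake):.3f}")
```

Under identity-count voting the single controller's share grows from 1/101 to a 3/5 majority as identities are added, while its stake-weighted share stays at 1/101 because influence is tied to a resource that cannot be multiplied by registering more accounts.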

Information theft

Users may expose themselves to strangers while feeling “safe,” putting their real-life assets at risk and allowing malicious actors to appropriate a great deal of sensitive information such as personal documents, banking details and household information.


A hacker could take advantage of public information found online to impersonate third parties and get them to release personal information. Moreover, any kind of action could be carried out by exploiting the identity of the victim, who would also face legal consequences even if he is not directly responsible.

Cryptocurrency theft

Because the Metaverse is connected to the world of cryptocurrencies and NFTs, it is tempting prey for hackers ready to get hold of the wallets and access keys of Metaverse citizens. Consider the attack suffered by the gallery owner Todd Kramer, whose works worth 2.2 million dollars were stolen in recent months, drawing the attention of the online community to this kind of transaction.

Human joystick

It is possible to control users in the Metaverse and move them to a position in physical space without their knowledge. In this way, the hacker could also bring the user to a specific point in the virtual space, putting him physically in danger.

“Chaperone” attack

This attack involves changing the boundaries of a user’s virtual environment, undoing all the security boundaries built up until then. It could be used to make a virtual space appear smaller or larger, or to prevent other users from helping victims identify authentic real-world boundaries during an immersive session, e.g. using VR technology.

Web 3 and blockchain: How to protect yourself and be safe in the Metaverse? 

We still do not know what the possible vulnerabilities of this virtual reality are, as we are talking about something that has yet to be fully explored. At the moment, we can only keep some best practices in mind to avoid possible risks.

In fact, in the Metaverse as well as in other services it is necessary to ask ourselves some simple questions: if the service is free, what are the personal data that the service is collecting, who receives these data and with whom they are shared. In addition, password stuffing (the lazy practice of reusing the same password on multiple services) should be avoided.

Adopting a password manager that can store our credentials on multiple devices is always useful, as is turning on the Do Not Track configuration to tell third-party services that we don’t want to be tracked.

Finally, it’s important to be careful about what we share: a piece of content could represent a problem from a privacy point of view and damage our security. It’s good to remember that any information we actively share on public platforms and social media could be a starting point for social engineering attacks. 

At Ermes – Intelligent Web Protection, we design and develop innovative technologies to fully protect our users by recognizing, detecting, preventing, and blocking all forms of clickjacking attacks, as well as many other click interception attacks and malicious practices.