In an overlooked incident this month, attackers broke into a vendor serving major banks in Brazil and used their access to steal 1 billion reais (around USD $180 million).
What makes this interesting is that the attackers immediately onramped the fiat into crypto and disappeared.
In ye olden days of yore, theft of fiat meant playing by the rules of fiat: centrally controlled and reversible transactions. (Consider the 2016 Bangladesh SWIFT heist, in which most of the funds were recovered.)
That means that the security of the traditional financial sector was optimized for risks with reversible financial impact.
In Web3 we must manage the security risk of fungible, irreversible money with no central controller or censor, a vastly more expensive and difficult security challenge.
Where Web2 businesses and traditional financial institutions historically managed security with regulatory risk at the top of mind, in Web3 we must manage security risk with extralegal criminals and nation-state adversaries who can fail without consequences and who can win and thumb their noses at us.
This incident should be a wake-up call to TradFi. Web3 security is eating Web2 security. Our threat model is now your threat model.
Welcome to the party.