Cyberport 2025: Inside Web3 Crime—From Phishing Scams to AI-Powered Fraud, What Comes Next?

April 08, 2025


At Cyberport 2025, one of the most forward-looking conversations unfolded under a topic as timely as it was sobering: the rise of Web3 crime.

Moderated by Isabel Shi, CEO and Co-Founder of Bitrace Tech, the panel brought together a powerhouse lineup of voices—Bonnie Ngan, Chief Inspector at the Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force; Samuel Lok, Head of Compliance at HashKey Group; and Eugene Wong, Head of Risk & Compliance at Cobo.

Together, they represented a rare intersection of perspectives: law enforcement, regulated exchange, and crypto-native custodian. Their message was clear—Web3 crime is getting faster, smarter, and harder to track. And if the industry doesn’t evolve in sync, it's not just individual platforms at risk—it’s the future of digital finance.

Bonnie Ngan set the tone by grounding the discussion in data: over 2,500 crypto-related crime cases were recorded in Hong Kong in 2022, involving losses of more than HK$3.5 billion. These weren’t abstract hacks or faceless wallet drains—they reflected real victims walking into police stations across the city.

In response, the Hong Kong Police Force has taken proactive steps. “We now have a designated crypto investigation team,” said Bonnie. “Whether a victim walks into a station in Central or Tsim Sha Tsui, if it’s a crypto case, it comes to us.”

Their approach goes beyond reactive casework. By collaborating closely with exchanges like HashKey and blockchain security firms like Bitrace, CSTCB has developed the ability to trace transactions in real time and freeze illicit funds when they hit a virtual asset service provider (VASP).

“In 2024 alone, we processed over 780 stop-payment requests and froze HK$133 million in crypto assets,” Bonnie shared. “That wouldn’t be possible without strong industry support.”

Cobo’s Eugene Wong offered a perspective from the custodian side—and it started with a critical clarification: “Most people think security failures come from broken private keys or smart contract exploits. But in many cases, like the Bybit incident, there was no private key compromise. It was a UI manipulation.”

This, Eugene argued, is why wallet design must go beyond technology—it must include process, verification, and governance.

At Cobo, for example, an additional co-signing layer is used on top of Safe smart contract wallets. “We independently verify transactions by checking them against predefined rules from the Safe transaction database,” said Eugene. “This layer isn’t about convenience—it’s about resilience. It prevents a single point of failure.”

This aligns with a growing trend in wallet architecture: end-to-end auditing and logic-based transaction control. Whether institutions choose MPC wallets, custodial infrastructure, or hybrid models, the goal isn’t just storing assets—it’s enforcing behavior through security logic.
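An added illustration of the co-signing idea described above (not Cobo's code or rule set): the co-signer evaluates the raw Safe transaction fields, rather than whatever a signing UI displays, against predefined rules and refuses to sign if any rule fails. The allowlisted addresses, value limit, selector list and sample transactions are constructed assumptions; the `operation` values 0 (CALL) and 1 (DELEGATECALL) follow the Safe contract's operation enum.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # Safe operation enum values

# Constructed policy: every address and limit here is hypothetical.
POLICY = {
    "allowed_targets": {"0x" + "aa" * 20, "0x" + "bb" * 20},
    "delegatecall_targets": set(),        # no delegatecall target approved
    "allowed_selectors": {"a9059cbb"},    # ERC-20 transfer(address,uint256)
    "max_native_value_wei": 5 * 10**18,
}

@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    nonce: int

def violations(tx, expected_nonce, policy=POLICY):
    """Return every rule the raw transaction breaks (empty list = co-sign)."""
    out = []
    to = tx.to.lower()
    if tx.operation == DELEGATECALL:
        if to not in policy["delegatecall_targets"]:
            out.append("delegatecall to unapproved target")
    elif tx.operation != CALL:
        out.append("unknown operation")
    if to not in policy["allowed_targets"]:
        out.append("target not allowlisted")
    if tx.value > policy["max_native_value_wei"]:
        out.append("native value over limit")
    # The first four bytes of calldata identify the function being called.
    if tx.data and tx.data[:4].hex() not in policy["allowed_selectors"]:
        out.append("function selector not allowlisted")
    if tx.nonce != expected_nonce:
        out.append("unexpected nonce")
    return out

def cosign(tx, expected_nonce):
    """Co-sign only when no rule is violated; return (decision, reasons)."""
    problems = violations(tx, expected_nonce)
    return (not problems, problems)

# Constructed samples: a routine token transfer and a delegatecall to an unknown address.
TRANSFER_DATA = bytes.fromhex("a9059cbb") + bytes(64)
ROUTINE = SafeTx("0x" + "AA" * 20, 0, TRANSFER_DATA, CALL, 7)
SUSPICIOUS = SafeTx("0x" + "cc" * 20, 0, TRANSFER_DATA, DELEGATECALL, 7)
```

Because the decision depends only on the transaction fields and the rule set, a manipulated display on a signer's screen does not change the co-signer's verdict.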

Representing the exchange side, Samuel Lok described how HashKey’s operations are shaped by Hong Kong’s rigorous regulatory framework.

“Only 2% of our assets are kept in hot wallets,” he said. “The remaining 98% are in cold storage, and hot wallets are fully insured.” Beyond that, HashKey has implemented traditional banking safeguards like three-person approval flows for transfers between hot and cold wallets—a "maker, checker, and observer" system.

HashKey also applies KYT (Know Your Transaction) screening to both inbound and outbound transactions. “Every token that enters our system goes through pre-screening. Every outbound transaction is also checked,” Samuel emphasized.

One unique control: HashKey restricts transfers based on ownership—what Samuel called a “same-name” approach. “Users can only transfer to wallets that are proven to be theirs. That reduces risk from impersonation and third-party scams.”

When the conversation turned to fraud, the stories grew both startling and familiar.

Samuel shared the case of a customer who walked into the exchange claiming Elon Musk had messaged her, asking for investment support. “We reminded her multiple times this sounded like a scam. But she insisted. We flagged the account and monitored it closely.”

For Bonnie, scams have become increasingly sophisticated—especially those involving fake investment platforms and malicious smart contracts. “We’ve seen local syndicates recruit operators in Hong Kong to run scam centers targeting overseas victims,” she said. “The smart contracts they use include hidden backdoors that allow them to drain staked assets at will.”

Eugene added a chilling layer: the role of chain-hopping and decentralized mixers in making fund tracing nearly impossible. In one case, he explained, scammers bridged assets via LayerZero, then used protocols like Railgun and Tornado Cash to obfuscate trails.

“This is the simplified version,” Eugene said. “In reality, it’s even more complex. That’s why prevention is key.”

Across the panel, one theme emerged repeatedly: collaboration is no longer optional. Whether preventing phishing attacks, freezing hacked funds, or investigating cross-border fraud, time is of the essence—and trust between platforms, custodians, and the police can’t wait for paperwork.

Isabel noted that even in the Bybit case—a high-profile incident that galvanized rapid response—a large portion of ETH was ultimately laundered through OTC desks.

Samuel suggested the formation of an alliance between exchanges in Hong Kong to share intelligence and patterns. “We don’t need to wait for regulators to mandate this,” he said. “As service providers, it’s our responsibility.”

Eugene echoed that sentiment: “Scammers are already using AI to automate relationship-building in romance scams. Their playbooks are getting faster and more scalable. We need to match that speed with smarter defenses.”

In their closing remarks, the panelists offered a glimpse into the road ahead:

Bonnie: “My biggest challenge? Keeping up with the technology. The Web3 space evolves daily.”

Samuel: “You can’t launch new services without controls. Customer protection starts with operational discipline.”

Eugene: “AI-powered scams are just the beginning. As criminal tools become more accessible, we have to evolve our compliance stack just as quickly.”

The Web3 ecosystem is no longer defined by code alone—it’s defined by coordination. What emerged from this panel was a renewed sense of urgency and responsibility: that exchanges, custodians, regulators, and law enforcement must work together in real time, not post-incident.

As Eugene reminded the audience: “There’s no one-size-fits-all wallet. But there is one universal truth—your processes and partnerships matter as much as your protocols.”
