Author Bio: Wang Dejia, Ph.D. in Mathematics from the University of Wisconsin-Madison, member of the Jiusan Society, Senior Engineer; inventor of the Spacetime Code, author of "Identity Crisis" and "Digital Identity"; previously responsible for overall design and product development at departments of companies such as ORACLE, VISA, and IBM; founded Tongfudun Company in 2011 upon returning to China, serving as Chairman and CEO.
Preface
This year's Token2049 coincided with the National Day holiday, giving more time for reflection during the exhibition. The event was as bustling as ever. As a professional with deep security roots, I am delighted by the market's prosperity, but still affected by the constant emergence of security incidents. I have been thinking about how to build a safer and more stable future for the industry. This reflection comes both from the exhibition experiences and the team's practical exploration in artificial intelligence and digital assets. Here is this article, presented for your reference and discussion.
"National-Level Hackers": A New Battlefield for Digital Asset Security
According to analysis by blockchain forensics company Elliptic, since 2017, hacker groups such as the Lazarus group have stolen over $6 billion in cryptocurrency, with over $2 billion stolen in 2025 alone, setting a historical record. The United Nations and multiple intelligence agencies have confirmed that these illicit proceeds are a key source of funding for North Korea's nuclear weapons and ballistic missile development programs. Faced with professional, systematic, and financially driven threats, traditional static defense systems based on signatures and rule libraries are no longer sufficient. A security paradigm shift driven by artificial intelligence and agent technologies is quietly reshaping the defense boundaries of digital assets.
The current situation of digital asset security has undergone a fundamental transformation. The scale, subjects, and impact of threats have exceeded the scope of traditional cybersecurity, rising to the level of national-level confrontation. Threat actors have evolved from disorganized criminal groups to professional hacker organizations supported by state power. Groups like North Korea's Lazarus represent "national-level hackers," whose attacks have clear strategic objectives: stealing digital assets to fund military expenses, especially nuclear weapons and ballistic missile research. Their attack methods are highly systematic, forming a complete attack chain from social engineering through fake high-paying IT job offers to directly extracting keys via hardware wallet vulnerabilities.
This situation has given rise to the concept of "Advanced Persistent Threat" (APT) in the digital asset field. Compared to traditional APTs in cybersecurity, APTs in the digital asset domain have three more severe characteristics: first, the stakes are more direct, because the attacks target large amounts of transferable financial assets, giving a high return on attack investment; second, the attack chains are shorter and faster, as once a private key is compromised or a contract is breached, assets are instantly lost, leaving an extremely short response window; third, the attack methods are highly customized, targeting high-net-worth individuals and corporate executives with long-term, precise social engineering attacks that combine human weaknesses with technical vulnerabilities.
Security Paradigm Shift Driven by AI
Facing this evolved form of APT, the defense paradigm must be reformed. Artificial intelligence and agent technologies have become an inevitable choice, because their underlying logic aligns closely with the characteristics of the digital asset world in the following respects:
- A transparent data world is the best battlefield for AI: the activities in the digital asset world are essentially global and data-transparent. Every on-chain transaction, address association, and behavioral sequence is traceable, analyzable, structured data. This provides an excellent training ground and application scenario for AI, especially machine learning and graph neural networks. AI can perform pattern mining and correlation analysis on this volume of data that humans cannot.
- The shift from "rule-driven" to "behavior-driven": Traditional firewalls rely on known vulnerability signatures, representing a static "rule-driven" defense. In contrast, AI models can learn patterns of normal and malicious behavior to detect previously unseen, highly disguised attack methods, achieving dynamic "behavior-driven" defense. This capability enables effective responses to threats such as social engineering and zero-day exploits, which traditional rule-based systems struggle to cover.
- The leap from "passive response" to "active prediction": The speed and brevity of APT attacks require the defense system to be able to intervene preemptively. By analyzing massive on-chain data, AI can establish a "behavior baseline" for each address, then identify and alert on anomalies in real time when hackers initiate suspicious transfers, thus making the leap from "post-event tracing" to "real-time blocking" and even "pre-event prediction." This proactive prediction ability is critical for addressing national-level APTs.
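The per-address "behavior baseline" described above can be sketched as follows. This is an added example, not code from the author or any product named in this article; a robust median/MAD statistic stands in for the AI model, and the address labels, thresholds and action names are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample history of (sender, recipient, amount); not real on-chain data.
HISTORY = [
    ("addr_A", "addr_B", 1.0), ("addr_A", "addr_B", 1.2), ("addr_A", "addr_C", 0.8),
    ("addr_A", "addr_B", 1.1), ("addr_A", "addr_C", 0.9), ("addr_A", "addr_B", 1.3),
]

def build_baselines(history):
    """Per-sender baseline: median amount, MAD of amounts, recipients seen so far."""
    amounts, peers = defaultdict(list), defaultdict(set)
    for sender, recipient, amount in history:
        amounts[sender].append(amount)
        peers[sender].add(recipient)
    baselines = {}
    for sender, vals in amounts.items():
        med = median(vals)
        mad = median([abs(v - med) for v in vals])
        baselines[sender] = {"median": med, "mad": mad, "peers": peers[sender], "n": len(vals)}
    return baselines

def score_transfer(baselines, sender, recipient, amount, z_limit=3.5, min_history=5):
    """Return the reasons a pending transfer deviates from the sender's baseline."""
    base = baselines.get(sender)
    if base is None or base["n"] < min_history:
        return ["insufficient_history"]  # no usable baseline: do not silently pass
    # If every past amount was identical, MAD is 0; fall back to 5% of the median (assumption).
    scale = base["mad"] or max(0.05 * base["median"], 1e-9)
    robust_z = 0.6745 * (amount - base["median"]) / scale
    reasons = []
    if robust_z > z_limit:
        reasons.append("amount_outlier")
    if recipient not in base["peers"]:
        reasons.append("new_counterparty")
    return reasons

def decide(reasons):
    """Map reasons to an action; thresholds and action names are illustrative assumptions."""
    if not reasons:
        return "allow"
    if {"amount_outlier", "new_counterparty"} <= set(reasons):
        return "delay_and_require_mfa"
    return "alert"
```

An address with too little history returns "insufficient_history" rather than an empty list, so a fresh or rarely used wallet is escalated instead of being treated as normal.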
"Agent Armies": New Boundaries for Digital Asset Security
In practice, AI and agent technologies have the potential to build a multidimensional protection system from individual to national levels, from technology to operations, creating an "agent army" in the digital asset field.
At the personal level, AI agents act as "digital bodyguards." They monitor wallet activities 24/7, analyze contract risks in real-time when users accidentally click on phishing links and attempt authorization, and forcibly interrupt the operation. When detecting abnormal logins, they can automatically trigger delayed transactions or multi-factor authentication.
At the enterprise level, AI systems serve as "risk control officers." For exchanges, they can analyze deposit and withdrawal patterns in real-time, automatically identify suspicious accounts associated with known hacker addresses, and freeze them before money laundering is completed. Additionally, AI-driven vulnerability scanning tools can continuously audit platform smart contracts, offering speed and breadth far beyond manual efforts.
On a higher level, agent technologies are building an invisible "AI tracking network." By leveraging AI's graph computing capabilities, it can automatically map the flow of funds of hacker organizations, penetrate the layers of mixing services and cross-chain bridges, and link billions of stolen funds to the final withdrawal addresses, providing precise intelligence for global collaboration in fighting crime. Moreover, the "agent army" built on AI can enable intelligence fusion and collaborative defense. When a node detects a new attack method, its threat intelligence can be instantly synchronized across the entire network, achieving "one discovery, full network immunity."
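The fund-flow mapping and exchange-side screening described in the two paragraphs above reduce, at their simplest, to a graph walk from known flagged addresses. The following is an added example, not code from the author or any named framework; a plain breadth-first search stands in for the graph computing the article refers to, and all address labels, the hop limit and the action names are assumptions.

```python
from collections import deque

# Constructed transfer edges (from, to, amount); labels are placeholders, not real addresses.
TRANSFERS = [
    ("flagged_1", "hop_a", 100.0),
    ("hop_a", "mixer_like", 60.0),
    ("hop_a", "hop_b", 40.0),
    ("mixer_like", "hop_c", 60.0),
    ("hop_b", "hop_a", 5.0),            # cycle: the walk must not loop forever
    ("hop_c", "exchange_deposit_9", 55.0),
    ("clean_1", "exchange_deposit_7", 10.0),
]

def trace_from_flagged(transfers, flagged, max_hops=4):
    """Breadth-first walk of outgoing transfers.

    Returns {address: shortest path from a flagged source}, limited to max_hops.
    """
    out_edges = {}
    for src, dst, _amount in transfers:
        out_edges.setdefault(src, []).append(dst)
    paths = {addr: [addr] for addr in flagged}
    queue = deque(flagged)
    while queue:
        current = queue.popleft()
        if len(paths[current]) - 1 >= max_hops:
            continue  # hop budget spent; do not expand further
        for nxt in out_edges.get(current, []):
            if nxt not in paths:  # first visit is the shortest path and breaks cycles
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths

def screen_deposit(transfers, flagged, deposit_address, max_hops=4):
    """Exchange-side check: is this deposit address downstream of a flagged address?"""
    path = trace_from_flagged(transfers, flagged, max_hops).get(deposit_address)
    if path is None:
        return {"action": "allow", "hops": None, "path": []}
    return {"action": "freeze_for_review", "hops": len(path) - 1, "path": path}
```

The hop limit is the weak point of this approach: in the constructed data the same deposit is caught with max_hops=4 and missed with max_hops=3, which is why layering through intermediate addresses defeats shallow screening.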
It is worth noting that the future digital asset security defenses will no longer rely on single technologies or products, but on an ecosystem based on multi-agent collaboration. Through frameworks such as InterAgent, different functional security agents (such as threat detection agents, vulnerability audit agents, and on-chain tracking agents) can collaborate based on standardized protocols. Each agent has an independent digital identity and can perform task decomposition, dynamic collaboration, and automated response under the scheduling of smart contracts, upgrading security capabilities from fragmented, manual, and lagging modes to a unified, automated, and real-time core security capability.
From Theory to Practice — Guide to Building a "Blockchain Firewall"
A "blockchain firewall" centered on AI technology is an active defense system built through multi-agent collaboration, providing round-the-clock protection for digital assets.
The core capabilities of the blockchain firewall are first reflected in active prediction and real-time monitoring. Monitoring agents continuously analyze pending transactions in the blockchain memory pool and use graph neural networks to compute transaction patterns in real-time, allowing the system to identify malicious intent during the critical window before the attack is confirmed by the blockchain. Whether it is identifying related transactions with known hacker addresses or detecting new money laundering patterns, AI models can achieve accurate threat perception through behavioral analysis rather than fixed rules.
When an attack occurs, the blocking agents of the blockchain firewall demonstrate the key value of millisecond-level real-time blocking. The attack detection model, based on deep learning, can automatically trigger blocking mechanisms for the high-risk transactions it identifies, intervening before the asset transfer is completed. This capability is particularly suitable for responding to threats such as DeFi protocol attacks and ransomware fund transfers, transforming the traditional "post-event tracing" into "real-time blocking." This AI-powered blockchain firewall essentially builds a digital immune system capable of continuous learning and self-evolution. It upgrades security protection from passive patching of vulnerabilities to proactive risk intervention, expanding from single technical protection to a full lifecycle security system covering "prediction - protection - detection - response," establishing a trustworthy security boundary for digital assets in the "dark forest" of blockchain.
Today, as national-level hacker organizations have made digital assets a strategic target, the evolution speed of the defense system determines the stability of the security boundary. Artificial intelligence and agent technologies are not just technological upgrades, but strategic necessities to combat APT threats in the digital asset field. They are redefining the boundaries of security—from code to behavior, from individual to nation, and from passive to proactive. Only by embracing this intelligent agent-driven security revolution can we build a solid and intelligent new defense line in the digital economy era.