What offensive actions could you do with $100M?
The answer: yes
The recent Bybit hack is a great example of a highly sophisticated cyber-attack motivated by highly liquid money. It underscores how crypto-related companies need to scale their security energy to account for higher risk. The attackers made off with 1.4 billion dollars in Ether cryptocurrency, making it the largest "bank" heist in history, so let's put ourselves in their shoes and think about the planning side of this kind of attack.
The threat actors probably didn't know exactly how much they would get at the outset, just that an exchange like Bybit would have substantial reserves of 1 billion+ USD. They also didn't know they would be successful, so we have to put the expectation value of the attack at around 10% of the final value. Using security energy orders-of-magnitude, we can estimate the attack to have an upper bound of 100 million dollars. Said another way, if you expect 1 in 10 such attacks to succeed with a 1 billion dollar payoff, you can spend up to 100 million on each one. (Realistically even more, since the chance of a total shutdown of such an effort is low: you aren't spending that much money on a single critical path, as lower-tier attackers do.)
Reading through the incident report is a fascinating reminder of what's possible with high-level threat actors, as it involved manipulation of the UI at key points in the crypto lifecycle in order to insert fraudulent transactions. The decentralized and highly liquid nature of cryptocurrency also means that once the transactions are signed, that's it. Traditional finance transfers are slow and cumbersome because of checks, and those checks provide options for stopping payments. Physical assets, like say stealing the gold at Fort Knox (ignoring the current theatrics), would require an enormous amount of logistics to move, store, sell, etc. Once a cryptocurrency transaction is signed and accepted by the network (seconds), that's it.
If your business involves transacting or storing cryptocurrency, you must increase your security more than if this were another form of asset. The simple rule is to +1 your target security energy if the majority of your company's business or asset holdings are cryptocurrency. If you were SE4 by raw ARR, you need to secure like SE5. The Bybit hack is a demonstration of an IE6 attack with 1 million man-hours of energy. Don't be the next victim caught in a mismatch of defensive energy vs. attacker energy.
The influence energy tool I released on GitHub helps identify which techniques are in play at each security energy level and will help focus defenses on what matters the most, not just what's in the headlines.