
Are Blockchains Ready for Advanced Persistent Threats?
Why advanced persistent threats may be the next big test for decentralized systems.
Author: Seth Hallem
Editor: Ilya Leybovich

In May 2025, the Ethereum Foundation launched its Trillion Dollar Security Initiative. The Ethereum Foundation imagines a world where billions of people are “storing more than $1000 on-chain,” and where companies feel safe investing “1 trillion dollars inside of a single contract or application.” In this future, the Ethereum ecosystem would act as a fulcrum of the global economy, and any major disruption to the Ethereum blockchain would produce immeasurable costs in both real assets and economic havoc.
On October 20th, Amazon AWS experienced a major outage that originated in its US-EAST-1 data center and spread across 58 AWS services globally. Major websites went offline, and core crypto services including Coinbase, Ethereum, the Base L2, and the MetaMask wallet were impacted. Data from Ethernodes shows that 2,368 Ethereum execution nodes, accounting for 37% of the total network, are hosted by a single provider, Amazon AWS. While the root cause of the AWS outage appears to be a DNS issue rather than a malicious actor, the far-reaching impact of yesterday’s outage highlights AWS as a centralization risk in the crypto ecosystem. It also opens the discussion of what a determined, malicious actor could accomplish with an attack targeting cloud providers or other points of centralization in the Ethereum infrastructure.
Just a few weeks ago, Swissborg, which markets itself as “Europe’s #1 app for buying and selling crypto safely at low fees,” was drained of over $40 million. While the vector of attack is almost pedestrian (a stolen key), what is fascinating about the incident is that the attackers were unusually patient: they waited eight days after stealing the key before draining the funds. This patience is reminiscent of a far more dangerous type of attack: the Advanced Persistent Threat (APT). APTs are generally launched by state actors, who are often building cyber weapons designed to create economic or civil disruption in their intended target. This motivation stands in stark contrast to the typical, economically motivated attacker who makes a business of cyber theft.
In 2010, the concept of an APT was thrust into the popular imagination via a suspected, successful collaboration between the US and Israeli governments to build a cyber weapon targeting Iranian nuclear centrifuges. The Stuxnet worm was dubbed by many “the world’s first cyber weapon.” The worm stealthily spread across the Internet via a series of 0-day exploits in the Windows operating system. Because one of those exploits spread via USB drives, Stuxnet was able to move laterally from connected systems to “air gapped” systems in the Iranian nuclear facilities, i.e. systems entirely disconnected from the Internet. Stuxnet was first detected when visiting inspectors from the Atomic Energy Agency noticed the widespread and catastrophic malfunction of the facility’s Siemens centrifuges. Stuxnet patiently and purposefully embedded itself in the control systems attached to the Siemens devices, and when the timing was “right,” the worm launched its attack.
In 2018, Bloomberg News reported a supply chain attack perpetrated by a special unit of the People’s Liberation Army. The PLA was able to successfully attack a major motherboard manufacturer by embedding tiny chips in motherboards from a Shanghai factory. Infected motherboards were shipped to more than 30 US companies, allegedly including Amazon AWS and Apple. While the infected hardware was never confirmed as the cause of any cyber attack, its intended purpose was the theft of economic and government secrets flowing through corporate, cloud, and government networks. Worryingly, this type of economic cyber weapon is a key aspect of China’s economic growth strategy, and the attack’s connection to broad, top-down, long-term economic initiatives should serve as a warning that traditional hacker economics do not apply to nation-state actors.
The fundamental security mechanism of the Ethereum network relies on Proof of Stake consensus. In a Proof of Stake system, the economic cost of launching a destructive attack against the blockchain is significant enough that it is deemed infeasible to do so. However, as we have seen with the two examples above, economic incentives run orthogonal to the motivations of state actors who traffic in disruption and information rather than economic gain or loss.
The idea of a 51% attack is well-known to the blockchain community. The primary countermeasure against such an attack is the total value of staked ETH in the network. Manipulating the transaction flow of the network requires controlling 51% of the staked ETH, and at present about 35.8 million ETH is staked on the Ethereum network, valued at approximately $160 billion. To assume control of the majority of the staked ETH (if you hold none today and the network stops growing) would require an additional $160 billion, which is both economically prohibitive and difficult to accumulate without raising the suspicion of the Ethereum community.
However, there is another way to launch a disastrous 51% attack that would, if successful, afford the attacker the degree of control necessary to wreak economic chaos. Doing so requires an APT or, perhaps more accurately, a cyber weapon aimed at causing an extended denial of service for a large proportion of the nodes in the Ethereum network. Bringing a large number of validator nodes offline could trigger the inactivity leak mechanism in Ethereum, which rapidly drains staked funds from validator nodes that are offline so that the network can restore “finality” and continue normal operations. If a cyber weapon were able to simultaneously attack a large portion of the Ethereum network, such an attack could successfully disrupt the world economy, particularly if the Ethereum Foundation’s trillion dollar vision becomes a reality.
There are a few possible ways such an attack could work. The first version of the 51% attack follows this recipe: a well-funded, havoc-minded state actor slowly accumulates a network of Ethereum validators and, hence, staked ETH under its control. In normal operating conditions, these validators control a minority of the staked ETH and they generally behave well. The malicious actor(s) then launch a cyber weapon designed to bring a significant portion of the Ethereum validator nodes offline. If enough of the validator network (> 34%) is brought offline, finality can no longer be achieved and the offline nodes will rapidly lose their stake due to the inactivity leak mechanism. Once those funds are drained, even if the attacked validators come back to life, they no longer hold enough stake to participate in the Ethereum consensus mechanism and they are no longer relevant to the network. The remaining validator network is now much smaller, and the state actor could have accumulated enough stake to assume 51% control of the remaining network.
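The arithmetic behind this recipe can be checked with a simplified model of the inactivity leak. The following is an added example, not code from the original article: it leaks the offline validators epoch by epoch using the penalty formula and constants from the Ethereum consensus specs, stops when the online validators again hold two thirds of active effective balance (the point at which finality returns and the leak ends), and reports the attacker's share of what remains. It assumes 32 ETH per validator, that the attacker's validators stay online, that all offline validators are honest, and that effective balance is simply the balance rounded down to whole ETH.

```python
"""Simplified model of the inactivity-leak takeover arithmetic described above.
Assumptions: every validator holds 32 ETH; the attacker's validators stay online and
all validators knocked offline are honest; effective balance is the balance rounded
down to whole ETH (spec hysteresis and the short justification lag are ignored).
Constants are the Bellatrix values from the Ethereum consensus specs."""
from typing import NamedTuple

GWEI = 10 ** 9
FULL_BALANCE = 32 * GWEI
INACTIVITY_SCORE_BIAS = 4              # score growth per offline epoch during a leak
INACTIVITY_PENALTY_QUOTIENT = 2 ** 24  # INACTIVITY_PENALTY_QUOTIENT_BELLATRIX
EPOCHS_PER_DAY = 225                   # 6.4-minute epochs

class LeakResult(NamedTuple):
    epochs: int                 # epochs the leak runs before finality returns
    offline_balance_eth: float  # each offline validator's balance at that point
    attacker_share: float       # attacker's share of active effective balance then

def finalizes(n_online: int, n_offline: int, offline_effective: int) -> bool:
    """Justification needs attesting stake >= 2/3 of total active effective balance."""
    total = n_online * FULL_BALANCE + n_offline * offline_effective
    return n_online * FULL_BALANCE * 3 >= 2 * total

def simulate_leak(n_total: int, n_attacker: int, n_offline: int) -> LeakResult:
    """Leak the offline validators epoch by epoch until the online set holds 2/3 again."""
    n_online = n_total - n_offline
    if n_attacker > n_online:
        raise ValueError("attacker validators are assumed to stay online")
    balance = effective = FULL_BALANCE
    score = epochs = 0
    while not finalizes(n_online, n_offline, effective):
        score += INACTIVITY_SCORE_BIAS
        # Per-epoch penalty from the spec's get_inactivity_penalty_deltas.
        balance -= effective * score // (INACTIVITY_SCORE_BIAS * INACTIVITY_PENALTY_QUOTIENT)
        effective = balance // GWEI * GWEI
        epochs += 1
    total = n_online * FULL_BALANCE + n_offline * effective
    return LeakResult(epochs, balance / GWEI, n_attacker * FULL_BALANCE / total)

def share_if_fully_removed(offline_fraction: float) -> float:
    """Pre-attack share equal to half the stake left if offline validators vanished entirely."""
    return (1 - offline_fraction) / 2

if __name__ == "__main__":
    # Constructed figures: 1000 validators, 37% offline (the AWS share cited above), 32% attacker.
    r = simulate_leak(1000, 320, 370)
    print(f"{r.epochs} epochs (~{r.epochs / EPOCHS_PER_DAY:.1f} days); offline validators at "
          f"{r.offline_balance_eth:.2f} ETH; attacker share {r.attacker_share:.1%}")
```

Because the leak stops as soon as finality returns, the offline validators keep most of their stake in this model, so the attacker's pre-attack share needed for a majority is higher than the figure `share_if_fully_removed` gives; comparing the two outputs shows the difference.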
One possible implementation of such an attack would be a DDoS designed to exploit a 0-day vulnerability in the most prevalent Ethereum client, GETH. In the doomsday scenario documented here, an attack against GETH simply drains staking funds from the attacked validators, causing major economic damage. The economic cost is entirely different, however, if such a widespread outage is combined with an APT. While the diversification of Ethereum clients has improved dramatically over the last two years, it is still the case that >45% of execution clients in the Ethereum network run GETH.
A more subtle (but perhaps more troublesome) implementation approach would be to launch a DDoS via the supply chain to the supermajority of Ethereum nodes. For example, a 0-day exploit in the Linux operating system or one of its components could disrupt all nodes running on Linux, and ~80% of nodes run Linux. An attack against common Linux distributions such as Ubuntu or Debian could target a large majority of nodes while sparing the attacker’s nodes that are intentionally run on an alternative, lesser known, and patched version of the operating system.
Similar scenarios could target any part of the supply chain, including cloud hosting providers and other supporting libraries that are universally relied upon by validator clients. Given that many Ubuntu nodes, for example, now execute unattended upgrades, a supply chain attack against the Ubuntu upgrade repositories would be a fruitful path to launching such a DDoS.
There is yet another attack outline that is even more troubling. In this scenario, the attacker aims to gain control over Ethereum consensus while staying within the expected behavior of consensus nodes. Such an attack could combine technical and non-technical vectors. At the moment, almost 20% of the execution layer nodes in the Ethereum network are in China, and almost 30% of the consensus layer nodes are in the US. Imagine if China were to reach a 30% accumulation of nodes in the consensus layer. Using offline pressure, the Chinese government could manipulate the vote pattern of Chinese-hosted nodes, and using a hardware supply chain attack like the one introduced at the beginning of the article, China could manipulate nodes on foreign soil. The nation-state actor could then manipulate 50% or more of the consensus layer nodes to order transactions in a way that favors its interests. Detecting such an attack would be far more difficult than detecting a DDoS, as there would be nothing obviously wrong with the functioning of the compromised validator nodes. If executed patiently, it would take a careful analysis of transaction flow over time to see that the consensus layer was being manipulated.
As we have learned at a smaller scale from the Swissborg attack, crypto hackers are becoming more patient. While thieves may measure their patience in days, or perhaps weeks, state actors can wait for months or years. In the scenarios outlined here, the only path to restoring trust in the Ethereum ecosystem would be a hard fork at the social layer. While a hard fork has been done before, in 2016, the TVL and associated investor trust in the Ethereum ecosystem were far smaller at that time. Were the same to happen now, between the period of chaos while the validator network ratified the hard fork strategy and the associated loss of confidence in the Ethereum security model, billions of dollars would likely be lost without any hope of recovery. While those funds might not accrue to any attacker in particular, the economic destruction at the heart of the attacker’s motivations would be achieved.
While these attack scenarios may seem outlandish, a worm spreading worldwide from Windows machine to Windows machine targeting air-gapped Iranian centrifuges also seemed outlandish in 2009, as did a pencil-tip-sized chip embedded in server motherboards in 2018. Attacks are often considered impossible to pull off until it is too late. The purpose of presenting these attack scenarios is to issue a call to action for the Ethereum community. Through a concerted effort by the Ethereum community, the over-reliance on GETH has gradually abated. This commitment to diversification should be extended through the entire supply chain, including geographic locations, hosting providers, hardware providers, operating systems, and libraries.
The first step to diversification is good data. While the data currently available is a starting point, it is both incomplete (16.9% of nodes run on an unknown operating system) and too coarse (all “Linux” flavors are lumped into a single bucket). Enhancing data collection and visibility into true supply chain diversity would provide the basis for action. Visibility should be matched with funding from all interested parties to invest in true diversity.
Trillion dollar security is a brilliant vision for the Ethereum Foundation, and a worthy cause for the entire web3 community to pursue. However, as I have tried to illustrate, reaching that goal requires innovation and diversification far beyond the already amazing achievements of the Ethereum community. As a security provider, we see it as our role in the community both to stimulate the discussion and to participate in the solution.
A bold vision for Ethereum merits a bold threat model, and it is our intention to bring that perspective to the blockchain security community so that we can collectively make that trillion dollar vision a reality.