2018 was not a kind year for the cryptocurrency world. Valuations plummeted in a long, drawn-out “Crypto Winter” bear market. The top ten programs may have lost only 80% in total market capitalization, but other lesser-known brands lost 90% and more over this frigid period. Estimates are that nearly 1,000 companies shut their doors, either through lack of funds, poor business planning, or because they were outright frauds. Exchange compromises continued unabated, as professional hacking gangs filled their coffers with illicit loot. Recently released fraud reports assess the damage at nearly $2 billion.
One aspect of blockchain technology is that it is a public record that purportedly cannot be changed, thereby providing an accurate audit trail of all transactions within the system. We used the word “purportedly” because we found out during the last year that such a thing as a “51-percent attack” exists, where if some group can take control over a majority of the network nodes, it can modify the blockchain record. This type of attack is rare, since the power necessary is considered to be a deterrent.
51-percent attacks do not go undetected. They are like a broadside, where crooks fire a major salvo, move quickly to secure their trappings, and then disappear in the smoke before it clears. Setting this threat aside, the blockchain record is immutable, and due to this fact, research firms with the computing power and software wherewithal can analyze the historical record and ferret out details and patterns worthy of further scrutiny. Chainalysis and CipherTrace are two such companies that have completed major crypto research projects and are now reporting their results. Their reports reveal a chilling storyline of never-ending compromises of unprepared crypto exchanges and a steady stream of fraudulent Initial Coin Offerings (ICOs).
Billions have been lost in both cases in this nascent industry. The criminal element of our society can always count on the greed of investors to do them in, a fact borne out by so many investors throwing billions at any project that remotely sounded like it had anything to do with cryptocurrencies. Greed and the fear of missing out (“FOMO”) were the primary causes, as fraudsters laughed all the way to the bank. Blockchains, by their nature, only provide limited information, such as the sending and receiving addresses, a date and time stamp, and the amount. The ownership of an address for the most part is anonymous.
Exchange compromises, however, seem preventable, as long as technology is applied in a correct manner. The crypto ecosphere is filled with incredible talent, predominantly IT entrepreneurs and programmers, who are NOT security professionals. Exchanges sprang up across the planet, as independently owned enterprises, to meet investor demand, but there were no common standards or defined security protocols to dictate resource allocations. Many exchanges, unfortunately, were under-resourced and chose to neglect vital safeguards. Hacking criminals basically had a “Swiss cheese” firewall to overcome, and they have done so with a vengeance.
Crypto enthusiasts continue to hope for institutional investors to jump onboard the crypto train in big numbers, creating an avalanche of volume increases and an instant rebirth of the value appreciation trends that dominated 2017. There are a number of positive developments slated for 2019 that involve major institutional players laying groundwork for the eventual “avalanche”, so to speak, but banks and hedge funds will not come as long as fraud is a major component of the crypto eco-system. Something must be done to restore confidence in the system, but that effort will take time and resources.
What were the details of recently released crypto fraud analyses?
CipherTrace and Chainalysis are two research firms that monitor the blockchain space. Each company released its recent analyses of various aspects of crypto data trends for 2018, some of which began in 2017. Each company also approached the task at hand in a different way. The former chose to document actual known events and then confirm the data independently. As a result, CipherTrace states that its total figures are conservative at best, since many crimes go unreported. Chainalysis, on the other hand, analyzes data flows in the historical blockchain record for trends and pattern recognition.
CipherTrace reported that $1.7 billion in losses were absorbed by investors and crypto enterprises, the former being the primary victims since compensation programs and insurance are rare. Occasionally, exchanges have tried to reimburse their customers. The bankruptcy trustee for the infamous Mt. Gox tragedy is suspected of selling its remaining tokens in the marketplace. CipherTrace attributes $950 billion to exchange compromises and the balance to scams, including anything from phishing and social media scams to fraudulent ICOs and Ponzi schemes. The $950 billion figure does seem “light”, since another firm had determined that hacking losses were $978 billion after only three quarters into the year. Certainly, there were more losses to follow.
Their report noted: “The $1.7 billion number only represents stolen digital assets the firm was able to validate themselves, and they have little doubt that the true number of crypto asset losses is much larger.” The firm’s CEO, Dave Jevans, added: “Cryptocurrency criminal activity continues to evolve and accelerate. Fortunately, pending global legislation will hamstring many criminals, global gangs, and terrorist groups by greatly reducing their opportunities to launder. These tough new laws will drive bad actors to not only innovate but also flock to jurisdictions with weak regulatory oversight.”
The compromises of exchanges seem never to end, perhaps due to what Chainalysis was able to piece together from the transaction ledger. Per one report: “At least $1 billion of total exchange hacking losses to date are the result of two separate hacking gangs, each with its own modus operandi and individual personality. One gang acts with haste and a sense of urgency, while the other waits until publicity has faded before cashing out. In both instances, each firm disguises their movement of funds by layering the activity among multiple exchanges and utilizing as many as 5,000 transfer transactions before converting to fiat currency for ready withdrawal.”
Blockchain experts admit that they can put alerts on specific addresses where stolen loot resides, but crooks have learned to move quickly to cover their tracks by layering transactions, sometimes to the extent of 5,000 transfers, as noted above. Chainalysis explained that, “A successful laundering scheme involves ‘placing’ criminal funds into the financial system, moving them around or ‘layering’ to avoid detection, and then ‘integrating’ those funds into the real economy, usually through a business, to make them look like legitimate profit.”
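The following added example (not code from Chainalysis, CipherTrace, or any exchange) shows why an alert on the original theft address alone is not enough once funds are layered: it carries a "taint" amount forward through each transfer so that a deposit at a watched exchange address is still flagged several hops later. The ledger, address names, and the proportional-taint rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample ledger, chronological: (tx_id, sender, receiver, amount).
LEDGER = [
    ("t1", "theft_wallet", "hop_a", 60.0),
    ("t2", "theft_wallet", "hop_b", 40.0),
    ("t3", "hop_a", "hop_c", 60.0),
    ("t4", "clean_user", "hop_c", 60.0),        # unrelated funds mixed in
    ("t5", "hop_c", "exchange_dep_1", 90.0),
    ("t6", "hop_b", "exchange_dep_2", 40.0),
    ("t7", "clean_user", "exchange_dep_3", 10.0),
]
FLAGGED = {"theft_wallet": 100.0}               # address -> known stolen amount
EXCHANGE_DEPOSITS = {"exchange_dep_1", "exchange_dep_2", "exchange_dep_3"}

def trace_taint(ledger, flagged, watch, min_taint=1.0):
    """Return (tx_id, address, tainted_amount, hops) for watched deposits."""
    balance, taint, hops = defaultdict(float), defaultdict(float), {}
    for addr, amount in flagged.items():
        balance[addr] = taint[addr] = amount
        hops[addr] = 0
    alerts = []
    for tx_id, src, dst, amount in ledger:
        # Assumption: funds an address held before the observed window are clean.
        if balance[src] < amount:
            balance[src] = amount
        # Proportional rule: an outgoing transfer carries the sender's taint ratio.
        moved = amount * taint[src] / balance[src] if balance[src] else 0.0
        balance[src] -= amount
        taint[src] -= moved
        balance[dst] += amount
        taint[dst] += moved
        if moved > 0:
            hops[dst] = min(hops.get(dst, hops[src] + 1), hops[src] + 1)
            if dst in watch and moved >= min_taint:
                alerts.append((tx_id, dst, round(moved, 2), hops[dst]))
    return alerts

if __name__ == "__main__":
    for alert in trace_taint(LEDGER, FLAGGED, EXCHANGE_DEPOSITS):
        print(alert)
```

With thousands of hops and mixing at each one, the tainted share reaching any single deposit shrinks, which is why the choice of `min_taint` threshold matters for detection.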
Security professionals speculate that these hacking gangs are actually syndicates backed by nation-states, which heavily fund the activity and provide expertise from national intelligence agencies, as well. The Lazarus Group is known to be affiliated with North Korea, for example, and is the leading suspect behind many of these attacks. Going forward, experts have provided the following warning: “Nation-states increasingly view cyberwarfare as a cost-effective component of geopolitical and economic competition. Many will enlist and fund the efforts of cybercriminal gangs to create chaos, steal intellectual property, and profit from fraud and extortion by breaching personal data.”
As long as these criminal exploits are profitable and targets remain easy to come by, we should not expect any serious decline in these activities in the near-term future. Jevans of CipherTrace clarifies: “It’s definitely not going to slow down. It’s still a massive multi-billion-dollar business and has gotten more sophisticated and bigger — what we’re seeing in 2018, we’ll see through 2019.”
What are a few notable examples of exchange breaches and how did they occur?
It is not difficult to find significant examples of major thefts in the hundreds of millions of dollars in the crypto exchange arena. There are over 250 exchanges, spread out over the globe by the latest estimates, and only a few of these have been “hack-proof” to date. Although few details are ever disclosed, the truth of how these breaches occur is actually quite simple.
The wiser exchanges have always stored private keys and as much as 98% of account balances in what is called “cold storage”, an area that is not connected to the Internet or internal operating systems. External procedures permit a release of funds when the investor seeks to trade, transfer, or withdraw. When the investor has direct access to his funds, they reside in a “hot wallet”, awaiting his orders, but also available to a crook that has penetrated the exchange’s firewall. Once stolen, the race is on to transfer and layer the confiscated tokens and eventually convert them to fiat currency.
The most famous exchange compromise was Mt. Gox in 2014. At that time, this Tokyo-based exchange was the largest in the business, but it was hacked to the tune of $473 million in Bitcoins. The bankruptcy trustee is still trying to close this dour chapter in the annals of crypto-land. The latest news is that an independent analysis suggests that the trustee may have dumped remaining Bitcoin assets on the market in early 2018 in order to raise $310 million.
There are small to medium-sized hacks, too, but the large ones continue to grab large press headlines, as you might expect. In early 2018, Coincheck was the big story. In late January on a Friday, the COO for the exchange announced that $533 million in NEM coins had gone missing, having been moved from a “hot wallet” to other addresses. The CEO later cited staff shortages and technical difficulties, as the reasons. Exchanges were alerted of the addresses where the ill-gotten gains resided, but two months later, the crooks were able to move the funds without detection.
A word about ICO fraud
Exchange compromises can occur in an instant, but it may take months to convert stolen funds to actual fiat. Even though addresses are known, tracking on the blockchain becomes exceedingly complex after a few months' time. ICOs, however, may span a period of months to years before the full extent of the fraud becomes known.
Initial funding may take place over years, then the development effort suspiciously closes its doors or the management team disappears with the loot in the dead of night, an “exit scam”, as it were. Whatever the method employed, the result is the same – huge losses for investors, in the billions of dollars. Investors are advised to curb their greed and perform extra due diligence before investing.
The cryptocurrency industry has its work cut out for it – police the prevalence of fraud in its midst or submit to government authorities for oversight and its consequences. Either option will take time and resources, but something must change.