More than $14 billion worth of cryptocurrency was lost to cybercrimes in 2021, followed by billions more this year. These staggering losses underscore the need to understand and stay ahead of the security threats and legal risks facing the crypto industry.
Types of threats
As blockchain technologies reduce friction for the decentralization of financial infrastructure and other new use cases, they also present an attractive target for threat actors who exploit the industry’s nascent security controls.
Private key theft. Many crypto holders store their own keys in hot (software) or cold (hardware) wallets. Whoever holds the private keys controls the cryptographic asset. The security of keys depends on the security of the person or entity that holds them.
The immutability of the blockchain makes on-chain transactions irreversible, unlike transactions in the traditional financial system, which rely on financial institution intermediaries who can freeze funds and reverse transactions.
Even when a third-party exchange retains custody of the keys on behalf of users, hackers have penetrated systems to steal funds. In March, for example, hackers compromised private keys associated with the Axie Infinity crypto game and stole over $600 million in crypto. The US Treasury Department linked the attack to the North Korean state-sponsored Lazarus group and added the wallet address used in the theft to its Specially Designated Nationals list.
Software exploitation. Traditional banks are no strangers to software exploits. Now hackers are turning to crypto. Many crypto hacks over the past year have taken advantage of vulnerabilities in the code used to process smart contracts or in the underlying crypto software.
In the Poly Network attack, for example, a hacker exploited a smart contract vulnerability that allowed him to alter administrative permissions for performing blockchain transactions, enabling the theft of hundreds of millions of crypto assets.
Scams and frauds. Scammers have defrauded tens of thousands of consumers out of more than $1 billion in crypto since 2021, according to the Federal Trade Commission. These scams offer fake investment opportunities, prey on those looking for a romantic relationship, or involve the impersonation of legitimate businesses. Rug pulls are another scam, in which a creator sells tokens, raises funds and promises a future launch, but then absconds with the funds.
Legal risks and practical advice
Regulatory monitoring. Regulatory actions following software vulnerabilities have been taken with some frequency outside of the crypto industry.
Equifax, for example, has settled with the FTC, the Consumer Financial Protection Bureau and 50 state attorneys general for more than $500 million for failure to fix software vulnerability issues.
Regulators are now turning their attention to the crypto industry’s cybersecurity controls. President Joe Biden’s Crypto Executive Order of March 2022 directs the government to “prioritiz[e] … Security [and] fight illicit exploitation” of digital assets.
The FTC is monitoring crypto scams, foreshadowing enforcement actions potentially to come. The New York Department of Financial Services recently pointed out that the cybersecurity controls expected of traditional financial institutions apply to crypto businesses under DFS jurisdiction.
In August, the Office of Foreign Assets Control sanctioned the crypto mixer Tornado Cash, which was allegedly used to launder $7 billion worth of crypto, including the proceeds of hacks, after sanctioning Blender.io earlier this year. These actions by OFAC create compliance issues for entities that may have interacted with sanctioned blockchain addresses or platforms.
Law enforcement prioritization. The DOJ’s crypto efforts this year have already resulted in its largest financial seizure ever: $3.6 billion worth of crypto tied to a 2016 hack of virtual currency exchange Bitfinex.
On June 30, the DOJ also announced charges against six defendants allegedly involved in an NFT rug pull scam and a fraudulent initial coin offering. The FBI on the same day added the “Cryptoqueen” to its Ten Most Wanted Fugitives list based on an alleged $4 billion fraud scheme involving “OneCoin”.
In light of the emphasis on regulation and enforcement, organizations would be prudent to develop incident investigation, remediation and response policies and procedures.
Identifying risks and documenting a response plan can prepare an organization to act quickly and effectively when an incident occurs. The $600 million Axie Infinity hack illustrates the value of strong detection and response: the attack went undiscovered for six days, and that delay resulted in additional losses.
Because tracing transactions is difficult, cooperation with law enforcement can also bear fruit. With the cooperation of the victims, the DOJ and the FBI have recovered ransomware payments transacted over blockchains.
Private sector cooperation can also be helpful. Several vendor-created and community-driven tools exist for reporting hacks and malicious crypto activity, and private sector efforts have led to successful law enforcement actions against hackers.
Civil claims. Security incidents also expose crypto platforms to litigation risk. Litigants have alleged that crypto exchanges were negligent in failing to prevent unauthorized account transactions or to identify criminal proceeds that malicious actors allegedly moved through an exchange.
Even traditional businesses face litigation risks from cryptocurrency hacks.
Two major mobile phone providers, for example, have faced cases alleging that their negligence led to SIM swapping attacks that stole millions of dollars in crypto.
Takeaways for Crypto Businesses
Hackers rake in billions of dollars in profit by attacking crypto organizations. Regulators have long focused on cracking down on companies with inadequate cybersecurity protections and are poised to take such actions in the context of cryptocurrency.
Given the wide range of threats, crypto organizations should focus on establishing a foundation of strong cybersecurity processes and innovations.
This article does not necessarily reflect the views of the Bureau of National Affairs, Inc., publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Alex Iftimie is a partner and co-chair of Morrison & Foerster’s Global Risk + Crisis Management practice group. He is a former Justice Department national security official. He is based in San Francisco.
Michael Burshteyn is a partner at Morrison & Foerster in San Francisco. He has argued cases in federal and state courts in California, as well as federal courts in New York, Texas and Ohio.