No amount of doodles, numbers, and letters in your password can help recover your Bitcoins stored on a crypto-exchange if it happens to get hacked. However, the main target here is not your crypto-wallet, but exchanges. Data breaches have a devastating effect on not just the platform, but also the users whose data has been compromised. Hence, cybersecurity has become an increasingly hot topic and it’s no surprise, why.
Cryptocurrency exchanges, both small and large, have been at the frontlines of this not-so-silent war that has been going on for quite some time now. However, what effect do proper crypto-regulations have on the ability of exchanges to fight this war? Well, there’s no one answer, but case studies will be pretty useful to speculate about one.
The curious case of Mt. Gox
It’s really a tradition to talk about one of the most notorious hacks in the history of the cryptocurrency industry. In mid-2011, a hacker successfully accessed the credentials of Mt. Gox’s auditor. Wasting no time, the hacker transferred over 2,600 BTC to another address. Despite this, the exchange survived for three more years and handled roughly 70% of all Bitcoin transactions, only to realize that the hacker was slowly taking away Bitcoin from users all these years.
While recovery of some 200,000 Bitcoins did little to improve all the bad press, the exchange’s, and by extension, the industry’s tattered reputation was made worse by the fact that CEO Mark Karpelès was found guilty of deliberately meddling with financial records in an effort at a cover-up.
The case leads one to ponder. Would stricter crypto-regulations have arrested some of the developments that transpired in the case of Mt. Gox? Maybe. Maybe not. While it is evident crypto-regulations weren’t the rage then, it is pertinent to compare Mt. Gox with the cases of those exchanges that value their cyber-security more highly. It is also pertinent to check cyber-security against geographical dispositions.
Are United States-based crypto exchanges better at their game?
In recent times, however, the United States’ exchanges have managed to keep trouble at bay, at least better than their Asian counterparts.
Like everything, alas, this was a process. Technology around the world is evolving and so have cyber-threats and cyber-security. The United States did take its own sweet time realizing that.
A Timeline [2011-2019]
Well-known U.S-based cryptocurrency exchange, Poloniex, lost 97 BTC in a hack back in 2014. While it soon reimbursed the stolen coins, it also implemented continual automatic auditing of the entire exchange and also bolstered the security of all servers. Further, exchange redesigned the way commands are processed so that an exploit such as this one would be impossible to execute.
That wasn’t the only case of a Bitcoin meltdown. While a few platforms did manage to dust off and get back to business, many of them succumbed or pulled off exit scams under the camouflage of external breach. The following chart, which shows hacks in crypto-platforms over a period from 2018-2019, has been incorporated with data from CryptoSec and SelfKey.
Let’s look at last year’s numbers. There were 12 cryptocurrency exchanges that got hacked in 2019, out of which most were based out of Asia, 8 precisely. There were 3 South Korean exchanges that were compromised while the same for Singapore stood at 3. Vietnam and Japan, each had 1 crypto platform which was hacked.
There was one high profile hack that stole the show last year, however. It was New Zealand-based Cryptopia. The now-defunct crypto-exchange was the target of a $16 million theft which continued for two weeks after its detection until the exchange managed to regain control of its wallets.
After Cryptopia, it was Binance. The Malta-based exchange is one of the most popular and trusted platforms in the crypto-industry, only this time, the funds weren’t ‘SAFU.’
None of these exchanges were U.S-based. At least in 2019. Apart from Poloniex in 2014, other crypto-platforms such as Gemini, Kraken, Changelly, itBit, etc. have never been compromised.
This doesn’t mean there haven’t been attempts by bad actors. Coinbase was targeted once, however, it managed to thwart what it called, “a sophisticated, highly targeted, thought out attack” using “spear phishing/social engineering tactics and, most importantly, two Firefox 0-day vulnerabilities.”
2020 – the year so far
Two major breaches happened in the first quarter of 2020 – decentralized finance [DeFi] platform, bZx, was attacked twice, and Italy-based Altsbit’s massive hack cost it 6,929 BTC of the total 14,782 held.
Many would agree that we have had better years than this one. Five months into the year, four of which had gone down fighting the pandemic, it seems like even hackers have taken a break.
But, what can we gather from the above charts? There were no American exchanges that got hacked last year and we can safely say, not until press time either.
In fact, according to a study titled, ‘Cyber-Attacks and Cryptocurrencies,’ cybersecurity firms in the U.S respond more actively to cyber-attacks leading to safer crypto-trading environments. Additionally, it also noted that the U.S spends more wealth in cyber-security, when compared to other countries.
The paper added,
“Cryptocurrency exchanges are more vulnerable to cyber-attacks in the non-US countries and in the presence of high economic uncertainty and less so if the industry sector is already being targeted”
If stats are to be taken into account, around 58% of the world’s digital security firms are based in the U.S. To top that, in the latest Global Cybersecurity Index [GCI] rankings, the United States was positioned second-best in terms of its “dedication” to cybersecurity with a “high” commitment on a global scale.
It would thus seem that American crypto-firms value their security. But, are local laws and regulations doing their part?
As criminals adapt to new technology, the laws cannot lag behind
In light of how decentralized and asymmetric the industry can be, regulations are crucial. But, how will regulations help platforms secure themselves from breaches?
In the case of banks and regulated industries, if your money is stolen, you can get it back. This is not the case when crypto-funds are stolen from an exchange. It’s gone forever.
The 2017 bull run was a case fueled by misinformed, get-rich-quick investors. But, the dynamics have clearly changed, and legitimate investors have now replaced the ones who anticipated their investments to “go to the moon.” Intense institutional trading was observed on the derivatives side.
With regulations in place, it might not be the decentralized utopia that was once imagined, but there will be an entity closely looking over the service providers in the space, thus will be able to detect any suspicious activity such as a transaction requests or fishy fund movements.
Proper regulations, with the implementation of AML and other necessary battle-tested infrastructure, will not only identify and guarantee action against malicious actors, but would also put in the effort for additional research and development in the sector.
This is a hot-button topic. For instance, Daniel Kim, Head of Revenue at SFOX, told AMBCrypto that while U.S regulations wouldn’t help crypto-exchanges from breaches or hacks, it will, however, “help protect consumers and investors in making sure their assets are safe and protected, ultimately easing any concerns for new market entrants and leading the way for adoption.”
Security, a second option?
But, regulations did not stop Japanese exchanges from being compromised, even after developing an intensive framework for crypto-asset businesses. The country is known for developing a licensing regime and regulatory apparatus dedicated to overseeing cryptocurrency exchanges.
The regulations were put in place three years after the infamous Mt. Gox. affair. However, that did not stop the hackers from breaching three other Japan-headquartered platforms, Coincheck and Zaif in 2018 and Bitpoint next year. The main reason for this failure, according to Thomas Glucksmann of Vice President of Global Business Development at Merkle Science was, in fact,
“..an overemphasis in regulatory framework on anti-money laundering policies and procedures, which burdened exchanges with extensive process, compliance-manual and human resource requirements instead of enforcing best practices for securing cryptoassets and preventing security breaches.”
The exec told AMBCrypto,
“When we look at other regulatory frameworks for cryptoasset businesses across the region, there is a similar focus on financial crime compliance whereas security is not given an equal amount of weighting, indicating that it may not be considered as important.”
He also clarified that the most “recent update to the frameworks in Japan does now require crypto-asset businesses licensed in the country to follow best practices for crypto-asset storage, as does the licensing regimes of Singapore and Hong Kong”. Glucksmann further said that for the most part, the culture around cybersecurity in Asia currently lags far behind that of the United States, adding,
“[In the US] the mentality around corporate cybersecurity is akin to warfare and many cybersecurity specialists employed by firms, including crypto-asset businesses come from military or intelligence backgrounds. Often the CISO, Chief Information Security Officer or CSO, Chief Security Officer is among one of the most important hires at US-based crypto-asset exchanges”
Talk about commitment
One of the biggest proponents of the self-regulatory model is the cryptocurrency exchanges, Kraken. And this platform has withstood the test of time.
Kraken is not a regulated exchange. In 2015, the New York Attorney General’s office declared that crypto-platforms operating within the state would need to comply with licensing procedures. This would mean that the state would have access to data of not only the platform, but also its customers, an idea that Kraken CEO Jesse Powell did not really like. He not only refused to give in but also pulled out of NY operations.
It has been nine years since Kraken was founded and seven years since it first opened its doors to traders. It does not have a single record of a breach.
So, it’s really a moot point, to regulate or to not, and what lies ahead is a lot of uncertainty. Only time will tell if the benefits of regulations outweigh the cons in the long run.
On one hand, there is Asia, in which countries like Singapore, South Korea, and Japan have a regulatory framework. These countries have all seen hacks in recent years.
On the other hand, its U.S counterparts have been comparatively safer. But, if security is not given utmost importance by regulators and precautions to protect customers from the most impenetrable online vulnerabilities are not given number one priority, what good are regulations? Alexander S. Blum, Co-founder & COO at Two Prime, told AMBCrypto,
“..intelligently crafted regulation that specifically addresses the security concerns salient to blockchain technologies would put structural safeguards in place that could also help.”