The ransomware attack on Colonial Pipeline hit the headlines in May. Colonial Pipeline decided to pay the hackers who invaded their systems nearly $5 million (75 bitcoins) to regain access. Over the next several weeks, the FBI traced the address of the wallet the criminals gave to Colonial to make the payment, according to Bloomberg. At that point, federal law enforcement seized the assets, recovering 2.3 million worth of the bitcoins transferred.
The FBI said in its request for a warrant that its investigators had in their possession the private key for that cryptocurrency wallet. How they obtained the private key, which is closely held, is unclear. One scenario is that the hackers had chosen to entrust the private key for their Bitcoin to a cryptocurrency exchange, which was forced to hand over the funds to the FBI.
This incident is a reminder of the threat of cyber attacks on critical infrastructure in the U.S. and the use of cryptocurrency in ransomware attacks. Criminals favor Bitcoin and other cryptocurrencies because of the pseudo-anonymous nature of the technology, and funds in the wallet can be accessed only with a complicated digital key.
It also serves as a case study of the risks and controls of the cryptocurrency platforms that facilitate the trading of cryptocurrencies.
- Innovation in blockchain explorers, or crypto search engines, means that every transaction can be traced through the blockchain that underlies the technology. The digital ledger publicly records every transaction, with users identified by a string of characters called a “wallet address.” If a third party figures out a wallet’s owner, it can access that person’s entire transaction history.
- When the private key is held in a custodial wallet of the exchange, the funds can be exposed to theft if the crypto exchange’s systems are compromised. Centralized cryptocurrency exchanges like Coinbase and PayPal hold onto the private keys associated with users’ wallets on the platform. Users then rely on the controls in place at the exchange when they leave their Bitcoin or other cryptocurrency there.
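The ledger tracing described in the first bullet above, as an added example that is not part of the original article: it follows a constructed ransom payment through a small constructed ledger and reports how much of it lands at addresses an investigator has already attributed to custodial exchanges. The ledger, the address names, the labels and the taint-first accounting rule are all assumptions, and the account-style model is a simplification (Bitcoin itself tracks unspent outputs, not balances).

```python
from collections import defaultdict

# Constructed ledger, not real chain data: (txid, sender, receiver, amount in BTC),
# listed in chronological order.
LEDGER = [
    ("tx1", "victim", "ransom_wallet", 75),
    ("tx2", "ransom_wallet", "affiliate_a", 60),
    ("tx3", "ransom_wallet", "operator_b", 15),
    ("tx4", "bystander", "affiliate_a", 5),       # unrelated funds mixed in
    ("tx5", "affiliate_a", "exchange_deposit_1", 40),
    ("tx6", "operator_b", "intermediate_hop", 15),
    ("tx7", "intermediate_hop", "exchange_deposit_2", 6),
]

# Hypothetical attribution labels an investigator might hold for some addresses.
KNOWN_SERVICES = {
    "exchange_deposit_1": "Exchange X (custodial)",
    "exchange_deposit_2": "Exchange Y (custodial)",
}

def trace_funds(ledger, seed):
    """Follow funds received by `seed` forward through the ledger.

    Assumed rule: tainted coins are spent first, so each outgoing transfer
    carries min(amount, sender's tainted balance) of taint to the receiver.
    Returns (tainted balance per address, list of hops that moved taint).
    """
    tainted = defaultdict(int)
    hops = []
    for txid, sender, receiver, amount in ledger:
        if receiver == seed:
            moved = amount                      # everything paid to the seed is tainted
        else:
            moved = min(amount, tainted[sender])
            tainted[sender] -= moved
        if moved:
            tainted[receiver] += moved
            hops.append((txid, sender, receiver, moved))
    return {a: v for a, v in tainted.items() if v}, hops

def custodial_exposure(ledger, seed, labels):
    """Tainted amount sitting at addresses attributed to a known service."""
    balances, _ = trace_funds(ledger, seed)
    return {labels[a]: v for a, v in balances.items() if a in labels}

if __name__ == "__main__":
    balances, hops = trace_funds(LEDGER, "ransom_wallet")
    for hop in hops:
        print(hop)
    print(balances)
    print(custodial_exposure(LEDGER, "ransom_wallet", KNOWN_SERVICES))
```

The traced amounts always sum to the original payment, so whatever is not attributed to a labelled service is still sitting at unlabelled addresses.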
Crypto investors who are more sophisticated and security-conscious tend to keep their coins away from major trading apps, such as on ‘cold’ wallets and USB keys. In reaction, the fintech firm Square is reported to be developing non-custodial bitcoin hardware wallets to give investors sole control of their private keys and retain greater control of their cryptocurrency.
The boom in cryptocurrency investing has made the industry an attractive target for malicious hackers and thieves carrying out frauds, scams and thefts. In 2018, cryptocurrency crimes reached $1.7B in value, according to CipherTrace’s annual Crypto Anti-Money Laundering and Crime Report. This figure soared by almost 165% year-over-year to $4.5B in 2019, before dropping to $1.9B in 2020.
A range of vulnerabilities affects crypto exchanges, from operator error and security flaws to malware that searches hard drives for wallet credentials and private keys. This has led regulators to call for greater protection of customers and investors. Internal controls modeled on established financial institutions include robust verification of new accounts that complies with Know Your Customer (KYC) and Anti-Money Laundering (AML) rules. Since most cryptocurrency services and exchanges fall outside financial services regulations, standards of integrity and security are inconsistently followed.
On the internet you can even find examples of cryptocurrency exchanges advertising that they do not conduct KYC verification of customers; customers are allowed to keep their personal information to themselves. One such exchange is Binance, the world’s largest crypto exchange, based offshore. I note that Binance is currently under investigation by the U.S. Internal Revenue Service and the Department of Justice for money laundering and tax offenses.
A challenge for trading technology is to maintain the level of security, anti-fraud and other capabilities in keeping with greater volumes and types of transaction. Larger centralized crypto exchanges have had to tackle system outage issues amid extreme market volatility. They are deploying RegTech tools for advanced KYC/AML risk monitoring and analytics to achieve their risk management and compliance strategy.
Insiders fear that tighter internal controls and more regulation will deter innovation and push the business offshore. In a recent paper in the Journal of Financial Regulation, Brian Feinstein and Kevin Werbach, Wharton professors of legal studies and business ethics, argue that greater regulation of cyber platforms would not necessarily dampen enthusiasm for crypto or push trading to more laissez-faire countries. They studied trading activity at several exchanges worldwide following key cryptocurrency regulatory announcements. Good business drives out bad. As bad actors leave, legitimate investors, from day traders to major investment firms, become more prominent, they argue.
In conclusion, the Colonial Pipeline hack and FBI investigation have provided a case study of the systems and controls of cryptocurrency trading venues, particularly relating to the risks of security breaches, KYC/AML and custody of private keys. Exchanges and other platforms remain vulnerable, and security and compliance frameworks must continue to be made robust to prepare and defend against potential hacks and thefts of customer assets, and keep fraudsters and money launderers away. This can be a competitive advantage.