Types of threats
As blockchain technologies reduce the friction for decentralization of financial infrastructure and other new use cases, they also represent an attractive target for threat actors who exploit the nascent security controls of the evolving industry.
Theft of private keys. Many cryptocurrency holders keep their keys in hot (software) or cold (physical hardware) wallets. Whoever holds the private keys controls the crypto asset. The security of the keys is as good as the security of the person or entity that holds them.
The immutability of the blockchain makes on-chain transactions irreversible, in contrast to transactions in the traditional financial system, which relies on financial institutions as intermediaries that can freeze funds and cancel transactions.
Even when a third-party exchange holds custody of keys on behalf of users, hackers have penetrated systems to steal funds. In March, for example, hackers compromised the private keys associated with the Axie Infinity crypto game and stole over $600 million worth of cryptocurrencies. The U.S. Treasury Department linked the attack to the state-sponsored Lazarus Group of North Korea and listed the address of the wallet used to steal funds on its Specially Designated Nationals List.
Exploitation of the software. Traditional banks are no stranger to software exploits. Now, hackers are turning to cryptocurrencies. Many crypto hacks in the past year have exploited vulnerabilities in the code used to process smart contracts or underlying cryptographic software.
In the Poly Network attack, for example, a hacker exploited a smart contract vulnerability that allowed them to change administrative permissions for executing blockchain transactions, allowing hundreds of millions of dollars in cryptocurrencies to be stolen.
Scams and frauds. Scammers have defrauded tens of thousands of consumers of more than $1 billion in cryptocurrencies since 2021, according to the Federal Trade Commission. Such scams offer false investment opportunities, prey on those who seek love or involve the impersonation of legitimate businesses. Rug pulls are another scam, in which a creator sells tokens, raises funds and promises a future launch, but then flees with the funds.
Legal risks and practical advice
Regulatory scrutiny. Regulatory actions following software vulnerabilities have been initiated with some frequency outside the cryptocurrency industry.
Equifax, for example, settled with the FTC, the Consumer Financial Protection Bureau and 50 state attorneys general for more than $500 million for failing to fix software vulnerabilities.
Regulators are now focusing on the cybersecurity controls of the cryptocurrency industry. President Joe Biden’s March 2022 Cryptocurrency Executive Order directs the government to “prioritiz[e] … safety [and] fight illicit exploitation” of digital resources.
The FTC is monitoring crypto scams, foreshadowing potential imminent enforcement actions. The New York Department of Financial Services recently pointed out that the cybersecurity controls provided by traditional financial institutions apply to crypto assets under the jurisdiction of DFS.
In August, the Office of Foreign Assets Control sanctioned the Tornado Cash mixer, allegedly used to launder $7 billion from crypto hacks, after sanctioning Blender.io earlier this year. These OFAC actions create compliance challenges for entities that may have interacted with sanctioned blockchain addresses or platforms.
Law enforcement priorities. The DOJ’s efforts in the cryptocurrency industry this year have already led to its biggest financial seizure ever: $3.6 billion in cryptocurrency tied to a 2016 hack of the Bitfinex virtual currency exchange.
On June 30, the Justice Department also announced charges against six defendants allegedly involved in an illegal NFT scam and a fraudulent initial coin offering. The FBI, on the same day, added “Cryptoqueen” to its list of ten most wanted fugitives based on an alleged $4 billion fraud scheme involving “OneCoin”.
In light of the focus on regulation and law enforcement, organizations would be prudent to develop policies and procedures for incident investigation, remediation and response.
Identifying risks and documenting a response plan can prepare an organization to act quickly and efficiently when an incident occurs. The $600 million Axie Infinity hack illustrates the benefits of optimizing detection and response, as the six days that elapsed before the attack was discovered resulted in additional losses.
Due to the difficulties in tracking transactions, cooperation with law enforcement can also pay off. Following cooperation from victims, the Department of Justice and the FBI have recovered funds transferred over the blockchain in connection with ransomware.
Private sector cooperation can also help. There are several vendor-built and community-driven tools to report malicious crypto hacks and attacks, and private sector efforts have led to successful law enforcement action against criminal hackers.
Civil litigation claims. Security incidents also expose crypto platforms to litigation risk. Litigants have alleged that cryptocurrency exchanges were negligent in failing to prevent unauthorized account transactions or to identify criminal proceeds that malicious actors allegedly moved through an exchange.
Traditional businesses also face the risk of litigation following cryptocurrency hacks.
Two major cell phone providers, for example, have faced cases alleging that their negligence resulted in SIM swapping attacks in which millions of dollars in cryptocurrencies were stolen.
Takeaways for cryptocurrency companies
Hackers are reaping billions of dollars in profits by attacking crypto organizations.
Regulators have long focused on enforcement against companies with inadequate cybersecurity protections and are ready to bring such actions in the cryptocurrency context.
Given the wide-ranging threats, crypto organizations should focus on building the foundation of robust cybersecurity processes and innovations.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
About the author
Alex Iftimie is a partner and co-chair of Morrison Foerster’s Global Risk + Crisis Management practice group. He is a former national security officer with the Justice Department. He is based in San Francisco.
Michael Burshteyn is an attorney at Morrison Foerster in San Francisco. He is an external consultant to cryptocurrency companies, discusses cryptocurrency and data security disputes, and previously founded a cybersecurity startup.