Hacking of crypto-asset exchanges and losing access to accounts
66. Crypto-asset exchanges enable people to use fiat currency to buy crypto-assets, such
as Bitcoin.101 Crypto-asset exchanges can be custodial or non-custodial. Custodial
crypto-asset exchanges hold crypto-assets on behalf of their customers, whereas non-custodial crypto-asset exchanges do not have custody of customers’ money. In these cases,
customers have complete ownership of their money and are responsible for its security.
David Raw, Deputy Director of Banking and Credit at HM Treasury, told the Committee
it is the custodial exchanges that are at a greater risk of being hacked.102 To hack a non-custodial exchange would be to hack the blockchain itself, which, as far as is known, has
not yet been successfully done.
67. Several custodial crypto-asset exchanges have been hacked and customers’ crypto-assets have been stolen.
For example, on 28 February 2014 Mt Gox, a Japanese Bitcoin
exchange, filed for bankruptcy after announcing that it may have lost all of its investors’
virtual coins, after its computer system was hacked.103 More recently, over the weekend
commencing 9 June 2018, South Korean exchange Coinrail suffered a cyber-attack which
caused a loss of approximately 30 per cent of the crypto-assets traded on the exchange.104
68. Martin Etheridge, Head of Notes Operations at the Bank of England, noted the
importance of distinguishing between the hacking of crypto-asset exchanges and the
hacking of the blockchain:
This reinforces the need for a distinction between the underlying technology
and the tokens themselves, because people will tell you how resilient and
secure distributed ledger technology is but, when you look at the system that
is currently in operation, it is not the distributed ledger that is being hacked;
it is the custodians [i.e. the custodial wallet providers and exchanges] that
are being hacked.
69. When asked why crypto-asset exchanges appeal to hackers, Izabella Kaminska,
Editor of the Financial Times Alphaville, argued that the characteristics of crypto-assets
and the underlying technology incentivises and facilitates their theft:
On the hacking point, it is important to put this in lay terms. What we
have here is the creation of a bearer asset.
We hear a lot about how amazing
it is that the blockchain is immutable. The downside of immutability is
that if somebody steals your asset it continues down the chain, unless we
start to blacklist said coins that have been stolen.
[…] In terms of what we
are talking about physically, we are talking about [crypto-asset owners’]
capacity to remember a very complicated string of numbers [which] is what
gives you access to your funds. It is all about how securely those numbers
can be kept.
[…] If a criminal finds your string they have full access. By the
time it has gone and been spent you have lost access. You are only as secure
as your own capacity to remember those numbers.
[…] The real weak point
is the user
70. When asked how crypto-asset exchanges can mitigate the risk of hacking, Iqbal
Gandham, Chair of Crypto UK and Managing Director of eToro, explained that by
keeping customers’ details offline, greater security can be achieved. He said:
We at Crypto UK have created a self-regulatory code of conduct, one aspect
of which is that any member exchange needs to keep 90-plus per cent of
customer currency in cold storage, so not connected to the internet, to avoid
[hacking]. People are moving their assets, they are disconnecting them
from the internet. They are also now insuring any assets that are connected
to the internet. It is very difficult to get insurance, because the insurance
products have not matured enough, but they are working to address these
concerns.107
71. Obi Nwosu, Chief Executive Officer of Coinfloor, elaborated on the concept of cold
storage further:
[An individual’s] private key, the stamp for authorising [a transaction], can
be kept online, in what is known as hot storage, on an internet-connected
device, or it can be kept in cold storage, offline, on a device that is not
connected to the internet. It would be created offline, stored offline and
used offline. That is known as cold storage. This is important, because every
single successful hack of an exchange has always involved the hot element.108
[…] This is the equivalent of money in your purse versus money in a bank
vault. One is online, available for other people to access, while the other is
money offline and behind various security
72. However, Ms Kaminska argued that the use of cold storage highlights the inefficiencies
of the crypto-asset exchanges, and creates market liquidity issues:
Cold storage has been put forward as a solution here, but we need to
recognise what that actually means. It means total inefficiency. There is
something called a security access paradox, insomuch as if it is secure it is
not accessible, and if it is accessible it is not secure. When everything is in
cold storage, it is very difficult to maintain the liquid availability of funds to
manage things in real time
73. When asked if exchanges had mechanisms for compensation in the event of a hack
and subsequent loss of crypto-assets, Mr Nwosu stated that most exchanges did not have
any mechanisms for compensation at this stage.111
74. An additional risk that consumers may not be aware of came to the attention of the
Committee during the inquiry, relating to the storage of, and access to, passwords for crypto-asset platforms. The Committee has heard of instances where customers who have lost
their passwords (and consequently access to their accounts) have been told by the firm
that runs their account that the passwords cannot be restored. For example, in response
to a customer who had forgotten their password and recovery phrase, Blockchain, a non-custodial software platform that provides wallets to customers, stated that “your recovery
phrase is the only way to restore access to your wallet if you forget your password.”112 Thus,
there is no recourse for customers who have lost both their password and their recovery phrase.
75. Investors typically access and invest in crypto-assets through exchanges. A number
of these have been hacked, with customers losing significant amounts of money as a
result.
76. There is no collective deposit insurance scheme to compensate investors in the
event of a hack, nor do individual exchanges generally have arrangements in place to do
so. The risk of hacking associated with crypto-assets may not be something investors
in conventional assets have experience of, and therefore they may not be well placed to
judge this risk. It constitutes further evidence that crypto-assets are particularly ill-suited to retail investors.
77. There have also been instances of investors losing access to their crypto-assets
when they have lost their passwords to their accounts with exchanges or crypto-asset
platforms. Exchanges and crypto-asset platforms have subsequently been unable
to recover their customers’ details, so customers are locked out of their accounts
permanently. This often unexpected outcome for investors stands in stark contrast to
how customers of banks, and other regulated financial services firms, are treated when
they have forgotten their details.