Despite the excitement around all things crypto, the proliferation of cryptocurrency ventures is generating new cybersecurity risks. How governments and industry manage those risks may determine the future of the crypto market.
The craze around cryptocurrency has propelled the industry from the fringes of finance to the mainstream markets. Over 100 cryptocurrency exchanges have emerged, some with trading volumes over US$9bn per day. Mainstay financial data vendors such as Bloomberg and Thomson Reuters have begun to list cryptocurrency data. US investment bank Goldman Sachs is reportedly considering establishing a crypto trading desk. All of this points to the potential for crypto to become an increasingly accepted asset class. Even national governments from Venezuela to Sweden have begun preparations to issue state-backed cryptocurrencies.
Despite these developments, cryptocurrency’s novelty still produces uncertainty. Much of that uncertainty emphasizes crypto’s price volatility and the dearth of financial regulation in that space. Seldom discussed are the digital security risks inherent to a rapidly growing digital currency market.
The growing crypto market has generated an intensifying vector for cyber threats. This is especially with the frequency of Initial Coin Offerings (ICOs), a form of crowdfunding for crypto. The increase in ICOs and skyrocketing crypto values make those assets attractive targets for theft, fraud, or disruption by a variety of cyber-enabled criminals and state-sponsored actors – the most conspicuous of which is North Korea. Security vulnerabilities throughout the crypto market are enabling many of those malicious actors to be successful.
Even if blockchain is inherently secure, crypto offerings may not be
While cryptocurrency’s underlying blockchain technology offers unique security advantages, many cryptocurrency ventures themselves contain security vulnerabilities. Blockchain’s distributed, network-authenticated architecture limits hackable entrances and minimizes human error. Yet the software making up a cryptocurrency application still presents a viable target.
As ICOs rush to bring their cryptocurrency to market, many ventures lack incentives to ensure robust security is built into their software. In some cases a crypto venture’s security infrastructure and workforce is nonexistent, and developers may fail to engage in code reviews to identify vulnerabilities. All this makes penetrating cryptocurrency software easier.
Investor frenzy toward a proliferation of ICOs exacerbates cryptocurrencies’ lack of robust security infrastructure. By compromising vulnerable systems associated with a crypto startup, hackers can pretend to be the crypto venture’s administrators and target the ICO’s captivated participants with pre-sale offers of the currency. This was the case with the cryptocurrency-based talent acquisition application Experty. By accessing Experty software files, hackers were able to imitate Experty’s managers and scam the ICO’s interested participants into dishing out over US$150,000. This is not an isolated case: a report from EY on ICOs estimates that 10% of funds from ICOs are lost or stolen from successful hacking attempts.
Crypto exchanges are single points of failure
Crypto exchanges represent another point of vulnerability. The institutions that enable traders to buy and sell crypto often contain databases holding traders’ private keys to their crypto wallets, or even traders’ online wallets themselves.
This significance is not fully realized by several currency exchanges. Those institutions in question occasionally retain a similar dearth of security practices as the cryptocurrency ventures themselves. The hack of Japan-based crypto exchange Mt. Gox – one of the largest hacks on a crypto exchange to date – largely occurred due to the exchange’s disregard for basic security protocols such as code review and timely patching.
Even if an exchange does follow healthy security practices, it may rely on insecure cloud-based servers or third-party applications that introduce vulnerabilities outside its control. Weaknesses in basic internet protocols can also be exploited to reroute traffic from online crypto wallet services to criminals. EY suggests that US$2bn on average has been lost from successful hacks on crypto exchanges.
In addition to penetrating private key databases or online wallets, hackers may also use denial-of-service campaigns to overwhelm an exchange server and cause its online platform to crash. These campaigns can be particularly insidious against exchanges with high trading volumes or those offering a unique crypto asset. This is because crashing those exchanges’ servers for a period of time could create cryptocurrency price fluctuations that the perpetrators directly benefit from.
Humans are the weakest link
Irrespective of the security architecture of a crypto venture, error on the part of crypto traders may present the greatest vulnerability to the cryptocurrency market. Each individual transacting on a blockchain system possesses a unique private key to verify their crypto assets and validate their transactions. If a malicious actor accesses a user’s private key, they can easily breach a target’s crypto assets and send that currency to themselves.
Private keys often fall prey to conventional cybersecurity threats. Phishing is the most common hacking tool in crypto markets, whereby malicious actors deliver malware to targets through communications platforms like email. If a crypto trader keeps their private key unsecured on their computer and lacks basic cybersecurity protocols, then opening up an infected email attachment can install malware aimed at stealing a user’s exchange passwords or private keys.
Malicious actors can also access traders’ private information by hijacking their sessions on online crypto exchanges. By penetrating an online exchange’s server, a malicious actor can feign the website session’s authenticity and trick a trader into handing over their credentials.
Furthermore, there is little to deter these hacks. Attribution of offensive cyber activity is often difficult. The pseudonymity or anonymity of cryptocurrency transactions makes it easy for malicious actors to steal crypto assets by dispersing them to a variety of exchanges or quickly converting them into other currencies.
Some crypto traders have resorted to storing their assets on hardware wallets instead of online exchanges, but that solution also has downsides. There are ways for malicious actors to penetrate hardware, and the physical hard drives that store crypto assets can be corrupted or lost.
Amid increasing security risks to crypto, maintaining trust is crucial
As the number of crypto ventures grow, so too will their digital security risks. Blockchain technology may offer intrinsic security advantages, but crypto projects have generated new security vulnerabilities. Those vulnerabilities will increasingly be exploited as investors flock towards prospects of large crypto returns and malicious cyber actors view crypto assets as an easy source of untraceable and unregulated capital.
Yet continued cyber-enabled fraud and theft of cryptocurrency can undermine the whole market altogether. It will erode the trust necessary for consumer adoption of crypto assets and further investment in their underlying blockchain technology. If the crypto market’s growth offers any value, its reputation will need to be protected so that capital is available for promising ventures that aren’t easily subject to fraud or hacks.
To a certain degree, the crypto industry is beginning to catch on. The crypto exchange Gemini recently partnered with Nasdaq’s market surveillance technology to identify trading misbehavior. Some advocates have called for better built-in cybersecurity protocols for crypto trading platforms. One such example is to authenticate a trader to their private key at every stage of the cryptocurrency transaction. All that is necessary, but the lure of quick crypto profits from the technology and finance communities alike may sufficiently disincentivize self-policing when it comes to cyber-enabled fraud and theft.
The scope of regulation will determine the success of crypto
Where crypto markets fail to improve their security posture, regulatory bodies will likely fill in. This is already beginning to occur in the US. Here, the Securities and Exchange Commission and Commodity Futures Trading Commission have respectively referred to cryptocurrency as a security and commodity. By applying existing regulatory regimes to crypto in this fashion, crypto institutions may have obligations to maintain cybersecurity policies and procedures that apply to the rest of the financial sector.
Other governments may establish regulations specifically directed at managing cryptocurrency’s risks. Crypto exchanges in Japan require licensing as well as adherence to specific cybersecurity guidelines, and can face punishments if breaches occur. The Philippines recently established a crypto economic zone where vetted crypto companies can operate.
Yet the risks of fraud and theft may also prompt governments to regulate cryptocurrency completely out of existence. South Korea and India have signaled their readiness to outlaw crypto exchanges. Some EU countries have pursued strict regulation or blacklisting of crypto markets. Even the EU’s upcoming data privacy regulation, the Global Data Protection Regulation (GDPR), may be incompatible with blockchain’s decentralized and immutable structure. China has interestingly clamped down harshly on cryptocurrency ventures and markets while still indicating its support for blockchain technology.
Either of these regulatory approaches presents benefits and downsides. Bringing crypto markets into the fold of mainstream financial regulations may indeed manage crypto’s security risks. However, any regulation imposed on cryptocurrency ironically undermines the decentralization and anonymity that draw consumers to the market in the first place.
On the other hand, a complete absence of regulation or standards around crypto might enable cyber-enabled theft and fraud to flourish. This will force governments to regulate cryptocurrency out of existence, perhaps stifling innovative ventures involving crypto or blockchain more broadly. The approaches governments and industry take towards managing crypto security risks may accordingly determine the extent and location of cryptocurrency’s future.