The past few years have been a crisis for security in crypto. As the asset class has grown in popularity, more and more security breaches have come to light and more institutions have been targeted.
The burgeoning industry is ripe with opportunity, but also with risk. Two incidents that highlight this lapse in security spring to mind.
Back in January 2018, Coincheck Japan was targeted, with attackers succeeding in stealing $530 million worth of NEM tokens from the crypto exchange. It is one of the biggest crypto exchange heists in the relatively short history of the industry and stands alongside the infamous attack on Mt. Gox, when around 800,000 BTC was stolen — a sum worth over $6 billion today.
Further back, in February 2016, the Bangladesh Bank was targeted. Thieves attempted to steal a total of $850 million by issuing properly authenticated SWIFT instructions ordering the Federal Reserve Bank of New York to transfer the money. While “only” $101 million was transferred to final beneficiaries in the Philippines and Sri Lanka, the incident ended with a whopping $81 million successfully stolen.
What do these incidents have in common? The complacency of the victims — central banks and top crypto exchanges — and their poor management of the security credentials (whether passwords or private keys) that grant access to the transfer of fiat money or cryptocurrencies.
The SWIFT network used in the Bangladesh Bank and other similar heists was not hacked; the users of the network were. The blockchains used to transfer the NEM out of Coincheck and the BTC out of Mt. Gox were not hacked; the exchanges — i.e., the users of these blockchains — were. Their systems and credentials were so poorly protected that hackers were able to take control and impersonate their victims with ease.
The SWIFT community reacted to these events by reinforcing cybersecurity controls, by identifying the weakest players and by ensuring hackers’ modus operandi were shared among the community to prevent further incidents. Has the crypto industry done the same and learned from its mistakes? Probably not at the level this issue deserves. Will 2020 see more collaboration to prevent these incidents or to enable the recovery of stolen funds in case of successful hacks? The jury is still out.
In 2020, more education and awareness will be required. Exchanges, funds, projects, foundations, and all the other crypto players servicing underlying customers must put in place the proper transparent and secure processes around the safekeeping of the assets of their customers. Most will rightfully opt for the outsourcing of that critical task to third-party custodians whose job is to do precisely that.
This year will hopefully also be the year when digital asset service providers such as crypto exchanges and custodians collaborate not only on the implementation of the Financial Action Task Force rules but also on the exchange of information about hackers’ modus operandi and the blacklisting of addresses.
By the end of the year, the cashing out of hacked funds should be so difficult — thanks to a more formal collaboration between players — that thieves will be discouraged from targeting cryptocurrency organizations.
Beyond the adoption of the right established technology, it is only when common-sense operational and business practices — segregation of duties, focus on core activities and established risk management — are put in place that the digital asset industry will become mainstream. Today, it is not, and now you know why.