When investors store unsecured cryptocurrency accounts on the internet, it’s like leaving the bank vault open. That’s what a Chicago-based tech specialist learned after he was fleeced of $55,000 in bitcoin and other cryptocurrencies in various fraud schemes that made digital coins vanish from his accounts.
“I was horrified,” said the specialist, who insisted on anonymity. What made it worse, he said, was that he knows who did it -- “a professional colleague who has good software skills and portrayed to be a family-oriented person,” to whom he gave access to his accounts.
His case – which he has referred to the Securities and Exchange Commission – is complicated by one of the main attractions of digital currencies such as bitcoin: They exist in a private, shadowy realm beyond the reach of most governments. They don’t fall under strict banking or brokerage industry laws, and securities regulators are having a hard time policing the technology, the exchanges and the issuers. The SEC, along with state securities watchdogs, has launched more than 200 probes, although they usually come on the scene too late to help defrauded investors.
Cryptocurrency theft is a growing problem. According to CipherTrace, cyberthieves stole some $1.2 billion in digital currencies in the past two years alone; the firm noted that just during the first half of 2018 there was “a three-fold increase over the entire year of 2017. In addition, the FBI has reported an almost six-fold increase in the value of virtual currency in complaints from 2015 to 2017.”
Bitcoin, which was invented in 2009 by a person or persons using the alias Satoshi Nakamoto, is the most famous form of cryptocurrency. Since then more than 1,000 other digital coins have been created – many of which are based on the Bitcoin model.
Cryptocurrencies are, basically, a form of money issued by a cyber community – not a central bank. This has made them especially popular among criminals who want to hide their transactions and people who mistrust government. They are also attractive to speculators because the value of cybercurrencies can rise, and fall, dramatically.
That’s because, although the number of bitcoins is fixed – only 21 million original bitcoins were known to be created – their value can fluctuate as they are traded like stocks. Investor enthusiasm has often been manic, with bitcoin prices alone soaring to around $20,000 (last year), although the currency has recently been valued around $3,800.
Depending upon your point of view, digital coins are either the latest gold rush or fool’s gold. The market for cryptocurrencies, despite its pronounced volatility, skyrocketed in 2017 due to the proliferation of new digital coin sales. “Initial Coin Offerings” (ICOs) raised more than $20 billion in the past year in nearly 1,000 offerings, reports Coinschedule.
In theory, cybercurrencies should be secure. Most transactions can be traced through a blockchain, which is a series of transparent ledgers shared by users. But cyberthieves have developed a series of alterations that can enable them, in certain circumstances, to make untraceable transactions.
In addition, promoters and exchanges may have lax cybersecurity measures, so thieves can pilfer cryptocurrencies from digital “wallets,” then transfer or launder the crypto cash. So even if you invest, your digital coin accounts may be hacked and stolen.
All told, more than $730 million in cryptocurrencies were stolen from exchanges in 2018, CipherTrace reported. That compares to $266 million lost in 2017. More than $540 million was ripped off from just two exchanges – Coincheck in Japan and Coinrail in South Korea. Exchange operators blamed the thefts on poor security in their “hot” wallets, or digital accounts connected to the internet.
How secure are these assets once investors take possession of them? Lisa Braganca, a former SEC attorney who specializes in securities fraud, had several potential clients approach her who had lost money they thought was safely deposited in cryptocurrency investments. One victim had $750,000 in digital currencies stolen from a coin exchange. The currency was transferred to an unknown address, then “mixed” so that the transaction was untraceable.
“By the time he [the victim] got to me,” Braganca said, “it was six to eight months and the delay worked in the favor of the thieves. Time passed and evidence was lost. I couldn’t represent him.”
Braganca suggested that a “forensic audit” of the victim’s computer, which could possibly track the transfer, could’ve helped solve the crime. “You need to have the computer checked for a virus, which could’ve been activated on a clipboard, [that] then changed the address of the currency account to which the crypto was transferred.”
She also said it is likely that dormant malicious code on the victim’s computer, also known as malware, could have triggered the rerouting to another account, with the funds then sent to a “tumbler” or “mixer” to make it untraceable.
Like most aspects of the cryptocurrency world, tumblers are unregulated and often operate outside of the U.S. They are digital scramblers, making it difficult for authorities to track transactions. Instead of being able to follow crypto transactions on the blockchain, Braganca said, a tumbler mixes up the stolen digital coins with many other digital coins and sends an equivalent amount minus a fee back to the sender. That makes tracing the stolen coins challenging, if not impossible, for average investors.
Criminality in digital coins is nothing new, nor is the outright theft of cryptos. But the use of tumblers makes a difficult and unregulated market even more challenging. They thwart the open distributed ledger nature of blockchain technology, which is the core code of many cryptocurrencies. That makes laundering much easier.
“Most tumblers operate out of Asia,” said Tom Pageler, chief security officer for BitGo, a cryptocurrency services company. “They break cryptos up like a jigsaw puzzle. They’re a moving target.”
The markets are even more unstable and volatile because of wild and false claims many promoters make about the security of their investments, attracting new investors through age-old promises of getting rich quick with little effort.
“Fraud is rampant with guarantees that don’t exist,” said Dan Neves, a hedge fund manager in Austin, Texas, who invests in cryptocurrencies. “You don’t need mixers or tumblers to steal cryptos. Once you send your currency to some [online] addresses, it’s gone.” Neves, who favors regulation of the industry, said he’s in the process of obtaining the necessary licenses in Texas to pursue broker-dealer registration to sell cryptos directly.
Joe Rotunda, enforcement director for the Texas State Securities Board, said his agency has 100 ongoing probes into crypto operations, the most of any state regulator. The board has issued 17 cease-and-desist orders to 60 different parties who sell or promote cryptos, the majority of which involve trading.
Even if regulators fully step into the complex mire of crypto regulation, the authorities may not be able to impose the layers of security needed to protect crypto assets in private wallets because many exchanges and dealers are beyond the territorial jurisdiction of U.S. and European regulators.
How can you protect yourself? Pageler said investors should get user and backup multi-signature security keys and deal with a firm that has strict cybersecurity policies that set limits on the velocity and amount of coin transfers.
The SEC and other agencies are also conducting probes, although it’s not known when or if there will be any robust state or federal regulation of cryptocurrencies. Until then, it’s not only “buyer beware,” but “guard your wallet” from cyberthieves.
“The possibility of hacks should play into promoter disclosures,” Rotunda said. “Investors may lose tokens and promoters must tell investors about their cybersecurity measures.”
John F. Wasik is the author of "Lightning Strikes" and 16 other books. He focuses on innovation, creativity and technology issues.