How to tackle cyber hacks on crypto exchanges

LSE law graduate Hui Ting Tan considers the case for reform

In the past year, there have been a spate of hacking attacks on cryptocurrency exchanges, which are exchanges which allow people to trade digital currencies such as Bitcoin and Ethereum. Last September, a hacker managed to take out $610 million (£460 million) worth of customers’ coins from Poly Network, a Japanese cryptocurrency exchange.

Interestingly, the hacker returned all of the stolen assets, claiming that the hack was just an attempt to highlight the vulnerabilities in Poly Network’s system. When the heist was discovered, Poly Network immediately published the addresses to which the digital assets had been transferred, and asked centralised crypto exchanges to stop all asset flows stemming from the specified addresses. Tether, a stablecoin operator immediately froze $33 million of the stolen assets, while other major exchanges such as Binance agreed to look into the matter. In the meantime, internet sleuths sprung quickly into action to piece together information about the hacker. A cyber security firm called Slowmist even claimed to have personal information relating to the hacker, such as the hacker’s IP address and email information.

Regardless of whether the hacker’s motivations can be taken at face value, what is evident is that identifying errors in the code of a crypto exchange is one thing, but actually laundering those ill-gotten gains into money in the real world is another. Due to the transparency of the blockchain technology upon which the cryptocurrencies are built, every transaction in the digital markets is publicly transparent on blockchains, and as proponents of De-Fi (decentralised finance) like to argue, this creates a crowdsourced imitation of a self-regulating banking system.

What are the inherent or systemic problems with having a self-regulatory banking system however? For one, how do you draw the line between an ethical “white hat” hacker, who is just exploiting a bug in the system, and a self-interested criminal? There is of course an argument distinctive to the De-Fi and blockchain context. The unique strength of an open-sourced technological system is that improvements to the system itself are built upon community improvements and ingenuity. On the other hand, what is clear is that ethical hacking cannot be without scope. No ethical hacker would risk the assets or data of thousands of users. One might imagine that if every firm that were a victim of a hack were to legitimise these actions by labelling these acts as “whitehats”, then ethical hacking would be devoid of any meaning.

What I find more concerning is the notion that criminality and the commensurate level of punishment can be outsourced to a private company, like Poly Network. Hypothetically, imagine if a group of armed robbers organised a traditional bank heist, and was able to steal a significant sum of money, which it eventually returned, although it had broken numerous criminal laws along the way, such as criminal trespass, common assault, and other public crimes. Let’s imagine as well that the bank is unable to print or obtain more money, and was thus compelled to offer the robbers criminal immunity and a monetary reward if the money was returned. That the money eventually came to no harm is irrelevant, it would even be irrelevant if the armed robbers were not eventually found to be guilty of those accompanying crimes. In my opinion, what is problematic is the idea that a private company is able to arbitrarily dictate the criminality of a hack, or to even ‘whitewash’ a criminal hack for commercial reasons.

Things haven’t ended on a sour note because the assets have been returned, but shouldn’t it be time to consider the implications if a similar situation were to happen again? What happens then if a significant number of consumers of a hugely popular crypto-asset exchange were to lose their life savings through the brilliance of an unscrupulous hacker? What are the legal protections available to consumers, and how robust is the regulatory and compliance regime in place to prevent crypto-assets from being laundered?

From a consumer protection perspective, there are unsurprisingly no guarantees of reimbursement in a largely unregulated sector. In fact, a “haircut” has become a term used to describe partial compensation in the wake of a cyber-attack. For example, in the wake of a hack on Bitfinex (£) in August 2016, which caused a loss of 120,000 Bitcoin, worth around $75 million at the time, its users faced a 36% haircut regardless of whether they held any Bitcoin.

In terms of Anti-Money Laundering (AML) and Know-Your-Customer (KYC) regulation, the UK Financial Conduct Authority (FCA) is the regulator of crypto-asset companies in the UK. Crypto-asset companies have to comply with the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, which includes the requirement of having to be registered with the FCA in order to continue business. The FCA also introduced a Temporary Registration Regime for firms that had applied to be registered before, but whose applications were still being processed. As it turns out, the FCA had to extend the deadline for the Temporary Registration Regime (for existing businesses when the requirement was first announced) to 31 March 2022, due to the unprecedented number of firms which could not meet these requirements (£) and had to withdraw their applications. Since the need to register with the FCA was introduced in January 2020, only five companies have successfully registered with the regulator. In short, the issue isn’t really that of a lack of regulation, but that the sector as a whole has yet to catch up in terms of cyber-security and AML practices.

This seems to suggest therefore that there is a good chance that retail investors and consumers of such crypto-asset exchanges are using products with significant cybersecurity risks. The need to raise regulatory standards therefore seems like a natural answer. On the other hand, it has been argued that stricter regulatory rules only drive criminals towards exchanges in jurisdictions with looser regulatory requirements. However, as pointed out by Michael Philipps (£), chief claims officer at cyber insurance group Resilience, these exchanges usually have lower liquidity, which makes the laundering process more difficult. If what we are concerned about is preventing large-scale hacking heists amongst the most widely used exchanges in the UK, then imposing a level of regulation commensurate with the increased level of risk makes sense.

The other libertarian counter-argument would be to argue that investment decisions are personal commercial decisions that inherently involve some level of risk, and that excessively regulating these exchanges would not prevent the ignorant, the gullible, or the fearless from similar decisions that would be equally risky or dangerous. One’s right to plunge one’s entire life savings into Bitcoin should be zealously guarded, no matter how crazy such a decision may seem, so the argument goes. However, I think a distinction needs to be made between raising regulatory standards to better inform consumer choice, and banning these exchanges outright. The desire for the UK to grow into a global fintech hub should also be balanced with the consumer risks inherent to these platforms. The priority should not be to discourage the flourishing of fintech businesses and start-ups, but to ensure that any crypto-asset exchange legitimately operating in the UK measures up to a rigorous and sufficient AML/KYC regulatory regime, which would in turn protect consumers.

The reality of course is that while the FCA continually warns retail investors that they risk losing all their money by transacting on these unregulated exchanges, there will always be those who choose to ignore these warnings. But by actively regulating these exchanges and presenting a stark choice between the legitimate and the unregulated, retail traders on unregulated exchanges would have to take stronger ownership of their personal choices, and whatever risks these choices may entail.

Hui Ting Tan is a law graduate and LLM student at the LSE. He is an aspiring commercial solicitor.