It’s not just the roller-coaster valuations that make cryptocurrency risky. It’s also the security issues.
Last week saw multiple major crypto hacks. One affected wallets mostly linked to solana coins, and another hit Nomad, a blockchain bridge where users exchange assets on different blockchains. The losses totaled about $200 million.
And these are just the latest hacks. So far this year, there’s been more than $1 billion stolen.
So, why is this industry such a target?
Josephine Wolff is an associate professor of cybersecurity policy at the Fletcher School at Tufts University. The following is an edited transcript of her conversation with Marketplace’s Meghan McCarty Carino.
Josephine Wolff: One of the things you worry about a lot with cryptocurrencies is there are a whole bunch of intermediary organizations and companies involved, and each one is building software that can potentially be breached. So you’ve got different organizations coming up with the blockchain ledgers that record these individual transactions. But you’ve also got companies building the wallets that hold people’s digital assets. And then you’ve got cryptocurrency exchanges. So each of these different kinds of layers of software in the cryptocurrency ecosystem creates an opportunity for breaching something and stealing money.
Meghan McCarty Carino: When we look at some of the big hacks that are known, do they have factors in common?
Wolff: If we look at the sort of big money-laundering breaches around cryptocurrency, often there’s a common thread of a cryptocurrency exchange that has failed to protect the credentials of its users effectively. So people are able to steal not just one or two passwords, but all of the passwords from a database. Or somebody has implemented the cryptocurrency wallets insecurely in a way that it’s possible for somebody to get in there and transfer funds out of those wallets without even needing the passwords and credentials that users would traditionally use, so I would say those are definitely two weak points — the wallets and the exchanges.
McCarty Carino: Why do you think we’ve seen cybercriminals seeming to target wallets and exchanges?
Wolff: I think two related reasons. One is that there’s a lot of money in this ecosystem. And the other is that there’s this almost total lack of regulation around most of these intermediaries. So you’ve got wallet providers, you’ve got cryptocurrency exchanges, you’ve got all of these folks who are sort of effectively playing the role of a bank, or at least part of what we traditionally rely on banks for, but without all of the oversight and regulation.
McCarty Carino: So what can companies in this ecosystem do to better protect themselves against these hacks?
Wolff: The big part of this that we’ve sort of figured out to a large extent for traditional banks and financial companies has to do with record-keeping. Things like know-your-customer laws, anti-money-laundering regulations, where if somebody comes in and says, “I want to open up a cryptocurrency account or wallet and transfer money into and out of it,” then institutions can say, “OK, we need some information about you. We need to see your ID, we need to keep records of certain large transactions or transactions in and out of the country,” stuff like that. It doesn’t prevent theft, but it does enable some kinds of policing and law enforcement after the fact to go back and say, “OK, if we’re trying to trace what happened here, do we have some records that enable that?” On the sort of blockchain and wallet side, a lot of this is actually about testing software security. It’s about trying to understand, “OK, the way I have written code to say, this is Meghan’s wallet, this is Josephine’s wallet, have I left any bugs in that code that are going to allow somebody to get in there and change who those cryptocurrency tokens are assigned to within this sort of software program that we’ve written? And that’s really traditional testing of software, hiring people to try to hack it, seeing if they can find any vulnerabilities. Taking your time with the development process, which, I think, is also often a big challenge in these cryptocurrency settings where things are moving really fast and people are always sort of trying to get ahead of the next thing.
McCarty Carino: Is there anything individual consumers can do?
Wolff: That’s pretty tricky. When we look at most of these hacks, it’s really not about whether individuals were using good passwords or are practicing good security hygiene, it’s really about whether or not the institutions that they trusted were doing a good job of securing their cryptocurrency wallets.
McCarty Carino: What is the current landscape look like for protections and government oversight? And how does it vary from country to country?
Wolff: There are some regulations, certainly in the United States, that apply to cryptocurrency exchanges. They’re required to comply with most traditional know-your-customer and anti-money-laundering regulations. However, different states have taken different approaches. Famously, New York state announced that they were going to require BitLicenses, and a whole bunch of other places have sort of tried to implement their own kinds of regulatory oversight to make sure that there’s less opportunity for cybercrime passing through these types of cryptocurrency exchanges. In other countries, we’ve seen very different approaches. China has taken an approach of basically, cryptocurrency is illegal — we don’t want anybody buying or selling it in our country. Russia has taken an approach of essentially, we’re not going to monitor anything that’s done in cryptocurrency exchanges, but we do want people paying tax on cryptocurrency income. And so there’s a taxation framework that they’ve been trying to develop for the past few years. And what this means is that you have sort of a very easy way to move money between countries and find the country where there will be the least concern about what you’re doing with your cryptocurrency that has been very beneficial to many cybercriminals.
McCarty Carino: Could more government oversight and regulation of the industry address some of these problems?
Wolff: I think it could. The challenge here is even if the United States could sort of get its act together and figure out how it wants to regulate cryptocurrencies, whether it wants restrictions, they would still have this big problem that, say, most of the big ransomware rings are based out of Russia and Eastern Europe. And that’s not a problem that any individual country can really solve by itself where there are so many different exchanges.
The Verge reports that one of the crypto systems targeted — Solana — said its own investigation showed no evidence that its protocol was breached and that only one type of user wallet was compromised.
Another hacking target, Nomad, offered a bounty for the stolen tokens, according to Bloomberg News. The company said anyone willing to return 90% of the hacked funds will not be prosecuted and can keep the remaining 10% as a reward.
We also aired a feature last month about state-sponsored crypto hackers in North Korea.
Wolff wrote for Slate earlier this year about probably the most famous alleged crypto hackers: a New York couple charged with laundering $4.5 billion worth. It’s a colorful story — one that, she wrote, feels like a “far-fetched movie plot.”
Aside from the astronomical sums involved, the accused had styled themselves as sort of crypto quasi-celebrities, sharing advice and amateur rap videos on social media. One of those videos is not exactly safe for work — think dance moves and language appropriate to the form.
It’s something else. Let me tell you.