The lack of a standardized set of regulations for the cryptocurrency is one of the industry’s most notable issues. Depending on where a cryptocurrency exchange (or another kind of crypto-related business) is established, entirely different sets of regulations apply.
For companies that choose to set themselves up in places like Seychelles or St Martius, the laws are pretty lax; they nay have more freedom to innovate and experiment with new kinds of products and services without the government getting in the way. Companies that establish themselves in places like the US, however, may have a host of regulatory hurdles to cross every time they launch something new.
There are a few places in the world that have developed something in between–a regulatory environment that was designed specifically to support the cryptocurrency industry; because the industry is so new, these places are by far the minority.
However, they do still exist–Japan is one of them. The country has a relatively well-developed set of regulations for the cryptocurrency industry, and a licensing process for cryptocurrency exchanges. And it seems that industry participants within the country are eager to comply with the laws–roughly 110 exchanges are currently in the process of applying for a license.
In theory, Japan’s regulatory environment should promote a culture of better-than-average cybersecurity and safety on exchanges. But in practice, this hasn’t necessarily been the case–last year, Japan-based cryptocurrency exchange Coincheck was hacked for $530 million, the largest cryptocurrency hack in history; just last week, Bitpoint was hacked for $32 million, one of the largest hacks the year so far.
Could it be that increased regulatory scrutiny doesn’t really protect against cryptocurrency hacks (and other kinds of crypto-related crime)?
And in facing the aftermath of a cryptocurrency hack–a problem that didn’t even exist eleven years ago–how can an exchange help its customers (and save its reputation) if regulators aren’t doing an adequate job of helping them?
Koji Higashi: “I don’t think it’s a reasonable assumption that being regulated by the FSA closely ensures safety of exchanges”
Of course, it could be argued that the Bitpoint hack was a minor incident compared to the Coincheck hack–in terms of size, it was.
Koji Higashi, the founder of Koinup and renowned analyst, pointed out to CoinTelegraph that Bitpoint was also a relatively small target in terms of trading volume.
“According to this website which tracks and compares BTC stock trading volume in Japan, Bitpoint ranks just 7th and their reported BTC trading share is just 2.5% in June,” he said. “From that standpoint, this incident was minor compared to the Coincheck and Zaif [(another cryptocurrency exchange)] hacks and thus it’s possible that the incident may have a minimal impact on the regulation.”
And sure, perhaps a much higher amount of money could have been stolen if the exchange had not fixed the issues that were described in a Business Improvement Order sent in the months before the hack by the Japanese Financial Services Agency, the regulatory and law enforcement body responsible for issuing licenses to cryptocurrency exchanges.
But $32 million is still nothing to sniff at, especially when the fact that the majority of the stolen funds–$23 million–belonged to users.
Therefore, it could also be argued that the increased oversight from the FSA in Japan has not actually really made the space any safer.
“I don’t think it’s a reasonable assumption that being regulated by the FSA closely ensures safety of exchanges,” Higashi said. “After two major hack incidents that took place in Japan, the FSA tightened the enforcement significantly to prevent any more hacks, but they are by no means security experts.”
It could be that the FSA is more concerned with preventing other kinds of financial crime “…As far as I understand, their main focus seemed to be more on KYC/AML,” Higashi said.
And in fact, this focus on AML/KYC could arguably be causing exchanges to divert resources that could be used to improve cybersecurity measures in order to beef up protections against money laundering. Higashi explained that “in some situations, I have heard before that their scrutiny is the reason to put pressure on exchanges financially and lose its focus on security.”
After a hack: what then?
So if regulators aren’t the best resource for oversight and assistance when it comes to security, then what is an exchange to do after a hack has occurred?
Pauline Shangett, Chief Communications Officer at non-custodial cryptocurrency exchange ChangeNow, told Finance Magnates that the first step is to transfer money out of the exchange’s hot wallets. “You have a wallet that’s been compromised, and money’s leaking off of it; you have to save whatever you can.”
Law enforcement officers are contacted as soon as possible–enlisting authorities is still necessary for legal purposes, although national cybersecurity law enforcement bodies may vary in their effectiveness.
After this, an exchange will also begin its own kind of “reconnaissance”. But what might that look like on a practical level?
Shangett explained that some of the biggest allies that a hacked cryptocurrency exchange can have are other cryptocurrency exchanges that can use their own surveillance systems to track, report, and even retrieve stolen coins that a hacker is attempting to move through them.
In fact, ChangeNOW itself has managed to detect and report large amounts of cryptocurrency that hackers have attempted to “wash” through the exchange. “Washing” is the process of exchanging “dirty” (stolen) coins for “clean” ones that aren’t associated with crime.
LiquidApps’ Year-Long Token Generation Event Suggests the Future of FundraisingGo to article >>
“Basically, the info is spread thanks to close cooperation compliance by officers of lots of leading exchanges and crypto enthusiasts. Our staff is constantly monitoring various groups of crypto activists and exchange staff who deliver all of the info about the ongoing hacks–address lists and other of the other relevant info that might be helpful for us in order to stop the money that people are trying to wash through us.”
In other words, once a cryptocurrency address becomes associated with a hack, it is put on a “blacklist” that exchanges can use to detect attempts to wash coins.
Activists play an important role in post-hack reconnaissance
As Shangett said previously, much of this work is done by activists within the space. “For example, EOSPatrol [handles] EOS hacks, and there are also lots of activists within the XRP community that watch over funds that have been stolen.”
“Along with exchange employees themselves, [these activists] send us packs of addresses which they have blacklisted…then, if people try to execute exchanges on ChangeNOW using those addresses, the exchanges are stopped.”
Shangett explained that such cooperation system, unofficial though it may be, allows exchanges to react “as fast as possible and as efficiently as possible.”
For example, “an exchange got hacked, we got a list of addresses like five minutes later, and we make sure none of these addresses can be used on our service.”
Then, when the blacklisted addresses show up in new trades, “their exchanges are stopped and secured. Then, we retain the funds–freeze them–and then communicate with the exchange staff and law enforcement authorities on the next steps.”
This is one place where law enforcement’s role is essential–stolen funds should never be returned to exchange without a request from the government; this ensures that stolen funds aren’t sent to malicious actors and lost all over again.
A movement toward non-custodial exchanges could make exchange hacks a thing of the past
After the immediate damage is subdued, most legitimate exchanges will develop a plan on how to repay users who lost their funds.
And to its credit, BitPoint has already announced that affected users will be reimbursed by RemixPoint, its parent company. Finance Magnates previously reported that Remixpoint will pay them in crypto equivalents rather than fiat.
But this is one of the stickier areas of the cryptocurrency industry and the application of regulations to cryptocurrency exchanges: there is no one established way to ensure if or how users will be reimbursed in the event of a hack.
Some exchanges, including Binance, have set aside funds that can be sent to users who have lost their money; others rely on insurance to reimburse users, although ensuring cryptocurrency exchanges against hacks is still an extremely complicated and expensive process.
It is perhaps for this reason that cryptocurrency exchanges–both centralized and decentralized–are increasingly moving towards non-custodianship; in other words, more and more exchanges are adopting technical models in which they do not hold onto their users’ funds.
ChangeNow is one of these centralized non-custodial exchanges; as a decentralized exchange, the Liechtenstein-based Nash exchange is non-custodial by nature. But co-founder Fabio Canesin said that he believes that non-custodial models are the way of the future–and, interestingly, of the past.
in case u needed more reasons to self-custody…
over the past month
– Gatehub hacked for 10m
– Bittrue hacked for 4m
– Bitpoint hacked for 32m
– 0x susp after vuln found
not ur keys, not ur coins
— Josh Olszewicz (@CarpeNoctom) July 14, 2019
After all, this is how most traditional asset exchanges currently operate. “If you trade today on the NY Stock Exchange or on Nasdaq, they don’t have custody of the assets– there is a third party, a centralized custodian that holds the assets,” he told Finance Magnates in an interview last month.
For now, “if [a custodial exchange] has a security breach or the company has an internal problem, it’s all on them,” he explained. “But as we move to a more compliant and professional setup, I do think this will change.”
Perhaps then, exchange hacks won’t be such a sticky wicket for the industry; cybersecurity will always be a concern for the industry, but we could eventually live in a world where user funds lost to cryptocurrency exchange hacks could be a thing of the past.