Learning Outcomes
In this session, you will learn about the following notable cases of exchange hacks and fraud:
- 2014 Mt Gox hack
- 2022 FTX collapse
- 2016 Bitfinex hack
- 2020 KuCoin hack
You will also learn about the following concepts:
- Poor risk management and rehypothecation, through Celsius Network
- Disappearance and succession planning, through Quadriga
- Insider trading, through Coinbase
Introduction
Since Bitcoin’s inception in 2008, interest in Bitcoin and other digital currencies has grown significantly. From 2010, when the very first exchange was created and made it simpler to trade bitcoin, to today's arguably saturated marketplace for cryptocurrency exchanges, inadequate governance at cryptocurrency exchanges and other centralised crypto institutions has manifested in poor consumer outcomes. In this article, we explore some of the most notable cases of hacking, theft, poor risk management and fraud to date, highlighting the need for greater transparency in this space and stronger investor protections.
Exchange Hacks and Frauds
As of 12 January 2023, there have been 50 reported exchange hacking events, aggregating to approximately US $3.4 billion (at the time of the respective hacks) stolen. Of these, 19 hacks were conducted in 2019 alone, and the most recent hack was in November this year when Bahamas-based crypto exchange, FTX, had $600 million stolen. The most common hack took the form of compromising the private keys used to access the exchange’s hot (i.e. online) wallets that store users’ cryptocurrencies. This has led to funds becoming lost and unrecoverable, with many exchanges having to shut down or file for bankruptcy as a result.
The Biggest Casualty: Mt Gox
To date, the largest and arguably most notorious crypto exchange hack occurred in 2014, when Tokyo-based Mt Gox, the largest bitcoin exchange in the world at the time, lost almost 850,000 bitcoin, with 750,000 of these belonging to users, and 100,000 belonging to itself. The exchange was first launched in 2010 by US programmer Jed McCaleb and expanded rapidly, eventually being bought by French developer Mark Karpeles in 2011. At its peak in 2013, Mt Gox was responsible for 70% of all bitcoin transactions worldwide.
On 7 February 2014, Mt Gox first announced on its website that it halted withdrawals, then suspended all trading, before the company went completely offline on 24 February. Four days later, the company filed for bankruptcy protection in Japan and filed for bankruptcy in the US on 9 March. Though this all seemed to suddenly unfold over the period of a month, subsequent investigations suggest that the hack had been going on undetected for years, revealing that the private keys to Mt Gox’s wallet were unencrypted and had been stolen back in 2011. The hacker had supposedly been stealing bitcoin gradually from users’ accounts as the company remained unaware, with insiders citing the reason for the exchange not having realised earlier being mismanagement and a lack of organisation. The company’s CEO, Mark Karpeles, was arrested in 2015, and served one year of jail time for embezzlement and breach of trust charges, but was only found guilty of data manipulation charges, for which he did not have to serve any jail time.
Unsurprisingly, the hack, which constituted approximately 6% of all bitcoin supply at the time, caused Bitcoin’s price to fall over 36% from February to the end of March and in April, Tokyo District Court ordered the company into liquidation. Since then, only 200,000 bitcoin were able to be recovered, having been found in a ‘forgotten’ wallet held by the company. Whilst approximately 34,000 bitcoin were liquidated by Mt Gox’s trustee, Nobuaki Kobayashi, in 2018 to secure approximately US $400m for distribution to creditors, the rest has remained held for creditors until now. In a letter sent out to creditors in July 2022, Mt Gox’s Rehabilitation Trustee, attorney-at-law Nobuaki Kobayashi, indicated they would start paying out creditors at the end of August 2022; however payments were postponed as the deadline for the repayment method selection and registration was subsequently deferred until 10 March 2023.
FTX
The most notable recent example of poor governance by an exchange occurred in November 2022, when FTX, which was the second largest crypto exchange at the time in terms of trading volume market share behind Binance, lost over $8 billion USD worth of customer funds. The exchange was launched in 2019 by Sam Bankman-Fried, who also founded cryptocurrency trading firm Alameda Research.
The saga began on 2 November, when it was reported that Alameda Research’s balance sheet was highly illiquid, largely composed of the FTT token (the governance token of its sister exchange, FTX). This apparent conflict of interest led to a sell off of the FTT token. Following speculation that Binance would acquire FTX, which did not eventuate, allegations were made that FTX had lent over half of its customer funds to Alameda Research for them to trade in direct contravention of its terms of service.
The contagion effect from these events led to the price of Bitcoin plummeting to a two-year low of USD $15,480. More recently it has been reported that over $5 billion USD of customer assets have been recovered. However, it is unknown how, when or if these funds will be distributed amongst creditors.
Bitfinex
Another victim of hacking was Bitfinex, a popular Hong Kong-based exchange. Hackers used malware to control an executive’s computer and increased the transaction limit of 2,500 bitcoin to steal 119,756 bitcoin from the exchange. News of the hack had a significant impact on the price of Bitcoin, which at the time plunged by 20% before gradually recovering. It was never determined how the hackers were able to access Bitfinex’s servers or what location they operated from, as they wiped the memory of the server after the hack.
Unlike Mt Gox, Bitfinex survived the hack. To reduce the risk of a similar hack in future, operational risk management was improved, implementing a requirement that in order to approve transactions larger than the 2,500 limit, a video call between their custodian, BitGo, and an employee need first be conducted. As for the stolen funds, Bitfinex spread the loss across all its customers, meaning each user lost 36% of their holdings. Users were given the option to trade shares in Bitfinex’s parent company for users’ entitlement to any assets that might in future be recovered, however only 0.023% were located, which were distributed to affected users in 2018.
KuCoin
In September of 2020, popular Singapore-based exchange, KuCoin, was subject to a hack which targeted its hot wallets, stealing approximately $280 million worth of Bitcoin and Ethereum. As the exchange stored a significant amount of its tokens in hot wallets accessible via the internet, the hackers only needed to obtain the private keys to transfer the funds. The exchange was able to recover 84% of the stolen funds with the help of law enforcement and other exchanges, whilst the remaining 16% was covered by insurance.
Poor Risk Management
The presence of crypto-based lenders has increased in recent years, with many companies claiming to operate not dissimilarly to a bank. However, unlike banks, which are strictly regulated and subject to regulatory capital requirements, crypto lenders are not, exposing them (and their customers) to a variety of risks, which if not managed properly can have extreme consequences. One such crypto lender, Celsius Network, gained notoriety in 2022 when it first froze withdrawals before soon filing for Chapter 11 bankruptcy in July.
Rehypothecation
Prior to filing for Chapter 11 bankruptcy relief, Celsius Network’s website stated that they “use coins transferred by our customers as collateral for lending, rehypothecation, and other similar transactions”. But what is rehypothecation? To break it down, hypothecation describes an agreement where collateral is pledged to secure a loan. For example, when you take out a mortgage, you pledge your house as collateral, giving the bank the right to seize your house should you fail to repay the loan. Extending on this, rehypothecation would be if the bank uses your collateral (i.e. your house) as collateral for another lending transaction, which is considered a derivative based on the original agreement between you and the bank. As the original borrower, you now face the risk that the bank suddenly enters bankruptcy and cannot repay its new loan, meaning your house would be seized.
This was analogous to the significant risks facing Celsius’s users; according to its Terms of Use, Celsius has the right to “pledge, re-pledge, hypothecate, rehypothecate, sell, lend or otherwise transfer or use any amount…and for any period of time.” Celsius claimed that it could charge as low as 1% APR interest on collateralised loans as it had “additional ways of making money using the collateral pledged”. Celsius took on considerable risk in order to provide the returns it promised to its users and had no insurance to cover customers’ deposited crypto-assets or Celsius' investment activities.
Consequently, Celsius was exposed to significant counterparty, liquidity and contagion risks. As markets tumbled in early 2022, these risks became amplified, and Celsius was unable to handle the large volume of redemptions, thus freezing withdrawals and ultimately having to file for Chapter 11 bankruptcy. Since depositors had, by virtue of the Celsius Terms of Use, transferred the ownership of their assets to Celsius, they essentially became unsecured creditors in this situation.
Succession Planning: Quadriga
Whilst the importance of security and cold (i.e. offline) storage is highlighted in many digital exchange hacks, it is not the only consideration. Succession planning is also imperative. Quadriga, a Canadian-based exchange which utilised cold storage, lost approximately CA $260 million in user funds when its CEO, Gerald Cotten, suddenly passed away as the only individual with the knowledge of the private keys needed to access them. He passed away in India while purportedly building an orphanage. There is some speculation that Mr Cotten had faked his death and taken the user funds for his personal use.
After Mr Cotten’s passing, attempts at recovering the information to the private keys were unsuccessful and the exchange struggled to repay 100,000 users. Unsurprisingly, the company became insolvent and had to seek creditor protection.
Insider Trading: Coinbase
In early 2022, a former product manager at Coinbase, one of the world’s biggest crypto exchanges, was charged in what was the first insider trading case within the crypto industry. The product manager, his brother and their friend were charged with wire fraud conspiracy. Allegedly, the product manager shared confidential information with the two men revealing upcoming announcements of tokens Coinbase planned to list on its exchange. The pair allegedly generated over US$1 million as a result of acquiring the assets and then trading them upon a rise in value following the listing announcements.
How Investors Can Protect Themselves
As highlighted by the multiple examples above, poor governance within the digital currency ecosystem has been rife and leads to poor outcomes for consumers.
Some of the risks facing investors in dealing with digital assets can be mitigated through the use of regulated investment vehicles that manage risks. For example, regulated financial products that track the price of bitcoin allow investors to gain exposure to bitcoin without the risks of self custody or using custodians and other service providers that are not licensed and subject to adequate regulatory oversight.
Greater disclosure for regulated financial products also provides key consumer protections as it allows consumers to make informed decisions on the investments they make and the risks they take in doing so.
Regardless of the means of exposure, investors that wish to invest in this asset class should conduct their own due diligence on each regulated product they are considering for investment and seek professional advice. However, the use of traditional finance, offering regulated products under established financial services laws, to bring digital assets to traditional markets is a key piece in bringing more robust governance to the space and consequently better outcomes for consumers and the broader crypto ecosystem.
The content, presentations and discussion topics covered in this material are intended for licensed financial advisers and institutional clients only and are not intended for use by retail clients. No representation, warranty or undertaking is given or made in relation to the accuracy or completeness of the information presented. Except for any liability which cannot be excluded, Monochrome, its directors, officers, employees and agents disclaim all liability for any error or inaccuracy in this material or any loss or damage suffered by any person as a consequence of relying upon it. Monochrome advises that the views expressed in this material are not necessarily those of Monochrome or of any organisation Monochrome is associated with. Monochrome does not purport to provide legal or other expert advice in this material and if any such advice is required, you should obtain the services of a suitably qualified professional.