Blockchain Vulnerabilities ' Crypto Hacks, Blockchain Forensics And Legal Challenges

• Published date: 23 November 2021
• Subject Matter: Finance and Banking, Technology, Financial Services, Fin Tech
• Law Firm: McCarthy Tétrault LLP
• Author: TechLex Blog and Barry B. Sookman

It is often assumed that blockchain based digital currencies and applications are safe and secure. In fact, blockchain ecosystems including cryptocurrencies such as bitcoin and Ether, smart contracts that power a plethora of transactions, and blockchain exchanges have many vulnerabilities. Like many other financial systems, blockchain based systems are subject to all manner of hacks, frauds scams, and vulnerabilities. They happen at the speed and anonymity of the Internet. There are, understandably, numerous legal challenges when it comes to obtaining civil remedies for these Internet based crimes. This is as true, and perhaps even more so, for blockchain hacks, scams, and frauds as it is for a whole host of other Internet crimes and wrongs.

I had the pleasure yesterday to participate in a McCarthy Tetrault Masterclass on the subject of "Blockchain vulnerabilities - crypto hacks, blockchain forensics and legal challenges." The other two panelists were Ari Redbord from TRM Labs and Ana Badour, partner and co-head of McCarthy Tetrault's Fintech Group. Ari, Ana, and I discussed the hacks, frauds, forensic tools and countermeasures that are being used by lawful authorities and businesses to address blockchain vulnerabilities. Ana and ARI also provided an overview of regulatory measures being adapted to address legal issues associated with digital currencies including FATF guidance, AML legislation, Travel rules, OFAC sanctions against particular cryptocurrency exchanges, and FinCEN guidance on cybercrime and ransomware. I also talked about the availability and practicality of using civil remedies to address losses from the use of blockchain based systems and some recent OSFI developments that could impact blockchain applications.

Below are some prepared materials I drew upon in my talk on blockchain vulnerabilities - crypto hacks, blockchain forensics and legal challenges.¹

Blockchain vulnerabilities, hacks, frauds and scams

There are trillions of dollars invested in blockchain based digital currencies. Bloomberg recently estimated that the cryptocurrency market is now worth more than U.S. $3 trillion. There are well recognized financial risks associated with cryptocurrencies volatility. But, this has not seemed to have dampened the market for these items.

The technical vulnerabilities associated with blockchain are not as widely recognized. Blockchain is often touted as being secure, immutable and "unhackable". There are, however, many vulnerabilities associated with cryptocurrencies and their ecosystems, some human and some technical. This should not be surprising. We can learn a lot from history. As Jesse James showed in the wild west, Charles Ponzi showed us in 1920, and as hackers show us day in and day out, no matter how secure a financial institution, financial application, or financial asset is, someone will try to find a way to steal it, defraud or trick people out of it, or hack it. Sadly, the same is true with digital currencies.

While losses from hacks and vulnerabilities are hard to estimate, by one account hackers have stolen nearly $2 billion worth of cryptocurrencies in the two year period between 2017-2019. Some hacks are by lone hackers, but many are by sophisticated cybercrime organizations. According to a recent article In the MIT Security review, the hype that these assets are unhackable are "dead wrong". According to the article:

In short, while blockchain technology has been long touted for its security, under certain conditions it can be quite vulnerable. Sometimes shoddy execution can be blamed, or unintentional software bugs. Other times it's more of a gray area-the complicated result of interactions between the code, the economics of the blockchain, and human greed. That's been known in theory since the technology's beginning. Now that so many blockchains are out in the world, we are learning what it actually means-often the hard way. ²

A comprehensive article on the subject confirmed the many vulnerabilities associated with blockchain technology saying:

Blockchains are relatively new and there are countless news stories of people losing money through compromises in the components of blockchain ecosystems. Blockchain technologies are not invulnerable and have actually many known vulnerabilities, just as with any software..³

Another recent article came to the same conclusion stating:

Until recently, blockchains were seen as an "unhackable" technology powering and securing cryptocurrencies - but that's no longer the case.

In other words, forget what you heard from Bitcoin boosters - just because information or currency is on a blockchain doesn't necessarily mean that it's more secure than any other form of storage.

In fact, the same qualities that make blockchain technology so secure may also be the source of several unique vulnerabilities - a stark reminder that despite the hype, cryptocurrencies can't entirely sidestep the vulnerabilities of any other banking systems.⁴

One group of researchers recently concluded, as "distributed ledger software by nature, blockchain inevitably has software issues." They found, among other things, by studying the bitcoin, Ethereum, Monero, and Stellar blockchains that some blockchain modules related to consensus, wallet, and networking were "highly susceptible to vulnerabilities".⁵

As with every other financial system, there are opportunities for fraud. One vector is fraud associated with online marketplaces. An Ontario example involved the downfall of crypto asset trading platform QuadrigaCX (Quadriga). It resulted from fraud committed by Quadriga's co-founder and CEO Gerald Cotten. Clients entrusted their assets to Quadriga, which provided false assurances that those assets would be safeguarded. In reality, Cotten spent, traded and used those assets at will. Operating without any proper system of oversight or internal controls, Cotten was able to misuse client assets for years, unchecked and undetected, ultimately bringing down the entire platform and losses to customers of $169 million. Approximately $115 million of the losses arose from Cotten's fraudulent trading on the Quadriga platform. He opened Quadriga accounts under aliases and credited himself with fictitious currency and crypto asset balances which he traded with unsuspecting Quadriga clients. He sustained losses when the price of crypto assets changed causing a shortfall in assets to satisfy client withdrawals. He covered this shortfall with other clients' deposits, in effect, operating a Ponzi scheme. Cotten also lost an additional $28 million while trading client assets on three external crypto asset trading platforms without authorization from, or disclosure to, clients. He also misappropriated millions in client assets to fund his lifestyle.⁶

There are other types of fraud cases as well. For example, in the U.K. case, Ion Sciences vs Persons Unknown and Others,⁷ Ion and its Director were induced by persons unknown to transfer bitcoin in the belief that they were investing in a legitimate initial coin offering (ICO), but later discovered that the recipient was a scam. They transferred '577,002 in the form of some 64.35 bitcoin to the fraudster's Coinbase account in the belief that they were making investments in real cryptocurrency products. A substantial part of the bitcoin transferred or their traceable proceeds ended up at accounts held by the the Binance and Kraken exchanges.

Private key security attacks are also a known means of allowing malicious actors to steal cryptocurrencies. A private key allows individuals to access funds and verify transactions. An attacker who has discovered a vulnerability in an elliptic curve digital signature algorithm, for example, can recover a user's private key. If a private key is stolen, it is difficult to track any related criminal activity and recover the relevant blockchain asset.⁸

There are several examples of private key security attacks. A recent one involved the cryptocurrency exchange Cryptopia, a New Zealand exchange that operated globally. In January 2019 Cryptopia's servers were hacked and private keys held by the exchange were used to transfer cryptocurrencies to an undisclosed external exchange. Somewhere between 9 and 14 per cent of its cryptocurrency was stolen, valued at around NZD $30 million. Cryptopia temporarily suspended its operations and eventually was put into liquidation. The case resulted in a lengthy decision by a New Zealand Court in Ruscoe v Cryptopia Limited (in liquidation) [2020] NZHC 728 (8 April 2020), which had to decide how the remaining assets of the exchange should be distributed as between account holders and unsecured creditors. The court decided that cryptocurrencies were property and that Cryptopia was a trustee of separate trusts, one for each cryptocurrency with the beneficiaries being all account holders holding currency of the relevant type.

Another example of a private key security attack was described in the U.K. case, Fetch.AI Lrd & Anor v Persons Unknown Category A & Ors [2021] EWHC 2254 (Comm) (15 July 2021). It involved fraudulent trading using a person's trading account with the cryptocurrency exchange Binance. It was perpetrated by unauthorized access to the plaintiff's private key. The hackers obtained access to the accounts maintained by the plaintiff and were able to trade the crypto assets in the account by adopting massive undervalues for the products traded with the result that, in the aggregate, losses totaling in excess of US$2.6 million were sustained over a very short period.

Hackers have also been known to steal the keys to cryptocurrency wallets.⁹

Of course marketplaces, like almost every other organization in Canada are subject to data breaches from a myriad of sources. One of the best known examples is Mt Gox, one of the first bitcoin exchanges which was based in Tokyo. During its heydays in the early 2010s, Mt. Gox was responsible for more than 70% of global bitcoin...