In this session, you will learn about the following notable cases of exchange hacks and fraud:
- 2014 Mt Gox hack
- 2022 FTX collapse
- 2016 Bitfinex hack
- 2020 KuCoin hack
You will also learn about the following concepts:
- Poor risk management and rehypothecation, through Celsius Network
- Disappearance and succession planning, through Quadriga
- Insider trading, through Coinbase
Since Bitcoin’s inception in 2008, the interest in Bitcoin and other digital currencies has grown significantly. Between 2010 which saw the very first exchange created which made it simpler to trade bitcoin, to the now arguably saturated marketplace for cryptocurrency exchanges, inadequate governance at cryptocurrency exchanges and other centralised crypto institutions has manifested in poor consumer outcomes. In this article, we explore some of the most notable cases of hacking, theft, poor risk management and fraud to date, highlighting the need for greater transparency in this space and stronger investor protections.
Exchange Hacks and Frauds
As of 12 January 2023, there have been 50 reported exchange hacking events, aggregating to approximately US $3.4 billion (at the time of the respective hacks) stolen. Of these, 19 hacks were conducted in 2019 alone, and the most recent hack was in November this year when Bahamas-based crypto exchange, FTX, had $600 million stolen. The most common hack took the form of infiltrating the private keys used to access the exchange’s hot (i.e. online) wallets that store users’ cryptocurrencies. This has led to funds becoming lost and unrecoverable, with many exchanges having to shut down or file for bankruptcy as a result.
The Biggest Casualty: Mt Gox
To date, the largest and arguably most notorious crypto exchange hack occurred in 2014, when Tokyo-based Mt Gox, the largest bitcoin exchange in the world at the time, lost almost 850,000 bitcoin, with 750,000 of these belonging to users, and 100,000 belonging to itself. The exchange was first launched in 2010 by US programmer Jed McCaleb and expanded rapidly, eventually being bought by French developer Mark Karpeles in 2011. At its peak in 2013, Mt Gox was responsible for 70% of all bitcoin transactions worldwide.,
On 7 February 2014, Mt Gox first announced on its website that it halted withdrawals, then suspended all trading, before the company went completely offline on 24 February. Four days later, the company filed for bankruptcy protection in Japan and filed for bankruptcy in the US on 9 March. Though this all seemed to suddenly unfold over the period of a month, subsequent investigations suggest that the hack had been going on undetected for years, revealing that the private keys to Mt Gox’s wallet were unencrypted and had been stolen back in 2011. The hacker had supposedly been stealing bitcoin gradually from users’ accounts as the company remained unaware, with insiders citing the reason for the exchange not having realised earlier being mismanagement and a lack of organisation. The company’s CEO, Mark Karpeles, was arrested in 2015, and served one year of jail time for embezzlement and breach of trust charges, but was only found guilty of data manipulation charges, for which he did not have to serve any jail time.
Unsurprisingly, the hack, which constituted approximately 6% of all bitcoin supply at the time, caused Bitcoin’s price to fall over 36% from February to the end of March and in April, Tokyo District Court ordered the company into liquidation. Since then, only 200,000 bitcoin were able to be recovered, having been found in a ‘forgotten’ wallet held by the company. Whilst approximately 34,000 bitcoin were liquidated by Mt Gox’s trustee, Nobuaki Kobayashi, in 2018 to secure approximately US $400m for distribution to creditors, the rest has remained held for creditors until now. In a letter sent out to creditors in July 2022, Mt Gox’s Rehabilitation Trustee, attorney-at-law Nobuaki Kobayashi, indicated they would start paying out creditors at the end of August 2022; however payments were postponed as the deadline for the repayment method selection and registration was subsequently deferred until 10 March 2023.
The most notable recent example of poor governance by an exchange occurred in November 2022, when FTX, which was the second largest crypto exchange at the time in terms of trading volume market share behind Binance, lost over $8 billion USD worth of customer funds., The exchange was launched in 2019 by Sam Bankman-Fried, who also founded cryptocurrency trading firm Alameda Research.
The saga began on 2 November, when it was reported that Alameda Research’s balance sheet was highly illiquid, largely composed of the FTT token (the governance token of its sister exchange, FTX). This apparent conflict of interest led to a sell off of the FTT token. Following speculation that Binance would acquire FTX, which did not eventuate, allegations were made that FTX had lent over half of its customer funds to Alameda Research for them to trade in direct contravention of its terms of service.
The contagion effect from these events led to the price of Bitcoin plummeting to a two-year low of USD $15,480. More recently it has been reported that over $5 billion USD of customer assets have been recovered. However, it is unknown how, when or if these funds will be distributed amongst creditors.
Another victim to hacking was Bitfinex, a popular Hong-Kong based exchange. Hackers used malware to control an executive’s computer and increased the transaction limit of 2,500 bitcoin to steal 119,756 bitcoin from the exchange. News of the hack had a significant impact on the price of Bitcoin, which at the time plunged by 20% before gradually recovering. It was never determined how the hackers were able to access Bitfinex’s servers or what location they operated from, as they wiped the memory of the server after the hack.
Unlike Mt Gox, Bitfinex survived the hack. To reduce the risk of a similar hack in future, operational risk management was improved, implementing a requirement that in order to approve transactions larger than the 2,500 limit, a video call between their custodian, BitGo, and an employee need first be conducted. As for the stolen funds, Bitfinex spread the loss across all its customers, meaning each user lost 36% of their holdings. Users were given the option to trade shares in Bitfinex’s parent company for users’ entitlement to any assets that might in future be recovered, however only 0.023% were located, which were distributed to affected users in 2018.
In September of 2020, popular Singapore-based exchange, KuCoin, was subject to a hack which targeted its hot wallets, stealing approximately $280 million worth of Bitcoin and Ethereum. As the exchange stored a significant amount of its tokens in hot wallets accessible via the internet, the hackers only needed to obtain the private keys to transfer the funds. The exchange was able to recover 84% of the stolen funds with the help of law enforcement and other exchanges, whilst the remaining 16% was covered by insurance.
Poor Risk Management
The presence of crypto-based lenders has increased in recent years, with many companies claiming to operate not dissimilarly to a bank. However, unlike banks, which are strictly regulated and subject to regulatory capital requirements, crypto lenders are not, exposing them (and their customers) to a variety of risks, which if not managed properly can have extreme consequences. One such crypto lender, Celsius Network, gained notoriety in 2022 when it first froze withdrawals before soon filing for chapter 11 bankruptcy in July.
Prior to filing for Chapter 11 bankruptcy relief, Celsius Network’s website stated that they “use coins transferred by our customers as collateral for lending, rehypothecation, and other similar transactions”. But what is rehypothecation? To break it down, hypothecation describes an agreement where collateral is pledged to secure a loan. For example, when someone takes out a mortgage, they pledge their house as collateral, giving the bank the right to seize your house should you fail to repay the loan. Extending on this, rehypothecation would be if the bank uses your collateral (i.e. your house) as collateral for another lending transaction, which is considered a derivative based on the original agreement between you and the bank. As the original borrower, you now face the risk that the bank suddenly enters bankruptcy and cannot repay their new loan, meaning your house would be seized.
Succession Planning: Quadriga
Whilst the importance of security and cold (i.e. offline) storage is highlighted in many digital exchange hacks, it is not the only consideration. Succession planning is also imperative. Quadriga, a Canadian-based exchange which utilised cold storage, lost approximately CA $260 million in user funds when its CEO, Gerald Cotten, suddenly passed away as the only individual with the knowledge of the private keys needed to access them. He passed away in India while purportedly building an orphanage. There is some speculation that Mr Cotten had faked his death and taken the user funds for his personal use.
After Mr Cotten’s passing, attempts at recovering the information to the private keys were unsuccessful and the exchange struggled to repay 100,000 users. Unsurprisingly, the company became insolvent and had to seek creditor protection.
Insider Trading: Coinbase
In early 2022, a former product manager at Coinbase, one of the world’s biggest crypto exchanges, was charged in what was the first insider trading case within the crypto industry. The product manager, his brother and their friend were charged with wire fraud conspiracy. Allegedly, the product manager shared confidential information with the two men revealing upcoming announcements of tokens Coinbase planned to list on its exchange. The pair allegedly generated over US$1 million as a result of acquiring the assets and then trading them upon a rise in value following the listing announcements.
How Investors Can Protect Themselves
As highlighted by the multiple examples above, poor governance within the digital currency ecosystem has been rife and leads to poor outcomes for consumers.
Some of the risks facing investors in dealing with digital assets can be mitigated through the use of regulated investment vehicles that manage risks. For example, regulated financial products that track the price of bitcoin allow investors to gain exposure to bitcoin without the risks of self custody or using custodians and other service providers that are not licensed and subject to adequate regulatory oversight.
Greater disclosure for regulated financial products also provides key consumers protections as it allows them to make informed decisions on the investments they make and the risks they take in doing so.
Regardless of the means of exposure, investors that wish to invest in this asset class should conduct their own due diligence on each regulated product they are considering for investment and seek professional advice. However, the use of traditional finance, offering regulated products under established financial services laws, to bring digital assets to traditional markets is a key piece in bringing more robust governance to the space and consequently better outcomes for consumers and the broader crypto ecosystem.
Important Information: This material has been delivered to you by Monochrome Asset Management Pty Ltd (ABN 80647701246), Corporate Authorised Representative (CAR No. 128 6428) of Non Correlated Capital Pty Ltd (AFSL No. 499882, ABN 99 143 882 562), and has been prepared for general information purposes only and must not be construed as investment advice or as an investment recommendation. This material does not take into account your investment objectives, financial situation or particular needs. This material does not constitute an offer or inducement to engage in an investment activity nor does it form part of any offer documentation, offer or invitation to purchase, sell or subscribe for interests in any type of investment product or service. You should read and consider any relevant offer documentation applicable to any investment product or service and consider obtaining professional investment advice tailored to your specific circumstances before making any investment decision. A copy of the relevant Information Memorandum relating to a Monochrome financial product or service may be obtained by emailing email@example.com or by visiting www.monochrome.co.
Past performance is not necessarily indicative of future results and no person guarantees the future performance of any strategy, the amount or timing of any return from it, that asset allocations will be met, that it will be able to be implemented and its investment strategy or that its investment objectives will be achieved. This material may contain ‘forward-looking statements’. Actual events or results or the actual performance of a Monochrome financial product or service may differ materially from those reflected or contemplated in such forward-looking statements.
This material may include data, research and other information from third party sources. Monochrome makes no guarantee that such information is accurate, complete or timely and does not provide any warranties regarding results obtained from its use. This information is subject to change at any time and no person has any responsibility to update any of the information provided in this material. Statements contained in this material that are not historical facts are based on current expectations, estimates, projections, opinions and beliefs of Monochrome. Such statements involve known and unknown risks, uncertainties and other factors, and undue reliance should not be placed thereon.
Any trademarks, logos, and service marks contained herein may be the registered and unregistered trademarks of their respective owners. This material and the information contained within it may not be reproduced, or disclosed, in whole or in part, without the prior written consent of Monochrome.