CoinCheck last week suffered the world’s largest crypto-theft. When it was revealed that the operators had been holding clients’ funds in a “hot wallet”, connected to the internet, as opposed to a remote “cold wallet”, it raised questions about how well crypto-operators are meeting regulatory obligations.
According to Dr Philippa Ryan, a lecturer in commercial equity and in disruptive technologies and the law at the University of Technology Sydney, corner-cutting in the crypto world is a “very, very big problem”.
“When they [CoinCheck] admitted that they were understaffed, and when they admitted that they had the funds that were hacked in a hot wallet, they were admitting to breaches of the rules that were set up by the regulator.
“They have been trying to get registered, and it's still pending registration. I think they were trying to do it properly and I think they've been naïve.”
Questioned on whether CoinCheck’s admission that funds were stored in a hot wallet signified a culture of corner-cutting, Dr Ryan said the “failure to meet any of the regulator’s minimum expectations” is part of the problem.
Continuing, she said: “The problem for any ICO [initial coin offering], or any exchange that has a hack or a collapse [is] they are going to be then put under the microscope.
“It's like a post-mortem is conducted on a dead body and they start to find other diseases, and this is the problem for anybody who's decided to make themselves known… [if they’re in the jurisdiction] they can be personally liable for the losses suffered by their customers.”
The problem for operators is that often the diseases regulators find aren’t related to the hack, she added.
What if it’s not even a hack?
Perhaps more sinister than poor storage is the possibility of operators disguising embezzlement as a hack.
Pointing to the second-largest historical hack, the Mt. Gox 2014 hack, Dr Ryan noted that in the time since February 2014, Mt. Gox’s operator, Mark Karpeles, has “basically gone into hiding”.
“He's now charged with embezzlement and other offences under both Japanese and American law in relation to his role.”
In the months following, Mr Karpeles claimed that he had forgotten about a wallet which held 200,000 bitcoins and said some funds would be refunded.
“I can sort of understand forgetting you had a wallet but 200,000? I'm not convinced at all,” Dr Ryan said.
While Mr Karpeles is now facing legal action, in many cases it can be difficult for regulators and authorities to track the funds or find the hacker. “Even if you can check out the address, and see where the money went before it then disappeared, I think it's very hard to work out who the malicious or nefarious actor is.”
Okay, can we make blockchain liable?
It’s a “really cool question”, Dr Ryan thinks. Noting that the European Union is currently looking into personhood laws for robots and autonomous vehicles, Dr Ryan said there are many other researchers considering how those policies would work for blockchain.
“The idea would be, register that blockchain network and make sure that it also is an entity in its own right, and then it either has provisioning for losses or it has insurance in place.
“I think that's the level of sophistication that's going to exist in due course.”