New risk rules for cryptocurrency exchanges will be put to the test with the latest hack on Japanese exchange Coincheck. Hackers stole US$660 million worth of NEM (its native cryptocurrency).
In the past eight years, more than a third of all cryptocurrency exchanges have been hacked. The total losses exceed US$1 billion. Because cryptocurrencies are almost untraceable, the rate of recovery after a hack is very low.
A number of countries (including Australia) have enacted legislative provisions to regulate the conduct of cryptocurrency exchanges. Regulators hope these will reduce the risk of attack and make operators more accountable for losses suffered by customers when an attack does occur.
These hacks don’t just expose gullible investors to risk. They mean funds could be flowing undetected into the hands of money launderers and terrorists.
While cryptocurrency exchanges may operate like banks, they are not regulated in the same way as banks. There is no depositor’s insurance and most exchanges remain unregulated.
Due to the almost anonymity afforded to users of Bitcoin and other cryptocurrencies, it is very difficult to trace missing funds. When a hack occurs, the attacker gains access to the virtual wallet operated by the exchange and then transfers the cryptocurrency to their own virtual wallet.
The Coincheck Hack
The Japanese exchange Coincheck hack dwarfs an earlier hack on Bitcoin exchange platform Mt Gox in 2014, which saw the theft of US$480 million worth of Bitcoin.
The operator of Mt Gox, Mark Karpeles was arrested and jailed for his role in the collapse. At the time Mt Gox was the world’s biggest Bitcoin exchange.
He was charged with falsifying records and embezzlement, but there were no laws in place at the time to regulate the Mt Gox exchange and its trade in Bitcoin.
So as to bring virtual currency exchanges in line with international anti-money laundering and counter-terrorism financing measures, Japanese lawmakers enacted the Amended Settlement Act. Under these new laws, all exchanges operating in Japan must register and comply with rules. These rules include knowing their customers, employing sufficient staff, keeping balance sheets, and (critically) must keep all customers’ deposits in “cold storage” (that is, on a computer hard drive that is not accessible via the internet).
These new laws mean that when an exchange is hacked or collapses, operators can be made liable for the way that they managed their customers’ funds. Japanese authorities are threatening to prosecute the operators of Coincheck for their failure to comply with the new laws.
In their online apology, the operators of Coincheck have admitted that the hacked deposits were in a “hot wallet” (connected to the internet instead of being offline) and that this was due to “staff shortages”. Both of these failures to comply will give the Japanese authorities good reason to prosecute.
Close scrutiny of the accounts will be likely to reveal other irregularities. But this is little comfort for Coincheck’s investors. Coincheck has promised to return 90% of the lost NEM to its customers, but has yet to say how or when this will happen.
How would Australia’s regulator react?
Japan is not alone in its scramble to regulate cryptocurrency exchanges. Just this month, the Australian government announced the Australian Transaction Reports and Analysis Centre (AUSTRAC) will have new powers to monitor Bitcoin and other cryptocurrencies. New legislation also forces cryptocurrency exchanges to disclose details of investors and transactions.
The new laws are part of the government’s efforts to combat money laundering and terrorism financing. Exchanges will be required to identify customers more stringently and report suspicious transactions.
All transactions of A$10,000 or more must reported to AUSTRAC. The report must include the names of the customers conducting the transaction, the names of the the recipient of the proceeds of the transaction, and how the transaction was effected.
Any failure by an operator to comply with these laws would result in heavy fines and possibly imprisonment. However, as breaches are almost impossible to detect, enforcement of these laws depends on honesty of the exchange.
One way to detect reportable transactions is to monitor the size of the deposits made into the exchange’s bank account. However, individuals can create fake trading accounts and money-laundering syndicates breakup deposits into smaller amounts, so as to avoid raising suspicion.
Complying with AUSTRAC’s new regulations will be expensive for exchanges. With Australia’s new data breach notification laws coming into effect next month, gathering and securing sensitive information about customers and their deposits will be more onerous than ever.
The problem that faces regulators and investors is that the cost of compliance acts as a deterrent to registration. And because registration requires compliance, exchanges need to outlay significant capital before they start to trade. The sheer size of Coincheck’s losses indicates it was a high-volume exchange and yet, at the time of the hack, its registration was still pending.
Traditionally, when a foreign exchange collapses and is unable to return customers’ deposits, the regulator might prosecute the directors for operating without a licence, failure to comply with financial services regulations, or for insolvent trading. Insolvent trading, for example, attracts both civil and criminal sanctions.
When a cryptocurrency exchange is hacked, the operators and their customers are all victims, but the operators will be made liable for those losses. Under Australia’s current laws, a major hack of a cryptocurrency exchange will be met with similar challenges as those facing the Japanese authorities in the wake of the Coincheck theft.
Any investigation of an exchange could involve the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO) and AUSTRAC. The level of scrutiny that would follow, could reveal a multitude of sins, including some that are unrelated to the hack.
For example, ASIC has the power to prosecute for insolvent trading, operating a Ponzi Scheme and breaches of financial services legislation. The ATO could investigate whether GST was being paid on trades.
Frustratingly for the customers and investors, seeing the operators punished does not reimburse them for their financial losses. Repaying deposits after a hack depends on whether the operators remain in the jurisdiction and have any funds of their own.