UK law firm on cryptos and where to find them
Sam Roberts is a Senior Associate at law firm Cooke, Young and Keidan, with a particular focus on fintech disputes and the application of psychology to dispute resolution. Here he advises on the reality of crypto theft, and how to locate it.
While the recent asset preservation order (APO) over stolen cryptocurrency in Robertson v Persons Unknown is encouraging for businesses dealing in cryptos, businesses must know what they are up against in trying to trace stolen cryptoassets. Businesses accepting payment in cryptos should also be aware of what they might be in for if they get tangled up in frauds.
The English Court has always been a friend to victims of fraud trying to trace their stolen assets. Worldwide freezing and disclosure orders are invasive tools that can give victims wide-ranging access to information and put recalcitrant respondents in prison. The Court has shown itself to be adaptable and pragmatic in the face of a fraud occurring in a new medium.
Liam Robertson, a sophisticated trader in Bitcoin, fell victim to a spear-phishing attack and lost 80 bitcoin from his wallet, first to a new address and then to an address belonging to the well-known crypto exchange, Coinbase. The Court granted Mr Robertson an APO, which prohibits the onward transfer of the stolen bitcoin.
Robertson should be a stark reminder of the importance of robust security. Unlike with traditional bank payments, there is no stopping payments in cryptos. No one is monitoring the network for fraud or going to compensate victims under legislation. No one will force network users to adopt prudent security standards. For anyone serious about investing in cryptos, private keys, the alphanumeric strings that allow cryptos to be spent, must be guarded with a level of security bordering on paranoia. Equally, however, private keys are irrecoverable once lost, so businesses must learn to balance accessibility and durability.
An even greater technical challenge is what to do if good security isn’t good enough and, like in Robertson, a theft occurs. Tracing through a public blockchain is both easier and much more difficult than a traditional asset-tracing exercise. It’s easier because the ledger of transactions from address to address is immutable and readable by anyone. Browser-based services offer real-time visualisation of every payment ever made.
A significant caveat, however, is the use of tumbling and mixing services. These are effectively laundering operations which will accept a transfer from an address and spin it off in tiny fractions to any number of new destination addresses (unlike bank accounts, anyone can generate any number of new bitcoin addresses at any time – the available number of addresses is in practical terms limitless). Following the WannaCry ransomware attack in 2017, the ransomed bitcoin moved into tumblers and then percolated across the network.
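The tracing exercise described above, as an added example that is not part of the original article: it follows 80 stolen bitcoin through a mixer using "haircut" tainting, a proportional taint-tracking heuristic chosen here as an assumption, and reports where tainted coins come to rest at labelled businesses. All addresses, amounts and labels are constructed, and the ledger is simplified to one balance per address rather than Bitcoin's real transaction outputs.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample data (not real addresses or transactions).
# Simplified model: one balance per address, transfers applied in order.
STOLEN = Fraction(80)                         # BTC landing at the thief's first address
CLEAN_BALANCES = {"mixer_in": Fraction(180)}  # other users' coins already in the mixer
TRANSFERS = [                                 # (sender, receiver, amount in BTC)
    ("addr_thief", "exchange_dep_1", 20),
    ("addr_thief", "mixer_in", 60),
    ("mixer_in", "out_1", 40),
    ("mixer_in", "out_2", 40),
    ("mixer_in", "out_3", 80),
    ("mixer_in", "out_4", 80),
    ("out_1", "exchange_dep_2", 40),
    ("out_3", "retailer_checkout", 80),
]
# Hypothetical labels an investigator holds for addresses of identifiable businesses.
LABELS = {
    "exchange_dep_1": "exchange",
    "exchange_dep_2": "exchange",
    "retailer_checkout": "retailer",
}

def trace_taint(transfers, clean_balances, first_address, stolen):
    """Haircut tainting: each payment carries the sender's current tainted share."""
    balance = defaultdict(Fraction, clean_balances)
    taint = defaultdict(Fraction)
    balance[first_address] += stolen
    taint[first_address] += stolen
    for sender, receiver, amount in transfers:
        amount = Fraction(amount)
        if amount <= 0 or amount > balance[sender]:
            raise ValueError(f"invalid transfer from {sender}: {amount}")
        moved = amount * taint[sender] / balance[sender]
        balance[sender] -= amount
        taint[sender] -= moved
        balance[receiver] += amount
        taint[receiver] += moved
    return {addr: t for addr, t in taint.items() if t > 0}

def leads(taint, labels):
    """Tainted coins resting at labelled businesses, largest first."""
    hits = [(addr, labels[addr], t) for addr, t in taint.items() if addr in labels]
    return sorted(hits, key=lambda h: (-h[2], h[0]))

if __name__ == "__main__":
    taint = trace_taint(TRANSFERS, CLEAN_BALANCES, "addr_thief", STOLEN)
    for addr, kind, btc in leads(taint, LABELS):
        print(f"{addr:18} {kind:9} {float(btc):6.2f} BTC tainted")
```

In this constructed ledger the mixer dilutes the 60 bitcoin it receives to a quarter of each payout, yet 50 of the 80 stolen bitcoin still end up at addresses belonging to identifiable businesses.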
The flipside to this legibility is, of course, anonymity – and it does no good to a victim of fraud if assets can be traced for eternity but never recovered. Currently, the only ways to unmask a crypto fraudster are with luck, or very advanced mathematics.
The luck element involves following stolen cryptos through the blockchain into a legitimate business, ideally a crypto-exchange. Exchanges like Coinbase are, insofar as they provide traditional payment services, regulated. They are obliged by legislation to collect KYC on their customers and this information – names, addresses and photo ID – is highly valuable to victims. However, dozens of retailers now accept payment in bitcoin too. If a fraudster uses stolen bitcoin to pay for goods, then the retailer should have a delivery address and potentially a genuine name. One day, crypto thieves might be caught buying fried chicken and spiced lattés with bitcoin from KFC and Starbucks. Particularly sloppy thieves might even advertise their bitcoin addresses online.
The mathematical approach involves probabilistic analysis to map public bitcoin addresses to IP addresses, which in theory means that a fraudster is just one court application against his ISP away from being unmasked. However, these methods have only reached an academic stage so far and require a string of monitoring nodes to have been set up around the globe before the fraud occurs.
The use of mixers can also conceivably be negated through disclosure applications. It is difficult to see a Court wanting to help them much when they positively invite money laundering. There may be jurisdictional issues in enforcement, but equally, presumably no mixer wants to become the next Bestmixer.io, which was shut down by European authorities in May 2019 for facilitating financial crime. Such disclosure is unlikely to identify a fraudster, but it should tell a victim which threads to follow.
What all of this should tell Fintechs is that, in a crypto fraud, information is incredibly powerful to a victim, and even more than in a ‘traditional’ bank payment fraud, claimants will be looking to all manner of businesses for intelligence. Popular exchanges, ISPs, fried chicken outlets and everyone who has so much as glanced at a bitcoin can expect to find defrauded claimants knocking at their doors.
More so than with a bank payment fraud, victims may also be looking to third party ‘enablers’ for compensation. Unlike with banks, public blockchain transactions are irreversible without a private key for the receiving address, or more than 50% of the entire network agreeing to reverse it. It is also impossible to enforce a judgment in bitcoin against a third party – unlike a bank balance, the balance of a wallet isn’t owed to the defendant and cannot be intercepted by the judgment creditor. Together, these might mean that a court order requiring a defendant to return the stolen cryptos might go unheeded. If the third party wrapped up in the fraud turned a blind eye to it (perhaps not that difficult to prove if the third party were a mixing service), then it might find itself liable to compensate the victim in damages, even if it never received the stolen cryptos. These businesses are also likely to be seen by claimants as having “deep pockets”, making them attractive targets.
Altogether, the Robertson case shows that the English Court will not allow cryptos to move in a lawless vacuum. But as positive as it is to see the courts doing their bit, both despite this, and because of it, significant risks exist to businesses operating in this space on the right side of the law.
Zafin: Banking is now in the era of the tech ecosystem
The development of tech ecosystems is placing the future of post-COVID banking in jeopardy. At a time when Big Tech can replicate the functions of traditional financial institutions, what can banks do to retain a grip on the market?
John Smith, EVP Ecosystem at Zafin, has a few ideas. A SaaS cloud-native product and pricing platform for financial institutions, Zafin is preparing the next generation of banks to cope with this precise challenge.
Smith is responsible for the strategic and tactical management of the company’s ecosystem, including the creation of new business models to support growth and differentiation. We asked him four questions:
Q. Have the events of the pandemic caused an irreversible shift in the digitalisation of banks? If so, is COVID the sole cause or are there other factors?
It’s a great question and one that I am asked a lot. Without a doubt, the COVID-19 pandemic has driven a significant shift in the acceleration of digital. In fact, I’ve seen some estimates show there to have been as much as four to six years of digital adoption growth since the initial lockdown started.
While the pandemic may be the primary reason for this growth, two other drivers include fintech disruption and the high costs of operating a traditional retail bank. Both of these factors have caught the attention of banking executives as they set their minds on accelerating digital transformation with a focus on high return, low risk.
Q. Some commentators believe banks must learn from Big Tech in order to survive. Do you agree? Please expand.
I agree completely; we’re living in the era of the ‘ecosystem’. All the seismic shifts we’re seeing in technology, be it aggregation, embedded finance, DeFi or hyper-personalisation are all enabled by the foundation of an ecosystem.
When financial institutions work with a strategic partner like Zafin, which has made the strategic investments in a best-in-class ecosystem, they’re able to capitalise on opportunities more quickly and safely, and will be better positioned for growth now and at the other side of the pandemic.
Q. What are currently the obstacles to adopting Open Banking? Is it more likely to 'take off' in some regions rather than others?
I would argue that Open Banking has been in the US for some time and will only continue to grow there. By definition, Open Banking is about the secure sharing of financial information that customers are aware of and have authorised. Under that definition, we’re seeing aspects of this well underway even though its full potential remains to be seen.
Third-Party Providers are a natural outcome of Open Banking, whereby they can create propositions beyond what a bank normally does to enable banking functions such as payments, borrowing, saving and so on. Once again, some of these are already present through industry-led initiatives, whereas regions such as the EU have taken the pathway of regulation such as PSD2.
The industry-led initiatives we’ve seen in the US have also had the added advantage of guard-rails that regulatory bodies like FFIEC and CFPB provide. There are also other technology-led initiatives such as API definitions that are set out through the FS-ISAC.
I would argue the future of Open Banking in North America will be through the natural evolution of the guidelines and API definitions that have been published, as well as the natural progression of industry initiatives.
Q. Are there any other bank tech trends you'd like to discuss?
Coreless banking. Zafin has been pioneering some of the work around externalising functions out of the legacy core to drive a more ‘fintech nimble’ bank, while not having to deliver a ‘heart and lungs’ core bank replacement.
Real life examples of this include moving some of the core functions of a banking system, such as product and pricing to a platform like Zafin. Origination, onboarding, KYC, risk, and compliance are all other examples of externalising banking functions for added agility.