Crypto’s so secure, they said. So trustless, so safe. You are your own bank. Well, now the bank’s been robbed and you’ve turned to Decrypt, perhaps the only thing there is left to trust in this broken world.
Perhaps someone hacked into your exchange account and bled your account dry; perhaps you sent crypto to someone posing as someone else, perhaps the company you invested in turned out to be a scam, and made off with the cash?
You’re not the only one: According to a 2019 report on cryptocurrencies by security company Kaspersky, almost a fifth (19 percent) of survey respondents said they’d been hacked on exchanges, and a further 15 percent said they were victims of cryptocurrency fraud.
We’ve quizzed lawyers, security experts, and world-class academics for their advice on what to do when your crypto’s been stolen—and gathered the accounts of victims so you can learn from their experiences.
Act fast to trace your stolen cryptocurrency
“The quicker you can act, the better,” Benjamin Sauter, a partner at Kobre & Kim law and a veteran of crypto theft cases, told Decrypt. Wait too long, and you’ll give thieves more time to transfer assets to cold storage, to send funds to less favorable exchanges or to send them through tumblers to mix them up, all of which makes the funds harder to trace. “The more sophisticated you are, and the less sophisticated the thieves are at laundering the assets, the better chance you have,” said Sauter.
If the funds sit in an exchange, Sauter said you’d better get on the phone with the exchange quick, and ask them to kindly freeze the funds. With luck, the exchange will comply, buying you some precious time. Unfortunately, you might have to cough up some of your remaining cash to a lawyer, who can flash their teeth at the exchanges to freeze the funds, or convince a court to issue an order for them to be frozen. If you’re completely out of pocket, Sauter said that asking the exchange yourself is worth a try.
Identifying crypto thieves
To have the legal system recover your cryptocurrency, you first need to know who stole it. You’d potentially be able to freeze funds against John Doe or Persons Unknown, legal terms for a court case brought against someone you don’t know, but according to Marc Jones, a partner at Stewarts Law in the UK, “In general, to enforce an order requiring fraudsters to pay damages or handover stolen property, ultimately you’ll need to know who they are.”
Luckily, as Jones reminds us, “One of the benefits of any blockchain currency is you can see where coins have gone.” If a coin’s gone through an exchange, then it’s easy to work out who the wallet holder belongs to. Exchanges have know your customer (KYC) checks, which require users to provide identification to the exchange in order to register. From there you can get a court to order the exchange to reveal the thief’s identity.
But hold on, what if the exchange holder is just some punk middleman? When funds enter an exchange, the money is dispersed throughout to provide liquidity, so it’s difficult to trace who owns what. And what about mixers, another common method for people to scramble the identity of coins, programs whereby funds are mixed together to obscure the identity of tokens?
First, don’t lose hope, because mixers aren’t necessarily effective; a 2015 paper by Korean computer scientists showed that the popular Helix mixer wasn’t as good as everyone thought it was. The scientists could identify the relationships between the input and output addresses of the Helix mixer with over 99 percent accuracy.
Second, there are companies -like Chainalysis, whose customers include the FBI and ICE – committed to finding and tracing stolen crypto funds. For a couple of thousand dollars a pop, these companies trace the flow of stolen crypto through public keys, and then use complex data analysis to work out who owns the wallets. For instance, if a fraudster gave some stolen bitcoin to their friend, and that friend posted their bitcoin wallet address online, it’s fairly obvious whodunnit.
Getting your stolen cryptocurrency back
Jones knows how to get his clients out of a bind. In a landmark UK court case, he represented Liam Robertson, who owns a huge crypto asset management firm and was defrauded of 100 Bitcoins earlier this year. Robertson had agreed to invest in a crypto project over the phone. It turned out that a hacker had tapped the line, and sent an email to Robertson asking for Bitcoin, spoofing the sender’s address to pretend he was the executive from the project that Robertson planned on investing in. But Robertson’s lawyers convinced the court to issue an asset preservation order on 80 of the Bitcoins which went to Coinbase, freezing the funds. Why care? Jones got the High Court to admit that Bitcoin was “property”.
That makes it much, much easier for victims of crypto theft to get stolen funds back. Under English common law—one of the oldest and most revered legal codes—while a victim of fraud can sue a fraudster for damages, victims have a better chance of recovery if they can find and freeze their property wherever the fraudster has hidden it. But whether cryptocurrencies are “property” is a contentious issue. As we speak, a British legal taskforce is devoted to sorting this very issue out.
In the US, Sauter said there’s no such problem regarding the legal status of Bitcoin as “property.” Once you figure out who the person is and get a judgment against them, you can go and force that judgment against anything. “You could go try to collect the Bitcoin that was stolen; you could take it to his house and call the sheriff to put a boot on his Lamborghini and give you the Lamborghini…it’s not a problem.”
Sauter helped Elizabeth White, CEO of cryptocurrency asset management firm and luxury goods marketplace The White Company, recover millions of dollars worth of Ripple from now-defunct crypto exchange Cointal—which Sauter thinks was run by “essentially fraudsters”. According to a press release put out by The White Company last year, it was the first suit to rule that the misappropriated funds had to be returned to the plaintiff.
The thief worked with a Cointal employee to manipulate a transaction on the exchange. White agreed to transfer a large amount of Bitcoin to Ripple’s XRP tokens, but the thief pocketed the funds. “They took her money and were like, ‘Sorry, we’re not giving you your end of the transaction back’. And she was like, “What?”,” explained Sauter. White watched her money bounce around the world before it landed at Bittrex, an exchange that’s registered in the U.S. Then, Sauter’s lawyers served a subpoena to work out who owned the wallet, and got a judgment from the court. Because the judgment was against a person, they could use any means necessary to get the crypto back. And they did: White was awarded a total of $2.7 million, according to the press release. And “dozens of Cointal victims have come forward with similar experiences.”
It’s also worth checking if you have a right to sue the company responsible for the hacking. Jones tells Decrypt about an ongoing case against telecommunications giant AT&T, in which Bitcoin investor Michael Terpin had $23 million in Bitcoin stolen from him in a SIM card fraud. In response, he is suing AT&T for failing to protect him. “AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective,” reads the lawsuit.
No such luck for one victim, though. Kyle Asman, a founder of blockchain advisory firm BX3 Capital, was SIM-jacked, whereby a fraudster impersonated his identity to a mobile phone service provider. With your phone number, a fraudster has access to everything: that two-factor security system you secured your Coinbase wallet with? Useless. Asman said his crypto was stolen from a Coinbase wallet. “There is absolutely nothing they do to help you out—except freeze your account. Tracing wallets is next to impossible…I know a number of people who have been victims of SIM-jacking. Almost no one has been successful in recovering [stolen funds],” he told Decrypt.
So, swings and roundabouts.
How to protect yourself from crypto hacks
Now you know a little more about how to recover your stolen cryptocurrency, how to protect yourself from future attacks? Aleksey Malanov, Malware Expert, Anti-Malware Technologies Development at Kaspersky, has some ideas you might not have thought of.
Malanov suggested dividing your funds into “cold” and “hot” wallets. The “hot” wallet contains a small amount of the funds you need for everyday use, and access to it is automated. But Malanov advises that between 95-99 percent of your funds should be stored in a cold wallet that’s not connected to the internet and not automated—a hardware wallet such as a Ledger or Trezor, or a “paper wallet”. “In this case, unauthorized remote access to this wallet and, moreover, the compromise of private keys is excluded,” Malanov told Decrypt.
In conjunction with a cold wallet, Malanov suggested using a multi-signature wallet, like CarbonWallet or Xapo, where multiple people have to authorize a transaction for it to go through. In the same way that several people have to authorize a nuclear missile strike at the same time for the launch to occur, you can use an algorithm that would stop a single person from siphoning your funds. “The compromise of only one key also does not lead to loss of funds,” said Malanov.
And advice for crypto thieves? “Stop stealing crypto,” said the lawyer, Sauter. You heard it here first.