How secure are digital assets?
What are the security risks to digital assets?
Any holder of digital assets must take steps to safeguard them, and there are a range of options with varying levels of security. Owners of crypto assets must also be as vigilant about scams and hacks that target them personally as they would be with traditional money.
Best protection methods depend on how a user stores assets, and with which institutions, as both security and reliability differ widely in this burgeoning field. Over the past 10 years, there have been 126 big breaches, totalling $3.1bn, of crypto “wallets” (see below) and exchanges, according to data compiled by Crypto Head, an industry intelligence site. The average breach has cost about $25m. Bitcoin, the most popular cryptocurrency, remains the most targeted digital asset.
Where should I hold my digital assets?
Digital asset holders need their unique “private key”, a long password that serves a similar purpose to a bank-card PIN to unlock access to their crypto. It is vital not to lose or forget this private key. Decentralised digital assets are not guaranteed by banks and will not have a password reset hotline, meaning it is almost impossible to recover digital keys once lost. According to Chainalysis, a blockchain data provider, more than $100bn in bitcoin may have been lost in this way.
The keys — and therefore crypto — can be kept in online or mobile wallets, known as hot wallets. This makes it easier to access funds swiftly — say, for traders who want to connect quickly to exchanges, brokers or other services. Indeed, many cryptocurrency exchanges offer online digital wallet services that link seamlessly to their trading systems.
This is, however, the least secure method of holding crypto, leaving digital assets more vulnerable to hackers. In 2014, Mt.Gox, then the world’s biggest cryptocurrency exchange, filed for bankruptcy after losing more than $450m, largely in bitcoin, when hackers allegedly stole its hot wallet private keys.
Today, some large exchanges, such as Coinbase, have added protection for investors in the form of crypto insurance. If an individual’s password is compromised, they will lose their funds forever. But if, for example, the company itself is hacked or breached, the insurance will cover the losses for the user.
Are there more secure options?
Yes. The most popular alternative is what is known as cold storage — a device that is not connected to the internet. Hackers would typically need access to that device, as well as any associated passwords or codes, to steal crypto assets.
Cold storage options to control digital assets that do not involve intermediaries include physical USB keys, specific offline computers or sophisticated hardware wallets — small USB-like devices that are designed to be impenetrable by hackers and can cost several hundred dollars.
Cryptocurrency exchanges, particularly the largest ones, increasingly offer cold storage custody options. Other specialist third-party services go to even greater lengths to protect customers’ crypto assets by, for example, holding private keys in vaults with human guards.
In southern England, Vo1t, which was bought last year by crypto trading company Genesis, has an underground bunker patrolled by ex-military personnel, according to Forbes. The servers are rigged to delete digital assets stored on them if intruders trigger any hidden trip switches (Vo1t has back-up servers in other countries). Other services offering military-grade protection, such as Prosegur Crypto, use biometrics, including facial recognition and thumb prints, for clients to access their digital assets.
Are there other risks?
On top of attacks on digital asset exchanges and custodians, hackers have been able to exploit the nascent code of new crypto initiatives in the growing field of decentralised finance (DeFi). About $1.1bn in attacks have occurred in this area in the past 10 years, according to Crypto Head.
One such digital heist this year targeted Poly Network, a decentralised trading network that developed a computer protocol allowing users to transfer tokens tied to one blockchain to a different network. Hackers stole about $600m worth of cryptocurrencies, one of the largest ever such thefts, through a flaw in the protocol itself.
Finally, crypto frauds remain the biggest form of crime by which digital asset holders lose funds. Losses stand at nearly $15bn over the past decade, according to Crypto Head, or $364m on average per fraud. The largest crypto fraud to date was the $4bn OneCoin Ponzi scheme, which had billed itself as a new cryptocurrency. Ruja Ignatova, its Bulgarian founder, has been on the run from law enforcement agencies since 2017, though she was charged in absentia in 2019 for securities fraud. Last year, the PlusToken Ponzi scheme defrauded millions of investors of some $2bn in total, according to Chainalysis.
Becoming a victim of a fraudulent project is always possible where scammers are highly convincing and sophisticated. But investors are advised always to carry out due diligence and explore the “white paper” and other documentation about any digital asset initiative.