A New Sheriff in the Wild West: How the Cryptocurrency Industry’s Failure to Neutralize Hacking Threats Has Rendered Federal Regulation a Necessity

Dan O’Dea, MJLST Staffer

In today’s financial world, few things are more captivating than the rapidly evolving cryptocurrency space. It has been a wild twelve months for the cryptocurrency industry, and specifically for Bitcoin owners. Bitcoin doubled its value in 2021 and peaked at just over $68,000/coin, only to erase nearly all of those gains when the crypto market crashed in January 2022. The crash was largely prompted by fears that the Federal Reserve would withdraw stimulus from the market by raising interest rates. In the process, the crypto market lost over $1 trillion in market value, and an asset class that many have called a “hedge opportunity” for investors against inflation crashed down with the stock market as a whole.

But extreme market volatility is not the only risk that investing in cryptocurrency poses for its roughly 300 million investors. Hackers and thieves have been wreaking havoc on the Decentralized Finance (De-Fi) industry, with their latest exploit coming in the form of a $320 million theft of Ethereum from Wormhole, one of the most popular bridges linking the blockchains of the popular Ethereum and Solana coins. These blockchains are of great use, as they are capable of developing “smart contracts” to replace banks and lawyers in certain business transactions. Blockchain “bridges” like Wormhole are important facilitators for these contracts. Unfortunately, in the process, bridges like Wormhole have become a target for cyberattacks due to fundamental limits on their security as they house hundreds of millions of dollars of assets in escrow. This latest theft on Wormhole is not even the largest in the De-Fi crypto space’s history, where a $600 million theft from a platform called Poly Network takes the cake. Interestingly, the hacker’s goal in that theft was simply to open a dialogue with the platform about security issues on the blockchain, and ultimately all funds were returned. Attacks have not been limited to the platform level, as smaller-time thieves have turned to phishing scams and SIM swap schemes (in which an individual misrepresents their identity to your cell phone provider in an effort to intercept dual-factor authentication messages and gain access to your crypto accounts) to steal from individual investors. Unfortunately, victims of the vast majority of cryptocurrency thefts are extremely unlikely to recoup their funds once they have been stolen, due to the anonymity afforded to wallet holders on the blockchain, who in some cases can reveal no identifiable details about themselves while transacting cryptocurrency.

It is important to note that when a cryptocurrency platform loses money, it is not the platform alone that incurs a loss. Rather, the clients whose accounts were pillaged by hackers bear the entire loss, or, if the platform collapses from the theft and liquidators are appointed, every user on the platform will bear the loss to some degree. So what recourse do the victims of cryptocurrency theft have? While cryptocurrency platforms such as Coinbase attempt to educate users about the types of scams they may encounter, if a theft occurs, victims are usually on their own. While state prosecutors’ offices and federal enforcement agencies like the FBI will investigate and prosecute identifiable criminals, and individual plaintiffs can bring private civil actions against them, the largest challenge faced by victims of cryptocurrency theft is identifying the thieves in the first place. In an effort to identify perpetrators, both the FBI and private parties with deep pockets have begun to contract with private tech firms specializing in tracking down stolen crypto, such as CipherTrace. While working with a crypto-tracking firm gives an aggrieved individual the best chance of tracking down their thieves, it is still unlikely that the parties will ever be identified and the funds ever recouped.

Security requirements are far from standardized across the crypto industry. True to its nickname, the “Decentralized Finance” (De-Fi) industry operates essentially free from regulatory constraints in the United States. The Financial Industry Regulatory Authority (FINRA) has cautioned investors about the risks posed by cryptocurrency investments relating to hacking and volatility, but because the space is not subject to federal securities regulation requirements, investors often enter the world of cryptocurrency investing underinformed as to its true risks. The U.S. Securities and Exchange Commission (SEC) has begun to wade into the fray of regulating cryptocurrency platforms, most recently with the introduction of a proposal that some are calling a “trojan horse” regulatory tool to be wielded against the crypto industry. The proposal contains an expansive definition of the term “treasury platforms” that would likely allow the SEC to issue protocols for cryptocurrency and De-Fi platforms. The trojan horse notwithstanding, the SEC has been vocal about its plans to introduce formal regulatory guidelines and procedures for the cryptocurrency industry in the long term. Even the White House has waded into the crypto regulatory waters, with the Biden administration set to release an executive order designed to create a government-wide strategy to regulate the cryptocurrency industry, which could be released as soon as mid-February 2022. The proposal comes on the heels of the FTC’s release of data showing cryptocurrency scams have skyrocketed, and as concern levels over crypto money laundering schemes rise.

While many have scoffed at the idea that the decentralized finance industry should be regulated, it is likely that the prospect of federal regulation actually represents a good thing for a cryptocurrency market that has been referred to as “The Wild West,” and that has drawn comparisons to the late 2000s subprime mortgage market. Federal regulation of the cryptocurrency industry will prompt new protocols for its platforms designed to enhance risk disclosures made to prospective crypto investors and strengthen the security measures protecting investments. Further, regulation is likely to prompt registration and reporting requirements that will make it easier to catch crypto thieves by providing greater information to law enforcement agencies. The crypto industry continues to prove it cannot protect itself from the threat of hacking, and investors are largely bearing the costs of these failures. Just as the SEC stepped in to protect investors from being burned by highly speculative and worthless securities in the 1930s, lending its regulatory hand to the cryptocurrency industry in a non-burdensome manner should again provide investors with a new set of protections in 2022.