Cryptocurrency Exchanges Are Increasingly Roiled by Hackings and Chaos
Dan Wasyluk discovered the hard way that trading cryptocurrencies such as bitcoin happens in an online Wild West where sheriffs are largely absent.
Wasyluk and his colleagues raised bitcoins for a new tech venture and lodged them in escrow at a company running a cryptocurrency exchange called Moolah. Just months later the exchange collapsed; the man behind it is now awaiting trial in Britain on fraud and money-laundering charges. He has pleaded not guilty.
Wasyluk's project lost 750 bitcoins, currently worth about $3 million, and he believes he stands little chance of recovering any money.
"It really was kind of a kneecapping of the project," said Wasyluk of the collapse three years ago. "If you are starting an exchange and you lose clients' money, you or your company should be 100 percent accountable for that loss. And right now there is nothing like that in place."
Cryptocurrencies were supposed to offer a secure, digital way to conduct financial transactions, but they have been dogged by doubts. Concerns have largely focused on their astronomical gains in value and the likelihood of painful price crashes. Equally perilous, though, are the exchanges where virtual currencies are bought, sold and stored. These exchanges, which match buyers and sellers and sometimes hold traders' funds, have become magnets for fraud and mires of technological dysfunction, a Reuters examination shows, posing an underappreciated risk to anyone who trades digital coins.
Huge sums are at stake. As the prices of bitcoin and other virtual currencies have soared this year - bitcoin has quadrupled - legions of investors and speculators have turned to online exchanges. Billions of dollars' worth of bitcoins and other cryptocurrencies - which aren't backed by any governments or central banks - are now traded on exchanges every day.
"These are new assets. No one really knows what to make of them," said David L. Yermack, chairman of the finance department at New York University's Stern School of Business. "If you're a consumer, there's nothing to protect you."
Regulators and governments are still debating how to handle cryptocurrencies, and Yermack says the U.S. Congress will ultimately have to take action.
Some of the freewheeling exchanges are plagued with poor security and lack investor protections common in more regulated financial markets, Reuters found. Some Chinese exchanges have falsely inflated their trading volume to lure new customers, according to former employees.
There have been at least three dozen heists of cryptocurrency exchanges since 2011; many of the hacked exchanges later shut down. More than 980,000 bitcoins have been stolen, which today would be worth about $4 billion. Few have been recovered. Burned investors have been left at the mercy of exchanges as to whether they will receive any compensation.
Nearly 25,000 customers of Mt. Gox, once the world's largest bitcoin exchange, are still waiting for compensation more than three years after its collapse into bankruptcy in Japan. The exchange said it lost about 650,000 bitcoins. Claims approved by the bankruptcy trustee total more than $400 million.
In July, a federal judge in Florida ordered Paul Vernon, the operator of a collapsed U.S. exchange called Cryptsy, to pay $8.2 million to customers after he failed to respond to a class-action lawsuit. The judge ruled that 11,325 bitcoins had been stolen but did not identify the thief. "This is no different than bank robbers in the Old West," said David C. Silver, one of the plaintiffs' attorneys. "Cryptocurrency is just a new front." Vernon could not be reached for comment.
Another challenge for traders: government intervention. This month, Chinese authorities ordered some mainland Chinese cryptocurrency exchanges to stop trading. The order, however, did not apply to exchanges based in Hong Kong or outside China, including those affiliated with mainland Chinese exchanges.
So-called "flash crashes" – when cryptocurrencies suddenly plummet in value – are also a threat. Unlike regulated U.S. stock exchanges, cryptocurrency exchanges aren't required to have circuit breakers in place to halt trading during wild price swings. Digital coin exchanges are also frequently under assault by hackers, resulting in down times that can sideline traders at critical moments.
On May 7, traders on a U.S. exchange called Kraken lost more than $5 million when it came under attack and couldn't be accessed, according to a class-action lawsuit filed in Florida. During the incident, the suit alleges, the exchange's price of a cryptocurrency called ether fell more than 70% and the traders' leveraged positions were liquidated. They received no compensation. The exchange declined to comment on the lawsuit. In a court filing, it asked for the case to be dismissed and said the claims should be decided by arbitration.
Another two flash crashes occurred this year on the U.S. exchange GDAX. The exchange said it compensated traders who lost money.
Not surprisingly, many banks are leery of cryptocurrency exchanges and some have refused to deal with them. At a bank investor conference this month in New York, Jamie Dimon, chief executive of JPMorgan Chase, called bitcoin "a fraud" and predicted it will "blow up."
Boycotts by banks can make it impossible at times for exchanges to process wire transfers that allow customers to buy or sell cryptocurrencies with traditional currencies, such as dollars or euros. In March, Wells Fargo stopped processing wire transfers for an exchange called Bitfinex, leaving customers unable to transfer U.S. dollars out of their accounts, except through special arrangement with the exchange's lawyer. Wells Fargo declined to comment.
Dealing with the banks "is a constant and ongoing challenge," said Bitfinex Chief Executive Jean Louis van der Velde. "Citizens and businesses being treated like criminals when they are not, including myself." He declined to say which banks Bitfinex is now using.
In part, banks say they are concerned about the due diligence cryptocurrency exchanges do on their customers to guard against money laundering, criminal activity and sanctions violations. While regulators require banks to verify who their customers are, some cryptocurrency trading platforms have performed minimal checks, Reuters found.
Internal customer records reviewed by Reuters from the BTCChina exchange, which has an office in Shanghai but is stopping trading at the end of this month, show that in the fall of 2015, 63 customers said they were from Iran and another nine said they were from North Korea - countries under U.S. sanctions.
Americans are generally prohibited from conducting financial transactions with individuals in Iran and North Korea. Statements on BTCChina's website from 2013 and 2014 identify Bobby Lee, who holds American citizenship, as its chief executive and co-founder. Lee is currently CEO of BTCC, a separate Cayman Islands-registered cryptocurrency exchange company, according to a spokesman for the exchanges.
The spokesman did not respond to repeated questions from Reuters as to Lee's current role at BTCChina, and Lee did not comment on the issue. The spokesman said that BTCChina complies with Chinese law and "is run by a Chinese citizen, and its legal representative is also a Chinese citizen."
The spokesman originally said the exchange had "significantly strengthened" its compliance processes over the last two years, including "banning registrations from sanctioned countries such as Iran and North Korea. Our system still has some inactivated accounts from some sanctioned countries for audit and logging purposes." He said "most" of those accounts had never been used to trade.
He later said that BTCChina has never had any North Korean customers and "has had only one Iranian customer." The Iranian used a bank account in China, not Iran, "therefore all of that customer's transactions on our trading platform did not violate" U.S. sanctions, the spokesman said. He said "BTCC has never had and does not have any North Korean or Iranian customers."
The U.S. Treasury Department's Office of Foreign Assets Control in Washington, which enforces economic and trade sanctions, declined to comment.
In mid-2016, the Chinese exchange hired a compliance analyst to help monitor any suspicious activity on the trading platform. It selected Constance Yuan, then 23 years old, who told Reuters she had no prior formal training in compliance. On her LinkedIn page, she listed her title as "Senior compliance manager."
"I was a bit surprised," Yuan said of her hiring. "I felt I had no experience, and it was a pretty big responsibility." She said lawyers taught her on the job, which she recently left.
The spokesman for BTCChina told Reuters it has had a vice president in charge of compliance on its staff since 2013 and that person helped to develop a "robust" system to verify customers' identities.
Mickey Mouse identities
Bitcoin, the first digital currency to gain widespread acceptance, sprang up during the financial crisis about nine years ago. Its attraction, early proponents maintained, was that it offered a way to bypass banks and governments, and to conduct financial transactions more cheaply. Every transaction is validated and recorded on a public ledger called a blockchain that is maintained by a network of computers. While anonymous, the individual transactions are available for all to see on the internet. They are secured by cryptography, the computerized encoding and decoding of data.
Mike Hearn, an early bitcoin developer, said bitcoin was initially viewed more as a hobby than a serious alternative to traditional money. "People didn't really think it could take off and get big," he said. "It was a thought experiment that happened to have some code."
Though bitcoin turned out to generate huge attention and media coverage, it is still not widely used by ordinary consumers. Few retailers accept it, and processing transactions on the blockchain remains much slower than payment card networks, despite some recent technical changes.
The computer maker Dell, which announced in 2014 that it would accept bitcoin payments, has stopped "due to low usage," a spokeswoman said. At the U.S. online retailer Overstock.com, only a fraction of one percent of sales are transacted in bitcoins, according to the company.
"Most of the cryptocurrencies right now are more commodities than currency," said Dan Schulman, chief executive of payments company PayPal. "You trade them based on what you think will happen to their value. They're not really accepted by many merchants as a currency."
Instead, cryptocurrencies have proved attractive to those seeking anonymity.
Poloniex, a U.S. exchange, has allowed some customers to trade cryptocurrencies and withdraw up to $2,000 worth of digital coins a day by providing only a name, an email address and a country, Reuters found. In a statement, Poloniex said it "has spent considerable resources developing a culture of compliance and has systems in place to prevent users from abusing the platform."
The exchange isn't allowed to accept New York residents as customers because it lacks a state license to operate a cryptocurrency exchange. But Reuters interviewed two New York residents who had claimed that they lived elsewhere and were able to trade on Poloniex. A Poloniex spokesman said, "Any NY resident who submits false profile information in order to trade on our platform is in breach of our terms of service."
Informed by Reuters of the trading on Poloniex by New York residents, the state's Department of Financial Services said it would "take appropriate action." In a statement, the department said: "As New York's regulator of cryptocurrency, DFS will not tolerate any activity by unlicensed operators who attempt to conduct business in the state."
In June, a former U.S. federal prosecutor testified before Congress that criminals - including distributors of malicious code called ransomware, "large drug kingpins and serial fraudsters" - were increasingly using unregulated foreign exchanges that don't verify their customers.
"Criminals can open anonymous accounts, or accounts with phony names to fly under the radar of law enforcement," Kathryn Haun, a former assistant U.S. attorney, said at a congressional hearing. "Thus, we have received 'Mickey Mouse' who resides at '123 Main Street' in subpoena returns."
Haun left the Justice Department in May and joined the board of Coinbase, which runs the GDAX exchange. She told Reuters she was impressed with Coinbase's team and vision. A class-action lawsuit was filed last year against Coinbase on behalf of customers of the collapsed Cryptsy exchange. It claims that Coinbase converted bitcoins allegedly stolen from Cryptsy into about $8.2 million that was then withdrawn. Haun and Coinbase declined to comment on the case; in a court filing, Coinbase denied any wrongdoing.
In July, U.S. authorities shut down the website of the BTC-e exchange, one of the world's largest, and ordered it to pay a $110 million fine. The Treasury Department said it had "facilitated transactions involving ransomware, computer hacking, identity theft, tax refund fraud schemes, public corruption, and drug trafficking."
BTC-e required only a username, password and email address to open an account, authorities said.
Reuters was unable to contact BTC-e, whose base of operations was unclear, though it continues to have a website using a New Zealand domain name. It now forwards to a new exchange called WEX, which didn't respond to a request for comment.
full:
http://fortune.com/2017/09/29/cryptocurrency-exchanges-hackings-chaos/