As cryptoassets gain prominence, they are making their way into the mainstream of finance and trade. We’ve already seen some of the world’s largest shops begin to accept digital currencies as a form of payment, among them Microsoft, Expedia, Shopify, Etsy, Phillipp Plein, Whole Foods (owned by Amazon), Paypal, and Lush. Well-known British shops such as Tesco, Sainsbury’s, Marks & Spencer, John Lewis, Asda, and Argos have also begun accepting gift cards via Bitpay.
It is projected that 3.3 million people in the United Kingdom presently hold cryptocurrencies (according to a TripleA study), representing 5 percent of the country’s total population, and that this number will continue to grow in the future.
Wider adoption does, however, come with associated risks, and more users mean a greater reward for unscrupulous hackers looking to gain access to users’ digital wealth.
Examples include the recent cases in which hackers stole USD 600 million from the decentralized finance (DeFi) platform PolyNetwork (a platform that facilitates the exchange of tokens between multiple blockchains), and USD 100 million from Liquid, a leading Japanese cryptocurrency exchange (with operations spanning 100 countries and servicing millions of users).
Both of these examples demonstrate the lack of safeguards that exist within the cryptographic domain.
What can users and platform providers do to safeguard these cryptoassets, and are these safeguards adequate?
Firstly, what steps are the platforms themselves taking?
- Insurance – Coinbase offers criminal insurance, which covers a portion of the digital assets stored on its storage systems against theft and cyberattacks. However, their policy does not cover any losses incurred as a result of unauthorized access to users’ personal Coinbase or Coinbase Pro account(s) as a result of a breach or loss of credentials, and their terms and conditions explicitly state that it is the user’s responsibility to ensure a strong password and maintain control over login credentials.
- Offline storage – As a security measure, Coinbase stores 98% of customer funds offline. The process:
  - Sensitive data generally stored on Coinbase servers is completely separated from the internet;
  - The data is then duplicated, encrypted with AES-256, and copied on FIPS-140 USB devices and paper backups; and
  - Drives and paper backups are geographically scattered in safe deposit boxes and vaults located all over the world.
- Two-step verification – All accounts require two-step verification: in addition to their username and password, users must input a code from their mobile phone (an additional layer of security).
These security measures are far from comprehensive, with hackers successfully circumventing many of them.
As such, platform providers will often seek to limit their liability to the utmost degree possible by law through the use of exclusions in their terms and conditions.
As of yet, there is little to no case law available to test the Courts’ resolve to impose liability on exchanges and crypto platforms incorporating such exclusions within their terms of use. The likelihood of the Court enforcing liability on a platform would largely depend on whether the platform user is regarded as a consumer or a business user.
The former would almost certainly result in the Courts evaluating the Consumer Rights Act 2015 and its statutory responsibility exclusions. A business user’s case, and the degree of a platform’s liabilities, would almost certainly be decided under the Supply of Goods Act 1979 or the Unfair Contract Terms Act 1977. These statutes are, on average, less robust.
Keeping the foregoing in mind, individuals should also consider the precautions they can take to limit the risk of others gaining access to their cryptoassets. Among these steps are the following:
- Utilizing a cold wallet, alternatively referred to as an offline or hardware wallet;
- Using secure internet, avoiding public Wi-Fi and making use of a VPN for added security;
- Maintaining several wallets – there is no limit to the number of wallets an investor can have, so one’s cryptocurrency portfolio can be spread across multiple wallets, in the same way that people may hold their money in multiple banks, investments, or savings accounts to spread risk;
- Changing passwords regularly;
- Securing personal devices – anti-virus and firewall.
Despite the precautions outlined above, hackers continue to outwit these safeguards in some circumstances, and while preventative measures can be adopted, there is no substitute for victims of theft having a legal right of redress against the perpetrator.
Whilst there is no clear regulatory or legal framework in place in the UK as of yet, we are starting to see a greater willingness for an institutional understanding and approach to cryptoassets, highlighted by concerted efforts of the Cryptoassets Taskforce, HM Treasury, Financial Conduct Authority (FCA), and Bank of England to establish a universal approach to cryptoassets and distributed ledger technology.
AA v Persons Unknown [2019] EWHC 3556 (Comm) and Elena Vorotyntseva v Money-4 Limited t/a Nebeus.Com, Sergey Romanovskiy, and Konstantin Zaripov were also recently decided by the Courts. In both instances, the victims of theft were able to demonstrate a proprietary interest in the cryptoasset and so invoke available equitable remedies.
These are encouraging steps, and as adoption of cryptoassets increases, one expects that the formation of common law in this area, together with a more developed knowledge being formed by mainstream financial institutions, will help mitigate the risk of increased cyber-attacks.