Billions of Dollars Stolen in Crypto Scams while U.S. Regulators Ponder Crypto Rules

The SEC, CFTC, Treasury and Congress are taking years to figure out if cryptocurrency is a commodity or a security, and which agency has regulatory jurisdiction over which digital assets.

Meanwhile, hackers have already stolen a staggering $3 billion from cryptocurrency bridges in high profile 2022 hacks, according to many industry reports.  And underreported is the fact that hundreds of millions of dollars have been stolen from consumers using bot-controlled scams that proliferate at the rate of about 15 new ones every hour.

Consider these newly released stats by crypto security startup Solidus Labs which reported substantial increases in small scale crypto scams, with the Binance Chain suffering the most amongst the 12 blockchains they analyzed

Source:  Solidus Labs: see definition of Rug Pulls here

• 188,525 – number of smart contracts scams detected on 12 covered blockchains as of October 10, 2022
• 15 – number of newly deployed scams detected by Solidus Threat Intelligence every hour
• 12% – percentage of all BEP-20 tokens on BNB Chain that are scams, the highest of any blockchain
• 8% – percentage of all ERC-20 tokens on Ethereum that exhibit fraudulent characteristics
• $910,000,000 – lower-bound estimate in today’s value of scam-related funds which flowed through centralized and/or regulated exchanges

Consumers are falling victim repeatedly to hundreds of thousands of small-scale automated scams, just like we see in the non-crypto world with automated phishing and account takeover attacks against various types of financial accounts.

But in the crypto world, there’s a key difference; users have absolutely no protections and rarely recover stolen digital assets.

Similarly, consumers have no regulatory protections from cryptocurrency exchanges that use their deposits to support high-risk crypto trades, that they don’t bother disclosing their depositors.  See CNBC: How the fall of Celsius dragged down Crypto Investors

All told, consumers who buy digital assets are victimized by malicious hackers AND corrupt service providers.

Regulators can change this situation and should: It’s their job is to Protect Consumers

The problem is that service providers have few incentives to beef up consumer protection. Cryptocurrency exchanges, NFT marketplaces, or DeFi protocols run by DAOs don’t lose the stolen money. Instead, the consumers do.  The only damage a service provider incurs is reputation loss or litigation against them (unless they held the stolen funds on their balance sheet).

History repeats itself, and if Web3 financial services follows the path of Web2 financial services adoption, service providers won’t implement fraud detection and security measures until regulators force them to. That’s what happened with Internet Banking in 2001 when the U.S. FFIEC banking regulator group issued Authentication in an Internet Banking Environment

That guidance was not issued until years after online banking fraud was rampant. And soon after the guidance came out, regulated financial service providers started deploying user authentication and fraud detection solutions that brought crime rates down significantly.

It is inevitable that consumers will have to wait for similar regulatory guidance to be issued before service providers invest in fraud and security controls that protect them. When they do, there is already a plethora of solutions from creative startups that can help solve these problems.  They just need to be deployed.

Solution Providers:

Here are sample solution providers in four broad categories that provide security, fraud and market manipulation controls:

The first three categories intersect and overlap as this is an emerging market and startups pivot and broaden their offerings to grow. Some of these startups have not yet launched.

1. Smart contract audits, monitoring (heavily used by DeFi organizations)

• Certik
• Peckshield
• Quantstamp
• ChainSecurity
• VeriChains
• Sharkteam

2. Blockchain analytics, intelligence, and forensics

These serve multiple use cases such as anti-money laundering, sanctions blocks, law and tax enforcement, user behavior analytics, investment strategies, fraud detection, customer retention and acquisition and more.

• Anchain
• Chainalysis
• Ciphertrace
• Elliptic
• TRM Labs

3. Smart contract, token risk & security assessment and monitoring

This category generally targets DeFi security and threat prevention, token and protocol investment risks, market manipulation, threat intelligence and more.  Law enforcement, regulators and hedge funds tend to use these solutions to investigate threats and operations of DeFi protocols.

• Solidus Labs
• Redefine
• Hexagate
• Coineuron
• Valid Network

4. Trusted/Confidential Computing

This category provides trusted and confidential computing environments to block hackers from the attack vectors and/or to support scalability of cryptographic operations.

• Anjuna Security
• Ingonyama

Market Outlook

The buyers for this market are thin right now; they generally constitute DeFi and crypto-native organizations that buy smart contract audits and prefer implementing most of the other security features themselves. Such buyers also rely on third party analytics services when they reluctantly implement OFAC sanction controls.

Other buyers of these security/fraud services include hedge funds and investors who want to assess the risk of DeFi and token investments.  One of the key problems with smart contracts is that when run on a truly decentralized chain, like Ethereum, they can’t be stopped. The investors can only watch the hacker in progress. But that in itself can be a good deterrent because if all the service providers work together, they can blacklist and block the hacker in near-real time from cashing out the stolen proceeds.

The mainstream market for digital asset security and fraud products is mainly driven by regulatory compliance that for now is restricted to AML and KYC rules.  Regulations — in the U.S. at least — do nothing to protect consumers from all the ‘bad’ things that can happen to them and their money.

So far the only thing that is clear on the regulatory front is that the SEC rules by ad hoc enforcement e.g. see SEC case against Kim Kardashian

Let’s hope that Digital Asset regulations and legal frameworks are coming soon. Many are working hard to make that happen.