Shaun Young is a lawyer and Moses Akanmu is an intern at the law firm Royds Withy King. The authors have made this a British piece that looks at British case studies and laws.
As the popularity of cryptoassets increases, they are moving into the mainstream of finance and trading. We have already seen some major retailers start to accept digital currencies as a means of payment, for example Microsoft, Expedia, Shopify, Etsy, Phillipp Plein, Whole Foods (owned by Amazon), Paypal and Lush. Well-known UK stores such as Tesco, Sainsbury’s, Marks & Spencer, John Lewis, Asda and Argos have also started accepting gift cards through Bitpay.
It is estimated that 3.3M people, 5% of the total UK population, currently own cryptocurrency (according to a TripleA study), and this number is expected to continue to grow.
However, wider adoption comes with risks, and more users means a greater reward for unscrupulous hackers who want to gain access to users’ digital assets.
This is underlined by recent cases in which hackers stole USD 600m from the decentralized finance (DeFi) platform PolyNetwork (a platform that facilitates the exchange of tokens between multiple blockchains), and in which hackers stole USD 100m from a leading Japanese cryptocurrency exchange (with operations in 100 countries and millions of users).
Both cases show the lack of security precautions that exist in the crypto space.
What can users and platform providers do to protect these cryptoassets and are these measures sufficient?
First, what steps are the platforms themselves taking?
- Insurance – Coinbase offers crime insurance that protects some of the digital assets in their storage systems from losses due to theft, including cybersecurity breaches. However, their policy does not cover losses incurred as a result of unauthorized access to users’ personal Coinbase or Coinbase Pro accounts due to a breach or loss of credentials, and their terms and conditions make it clear that it is a user’s responsibility to ensure a strong password and maintain control over the credentials.
- Offline Storage – As a security measure, Coinbase stores 98% of customer funds offline. The process:
  - Sensitive data, usually located on Coinbase servers, is completely disconnected from the Internet.
  - The data is then split redundantly, AES-256 encrypted and copied to FIPS-140 USB drives and paper backups.
  - Drives and paper backups are distributed geographically in lockers and vaults around the world.
These security measures are hardly exhaustive, since hackers manage to bypass many of them. Therefore, platform providers will generally seek to exclude liability to the maximum extent permitted by law through exclusion clauses in their terms and conditions.
So far, there is little to no case law indicating whether the courts will impose liability on exchanges and crypto platforms that include such exclusions in their terms of service. The likelihood that a court will enforce liability against a platform largely depends on whether the platform user is considered a consumer or a business user.
The former would likely result in the courts reviewing the Consumer Rights Act 2015 and the disclaimers it permits. Whilst for a business user, the court would likely apply the Supply of Goods Act 1979 or the Unfair Contract Terms Act 1977 to investigate the extent of a platform’s liability. This legislation is generally less robust.
With this in mind, users should also ask themselves what steps they can take to reduce the risk of others gaining access to their cryptoassets. Such steps include the following:
- Using a cold wallet, also known as an offline or hardware wallet;
- Using a secure Internet, avoiding public Wi-Fi, and using a VPN for added security;
- Maintaining multiple wallets (there is no limit to the number of wallets an investor can have) and diversifying the cryptocurrency portfolio across them, just as people keep their money in different banks, investments or savings accounts to spread the risk;
- Changing passwords regularly;
- Securing personal devices with antivirus software and a firewall.
Despite the above steps, hackers still manage to circumvent these measures in some cases, and although preventive measures can be taken, there is no substitute for victims of theft having a right of recourse against the perpetrator.
Although there is still no clear regulatory or legal framework in the UK, we see a greater institutional willingness to understand and take a position on cryptoassets, highlighted by concerted efforts by the Cryptoassets Taskforce, the Treasury, the Financial Conduct Authority (FCA) and the Bank of England to establish a universal approach to cryptoassets and distributed ledger technology.
The courts have also recently ruled in cases brought against persons unknown, such as AA v Persons Unknown [2019] EWHC 3556 (Comm) and Elena Vorotyntseva v Money-4 Limited t/a, Sergey Romanovskiy, Konstantin Zaripov. In both cases, the theft victims were able to assert a proprietary right over the cryptoasset and thereby make use of the equitable remedies available to them.
These steps are promising, and as acceptance of cryptoassets continues to grow, it is hoped that the development of common law in this area, coupled with a more developed understanding among mainstream financial institutions, will help counter the risk of increasing cyber attacks.