Shaun Young is a Solicitor and Moses Akanmu is a Trainee Solicitor at law firm Royds Withy King. The authors have made this a UK-centric piece looking at UK case studies and laws.
As the popularity of cryptoassets increases, they are moving into the mainstream of finance and commerce. We have already seen some major retailers start to adopt digital currencies as a form of payment, for example, Microsoft, Expedia, Shopify, Etsy, Philipp Plein, Whole Foods (owned by Amazon), PayPal, and Lush. Well-known British shops such as Tesco, Sainsbury’s, Marks & Spencer, John Lewis, Asda, and Argos have also begun accepting gift cards via BitPay.
It is estimated that 3.3m people, 5% of the United Kingdom’s total population, currently own cryptocurrency (according to a TripleA study), and this figure is expected to continue to grow.
Wider adoption does, however, come with associated risks, and more users mean a greater reward for unscrupulous hackers looking to gain access to users’ digital wealth.
This is highlighted by recent cases in which hackers stole USD 600m from the decentralized finance (DeFi) platform Poly Network (a platform facilitating the swapping of tokens between multiple blockchains) and USD 100m from a leading Japanese cryptocurrency exchange, Liquid (with operations spanning 100 countries and servicing millions of users).
Both of these cases display the lack of safeguards that exist within the crypto space.
What can users and platform providers do to protect these cryptoassets, and are these measures enough?
Firstly, what steps are the platforms themselves taking?
- Insurance – Coinbase offers crime insurance that protects a portion of digital assets held across their storage systems against losses from theft, including cybersecurity breaches. However, their policy does not cover any losses resulting from unauthorized access to users’ personal Coinbase or Coinbase Pro account(s) due to a breach or loss of credentials, and their terms and conditions make it clear that it is a user’s responsibility to ensure a strong password and maintain control of login credentials.
- Offline storage – As a security measure, Coinbase stores 98% of customer funds offline. The process:
  - Sensitive data that would normally reside on Coinbase servers is disconnected entirely from the internet;
  - Data is then split with redundancy, AES-256 encrypted, and copied to FIPS-140 USB drives and paper backups; and
  - Drives and paper backups are distributed geographically in safe deposit boxes and vaults around the world.
- 2-Step Verification on all accounts – alongside username and password, users are required to enter a code from their mobile phone (additional layer of security).
These security measures are hardly exhaustive, with hackers managing to sidestep many of these. As such, platform providers will generally look to “contract-out” of liability to the maximum extent permitted by the law through exclusions in their terms and conditions.
For a consumer user, the Courts would likely consider the Consumer Rights Act 2015 and the exclusions of liability it permits by law, whilst for a business user the Court would likely utilize the Supply of Goods Act 1979 or Unfair Contract Terms Act 1977 to examine the extent of a platform's liability. These statutes are generally less robust.
With the above in mind, users should also be quizzed on the steps that they can take to mitigate the risk of others managing to gain access to their cryptoassets. Such steps include the following:
- Using a cold wallet, also known as an offline or hardware wallet;
- Using secure internet, avoiding public Wi-Fi and making use of a VPN for added security;
- Maintaining multiple wallets – there are no limits to how many wallets an investor can have – diversifying a cryptocurrency portfolio across multiple wallets, in the same way as people may hold their money in several different banks, investments or saving accounts to spread risk;
- Changing passwords regularly;
- Securing personal devices – anti-virus and firewall.
Despite the steps above, hackers are still getting the better of these measures in some instances, and whilst preventative steps can be taken, there is no substitute for the victims of a theft having a legal right of recourse against the perpetrator.
Whilst there is no clear regulatory or legal framework in place in the UK as of yet, we are starting to see a greater willingness for an institutional understanding and approach to cryptoassets, highlighted by concerted efforts of the Cryptoassets Taskforce, HM Treasury, Financial Conduct Authority (FCA), and Bank of England to establish a universal approach to cryptoassets and distributed ledger technology.
The Courts have also recently adjudicated on matters such as AA v Persons Unknown  EWHC 3556 (Comm) and Elena Vorotyntseva v Money-4 Limited t/a Nebeus.Com, Sergey Romanovskiy, Konstantin Zaripov. In both cases, the victims of theft were able to assert a proprietary right in the cryptoasset, and thereby make use of equitable remedies available to them.
These steps are promising, and as the uptake in use of cryptoassets continues to grow, one hopes that the development of common law in this area, when coupled with a deeper understanding being developed by mainstream financial institutions, will help to counter the risk of increasing cyber-attacks.