How did a hack of the world’s largest cryptocurrency exchange, Binance, fail to even raise an eyebrow among cryptocurrency traders?
On a particularly balmy Saturday night in Singapore in February 2007, James Chang (not his real name), a compliance officer at a large multinational bank with regional headquarters in the island-nation, was poring over a stack of know-your-client (KYC) documents submitted to his department for a series of pending bank transfers.
As was his habit, Chang, a 40-year-old bachelor with a distinguished widow’s peak, was working the weekend shift at the bank, a time when the offices were quiet and when he could focus on the bank’s most challenging clients.
Tonight’s client was particularly iffy.
As Chang meticulously sifted through the various identification documents and attempted to corroborate the sources of the client’s funds, he gradually uncovered a web of convoluted holding and shell companies scattered across known and (as yet) unknown tax havens.
The more Chang dug, the more he became concerned that the source of funds of the client in question was not only uncertain, it was in all likelihood unknowable.
Picking up the phone, he dials the bank’s general counsel.
“Tom, Jim here…”
“I know who that is, I have caller ID remember?” interrupts a clearly irate and inebriated Tom, the bank’s general counsel.
“I’m going through the KYC docs you wanted for (redacted) and I noticed…”
“On a Saturday night? Jim you really need to get a life.”
“Yes, but anyway. What I wanted to tell you is that I have some concerns.”
“Can’t you tell me on Monday?”
“But the guys down in corporate want it approved for transfer on Monday.”
“Well then just approve it.”
“But that’s the thing. There are some issues with the client’s source of funds.”
Unseen by Chang, Tom, the 55-year-old general counsel at the bank, an Irish teetotaler who’s counting the days to his retirement, rubs his forehead in exasperation and exhaustion.
“Jim, what exactly do you think we do here at the bank?”
“We serve our clients.”
“Good, so we’re on the same page. Now ok the damn KYC documents. You’re not the one signing them anyway.”
“But Tom, don’t you think you should take a closer look?”
“Look, we give corporate what they want. If they don’t make money, we don’t get paid. Did you stop to think about how much in fees we’re going to get on this deal? Did you?”
“No, I hadn’t got to that level yet.”
“It’s 10% ok? Do you know how much the average fees on a transaction like this are? 1%. So that’s another 9% on top — 5% for the bank which eventually trickles down to you and me and another 4% to pay off the regulator if we get fined for breaching KYC regulations.”
“That’s the way it f*cking works ok? That’s how this sh*t works. So just do your f*cking job and ok the docs. It’s called the cost of doing business. You know that nice apartment you live in on Orchard Road? Your Mom’s expensive chemo in Florida? Who do you think pays for that? It’s the cost of f*cking business, just get it the f*ck done.”
Two seconds later, Chang is listening to a dial tone on the other end of the line.
Chang is slightly shell-shocked. His boss has never been in the habit of using expletives in the office and he notices that it might be the first time he’s heard Tom swear in the ten years that he’s been with the bank.
Chang knows that competition among banks has been fierce of late and that the usual KYC and anti-money laundering protections that were adhered to strictly in the past have grown more lax in recent times.
Chang figures that Tom must be under substantial pressure from their bosses to approve transactions to bring in fees. With little left to go on, he closes off the documents and submits them for final approval to Tom — just the cost of doing business.
The Cost of Doing Business
Which is why when Binance, one of the world’s largest cryptocurrency exchanges, reported that hackers had stolen over US$40 million worth of Bitcoin earlier this month, the price of Bitcoin and other cryptocurrencies hardly moved in response to the news.
To be sure, what Binance has claimed was a “large scale security breach” did not result in substantial losses for the cryptocurrency exchange.
Hacks at far lesser cryptocurrency exchanges have been much larger, from hundreds of millions of dollars worth of cryptocurrency to the billions lost at Mt. Gox. By some estimates, over US$1.7 billion worth of cryptocurrencies have literally disappeared into the ether (pun intended).
And while the theft at Binance, considered one of the most secure cryptocurrency exchanges in the world, demonstrates how not a single cryptocurrency exchange is infallible, the lack of response from cryptocurrency markets is probably more telling.
Treating such losses as the “cost of doing business,” cryptocurrency traders recognize and cater for the inherent risks of trading on cryptocurrency exchanges, which both custody and facilitate the trading of digital assets.
Binance, as do other large cryptocurrency exchanges, caters for such events, with Binance confirming that stolen funds would be refunded through its emergency insurance account.
In a video posted on Twitter, Binance’s CEO, Changpeng Zhao, who is better known as “CZ,” described the incident as “a very advanced, persistent hacking effort.”
CZ added that trading would need to be halted “for a couple of hours here and there” to cater for system upgrades, adding that Binance had the funds to back the stolen amount,
“It does hurt very much but we are able to cover that. We are not short on funds right now.”
And perhaps, given the seeming regularity of cryptocurrency exchange hacks, traders have grown accustomed, perhaps even immune, to the occurrence.
According to John Mullin, a cryptocurrency investor and blockchain consultant based in Hong Kong,
“People are quite used to exchange hacks. Markets didn’t move nearly as much as they would’ve one year ago if the same thing happened.”
The Correlation-Causation Conundrum
But as anyone with an elementary education in statistics will tell you, correlation does not imply causation.
For instance, just because I happened to sneeze at the time when you discovered you won the lottery, doesn’t mean that I caused you to win the lottery.
Similarly, just because cryptocurrency prices took a plunge last year at the news of exchanges being hacked does not necessarily imply that it was news of the hacking that caused the prices to plummet.
Yet whether it’s in the financial or cryptocurrency markets, soothsayers of every stripe are constantly on the lookout to pass off correlation as causation.
Given the lack of transparency and multiple data points surrounding cryptocurrencies, it would be a brave (or reckless) soul who would otherwise imply that the hacking of a cryptocurrency exchange caused a plunge in cryptocurrency prices — yet in the absence of any other plausible explanations, it’s easy to assume causation, despite little evidence to support such an assumption.
Part of this has to do with trying to find “reasons” for why things happen — which stems from our very human need to be perceived as being “reasonable” or “rational” people.
So whether or not there is a clear causal link or even one which is verifiable is of secondary importance.
If someone offers an even remotely plausible explanation for causation, life is often too complicated or we’re simply too busy to investigate further.
Such an approach, while attractive from a scheduling point of view, is especially dangerous when applied to as unpredictable an asset class as cryptocurrencies.
Like it or not, cryptocurrencies fall under that distinct category of “alternative assets,” for which comparables and comparisons are few and far between.
Cryptocurrencies are “unconstrained assets,” the same way that works of art and classic cars are unconstrained assets — with no clear correlation (or causation) at this stage in their development, to the dollar or donuts.
Against this backdrop, that the hacking of Binance didn’t register on cryptocurrency prices may also have had to do with (potential) manipulation of Bitcoin prices by Bitfinex to cover up losses of US$850 million in client funds, as alleged by the New York attorney general’s office. Plausible, but for now at least, inherently unprovable.
And therein lies the danger when we confuse correlation with causation.
Cryptocurrency exchange hackings do not always result in cryptocurrency prices falling. Nor does the absence of hackings result in a rise in prices.
What makes cryptocurrencies so interesting (for me at least) are the vast unknowable unknowns.
But to only focus on correlation from the Binance hack would be to miss the forest for the trees.
To begin with, cryptocurrency exchanges shouldn’t even custodize client assets.
Candidates for Custody
That cryptocurrency exchanges custodize client assets today is more a consequence of circumstance than a deliberate decision.
To understand why that is, we need to go back to the days of Mt. Gox — the world’s first dedicated Bitcoin exchange.
Before everyone and their uncle was developing cryptocurrency exchanges, Mt. Gox was the first web-based marketplace that supported the trading of Bitcoin, and Bitcoin was stored in wallets administered and managed by Mt. Gox — a huge conflict of interest and a potential target for hackers.
For the same reason that the New York Stock Exchange doesn’t hold on to share certificates of the various companies listed on the exchange, cryptocurrency exchanges ought not to custody the very assets whose trade they are facilitating.
Many argue that the practice of custodying cryptocurrency assets on exchanges is a necessary evil to reduce friction and transaction costs. To that argument, I would ask one to simply investigate when the New York Stock Exchange was last robbed.
Criminals will go to where the money is and if cryptocurrency exchanges are where the money is — that’s where they’ll go.
Today Binance, one of the world’s largest and arguably most important cryptocurrency exchanges, had “sufficient funds” to cover the losses. What about the day when it doesn’t?
And what are the underlying currencies that Binance keeps its emergency funds in? Bitcoin? Dollars?
What if there is a sudden run-up in the dollar value of Bitcoin at the time of the hackings, making it impossible for Binance or indeed any cryptocurrency exchange to use their dollar reserves to cover an ever-increasing hole? What then?
Should cryptocurrency exchanges then be forced to keep a fractional reserve of their trading volumes in the denomination that is being traded? Should a cryptocurrency exchange keep 1 Bitcoin in reserve for every 10 traded?
Which is why, if cryptocurrencies ever want to have a decent shot at institutionalized interest, cryptocurrency exchanges will eventually need to consider going the way of their financial market counterparts — with regulated liquidity providers, licensed custodians and leverage providers.
According to Henri Arslanian, global cryptocurrency leader at accounting giant PwC,
“Hacking risks are part of the business reality for crypto exchanges. While crypto exchanges are becoming increasingly better prepared, hackers are becoming increasingly sophisticated as well.”
The irony is that hackings don’t need to be part of the business reality for cryptocurrency exchanges — it just seems that way because both regulators and cryptocurrency exchanges have done nothing to achieve otherwise.
If hackers are becoming increasingly sophisticated, then the solution is for cryptocurrency exchanges to become more sophisticated, but not just in terms of cybersecurity, in terms of legal and regulatory sophistication as well.
The only reason that cryptocurrency exchange hacks are part of the “cost of doing business” is that for too long, too many participants have been willing to pay that cost.
Correlation in this case may imply causation.
Written by Patrick Tan on Medium for Altcoin Magazine
Patrick Tan is CEO of Novum Global Technologies, a cryptocurrency quantitative trading firm. Trading up to 100,000 times a day the way only an algorithm could.