What the Binance hack says about the crypto world
Binance is an outlier because of its size and its attitude. Now it’s been hacked.
Binance has become the world’s most prominent crypto player partly by thumbing its nose at regulation. When people in the digital-asset industry call for better governance, their appeals do not move Binance.
Led by CEO Zhao “CZ” Changpeng, the company’s strategy has been to skip town when it ended up in regulators’ crosshairs: from China to Japan to Malta, and with offices distributed in other don’t-ask don’t-tell jurisdictions – but also in Singapore.
This week, on Wednesday, Binance revealed it had been the victim of a sophisticated theft. Hackers got their hands on user API keys and two-factor authentication codes, then withdrew 7,000 bitcoins (about $40.7 million) from the exchange’s hot wallet in a single strike.
Binance reports trading volume equivalent to almost $1 billion daily. This is an inflated figure: according to Bitwise Asset Management, in a March 19 presentation filed with the U.S. Securities and Exchange Commission, Binance’s genuine average daily turnover is probably closer to $110 million.
Nonetheless it is by far the biggest exchange, far ahead of Bitfinex ($38 million ADV), Coinbase ($27 million) or any other.
This inflation of numbers is in line with the industry: according to Bitwise, 81 exchanges reported a combined ADV of around $6 billion, but the real figure is probably about $273 million. Only the largest exchanges, including Binance, exhibit tight trading spreads and other signs of genuine liquidity.
But whereas nine of the top 10 exchanges are registered with America’s FinCEN (a unit of the Treasury department) as money service businesses, Binance is the one that is not. Its KYC and AML procedures are considered inadequate compared with other exchanges. More: it happily lists tokens that are deemed securities in the U.S., Hong Kong or Japan, which could make its activity illegal in those jurisdictions (the company says it does screen out citizens of the U.S. and some other markets).
Binance’s cowboy attitude has helped it win the lion’s share of the crypto market. But as the rest of the industry looks for growth to institutional money, even retirement funds, Binance’s strategy may not be sustainable. Moreover, as it has become so big, the company is more likely to end up in the crosshairs of securities regulators and tax authorities.
Life for Zhao and his team could get uncomfortable. Getting hacked, therefore, is likely to complicate the executives’ long-term strategy for dealing with the long arm of the law.
Who gets hurt?
At a conference yesterday in Hong Kong organized by BC Group (at which DigFin was a media partner), people in the digital-asset space said the hack, though not huge in absolute terms, would be a blow to the reputation of the industry’s leading player.
But the firm hasn’t suffered much in trading terms. The overall market stabilized, with the price of Bitcoin recovering a temporary setback.
The price of Binance’s own token, BNB, fell 7.4% in U.S. dollar terms yesterday, to $20.56 (and 6.3% against Bitcoin), but this is a blip against what has been a stellar performance since the crypto market’s slump in early 2018. In fact, BNB is trading near its bubble highs.
(Binance gives trading discounts to people who also hold its coin, which some investors believe makes it valuable, although it could also be ruled a form of equity – another regulatory puzzle.)
Kudos for responding
Some industry execs are sympathetic. Noting the professionalism and the patience of the Binance heist, Chad Lynch, cybersecurity software engineer at Seoul-based Horangi Cyber Security, noted that even well-resourced organizations will fall prey to state-sponsored attacks.
Urszula McCormack, partner at law firm King & Wood Mallesons in Hong Kong, noted that the Binance team had reacted responsibly, reporting the hack right away and being transparent about the situation. (Our story’s image is taken from yesterday’s video featuring Zhao in a Q&A about what had happened – this may seem de rigueur in established industries, but many crypto exchange execs, like the crew at Bitfinex, often prize anonymity in the face of bad publicity.)
And while Binance may not be known for its zeal in AML checks, it has for the past year been seeding its own rainy-day fund out of trading commissions, which should pay for most of the losses; Binance says it will cover the rest.
Whatever the outcome for Binance, the real damage of this attack is likely to fall on others: the rest of the digital-asset industry that is trying to establish its professionalism and legitimacy with regulators and investors.
Murray Wood, Singapore-based head of financial specialities for Asia at insurance broker Aon, says it’s already hard for crypto-companies to give insurers the perception of safety. Actuaries struggle to price risk or estimate probabilities around digital assets. He reckons fewer than 10 percent of companies in the digital asset space are insurable.
“Exchanges need to raise the bar in order to reduce perception risk,” he said, citing BC as an example (the group operates ANXOne, an institution-facing exchange).
The Binance hack shows that even the biggest exchanges are still operating retail-level operations instead of the deep, sophisticated tech and procedures that banks have honed over decades.
Banks too get hacked, of course, and if hackers are determined enough, they can breach anyone’s defenses. Binance succumbed to a phishing campaign, in which someone internally opened attachments loaded with malware.
But digital-asset players have, in general, ignored security in their rush to conquer markets and deliver products. Many are now transferring their computing needs to cloud vendors, which opens up yet new vulnerabilities.
“As crypto goes to cloud, it will need hardware solutions to protect private keys,” said Ian Christofis, managing principal consultant at nCipher Security, in Hong Kong. Too many rely just on software to handle cyber-security, but software is complex. “It’s hard to know what’s protected.”
Ben Soong, head of Asia Pacific at Ledger, which manufactures hardware storage devices, says the bear market in crypto has made exchanges even more reluctant to invest in security; and regulators, which so far have yet to come up with a formula to license crypto trading venues, have not set out standards. He thinks this will change when banks and institutional investors start to allocate money to digital assets.
The real vulnerabilities right now, Soong says, are not the lack of hardware but sloppiness in how different organizations communicate. Whether it’s a trader sending a message to the exchange, an exchange exposing insecure APIs to make accessing hot wallets more convenient, or someone going through the steps of recovering a lost key, there are a growing number of ways hackers can attack a vault.
“The best solution is to hold your own assets and don’t keep them with the exchange,” Soong said. Which may be true but is anathema to many banks and investors that rely on third parties as fiduciaries.
“Crypto is unique in that both its users and the cloud infrastructure can be attacked,” said Horangi’s Lynch. At the end of the day, managing people is even more important than the tech. Binance succumbed, after all, to someone opening a toxic attachment (so far as we know). “We need to improve the user experience when it comes to handling cryptographic secrecy.”
What’s the real threat to crypto?
There is one last area that has so far gone unremarked by the professional elements in the industry, but was noticed by the crypto trading and developer communities right away.
That’s Zhao Changpeng’s revelation via Twitter that he and his team had considered a “rollback” of the Bitcoin blockchain in order to “cancel” the fraudulent transactions.
Doing so would not change the Bitcoin protocol itself; it would mean persuading a majority of the network’s hashing power (its miners and mining pools) to abandon the blocks containing the theft and mine a competing chain that excludes it. Because nodes follow the chain with the most accumulated work, a coalition controlling more than 50 percent of hashing power could eventually overtake the existing chain, and the longer the decision takes, the deeper the theft is buried and the more blocks must be re-mined.
Zhao immediately added that he was against the idea because it would destroy Bitcoin’s credibility.
This isn’t unprecedented: “hard” forks occur when the developer and mining community split on fundamental issues. Ethereum faced the same problem in 2016 when someone drained The DAO, an early attempt at a crypto venture fund. The debacle ended in a hard fork, with those rejecting the rollback staying on the original chain, now known as Ethereum Classic. Bitcoin also has variants, such as Bitcoin Cash.
But Zhao’s comments didn’t suggest he would have needed to enter a long campaign to generate a rollback, as happened with DAO. Rather, he said it would take a few days. Moreover, he said $40 million wasn’t worth splitting the Bitcoin community. But at what amount would he have forced a rollback?
More importantly, just how much power does Binance – which thumbs its nose at regulators in the name of decentralization – have in what’s meant to be a decentralized network?
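To make the rollback arithmetic concrete, here is an added example (not from the article or from Binance) modelling what a coalition of miners would need in order to overtake the existing chain. It applies the catch-up analysis from the Bitcoin whitepaper: an attacker holding a share q of hashing power who starts z blocks behind catches up with probability (q/p)^z when q < p, and with certainty when q > p. The block rate of six per hour and the assumption that difficulty does not adjust during the race are simplifications labelled in the code; the hashing shares used as inputs are illustrative, not Binance’s or any pool’s real numbers.

```python
"""
Added example: how hard is a Bitcoin "rollback"?

Models a coalition with hashing share q trying to replace a chain in which
the theft transaction is already z blocks deep. Uses the catch-up analysis
from the Bitcoin whitepaper. Assumptions (not from the article):
  * the network finds 6 blocks per hour in total (10-minute target);
  * difficulty stays constant during the race (true for up to 2016 blocks);
  * honest miners keep extending the original chain and will accept the
    coalition's chain once it has more accumulated work.
"""

BLOCKS_PER_HOUR = 6  # assumed 10-minute block interval


def blocks_buried(hours_elapsed: float) -> int:
    """How many confirmations the theft has after the given number of hours."""
    return int(hours_elapsed * BLOCKS_PER_HOUR)


def catch_up_probability(attacker_share: float, z: int) -> float:
    """
    Probability that a coalition with hashing share q ever overtakes a chain
    that is z blocks ahead (whitepaper result): (q/p)^z if q < p, else 1.
    """
    q = attacker_share
    p = 1.0 - q
    if z <= 0 or q >= p:
        return 1.0
    return (q / p) ** z


def expected_hours_to_overtake(attacker_share: float, z: int) -> float:
    """
    Expected time for a majority coalition (q > 0.5) to go from z blocks
    behind to one block ahead. The honest chain grows at p*6 blocks/hour,
    the coalition chain at q*6, so the gap closes at (q - p)*6 per hour.
    Returns infinity when the coalition lacks a majority.
    """
    q = attacker_share
    p = 1.0 - q
    if q <= 0.5:
        return float("inf")
    return (z + 1) / ((q - p) * BLOCKS_PER_HOUR)


def rollback_table(decision_delays_hours, shares):
    """
    For each decision delay and each illustrative hashing share, return
    (blocks to re-mine, catch-up probability, expected hours to overtake).
    """
    rows = {}
    for delay in decision_delays_hours:
        z = blocks_buried(delay)
        for q in shares:
            rows[(delay, q)] = (
                z,
                catch_up_probability(q, z),
                expected_hours_to_overtake(q, z),
            )
    return rows


if __name__ == "__main__":
    # Illustrative inputs: delays of 6 h, 1 day, 3 days; shares are made up.
    table = rollback_table([6, 24, 72], [0.30, 0.51, 0.60, 0.75])
    print(f"{'delay(h)':>8} {'share':>6} {'blocks':>6} {'P(catch up)':>12} {'hours':>8}")
    for (delay, q), (z, prob, hours) in table.items():
        print(f"{delay:>8} {q:>6.2f} {z:>6} {prob:>12.4g} {hours:>8.1f}")
```

The output shows the two points the article only gestures at: a minority coalition’s chance of rewriting even a six-hour-old theft is negligible, while a 60 percent coalition deciding a day after the theft would expect to spend roughly five days out-mining the rest of the network, which is the “few days” Zhao mentioned. A bare 51 percent majority would, in expectation, take weeks, and that is before honest nodes or pools react by changing their software.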