John Jay Ray III is one of the world’s top bankruptcy lawyers. He has worked on cases like Enron and Nortel. But his latest gig appears to be the most challenging. On November 11, he took the helm at FTX, a massive crypto platform, which has plunged into insolvency.
His Chapter 11 filing reads more like a Netflix script. In it, he notes: “Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals, this situation is unprecedented.”
Security Forensics Investigation
Ray has wasted little time in assembling a top-notch team, which includes an unnamed cybersecurity forensics firm. He has “worked around the clock” to secure assets, identify crypto on the blockchain, find records, and work with regulators and government authorities.
Here are just some of the alarming details about FTX, based on the bankruptcy filing:
- There were unclear records and lines of responsibility for the team.
- Payment requests were done through a chat platform and approved with personalized emojis.
- There were no “appropriate” security controls over digital assets. Sam Bankman-Fried and Zixiao “Gary” Wang controlled access. This involved using an “unsecured group email account as the root user to access confidential private keys and critically sensitive data for the FTX Group companies around the world…”
- About $740 million in cryptocurrency has been placed into new cold wallets. This is a fraction of what FTX had under management.
- At the time of the bankruptcy filing, there was at least $372 million in unauthorized transfers, which may have been due to a hack or an inside job.
- Bankman-Fried “often communicated” using chat apps set to auto-delete. He encouraged employees to do the same.
“The FTX collapse will certainly have a lasting impact on the crypto industry,” said Muddu Sudhakar, co-founder and CEO of AI service experience firm Aisera. “But this is more than a financial story. Security is another issue with the industry. FTX is a stark example of this.”
The crypto industry has a checkered history with security. One of the first high-profile hacks occurred in February 2014 with the Mt Gox exchange. The hackers drained much of the holdings, or about 750,000 BTC. The exchange ultimately became insolvent.
Since then, there have been many more breaches. Some of them include Coincheck ($532 million), Poly Network ($610 million), KuCoin ($281 million), Coincheck ($524 million), Binance ($570 million) and Axie Infinity ($600 million).
“From a cybercriminal’s perspective, crypto is an optimal target because the transactions are quick and irreversible,” said Brittany Allen, Trust and Safety Architect at fraud prevention firm Sift. “This is due to victims being unable to initiate a process to undo the transaction and receive a refund of their stolen funds. In any case, this doesn’t mean that the funds can’t later be frozen by a crypto exchange or by law enforcement. But the recoveries can be a fraction of what is stolen.”
Crypto can also be a way to leverage cybersecurity breaches. One way is through hijacking computer resources to mine cryptocurrencies. “These attacks are often overlooked as unthreatening ‘background noise,’ but the reality is that any crypto-mining infection can turn into ransomware, data exfiltration or even an entry point for a human-driven attack at the snap of a finger,” said Marcus Fowler, CEO of Darktrace Federal.
Another source of vulnerabilities is the design of crypto systems and smart contracts. It’s common for there to be bugs, as the development process can be complex.
“Security risks for end users take the form of two discrete methods: private key theft and ice phishing attacks,” said Christian Seifert, Researcher, Forta.org. “But both are launched via social engineering attacks where users are tricked into disclosing information or signing transactions that give attackers access to a user’s digital assets. For users, the consequences of their actions may not always be immediately apparent, and FOMO – or fear of missing out – is often exploited by attackers to trick users into dangerous actions.”
Improving security with crypto is no easy feat. A big part of this is about the behavior of the end user. After all, the cryptocurrency needs to be stored in either a cold (offline) or hot (online) wallet – and both have their pros and cons.
“If it’s a wallet stored on the computer and the computer is infected, then the threat actor may steal it all,” said Dmitry Bestuzhev, Most Distinguished Threat Researcher at BlackBerry. “If it’s a hardware-based wallet and it breaks or is stolen, then the funds can be lost or stolen. The situation is similar with an online wallet, as we have seen online wallet sites hacked. The problem is not with cryptocurrency, but with the security of its storage.”
In terms of the crypto platforms, security requires strong policies and cybersecurity tools. This is no different from any other organization. However, in light of the scale of the transactions and the transparency on the blockchain, the security systems need to be proactive.
“By ingesting thousands of different signals, machine learning systems can quickly adapt to detect suspicious activity in real-time without human intervention,” said Allen. “This allows cryptocurrency companies to automatically stop fake account creations, defend against account takeover attacks and secure every transaction on their platform to mitigate cyberattacks and ensure bad actors aren’t sowing distrust in their platforms.”
The Cloudy Future
Increased regulation for crypto seems likely. But this can take time. In the U.S., where there is now a divided government, there may actually not be much action for the next few years.
“The crypto industry players should not wait for regulations to be handed down,” said Igor Volovich, VP of Compliance Strategy at compliance automation firm Qmulos. “Those who wish to demonstrate their commitment to integrity, transparency, and security of their customer assets should not wait to adopt existing regulatory frameworks and standards as a model for maturing their organizations’ controls.”