Crypto markets suffered some serious shocks over the past few days. A big crash happened over the weekend, dragging bitcoin below $50,000. Around the same time, there were disclosures of two massive cyber attacks — one leading to the theft of nearly $200 million from cryptocurrency exchange BitMart, and the other draining $120 million from decentralized finance platform BadgerDAO.
The market has started to recover from its drop, offering investors the opportunity to make up for their losses. Some victims of the heists, however, are likely to remain bruised. That’s because there are no legal mechanisms in the cryptocurrency industry that guarantee coverage for fraud, unlike for banks and securities brokers.
When you take a look at the aftermath of the two hacks, it’s easy to see how dicey the situation can be for investors, who either rely on a crypto business’s promises of reimbursement, or on a (kind of spotty and unregulated) range of private insurance products.
BitMart, which describes itself as “the most trusted cryptocurrency trading platform,” revealed on Saturday that hackers withdrew at least $150 million from its platform. A third-party security firm, Peckshield, later estimated the total theft at $196 million. On Monday, BitMart told users that it had identified the cause of the breach — a stolen private security key — and that it would compensate victims using “its own funding,” including possible “token swaps.”
The money was stolen from “hot wallets,” which are kept connected to the internet (as opposed to offline hardware wallets) to give users easy access. Unfortunately, the hackers were able to get in just as effortlessly.
Users showed mixed responses to the disclosures on Twitter, with some saying that they were uncertain about what the company’s response was actually going to be, and others appearing totally unfazed, even excited, by the news.
“Everyone load up now #safemoon,” tweeted investor Josh Cortez, referring to one of the affected tokens. “If bitmart has to buy all the hacked tokens back, the reflections + pump are going to be insane!!”
As of Tuesday, some Twitter users said they hadn’t seen compensation yet, but that the market for certain tokens was already soaring.
“For all the fudders out there saying ‘oh Bitmart not going to buy back and dev might make a deal to sell tokens for cheap’ the dev here said it,” one user tweeted. “So stop the fud. We are going to moon fam. Have some faith and sit back and relax.”
This confirms concerns that have been brewing about the risk of attacks on centralized crypto exchanges. But security breaches have not been sparing DeFi projects either in recent days.
DAOs, or decentralized autonomous organizations, established via blockchain and smart contracts, can pool assets for various purposes. Sometimes described as crypto’s answer to venture funds, DAOs are owned by members and lack a centralized leadership structure.
Victims of the BadgerDAO hack, including crypto lending firm Celsius Network, which reportedly lost as much as $50 million, have not been promised compensation. Crypto-based insurance platform Nexus Mutual provided coverage to BadgerDAO, but not for “front-end” attacks.
“We’re waiting for full details from the BadgerDAO team, but this appears to be a frontend attack,” Nexus Mutual tweeted on Thursday. “If this is confirmed as a frontend attack, BadgerDAO’s smart contracts were not impacted & this would not be a covered event.”
Many Twitter users who replied to the post did not seem pleased with that response.
“That’s one reason i haven’t gotten crypto insurance, they always gonna find ways to screw [the] customer and not pay,” one user going by the name “cryptotwitty” commented.
Another user, David Hay, who described himself as a crypto developer, added that “insurance doesn’t work unless you have a government legal apparatus to force them to adhere to some standard — otherwise you just have a bunch of dudes who will always deny big claims because who exactly is going to vote to bankrupt their own mutual paying a colossal claim?”
In a reply, another account, BraveNewDeFi, which appeared to be associated with Nexus Mutual, disputed that characterization of the insurer.
“It’s also important to note that Nexus Mutual is member-owned and operates as a discretionary mutual,” the user tweeted. “The Claims Assessment process is designed like an optimistic oracle to prevent members from denying legitimate claims. Unfortunately the mutual cannot cover all types of risk.”
Major insurance providers, such as Lloyd’s of London, have increasingly been offering insurance for cryptocurrency wallets over the past few years, but there are few if any regulatory restraints on how that insurance can be structured. (Policies can carry very significant exclusions and limitations.)
The largest U.S.-based crypto exchange, Coinbase Global, carries crime insurance “that protects a portion of digital assets held across our storage systems against losses from theft, including cybersecurity breaches,” the company says on its website. The company warned that its insurance does not cover losses resulting from the theft or misuse of individual customers’ login credentials, however.
Despite promises that blockchain technology is more secure than “web2.0,” hackers have still found ways to steal billions of dollars’ worth of cryptocurrency globally over the past decade. Once they take funds, hackers can use tricks like converting the assets into other forms of cryptocurrency to cover their tracks. Finding the hackers and getting the money back is far from a given.
In an unusual turn of events in August, however, hackers returned nearly half of $600 million they stole from Poly Network, a platform that connects different types of blockchains. The hackers apparently had a change of heart after being informed by Poly Network that their theft was “the biggest in defi history.”
BadgerDAO said on its Twitter that it is working with law enforcement authorities in the U.S. and Canada and with forensic experts at Chainalysis and Mandiant to understand the scale of the attack and figure out what can be done. It is possible to narrow the pool of suspects by examining public transaction histories and the other wallets the hackers are connected to.
“To the Community – Please refrain from any offensive actions and instead, please reach out to the following email firstname.lastname@example.org,” the DAO said on Saturday. “Let’s do our best to stay patient and supportive as a community. Badger will continue to do everything it can. Be Relentless. Be Badgers.”