Bank Robbery for a New Century
How the thieves operate

According to people close to Coinbase, its users lose as much as $5 million a year to account break-ins. How does an intrusion unfold, and why are the culprits so hard to catch?
Reconnaissance: The scammers look for people in the blockchain industry to pick a target, often combining social-media mentions of Bitcoin and Coinbase. First they need the target's email address and mobile number, gathered from online posts or from earlier data breaches.

Porting the number: The scammers then contact the victim's mobile carrier and have the phone number "ported" to a device they control.

Impersonating the victim: Because a Gmail account is usually tied to a phone number as a backup way to get in, the scammers can log into the target's mailbox and reset its password, then do the same on Coinbase.

"We're in!": Beyond the password, Coinbase requires two-factor authentication. The two-factor code is now delivered to the scammer who is already logging into the account.

Slipping away: The scammer moves the funds to a digital "wallet" under his own control. Law enforcement can easily trace where stolen coins go on the blockchain, but it cannot stop the transactions, and identifying who controls those wallets is hard.

Laundering: To cover the trail, the scammer moves the coins to overseas "cryptocurrency exchanges" or converts them into other, harder-to-trace digital currencies. Eventually he can turn them into cash or other assets.

How to better protect cryptocurrency

To tighten security:
> Put a "do not port" instruction on your mobile number.
> Don't receive two-factor codes by text message; use an app such as Google Authenticator.
> Use a dedicated password that is not reused for social-media accounts.

(Fortune China) Translator: Tianyi
Sean Everett wasn’t sure how his bullish bet on cryptocurrency would turn out. But he definitely didn’t expect it to be over so soon. In March, he sold all his stocks, including Apple and Amazon, and used a chunk of the proceeds to buy Bitcoin and Ethereum on a site called Coinbase. The decision made Everett, the CEO of artificial intelligence startup Prome, almost instantly richer, as the blockchain-based currencies’ value rocketed up exponentially over the next several weeks. But then, while he was out walking the dog after 10 p.m. on Wednesday, May 17, Everett got the call. It was T-Mobile, ringing him to confirm that it was switching his phone number to a different device. It was a suspicious move that Everett had most certainly not requested. But even as he pleaded with the agent to block the switch, it was too late. Less than five minutes later, Everett’s cell service abruptly shut off, and as he rushed to his computer, he saw himself being robbed in real time. A raft of email notifications confirmed that someone had taken control of his main Gmail account, then broken into his Coinbase “wallet.” They’d gotten in with the help of his switched-over phone number: Everett’s account required him to log in with a two-factor authentication code sent by text message, as a second safeguard—and now the text had gone straight to the thief. It took only two minutes for the attacker to clean Everett out of what was then a few thousand dollars’ worth of digital coins. From Everett’s perspective, the even more painful heist was what came next: Ethereum’s price quadrupled over the next three weeks. It had reached its all-time high of $400 just hours before I met Everett in a New York coffee shop on a humid June afternoon. Bitcoin, meanwhile, had broken $3,000 for the first time a day earlier, and Everett was pining for his missing digital coins. “I’m not only still out my money, I also didn’t get the rise in price,” he lamented. 
Then again, the biggest surprise for Everett—and, it would turn out, for many other Bitcoin enthusiasts—was that the theft happened on Coinbase at all. San Francisco’s Coinbase, the world’s largest exchange for trading cryptocurrency, is one of very few such companies whose own coffers have never been hacked, a distinction that carries extra weight in the realm of blockchain, where several costly breaches have made global headlines. Almost any early investor you talk to lost money in Mt. Gox, an exchange that collapsed in 2014 after hackers pillaged nearly $500 million in Bitcoin. Last summer, thieves grabbed $72 million from Hong Kong cryptoexchange Bitfinex in one fell swoop. But hackers have never breached Coinbase’s own virtual fortress, and that impenetrability has earned it a reputation as the safest place to buy Bitcoin, helping it attract more than 9 million customers who store at least $3 billion in crypto-currency there, and who have traded $25 billion to date on its retail brokerage as well as its institutional exchange, GDAX. The five-year-old Coinbase just raised $100 million in new funding, valuing the company at $1.6 billion—making it the blockchain industry’s first “unicorn.” “If you look at what they are world-class at, it’s security, trust, safety … all these things that, frankly, banks are good at,” Fred Wilson, the venture capitalist and one of Coinbase’s earliest and largest backers, said at a conference in March. “They’re like JPMorgan or Goldman Sachs for blockchain.” But Coinbase’s individual customers do get burglarized—with surprising and unsettling frequency. Even Wilson himself was in for a rude awakening: While vacationing in Europe in early June, the VC woke up to the same telltale emails that Everett saw, signaling that an intruder was trying to get inside his Coinbase account.
Wilson managed to lock it down before anything was stolen, but in a rare public chastising of a company in his own portfolio, he wrote in a blog post: “I am still a bit shaken up from the experience and a fair bit more paranoid from it.” Since then, Fortune has spoken with more than a dozen victims, including tech CEOs and well-known blockchain proponents, whose Coinbase accounts have been targeted and hacked in almost exactly the same fashion; still more have been attacked on other exchanges. The day after Everett’s robbery, Los Angeles entrepreneur Adam Dachis’s account was wiped out of what was then $10,000. On July 7, thieves emptied $18,000 from the Coinbase wallet of blockchain adviser Mike Costache, during the four hours he slept one night while traveling overseas. Since Christmas, there have been months when Coinbase users have been robbed as often as 30 times—a rate of one robbery every single day. In each case, the same blindsiding realization arrives, bringing the inherent paradox of blockchain into focus. The quintessential strength that sets cryptocurrency apart from traditional money—that transactions are instant and irreversible—is also its fatal flaw. “One of [Bitcoin’s] reasons for existence is that it’s censorship-resistant,” says Tom Robinson, cofounder and chief data officer of Elliptic, a London-based blockchain intelligence firm. That means no one, not even a government or central bank, can stop a digital currency transaction from happening. And therefore the fraud protections traditional bank depositors rely on are mostly unavailable. “Any kind of charge-back and reversibility would be the antithesis of what Bitcoin was created to achieve,” says Robinson. That’s one reason that, when criminals want to pull a heist, they’re increasingly choosing cryptocurrency over real dollars. In 2016, $28 million in losses from crimes involving virtual currency were reported to the FBI’s Internet Crime Complaint Center, more than triple the 2015 total. 
And that figure is based heavily on voluntary reports by individual victims. It doesn’t include large-scale thefts from exchanges like the Bitfinex hack, so it likely underestimates the true damages by many orders of magnitude. Cybercrime is rising at traditional financial institutions too: For example, thefts through so-called account takeovers, a crime analogous to the Coinbase hacks, rose 61% last year to $2.3 billion, according to Javelin Strategy & Research. But hacking losses are a blip relative to the trillions of dollars kept in banks. Hackers are stealing a much larger proportion of the crypto-currency pie, whose total market value is only about $135 billion. In the past 12 months, for example, criminals have absconded with 1% of Ethereum’s total market value, or $225 million, according to cybersecurity firm Chainalysis; the Bitcoin toll is estimated to be even higher. Brick and mortar bank robbers have “two problems: stealing the money and hiding the evidence,” explains Moran Cerf, a professor of business and neuroscience at Northwestern’s Kellogg School of Management and a former corporate hacker. “Bitcoin solves the second one for you because everyone there is anonymous.” Bitcoin diehards seem resigned to the reality of irreversible transactions—and its drawbacks. “I think of that as a feature and not a bug,” says Chris Burniske, a blockchain investor and author of forthcoming book Cryptoassets—even though his own accounts were looted in December for digital coins that would now be worth over $100,000. But when victims watch their money up and leave into the digital wallet of a nameless stranger, it becomes more than just a problem for Coinbase: It’s a threat to the promise of Bitcoin itself. As the value of cryptocurrency soars, more investors are grappling not just with how to profit from it, but how to hold on to it at all. 
“Coinbase looks like a bank, talks like a bank, and takes millions of dollars in cash like a bank, but, in practice, it functions like a dimly lit underground casino,” says Cody Brown, whose account was hacked for $8,000 in the span of just 15 minutes in May. “You don’t realize that the balanced fonts, smooth blue gradients, and endless copy about trust mean absolutely nothing—until you are robbed blind.” Coinbase, for its part, won’t discuss specific cases except to say that it investigates all account takeovers. But Brian Armstrong, Coinbase’s 34-year-old CEO and founder, says Brown’s and Wilson’s experiences were “helpful” in teaching the company how to improve. Its security measures already match or exceed those at banks—from using machine learning to detect dubious activity, to mandating dual-factor authentication. Yet Armstrong recognizes that Coinbase is also a juicier target: “We need to be held to a higher standard,” he tells Fortune, “because digital currency is so new and interesting and powerful that it is attractive to a lot of people out there to try to steal it.” If Bitcoin were a religion, its equivalent of “What would Jesus do?” would be “BYOB: Be your own bank,” an unofficial slogan widely embraced in the industry. The original blockchain was launched in 2009, by the mysterious founder (or founders) going by the name Satoshi Nakamoto, as a utopian form of electronic cash that could change hands, as Nakamoto wrote in a legendary white paper, “without going through a financial institution.” But that ideal also attracted a subversive element, repelling many potential adopters. 
That’s where Armstrong saw an opportunity to bring polish to an industry run by “hackers and crypto-anarchists” at the time, he says: “If this was going to go mainstream, it needed something that had a more trusted brand around it.” An early engineer at Airbnb, Armstrong quit in 2012 to create the “Gmail for digital currency.” His strategy: making it easier and safer to store, and then buy and sell, cryptocurrency. While early Bitcoin wallet companies made people keep track of their own private keys—the secret 64-character passwords that alone provide access to one’s cryptocurrency—Coinbase’s pioneering innovation was its offer to store keys on customers’ behalf. That also came with risk, as customers wouldn’t need to know their actual key, but rather just a password, to get to their Bitcoins—and neither would a hacker. “That’s a big responsibility to take on,” the fresh-faced CEO admits. “But I also think it’s necessary to help the industry scale and make digital currency accessible to the next 100 million or billion people.” Coinbase has demonstrated a unique ability to bring the new asset class to the masses. Its base of customers, most of whom are in the U.S., has grown 50% just in the past five months, with as many as 50,000 signing up in one day; trade volume in July alone was twice as much as all last year. Coinbase, which makes money by charging transaction fees, is said to be nearing profitability, and Armstrong ranks No. 10 on this year’s Fortune 40 Under 40 list. But he is pretty clear about his company’s limits. “The average person may at a high level think of us as a digital currency bank, but we’re not a bank,” he says. Coinbase doesn’t lend money, as banks do. And critically: Coinbase, which is regulated as a money transmitter like PayPal or Western Union, isn’t covered by the FDIC or bound by all the consumer protection laws that govern banks. 
Armstrong has long taken 100% of his salary in Bitcoin; he now cashes out enough into dollars each month to cover his rent. Many of his employees do the same. They understand the security issues better than just about anyone, yet protecting customers is proving to be a gnarly challenge: Technically, because hackers are breaching accounts from the consumer end, exploiting weaknesses at companies like Verizon and Sprint, the hacks aren’t directly Coinbase’s fault. “Within the realm of reason, it’s very difficult for us to prevent their account from being drained,” says one executive. Still, Coinbase can’t afford to ignore the problem—literally. Even though it is not a bank, Coinbase still bears the cost of banking-system protocols, when traditional financial institutions yank back fraudulent payments induced by hackers. For example, when Dachis was robbed, a Coinbase customer support rep complained right back to him by email that “Coinbase has suffered a $1,657.41 USD loss due to bank reversals” of transactions subsequently reported as fraud. “Coinbase is left holding the bag,” Soups Ranjan, the company’s head of data science, said at a recent industry event. Problems like this—along with unauthorized credit card purchases of cryptocurrency—cost Coinbase a stunning 10% of all revenue it collects, a fraud-loss rate 20 times as high as PayPal’s. “I firmly believe,” Ranjan added, “we have the hardest payment fraud and user security problem in the world right now.” To combat that, Coinbase has been using analytics to predict which customers have the highest risk of fraud and charge-backs, and preemptively limiting their purchasing power or locking their accounts. But that method comes with a downside of its own in the form of frustrated customers—and a backlog of help-desk requests that has stretched into the tens of thousands. 
With about 180 employees, the company hasn’t been able to hire fast enough to keep up with demand and is now looking to fill another 100 positions. Coinbase doesn’t even have a phone number for customer support, though it plans to add one in September. At the same time, Coinbase finds itself slamming headfirst into the expectations that come with being the closest thing cryptocurrency has to Goldman Sachs. The IRS has gone to court seeking Coinbase user records, after only 802 U.S. taxpayers reported Bitcoin profits on their tax returns in 2015. In June, Coinbase had its first “flash crash,” with Ethereum’s price collapsing to 10¢ for a brief, panicky stretch; the company said that all trades “were executed properly” but eventually agreed, as a courtesy, to reimburse traders who had lost money owing to margin calls. And in early August, when a “hard fork” of the Bitcoin blockchain created another currency called Bitcoin Cash, Coinbase initially said it wouldn’t support it. Hours later, a denial-of-service cyberattack—which some perceived as retaliation—knocked the exchange completely offline, and customers began threatening to sue. Coinbase gave in: Account holders will be able to withdraw their Bitcoin Cash by 2018. “We’re in a period of hypergrowth, and it’s superexciting and a little chaotic,” Armstrong says. For many blockchain enthusiasts, the Coinbase hacks have been a reminder of the danger of letting anyone else store your cryptocurrency. “If you don’t own the private keys, you don’t own the coin,” says Jonathan Smith, the chief technology officer of Civic, a company that uses blockchain tech for identity verification. Then again, Bitcoin has a dirty little secret: For an asset that epitomizes the future, managing your coin yourself can feel like a journey into the troglodytic past. Smart-money investors who store their own keys often resort to the most rudimentary of tactics to protect them. 
They’re the Bitcoin equivalent of stuffing cash under the mattress: a private key printed out on a sheet of paper, cut into pieces, and distributed among family members who don’t know how to put it back together; an encrypted file loaded on a USB stick and buried in the backyard; a password committed only to memory. These jury-rigged methods come with their own pitfalls, and stories of self-inflicted losses are legion: The New York man who reformatted a hard drive and erased the key to $25,000 in Bitcoin. Dominic Fogarty, a hedge fund research analyst who left his phone, storing his cryptocurrency, in a taxi after a bachelor party—then schlepped all over the Adirondacks to retrieve it. (“Yes, we missed our train, but more importantly I didn’t lose my Bitcoins!” he tells Fortune.) The ultimate irony is that the gold standard in security, storing private keys in what’s known as “cold storage,” without connection to the Internet, often means putting them in the very places blockchain advocates hoped to avoid: banks. One cryptocurrency hedge fund manager once went to check on his safe-deposit box at Wells Fargo, which stored the key to $5 million, only to find the drawer empty. (A few weeks later, the correct box was found one slot below where it was supposed to be.) Even Coinbase itself relies on banks for some of its cold storage, where 98% of customer funds are kept. “It does seem a little old-fashioned, I suppose,” Armstrong acknowledges. And yet, it may also be the future, as more mainstream investors want in on cryptocurrency but without the worries of BYOB. For some crypto devotees, this is nothing less than heresy. Says Michael Krieger, a former Lehman Brothers analyst who abandoned Wall Street for cryptocurrency after becoming disillusioned by the financial crisis, “I wouldn’t trust my crypto private keys to a safety-deposit box at a bank. 
That’s just me.” But already, the walls between finance’s old guard and blockchain’s renegades are beginning to crumble, and a day may come where the systems meld together almost seamlessly. “It’s almost ironic and funny that some of the rules and procedures we want to get rid of are almost exactly the rules we want in place to [protect] a major client,” says Hu Liang, a former State Street exec who left in August to start a cryptocurrency trading platform for institutional investors. Even as they dream of supplanting the conventions that have defined banking for centuries, blockchain disciples are realizing that you can never quite escape them. Jonathan Levin is still catching his breath from a six-mile bike commute as he welcomes me into his office, on the second floor of a Manhattan coworking space, early one August morning. Wearing a gray cotton T-shirt that reads “Bitcoin, est. 2009,” the 27-year-old British expat exclaims cheekily, “So this is what fighting cybercrime looks like!” Levin is the cofounder of Chainalysis, a startup that tracks virtual currency movement and investigates illicit use. Chainalysis’s software assisted law enforcement with the takedowns and criminal indictments of both “dark net” marketplace AlphaBay and notorious digital currency exchange BTC-e during the span of a week in July, according to people familiar with the investigations. Previously, the company was able to locate where the stolen money from Mt. Gox and Bitfinex ended up: Bitcoin keeps an immutable record of all transactions—a literal money trail—so anyone can see the addresses of the digital wallets where funds are sent. Chainalysis’s artificial intelligence “clustering” techniques mapped the funds to particular exchanges. But progress seems to have hit a dead end when it comes to determining who controls those wallets. “How many people have been caught for stealing money from major Bitcoin exchanges?” Levin asks rhetorically. 
“The answer is zero.” That’s not entirely true, says Kathryn Haun, a former federal prosecutor who led the crackdown on virtual-currency crime and joined Coinbase’s board in May. While no one yet has gone to jail for hacking into an exchange or electronically pilfering cryptocurrency, she says, the AlphaBay and BTC-e probes are the first of a wave of cases that have yet to be completed or unsealed. Because wallet addresses are pseudonymous, it can take years for investigators to link them to a person—gathering data gleaned from exchanges like Coinbase and more obscure corners of the Internet. “I liken it to more traditional crimes, like bank robberies,” Haun says. “If he’s wearing a disguise and has a wig and gloves, it makes it that much harder to capture the criminal. But that doesn’t mean it’s impossible.” Individual thefts may be too small on their own to merit a federal case, but as more victims report crimes to the FBI and other government agencies, there’s more cause for hope. Chainalysis, for its part, opened a special investigations unit in July to take on personal cases after fielding pleas for help from hack victims. And experts believe the criminals who commit the robberies belong to sophisticated organizations with the technology and manpower to trawl social networks for mentions of cryptocurrency accounts—the kinds of resources that let them, say, call Verizon 28 times in 24 hours until they succeed in porting a phone number, as they did in the case of Adam Pokornicky, managing partner at hedge fund Cryptochain Capital. Efforts that ambitious inevitably leave traces, and from such clues a pattern can emerge. “Phone porting cases and schemes like it have captured the attention of law enforcement, so I would say, stay tuned,” Haun says. That said, even if the blockchain world’s combined forces succeed in capturing cybercriminals, there’s no guarantee that victims will get their money back.
Some of the legal precedent for charging cryptocurrency hackers is still untested, and there are questions as to whether intangible assets can even be seized. For one, accessing the booty would require knowing the private key: “They could get the criminal, but the government can’t force them to say where the gold is,” says Jeffrey Berns, whose California law firm specializes in digital currency. In a system that prizes decentralization above all else, the creature comforts of banking may never exist. Adds Berns, “There is no consumer protection, and I’m not sure it can be built in.” Deep inside a mountain in Switzerland, down a 200-meter cave, a World War II military bunker now stores what is believed to be the largest repository of Bitcoins on the planet. In the wake of the Mt. Gox hack in 2014, Wences Casares, an Argentinean tech entrepreneur, thought there was one solution to storing digital coins: Go underground. His company Xapo now operates heavily guarded vaults, on five continents, some as far as a kilometer down into the earth. Each contains so-called air-gapped servers on which the encrypted private keys are stored. To ensure hackers cannot rob its clients, who range from $5 account holders in emerging markets to the world’s largest hedge funds and institutions, agents of Palo Alto–based Xapo personally witness the manufacturing of the servers before they even come off the assembly line and escort them to the hermetic vaults, guaranteeing they never touch the Internet. “It’s somewhat ridiculous,” says Casares, who also sits on the board of PayPal, “the extent to which we have to go to make sure that the keys are protected.” But even that safeguard has its limits. When customers move funds into a “hot wallet” on Xapo for transaction purposes (itself a 48-hour process), the money could be vulnerable to the same hacks that Coinbase accounts are. In other words, your cryptowealth is as safe as can be—until you want to actually use it.
Anatomy of a Cryptoheist

Coinbase account holders lose up to $5 million annually to theft by hacking, according to a person close to the company. Here’s how the hacks happen, and why the culprits are so hard to catch.

The Stakeout: A scammer scouts a target by searching for people who work in the blockchain industry, or by combing social media for mentions of Bitcoin and Coinbase. The attacker finds the target’s email address and phone number through online postings or previous data leaks.

The Switcheroo: The scammer contacts the victim’s mobile provider and “ports” the phone number to a device under the scammer’s control. From this point on, every call and text meant for the victim arrives on the scammer’s device.

The Disguise: Because Gmail accounts often link phone numbers as a backup access method, the scammer can now log in and reset the target’s email password, then do the same at Coinbase.

“I’m In!”: Coinbase requires two-factor authentication (“2FA”) in addition to a password. That 2FA code is sent by text message to the ported number, so it now goes to the thief, who logs in.

The Getaway: The scammer moves the money into digital “wallets” under his control. Law enforcement can easily track the movements of the stolen currency recorded on the blockchain, but they can’t block transactions, and figuring out who controls the wallets is difficult.

The Laundering: To try to cover his trail, the scammer can move the currency to foreign “cryptoexchanges,” or convert it to other kinds of digital currency that are harder to track. Eventually, he can convert it to cash or other assets.

Building a Better Vault

For better security: Put a “do not port” order on your phone number. Don’t use text-message 2FA; instead, use an app like Google Authenticator, whose codes are computed on the device from a shared secret and the clock, so nothing is sent over the carrier network for a ported number to intercept. Use a unique password, one you don’t use for other accounts or social media.