Risks with cryptocurrencies extend far beyond price volatility

December 2021  |  SPOTLIGHT | FINANCE & INVESTMENT

Financier Worldwide Magazine

December 2021 Issue

From time to time, some new trading methodology throws a curve ball at the staid world of finance, leaving its leaders struggling to understand, never mind control, the risks associated with apparently routine but innovative events happening in its treasury functions on its trading desks or elsewhere.

The senior management of Barings discovered this when it failed to grasp the implications of Nick Leeson’s futures trading bets in the mid-1990s, as did Lehman Brothers when it misread the massive downsides to its subprime mortgage activities in the lead up to the global financial crisis of 2008-09.

Now we have the wondrous world of cryptocurrencies, into which more and more corporates and financial institutions continue to be drawn. The extraordinary volatility of prices for the likes of bitcoin is well-publicised, but what do most senior management teams know about the risks lurking under the bonnet of this new phenomenon, specifically concerning the operations of crypto exchanges?

The simplest way to acquire bitcoin and other cryptocurrencies is to buy it on a crypto exchange. Once anti-money laundering (AML) and know your customer (KYC) checks have been passed, customers will be allowed to deposit cash at their chosen exchange and the exchange will convert that into the cryptocurrency of choice. Most exchanges also offer to store cryptocurrency in a personal ‘wallet’.

The demise in 2019 of one such exchange, Cubits, is a case study in what can go wrong and the extreme challenges of tracing and recovering assets for the benefit of users. Cubits was a bitcoin exchange, trading platform and storage facility and became one of the fastest-growing platforms in Europe following its launch in 2015. Its users comprised both corporates and individuals.

The trading platform allowed customers to buy, sell, trade and store bitcoins. The company operating Cubits was registered in the UK, but its operations were both multinational and cyberspheric.

Cubits was young, dynamic and operating in a rapidly evolving industry. Unfortunately, the world of cryptocurrency can be a minefield and its unregulated status facilitated a less than robust approach to the inherent risks.

By mid-December 2017, when the price of bitcoin was around $20,000 and trading volumes were at record highs, Cubits was profiting handsomely from the 100,000 individual clients and 5000 corporate clients that it was servicing.

However, it is unlikely that many of its corporate clients were aware that Cubits was providing a very fast and smooth bitcoin conversion service to a plethora of high-risk countries, including jurisdictions in which trading in cryptocurrencies was illegal, thereby exposing the exchange to some individuals and organisations with less than desirable behaviours and ethics.

Unfortunately, the accounts of three Chinese users were compromised in February 2018. The three customers had between them amassed €27m worth of bitcoins in their accounts with Cubits. Their trading patterns were atypical and they had not initiated the two-factor authentication security protocol recommended by Cubits. They reported that their accounts had been hacked and their passwords changed immediately prior to the withdrawal of circa 2800 bitcoins by unknown third parties.

These customers had purportedly transferred the Chinese Yuan to purchase their bitcoins to a third-party payment service provider (PSP), which was Cubits’ main PSP in Asia. The PSP, on hearing the allegations of the customers being hacked, allegedly returned the funds to them. So, the money for the bitcoins was never remitted to Cubits and, worse still, Cubits’ bitcoins had been withdrawn from the exchange.

The PSP subsequently refused to honour the payments for the bitcoins purchased and reneged on payment of some €7m of outstanding amounts owed to Cubits for other unrelated bitcoin transactions. Faced with serious liquidity issues, Cubits filed for insolvency in the UK after 10 months of fruitless attempts to recover the missing assets.

Administrators were faced with formidable challenges wherever they turned. Cubits’ senior management and staff had scattered, fearful of repercussions from some of the less savoury customers, and most refused to cooperate. Accounting records were wholly inaccurate, incomplete and unhelpful. There was no reliable information about the most basic of issues: where the servers on which the exchange’s data was stored were located.

Disaffected staff refused to provide access to the transactional records or the keys to the company’s crypto wallets. The stolen bitcoins had been processed through ‘tumblers’ and ‘mixers’ (essentially money laundering services for cryptocurrencies) severely hindering the tracing of stolen bitcoins.

On the whole, crypto exchanges are difficult to communicate with and some actively encourage an aura of mystique and opacity. But where there is a will, there is a way. A forensic team, working alongside administrators, collaborated with legal advisers and law enforcement agencies around the world, issuing requests to the various crypto exchanges known to be involved with Cubits to reveal the identity of the account holders receiving the stolen bitcoins.

The exchanges were also required to reveal if the receiving account holder had any funds remaining on the exchange in other ‘wallets’, or whether the bitcoins had been transferred onwards. If the latter, the forensic team resumed the tracing until it hit another exchange or known account; or, if the bitcoins had been converted into traditional currency, they began the more common asset-tracing and recovery exercises.

One helpful factor in a formal insolvency scenario is that the company’s former suppliers will still want to be paid. For example, as there was no accurate information as to where the company’s servers were located, and no-one would provide this information, ultimately, this question was answered in a demand for payment from the company’s former service providers making contact to chase unpaid invoices. In this way, key data could be recovered, and decrypted with the use of forensic tech, which in turn facilitated further investigation and the recovery of assets.

Similarly, it was possible to identify more than 30 different bank account-providers globally, including some in territories where Cubits had never had any customers. Funds have been recovered from accounts based all over the world, a process which is still ongoing. Bitcoins were seized and recovered from two wallets located in the US, using Chapter 15 legislation designed to facilitate cross-border cooperation in bankruptcy matters.

One remaining issue with cryptocurrencies is that the precise nature of bitcoin (and therefore by extension all other cryptocurrencies) is still yet to be settled by UK courts. Under current English law, bitcoin is neither property of which a party can take physical possession, nor does it create a property right that can only be obtained or enforced through legal action because it is intangible in nature, being either information or data, and numerous English authorities have affirmed that information or data is not property.

However, in the recent case of Liam David Robertson v Persons Unknown, the Commercial Court granted an asset preservation order over more than £1m of bitcoins stolen in a spear-phishing attack, deeming bitcoins to be ‘assets’. Indeed, in an insolvency context, Bitcoin is more likely to fall within a debtor’s property, as the definition of property in insolvency is extremely wide. Nevertheless, it is important to stress that its status has not yet been properly defined.

The moral of this convoluted tale of global asset tracing is that trading in crypto or holding it as an investment or as a resource is fraught with risk. There can be none of the peace of mind of using traditional, heavily-regulated banking systems. Crypto exchanges are not all like Cubits, but by definition none of them have matured yet, there is little or no regulation and as yet there is no developed body of either local or international law to govern disputes.

Cyber space is a largely lawless place and therefore, one of the least ideal places for an entity, whether corporate or individual, to carry risk. Using cryptocurrencies for business and commercial purposes has become unavoidable for many, but those that do must ensure they understand the risks, gather all the information they can about their counterparties and have forensic advisers with expertise in this field ready to deploy the moment problems occur.

 

Allister Manson is a partner and Nick Hood is a senior business adviser at Opus Business Advisory Group. Nicholas Parton is a partner and head of forensic accounting at Opus Pear Tree. Mr Manson can be contacted on +44 (0)7775 570 017 or by email: allister.manson@opusllp.com. Mr Hood can be contacted on +44 (0)7967 658 296 or by email: nick.hood@opusllp.com. Mr Parton can be contacted on +44 (0)7590 269 393 or by email: nicholas.parton@opusllp.com.

© Financier Worldwide

BY

Allister Manson and Nick Hood

Opus Business Advisory Group

Nicholas Parton

Opus Pear Tree

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.