Two broad categories of cyber-security threats
First, there are hacks targeted against cryptocurrency exchanges and platforms. It has been reported that, in the first three quarters of 2018 alone, over $927 million was stolen from exchanges and platforms, 3.5 times more than during the whole of 2017. This trend is likely to continue given the potentially lucrative awards for criminals.
Hacks targeted against exchanges and platforms tend to be sophisticated and less opportunistic than those against individuals or entities holding cryptocurrency. They have tended to focus on exploiting the security measures adopted by exchanges and platforms. One such example took place in May 2018 when a ‘51% attack’ was executed against the Bitcoin Gold exchange. When a hacker controls more than 50% of the relevant network’s computing power, they are able to prevent new transactions gaining confirmation on the blockchain. This allows the hacker to use a single cryptocurrency more than once. This was an extremely sophisticated attack and, until recently, considered a mere hypothetical possibility.
Secondly, there are hacks targeted against corporate and individual investors in cryptocurrency which focus on accessing the private key that enables the ownership of cryptocurrency to be transferred. In one relatively simple method called ‘SIM swapping’, hackers arrange, directly with the mobile operator, the transfer of the victim’s phone number to a new SIM card that they hold. Reports suggest that employees within the mobile operators are not complicit, but that the hackers bypass security measures by simply resetting the victim’s login credentials using the compromised phone number. In 2018, this method was deployed in a high-profile hack against several Silicon Valley executives which included the theft of over $1 million from a single individual.
Against this backdrop, regulators worldwide have increased efforts to ensure that cyber-security risks are minimised to the extent possible through mandatory security requirements. For example, in Japan, in 2018, the Financial Services Authority launched a series of inspections to assess the security measures employed by Japanese cryptocurrency exchanges. This resulted in ‘business improvements orders’ being issued by the regulator to deal with specific concerns identified.
In the UK, a Cryptoassets Taskforce (comprising HM Treasury, the FCA and the Bank of England) was established in early 2018. In October 2018, the taskforce published its final report which called for “strong action” to be taken in the regulatory sphere to deal with various risks including cyber-security given that “Cryptoassets are now viewed as high-value targets for theft”.
On the back of this report, in January 2019, the FCA published a consultation paper as a precursor to issuing final Guidance (expected later this summer). The consultation paper refers to the need to minimise harm including that caused by cyber-security issues. The paper is, however, thin on answers to the problem of cyber-security. It will be interesting to see what concrete requirements the regulator seeks to impose to limit the risk and impact of cyber-security issues.
There is, of course, a limit to the steps that can be taken to mitigate cyber-security risks. Exchanges, platforms and investors in cryptocurrency will likely continue to suffer from hacks however strong the regulatory and mandatory security framework is. When hacks do take place, it is essential that the victims understand the legal framework given that this has a significant impact on recovery options.
The key legal principle that determines whether action can be taken to recover stolen cryptocurrency is whether it is deemed to be property in the eyes of the law. Given that cryptocurrency constitutes lines of code stored in an electric ledger (i.e. the blockchain), it is, on one view, mere information rather than something constituting property. It does however, have value and - for reasons that follow - there is a good chance that, when tested, the courts in England & Wales will classify it as property.
The issue has not yet been considered by the courts in England & Wales. However, in the US, the Internal Revenue Service has determined that cryptocurrency is to be treated as property for taxation purposes. Of greater significance in predicting how the courts in England & Wales may approach the issue is the decision in B2C2 Ltd v Quoine Pte Ltd  SGHC(I) 03, handed down by the Singapore International Commercial Court in March 2019.
This case concerned Quoine’s (a trading platform) decision to reverse a trade that was made as a result of an error in its platform’s coding. This error benefited the Claimant, B2C2, which held cryptocurrency on the platform. B2C2’s position was that Quoine held its cryptocurrency on trust and their decision to reverse the trade constituted a breach of trust. An asset must constitute property for it to be capable of being held on trust. Therefore, whether cryptocurrency constituted property was key. Although the point was not considered in detail by the court because Quoine accepted that cryptocurrency may be treated as property, the judge commented that he considered Quoine’s position to be correct.
He explained that this was because cryptocurrency has “the fundamental characteristic of intangible property [because it is] an identifiable thing of value” - referring to the definition of a property right in the seminal House of Lords decision of National Provisional Bank v Ainsworth  1 AC 1175 at 1248, in which it was held that property “must be definable, identifiable by third parties, capable in its nature of assumption by third parties, and have some degree of permanence or stability”. In Quoine, the judge observed that cryptocurrency “met all of these requirements”.
Although not an absolute certainty, the courts in England & Wales are likely to arrive at the same conclusion when the issue inevitably comes before it. If so, this would open the doors (for victims of hacks) to several recovery options including tracing and conversion claims. We will examine these recovery options in our next article in this series on cryptocurrency.