Bitcoin Redux: crypto crime, and how to tackle it

Bitcoin Redux explains what’s going wrong in the world of cryptocurrencies. The bitcoin exchanges are developing into a shadow banking system, which do not give their customers actual bitcoin but rather display a “balance” and allow them to transact with others. However if Alice sends Bob a bitcoin, and they’re both customers of the same exchange, it just adjusts their balances rather than doing anything on the blockchain. This is an e-money service, according to European law, but is the law enforced? Not where it matters. We’ve been looking at the details.

In March we wrote about how to trace stolen bitcoin, describing new tools that enable us to track crime proceeds on the blockchain with more precision than before. We waited for victims of bitcoin theft and fraud to come to us, so we could test our tools on real cases. However in most of them it was not clear that the victims had ever owned any bitcoin at all.

There are basically three ways you could try to hold a bitcoin. You could buy one from an exchange and get them to send it to a wallet you host yourself, but almost nobody does that.

You could buy one from an exchange and get the exchange to keep the keys for you, so that the asset was unique to you and they were only guarding it for you – just like when you buy gold and the bullion merchant then charges you a fee to guard your gold in his vault. If the merchant goes bust, you can turn up at the vault with your receipt and demand your gold back.

Or you could buy one from an exchange and have them owe you a bitcoin – just as when you put your money in the bank. The bank doesn’t have a stack of banknotes in the vault with your name on it; and if it goes bust you have to stand in line with the other creditors.

It seems that most people who buy bitcoin think that they’re operating under the gold merchant model, while most exchanges operate under the bank model. This raises a whole host of issues around solvency, liquidity, accounting practices, money laundering, risk and trust. The details matter, and the more we look at them, the worse it seems.

This paper will appear at the Workshop on the Economics of Information Security later this month. It contains eight recommendations for what governments should be doing to clean up this mess.

3 thoughts on “Bitcoin Redux: crypto crime, and how to tackle it

  1. The second sentence in the last paragraph on p. 14 says “notes that it has $20bn in assets under management [Par18].” Looks like this reference should be [Fun18]. In the subsequent discussion, the shifting between $ and £ is confusing. (Where does “not £20m” come from?)

    1. It looks like the following sentences in the paragraph should have all values in $ (at least based on current cryptocurrency market cap), and that “not £20m” should be “not $20bn”.

  2. Sorry, I just assumed that people who care can do the conversion; I find it condescending when newspapers spell all conversions out and irritating when the result is spurious accuracy (“The Las Vegas thieves got away with $100,000 (£74,490)”).

    In the paragraphs you note, I’m interested only in the order-of-magnitude calculation, which points to the conclusion that Coinbase might hold 2 billion on behalf of UK customers and have about one percent of that on its balance sheet as reserves. It’s not really critical that the sums in question are denominated in dollars or in pounds as the difference is only 25%. (A more interesting question might be how much of the balance sheet is actually available as reserves.) That said, we might perhaps have phrased it better.

Leave a Reply to Ross Anderson Cancel reply

Your email address will not be published.