
With tech to hunt down hackers, cryptocurrency heists just got harder

A New York court case shows how law enforcement agencies can use tech platforms to bring cybercriminals to book, reports Shivani Shinde

In January this year the Liechtenstein Cryptoassets Exchange (LCX) was hacked and almost $8 million worth of cryptocurrency was stolen from its hot wallets. Photo: Bloomberg
Shivani Shinde
Last Updated: Jun 26 2022 | 7:08 PM IST
How many times have we heard that a hacker has been caught for their cybercriminal activities? For that matter, how often do we come across reports that legal notices have been sent to anonymous hackers who have siphoned off millions through ransomware or some such means?

Earlier this month, for the first time ever, an anonymous hacker was served with a restraining order as a non-fungible token (NFT). Not only was the hacker’s wallet frozen, but all other wallets that they had moved the funds to have also been frozen.

Why this is important becomes clear when you consider that according to a 2020 report by Third Way, an American think-tank (published in Cyberexperts.com), only about 0.3 per cent of all reported cybercrime complaints are prosecuted. In other words, about 3 out of 1,000 malicious cyber incidents face prosecution. Also, a large percentage of cybercrime victims do not report the incidents. Hence, the enforcement gap may be less than 0.05 per cent.

In January this year the Liechtenstein Cryptoassets Exchange (LCX) was hacked and almost $8 million worth of cryptocurrency was stolen from its hot wallets.

LCX made use of algorithmic forensic analysis and tracing of stolen assets through Tornado Cash, a crypto mixing service. As a result, it was able to identify the location of the stolen funds and the wallets operated by the alleged criminal.

Since LCX is a regulated blockchain company, it also engaged with law enforcement authorities in Liechtenstein, Spain, Ireland and the US. The alleged thief or group of criminals sent 500 ETH (Ethereum) to a fully verified user account at Coinbase, an online platform for buying and selling cryptocurrencies, and recently swapped ETH to US Dollar Coin (USDC) on decentralised exchanges.

LCX explains the hack

USDC is issued by Circle Financial Services, while Centre Consortium operates the technology which is able to blacklist wallets, freezing USDC tokens (in particular wallets), LCX said on its website, explaining the hack.

The most remarkable thing about the case is that LCX’s law firm, Holland & Knight, successfully served a defendant in a hacking case a temporary restraining order via NFT, and, more importantly, the New York Supreme Court approved it.

“This innovative method of serving an anonymous defendant was approved by the New York Supreme Court and is an example of how innovation can provide legitimacy and transparency to a market that some believe is ungovernable,” LCX said in a statement.

What is also important to note is that LCX has managed to track down and freeze 60 per cent of the stolen funds.

The case shows how blockchain-based platforms are safer because every transaction can be traced to the rightful owner. 

In India, the technology innovation that the New York Supreme Court allowed is being seen as a trend-setter.

Rajgopal Menon, vice-president of WazirX, a cryptocurrency exchange, told Business Standard, “This case has certainly set a precedent on how technology can be innovatively used in the digital world. In India, too, we have seen law enforcement agencies using tech platforms innovatively. Now notices can be issued on WhatsApp, too. Using NFT to send restraining orders is indeed innovative and path-breaking.”

Trace and track 

Abhishek Singh Rajpurohit, founder of AkcoLedger, a Web3 startup, believes that this case will be remembered as one where multiple governments also worked together to solve it. “The Indian government can look at this specific case and may take some lessons and understand that anything which goes wrong in a blockchain can be traced and tracked,” he adds.

The legal fraternity in India, especially those who are aware of happenings in the digital world, is optimistic that something like this can be replicated under the Indian legal system.

“The use of NFTs to send a temporary restraining order to a wallet is a very innovative idea, especially when you cannot identify the person. In the US we now see this being used regularly,” says Navodaya Singh Rajpurohit, partner at Coinque Consulting, which is focused on blockchain companies, and founder of MetaverseLawyer Space.

He adds that nothing stops this from being adopted in India as well. “Earlier, notices could be sent only by India Post. Then slowly, courier services were included, and in 2021, the Supreme Court said that due to Covid, summons can be issued by Telegram and WhatsApp, in addition to other services.” 

He also believes that because “know your customer” is an important part of customer verification in India, the chances of identifying a hacker can become that much easier. 

According to WazirX’s transparency report for the period October 2021 to March 2022, the company received 952 requests from Indian law enforcement agencies and 71 requests from foreign law enforcement agencies regarding enquiries that were of a criminal nature. 

The report also states that between October 2021 and March 2022, the company locked 17,218 accounts, an increase of 19 per cent compared to the period between April 2021 and September 2021. As much as 73 per cent of this was user-driven (customers requested the account closure) and 27 per cent was initiated by WazirX over payment disputes or ongoing investigations. 

Menon says that one of the features of blockchain is that it allows you to track every transaction, which also makes the ecosystem much more trustworthy. Last year, a hacker was forced to return $600 million that he stole on the Poly Network platform, a decentralised finance platform that provides peer-to-peer transactions, especially allowing users to swap tokens across different blockchains.

When Poly Network realised what had happened, it immediately tweeted an open letter to the hackers. It also urged crypto miners and exchanges to blacklist tokens coming from the hackers’ addresses. Many joined hands. SlowMist, a blockchain security firm, published a report saying that it had tracked the hackers’ mailbox, IP address and device footprint, which made the hacker return the money.

As Tom Robinson, chief scientist at blockchain analytics company Elliptic, pointed out in a Forbes article, “…even if you can steal crypto-assets, laundering them and cashing out is extremely difficult due to the transparency of the blockchain.”
