The following is an edited summary of comments by Antonopoulos. To listen to the full podcast please go here.
The Ledger data breach
In July 2020, hardware wallet manufacturer Ledger was made aware of a data breach. The company said the leak "consisted mostly of email addresses, but with a subset including contact and order details such as first and last name, postal address, email address and phone number."
In December this data was made available online. The data actually consisted of a list of one million email addresses, as well as a list of 272,000 individual customers, containing emails, phone numbers and physical addresses. Those customers have since been targeted with phishing attempts by scammers sending fraudulent emails claiming that their "cryptocurrency assets are at risk", prompting them to download a fake version of Ledger Live that would then ask for the user’s seed phrase.
Antonopoulos says “the big risk here is that some of the personal information that was released in this dump of 272,000 customers included phone numbers and physical addresses. We’ve since seen a flurry of phishing activity. Phishing is when you receive an email or a text message that attempts to create a sense of fear and urgency in order to make you act rashly. Usually what they’re trying to do is get you to visit a website where you’re told that your device is being disabled. And if you don’t take action immediately, something bad will happen. And the action that they try to make you take is to reveal your 12 to 24 word mnemonic phrase, which is the basis of your entire security. For anyone affected, the simple advice is do nothing. Inaction is probably the best strategy. Your funds on your devices are perfectly safe as long as you don’t do anything rash.”
SIM Swap Attacks
Antonopoulos says that affected Ledger customers are also vulnerable to SIM swapping, a more serious type of attack. “That’s when by using your phone number, an attacker contacts your cellular phone company and attempts to socially engineer one of their customer service operators to transfer control of that number to a SIM card and mobile phone they control. And if you use this as a two factor authentication with a text message code on any service, they can then hijack that account. They would start with your cryptocurrency exchange accounts. A SIM swap attack can be incredibly damaging.”
Antonopoulos has recorded a PSA with more detailed advice and information for anyone that is targeted as a result of the Ledger data breach.
The data breach is an illustration of the tension that exists between the idea of Bitcoin as “be your own bank” and “not your keys, not your coins,” and the reality that some new Bitcoin investors may be better served by a third-party custodian than by taking responsibility for their own private keys.
Not your Keys, Not your Coins
Antonopoulos says “When I coined the expression, ‘not your keys, not your coins’, what I wanted to describe is the idea that in cryptocurrency, custody and control are the same thing. So your ownership is defined only by control of your private keys. The simple truth of the matter is that this leak of a database of names, addresses and phone numbers is disturbing and problematic and can lead to various types of attacks. However, it pales in comparison to the billions of dollars that have been stolen directly from exchanges. Exchange hosted wallets are not secure. They’re not secure because they concentrate the funds of thousands of customers under a single ownership and control structure. If you have the funds of a thousand customers, your security needs to be a thousand times better than the security of each of the individual customers, because an attacker can simply attack the honeypots and not worry about robbing each individual bee. The problem in information security terms, is that a thousand times better security than you can achieve in your home doesn’t exist. If you put your money on a cryptocurrency exchange, you don’t remove risk. You simply substitute one set of risks, which have to do with personal control, responsibility, technical skill, and learning, with a completely different set of risks.”
And when it comes to centralized databases, some of the most attractive honeypots, and the least secure, are government agencies.
The 2020 SolarWinds hack targeted many U.S. agencies, with the Treasury Department among the worst affected. However, in the days before Xmas 2020, FinCEN, part of the U.S. Treasury Department, proposed new KYC/AML regulations that would directly impact the crypto asset industry.
Totalitarian financial surveillance
Antonopoulos, never one to mince words, says the new regulations are an attempt to extend a totalitarian financial surveillance structure over the entire world. “They are acting with complete disregard for the consequences and side effects on billions of innocent people,” he says.
“This is wrapped up in the self-righteous and easy to sell idea that this prevents crime. Of course they bundled in all of the worst kinds of crimes, such as terrorism and child pornography. However, the truth is that for decades now, every study that has ever looked at the effectiveness of anti money laundering and counter-terrorist financing, these kinds of regulations prevent a vanishingly small amount of those activities.”
One of the reasons these regulations fail is because the organizations most responsible for large scale money laundering are in fact the banks. While Ripple and several other crypto organizations and personalities were hit by the SEC in 2020, it was actually mainstream brands like Wells Fargo, Morgan Stanley, and Goldman Sachs that once again featured most prominently in 2020 enforcement actions. Wall Street not only gets away with minuscule punishments, it seems they view these as simply a cost of doing business.
This has many negative side effects, says Antonopoulos. “These include condemning billions of people into poverty because of economic exclusion, due to creating so many barriers to participation in the world economy. They create structures of corruption, surveillance, and privacy violations. This enables dictators to control their populations through means that are disguised as economic measures. These regulations don’t actually stop most criminals, but they do criminalize innocent behavior all around the world and penalize billions of innocent people.”
From a practical perspective, the proposed Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets would require that small startups, without the infrastructure for security personnel compliance, collect information on their customers. This process then exposes those customers to data risk. It makes new targets of millions of customers by creating honeypots of information that are vulnerable to leaks and hacks.
The proposed legislation says that users who send crypto assets from an exchange to a private wallet would have to provide personal information about the owner of that wallet to the exchange if the amount sent is greater than $10,000 in one day. The exchange would need to maintain records involving transactions over $3,000.
While there was some advance warning that Steven Mnuchin and FinCEN would announce the proposed legislation, it was released days before Xmas and the industry was given just 15 days to respond with feedback.
Antonopoulos views this as a cynical tactic. “It’s a cynical and contemptuous move by a tiny privileged and out of touch group of elite banksters. If you study what Mnuchin has done in the past, he was at the head of the mortgage fraud industry and the robo foreclosure industry and got away with putting millions of people out of their homes,” he says. “I’m not surprised by the timing of this release and the limited opportunity for the democratic process because these people sneer at democratic process. Democratic process is a silly encumbrance on their power and they have utter contempt for the population, for the voters, for anyone who would stand in their way. But that’s par for the course.”
Another downside to the proposed regulations is that were they to be successfully adopted, it is likely that other countries would then adopt similar laws. The laws are designed to be emulated and immediately adopted by other countries around the world to create a global framework. In the meantime there is renewed interest in Bitcoin as an asset class from Wall Street. Ben Hunt of Epsilon Theory has argued that Wall Street is less interested in the actual price action of Bitcoin, and more interested in capturing the flow around a new asset class. So if they have the ability to capture the flow then that is how Wall Street will try and co-opt Bitcoin. However, Antonopoulos has taken the other side of this argument, articulating his idea of Bitcoin as a poison pill that will instead eat the legacy financial system.
“We see that with both Bitcoin and other systems, including Ethereum and DeFi applications,” explained Antonopoulos. “A great example is this new regulation. One of the problems with it is that they’ve written it for a world in which you’re doing wire transfers between people who have bank accounts. And of course, none of that applies in the blockchain context. When you’re doing a transaction whose destination is an Ethereum contract, a DeFi application, for example, there is no owner to identify. Therefore you cannot comply with this proposed regulation. Custodial accounts, hosted wallets, exchange wallets, etcetera, could not use DeFi contracts because that would violate this regulation. So they’ve tied one hand behind their back because to continue to operate in a compliant fashion as a regulated industry would require them to forego the innovative uses of this that simply do not mesh with regulation.”
Antonopoulos says the regulations are a wrench in the ability for regulated institutions to use DeFi. DeFi is harder to regulate so they regulate the things that look most like banking and the organizations that are centralized like banks and exchanges.
“Yes, so that’s the part they attack,” he says. “They have a hammer and anything that looks like a nail, they whack it. But the problem is that all that does is it makes the organizations, institutions, and the systems that are on the periphery of blockchains, that look most like banks subject to their regulation. And when they regulate those, they make them less attractive to the rest of the ecosystem while the rest of the ecosystem continues to innovate. If they continue doing this, the decentralized systems of innovation around this technology will see these regulations as a form of predation, as a threat, an attack against the ecosystem, and the ecosystem will innovate against them. What that does is it then makes these technologies even more of a poison pill. Ultimately they won’t tame blockchains. They will only tame the banks that are playing in the blockchain space and it will encourage innovation of defenses in the blockchain area.”
Decentralized protocols as a source of hope
One of the big stories of 2020 was Michael Saylor and MicroStrategy buying significant amounts of Bitcoin and promoting this in a vocal way. Saylor even bought the domain hope.com which now directs to MicroStrategy Bitcoin content. This was clever branding, as to a growing segment of the population, Bitcoin does indeed represent hope.
“I’m a techno optimist,” explains Antonopoulos. “I believe that technology and progress with technology have historically freed people from the constraints of the past. It has empowered individuals and raised living standards and improved the lives of billions. The world is a more fair and equitable place as a result. Technology itself is a neutral tool that we can use for good or evil. The reason I’m optimistic is because ultimately, when a new technology arrives on the scene, the first reaction by most people is to try to resist or deny or avoid. But that doesn’t change anything. And a lot of people are scared about how this technology might be used for bad things. The only way to really resolve these concerns is to put your energy into amplifying the good things that technology can do. You have to take the assumption that the vast majority of human beings are good. They want to protect their families, and their future. I strongly believe that is humanity. There are exceptions, of course, but the exceptions validate this truth. If you trust that technologies that are truly decentralized and go directly into the hands of empowering individuals, they will be used by those individuals to do good. And so when I look at a technology that can be used at scale by lots of people and based on my understanding of human nature, I see immense hope. I see immense hope that if you allow people to act on their own impulses and give them power in the form of technology, the outcomes are massive good on a massive scale.”
To listen to the full podcast interview with Antonopoulos, please go here.