Why is Asia the epicentre of crypto exchange hacks?
While exchanges in Europe and the U.S. have not been immune from cyber attacks, the majority of the largest cryptocurrency exchange hacks have occurred in Asian markets, with South Korea and Japan leading the scoreboard. The question is why?
So far in 2018 over $673 million has reportedly been lost due to cryptocurrency hacks. Since the inception of bitcoin and the cryptocurrency markets, that number totals in the billions.
While western exchanges have not been immune to hackers, it is exchanges in Asia that routinely fall victim. For example, Coincheck, Coinrail, Bitfinex, Bithumb, Mt. Gox, and Zaif have suffered some of the biggest cryptocurrency exchange hacks, having lost a combined amount of $1.044 billion.
While exchange breaches in crypto’s early days could be attributed to a nascent industry learning its lessons the hard way, successful attacks in Asia continue to this day, with the prevalence of large-scale exchange hacks in the region begging the question: ‘Why is this happening?’
A laxer attitude towards cybersecurity?
An apparent reason for Asia’s crypto exchange hacks could be the region’s lax approach to cybersecurity, which has led Asian enterprises to fall behind their international peers when it comes to digital security.
A 2016 study by US-based information security firm Mandiant found that Asian organizations have the worst cybersecurity globally. The median time between a cybersecurity breach and its discovery was 520 days, which is three times the international average, the report stated.
Moreover, according to the Head of Cyber Security Services at Adura, Barnaby Grosvenor, "The lack of a strong network of national and regional-level cybersecurity regulations across Asia is a major gap in the cybersecurity landscape here."
"As past incidences have shown, some organizations do not even apply the security patches that are available in a timely manner. For example, our work in Asia showed that 99 percent of web servers lack at least eight critical security patches due to weak in-house cybersecurity processes. Organizations cannot afford to be slow in taking these basic steps as the risk of a potential breach is simply too high," Grosvenor told Network Asia.
A liberal approach to coin listings?
Another possible reason for the high number of hacks in Asia could be Asian exchanges’ liberal approach to listing new coins. If you look at exchanges such as Bitfinex, Bithumb and Coinrail, for example, these exchanges support a long list of altcoins — some of which may not be able to provide a secure enough network to prevent hacks, such as 51 percent attacks.
It is arguable that the more of these ‘smaller’ altcoins an exchange lists, the higher the chance that malicious actors can exploit weaknesses in the smaller blockchain networks, which can lead to exchange hacks.
Conversely, the leading US-based exchanges such as Coinbase, Gemini, and Kraken have taken a more defensive approach to adding new assets to their platforms. As opposed to listing a large number of digital currencies and tokens, these exchanges have opted to support only a handful of the most liquid and established digital assets. Moreover, new assets have to undergo a stringent selection process before being listed.
For example, Coinbase has just announced its new digital asset listing framework, which clearly outlines all the hoops that cryptocurrency projects need to jump through before receiving approval for listing. The quality of a cryptocurrency’s code is one of the main points Coinbase looks at, along with the project’s governance model, to ensure that only high-quality assets make it onto its platform.
This type of thorough due diligence is not being conducted by all exchanges. Instead, many merely require cryptocurrency projects to pay a fee to have their tokens listed. Binance, for example, charges $200,000 on average to list a new coin.
Asked on the Unchained podcast about its price to list, Binance founder Changpeng Zhao said it was good value for the coins. "We provide such value for coins, giving them liquidity, giving them our large user base, giving them credibility because now they have passed the Binance review. It’s worth way more … none of the projects that have listed on us complain about it at all."
North Korea and China targeting neighboring countries?
The proximity to China and North Korea – which allegedly regularly exercise their "cyber power" through state-sponsored hacking campaigns – might also be a reason for the high number of cyber attacks on Asian exchanges.
Speaking at the Asia Transnational Threats Forum in August, Chris Painter, former Coordinator for Cyber Issues at the U.S. Department of State, stated that China uses its hacking talent primarily for espionage and intellectual property theft while North Korea mainly runs cyber attacks for revenue generation and to develop destructive capacities for possible conflicts outside of its borders.
The latter could explain the high number of attacks on South Korean exchanges. Given North Korea’s fragile relationship with its neighbor to the South, the motive for state-sponsored hackers to target exchanges in South Korea is there.
It has been estimated that the Chinese government has upwards of 50,000 hackers in its military, and it has made little secret of its ambitions in the cyber space race against the US for quantum computing power. Along with its cyber firepower, the PBOC is also heavily investing in the research of cryptocurrency and blockchain to create a national digital currency under the remit of the central bank’s Digital Currency Lab.
Can regulators really protect investors from exchange hacks?
Interestingly, South Korea and Japan have some of the tightest regulations for cryptocurrency exchanges, which one would assume means exchange users there are receiving a higher degree of consumer protection than in other jurisdictions. However, as history has shown, that has not been the case.
Governments and financial regulators want to ensure that investors are adequately protected. That is the main driver behind the introduction of cryptocurrency regulations. However, looking at the exchange hacks in Asia, it seems that regulations have not managed to successfully protect investors from the pitfalls of cybercrime.
Moreover, as the recent Virtual Markets Integrity Initiative report, published by the New York State Attorney General’s Office, highlights, even regulated digital asset exchanges – in this case under the New York BitLicense – do not have sufficient security protocols in place to secure their clients’ funds and to monitor potential market manipulation.
How could governments increase crypto investor protection?
Keeping a close eye on how cryptocurrency exchanges operate and monitoring what types of security protocols are in place to protect investor funds is an excellent start.
Several countries have taken steps to regulate their local crypto exchanges while others have opened up a dialogue with exchanges to understand how they operate and to find out how to best regulate this new growing investment asset class.
If governments want to embrace cryptographic assets but also want to ensure that investors are protected from potential losses due to cyber attacks on exchanges, they could go as far as offering an FDIC Deposit Insurance-like backstop for digital asset investors. Having said that, it is unlikely that governments will go above and beyond to protect cryptocurrency investors given the controversial nature of this budding new asset class.
The more likely scenario would be for governments to require digital asset exchanges to insure their customers’ funds in full, in case of a loss due to a hack. This is the strategy adopted voluntarily by the Gemini exchange, which has insured all its custodied digital assets through a global consortium of insurers arranged by Aon.
For exchanges that don’t currently offer insurance, this is something that could be implemented quickly and would certainly offer marketing advantages in a competitive environment.
Finally, more education for investors who are looking at digital assets is required. While the private sector is already heavily involved in this, governments could encourage educational institutions such as universities and professional qualification bodies, such as the CFA, to provide more information on how to securely invest in cryptographic assets.