I Shot Crypto in Reno

In our post about The Crypto Hare and the Regulatory Tortoise, we remarked that if you took a time machine back to 2008 and the birth of bitcoin then traveled to today, the advancements in innovation are head-spinning compared to the lack of regulatory certainty in the same span.  Very similarly, we’ve been as confounded all this time by the superglued, tired trope that “crypto is for criminals.” 

So please repeat with us: You don’t throw babies out with bathwater.  You don’t blame money for money laundering.  And you don’t blame digital currencies for the prevalence of cybercrime.

We know that ‘crypto equals lawlessness’ is a headline which gains a lot of attention because of its digestibility.  It is far harder for many people to understand the concept of a peer-to-peer digital store of value exchanged across a shared, immutable database when hey, I’ve got real money that someone could steal.  Cryptocurrencies have also been burdened by the uneasy prefix of “crypto” itself, suggesting something hard to define and even deathly (think: the word “crypt”).

This leads to a persistent challenge for the blockchain and digital currency community, which is communicating if not the positives, then at least the immateriality of crypto when it comes to cybercrimes, especially today’s spotlighted scourge of ransomware. 

The first ransomware attack occurred in 1989 and was called the AIDS Trojan. It was distributed through floppy discs that were sent to victims via email. It didn't spread too widely in part because not many people had personal computers at that time and the internet was still so nascent.  But for the record, this was 19 years before the birth of bitcoin.

Now, for everyone whose inbox has entertained a Nigerian prince, we know that emails have been an easy entry point for criminals to target the unsuspecting, especially in Business Email Compromise (BEC) attacks.  BEC attacks started appearing about six years ago, escalating each year until they surpassed all other forms of internet fraud. The FBI reports there were almost 20,000 BEC attacks against American businesses in 2020 alone, accounting for $1.8B in losses.  For a crime that causes more losses than any other form of internet fraud (40% of all cybercrime take in the US according to the FBI) BECs retain a strangely low profile.  Despite the significant amounts of money that have been stolen this way through the traditional financial system, the crime can seem technical and pedestrian compared to the high-stakes drama of holding a hospital or gas pipeline hostage for ransom — with bitcoin.

But looking at the above paragraph again, let’s underline that $1.8B was lost in BEC attacks in 2020.  The same year, according to the noted cryptocurrency security firm Chainalysis, around $350M worth of cryptocurrency was paid in ransomware attacks.  Yes, $350M is a lot of money but the vast majority of attacks are still in traditional currency.  Moreover, the entire digital currency market is $2 trillion and growing, so obviously not all of crypto is criminal. But again, because the concept of cryptocurrency is simultaneously complicated but intriguing, it’s easy to give it undue prominence (see: John Oliver on Last Week Tonight) or blame (see: Lee Reiners in the Wall Street Journal).

Actually, to be fair, John Oliver’s show acknowledged that there are other reasons than cryptocurrencies for ransomware to exist — the most important being the clear vulnerabilities in computer systems and how companies protect those systems. If those weaknesses didn't exist, neither would ransomware. Case in point, on several occasions from 2017 to 2020, employees at Kaseya — a firm which experienced a bitcoin ransomware attack over the Fourth of July this year — say they flagged an array of cybersecurity concerns to company executives including outdated code, use of weak encryption and passwords, and a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales over security. These types of weak cybersecurity allegations by former employees also occurred following hacks at Twitter, SolarWinds, and JBS.

But Lee Reiners unfairly stated that “ransomware can’t succeed without cryptocurrency.”  We think we have more than demonstrated why that is not true.  But if you don’t believe us, our podcast guest Anoop Nannra, Blockchain Segment Leader at AWS and former Cyber Security Threat Intelligence Leader at Cisco, will also tell you why that is simply too simplistic. 

As you probably easily recall, Johnny Cash famously sang, “I shot a man in Reno just to watch him die.”  The fatigued side of us thinks there are still many people who want to see crypto die just because — just because they don’t understand it, they don’t like it, they don’t want it, what have you.  And ransomware is an easy excuse for that death.

But as we repeated not to throw the baby out with the bathwater, if we consider the immense potential value of blockchain and digital currency to increase access to capital, remove financial friction, and democratize economic opportunity for all, we see no merit in blaming cryptocurrency for ransomware.  Yes, crypto can be hard to make sense of when you are first trying to understand it and yes, the speed of technology innovation — combined with all the other extreme changes in today’s world — can seem scary and incomprehensible.  But as the Canadian author and artist, Douglas Coupland, once observed, “blame is just a lazy person’s way of making sense of chaos.”

We know you’re not lazy.  You wouldn’t be reading this if you were.  And we are happy taking the time to make the right sense of this chaos together.
