Cryptocurrency theft has been hitting headlines lately.
Auckland businessman Mark Geor told the Herald that $4 million in cryptocurrency on a USB stick was stolen from his Westmere, Auckland home - or at least was one of the items sitting inside a safe that was taken.
That case involved a hardware "wallet", but Government's Computer Emergency Response Team (Cert NZ) has recently highlighted several incidences of cryptocurrency being stolen from online wallets (see more on the crypto wallet options at the foot of this story).
In one case a person replied to an email that appeared to come from the cryptocurrency exchanged they used. They inadvertently spilled their logon - and thieves used it to drain their digital currency account of the equivalent of $10,000.
In another, a victim installed what they thought was a cryptocurrency app. In fact, it was malicious software. Some $100,000 worth of digital currency was subsequently stolen from his account.
You can also lose your cryptocurrency simply by forgetting the password to your account because, unlike the centralised world of banking, there's no reset option. Just ask Auckland man Adrian Clarke, who has around $52,000 in bitcoin sitting on a USB stick he doesn't remember the access code for.
Clarke - one of NZ's unluckier bitcoin investors - also lost money when the Mt Gox exchange was targeted by online thieves in 2014, then subsequently collapsed. His losses total around $110,000.
And the 2021 version of Wild West bank robberies continue. Christchurch-based Cryptopia had $30m in cryptocurrency stolen in a January 2019 heist and went into liquidation a few months later. A former staffer will appear in court next month, charged with stealing cryptocurrency worth $246,000 from online wallets (more on the ongoing Cryptopia mess below).
So what's the situation if you get cryptocurrency stolen?
In general insurance terms, you're probably out of luck - in a not dissimilar situation to old-fashioned cash, where most policies will only cover up to around $500 if you lose cash that's physically lying around.
The same is likely for more specialised cyber policies, which are more geared toward covering the costs of disruption caused by cyber attacks.
But a spokeswoman for the Insurance Council adds, "While it is unlikely a cyber policy would provide cover for lost or stolen cryptocurrency, it is possible that there would be cover under a crime policy given that it's theft.
"If 'money' isn't defined under a crime policy and it's not explicitly excluded, there could therefore be cover. We would recommend people talk with their insurer or broker to understand what cover they have for crypto/digital currency under their policy, and if there are any exclusions that could mean their cover is limited."
Tax: Can claim a loss
Brighter news comes from Inland Revenue.
IRD issued guidance on stolen cryptocurrency in September 2020.
A spokeswoman said the update was an interpretation of existing tax law rather than reflecting any new legislation governing digital currency.
"We were aware of instances where cryptoassets had been stolen so we felt it was important to outline the circumstances in which the loss arising from stolen cryptoassets could be deducted for tax purposes," she said.
In any case, it's promising for crypto theft victims.
IRD's advisory says, "You may be able to claim a loss for the cost of your stolen crypto assets.
"The amount you can claim is the cost that you initially paid to acquire them."
You can only claim a deduction if you can prove that the cryptocurrency was stolen, and that efforts to recover it have failed.
In the Geor case, a police spokeswoman told the Herald, "As there are no active lines of inquiry, the matter has been filed pending any further information ... There was no reported theft of cryptocurrency but rather [that] a safe had been taken."
Geor had nothing to add to his original account when approached for comment earlier this week.
Although it's out-and-out theft of cryptocurrency that concerns us here, Cert NZ also reported a rise in investment scams and other fraud where alleged cryptocurrency gains were used as a lure. All up, reported losses increased 50 per cent to a total $500,000 quarter-on-quarter in the three months to June 30, although Cert NZ director Rob Pope said that was probably the tip of the iceberg. Cryptocurrency - and in particular bitcoin - is also favoured by ransomware attackers for payoffs - because it's relatively easy to mask the identity of the person who ultimately receives the funds.)
And while the Geor incident highlighted the risks of keeping cryptocurrency on a hardware wallet, there have also been several cases of hackers stealing money from virtual wallets associated with online exchanges, including the Cryptopia intrusion.
We may soon, finally, be about to learn more about the heist on the Christchurch exchange, or at least some of the events that occurred in parallel. Police have charged a former employee with alleged offences relating to the theft of customer data from Cryptopia and the subsequent theft of cryptocurrencies valued at $246,000.
The alleged offender, who has interim name suppression, is scheduled in the Christchurch District Court on October 30.
But the police's ongoing investigation into the main event - the $30m hack - has yet to yield any charges more than two and a half years on.
What did I sign up for?
The Cryptopia incident has also underlined a couple of the drawbacks of cryptocurrencies.
One is that in a world of newly-minted, virtually unrelated services, it can be hard to gauge what you've signed up for.
For example, Grant Thornton liquidators for Cryptopia have managed to work with legal authorities to track and recover some $16.9m of the missing $30m.
However, the process of tracking, freezing and recovering funds has been long and complicated.
And the same goes for the (still ongoing) process of setting up a mechanism to return funds to Cryptopia users.
The liquidators say a key complication is that although users had individual digital wallets, behind the scenes "the crypto-assets themselves were pooled (co-mingled). Customers' trades would occur in the exchange's internal ledger without confirmation on the blockchain." (The blockchain is the distributed ledger technology usually used to confirm cryptocurrency trades.)
That has meant that untangling which funds are owed to whom among some 900,000 Cryptopia customers has turned into a multi-year effort that has required the liquidators to stomach the costs of keeping Cryptopia's servers running and keeping on staff to keep its systems going.
There have also been the costs of tracing lost funds, and those associated with a High Court hearing required to clarify whether cryptocurrency could be regarded as an asset (the court ruled the crypto coins stolen from Cryptopia did constitute "property" - meaning Grant Thornton could hold them in trust until it was able to distribute them to beneficiaries - that is, the victims of the heist).
The net result is that in their fifth report, filed in June this year, the liquidators had racked up $11.8m in expenses.
On your own
The Cryptopia heist also underlined that no cryptocurrency is Government-guaranteed in the event of a large scale theft that knocks an exchange over.
For libertarian boosters of cryptocurrency, a big part of the appeal is that s that the likes of bitcoin are decentralised and not regulated.
But it does mean you could be on your own if things go south. That's why the Financial Markets Authority, which recently issued a "be prepared to lose it all" advisory on cryptocurrency, recommends that if you do invest in digital currency, you do so via an NZ-based outfit.
Crypto enthusiasts can point out that your savings in a traditional NZ bank are not Government guaranteed, either.
But banks and traditional fiat currency are tightly regulated; it would be politically untenable for our Government (or Australia's) to let a traditional bank fall over, and our Government is in the process of introducing deposit insurance that will see savings accounts of up to $100,000 protected by the Crown.
MPs are currently investigating if cryptocurrencies should be more regulated, or treated with a lighter hand, as recommended by the sectors' boosters, who say NZ will be missing out on economic opportunity if it wraps bitcoin in red tape.
Things to look out for in a digital wallet:
Cryptocurrencies are held in digital wallets. You can look after your own digital wallet, or you can keep your cryptocurrency in an exchange's wallet and they'll look after it on your behalf.
• Forgetting your wallet's private key. If you forget your private key - which is basically the password for your wallet — you won't be able to retrieve it anywhere. It's generated specifically for you and you're the only person who has access to it. And if you can't log into your wallet, you can't access any of the funds in it.
• Consider your wallet storage options. It needs to be kept securely, either on your own device or with an exchange. If you prefer to use an exchange's wallet services, look for a reputable one. If the exchange is targeted by a DDoS attack and goes down, or the business closes and goes offline, you'd lose your cryptocurrency, such as Bitcoin.
• Cryptocurrencies are still relatively new technologies. It is a maturing market especially for the use of cryptocurrency wallets and cryptocurrency exchanges – investigate the technologies being used before committing any money.
• Minimise risk. A cryptocurrency wallet is the same as a normal wallet, where you only carry cash with you that you are willing to risk losing, rather than thousands of dollars. A solution to minimise risk would be to reduce the amount of money in your cryptocurrency wallet to an amount you are willing to lose and keep the rest in offline storage.
• Encryption Ensuring that you have full disk encryption on all devices from laptop to mobiles, will reduce the risk that an attacker who has physical access to your device could extract your wallet while the device is powered off or locked.
• Two-factor authentication 2FA adds an extra security check on top of your password, making it an extra step harder for someone to access your wallet or exchange account. This can be a randomising token via a text message or something only you have, such as a fingerprint.
• Backup There are a number of issues which could mean you could lose your wallet, such as ransomware, your device breaks, or your wallet is deleted. Wallets which are used to store cryptocurrency must be backed up to offline storage. Test your backup so you know you can restore it if you need to.
• Cryptocurrencies are not regulated in New Zealand. Cryptocurrencies, crypto-exchanges and the people that use them are often the targets of hacking, online fraud and scams. Read the Financial Markets Authority's advice before making any financial decision.
Source / Cert NZ