[This is a subpost of Bitcoin, Cryptocurrencies and Blockchains]

Two points about cryptocurrencies and blockchains that advocates often point to are that the transactions are untamperable and anonymous. This is largely correct, but neither is perfectly true, nor even necessarily a good thing.

Untamperable? Crime?

Let’s start with untamperable. The decentralized blockchain is untamperable for all practical purposes. In principle tampering could occour in the form of double-spending attacks, or a hard-fork that simply deletes certain blocks from the chain and thus the transactions those blocks are recording. Both of these are incredibly difficult and rare for any cryptocurrency that is being widely and actively used, and creating unauthorized transactions is nigh impossible due to the cryptography that verifies the transactions. This also make fraud, in the narrow sense of fake transactions essentially non-existent.

But. There is always a but. For cryptocurrencies the but is that untamperable is not necessarily desirable. While unauthorized transactions cannot be made, authorization of a transaction simply means that the correct keys are used to sign it. Just because a transaction has been signed by the correct keys doesn’t mean that the genuine owner of those keys made the transaction, keys can be stolen, or that they wanted to make the transaction, it could have been a mistake or made under threat. One implication of untamperable is that once an authorized transaction is made, it cannot be reversed, except by the party on the receiving end. This makes it very attractive for criminals. In this broader sense of authorized but undesired transactions fraud is much easier to pull-off with cryptocurrencies.

Normally, if a criminal steals your bank account details and transfers money from your account to another account you can call up your Bank, and they can work with the receiving bank to reverse the transaction. But with cryptocurrencies, if a criminal steals your keys, then they can use the key to make an authorized transaction from your account to theirs. Because the blockchain is untamperable, you have no way to get this reversed. The criminal has made off with your coin forever. This has led to many ingenious attacks by criminals to get peoples keys and steal their coin: some US$1.2 billion worth in 2017. This has ranged from trying to hack into email accounts and computers to steal cryptographic keys, to outright identity theft, stealing mobile phone numbers and then using these to change account details and thus get cryptographic keys. At the extreme end it has even led to threats of physical violence. A gang in Thailand trapped a Russian tourist in his own hotel room, and forced him to transfer them US$100,000 in bitcoin.

It is unclear what the implications of this are for cryptocurrencies. In principle such transactions could easily be reversed by a fork of the blockchain. But in practice this would require a majority of miners to agree to fork just to eliminate specific blocks from the blockchain, something which can happen, but is incredibly rare. Other quick fixes occour, such as wallets that require multiple keys which are spread among friends for extra security, but such fixes are impractical for most uses.

Anonymous?

Cryptocurrency ‘accounts’ are represented by unique numbers. This ‘account number’ is totally anonymous. This remains true as long as that account is used solely to transact with other cryptocurrency accounts. However for any kind of asset or currency to be useful, sooner or later it has to be used to purchase something. When this occours the user of the account is typically revealed; if you use bitcoin to buy a meal in a restaurant you must be in that restaurant and so can be identified in person. From then on the account is no longer anonymous and your name is attached. Because cryptocurrencies keep a public record of all transactions ever made it is also possible to everyone to see everything you ever did with that account. People try to hide their identities by ‘tumbling’ coins through multiple accounts, and by converting them as cash from one account and then depositing that cash into another account.

To some extent this works, it can be very difficult to establish the owner of a given account, but once they have been identified the public record of all transactions makes linking all of their activity and other accounts together relatively easy. The case of Dread Pirate Roberts who ran Silk Road, a major online marketplace for buying illegal drugs prior to it’s takedown in 2013, is illustrative. Dread Pirate Roberts took a comission on all transactions on the site which were made in Bitcoin, accumulating $80 million. His true identity, Ross Ulbricht, was uncovered by the FBI, but not by via his bitcoin accounts. However once he was arrested they were easily able to connect him to his Bitcoin accounts, and could see every single transaction paying him commissions going back for years on the public blockchain.

If an account is never used to make a purchase then it remains perfectly anonymous, the prime example being the Bitcoin accounts of its creator who goes by the pseudonym Satoshi Nakamoto. These accounts were credited with the first bitcoins mined, and contain roughly one million bitcoins, worth some US$19 billion during December 2017 when the value of Bitcoin was at a peak. Because these coins have never been spent, both the account and Satoshi Nakamoto remain anonymous.

So at one level cryptocurrencies are perfectly anonymous. As long as you remain within the cryptocurrency world. On the other hand as soon as you interact with the outside world and spend your cryptocurrency you are almost certainly revealing your identity, and because every transaction your account ever made is publicly recorded you reveal everything. Contrast this with cash where, while you reveal your identity when you spend it, it is increadibly hard to figure out any previous transactions you may have made. In practice, many people interact with cryptocurrencies not directly, but via exchanges which are covered by anti-money laundering laws that require they know your identity, and so for most users of cryptocurrencies there is no anonymity whatsover.

Price Manipulation and Fraud?

With over 1,500 cryptocurrencies in existence as of early 2018 many are little used. These are called thin markets, markets in which few trades are made. Thin markets are vulnerable to price manipulation, a small volume of transactions means prices can be easily mislead and manipulated with just a few large transactions. The rapid increase in the price of Bitcoin from US$150 to $1000 in 2014 looks to have been a direct result of price manipulation.

Two bots, Markus and Willy, on the Mt Gox exchange made suspicious trades purchasing 600,000 bitcoins, worth $188 million over nine months. Markus “bought” bitcoin over seven months in 2013. His Mt Gox account was fraudulently credited with bitcoins that did not exist. Because transactions were duplicated, no legitimate Mt Gox customer received the currency Markus supposedly paid to acquire these claimed coins. On 80% of the days Markus and Willy were active the price rose, versus on 55% of days they were inactive. Prices rose 4 to 5% on average on the days Markus and Willy were active, versus flat to negative price changes on days they were inactive. Price manipulation by the Markus and Willy bots appears to have directly driven the large price spike in Bitcoin during 2013 to early 2013, and after Mt Gox folded in early 2014 there was a major price collapse. This evidence points to price manipulation. As of early 2018 the volume of transactions on Bitcoin is roughly four times higher than in 2013, making the market less thin and price manipulation more difficult.

Bitcoin exchanges are more like the dark-pools of Finance, than stock exchanges. Just like dark-pools, trades occurring inside a Bitcoin exchange like Mt Gox are not publicly visible or recorded. Mt Gox only needs to record the net transactions activity on the exchange to the blockchain, and even this can be largely disguised by Mt Gox itself holding a buffer of bitcoin. This is what allowed the Markus and Willy bots trading on the Mt Gox, at that time the largest Bitcoin exchange, to operate without being detected and to make fraudulent transactions; neither of which would be possible on the blockchain itself. In late 2013 a log of all transactions on Mt Gox was stolen and publicly leaked online, allowing the data analysis that revealed the activity of these bots ex-post. The Bitcoin price spike from $150 to $1,000 occoured over just two months in late 2013. The Mt Gox exchange, which at the time accounted for over 70% of all Bitcoin transactions, collapsed in April 2014 announcing that 850,000 bitcoins worth $450 million, belonging to customers and the company, were missing likely stolen. The Bitcoin price crashed back to around $400, and it was three years before previous highs were reached. Former CEO of Mt Gox has confirmed that the Willy bot was operated by the owners of Mt Gox and purchased algorithmically. Some of the missing bitcoins were likely stolen by outside parties attacking Mt Gox. The precise evidence on the bots, described in previous paragraph, is detailed in Gandal, Hamrick, Moore & Oberman (2018). It is possible, but unlikely, that the bots simply operated on those days with large transaction volume to disguise their activity; this could have been more easily and more effectively done by simply making many smaller transactions.

Next post in this series on Cryptocurrencies: Blockchains: Smart Contracts and Cartels

Another interesting bit of cryptocurrency crime is cryptojacking: a website is hacked so that the computers of visitors to that site are used to mine cryptocurrencies.

References:

Gandal, Hamrick, Moore & Oberman. Price Manipulation in the Bitcoin ecosystem, 2018.