Bitcoin ETF Hack Possible?
New security worries have emerged in light of massive investment in Bitcoin ETFs, which has exceeded $15 billion since July 2024.
There is no denying that new financial products always attract people who neglect the risks attached to them. That is why the FBI warning about North Korean hackers targeting cryptocurrency-related ETFs is so unsettling. The concern exposes not only the weakness of the industry but also the effect hacks could have on the assets and on the cryptocurrency market as a whole.
Why Are Crypto ETFs Vulnerable?
Unlike in traditional stock markets, where an ETF is simply a derivative that holds and reflects the price of the assets underlying it, a spot Bitcoin or Ether ETF requires the fund manager to hold the physical assets or hire someone to custody them. This creates new attack surfaces and new ways for security to fail, and given the custody methods of existing ETFs, hackers could steal hundreds of millions in cryptocurrency in one go. This means that whenever the Bitcoin held by an ETF is stolen or compromised, the result can be a market-damaging dump, according to Jameson Lopp, co-founder & CTO of Casa:
“If the stolen assets are liquidated, the ETF itself could go to 0 in value, people panic and try to sell their bags.”
– Jameson Lopp (Co-Founder, CASA)
Why Do Hackers Love Crypto?
Crypto ETFs (at least those in the spot Bitcoin category) need to store a pool of underlying digital assets like stock ETFs, which makes them more administratively elaborate than their counterparts.
This effectively creates a kind of honeypot for hackers, security professionals say.
North Korean units have attacked cryptocurrency firms in the past, using exchange escalation and blockchain protocol breaches to make as much money as possible, but never has this approach been turned on ATMs so widely. The fear is that there is so much Bitcoin (BTC) and Ether (ETH) sitting with the big crypto ETFs that these groups just might not be able to resist the urge.
For instance, Farside Investors’ total for cumulative spot Bitcoin ETF inflows will exceed $15 billion by September 2024. Yet despite the flood of investment these products have attracted, most of those holdings currently have no insurance coverage against theft.
And if someone were able to fully hack all the underlying assets of an ETF, then, according to Jameson Lopp, co-founder and chief security officer at Casa (a crypto self-custody provider), their value would go immediately to zero.
This could cause a drastic market-wide correction, followed by billions and billions being wiped out of the cryptocurrency sector.
Coinbase: Security Provider for Crypto ETFs. Is It Enough?
Coinbase is the primary custodian for crypto ETFs in the United States and is influential in the sector. According to Timechain Index, the XBTC ETFs had 808,619 BTC in trust with the firm in early September 2024, meaning that only a tiny portion of US crypto ETF assets are outside the company’s control.
Secure infrastructure has been one of the company’s selling points for quite some time. It is a layer that would not be easy to cut through for any hypothetical thief with an eye on the mountain of money stored in Coinbase accounts.
Nevertheless, even Coinbase knows that hacking is just part of the game. Taylor Monahan, one of the principal core security researchers at MetaMask, summed up Coinbase’s philosophy in a tweet: “Get hacked, but don’t get rekt.” The idea is that while breaches may occur, the damage is contained within a certain range because of how the platform is structured.
Regardless of the apparent security of the system, the insurance Coinbase provides to customers against losses is very low relative to customer holdings.
As an example, the BlackRock iShares Bitcoin Trust ETF uses Coinbase as a custodian. The firm has purchased a $320 million insurance policy. That is 0.12 percent of the $269 billion in digital assets the exchange claims to hold. In Andrews’ view, that is a “gigantic gap,” and Lopp is even more pessimistic, stating that the “industry insurance of third-party custodians is a joke.”
Centralization: The Core Weakness in Crypto Custody
Finally, the most important systemic risk is the degree of centralization of crypto custody relative to the rest of the ETF industry. With no more than one or two alternatives in the U.S., Coinbase is establishing itself as a single point of risk for every crypto-backed ETF. If hackers can find flaws in Coinbase’s security protocols, any number of crypto ETFs could get wiped out in one fell swoop.
Steven Walbroehl, the co-founder of Halborn, explains that, despite all the assurances from entities like Coinbase, the lack of transparency about security is actually very dangerous for anyone working in this industry.
So while investors are being asked to put their trust in custodians like Coinbase, without public security standards, there will be risks.
Establishing a second or third custodian would be a start. But, as Walbroehl notes, that brings its own whole suite of new risks, such as making it harder to access and move money.
Fidelity is the only major player in the ETF game that simply self-custodies its digital assets. As Jameson Lopp puts it, all the goddamn big ETFs should be doing that instead of outsourcing their security liabilities to third parties.
A Growing Risk in a Booming Market
Crypto ETFs are attracting billions in investment, and at the same time security concerns seem to have become even more relevant. While platforms like Coinbase have done their best to establish strong security postures, the absence of large-scale insurance, the centralization of custody, and the constant menace from advanced hackers (especially North Korea) remain persistent concerns in this space.
Put another way, the combination of these factors does not bode well for future crypto-backed ETFs. If nothing is done to shake up custody practices and reassess the risks, the next time hackers come along with bigger guns, a breach could leave us in a downdraft from peak cryptocurrency.
Three years later to the month, in September 2024, with $15 billion secured in Bitcoin ETFs, the looming danger of a heist has many asking whether, this time around, the new industry will be ready.