PYMNTS Crypto Basics Series: How To Lose Your Crypto Without Being Hacked
Bitcoin, blockchain and cryptocurrency are words that most people have at least heard of since the industry exploded into the mainstream public consciousness in 2021.
Over the course of this series of articles, we’ll be delving into the basics of the industry, providing an introduction to crypto that will give you a solid grounding in the technology and a lexicon for its terminology — cryptographers should never be allowed to name anything the public will eventually need to know — in short, enough to understand what people are talking about and decide if you want to learn more.
See the series:
PYMNTS Crypto Basics Series: What’s a Blockchain and How Does It Work?
PYMNTS Crypto Basics Series: What’s a Consensus Mechanism and Why Is It Destroying the Planet?
How many ways can you lose crypto without being robbed or scammed?
Plenty, actually. Some of them have to do with the way the “cryptography” part of cryptocurrency works, others with the type of security used to store cryptocurrencies, and still others to fact that a cryptocurrency transaction cannot be halted or reversed.
Let’s start with this: You cannot send bitcoin to an invalid wallet address.
There are plenty of stories circulating about someone who typed a character wrong and sent his crypto off into the abyss. That’s sort of an old wives’ tale based on people assuming you can send crypto to an invalid — non-existent — account. But it doesn’t work that way.
Why? Because cryptographers have gone to great lengths to prevent that from happening. Crypto wallet addresses are 32-character strings of numbers and letters. If a person makes a typo and hits send, nothing will happen — other than getting an error message that more or less says “Try again, fat thumbs.”
Why that happens is that when the wallet tried to connect to the address specified, it couldn’t be found, so the system refused to process it. Thus, the chances of making a mistake that send funds to an existing account are small enough not to exist outside of a textbook explaining that it might happen.
Now, if that wallet holder misplaces a decimal point in the amount they’re sending, or doesn’t pay attention to what they’ve typed in…
Let’s travel back to Nov. 4, 2020.
A player of the blockchain-based game Wallem bought an NFT that gave him the rights to any “skin” sold in the game that made the game’s avatar look like YouTube star PewDiePie. At the time, PewDiePie had endorsed the game, for 60 ether — about $25,000— on the top NFT marketplace OpenSea. A few hours later this player received an acquisition request that popped up on his phone. While he was driving.
He saw something with “1” in it and just hit “yes.”
He soon realized the dangers of texting while driving.
“Afterwards I received an email with ‘Congratulations! You sold your NFT PewDiePie for 1 [ether],’” he said. “I started screaming and called a friend of mine, a blockchain expert, crying.”
Adding insult to injury, the NFT in question came with the right to the funds raised by selling other PewDiePie skins in the game. An hour after the sale, royalties of roughly $1,200 worth of the game’s token was sent to the new NFT owner.
No do-overs
The way a blockchain works is that once information is added to it, it cannot be changed or erased. Transactions are immutable.
See also: PYMNTS Crypto Basics Series: What’s a Blockchain and How Does It Work?
The only way for a transaction to be reversed is by asking the recipient to give it back. Of course, that assumes there is a way to contact the recipient.
In the case like the one above, the market or exchange might have been able to contact the buyer who signed up for an account on the site. But since AML-based customer identification capabilities are something new, it’s not certain the exchange had any information. Besides, the person bought it fair and square.
There is a way to contact the recipient of a transaction by sending another, presumably very small, amount of crypto to them with a message embedded — it’s how the hacked Poly Network platform corresponded with the hacker who eventually gave back its $612 million. But only fairly crypto-savvy people even know this exists and how to do it.
See more: PYMNTS Crypto Crime Series: The $612 Million Heist That Wasn’t
As we’ve discussed elsewhere, cryptocurrency transactions are not anonymous — every one is recorded on the publicly viewable blockchain — but they are pseudonymous. That means all anyone knows about the person is their public key address with no name attached.
Read more: PYMNTS Crypto Crime Series: When Privacy Counts, Crypto Users Turn to Mixing Services
Experts and law enforcement can trace transactions, but it’s a long, expensive process and still counts on lucking out by finding a related transaction that leads to an identity. That would be a bank account that received the proceeds of selling or a web post with a digital wallet address and an email address posted so long ago the person forgot about it. The alleged Bitfinex hackers just arrested were traced by the purchase, with bitcoin, of a $500 Walmart gift card, prosecutors have said.
Losing your keys
There is another way to lose crypto — something that many more people may be the victim of.
Bitcoin or any other cryptocurrency has two codes: one public and one private. If one loses the private code, that crypto is literally gone. When crypto projects want to destroy some cryptocurrency — for example, to reduce the total supply in an attempt to increase demand and price, they send it to an address with no private key recorded. That’s called “burning” it, because that’s how effective it is.
If a crypto wallet is kept on a reputable exchange, it’ll have two-factor authentication (2FA) tech support. If it’s a hardware or software wallet, it will have a passcode, just like a bank account app. But, if you lose that code, the wallet will likely have a much longer recovery passphrase, also known as a seed code. These work much like resetting the password to a bank account, except instead of answering a security question like the name of your high school, it’s a string of 12- 25 randomly selected, randomly ordered words. Use it and you can recover your crypto just as you can regain access to your bank account.
But remember, there’s no help desk. Lose that seed code and you are done. There’s no other way into the wallet, and the crypto is lost. Equally, anyone who learns that seed code can essentially reset the passcode to your crypto wallet, meaning don’t type it into your iPhone’s Notes app. Write it down, and put it somewhere safe. Depending on how much is in the wallet, that could be a desk drawer or a bank safety deposit box.
That said, the scams are legion — particularly “give back” scams, where someone offers to send back twice as much cryptocurrency as they are asking to be sent. If you remember the great Twitter hack that took over more than 100 high-profile and verified accounts such as Elon Musk and Joe Biden, they all had a message saying they were “giving back to the community” and would return funds doubled — but only for a half hour.
Steve Wozniak sued YouTube for failing to take down these sac ads using his name, picture and even videos claiming to be “live” interviews.
Read here: Bitcoin Daily: YouTube, Ripple Reach Settlement Over XRP Lawsuit
One thing to highlight: when buying or downloading a hardware or software crypto wallet, make sure it’s the real thing. Only use wallets made by a legitimate company — a little Googling will suffice — and make sure that you’re actually getting the real thing. So only download a software wallet or buy a hardware wallet from the maker directly or a VERY reputable distributor that does not have independent sellers on its site. There are plenty of forgeries floating around.
Not your keys, not your crypto
That phrase, “not your keys, not your crypto” is an old industry-insider warning about keeping too much cryptocurrency on an exchange wallet. In most of these, the private keys that governs crypto transactions are held by the exchange — they have to get it back to you, after all. The story of the QuadrigaCX exchange, retold in our crypto crime series, says it all.
Read more: PYMNTS Crypto Crime Series: The Tale of QuadrigaCX, Canada’s Longest Crypto Ponzi Scheme
While some of the top exchanges like Coinbase and Gemini have state-of-the-art custody facilities and private insurance policies, there is no FDIC insurance on crypto accounts. That Bitfinex case where the feds just recovered $3.6 billion stolen in 2016? Yeah, you’ll note that it was stolen in the first place.
It’s not just exchanges, either. That $612 million Poly Network hack was a blockchain bridge that allowed people to put one cryptocurrency into custody to borrow another. The funds in custody were what was (briefly) stolen.
REead this: PYMNTS DeFi Series: What Is DeFi?
Everything here applies doubly to decentralized finance, or DeFi, projects. There’s no human central authority, only smart contracts that can be hacked or have exploitable safety flaws. And there’s no one to complain to or advocate to get money back.
Smart and stupid
Self-executing smart contracts are at the core of everything blockchain except for straight currency replacement cryptos like bitcoin and Litecoin. Everything else — all of DeFi, all of blockchain gaming, all of the metaverse, all of supply chain management blockchain — is run by smart contracts.
Also read: PYMNTS DeFi Series: What Is a Smart Contract?
At their core they are “if this, then that” agreements, with the payment loaded into the contract when it is created. That is the core of all computer coding, so smart contracts can be very complex.
But they are also very literal. Phrase something wrong in the wording of the contract agreement and it may pay at the wrong time, under the wrong circumstances, or not at all. And if the contract doesn’t have an expiration date, funds locked into it may be gone for good. There’s a whole new field of law growing in this specialty.
Finally, if you decided to buy a few dozen bitcoins when they were selling for $50, don’t talk about it. As the tech-head cartoon XKCD famously pointed out, no level of encryption can defeat a $5 wrench.