In the 2013–2017 period, 29 hacks occurred in the Bitcoin market where a total of 1.1 million Bitcoin were stolen. Noting that the average price for Bitcoin (BTC) in December 2020 exceeded $20,000, the corresponding monetary equivalent of losses is more than $22 billion, which strongly highlights the societal impact of this criminal activity.
What did crypto exchanges do to address this problem? Nowadays, about 90% of exchanges use some kind of cold storage system, which means that digital assets are stored offline. Keeping Bitcoin offline considerably reduces the threat from hacking attacks.
Nevertheless, Jean Baptiste Su, principal analyst and technology futurist at Atherton Technology Research, highlights that in 2019, hackers stole over $4 billion, which was more than twice as much as in 2018. In fact, cyberattacks are a very serious issue that casts doubt on the security of modern blockchain-based applications in the financial industry. Of course, one can argue that thefts also occur when using traditional payment methods, such as credit cards. For instance, the Annual Fraud Statistics released by The Nilson Report documents that credit card fraud losses worldwide reached $27.85 billion in 2018.
I think it is important to point out that fraud in the market for credit cards and fraud in the cryptocurrency market are difficult to compare for at least four reasons:
- First, many more people use credit cards as opposed to cryptocurrency.
- Second, although the frequency of fraud in the market for credit cards is considerably higher, the average amount of stolen monetary equivalent per fraud is dramatically lower.
- Third, it is much more likely that credit card owners are insured by the credit card company, whereas Bitcoin users typically do not have such insurance.
- Finally, it is much more probable that the police have some chances of successfully dealing with credit card losses compared to Bitcoin thefts in cyberspace.
Hacking effects on the crypto market
To explore the question of how Bitcoin hacking incidents affect uncertainty in the overall Bitcoin market, I conducted an empirical study where I analyzed how the volatility — which in financial economics is a measure of an asset’s uncertainty — responds to hacking incidents. To do so, I used a so-called Exponential Generalized Autoregressive Conditional Heteroskedasticity model where I included binary dummy variables in the variance equation. The dummy variables measured the impact on the volatility up to five days after a hacking incident in the Bitcoin market.
In my study, I found that Bitcoin’s uncertainty in terms of volatility significantly increases. Surprisingly, I found two effects — a contemporaneous effect and a delayed effect. The volatility increases on the day of the hacking incident and then drops down to normal levels again. There is no effect between day one and day four. Then, on the fifth day after the hacking, the volatility substantially increases again. Since there are no other events that took place, the effect is most likely caused by the same hacking incident.
A possible explanation for the delayed effect could be that hacking incidents are more likely to occur at small exchanges that probably exhibit a lower level of security standards compared to larger exchanges. As a consequence, information diffusion occurs more slowly.
Another interesting finding of the study is that even other cryptocurrencies, such as Ether (ETH), do respond to hacks in the Bitcoin market. Interestingly, the volatility of Ether exhibits only a delayed effect. There is no contemporaneous effect. However, the delayed increase in volatility on day five is virtually the same as we observed for Bitcoin’s volatility.
A possible explanation for this finding could be that exchanges trade multiple cryptocurrencies at the same time, and if an exchange was hacked, thieves could steal both Bitcoin and Ether, which could be a possible explanation for volatility spillovers found in my study. Another possible explanation for this phenomenon could be that thieves are using one cryptocurrency to cash out on their theft of the other, thus shifting the demand for cryptocurrencies from Bitcoin to Ether, for instance.
What is the risk of a cyberattack in terms of the U.S. dollar?
To explore this issue, I collaborated with colleagues from the Finance Research Group and the Mathematics Research Group at the University of Vaasa. Together with Niranjan Sapkota and Josephine Dufitinema, we collected 53 hacking incidents in the Bitcoin market in the 2011–2018 period, corresponding to a total of 1.7 million stolen Bitcoin. We argue that naïve risk management may dramatically underestimate the risk of those hacking incidents.
In the study, we show that the distribution of hacking incidents is extremely fat-tailed. This means that Black-Swan-like events are more likely to occur. We found that the probability distribution of hacking incidents does not have a theoretical mean, which implies that the mean of the loss distribution is infinite. To compute an estimate of the risk due to cyberattacks in the Bitcoin market, we then employed recently proposed tools from extreme value theory, or EVT.
We showed that the shadow mean of the expected risk of cyberattacks is $59.70 million, which is definitely larger (almost two times) than the corresponding sample tail mean of $30.92 million. More specifically, the shadow mean is computed by an application of EVT and corresponds in our research context to the expected risk of cyberattacks above a certain threshold. In our study, we chose as a threshold a loss of $1 million. That means all losses due to cyberattacks that are above $1 million are treated as extreme values.
The next step in our calculation was to combine the shadow mean with the expectation of the loss distribution where we collected all losses due to cyberattacks that are less than $1 million. Combining our shadow mean with the sample mean below our chosen threshold, we calculated an overall expected loss of $24.89 million instead of $12.36 million, which is the naïve sample mean of the hacking incident data.
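The calculation described above, as an added sketch that is not code from the study: it assumes the shadow mean is built with the bounded-support (dual distribution) transform and a generalized Pareto tail, and it swaps in a Hill estimator for the tail shape. Only the $1 million threshold comes from the text; the loss figures and the upper bound `CAP` are constructed, so the output does not reproduce the study's numbers.

```python
import math

def to_dual(y, L, H):
    """Map a loss y in [L, H) onto [L, inf) so the tail can be fitted there."""
    return L - H * math.log((H - y) / (H - L))

def from_dual(z, L, H):
    """Inverse map: pull a dual-space value back into the bounded range [L, H)."""
    return H - (H - L) * math.exp(-(z - L) / H)

def hill_xi(dual_tail, L):
    """Hill estimate of the tail shape xi; xi >= 1 means no finite mean."""
    return sum(math.log(z / L) for z in dual_tail) / len(dual_tail)

def shadow_mean(xi, sigma, L, H, steps=200_000, t_max=60.0):
    """E[Y | Y > L] when the dual tail above L is GPD(xi, sigma).
    Midpoint rule over t (u = 1 - exp(-t)); the GPD quantile
    L + sigma/xi * ((1 - u)**(-xi) - 1) is mapped back by from_dual."""
    h = t_max / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * h
        z = L + sigma / xi * math.expm1(xi * t)
        total += from_dual(z, L, H) * math.exp(-t) * h
    return total

def expected_loss(losses, L, H):
    """Combine the sample mean below L with the shadow mean above it."""
    below = [x for x in losses if x <= L]
    tail = [x for x in losses if x > L]
    p_tail = len(tail) / len(losses)
    xi = hill_xi([to_dual(x, L, H) for x in tail], L)
    sigma = xi * L  # assumption: Pareto-type tail, so GPD scale = xi * threshold
    shadow = shadow_mean(xi, sigma, L, H)
    return {
        "xi": xi,
        "tail_mean": sum(tail) / len(tail),
        "shadow_mean": shadow,
        "naive": sum(losses) / len(losses),
        "combined": (1 - p_tail) * sum(below) / len(below) + p_tail * shadow,
    }

# Constructed losses in $ million (not the study's data); H is a constructed cap.
LOSSES = [0.05, 0.2, 0.4, 0.7, 0.9, 1.1, 1.3, 1.6, 2, 2.6, 3.5, 5, 8, 15, 40]
THRESHOLD, CAP = 1.0, 100_000.0

if __name__ == "__main__":
    for name, value in expected_loss(LOSSES, THRESHOLD, CAP).items():
        print(f"{name:12s} {value:10.2f}")
```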
Our findings have significant implications. For instance, our results show that standard tools used in traditional risk management can perhaps not be relied upon for making decisions.