FTX collapse offers lessons about the cyber risks of cryptocurrency investing
RACHEL MARTIN, HOST:
More fallout from the FTX crypto scandal. The former CEO Sam Bankman-Fried is under investigation for financial crimes. But he and his lawyers, meanwhile, are also making allegations about hackers pilfering customers' digital cash. NPR cybersecurity correspondent Jenna McLaughlin is here to explain. Hey, Jenna.
JENNA MCLAUGHLIN, BYLINE: Hey there.
MARTIN: So this scandal has gotten so big, I understand, that investors are suing big names - Tom Brady and Steph Curry. What?
MCLAUGHLIN: Yeah, it's pretty wild. To summarize, Sam Bankman-Fried, in 2018, he created what's called a cryptocurrency exchange, which is a place to trade, exchange, buy, sell different forms of cryptocurrency like Bitcoin. And it quickly got really popular, including with celebrities. But Fried also had this second company, Alameda Capital, which was his own, personal trading firm. The investigation, of course, is still ongoing. But what's been alleged is he took money from investors in FTX. And he used it to trade with through Alameda and lost it.
MARTIN: OK. But draw the connection for me, Jenna. What does this have to do with cybersecurity? Is anyone accusing anyone else of stealing funds besides the founder?
MCLAUGHLIN: Yeah, that's actually where things get a little bit tricky. Bankman-Fried and his lawyers have alleged that it's not just FTX's mistakes that have left investors with empty pockets. They say that there's also been a breach after they declared bankruptcy and that they've hired a cybersecurity firm to investigate. Though, I'm not sure which one. Most recently, Bankman-Fried has changed his tune a little bit. During a live interview with The New York Times Wednesday night, he said he believes some money was seized by Bahamian and U.S. authorities. But he still alleged that an unknown third party took the rest. Regardless of whether hackers took the money, though, it is true the cryptocurrency exchanges are pretty vulnerable to cyberattacks.
MARTIN: So explain why. And shouldn't that be quite troublesome?
MCLAUGHLIN: Yeah, absolutely. That does create some confusion, because you've probably heard of this thing called a blockchain...
MCLAUGHLIN: ...Which is a secure record of digital transactions that can't be altered. But once you move your money to exchanges, rather than keeping it safe in your virtual wallet, that's where the danger comes. So I spoke to Megan Stifel. She's the chief strategy officer for the Institute for Security and Technology. And she's testified about this topic for Congress. Here's how she put it.
MEGAN STIFEL: Not being a regulated space or commonly regulated space, there isn't this kind of - as there is in the financial services sector, per se, more broadly - requirements around cybersecurity.
MCLAUGHLIN: And she said that that has led to some pretty big breaches in the past. For example, in October, one of the biggest exchanges, Binance, reported potential losses of up to half a billion dollars after a hack.
MARTIN: So when all this settles - and it may be a while before it does, with all these charges and allegations - do you believe, Jenna, based on your reporting, that all this is going to inspire new cybersecurity requirements?
MCLAUGHLIN: So my source, Megan Stifel, said that she thinks it's too soon to say, especially since we don't know if a breach happened here. Like you mentioned, it could be a while before we get answers. But she said that it might be a chance for lawmakers or other countries - FTX is in the Bahamas, for example - to think about how existing regulations might apply to cryptocurrencies. Even so, it's not a total disaster as is for investigators because there are a lot of tools in place to investigate these kinds of crimes that already exist. Cybercriminals, for example, often think that cryptocurrency is really anonymous, when in reality, that blockchain that I mentioned earlier does actually record every transaction. Plus, the process of actually turning virtual currency into cash isn't always so easy.
MARTIN: Right. NPR cybersecurity correspondent Jenna McLaughlin. Thanks.
MCLAUGHLIN: Thank you. Transcript provided by NPR, Copyright NPR.