Cryptocurrency assets now top $1.5 trillion globally, attracting a wave of cyber crime.

Cybertheft of assets held in Bitcoin and other cryptocurrencies is escalating. It’s a target-rich environment: Cryptocurrency assets now top $1.5 trillion globally. The rise in Bitcoin prices this year and the heightened interest in cryptocurrencies from large institutions announcing their intentions to deal in these new currencies have raised the stakes. As more mainstream businesses find themselves drawn into cryptocurrency transactions, security and insurance coverage issues will have to be taken into account.

In addition to targeting individuals, recent thefts of cryptocurrency executed by hackers have gone after companies in finance, energy and other industries. An alert published last summer by the Cybersecurity and Infrastructure Security Agency (CISA) warned that “North Korea’s widespread international bank robbery scheme that exploits critical banking systems may erode confidence in those systems and presents risks to financial institutions across the world.”

FBI, CISA and Treasury Department Warnings About “AppleJeus”

In an advisory issued on February 17, 2021, the Federal Bureau of Investigation, together with CISA and the Department of Treasury, highlighted the threat to cryptocurrency posed by North Korea’s “AppleJeus” code exploit. These actors, according to the report, “are targeting cryptocurrency exchanges and accounts to steal and launder hundreds of millions of dollars in cryptocurrency.” There are variations on the scam, but a common tactic uses a copy of a legitimate-sounding cryptocurrency trading platform or “wallet” to steal credentials and other vital information from victims in the United States and elsewhere. According to the advisory, this scam has targeted organizations for cryptocurrency theft in more than 30 countries during the past year alone. It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea – the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts.

Another malware trap involving cryptocurrencies is a program known as “Union Crypto trader.” According to CISA’s analysis, “The program … loads a legitimate-looking cryptocurrency arbitrage application – defined as ‘the simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms to take advantage of differing prices for the same asset’ – which exhibits no signs of malicious activity. … When launched, it collects the victim’s host information … , combines the information in a string that is MD5 hashed and stored in the auth signature variable before exfiltration, and sends it to a C2 website.”

What to Do: Mitigation Techniques and Insurance Coverage

According to CISA’s February 17 advisory, companies impacted by the exploit should make immediate contact with law enforcement, along with taking a number of technical steps outlined in detail therein. CISA also recommends these “Pro-Active Mitigations”:

• Verify the source of cryptocurrency-related applications.

• Use multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.

• Use custodial accounts with multifactor authentication mechanisms for both user and device verification.

• Patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.

• Consider having a dedicated device for cryptocurrency management.

Insurance Considerations

Insurance markets are rolling out dedicated insurance products specifically meant to cover cryptocurrencies. Substantial limits may be available for businesses with assets in cold storage (under a specie policy) or assets in hot wallets.

Cold storage refers to cryptocurrency that is kept secure using offline storage, not connected to the internet. This will typically will involve a hardware device, but it could also include private keys written on a piece of paper and kept in a safe. Specie policies were originally created to cover things such as precious metals, diamonds or currency, kept in bank vaults. The coverage has been innovated in recent years to provide similar protection for crypto assets in cold storage. Large cryptocurrency exchanges and custodians may secure this coverage on their own behalf for client assets. Cryptocurrency custody and trading platform BitGo, for example, has reported that it maintains $100 million in specie coverage.

Crime policies are typically used to cover assets in hot wallets, which is to say assets that are available online, via the internet. Crypto exchange Coinbase reported in 2019 that it had secured $255 million in coverage for hot wallet assets, placed through Lloyds syndicates.

Individual corporate policyholders who custody their own cryptocurrency may also have coverage under their dedicated cyberinsurance and commercial crime coverage policies, as well as potentially under personal lines insurance policies. However, this is not an absolute certainty, and any company that has a position in crypto assets and intends to use self-custody should carefully review their own policies and determine whether their risk-management philosophy makes a third-party custodian with well-developed security protocols and coverage in place a safer approach, albeit one that provides less control over the assets themselves.

While some insurance companies have taken the position that cryptocurrency is not “personal property” subject to coverage, this argument is contrary to established principles of insurance policy interpretation. Questions may also arise regarding valuation of a loss and the amount to be reimbursed – that is, whether at the spot price of the currency at the time of the loss, the time of acquisition, or the time the claims payment is made. Here, the correct position may turn on facts, circumstances and policy language, but given the volatility in crypto markets, reaching the right answer is ever more important for a policyholder who has suffered a significant loss.

As with all insurance products, review the fine print and work with a seasoned insurance broker. Certain insurance companies will not hesitate to apply the fine print in a manner that frustrates, if not completely undermines, the whole point of purchasing the insurance in the first place.

Print:
EmailTweetLikeLinkedIn
Photo of Joshua Gold Joshua Gold

Joshua Gold is a shareholder in Anderson Kill’s New York office and chair of Anderson Kill’s Cyber Insurance Recovery Group. He regularly represents policyholders in insurance coverage matters and disputes concerning arbitration, time element insurance, electronic data and other property/casualty insurance coverage issues. 

Photo of Stephen Palley Stephen Palley

Stephen D. Palley is a partner in the Washington, D.C. office of Anderson Kill. He is co-chair of the firm’s Technology, Media and Distributed Systems Group and a member of the Insurance Recovery Group.