Category Archives: Risk Management

File Your Beneficial Ownership Information Report

Found in the nearly 1,500-page National Defense Authorization Act of 2021 is the 21-page Corporate Transparency Act (“CTA”), 31 U.S.C. § 5336.  The CTA currently requires most entities incorporated or doing business under State law to disclose personal stakeholder information to the Treasury Department’s criminal enforcement arm, the Financial Crimes Enforcement Network (“FinCEN”), including the reporting company’s Tax ID number and the date of birth, government identification number and copies of government identification documents of all beneficial owners and company state formation applicants (collectively a Beneficial Ownership Information Report or “BOI Report”).

According to Congress, this law is intended to prevent financial crimes such as money laundering and tax evasion committed using shell corporations.  The relevant Constitutional question recently put before an Alabama federal court was whether Congress’ broad powers to regulate commerce, oversee foreign affairs and national security, and impose taxes and related regulations were enough to power such a massive information grab. 

In a 53-page opinion, Judge Liles C. Burke of the Northern District of Alabama answered this question in the negative and struck down the CTA as unconstitutional.  See Mem. Op. at 3 (“Because the CTA exceeds the Constitution’s limits on the legislative branch and lacks a sufficient nexus to any enumerated power to be a necessary or proper means of achieving Congress’ policy goals, the Plaintiffs are entitled to judgment as a matter of law.”).   As recognized by Judge Burke, there was no comparable State or federal law to the CTA.  Mem. Op. at 35.

As a result of Judge Burke’s March 1, 2024 ruling, which began its appellate journey on March 11, 2024, all the plaintiffs in that case are for the time being exempt from filing a BOI Report, including the over 65,000 businesses and entrepreneurs located in all 50 states who are members of Plaintiff National Small Business Association (“NSBA”).  As for everyone else who may be a Reporting Company, the CTA very much still applies.

By way of background, FinCEN issued a final rule implementing the CTA on September 29, 2022 and made that rule effective as of January 1, 2024.  87 Fed. Reg. 59498.  Because only the plaintiffs in the Alabama action are safe from the CTA’s reporting reach, all other businesses operating in the United States that are considered Reporting Companies will have to comply with the Rule.

More specifically, the CTA requires disclosures from “reporting company[ies],” defined as “corporation[s], limited liability company[ies], or other similar entit[ies]” that are either “(i) created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe, or (ii) formed under the law of a foreign country and registered to do business in the United States.” 31 U.S.C. § 5336(a)(11)(A). The CTA exempts twenty-four kinds of entities from its reporting requirements, including banks, insurance companies, and entities with more than twenty employees, five million dollars in gross revenue, and a physical office in the United States. 31 U.S.C. § 5336(a)(11)(B).  In other words, this statute not only targets shell companies involved in criminal conduct or fraud, it expressly hits most small business owners in the country as well.

“FinCEN estimates that there will be approximately 32.6 million reporting companies in Year 1, and 5 million additional reporting companies each year in Years 2–10.”   87 Fed. Reg. at 59549. The CTA requires these millions of entities to disclose the identity and information of any “beneficial owner.” 31 U.S.C. § 5336(b)(1)(A). A beneficial owner is defined as “an individual who . . . (i) exercises substantial control over the entity; or (ii) owns or controls not less than 25 percent of the ownership interests of the entity,” with some exceptions for children, creditors, and a few others. 31 U.S.C. § 5336(a)(3).

For entities formed or registered to do business in the United States on or after January 1, 2024, the CTA requires disclosure of the identity and information of both Beneficial Owners and “Applicants,” defined as “any individual who files an application to form a corporation, LLC, or other similar entity under the laws of a State or Indian Tribe; or registers [a foreign entity] to do business in the United States.” 31 U.S.C. § 5336(a)(2).  Such filings must be made within 90 days of the relevant state filing, and companies formed or registered in the United States prior to January 1, 2024 have until year end (January 1, 2025) to file their initial report.

Reporting entities must give FinCEN a Beneficial Owner or Applicant’s full legal name, date of birth, current address, and identification number from a driver’s license, ID card, or passport. 31 U.S.C. § 5336(a)(1), (b)(2)(A).   Under the final rule, reporting entities are also required to submit an image of the identifying document. 31 C.F.R. § 1010.380(b)(1)(ii)(E). If any of that information changes, the reporting company must update FinCEN, 31 U.S.C. § 5336(b)(1)(D), and FinCEN retains Applicant and Beneficial Owner information on an ongoing basis for at least five years after the reporting company terminates. 31 U.S.C. § 5336(c)(1).  Determining whether someone is a Beneficial Owner can be somewhat difficult given it requires a determination of who “has substantial influence over important decisions made by the reporting company”, among other potentially vague criteria.  31 C.F.R. § 1010.380(d)(1)(i)(C).

A willful provision of false or fraudulent beneficial ownership information or failure to report “complete or updated beneficial ownership information to FinCEN” by “any person” is punishable by a $500 per day civil penalty and up to $10,000 in fines and 2 years in federal prison, 31 U.S.C. § 5336(h)(1), (3)(A); a knowing and unauthorized disclosure or use of beneficial ownership information by “any person” is punishable by a $500 per day civil penalty, along with a $250,000 fine and 5 years in federal prison, 31 U.S.C. § 5336(h)(2), (3)(B); and a knowing and unauthorized use or disclosure while violating another federal law “or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period” by “any person” is punishable with a $500,000 fine and 10 years in federal prison, 31 U.S.C. § 5336(h)(3)(B)(ii)(II).

As recognized by Judge Burke, “[t]he ultimate result of this statutory scheme is that tens of millions of Americans must either disclose their personal information to FinCEN through State-registered entities, or risk years of prison time and thousands of dollars in civil and criminal fines.”  Mem. Op. at 8.  Given the importance of this information, FinCEN already compels banks and other financial institutions to obtain nearly identical information from State entity customers and provide it to FinCEN.  

More specifically, FinCEN’s 2016 Customer Due Diligence rule requires “covered financial institutions” to “identify and verify beneficial owners of legal entity customers.” 31 C.F.R. § 1010.230(a).   As with the CTA, this rule defines a “legal entity customer” as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account,” unless the entity fits into one of sixteen exemptions, eight fewer than the CTA exemptions. 31 C.F.R. § 1010.230(e)(1)-(2).

The CDD rule also defines beneficial owners in the same manner: “Each individual . . . who owns, directly or indirectly, 25 percent or more” of the entity; has “significant responsibility to control, manage, or direct a legal entity,” including “(e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer)”; and “[a]ny other individual who regularly performs similar functions.”  31 C.F.R. § 1010.230(d)(1)-(2).

In other words, FinCEN’s CDD rule and the CTA provide FinCEN with nearly identical information.  The CTA itself acknowledges the similarity. See 31 U.S.C. § 5336(b)(1)(F) (requiring the Secretary of the Treasury to promulgate regulations that “collect [beneficial owner and applicant] information . . . in a form and manner that ensures the information is highly useful in . . . confirming beneficial ownership information provided to financial institutions.”).  See also Pub. L. 116-283 § 6402(6)(B) (134 STAT. at 4604 – 4605) (“It is the sense of Congress that . . . [collection of] beneficial ownership information . . . [will] confirm beneficial ownership information [already] provided to financial institutions.”).

According to FinCEN’s compliance with the Paperwork Reduction Act of 1995: “The estimated average burden associated with this collection of information from Reporting Companies is 90 to 650 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively. The estimated average burden associated with Reporting Companies updating information previously provided is 40 to 170 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively.”

Given that the appellate route will likely take well over a year to resolve, and that the NSBA plaintiffs no longer have an injury to adjudicate that might otherwise have expedited an appeal, business owners should take the CTA at face value and comply with FinCEN’s implementing regulations.

The NFT Growth Tax

Between Amazon launching its NFT marketplace next month (tentatively called the “Amazon Digital Marketplace”), Sotheby’s already-launched high-end secondary marketplace for “digital artwork”, and Christie’s launching last year its Christie’s 3.0, a platform allowing for fully on-chain sales that demonstrates “the auction house’s commitment to both artists and collectors in the Web3 space”, programmable digital assets/NFTs are simultaneously entering both ends of the mainstream market.

Probably the most important takeaway from such broad initiatives turns on the fact that foundational brands have decided to supplant the prior NFT free-for-all initiated by PFP projects, artists and collectors.  Despite potentially risking the same fate as Dapper Labs, Amazon will rely on a private blockchain that takes credit cards, while Sotheby’s eliminates “NFTs” from the equation altogether to focus on what it calls “digital artwork” even though digital art has already been around for decades.  What is clear is that Amazon’s use of its own “brand worthy” naming convention, “Amazon Digital”, elevates rather than hinders this new ecosystem.

Being swept aside by this establishment wave is OpenSea, the newly displaced old guard and wild-west pioneer that likely never contemplated insider trading as a risk until a former OpenSea manager was recently convicted of it.  Not surprisingly, OpenSea offloads tax obligations and refers its users to CoinTracker for tax calculations.  OpenSea even explicitly points out to users of the marketplace that “[y]ou are responsible for determining what, if any, taxes apply to your purchases, sales, and transfers of NFTs. If you have specific questions regarding taxes, please consult with a professional tax advisor.”  OpenSea’s sole Help Center entry regarding taxes further drives home the point:  “Users are responsible for determining what, if any, taxes apply to their purchases, sales, and transfers of NFTs. If you have questions about taxes, please consult with a professional tax advisor.”

In sharp contrast, the government is certainly rooting for reliable tax collectors such as Amazon, Christie’s and Sotheby’s to enter the NFT sandbox.  Since 2018, when the Supreme Court overruled decades of precedent in South Dakota v. Wayfair, taxation of online sales no longer depends on physical presence within a particular state.  The new guard will create the proper recipe for mass profitable usage, namely removing the tech-geek elements, improving user interfaces, adding brand allure, keeping government happy and remaining on the right side of the regulatory fence.

As Grace Kyne of EY informed attendees at the April 13, 2023 NFT.NYC session “NFTs and Marketplaces: Opening Pandora’s Box”, there are state-specific marketplace facilitator rules that make most marketplaces subject to state tax.  Not surprisingly, Amazon is front and center in pointing that hard fact out to its market participants: “Marketplace Facilitator legislation is a set of laws that shifts the sales tax collection and remittance obligations from a third party seller to the marketplace facilitator. As the marketplace facilitator, Amazon will now be responsible to calculate, collect, remit, and refund state sales tax on sales sold by third party sellers for transactions destined to states where Marketplace Facilitator and/or Marketplace collection legislation is enacted.”

In other words, pushing digital asset sales to Amazon is really every state treasurer’s dream.

This should not come as any surprise.  Ever since the 2019 tax year, IRS Form 1040 has included a question regarding a taxpayer’s cryptocurrency activity. In 2021, the IRS slightly broadened the scope of its inquiry:  “At any time during 2021, did you receive, sell, exchange, or otherwise dispose of any financial interest in any virtual currency?”  In 2022, the scope of the latest IRS Form 1040 broadened yet again: “At any time during 2022, did you: (a) receive (as a reward, award, or payment for property or services); or (b) sell, exchange, gift, or otherwise dispose of a digital asset (or a financial interest in a digital asset)?”

In other words, the IRS expressly seeks disclosure of all digital asset transactions and not merely those involving cryptocurrencies.  The IRS now wants to know about a taxpayer’s NFT sales and any income generating activities where digital assets are received as payment.  On April 5, 2023, the IRS released its IRS Tax Tip 2023-45 which elaborated on this new position regarding a taxpayer’s obligation to report digital asset transactions – including citation to applicable supplemental forms.  By informing taxpayers of their new obligations – by way of tax forms and “tax tips”, it becomes increasingly difficult for them to argue any lack of knowledge on the topic.   The easiest approach will always be one which just assumes all realized digital asset gains are taxable.   

And, to the extent there was any ambiguity regarding more specific tax treatment of NFTs, that might soon evaporate given the IRS – in its March 13, 2023 Notice 2023-27, seeks to classify most NFTs as “collectibles” – a lesser form of asset for purposes of capital gains and other tax purposes.

Specifically, Notice 2023-27, which seeks comments before June 19, 2023, announces the IRS’s and Treasury’s intention to issue guidance as to whether certain NFTs are “collectibles” under Internal Revenue Code Section 408(m).  Currently, the only available categories of “collectibles” under this section are:  “(A) any work of art, (B) any rug or antique, (C) any metal or gem, (D) any stamp or coin, (E) any alcoholic beverage, or (F) any other tangible personal property specified by the Secretary for purposes of this subsection.”  See 26 U.S.C. § 408(m)(2).  The IRS recognizes that NFTs do not presently constitute any of the above, including “art”, given an NFT is not the art itself: it is an on-chain token whose metadata points to the actual digital file, typically stored on IPFS and fetched through a gateway such as Pinata.  Moreover, Section (F) expressly references “tangible personal property”, so that catchall also does not squarely fit.

While waiting for comments, the IRS will deploy a “look-through” analysis:  “Under the look-through analysis, an NFT constitutes a section 408(m) collectible if the NFT’s associated right or asset is a section 408(m) collectible. For example, a gem is a section 408(m) collectible under section 408(m)(2)(C), and therefore an NFT that certifies ownership of a gem constitutes a section 408(m) collectible. Similarly, an NFT does not constitute a section 408(m) collectible if the NFT’s associated right or asset is not a section 408(m) collectible. For example, a right to use or develop a “plot of land” in a virtual environment generally is not a section 408(m) collectible, and therefore, an NFT that provides a right to use or develop the “plot of land” in the virtual environment generally does not constitute a section 408(m) collectible.”  See IRS Notice 2023-27.

It is not clear whether the “look-through” approach would be limited to an underlying physical asset tied to the NFT or whether it might include potential money-generating components of an NFT.  More than likely, however, the relevant IRS section could not be broadly interpreted to include future gains unrelated to specific associated assets.  Moreover, earning rewards by way of an NFT should not be taxable given rewards are generally treated as a rebate or discount on purchases – that should be treated no differently than frequent flyer miles.

The lesson learned for businesses seeking to grow NFT adoption is that market validation and future growth opportunities are now inevitable given the tax hounds have gotten the scent.  To the extent there were any previous regulatory barriers to growth opportunities, those will be lifted so long as the government gets its take.

NFT vs. FTX

Fine art NFTs slowly but surely prop up blockchain technology while also moving the nascent Digital Fine Art movement – like popcorn placed in a Raytheon microwave oven but in a less pedantic manner.  On November 16, 2022, a burning question for NFTs is whether the unfolding FTX disaster advances or hinders their cause.

Over 230 years ago, Courts recognized that fraud taints everything it touches.  Snyder v. Findlay, 1 N. J. Law (Coxe) 48, 51 (1791).  Notwithstanding the good intentions of respected celebrity endorsers Larry David, Tom Brady and Stephen Curry, the fraudster Sam Bankman-Fried – now derided as “Sam Bankrun-Fraud”, incredibly avoided internal detection by stealing and hiding funds using his own personal backdoor software tool.  By trading client assets, his massive fraud did the exact opposite of what his firm contractually promised clients as a condition of FTX’s custody. 

Bankman-Fried’s fraud has become a major contagion in the crypto world; some are even positioning FTX as Exhibit “A” in their case against crypto adoption.  Despite the pernicious nature of the fraud, there remains underlying positive news given FTX’s failures shine a light on why NFTs will continue having a long and impactful run and why their decentralized nature will eventually become baked into most financial assets.  Indeed, the term “NFT” will hopefully disappear from our vernacular given the underlying technology’s future ubiquity.  Literally no one cares how “Hypertext Transfer Protocol Secure” works so long as the “https” before a website address gets the job done.  Similarly, few really care about the technology behind a “non-fungible token”.   Owners only care about having transferable digital property self-containing proof of ownership, verifiable uniqueness and programmable contract attributes.

The FTX debacle immediately and adversely impacted NFT markets because NFTs are purchased and sold using cryptocurrencies, most of which took a major hit beginning on November 2, 2022, the publication date of CoinDesk’s exposé on FTX.  And, with Solana’s SOL emerging as the worst-performing crypto asset, losing over 41% of its value given FTX was an important backer of the network, several Solana NFT marketplaces, namely Magic Eden and Solanart, felt an even greater FTX sting than other NFT marketplaces.

Despite the fact NFT sales remain on a slow mass adoption cycle, as of November 16, 2022 OpenSea alone still had nearly $33 billion in total NFT trades.  NFTs are well beyond the proof-of-concept stage but mass adoption will continue a slow journey given the constant press assaults.  For example, in a May 3, 2022 Wall Street Journal hit piece suggesting that it may be “the beginning of the end” for NFTs, Zach Friedman, co-founder and chief operating officer of crypto brokerage Secure Digital Markets, is quoted as saying:  “The ones that continue will be utility-focused for sure.” 

That perspective is both correct, since utility is an intrinsic feature of all NFTs, and wrong, given it raises the question:  Since when does fine art ever need additional utility for it to gain status as “fine art”?  Utility is always found in great art simply by way of the aesthetic utility derived.  As of the same month as the WSJ article, May 2022, collectors had sent over $37 billion to NFT marketplaces, putting them on pace to beat the total of $40 billion sent in 2021.  Even though the vast majority of these transactions are not for fine art NFTs, the disrespect shown today for Digital Fine Art remains no different than that shown to cubist art in 1910.

At the 1913 Armory Show in New York City, the most famous collectors of modern art originally shunned what they saw.  Indeed, after the show travelled to Chicago, members of the Art Institute of Chicago – the first museum brave enough to display these works, burned mock-Matisse and Picasso effigies on the museum’s steps. Today, the Art Institute of Chicago proudly hangs over five hundred important works created by Matisse and Picasso.  History will always have an uncanny way of repeating itself.

At an Art Basel panel discussion, Esther Kim Varet, owner of the L.A. and Seoul gallery Various Small Fires, reportedly let the cat out of the bag as to why Digital Fine Art runs against the grain of the fine art world: “There are a lot of barriers and it feels exclusive once you get in. And I fear that the more pricing transparency there is … we’re going to have to invent new ways to create this aura of exclusivity or privilege. Not that those things are things that we should value but it’s just kind of what the art world is built on.”

In other words, pricing opaqueness is positioned as a virtue of the art world community.  Not surprisingly, the pricing transparency and documented provenance inherent in Digital Fine Art in the form of NFTs in some ways run counter to this view of the art world.   While the actual art in Digital Fine Art provides utility plain and simple, the programmable nature of the smart contracts used in NFTs provides a world of opportunity for collectors and artists. Such underlying contractual rights can create a lifetime relationship between collector and artist, one with ties to direct interactions removed from any centralized control.  More to the point, fine art galleries and dealers can readily join in this new form of relationship.  Ultimately, the only barriers to the heights Digital Fine Art can achieve are a lack of imagination and a fear of the unknown.

UPDATE: December 13, 2022

On December 13, 2022, the SEC filed civil charges against Bankman-Fried. The complaint alleges he “orchestrated a years-long fraud to conceal from FTX’s investors (1) the undisclosed diversion of FTX customers’ funds to Alameda Research LLC, his privately-held crypto hedge fund; (2) the undisclosed special treatment afforded to Alameda on the FTX platform, including providing Alameda with a virtually unlimited “line of credit” funded by the platform’s customers and exempting Alameda from certain key FTX risk mitigation measures; and (3) undisclosed risk stemming from FTX’s exposure to Alameda’s significant holdings of overvalued, illiquid assets such as FTX-affiliated tokens.”

In parallel actions, the U.S. Attorney’s Office for the Southern District of New York and the Commodity Futures Trading Commission also announced their own charges against Bankman-Fried.

Given that he was about to testify before Congress, the timing of the SEC and CFTC actions is not nearly as important as that of the criminal indictment. In effect, the DOJ has prevented a potential treasure trove of wholly admissible statements from being elicited. Now that he has been indicted and arrested in the Bahamas, lawyers will be the only ones talking for money-runner SBF. That’s too bad.

Another Day, Another Phishing Exploit Seeking NFTs

On July 15, 2022, several of DeeKay Kwon’s Twitter followers were the latest victims of scammers feasting in the NFT space.  DeeKay is an animator and part of a growing number of innovative artists developing the Digital Art Movement spurred on by NFTs.  One of DeeKay’s admirers is Calvin Cordozar Broadus Jr., also known as Snoop Dogg, also known as Cozomo de’ Medici, who acquired DeeKay’s “Life and Death” for “$1m USD, or 310 ETH.”  According to this very important art collector, “all of this [NFT profile picture] mania is bringing massive attention to NFT. And when they come in for an azuki, punk, bored ape, or their choice of “culture token” . . . But then stumble across an @XCOPYART, a @fewocious, a @deekaymotion . . . That’s when one realizes the true power DIGITAL art can have, beyond any traditional art they have ever seen before.”

DeeKay reported his Twitter account was hacked and that “the hacker has been tweeting a fake mint site.  I reacted to it ASAP and spread the word but could not stop the damage in time.”  An unknown number of DeeKay’s over 179,000 followers clicked on a phishing link in a fake Tweet that purportedly brought them to a new collection from the artist.

According to DeeKay, “[t]he fake mint site was made two weeks prior, 100% copied my original website. I assumed he studied my time when I am inactive too.”   While trying to claim the purported free NFTs on the fake site, victims instead approved transactions granting the scammer access to their wallets and allowing the removal of various digital assets. It is not yet fully known how many NFTs or other crypto assets were stolen from DeeKay’s Twitter followers.  Most reports currently peg the number at $150,000 worth of digital assets.

DeeKay has been trying to “work something out” with those who have been scammed.  For example, one victim was gifted “something special” by DeeKay to “help ease” his loss.  Interestingly, DeeKay recognizes the problem with reimbursing victims given that it “also encourages hackers to keep doing their thing since I am the one covering the mess. Part of me says reimbursement should not be a standard way to react, and another part of me says I should still find a way to compensate and find a balance.”  This is no different than the problem caused by insurers who continually reimburse ransomware victims, and why ransomware payments should be self-insured.

DeeKay’s Twitter phishing scam comes on the heels of another phishing exploit days earlier targeting Uniswap liquidity providers that used a similar scheme but obtained a much larger $8.6 million in crypto assets.  As reported in Crypto Briefing, the Uniswap fake site “instructed the victims to claim the malicious UNI tokens as a reward for providing liquidity on the exchange, but when the victims agreed to the claim, they inadvertently approved a transaction that granted the attacker access to their wallets. From there, the attacker could make token transfers to drain their wallets.”

The phishing technique used in these scams is relatively easy to pull off given most folks still click on links without really thinking, and many users of crypto wallets such as MetaMask have no clue as to what they are really consenting to when clicking the confirm button.  After going to what appears to be a genuine site, they just assume they are obtaining what they were pitched as the reason for going to the site in the first place, namely freebies of some sort.  In the same way an email sender address can be spoofed in a phishing exploit, the page can describe the requested transaction however the scammer wants; what the wallet actually signs is whatever the page requested, which in these cases was an approval granting the attacker the right to transfer the victim’s tokens rather than a mint.
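The approval mechanics described above, as an added example that is not code from the original post or from any wallet vendor: a small decoder for the calldata a page asks a wallet to sign, which flags the two approval calls a “free mint” drainer relies on (an unlimited ERC-20/ERC-721 `approve` or a `setApprovalForAll(attacker, true)` that hands over every token in the contract). The two function selectors are the standard ones for those signatures; the attacker, marketplace and NFT contract addresses, the allowlist and the sample transactions are all constructed for the example.

```javascript
// Added example, not code from the original post or from any wallet: decode the calldata a
// dapp asks a wallet to sign and flag the approval patterns "free mint" phishing pages use.
// A selector is the first 4 bytes of keccak256 over the canonical signature; the two below
// are the standard ERC-20/ERC-721/ERC-1155 approval selectors.
const SELECTORS = {
  '0x095ea7b3': { name: 'approve',           args: ['address', 'uint256'] }, // approve(address,uint256)
  '0xa22cb465': { name: 'setApprovalForAll', args: ['address', 'bool'] },    // setApprovalForAll(address,bool)
};
const UINT256_MAX = (1n << 256n) - 1n;

// ABI-encode one static argument as a 32-byte (64 hex character) word.
function encodeWord(type, value) {
  switch (type) {
    case 'address': return value.toLowerCase().replace(/^0x/, '').padStart(64, '0');
    case 'bool':    return (value ? '1' : '0').padStart(64, '0');
    case 'uint256': return BigInt(value).toString(16).padStart(64, '0');
    default: throw new Error('unsupported type ' + type);
  }
}

// Decode one 32-byte word; addresses sit right-aligned in the last 20 bytes.
function decodeWord(word, type) {
  switch (type) {
    case 'address': return '0x' + word.slice(24);
    case 'bool':    return BigInt('0x' + word) !== 0n;
    case 'uint256': return BigInt('0x' + word);
    default: throw new Error('unsupported type ' + type);
  }
}

// Build calldata for one of the two approval functions (used here to construct sample inputs).
function encodeCall(selector, values) {
  const sig = SELECTORS[selector];
  return selector + sig.args.map((t, i) => encodeWord(t, values[i])).join('');
}

// Return {name, spender, value} for an approval call, or null for any other selector.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, '');
  const sig = SELECTORS['0x' + hex.slice(0, 8)];
  if (!sig) return null;
  const words = hex.slice(8).match(/.{64}/g) || [];
  if (words.length < sig.args.length) throw new Error('calldata too short for ' + sig.name);
  const [spender, value] = sig.args.map((t, i) => decodeWord(words[i], t));
  return { name: sig.name, spender, value };
}

// What a wallet should tell the user before "Confirm". `trusted` is a user-maintained
// allowlist of operator contracts (lower-case addresses); anything else is unknown.
function assessApproval(tx, trusted) {
  const d = decodeApproval(tx.data);
  if (!d) return { risk: 'none', reason: 'not an approval call' };
  const known = trusted.has(d.spender);
  if (d.name === 'setApprovalForAll') {
    if (d.value === false) return { risk: 'none', reason: 'revokes operator ' + d.spender + ' on ' + tx.to };
    return known
      ? { risk: 'low',  reason: 'grants operator rights over every token of ' + tx.to + ' to known operator ' + d.spender }
      : { risk: 'high', reason: 'grants rights to transfer EVERY token of ' + tx.to + ' to unknown operator ' + d.spender };
  }
  // approve(address,uint256): for ERC-20 the uint256 is an allowance, for ERC-721 it is a
  // token id, so an untrusted spender is high risk regardless of the number shown.
  if (d.value === 0n) return { risk: 'none', reason: 'clears allowance for ' + d.spender };
  if (!known) return { risk: 'high', reason: 'approves unknown spender ' + d.spender + ' on ' + tx.to };
  const unlimited = d.value === UINT256_MAX;
  return { risk: unlimited ? 'medium' : 'low',
           reason: (unlimited ? 'unlimited' : d.value.toString()) + ' allowance for known spender ' + d.spender };
}

// Constructed sample data (none of these are real addresses): a fake-mint page requesting
// setApprovalForAll(attacker, true) on an NFT contract, a revoke, a bounded approve to an
// allowlisted marketplace, and a plain transfer that is not an approval at all.
const ATTACKER    = '0x' + 'bad'.padStart(40, '0');
const MARKETPLACE = '0x' + 'a11ce'.padStart(40, '0');
const NFT         = '0x' + 'c0ffee'.padStart(40, '0');
const TRUSTED = new Set([MARKETPLACE]);

const phishingTx = { to: NFT, data: encodeCall('0xa22cb465', [ATTACKER, true]) };
const revokeTx   = { to: NFT, data: encodeCall('0xa22cb465', [ATTACKER, false]) };
const normalTx   = { to: NFT, data: encodeCall('0x095ea7b3', [MARKETPLACE, 1n]) };
const transferTx = { to: NFT, data: '0xa9059cbb' + encodeWord('address', ATTACKER) + encodeWord('uint256', 1n) }; // transfer(address,uint256)

for (const tx of [phishingTx, revokeTx, normalTx, transferTx]) {
  const { risk, reason } = assessApproval(tx, TRUSTED);
  console.log(risk.toUpperCase().padEnd(6), reason);
}
```

The point of the decoder is that the page’s text is not part of what gets signed; only `tx.to` and `tx.data` are, and a mint button that produces `setApprovalForAll` calldata is a drainer no matter what the page says. The same calls, sent with `false` or `0`, are how a victim revokes an approval they already granted.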

Whether it’s DeeKay’s Twitter followers or Uniswap’s liquidity providers, these pools of potential victims are publicly known and easily reached by scammers.  One way of getting away from this vulnerable crowd is by using multiple wallets and intermediaries such as fine art galleries that can work with collectors to improve their security hygiene.  More to the point, until art galleries become a mainstay of the Digital Art Movement, these sorts of scams will continue to proliferate.

UPDATE: July 20, 2022

On July 19, 2022, DeeKay let everyone know he was targeted again – likely by way of another phishing exploit. He suggested that his collectors be aware that he would “NEVER do a free mint.”

NY Privacy Bill Inches Forward

On January 6, 2022, the newest draft of the proposed New York Privacy Act, now being jointly worked on by the Senate and Assembly, was published in the Senate as S6701A and in the Assembly as A680B.  A review of this latest draft shows that even though a great deal of important changes were newly inserted into this bill, it still requires some tweaking or it will end up having the same loopholes found in other privacy laws implemented around the country.

Hopefully, the NY legislature has the will to fully take on the data oligarchs, who have been very aggressively working behind the scenes fighting against this bill.

Defi Security Growing Pains Continue with BitMart Breach

On December 6, 2021, crypto exchange BitMart, which bills itself as “The Most Trusted Crypto Trading Platform”, announced a security breach “mainly caused by a stolen private key that had two of our hot wallets compromised.”   A tweet from security analysis firm PeckShield first called attention to this hack days earlier.  According to PeckShield, the loss is around $196 million.  Interestingly, BitMart at first denied there was any hack, claiming it was “fake news”.

According to the BitMart Twitter release:  “At this moment we are temporarily suspending withdrawals until further notice.”  A Telegram “ask me anything” is scheduled for 8:00 p.m. EST this evening.

Similar to what was done by other centralized crypto exchanges after a security incident, BitMart will use its own funds to compensate users impacted by the theft.   

The BitMart theft comes on the heels of a report by London-based consulting firm Elliptic revealing billions of dollars stolen from DeFi platforms.  According to Elliptic’s recently released report, the overall losses caused by DeFi exploits total $12 billion and of that amount, fraud and theft accounted for $10.5 billion, seven times the amount from last year.

Thefts hitting crypto exchanges such as BitMart and DeFi protocols such as Poly Network shine a light on the fact DeFi is largely driven by startups lacking cybersecurity maturity.   In contrast, the financial institutions that literally spend billions on cybersecurity want no part in helping DeFi projects; and more likely, welcome cyber incidents that tarnish DeFi’s reputation.  Until they reach a higher level of security and such incidents become less commonplace, DeFi projects will continue making platform users whole after a security incident – or risk a total collapse in the market for non-money laundering usage. 

Widely used open-source software can be highly secure, and DeFi should be no different. At some point in time, after decentralized protocols are adequately security tested and implemented and DeFi projects become fully independent and organic and not reliant on any centralized cloud solution or centralized servers, breaches such as the one that hit BitMart will be rare.  In other words, as the market and business opportunities for DeFi increase in scale and scope, DeFi’s security profile will naturally evolve.

DeFi May Overtake Traditional Finance If Crypto Changes to 26 U.S.C. § 6050I Become Law

The day after the world’s largest NFT event concluded – a truly spectacular event, a bill criminalizing unreported digital asset transactions over $10,000 was sent for presidential signature.  Prior to passage, one blogger warned:  “The amendment to section 6050I is an affront to the rule of law and to the norms of democratic lawmaking. It was slipped quietly into a 2,700 page spending bill, allegedly as a tax measure to defray the bill’s trillion-dollar price tag even though section 6050I is in fact a costly criminal enforcement provision.”

While US bankers and financial institutions thought this provision would level the playing field, or even knock DeFi out of the playing field, it may eventually have the exact opposite impact. By way of background, the 1980s-era 26 U.S.C. § 6050I requires persons who engage in “a trade or business” and receive “more than $10,000 in cash in 1 transaction (or 2 or more related transactions)” to file a Form 8300 report containing the “name, address, and TIN of the person from whom the cash was received, the amount of cash received, [and] the date and nature of the transaction”.

In the proposed amendment to this law, however, there is a new additional definition of “cash”, namely “any digital asset (as defined in section 6045(g)(3)(D))”. “Digital asset” is in turn broadly defined as “any digital representation of value which is recorded on a cryptographically secured distributed ledger or any similar technology as specified by the Secretary.” Not surprisingly, the existing exemptions for “cash received by financial institutions” and reporting organizations, and for transactions “occurring outside the United States”, all remain intact.

If this law is signed “as is”, which is apparently likely, it will push a knife deep into the virtual heart of DeFi, NFTs and any other burgeoning alternative investment solutions targeting US customers. The KYC and reporting requirements would presumably create insurmountable disadvantages.

Some bitcoin whales rejoiced given that hodlers don’t really care much about DeFi or NFTs – they just want to buy more bitcoin and anything that gives rise to anti-governmental sentiment is bullish for hodlers.  In fact, BTC rose to new heights on the news.

While in the short term DeFi and NFT platforms may face significant new hurdles if this bill is signed into law, in the long term it may have the opposite of the impact intended by the bankers who likely pushed for this financial reporting provision in an “Infrastructure Bill”.

For one thing, no one country can kill something that is truly decentralized – whether it is China, India or the United States.  The whole point of decentralization is that it is not tethered to any country.  Mandating governmental centralized reporting is no different than pushing a child into a pool – the reality quickly becomes “sink or swim”.  If this bill gets signed, platforms may very well expedite their decentralization plans and US banks will be flanked by truly decentralized platforms they cannot control or influence and participants who would rather take more control over their financial future.  After a decade or two, traditional financial institutions may very well go the way of Sears.

UPDATE: November 16, 2021

On November 15, 2021, the Infrastructure Bill was signed into law. None of the major news outlets discussed the change to 26 U.S.C. § 6050I – with only a few discussing the changes impacting digital asset broker disclosures. One senator, however, introduced on November 16, 2021 a bill to repeal all of the Section 80603 digital asset provisions – including that one involving 6050I. With any luck, it will quickly be enacted into law. And, if not, there is still the potential that down the road this change will forever alter the financial institution landscape by accelerating implementation of DeFi.

UPDATE: June 12, 2022

On June 10, 2022, a federal action funded by Coin Center was filed in the US District Court for the Eastern District of Kentucky against the Treasury Department in the first constitutional challenge to the amendment of Section 6050I of the IRS Code. One of the lawyers bringing suit first sounded the alarm on this amendment last year at NFT.NYC.

Seeking to block enactment of the amendment, the federal suit makes two major claims: “(1) forcing ordinary people to collect highly intrusive information about other ordinary people, and report it to the government without a warrant, is unconstitutional under the Fourth Amendment; and (2) demanding that politically active organizations create and report lists of their donors’ names and identifying information to the government is unconstitutional under the First Amendment. The first claim is about privacy and our Fourth Amendment right to be secure from unreasonable searches and seizures. The Fourth Amendment already has some huge carve-outs that leave people with precious little space for privacy. For example, under the “third-party doctrine” once you hand private information over to a bank or social media company, you lose your right to prevent warrantless searches of that information.”

It remains to be seen whether the suit will successfully block enactment of the new regulation, but what is undeniable is that DeFi specifically and Web 3.0 generally are under attack by centralized institutions, and constitutional challenges such as this one are an absolute necessity.

$600 Million Loss Shines a Light on DeFi Security

On August 10, 2021, Chinese cross-chain DeFi platform Poly Network was apparently hit with the exploit of a smart contract vulnerability in its “EthCrossChainManager” contract, impacting three separate chains, including two leading DeFi blockchains, Ethereum and Binance Smart Chain, and numerous cryptocurrencies. This latest exploit is part of a major trend in security incidents involving DeFi platforms.

Poly Network developers quickly asked for help on Telegram to block transfer of the stolen assets: “We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses.”

In another August 10, 2021 post on Telegram, Poly Network also posted: “If you are experiencing any difficulty due to the hack that just happened theres [sic] a compensation plan , connect your wallet and get your refund in minutes , our dev only lose but this did not affect any of our users.”

It is not clear how this protocol platform would make all users whole.  

As a start, the ESL Poly Network team posted the following open letter asking for the return of the stolen assets:

Not surprisingly, this plea was immediately derided: “Imagine successfully stealing over $600m and have the people you stole from think there’s a chance you might be willing to return it with what amounts to a passive-aggressive post-it note on the fridge.”

Notwithstanding the obvious desperation found in its letter, the Poly Network team may be on to something, given this was apparently never really a “hack” – it was likely yet another person who exploited a vulnerability in a deployed smart contract. As of August 11, 2021, $119 million in Binance-pegged BUSD was returned by the hacker’s associated address to the 947,598 owners impacted by the exploit. BUSD is a stablecoin used to trade crypto assets on the Binance chain. Another $134 million was also soon thereafter returned to other impacted owners. According to Chainalysis, a total of $261 million in cryptocurrencies has been returned to date.

A review of the micro transactions found on Etherscan and BscScan indicates that the “hacker” has been testing literally thousands of ways to move the stolen assets. In other words, the exploiter does not know what to do with the stolen booty. A few posts back that up, including one where the “hacker” is allegedly asking for someone to explain how to circumvent miner scrutiny.

The “hacker” purportedly also posted:  “WHAT IF I MAKE A NEW TOKEN AND LET THE DAO DECIDE WHERE THE TOKENS GO.”  

As things continued going downhill, the claimed sole perpetrator of the exploit (again claiming that identity solely by virtue of using the perpetrator’s wallet address) allegedly came out as an innocent interloper:

Information posted in the form of a Q&A on an ETH transaction Private Note section goes into further detail:

It looks like these posts are all from the same exploiter. A spreadsheet tracking the exploit, including related communications, can be found on Google Docs. Even if these posts are not genuine, chances are still high the exploit was performed by one or more persons who decided to offload some coin and ultimately decided to give back whatever could not safely be absconded with using his/her/their current knowledge, as apparently already done to the tune of $261 million. There were certainly many out there willing to provide the necessary crypto laundering assistance, but apparently the advice was not taken – the clearest signal this was committed by an “ethical” hacker.

Poly Network is at its essence an interoperability protocol used by and integrated with many DeFi projects, so this exploit will have direct ripple effects well beyond the Poly Network. The more indirect impact of this exploit is the slight chance it might be replicated elsewhere by others having the necessary domain knowledge to move stolen assets.

The best way for investors to minimize the likelihood that such failings will impact them in the future is to seek out and only use DeFi platforms that rely on a holistic “security by design” architecture – something not easily found in a decentralized world. Not surprisingly, in a recent survey nearly 75% of institutional investors and wealth managers stated that the security of virtual currencies is a “significant” hurdle stopping many individuals from entering the crypto asset space – let alone the more exotic DeFi domain, where software vulnerabilities can still cause the exfiltration of $600 million in digital assets. Beaches will always have little appeal to swimmers when there are known sharks in the water.

UPDATE: August 12, 2021

Except for $33 million in Tether stablecoins previously frozen by Tether, the entire amount taken was apparently returned. Reuters is reporting that this was done in return for an after-the-fact $500,000 “bug bounty”.

Exchanges May Crack Down on Ransomware OFAC Risk

On April 22, 2021, Chainalysis published its findings on the OFAC sanctions violation risk tied to ransomware payments. According to Chainalysis, 15% of ransomware payments paid in 2020 were at risk of OFAC sanctions. Even though lower than the measured risk from 2016 to 2018, last year’s numbers remain an uptick from 2019.

Chainalysis discovered that in 2020 ransomware victims paid out more than $50 million worth of cryptocurrency to addresses that carried sanctions, with mainstream exchanges receiving “more than $32 million from ransomware strains associated with sanctions risks.” Given the public market embrace of crypto exchanges, it is very likely that those exchanges seeking greater regulatory scrutiny will eventually implement curbs to address the OFAC October 2020 advisory, eventually making it more difficult for smaller businesses to satisfy ransomware demands.

Ransomware Payments Should be Self-Insured

According to Chainalysis, payments to ransomware gangs using cryptocurrency more than quadrupled in 2020, with fewer than 200 cryptocurrency wallets receiving 80% of funds. And Palo Alto Networks, which claims to use data from ransomware investigations, data-leak sites, and the Dark Web, reports that the average ransom paid by companies in 2020 jumped 171% to more than $312,000. Although ransomware has been around for many years, its rise has largely coincided with the diminished value derived from compromised personal data.

The REvil ransomware-as-a-service operation now picks up the phone to add a threatening personal touch to its exploits: “Calling gives a very good result. We call each target as well as their partners and journalists—the pressure increases significantly.” According to a published March 16, 2021 interview with a representative of REvil, also known as Sodinokibi, the group has “big plans for 2021.”

Probably the more interesting point made by this REvil representative was the answer to the following question: “Do your operators target organizations that have cyber insurance?” The answer is not much of a surprise: “Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.” This is the first confirmation from an actual ransomware gang that they target cyber insurance policyholders.

Articles from the Associated Press and ProPublica years earlier suggested that cyber insurers were inadvertently driving up ransomware attacks, but neither outlet provided any hard facts to back up their supposition. Indeed, a leading broker took the natural counterpoint: “[A]lthough no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransoms against the risk of operational disruptions that could last weeks or months and cost far more.”

It was never hard to imagine, however, that buying cyber insurance actually places a target on those companies who buy it and likely do not have the security resources necessary to stop ransomware gangs, especially given that carriers may be inadvertently providing a roadmap to their house. Indeed, last year one major cyber insurer was purportedly targeted by the Maze ransomware gang. And, as of March 2021, there were at least two ongoing investigations involving attacks on major cyber insurers. Unless things change, it will only get worse for insurers and brokers, given they are the new holders of the crown jewels.

One tactic that can impede the current claims challenge facing the industry is building on what was recently begun by AIG, a thought leader in this space for over two decades. In January 2021, AIG became the first lead cyber insurer to require ransomware co-insurance across the board, mandating that insureds share in paying a ransom payment. Following this lead, the larger markets began hardening on price and their underwriting requirements. Other markets immediately began to take advantage, only temporarily repairing the holes in the dike. As pointed out by Inside P&C: “The retrenchment of capacity and continued upward pricing pressure also continues a reordering of the market in which some of the largest names in US cyber insurance cede market share to upstart InsurTechs.”

Despite the fact that cyber insurer MGAs are heavily funded and are now grabbing as much market share as they can, they still use paper backed by the largest reinsurers in the world, who frankly probably care more about their own profits than about the market growth strategies of unrelated companies. In other words, any retrenchment may also eventually hit the MGAs when treaties get renegotiated.

Retrenchment is a good idea but will not be enough to fully address the problem. The best way to solve this problem is to do exactly what the FBI has said for years: do not pay the ransom. An October 2020 OFAC Advisory buttresses this “do not pay” advice by warning insurers against making ransomware payments to those on the OFAC list. In other words, law enforcement would prefer that ransomware payments not be made, and it may ultimately be in everyone’s best interest if such payments are self-insured, making it much less likely they will actually be paid.

This is not K&R coverage, where lives are typically at stake. Once the ransomware gangs recalibrate knowing there is no available insurance payment, the incidents will resemble earlier times, namely demands that are less frequent and for lower amounts. These threat actors want to go in and out as fast as possible, given they know that the data itself likely has very little real value on the Dark Web; it is the urgent threat of release that has exploitive value. If there is no expeditious insurance payment, the actual value of the target diminishes.

Insurance dollars are better spent helping insureds bolster their security rather than filling the coffers of criminals, especially because even with a payment there is no guarantee that data would be properly decrypted or that a Dark Web release or sale would not take place. There is much that can be done to help insureds improve their risk profile and better avoid ransomware exploits. Some very basic steps include developing trusted partner relationships with vendors and law enforcement before an incident takes place; retaining a security expert to evaluate the current readiness profile; providing consistent education and training of staff; and developing or updating a Business Continuity Plan.

On a more technical level, full and incremental backups should be consistently performed as if your company’s life depended on it; weak passwords of service accounts should be removed; system logs should be maintained and monitored; employee access to sensitive data and information limited; operating systems and applications timely patched; users with admin privileges evaluated to ensure passwords are strong and secure; system safeguards such as Windows Defender Credential Guard deployed; port connections monitored and unnecessary ones removed, etc., etc., etc. The relevant protocols all have a common goal: harden security sufficiently so that the bear decides to run after the slower runner. If everyone ends up becoming a fast runner, the hungry bear will eventually tire of the chase and just eat something else for food.
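The following read-only PowerShell audit is an added example, not code from the original post or from any vendor named in it. It checks several of the items just listed on a single Windows host (Credential Guard state, local administrator membership, services running under named accounts, listening ports, recent failed logons, patch currency and last backup) and prints a findings list a reviewer can act on. The approved-admin list, expected-port baseline, the 30-day patch window, the 24-hour backup window and the failed-logon threshold are all assumed tuning values; run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: read-only hardening audit for one Windows host.
# All thresholds and baselines below are assumptions; tailor them to the host's role.

$ApprovedAdmins       = @('BUILTIN\Administrators', 'CONTOSO\IT-Admins')  # assumed; replace with your own
$ExpectedPorts        = @(135, 445, 3389)                                 # assumed baseline for this host
$FailedLogonThreshold = 20                                                # assumed: failed logons per 24h
$PatchWindowDays      = 30                                                # assumed: max age of newest hotfix
$BackupWindowDays     = 1                                                 # assumed: max age of last good backup

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Credential Guard: SecurityServicesRunning contains 1 when Credential Guard is active, 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or ($dg.SecurityServicesRunning -notcontains 1)) {
    $findings.Add('Windows Defender Credential Guard is not running')
}

# 2. Local Administrators: every member outside the approved list needs a justification or removal.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    if ($ApprovedAdmins -notcontains $m.Name) {
        $findings.Add("Unexpected local administrator: $($m.Name) ($($m.ObjectClass))")
    }
}

# 3. Services running under named (non built-in) accounts: these are the service accounts whose
#    passwords must be strong and rotated, so list them for credential review.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService', $null, '')
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $builtIn -notcontains $_.StartName } |
    ForEach-Object { $findings.Add("Service '$($_.Name)' runs as $($_.StartName); review credential strength and rotation") }

# 4. Listening TCP ports: anything outside the expected baseline is a candidate for removal.
Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique |
    Where-Object { $ExpectedPorts -notcontains $_ } |
    ForEach-Object { $findings.Add("Unexpected listening TCP port: $_") }

# 5. Log monitoring: count failed logons (Security event 4625) in the last 24 hours.
$since  = (Get-Date).AddDays(-1)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
if ($failed.Count -ge $FailedLogonThreshold) {
    $findings.Add("$($failed.Count) failed logons since $since (threshold $FailedLogonThreshold)")
}

# 6. Patch currency: date of the most recently installed hotfix.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-$PatchWindowDays)) {
    $findings.Add("Newest hotfix older than $PatchWindowDays days; check the patch pipeline")
}

# 7. Backups: last successful Windows Server Backup job, when that module is installed.
if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
    $wb = Get-WBSummary
    if ($wb.LastSuccessfulBackupTime -lt (Get-Date).AddDays(-$BackupWindowDays)) {
        $findings.Add("Last successful backup was $($wb.LastSuccessfulBackupTime); backups are stale")
    }
} else {
    $findings.Add('Windows Server Backup module not present; confirm backups run through another tool')
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script changes nothing on the host; each finding maps to one of the hardening items above, and the intent is that it is run on a schedule so that drift (a new local admin, a new listening port, a stale backup) surfaces before an incident rather than during one.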

With a robust cyber insurance policy in place, nearly every resource necessary to assist a ransomware victim is already available to an insured. By focusing on these other valuable first-party coverages, improving an insured’s risk management profile, and curtailing ever-increasing payouts to criminals, the industry will continue its meteoric rise.

UPDATE: March 25, 2021

On March 24, 2021, CNA publicly disclosed that it sustained a cybersecurity attack. As of March 25, 2021, the following is the only information found on its website:

UPDATE: May 10, 2021

The day before the Colonial Pipeline ransomware attack went public, global insurer AXA announced it would cease writing cyber-insurance policies in France that reimburse policyholders for ransomware extortion payments. This is hopefully the start of a much larger trend.

UPDATE: May 12, 2021

On May 12, 2021, security experts labeled as “absolute stupidity” comments regarding the payment of ransomware that were emanating from the White House. A few days prior, the White House’s Deputy National Security Adviser for Cyber, Anne Neuberger, had given the private sector a complete free pass regarding the payment of ransoms: “And they have to just balance off, in the cost-benefit, when they have no choice with regard to paying a ransom.” Unfortunately, this position directly contradicts the long-standing position of the FBI and numerous other government agencies.

UPDATE: December 1, 2021

On November 18, 2021, North Carolina relied on its Operations Appropriations Act of 2021 to add a new article to Chapter 143 of the State’s General Statutes which now reads in part: “No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.” This is the first effort by a governmental entity to bar ransomware payments.