Why a $600mn Crypto Heist Is Bad News for Telcos and Banks

Last week saw one of the strangest crimes in history. A hacker took control of USD600mn of cryptocurrency by exploiting a vulnerability in the code of Poly Network, whose software provides a mechanism to conduct transactions between separate cryptocurrency blockchains. “Mr. White Hat”, as the hacker subsequently became known, returned almost all of the stolen cryptocurrency by the end of the week, after Poly Network offered him a reward of USD500,000 and promised he would “not be held accountable for this incident”. Much of the dialogue between Mr. White Hat and Poly Network occurred in public, through messages added to the Ethereum blockchain. Commentators are divided on how to interpret the hacker’s actions, with some believing his story about wanting to highlight the vulnerability for the good of others, whilst others concluded there was no way he could spend his loot without being caught. Cryptocurrency transactions do not require the disclosure of the identities of those involved, but the transparency of the blockchain means there is a complete log of every transfer. So whilst Poly Network were right to observe the heist “greatly affects the confidence of society at large in the crypto industry”, it has also served to demonstrate the maturity of the reputable businesses willing to freeze accounts and assist the identification of criminals.

Poly Network’s goal of enabling interoperability between cryptocurrencies sees them betting on the rapid rise of decentralized finance (DeFi), the hottest emerging market in the nexus of finance and networked technology. The promise of DeFi is that it will give buyers and sellers of currency and other assets the opportunity to do peer-to-peer swaps that cut out middlemen like banks and the fees they charge. The Bank for International Settlements’ most recent central bank survey of foreign exchange found that the global value of currency transactions is USD6.6tn per day. If even a modest proportion of this trade were conducted through DeFi it would massively erode the profitability of banks and lead to enormous collective savings for others. DeFi will also compete with the telcos who have diversified into mobile money and international transfers. The reason DeFi is becoming increasingly viable is the launch of a growing number of stablecoins, which are cryptocurrencies whose values are pegged to ordinary fiat currencies. Some of these stablecoins are issued by central banks and many more are in development. DeFi has great promise, but an obvious weakness is that the technology lies beyond the understanding of most users. Stories about crime will spook many. This means providers of DeFi technology need to do a much better job of managing risk and quality than the rest of the technology sector.

Despite the obvious embarrassment, Poly Network were shrewd in how they communicated with Mr. White Hat. They began by pointing out the low probability of escaping justice if he tried to profit from his crime.

The makers of the Tether cryptocurrency distinguished themselves by almost immediately freezing the Tether tokens taken by Mr. White Hat.

Poly Network advised Mr. White Hat how to return the cryptocurrency and kept the public informed of progress with its recovery.

Poly Network openly thanked the cryptocurrency exchanges, cryptocurrency developers, and security firms that helped them monitor and obstruct the flow of the stolen money.

A security bug will and should hurt the reputation of any business, but Poly Network’s response is a master class in risk management. A lot of data suggests that moments of crisis give management teams an opportunity to enhance their reputation overall, if they are transparent, proactive and successful in mitigating the harm done. The confidence that comes from seeing management overcome adversity can lead to an increase in the value of their business that more than offsets the fall caused by the initial bad news. The same could prove true for Poly Network, and for DeFi more generally. Every day the public is fed cautionary tales about banks and telcos being powerless to cope with an onslaught of crime. Banks blame telcos, telcos blame banks, and the police have nothing useful to say. Contrast their story of collective incompetence with the crime described above, where a relatively immature branch of fintech left a criminal with little option but to return what was stolen.

This heist may have seemed like good news for banks and providers of mobile money by damaging an emerging rival to their business models. However, the same story also includes the kernel of an argument for why most of us should prefer transactions conducted through public ledgers. We all pay a lot just to move money from one place to another, but the businesses who profit seem incapable of reducing the crimes that exploit their services. Occasionally they will talk about exchanging information to tackle crime, and even less frequently they will actually share data, though usually only because they have been compelled to do so. Consider how different the problem would be if they already used methods of moving money that depended upon a common ledger that everyone can see.

People trust established brands more than they trust unfamiliar technology, but neither telcos nor banks have enhanced their reputations during the last few decades, and the steep rise in remote unauthorized access of accounts is eroding public confidence. If DeFi providers and cryptocurrency exchanges prove adept at identifying, blocking and reversing criminal transactions, whilst offering competitive services at greatly reduced rates, then we could see a rapid transition in customer sentiment and behavior, similar to the impact that the internet has had on markets like insurance. Perceptions of risk can change dramatically, and neither banks nor telcos can afford to be complacent about reducing risk on behalf of their customers.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.