Ethereum’s recent transition to a proof-of-stake consensus mechanism prompted SEC Chair Gary Gensler to state that most crypto tokens are investment contracts, meaning the agency has regulatory authority over them. This may mark the beginning of the end for the largely unregulated proliferation of cryptocurrencies, which has given rise to both rapid innovation and a large number of scams.
The amount of fraud facilitated by crypto has increased an incredible 6900% over the past 4.5 years and has been one of the main driving factors of an overall uptick in fraud since late 2020. If that rate of growth is sustained, crypto will account for over 50% of all fraud by Q4 of 2023.
Crypto’s widespread use as a means of defrauding both people and organizations poses a threat to the continued growth of the industry. Many older Americans have had exactly one experience with crypto, and it ended with them losing their money. Voter turnout is particularly high among the elderly, so harm inflicted on them especially endangers the relatively light regulatory environment the blockchain industry has benefitted from for the past decade.
The growth of scams like rug pulls also threatens to undermine investor confidence in blockchain startups. While some might say it’s obvious which scams were rug pulls (which is true in many cases), there is a long tail of poorly informed investors who are permanently turned off of crypto by their experiences.
Though the percentage of crypto transactions accounted for by illicit activity has continued to fall, absolute losses have continued to climb. In 2021, total illicit activity grew by 79% compared to the previous year. With this rate of growth, there is a real risk that the term “crypto” will become synonymous with “scam”, since most fraud will be conducted using crypto.
Why is crypto fraud increasing?
Let’s take a look at the different categories of crypto fraud over time to see how the relative size of each has changed.
You can see that since 2020, almost all of the growth in fraud has come from scams and theft. But why did those categories grow?
Most of the growth in theft came from DeFi exchanges, which saw a massive 1330% increase in theft between 2020 and 2021. Code exploits in smart contracts were the biggest culprit, and were used in the theft (and surprising subsequent return) of $612 million from Poly Network. Two other popular means of theft include manipulation of price oracles using flash loans and security exploits resulting in hackers gaining access to users’ private keys (see page 71).
So far the approach has been technical whack-a-mole, with interventions such as code audits and bug bounties proving ineffective at prevention. Code audits can help, but 73% of flash loan attacks occurred using exploits in code bases audited within the last year (see page 73). Scaling bug bounties, such as those announced by OlympusDAO at the start of this year, might also help by offering hackers a stronger incentive to report a high-impact bug to developers rather than exploit it.
But perhaps the most effective method to prevent scams is to make it harder for criminals to use their funds while remaining anonymous. Most centralized exchanges have implemented KYC rules, which make it harder for criminals to move funds around without getting caught. Centralized exchanges also have a greater ability to freeze or prevent fund transfers. This is one reason why theft is 55x more common in DeFi than in centralized exchanges when dividing value stolen (see page 6) by volume traded for each.
Crypto scams also saw large growth in 2021. Scams are one of the biggest problems for any nascent industry because they affect such a large number of people. While the average thief is incentivized to target the richest accounts, the average scammer is incentivized to target much smaller, more naive users. This means that while the average amount stolen in an individual theft is much higher, the impact of scams on public perception is likely larger.
Ponzi schemes have been around for hundreds of years and are unlikely to go away anytime soon. But past efforts to curtail the damage they cause have focused mostly on transparency, which we see as the most likely solution to the same phenomenon in crypto.
Before BitConnect collapsed in January 2018, it promised users 20% monthly returns through use of its “trading bot”, which was the supposed vehicle behind these incredible returns. The details of the bot and the supposed profits it generated were never disclosed to investors in the BitConnect token.
This need for transparency is one of the main reasons companies are required to issue a prospectus with audited financial statements before going public. Though many of the larger centralized exchanges do a good job enforcing disclosure before listing new tokens, some smaller exchanges and most DeFi exchanges do not. Some level of transparency is required for prospective investors to make good choices.
As important as disclosure for individual tokens can be, disclosure by exchanges themselves is even more crucial. Of the $2.8 billion of losses in 2021, 85% are attributable to a single incident: the failure of Thodex, a centralized exchange based in Turkey.
There was no single reason that the Thodex rug pull resulted in such a huge loss. Instead, as with previous large scams, a perfect storm of internal and external factors came together at the right time. Public trust in the highly inflated Turkish lira had been declining for years, encouraging many Turkish citizens to seek out a more stable store of value. For many of these individuals, crypto appeared to be the answer to their problems, and Thodex, as the premier Turkish crypto exchange, was perfectly situated to take advantage of this demand.
Thodex offered low commissions, a mobile app, and all of the most popular cryptocurrencies. They also set up an affiliate program to reward current users for referring new customers by granting referrers a portion of commission revenue. Once the exchange had obtained sufficiently large amounts of customer money, they simply shut off the exchange and transferred customer balances to their own wallets.
Following the collapse, Turkey banned the use of crypto assets for payments. It is hard to imagine such a rule would have been created without the failure of Thodex. These kinds of knee-jerk regulatory responses are exactly what the industry should be aiming to avoid.
While the largest cryptocurrency scams have been centralized, decentralized exchanges are not without their own problems. The lack of KYC or financial disclosure requirements to list a new currency on a DEX has encouraged a series of smaller rug pulls accounting for $400 million of losses in 2021, including AnubisDAO, Uranium Finance, deFi100, and many others. Add in the amount of theft committed through DeFi exchanges, and it becomes clear that moving to a decentralized model would make the fraud problem much worse.
Fraud’s existential threat to blockchain
The trajectory of the banking industry following the financial crisis of 2008 provides another stark warning of what might happen to the blockchain industry if the prevalence of scams continues to grow.
In the years leading up to the 2008 financial crisis, the banking industry created a new financial instrument — the collateralized debt obligation, or CDO for short. This financial instrument — and its evil twin, the synthetic CDO — were the engine of doom that crashed the world economy in 2008 and led to stifling regulations two years later.
The details of how CDOs work are beyond the scope of this blog (see Michael Burry’s excellent book “The Big Short” for an overview), but in short, it is a reasonable simplification to think of them as a black box that generated cash via some underlying asset like mortgages.
CDOs were so complex and so little financial information was available for prospective buyers that their valuations were based almost entirely on the credit rating they received from Moody’s or Standard & Poor’s. But the models used to assign these ratings failed to consider several important variables, particularly those relevant to whether a homeowner would default on their mortgage.
They didn’t take into account the distribution of homebuyer credit scores, only the average. They didn’t consider the length of a buyer’s credit history, only their current score. They didn’t distinguish between loans that required proof of income and those that didn’t, allowing people without jobs to buy expensive houses they couldn’t afford. The result was that a large number of very risky assets were blessed with high ratings by the agencies.
On top of issues with the underlying mortgages, Wall Street started selling bets on whether or not homeowners would default on their mortgages. Because the underlying mortgages were incorrectly assumed to be safe, the agencies gave these bets strong ratings, allowing Wall Street to sell them to pension funds and retirees. This highly leveraged set-up ensured that every time a homeowner defaulted on their mortgage, the losses generated were equal to several times the value of the underlying home.
When the bubble finally burst, the US entered the largest financial crisis since the Great Depression. The justifiable anger felt by ordinary Americans who lost homes or retirement savings led Congress to pass the Dodd-Frank Act, the biggest overhaul of the US financial system since the Great Depression. While the new regulations did much to ensure that a financial crisis like the one in 2008 will not happen again, little attention was paid to the costs of the new rules.
Following the crisis, the number of new banks dropped off a cliff as the FDIC severely tightened standards for issuing new banking licenses. A decade later, the number of new banks was not even close to its pre-crisis levels.
This kind of overregulation is a real risk for any industry that fails to address harm to everyday consumers and the broader economy. Blockchain technology is not immune to this possibility. If scams and theft continue growing at their current rates, we will see huge public pressure to clamp down, creating higher barriers to startups in the industry. This could have a serious negative impact on the pace of innovation within blockchain. Reduced competition reduces the incentive for companies to improve their products. We are not immune to that kind of slowdown.
Many of the biggest success stories in the industry were created by relatively small teams. When Ethereum was finally released in July of 2014, it was after long delays navigating the relevant legal processes in the United States and Switzerland, which caused many of the developers “substantial hardship.” If the industry isn’t able to reduce the prevalence of scams, the next Ethereum may die before it can even get off the ground.
While the blockchain industry is much smaller than banking — and seems unlikely to crash the US economy without significant additional growth — it could still become the target of punitive regulation. Blockchain’s small size relative to banking makes it easier to punish, and the increasing prevalence of scams means public pressure to “do something” will continue to mount.
If Congress or the SEC decides to crack down on crypto, it could easily curtail the kind of disruptive innovation the industry has become well-known for.
Regulation where needed, industry improvement everywhere else
So far, we’ve made the case that the blockchain industry needs to make improvements to handle the growing incidence of fraud, and that failing to do so could have catastrophic consequences. However, there is another point worth making: there are some cases where there is no good alternative to regulation.
Ratings agencies didn’t fail to update their models of CDOs because they were ignorant. They were afraid that if they did, banks would simply take those deals to their competitors across the street, and they would fail to generate the fees on which their business depended (see The Big Short, Chapter 7).
In such situations, collective action via regulation or an industry consortium is the only way to reach a better, stable equilibrium. Teaser rate mortgages, which triggered the financial crisis, were not abandoned because they became unprofitable. They were banned by Dodd-Frank.
We as an industry need to start taking the problem of fraud more seriously. To prevent fraud, law enforcement must be able to identify criminals, which in turn requires systems that make this possible. When the entire tech stack is built around anonymity, fraud is bound to proliferate.
If the blockchain industry can solve some of these problems itself, regulators will see less need to get involved. And in the few cases where cooperative action is required, companies should work with regulators to ensure whatever rules are passed protect consumers while doing as little harm as possible to the industry’s pace of innovation.
We are still in the first inning for blockchain technology. There is huge potential yet to be realized. There are applications no one has yet discovered. It is our hope that in a decade, we will look back on the current problems as growing pains that were taken care of by an industry that was on its way to transform the world.