Cryptocurrency has a security problem it hasn't been able to shake.
Bad actors stole $1.7 billion worth of cryptocurrencies from investors last year, according to a new report from CipherTrace Cryptocurrency Intelligence published Tuesday. Of that total, roughly $1 billion was taken from exchanges.
Even as prices dropped last year, crimes went up. The plunge in cryptocurrencies meant a lower total value for these stolen coins, but the volume of coins stolen in 2018 was 3.6 times higher than it was in 2017 and seven times what it was in 2016, according to the report.
"These numbers only represent the loot from crypto crimes that CipherTrace can validate; we have little doubt that the true number of crypto asset losses is much larger," said Dave Jevans, CEO of CipherTrace.
The report underscores massive risks in the new asset class. Aside from the reality of losing money as prices erode, the possibility of getting hacked is still one of its biggest challenges to mainstream adoption and acceptance by regulators.
Bitcoin became a household name as it rallied 1,300 percent to almost $20,000 at the end of 2017. Media coverage and a frenzy of buyers followed. But unfortunately, so did hackers. Jevans said they saw a "residual effect" after hackers finally figured out how to scam people, even months after the bubble popped.
Cryptocurrency payments are recorded on an open ledger known as blockchain, meaning they can be seen by anyone. The team at CipherTrace is able to track them but still might not know the anonymous parties who sent or received the money. The firm also scans the black market and criminal forums for data. The firm monitored chat rooms that advocated for targeting crypto and blockchain start-ups that raised massive amounts of money at the height of the price bubble.
"These aren't street thugs — these are people who have masters degrees in computer science," Jevans said. "We're starting to see more organization in the space with professional gangs bankrolling computer scientists."
In the beginning of the year, exchange hackers dominated the crypto crime scene, but the report showed a rise in "inside jobs" or fraud in the fourth quarter of last year. Something called SIM-swapping, where a hacker takes over a victim's mobile device to steal credentials, then breaks into wallets or exchanges, was the top threat in 2018, the report said.
In addition to outright thefts, investors lost almost $750 million from threats such as "exit scams," where founders of initial coin offerings simply ran off with the funds they raised. Initial coin offerings, or ICOs, where people sell "tokens" to fund projects, became a popular but controversial way to make money. Many of those were backed by a promise to build a product or software that they never delivered.
A separate report out this week from Chainalysis echoes those findings. But it also shows that the majority of these crimes were carried out by just two organized groups.
Philip Gradwell, chief economist at Chainalysis, said the $1.7 billion number was in line with their own findings and that criminal activity has "grown significantly" in the past 18 months. The firm tracks cryptocurrency transactions and provides insights to governments, law enforcement and some hedge funds to help them comply with anti-money-laundering laws.
"When we look at these patterns it's clear these are large, sophisticated hacking groups," Gradwell told CNBC.
The two groups accounted for $1 billion of the total cryptocurrency hacks and averaged $90 million per hack, according to the report. In order to get away with it, hackers typically move the stolen crypto through a complex web of exchanges and personal wallets. The hackers often observe a quiet period over 40 days or so, and wait until interest has died down before cashing out.
The two strategies diverge, though. One group, which the report labels "Alpha," is more sophisticated and complex. It makes a bigger effort to hide its tracks, "expertly shuffling funds around in a way that suggests they want to avoid detection." To do that, the group moves the stolen cryptocurrency 15,000 times before they sell it on exchange. On average, both hacking groups move funds at least 5,000 times.
The Alpha group appears "as eager to create havoc as to maximize profits," according to the report.
The other group, called "Beta," is smaller and less sophisticated. They seem to be more focused on the money, and "don't appear to care very much about evading detection, just about getting a clear route to convert illicit assets to clean cash."
While crypto crime increased in 2018, it made up a smaller slice of a much larger market. The amount taken from exchanges, for example, was 1 percent of bitcoin's value, Gradwell said.
"The level of criminal activity is still relatively low and the main use of crypto is still as a financial asset," Gradwell said.
Regulators are acutely aware of the issue.
Securities and Exchange Commission Chairman Jay Clayton has repeatedly voiced concerns over security and investor protection. He cited the lack of market surveillance and questions about how to safely store these assets as major roadblocks before he would feel "comfortable" green-lighting a bitcoin ETF.
"We've seen some thefts around digital assets that make you scratch your head," Clayton said at CoinDesk's Consensus Invest conference in November. "We care that the assets underlying that ETF have good custody and that they're not going to disappear."
Advocates have long awaited a bitcoin ETF, which they hope would help usher in institutional buyers and lift prices. Meanwhile firms including Gemini, Coinbase and Fidelity have stepped in to be the trusted custodian.
But security is still an uphill battle as long as hacking remains profitable.
"It's definitely not going to slow down," CipherTrace's Jevans said. "It's still a massive multi-billion-dollar business and has gotten more sophisticated and bigger — what we're seeing in 2018, we'll see through 2019."