Hackers and ransomware groups have benefitted immensely by leveraging blockchain and cryptocurrencies to secure multi-million-dollar payouts. Cryptocurrency transactions are untraceable and not regulated by any government or authority. But hackers are now taking this further by attacking crypto exchanges and stealing coins from user wallets. They also indulge in illegal crypto mining activities – using thousands of compromised computers to mine coins. Crypto mining utilizes a great amount of electricity from the grid. Due to this, there have been power shortages in some countries.
CISO MAG got in touch with Amit Jaju, a Senior Managing Director with Ankura Consulting, to discuss these challenges. It was startling to learn from Amit that global temperatures will increase by two degrees by 2024 due to crypto mining activities. You will be amazed to learn how much power is consumed for every cryptocurrency transaction when the blockchain ledgers are updated. Amit offered some suggestions for crypto exchanges during our discussion to protect user wallets. He also suggests what regulators and governments can do to protect consumers.
Amit leads the Data & Technology Segment at Ankura Consulting in India. He has over 17 years of experience in forensic technology consulting covering data analytics, cyber, e-discovery, software licensing, and information governance. He has created market-leading solutions around financial crime, cyber incident response, analytics, and software licensing and delivered engagements for global and Indian clients in over 20 countries. His experience spans multiple sectors, including Financial Services, Information Technology, Pharmaceuticals, and Media & Entertainment.
He has led many complex global data analytics engagements, including implementing and managing enterprise-wide fraud and AML monitoring solutions for banks and implementing terrorism monitoring over the internet for defense services. He has delivered sanctions diagnostics, and investigation engagements across Europe and the Middle East for large US sanctions matters and has developed a sanctions analytics platform to deliver end-to-end sanctions diagnostics and monitoring.
Before joining Ankura, Amit was a Senior Managing Director and India head for FTI Consulting, and a Partner with Ernst & Young for nine years as Head of Forensic Technology in India and Markets. He was responsible for setting up and leading Forensic Technology in EMEIA. Before EY, Amit was the Forensic Technology lead at KPMG in India for five years. Before joining the Big Four, Amit worked with a boutique information security consulting firm.
Edited excerpts from the interview follow:
We have seen a lot of illegal crypto mining activities around the world in countries like Iran, Venezuela, Malaysia, the UK, Kazakhstan, and the U.S. Tremendous computational power is required for Bitcoin mining, which even leads to power outages directly impacting electricity prices. Are there any studies to back this? What impact will this have on the environment and resources like power?
That is a very important point, and it is getting missed out in many conversations around crypto. I think this is one of the most important points on adopting crypto and the blockchain itself. A few months ago, I made a LinkedIn post to initiate a conversation with my network on this aspect. One study said that just with crypto mining, the global temperature will shoot up by two degrees centigrade by 2024. That is two degrees in two years, and it is a significant increase.
A Cambridge Institute study says that around 0.5% of global electricity production could be utilized by crypto mining. That is roughly the annual energy utilization of small countries like Sweden or Malaysia. That is how bad it is. And when you look at carbon emission, we have some data points, but of course, it needs further verification. I see a trend in terms of where all the numbers are. So, just for larger countries where a lot of this mining is happening, for instance, in China, they say that 130 million metric tons of CO2 is the net contribution.
I talked to a friend of mine running a carbon credit trading company. It is a listed company. I was surprised by the numbers he gave me. And very few know about these numbers. Look at it in terms of a single cryptocurrency transaction. You are running complex mathematical calculations to validate that transaction. This requires tremendous computational power, which consumes a lot of power. In terms of energy consumption, if you do a Bitcoin transaction, it uses the equivalent power to process two million standard credit card transactions. That is the energy it takes to watch up to 160,000 hours of YouTube videos. So, imagine YouTube servers running and consuming all that energy. You have to watch 160,000 hours of video for one Bitcoin transaction because you need certain numbers of confirmations to validate a transaction at the end of it. This transaction will replicate across all ledgers at the end of the day. So, by the time that replication happens, that is the amount of energy it will use. In simpler terms, it is equivalent to 70 days of the total energy that a typical U.S. household will consume for one Bitcoin transaction.
What impact could this have on the energy resources of a nation? How do governments address this?
I think we need to at least start talking about the problem. Awareness related to the environmental impact of cryptocurrency and crypto mining is not at the forefront. We need to discuss it, get different experts to provide their opinions, and formulate some policies. You must create a framework around it and involve the experts. For example, if you need to identify illegal crypto miners who use hundreds or thousands of machines for illegal crypto mining, you need to use data analytics for that. In Venezuela, for instance, they have a history of illegal miners, and because of this, they had a power crisis. So, they used data analytics to identify 100 miners and take legal action.
We need regulation and then analytics. I know India has a draft bill on cryptocurrencies. It will be interesting to see whether crypto mining is addressed in it — or is it just about trading cryptocurrencies, because mining itself is an important piece. This is especially true for India, where most of our power gets generated from non-renewable sources. Today, we are fast moving towards renewable sources. And I have seen that a lot of miners go towards colder regions. That is because less cooling is required, and it is a very thin margin kind of enterprise. So, if you can reduce your cooling bill, that is a lot of savings. It is generally concentrated towards colder regions of the world where they do that. I think governments need to proactively address this through various means.
Cryptocurrency exchanges are the new attack targets for hackers. A recent example is BitMart, which lost approx. $150mn in cryptocurrency assets. Attackers had stolen a private key and compromised two of the exchange’s hot wallets on the Ethereum (ETH) blockchain and the Binance Smart Chain (BSC), making off with approximately $150 million worth of assets, in a “large-scale security breach.”
What can the exchanges do to protect themselves and their users? What do users need to do to protect their hot wallets? Since these are not centrally regulated, what kind of legal provisions are in place to enable the exchanges to penalize attackers when they are traced?
We have seen how the big exchanges were brought down completely, and some went out of business overnight. And that is the weak link; crypto exchanges do not make only trades, but they are quasi custodians of your wallet, and they have access to your wallet because your private key is stored with them. It is on the blockchain, though. It is impossible to offer 100% protection for exchanges, because cyber is an area where you always have to plan for contingencies.
But I am reading more about the zero-trust model, which I think is valuable for exchanges. It is often an insider attack, or the attack vector is within the company, which gets exploited. It could be an employee or vendor who has access to maintenance. Or perhaps a developer writing the code for the trading platform has intentionally created some backdoors. There are incidents where ransomware hackers pay employees a commission of up to 20% to run a file on the server. You can never rule out insider involvement.
To address this, you need to look at independent custodians; for our capital market exchanges, we have CDSL (Central Depository Services Limited) and NSDL (National Securities Depository Limited) as independent custodians of our Demat accounts. That is where our shares reside. So, these independent custodians will ask us for an OTP verification for the transaction – and not the exchanges. Similarly, we could have independent custodian firms as custodians of the wallets. There could be a model where the offline wallets are with the end customer. And the offline wallet could automatically sync with the exchanges. So, the exchanges are not keeping your coins or tokens.
The offline wallet (cold wallet) could be backed up to a USB pen drive, laptop, or phone. It could be on a piece of paper. You could print out certain words, and that is your coin. So having a tiered approach to storing these coins is more secure. On the other hand, having all your coins with the exchange is risky because they also have your private key.
So, to strengthen their defenses, a zero-trust model with independent custodians, plus a hybrid wallet model, also de-risks the exchanges. Of course, that will result in some disruption to their business models. For example, some exchanges deposit your coins for an annual percentage return. This may not be possible in such cases, but the risk is far higher for an exchange that has your wallets online with them (hot wallets).
Are you suggesting a mix of cold and hot wallets? What else could be done to ensure resiliency and minimize downtime due to code vulnerabilities being exploited?
Yes, hybrid wallets. You have the wallet at the exchange keeping the user data, but then it gets transferred T+1 or end of the day to the user’s wallet (cold wallet), which resides with them offline. Both cold and hot wallets could be used during a trading session.
I think trading platform resilience is very important. That is always the case, with capital market exchanges or crypto exchanges. Trading platforms are high-frequency platforms, so you have millions of texts transmitted in one second, resulting in an order getting placed. The coding of that must be robust to facilitate the performance. But at the same time, looking at it from a security perspective is very important. It is about making sure every source code or application developed is reviewed thoroughly by multiple parties. Changes should be tracked from a security perspective, not just a functionality perspective. If something goes down, they should revert to the older version to ensure that the exchange runs. Crypto exchanges run 24×7, unlike our capital market exchanges, which shut down in the afternoon or the evening. Market exchanges have time for maintenance and upgrades. But that is more difficult for crypto exchanges since they run 24×7. So, they must have backup environments. And it’s slightly complicated, but by ensuring that the trading platform is thoroughly checked, they can provide defenses to implement two-factor at every stage. And when you implement a zero-trust model, a lot of that gets addressed.
What do you see as the big trends coming in 2022? What are the opportunities that exist?
I closely monitor the developments around quantum computing. Some companies are very close to building a retail version of a quantum computer. Whenever such a computer is available, it will transform this space overnight.
I also look at the zero-trust model and how it is evolving because I think that is a very good model to address all the challenges we face with our existing perimeter security and access control model.
I am also looking at the personal data protection regulation and the new challenges and opportunities that it will create. Compliance is a challenge for corporations trying to protect their data assets. It is also about individuals knowing their privacy rights and options if that data gets stolen or compromised.
There are opportunities too. The multinationals will have to build an infrastructure within India to address all the data-related challenges within the country (data residency). There is a huge demand for workforce and technology components, which India can address because we have a lot of talent. But we must see how different sectors adopt it. We already see financial services adapting to data localization, even though some companies take longer. I am seeing this with other industries such as pharmaceutical and life sciences, from data privacy and data confidentiality perspectives. Here they will focus more on protecting their IP and their data within the country. I see the measures they must put in place because these companies also deal with sensitive personal information of many people.
Take hospitals, for instance. Many U.S. hospitals have been impacted by ransomware in the past two years because they have sensitive personal data. Hackers know that they will not benefit much if they attack a steel company. But hospitals have critical data on which they rely for their operations, so the risks are higher.
In terms of technologies, we will see more use cases for blockchain. It will be used for transmitting documents and maintaining integrity, which is crucial.
Cybersecurity and forensics will also use blockchain. If you have an evidence chain of custody logs, how do you maintain the integrity and authenticity of that data? This is most important when something goes wrong. The insider threat is an area where companies will not trust a user because they are employees. They have to look at a customer, a vendor, or an employee, and observe how they behave. Based on that, they will profile the person and then create rules and access controls around the person’s behavior. Machine learning will play a key role because it is a rule-based analysis, and it cannot be done manually. All of this will be machine learning-based with human input for authorization. We will see more use of machine learning and artificial intelligence in cybersecurity. This is a space to watch out for.
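The chain-of-custody integrity question raised in this answer can be illustrated with a hash-chained, append-only log, the same linking idea a blockchain uses: every custody record commits to the hash of the record before it, so altering any earlier record breaks every link after it. The Python below is an added example and is not code from the interview, from CISO MAG or from Ankura; the evidence IDs, actors and timestamps are constructed sample values, and the `tampered_copy` helper is a hypothetical tamperer used only to show what verification detects.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first record


def _hash_entry(prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so identical content always hashes identically.
    payload = json.dumps({"prev": prev_hash, "entry": entry},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(chain, evidence_id, actor, action, note="", timestamp=None):
    """Append one custody event; the record commits to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "evidence_id": evidence_id,
        "actor": actor,
        "action": action,
        "note": note,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
    }
    chain.append({"entry": entry, "prev": prev_hash,
                  "hash": _hash_entry(prev_hash, entry)})
    return chain[-1]["hash"]


def verify_chain(chain):
    """Recompute every hash and check sequence numbers and links.

    Returns (True, None) if intact, else (False, seq) for the first bad record.
    """
    expected_prev = GENESIS
    for i, record in enumerate(chain):
        entry = record["entry"]
        if entry["seq"] != i or record["prev"] != expected_prev:
            return False, i
        if _hash_entry(record["prev"], entry) != record["hash"]:
            return False, i
        expected_prev = record["hash"]
    return True, None


def head_matches_anchor(chain, anchored_head):
    """Compare the current head hash with a copy stored outside the log.

    Rewriting the *last* record (with a fresh hash) passes verify_chain, so the
    head hash must be anchored elsewhere: printed in a signed report, published,
    or written to a separate system the custodian cannot modify.
    """
    return bool(chain) and chain[-1]["hash"] == anchored_head


def build_sample_chain():
    """Constructed sample log for a single evidence item (not real case data)."""
    chain = []
    append_entry(chain, "EV-0001", "analyst.a", "collected",
                 "laptop imaged on site", "2022-01-10T09:00:00+00:00")
    append_entry(chain, "EV-0001", "analyst.a", "transferred",
                 "handed to evidence locker", "2022-01-10T12:30:00+00:00")
    append_entry(chain, "EV-0001", "custodian.b", "received",
                 "sealed, bag #12 (constructed)", "2022-01-10T12:35:00+00:00")
    return chain


def tampered_copy(chain, seq, new_note, rehash=False):
    """Hypothetical tamperer: alter one record's note in a copy of the log.

    With rehash=True the tamperer also recomputes that record's own hash, which
    still breaks the link stored in the *next* record.
    """
    forged = copy.deepcopy(chain)
    forged[seq]["entry"]["note"] = new_note
    if rehash:
        forged[seq]["hash"] = _hash_entry(forged[seq]["prev"], forged[seq]["entry"])
    return forged


if __name__ == "__main__":
    log = build_sample_chain()
    anchor = log[-1]["hash"]          # store this outside the log
    print("intact:", verify_chain(log))
    print("edited note:", verify_chain(tampered_copy(log, 1, "handed to nobody")))
    print("edited + rehashed:", verify_chain(tampered_copy(log, 1, "x", rehash=True)))
    last = tampered_copy(log, 2, "unsealed", rehash=True)
    print("last record rewritten, chain still verifies:", verify_chain(last),
          "but anchor matches:", head_matches_anchor(last, anchor))
```

The two checks are complementary: `verify_chain` detects any edit to a record that has successors, while the externally stored head hash is what catches a rewrite of the most recent record, which is why a custody log of this kind is only as trustworthy as the place its head hash is anchored.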
About the Interviewer
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).