The exploit began around 4:36 P.M. on Nov. 11, with the unknown attacker quickly converting the stolen stablecoins for ether (ETH), which was then sent to low liquidity but noncustodial exchanges including FixedFloat and ChangeNow before being converted to bitcoin (BTC), using the permissionless THORChain bridge.
This is an excerpt from The Node newsletter, a daily roundup of the most pivotal crypto news on CoinDesk and beyond. You can subscribe to get the full newsletter here.
“They will probably deposit the funds to a mixer or send to a sketchy service next,” noted ZachXBT.
The attacker better hope he can access a mixer to launder those funds soon — cause ever step of the way, at least under U.S. law, is a taxable transaction.
Hacks like this happen All Of The Time in crypto, and is likely only being discussed because of the alleged victim: world’s largest exchange Binance.The paltry sum, $27 million, may be part of the ingenuity of the hacker, who appears smart or experienced enough to know that had he kept the stolen funds in USDT the cache likely would have been frozen by the stablecoin’s issuer, Tether.
Speculation, at best informed guesses at this point, has it that someone who has or had inside knowledge of Binance’s operations might be behind the attack. As others pointed out, keeping millions and millions in a hot wallet (a wallet with a live internet connection) is asking for trouble.
According to on-chain data, the attacked wallet received $26 million from another Binance hot wallet called “Binance 16” on Nov. 5. This may speak to and against the Binance Insider theory, in that someone at Binance may be privy to know the wallet was recently topped up but also that, because Binance is a prime target for attacks, being something as a trophy for hackers, being the largest exchange and all, it’s likely the exchange’s hot wallets are monitored closely by would-be hackers.
Binance hasn’t confirmed or denied the attack, at time of writing. Binance's deployer wallet has been inactive since December, 2020, and the victim’s wallet isn’t necessarily Binance affiliated. However, on the Binance blog a pseudonymous contributor with an impressive posting history, named The Narrator, did write about the exploit, and said: “The victim's address is connected to the #Binance deployer.”
A Binance spokesperson confirmed to CoinDesk its security team is investigating the exploit.
Being as the hacker and victim are still unknown, this is a moment to reflect on a related and growing issue in crypto: taxes. This week is Tax Week here at Consensus Magazine, and we’re focused on the big, outstanding questions concerning taxation policies around the world for this nascent industry.
One of the biggest issues happens to be the tax implications for people and companies that fall victim to an exploit. It’s a massive issue, considering how frequently exploits happen across DeFi and in crypto generally. Just last week, one of the largest exchanges Poloniex confirmed it suffered a $114 million breach, for instance.
Poloniex said it’d make affected users whole, but that in itself raises important tax filing implications. When FTX, the fraudulent exchange run by a team of money launderers led by the recently convicted Sam Bankman-Fried, was hacked in November 2022, it added to FTX customers' worries.
See also: The IRS Should Heed This Warning | Tax Week 2023
“Under the U.S. tax code, claiming that a loss is the result of a theft is much more difficult than just saying it was a theft. A taxpayer generally needs to show that a criminal theft occurred,” Head of Government Solutions at TaxBit Miles Fuller wrote in a recent op-ed. Additionally, traders need to convince the IRS their activity was in service of gaining income and that a genuine theft actually happened — points that are complicated in the wider world of crypto, especially because exploits so often go unsolved.
Further, Fuller wrote, “taxpayers will still need to wait before deducting any losses because the losses are not deductible until there is reasonable certainty as to if or how much of a recovery will be made because that recovery reduces the amount of the loss that can be claimed.”
When hack victims receive restitution, how should they characterize it? What if an exchange decides to reimburse users using a token, a la Bitfinex in 2018? Token airdrops are generally considered to be income when received, a policy that many tax experts would like to update to the point airdrops are converted to other cryptocurrencies or fiat.
Finally, as a matter of course the recent hot wallet hack is a reminder of how burdensome current tax policy is for average crypto users. The exploiter made a series of transactions immediately following the hack — sending $2.7 million to 10 new addresses within eight minutes, according to Etherscan data.
Under U.S. law, each of those conversions from tether to ether are taxable events, as were the following conversions into bitcoin. It’s hard to feel sympathy for a thief, and right now it seems unlikely he’ll pay either way, but the trail of transactions is a reminder of how unsensible current tax policy is. The amount being laundered has mostly stayed the same, and yet with each hop a user’s tax bill grows.
This is one of the many reasons why cryptocurrencies have yet to catch on as a regular form of payment despite sharing many of the attributes of money. Many tax experts for instance argue that conversions should be considered “in-kind” payments or have de minimus restrictions around them.
In either case, it’s unlikely crypto or crypto hacks will disappear anytime soon. So let’s think hard about the tax implications.