The Biggest Bitcoin ETF Threat No One Is Talking About

A majority of bitcoin ETF issuers have chosen Coinbase as a custodian, which is a concentration of risk. Even if that is the safest option, new cybersecurity standards are needed for making crypto custody truly safe.

Jan 11, 2024 at 10:41 p.m. UTC
Updated Mar 8, 2024 at 7:53 p.m. UTC

As I've waited with the rest of the world for the first bitcoin ETF to be approved, one thing has been gnawing at me: With a handful of exceptions, including Fidelity and VanEck, nearly every applicant for a spot bitcoin ETF intends to use Coinbase as its custodian.

David Schwed is chief operating officer of Halborn.

As a cybersecurity leader focused on blockchains, this concentration of risk, along with the inherently high-risk nature of crypto custodianship and the still-evolving nature of security best practices, gives me pause.

It’s not Coinbase itself that worries me here. The firm has never been hit by a known hack, which explains why so many traditional institutions trust its know-how. However, there is no such thing as an unhackable target – anything and anyone can be compromised, given enough time and resources, which is a lesson I've learned over a career at the intersection of cybersecurity and asset management.

What worries me is the extreme asset concentration in a single custodian. Given the cash-like nature of crypto assets, that concentration is inherently concerning.

It may be time to rethink the “qualified custodian” designation, a regulatory sign-off which in its current form doesn’t ensure that risky blockchain-based assets are actually (let alone optimally) secured. Further, digital asset custodians should ideally be subject to more oversight by better-trained regulators, under more rigorous state and federal standards, than they are right now.

Most qualified custodians today secure equities, bonds or digitally tracked fiat balances, all of which are fundamentally legal agreements: records of claims that can be frozen, reversed or reissued, so they can’t simply be “stolen.” But bitcoin (BTC), like cash and gold, is what’s known as a bearer instrument: whoever controls the private keys controls the asset. A successful crypto hack is like a bank robbery in the Wild West: as soon as the money is in the hands of a thief, it is simply gone.

So for a crypto custodian, one mistake is all it takes for the assets to disappear entirely.

We also know the forces of global crypto-crime are formidable and determined. To pick just one notorious example, North Korea’s Lazarus Group hacking cohort is believed to have stolen $3 billion worth of crypto over the past six years, and it shows no signs of stopping. Inflows to a bitcoin ETF have been projected at somewhere above $6 billion in the first trading week — making these funds a prime target.

If Coinbase winds up with tens of billions in bitcoin sitting in its digital vaults, North Korea can easily organize a $50 million operation to steal those funds, even if it takes multiple years. Threat actors like Russia’s Cozy Bear/APT29 group might also find going after institutional crypto increasingly appealing as those pools get bigger — potentially much, much bigger.

This is the level of threat that major banks prepare for. One widespread model of risk management for financial institutions, often called the “three lines of defense,” uses three layers of oversight. First, the business management layer designs and implements security practices; second, the risk layer oversees and evaluates those practices; and third, the audit layer makes sure that risk mitigation practices are actually effective.

On top of that, a legacy financial institution will have external auditors and external IT oversight, as well as numerous state and federal regulators looking over their shoulders. Many, many eyes will examine every aspect of risk and security.

But these multiple levels of redundancy and nesting failsafes require one deceptively simple thing: headcount.

During my time as global head of digital assets technology at BNY Mellon, the investment bank had roughly 50,000 employees, of whom around 1,000 – or 2% – were in security roles. Coinbase, even after recent expansion, has fewer than 5,000 employees. BitGo, also a qualified custodian certified by the State of New York and other jurisdictions, has only a few hundred.

This is not to impugn the intentions or skill of any of these organizations or their employees. But real oversight requires redundancy that these new institutions may struggle to provide at a level appropriate for securing tens of billions of dollars in bearer instruments.

Before those numbers get even bigger (and more enticing for the bad guys), it is well past time to refine the cybersecurity standards for qualified custodian designation. Right now, the designation accompanies trust or banking licensing, overseen by state and federal regulators. These are financial regulators largely focused on traditional banking, not cybersecurity experts, and certainly not crypto experts. They understandably focus on balance sheets, legal processes, and other financial operations.

But for crypto custodians, those aren’t the only kinds of oversight that matter, or even necessarily the most important. There are no industry-wide standards for cybersecurity and risk management practices by crypto custodians specifically, meaning that “qualified custodian” status isn’t quite as reassuring as it might sound. That exposes not just investors but an entire nascent sector to opaque risk with potentially dire consequences.

The approval of a slate of bitcoin ETFs is just the latest step in the continued integration of digital assets into the financial system. You don’t have to trust crypto partisans on that prediction – just ask BlackRock, a legacy giant that championed the ETF. As these developments continue, regulators truly interested in investor protection will focus on adapting to this new world: one in which rigorous cybersecurity standards are just as important to financial stability as honest disclosures and financial audits.

Disclosure


CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

David Schwed

David Schwed is the chief operating officer of Halborn. He previously served as the global head of digital assets at BNY Mellon and managing director and chief information security officer at Galaxy Digital.