Cryptocurrency - 14 questions from our webcast

We recently hosted a webinar with Astraea Group covering Cryptocurrency and fight against financial crime. Over the course of the discussion between AlixPartners' experts Mark Doughty and David White, and Astraea's James Ramsden QC and Nina Stewart, a number of questions came in from attendees. We have answered these below.

1. I've heard of people "losing" bitcoin because they physically lost their physical storage device (CD-ROM, USB stick etc) on which it was stored. Is this still an issue with with the distributed ledger?

When you hear about "lost" Bitcoin, it is the Private Keys which are actually lost. A Private Key is a digital code which is used to mathematically unlock the unspent coins previously sent to a Public Key (or Public Address).

To "spend" your Bitcoin, you use your Private Key to prove you "own" the public address and transfer the value to a new public address, and the public ledger stores the transaction. If you lose your private keys and are unable to recover them with your wallet software, then you will never be able to unlock and access the value that is stored. Essentially you have lost the Bitcoins forever.

In the situation you describe, it's as if you lose the keys to your car, rather than the car itself. And, as bitcoin does not have a central authority (like a bank, or, to continue this analogy, a car manufacturer), in this situation there is nobody who can create a new car key for you. As the car cannot be unlocked by anyone, it is as good as "lost".

2. If cryptocurrencies are property, is a gain subject to capital gains tax (CGT)?

Whether cryptos are subject to CGT is dependent on your jurisdiction and how the crypto is held. In the US the IRS does consider most cryptos as property and levies CGT in the same manner as any other property. There have been interesting developments recently where Exchanges have been disclosing data to Tax Authorities so they can identify people who should be paying tax.

Likewise in the UK, if you hold cryptocurrency as a personal investment, you will be subject to Capital Gains Tax rules. This means that you are taxed on the capital gain at the time the cryptocurrency is disposed of (e.g. sold, traded, used for a purchase, etc.). The capital gain is the difference between the GBP value of the disposed asset at the time of the disposition minus the GBP value of the disposed asset (how much you paid for it) at the time it was acquired. If you trade cryptocurrency as a business activity, income will be subject to Income Tax rules.

3. What are the main implications of treating a crypto asset as property rather than currency? Should its treatment as currency not ensure a tighter regulation and higher customer protection?

The classification not only determines which laws apply and how it is regulated, it can have a significant impact on how the asset is treated in liquidation or claims settlement. You can read more about this is in David White's recent article.

4. Could an arrangement be established to give a creditor (e.g. a lender) a security interest in a holding of cryptocurrency, i.e. an arrangment whereby (a) in specified agreed circumstances (e.g. default under the loan) the creditor/lender can dispose/transfer/sell the holding - without needing any action/co-operation by the borrower/owner but (b) in all other circumstances (eg no default) the borrower/owner retains control?

Yes, there are several mechanisms for accomplishing this. They differ depending on which cryptocurrency you are working with. With Bitcoin (BTC) you can use the 'pay to script hash' function in creative ways and with Ethereum (ETH) you can develop a smart contract. Also, this is how most Decentralized Finance (DeFi) lending works. You can also use traditional trust mechanisms.

Because crypto is regarded as property you can in theory apply all the conventional security apparatus to it – but in practice mortgages and liens are very difficult to enforce. Holding subject to a trust structure does, in contrast, work well so long as it is a proprietary trust, meaning you have a legal and equitable right to the trust property. In that way dispersal of the crypto into multiple wallets or trading structures still allows you to trace.

5. Has anyone resolved the apparent conflict between blockchain's immutable ledger and GDPR's requirement that a subject can be forgotten?

There is no real conflict in this regard. GDPR only applies to personally identifiable information and most blockchains are specifically created not to store any such information. There are also exceptions and limits to the GDPR (and most other similar privacy regulations) that allow for the retention of information where not technically feasible to delete it. Any personal information stored on a public blockchain was submitted with the users consent and knowledge that the information would not be able to be deleted in the future as it will always be needed to ensure the legitimacy and accuracy for the ledger. Individuals have the right to have their personal data erased if the personal data is no longer necessary for the purpose which it was originally collected or processed for, and here it still needed.

Finally, its unclear if GDPR or local member state laws even apply to most blockchain ledgers in this way. Their decentralized natures mean there is no "controller" or "processor" within the jurisdiction of the regulators on while they can enforce such legislations. Who do you even ask to delete your records from the Bitcoin ledger?

6. I presume that crypto assets constitute part of the matrimonial estate or the probate estate, but is there a standard method of a) searching for and discovering its existence; and b) dealing with it upon a divorce or death ?

Crypto assets are an increasingly important part of contested matrimonial proceedings. The most effective detection tools are the conventional comms used either in the setting up of the crypto account or wallet, or in converting its content back into fiat or other tangible assets.

So far as estate planning is concerned, knowing where the wallet or hash codes are is essential. They are analogous in many ways to a bearer share. There needs to be a reliable and independent custodian of them – but they need to know what they are and what value is in them if they are part of the Regulated sector for anti money laundering (AML) and counter terrorism financing (CTF) purposes.

There is no real way to detect these if the holder is actively trying to keep them secret.

However, we deploy a number of forensic means to uncover artifacts of cryptocurrency trading activity both on and off the blockchain ledger. These can include searching personal devices such as phones and laptops for forensic evidence to identify wallets, addresses, or communications with exchanges. With some information to start with we are often able to trace assets to an exchange and obtain records from them to substantiate a claim.

The up side, is that the ledger is a permanent record and once a trail is identified it is almost impossible to refute. But without some breadcrumbs and movement, assets can be easily hidden in cold storage without ever being detected. There are billions of dollars worth of bitcoin assets sitting in wallets the ownership of which is known solely by the holders.

7. What are the key considerations for individuals considering investments in cryptocurrency given the regulatory uncertainty?

The volatility in cryptocurrencies certainly means you will need a strong stomach. As new and refined regulation comes in, the implications on the values could certainly shift. I think an important consideration is why you are investing and what the specific token you're investing in actually does. The purpose and use of a token will impact the regulatory scrutiny it comes under. It’s also important to consider who is actually holding the asset you are investing in. Most fraud schemes involve assets held on behalf of the investors which are then squandered or which turn out not to exist. For these reason due diligence on the parties you are dealing with is paramount.

8. How would law enforcement agencies manage and hold confiscated crypto

The most secure way for law enforcement to hold confiscated crypto is in a Cold Wallet (i.e. a wallet which is not connected to the internet). Access to the Cold Wallet would obviously need to be very tightly controlled. The real challenge for enforcement authorities is getting the crypto to be confiscated transferred to a wallet under their control. This means gaining control of the private keys and executing a transaction. As you can imagine, this is often quite difficult.

9. Could someone keep hacking away at a public address ie guessing the private key until they get it right? Does quantum computing make this more likely? Thanks.

Theoretically the answer is yes - you could simply keep guessing a private key until you get it right. However, this would take billions and billions of years on current computers.

Quantum computers pose an existential threat to the asymmetric cryptography currently used for blockchains and all other applications. Using an algorithm first described by the mathematician Peter Shor in 1994, nearly all asymmetric encryption will be able to be solved with quantum computing. Fortunately we can also expect to get quantum encryption at the same time.

It is important to note that, not all cryptocurrencies use simple asymmetric encryption. For example, Bitcoin uses asymmetric encryption for pay-to-public-key (P2PK) transactions where the public key is visible on the ledger and therefore the private key will be able to be derived with quantum computing. However, most of the recent transactions on the bitcoin ledger rely on pay-to-public-key-hash transactions (P2PKH) or pay-to-script-hash (P2SH) functions that do not display the public key on the ledger and which will not be compromised by quantum computing as easily, unless the address has been reused in the same way as it was previously. This means that presently, about 25% of the Bitcoins currently held are vulnerable to a quantum attack. Other cryptos may also be vulnerable if they use straight line asymmetric cryptography.

10. Can you expand on “smart contracts”?

Smart contracts are computer programmes which run on decentralised networks. The computer code is written on the ledger (or blockchain) and therefore can't be changed once agreed to. The computer programmes are designed to perform actions when certain conditions are met and therefore introduce autonomy. Programmable Money is one use case

11. When it comes to tracing, how will regulators deal with assets being converted to privacy coins such as Monero or other cryptoassets that use ring signatures/transactions etc and are effectively "untraceable?"

The privacy-oriented cryptocurrencies have built-in anonymity and privacy features that make it nigh on impossible to trace funds back to a particular user or successfully seize funds present in a cryptocurrency wallet. Criminals use these currencies in different kinds of malware and DDOS extortion attacks to launder money.

Monero employs a particularly unique design to ensure user anonymity, including always-on, enforced privacy. Unlike other anonymity-enhanced cryptocurrencies, Monero uses enforced privacy-by-default for all transactions so that no user can accidentally or deliberately be traceable or insecure. These built-in obfuscation techniques are what draw in privacy advocates and criminals alike.

While more difficult to trace, many of the same analytics techniques used for other cryptos still work on privacy-oriented ones. These include tracing methodologies based on simulation techniques and Bayesian approaches, statistical and probabilistic methods for clustering likely owners and the use of third party nodes and participation in the Monero network to gain intelligence.

We have deployed forensic tools to investigate forensic artifacts these cryptocurrencies leave behind on computer systems. For example, we examine different sources of potential evidence like the volatile memory, network traffic and hard disks of the system running the cryptocurrency software. These artifacts vary from mnemonic seed phrases and plain text passphrases in the volatile memory to indicators of the use of a cryptocurrency in the captured network traffic.

12. What do you think of Non-Fungible Tokens (NFTs) and what that means for Digital Art? There are claims that they harm environment and that things bought as NFTs can simply be duplicated.

NFTs are a very interesting use of blockchain technologies and will likely become one of the most significant use cases in years to come as they can be used to track all manner of collectible and valuable items and to help combat digital piracy and counterfeiting. Yes, NFT art can be copied but the key is that the original is always cryptographically provable as the original and copies as copies, so the originals retain value while the copies do not.

13. If you can't transfer denominations of cryptocurrencies, how do people transfer denominations of Bitcoin?

The mechanics of Bitcoin mean that when you "spend" Bitcoin, what actually happens is that you spend a previous payment which someone made to you. It is this previous payment which must be spent in its entirety, but the non-spent component (i.e. "the Change") gets sent back to your wallet. As an example, if I had sent you £10 and you then wanted to send £8 to a friend, you would "spend" £10 where £8 would be sent to your friend and £2 would be sent back to your wallet.

14. If you're a victim of a ransomware attack - what information do you have to trace the crypto paid in ransom?

If you were to make a ransom payment to a public address then you would know both the public address and the coin (or token) in which you paid. Once you have the public address, you can then investigate to see all the transactions associated with that address, where the transactions came from and where they go to. You may not be able to directly identify the culprits from the receiving addresse(s). However, if they want to spend the ransom, they will eventually need to move them to an exchange to convert them to spendable fiat currencies. It is this activity that can often disclose their identities. While most criminals will go to great lengths to obfuscate their activities, we have rather robust forensics means to overcome many of these.

Depending on the coin used, you would have different options as to how you could trace the funds. For example, coins like Monero are much harder to trace than Bitcoin.