The Cryptopia Nightmare Drags on as Liquidators Struggle to Reimburse Hacked Users

As the cryptocurrency market finds its legs in mid-2019, an unfortunate undercurrent persists vis-à-vis thefloundering New Zealandexchange Cryptopia. Its one-time international popularity and solid reputation have already been ruined after the exchange dragged its feet on revealing a January hack, which cost its users somewhere in the region of $16 million in cryptocurrency drained from Cryptopia wallets. However, it was not long before new obstacles emerged in the way of an eventual settlement.

Optimism surrounding the reimbursement of these funds to customers is now dwindling, as appointed auditing and liquidation firm Grant Thornton recently indicated “the process of recovering data and determining how to make distributions to account holders will take some months at least.” With similarly guarded language, Grant Thornton executive David Ruscoe commented via a press release that his firm “will conduct a thorough investigation, working with several different stakeholders including management and shareholders, to find the solution that is in the best interests of customers and stakeholders.”

New information has been uncovered in the last week, however, and it’s now more apparent why the wait has been so interminable.

An international tangle

Despite the fact that the blockchain ledger’s open-book transparency has made it clear which cryptocurrency wallets hold the majority of stolen funds, the identities behind Cryptopia’s hackers are difficult to determine. Sadly, the same goes for the other side of the equation as well. Matching individual customers to the funds owed to them is proving harder than anticipated.

The filing from May 24 to the Bankruptcy Court in the Southern District of New York (SDNY) clearly illustrates that liquidators don’t yet know who is owed money, nor do they yet have the ability to begin remunerations.

The filing for emergency provisional relief first of all asks the court to recognize the New Zealand liquidation process and furthermore to issue an order preserving a specific SQL database. Held exclusively on Arizona servers, this data contains vital information that can reconcile individual holdings with the currencies held by (and stolen from) Cryptopia.

Grant Thornton itself admits that the recovery of funds will be “impossible” without this data. These facts cater for a messy situation with many moving parts, in which the repayment of international customers of a New Zealand-based cryptocurrency exchange hinges on the willingness of a federal court in the United States to force a domestic data company to comply with data release requests. The chief communications officer for international noncustodial crypto swap platform ChangeNOW, Pauline Shangett, told Cointelegraph:

“The crypto market is still in its adolescence, and the traditional legal system is not sufficient when it comes to enforcing the rules. This problem has two possible solutions. Either the space moves on to being fully decentralized and self-regulated, or it adopts the best practices of regulators. The former might lead to anarchy as cases like Cryptopia’s have a chance to happen again, which would hinder mass adoption.”

The chaos that has ensued after Cryptopia’s hack evidences the incapacity of established legal entities to promptly respond to fraud in the cryptocurrency space. Cryptocurrency permeates borders and therefore easily creates problems that have international implications — but cleaning up after a negligent actor requires time and labor, and at a greater magnitude. Given the technology available for exchanges to secure their infrastructure, this would seem a moot point.

Kamil Gorski, CEO of smart contract auditing and blockchain security firm Blockhunters, spoke to Cointelegraph and noted:

“There are numerous tools exchanges could use to prevent these kinds of hacks, but they aren’t legally obligated to use them. These include blockchain analysis tools that track stolen funds, AI-based mechanisms that halt payouts when triggered, and even manual code audits that track bugs in software and address threats and vulnerabilities.”

By Gorski’s estimation, the lesson learned from Cryptopia is that over the long run, “this approach can end up biting them, and more importantly their users, in the a–.”

This blasé attitude toward security features creates a paradoxical situation that stems from the lack of investor protections that could otherwise be provided, for example, by an equity broker. However, centralized exchanges like Cryptopia are liable when their platforms are breached, even if they go to great lengths to avoid responsibility.

U.S. investors take the biggest hit

One notable circumstance that lends a new tint to the liquidation situation is the fact that Cryptopia’s holdings were largely made up of money of American users.

If anything, just because of that, the SDNY could be persuaded to assist Grant Thornton and New Zealand. U.S. account holders made up the largest slice of the Cryptopia userbase and also accounted for the majority of exchange’s revenues. This fact casts light on some often unaddressed issues with how cryptocurrency exchange services are administered worldwide.

Firstly, a New Zealand exchange deriving most of its profits from Americans could be a sign for concern, as this may also be relevant to other exchanges (and regulators) as well. Second, it’s interesting that a white-shoe legal firm is the only safety net for a bevy of international customers participating in the “decentralized revolution,” but this irony is compounded by the third concern: Few have sounded the alarm about Cryptopia’s decision to host what is arguably its most sensitive data with an outside service — which is nowasking for $2.6 million to release it. Crypto commentator Stephen Palley posted regarding this:

“A Chapter 15 filing is a way to get US bankruptcy court to give effect to a foreign bk/liquidation proceeding. This gives the company the ability to ask the BK Court to order the company’s AZ based database provider to preserve the data. It’s funny how easily this trustless decentralized narrative ends up in court with a white shoe law firm asking a federal judge to order preservation of a SQL database.”

This is what required the hiring of Grant Thornton in the first place, but it also draws attention to the very real fact that other supposedly safe exchanges may be practicing negligent data custody at the expense of customers.

The Cryptopia saga has pulled back the curtains on many of cryptocurrency’s weak points, especially the centralized model relied upon to build momentum for the bull markets today and in the past, and one that is still used. As the bull marches on, events like these provide a sobering contrast, but it’s now unarguable that investors and enthusiasts should be paying even greater attention to them — just as much as they do the charts.