Securing Cryptocurrency
Ed Amoroso summarizes a recent technical conversation with CipherTrace about protection of cryptocurrency ecosystems.

I once saw a colleague rip into a regulator for uttering (what was purported to be) the dumbest statement ever. The regulator had dared to say that security ROI was best calculated from a baseline with zero controls. That is, by adding security to an empty starting point, ROI could be perfectly measured. My colleague called this statement ridiculous, citing that no such baseline could ever exist: There are always some security controls.

Well, my colleague was partially wrong, because an environment does exist with basically zero security controls: It’s called Cryptocurrency. That is, if you buy, hold, sell, trade, or otherwise amuse yourself with currencies like Bitcoin or Ethereum, then you are operating without the usual types of security controls. Yes – the currency algorithms obviously use cryptography, but don’t expect much else: You’ll basically find nada here on security.

With this in mind, it was great to spend time last week with John Jefferies, the new Chief Marketing Officer of CipherTrace, a San Francisco-based start-up that specializes in anti-fraud and security solutions for cryptocurrency. I was keen to learn how emerging exchanges, digital wallets, and related offerings could be made sufficiently secure to warrant the kind of growth touted by so many enthusiasts. Here is a summary of what I learned:

“Our goal at CipherTrace is to make cryptocurrencies safe and trusted,” Jefferies explained, “and there are several dimensions involved. First, users of cryptocurrency must follow best practices to prevent theft from criminals or even exchange owners. Passwords for wallets must be carefully stored, and multi-factor authentication other than SMS is critical. And exchanges must be vetted based on reputation, location, and experience.

“But, in addition, cryptocurrencies must be protected from criminal and terrorist usage to support illegal and malicious activity. And this is our main focus at CipherTrace. We develop commercial technology controls that are designed to help secure the cryptocurrency ecosystem from such nefarious activity. To that end, we work closely with government agencies to address these threats, and we help build public confidence in cryptocurrency.”

To accomplish this goal, the CipherTrace team immerses itself in ongoing cryptocurrency-related activity and blockchain forensics. They manage virtual accounts, operate Bitcoin nodes, and continually engage in day-to-day tasks that support a knowledge base from which real-time intelligence can be derived. And with regulations increasing in the US, EU, Japan, and other countries, such intelligence provides powerful context to reduce risk.

Now, I could easily imagine how a firm like CipherTrace might engage directly with law enforcement or regulators on specific project-related engagements. But I wanted to understand the commercial possibilities of their offering. I asked Jefferies to make things more concrete by explaining the specific products and services CipherTrace provides – and I was delighted to learn how commercially significant their solutions appear to be.

“CipherTrace customers can purchase an annual subscription, which gives them access to our user interface,” Jefferies said. “Our UI provides them with a window into our rich data and intelligence to support actions such as transaction-tracing so investigators can follow the money. Customers can also purchase access to our API, which supports real-time risk-rating of activity, deep-diving for investigations, and support for compliance monitoring.”

Categories of CipherTrace customers include the exchanges and funds trying to prevent money laundering, financial investigators focused on detecting criminal activity, banks and financial institutions who must prevent malicious actions and avoid liability, government auditors trying to measure and monitor risk, and cryptocurrency researchers developing new anti-fraud techniques and clustering algorithms based on blockchain evidence.

I asked Jefferies about the learning curve for cryptocurrency fraud investigators and users, and the question resonated with him: “We include a training program for customers that is taught by a former intelligence officer,” he explained. “Cryptocurrency relies on non-trivial underlying technology, so it can certainly represent a challenge for anyone trying to understand how it all works. We believe this will improve over time as crypto becomes mainstream.”

From the perspective of an analyst, I'd say that the CipherTrace platform looks like a winner. The growth of the underlying cryptocurrency ecosystem certainly appears to be both inevitable and significant. As a result, the commercial opportunities here would seem limitless. Founded by a team of experts, including Dave Jevans, well-known as Chairman of the Anti-Phishing Working Group, the company looks well-positioned for growth.

If you work in one of the customer categories mentioned above, then I cannot imagine why you wouldn’t be in touch with CipherTrace immediately. Their intelligence would seem essential for investigators or regulators, and their API provides a means for automating controls. And if you are like the rest of us, wondering whether cryptocurrency will ever reach its full potential, then recognize that CipherTrace is part of the success equation.

Let me know what you think.



 





