Introduction 240 A. Technological Background 240 B. The Growing Problem of Cryptotheft 242 C. Forays into Criminal and Civil Prosecution 243 I. Applying the DTSA 246 A. Is Cryptocurrency Really a Trade Secret? 247 B. Benefits of the DTSA Structure 248 1. Criminal and Civil Liability 248 2. Ex Parte Seizures 249 3. Confidentiality 250 4. Cybersecurity as a Prerequisite to Civil Protection 252 C. Superiority of the DTSA over Other Legal Schemes 253 II. Obstacles to Prosecuting Cryptotheft 255 A. Extraterritoriality of the DTSA 255 B. The Technical Challenges of Finding and Returning Stolen Cryptocurrency 257 Conclusion 259 INTRODUCTION
This Comment intends to advance a novel law for prosecuting the theft of cryptocurrency--the Defend Trade Secrets Act of 2016 (the DTSA or the Act). The DTSA is a powerful legal tool for combatting this difficult-to-define crime. Beyond the conceptual applicability of trade secret law, the confidentiality, extraterritoriality, and other uniquely tailored features of the Act make it practically useful. This Comment suggests this nonexclusive tool for prosecuting cryptocurrency theft and will not explore the many other ways that cryptocurrency may be regulated.
After explaining the technology of cryptocurrency, I will describe the growing threat posed by cryptotheft. I will briefly survey the legal tools currently used to deal with the theft of cryptocurrency. I will next propose that the DTSA should be used to prosecute, both civilly and criminally, the theft of blockchain-based currency. The DTSA includes a host of valuable features that make it particularly attractive and effective for both the government and individuals prosecuting cryptotheft. I will briefly compare the Act to other possible schemes for prosecuting cryptotheft. Finally, I will conclude by noting the challenge of applying American law to foreign actors and the technical difficulty associated with tracking and retrieving digital coins.
Cryptocurrencies are taking the financial world, and with it the regulatory world, by storm. (1) These relatively new technologies, many of which are described as "decentralized ledger technology" (DLT), revolutionize the way both information and money are stored. (2) Blockchain technology has formed the basis of a new wave of purely digital currency, beginning with the now ubiquitous Bitcoin. Like similar blockchain technology, Bitcoin provides "a way of recording and reconciling every transaction that has ever occurred, between every single participant, going back to the beginning." (3) This technology, while providing an exciting opportunity for investment, speculation, and innovation, also creates many new opportunities for exploitation. (4)
Bitcoin has existed since the mysterious Nakamoto paper was published in 2009, (5) though it is predated by a few lesser-known online currencies with similar ledger systems. (6) In 2009, the public began "mining" Bitcoins, a process by which new coins are created. (7) Mining takes progressively more computing power with each new Bitcoin created, with only a finite number of possible coins. (8) In 2010, 10,000 Bitcoins were exchanged for two pizzas--the first known sale. (9) In 2011, the first rival cryptocurrencies appeared, each attempting to offer a subtle but unique advantage, and these rivals have since multiplied into the thousands. (10)
Bitcoin, as an embodiment of blockchain technology, consists of a "shared database populated with entries that must be confirmed and encrypted," much like a shared document with each entry logically connected to every entry before. (11) This creates a secure log that, in the case of Bitcoin, is stored collectively (12) Owners of cryptocurrency do not actually possess their coins, which are stored in the blockchain--the agnostic public registry of all transactions. To designate ownership, Bitcoin owners rely on public and private keys: the public key is used to receive Bitcoin and can be safely published anywhere, while the private key is used to send Bitcoin and must be secured and protected. (13) Both keys allow users to access their portion of the blockchain, and are stored in one's digital wallet. (14) This information can be stored using a web-based (hot) wallet, or when large cryptocurrency values are at stake, in a more secure offline (cold) wallet such as a USB drive. (15)
The Growing Problem of Cryptotheft
Hackers targeting cryptocurrency have stolen massive sums of money, and these heists are only growing larger. In January of 2018, 500 million XEM (a blockchain-based currency)--worth $533 million--were lifted from a Japanese cryptocurrency exchange. (16) This was just one of "[a]t least three dozen heists on cryptocurrency exchanges since 2011" with over 980,000 Bitcoins stolen and few recovered. (17) The largest prior cryptoheist caused the bankruptcy of Mt. Gox, a Tokyo-based exchange, and led to an international collapse of cryptocurrency prices. (18) The 2018 XEM theft hardly impacted the cryptocurrency market--a statement of the world's increasing dependence on cryptocurrency. Given that cryptocurrencies are here to stay, it is concerning that "[h] ackers have compromised more than 14% of the Bitcoin and ether supply," and that "crypto hacking is a $200-million annual revenue industry" (19) This form of crime has cost companies and governments $11.3 billion in illegitimate transactions and lost tax revenue. (20)
Hackers not only target individuals and exchanges that hold Bitcoin, but they go after cryptocurrencies before the coins even reach the public, stealing directly from Initial Coin Offerings (ICOs). (21) This can be done via "denial of service attacks, hacking web applications and exchanges, and breaching the accounts of people linked to companies running the ICOs."22 And while American policing authorities have responded lethargically to this growing body of cryptothreats, private institutions are beginning to fill the void. For instance, "[m]ajor global insurers are starting to offer protection against cryptocurrency theft." (23) This is no light task for insurance companies: "the challenge is how to cover those risks for customers they know little about, who use technology few understand and represent a young industry that lacks troves of data insurers usually rely on in designing and pricing coverage." (24)
Forays into Criminal and Civil Prosecution
Because cryptocurrency theft involves the unauthorized discovery of an owner's private key, it is difficult to legally characterize as theft. The private key itself has no value, beyond unlocking access to however many Bitcoins the owner may possess under that key. Law enforcement has been demonstrably skeptical of pursuing investigations of cryptotheft, likely in part because Bitcoin is not by definition currency (25) and its theft does not fit into a neat legal box.26 In one report from 2011, the FBI referred to a hacked and pilfered cryptocurrency platform as an alleged "computer intrusion," rather than theft. (2)'There have been multiple instances of FBI investigations, but it is unclear if the investigators take this form of crime seriously (28) The
FBI has shown more willingness to pursue action against those who redistribute Bitcoin without a license to do so, (29) or against those who employ ransomware to remotely lock computers. (30) The FBI and other relevant authorities should and likely will pay increasing attention to cryptotheft. In support of increased prioritization, a report from President Obama's Commission on Enhancing National Cybersecurity found that "we must move the responsibility for (or burden of) cybersecurity away from individual enterprises and citizens, and handle it at higher levels for everyone's benefit." (31) Criminal actions have only tangentially circled the field of cryptotheft. For example, in January of 2018, a federal prosecutor brought criminal charges of wire fraud against a Chicago trader who allegedly stole $2 million worth of his firm's cryptocurrency holdings for personal use. (32) He then lied to the firm's management about the location of the company's cryptocurrency and his own trading. (33) Although this was one of the first known instances of direct federal prosecution of cryptocurrency theft, it seems more closely aligned with prosecutions of corporate misappropriation. In a similar 2018 case, the Commodities Futures Trading Commission pressed charges against a defendant corporation for "misappropriating over $6 million from at least twenty-eight customers by transferring customer funds into personal bank accounts, and using those funds for personal expenses and the purchase of luxury goods." (34) The case was about misrepresentation, consumer abuse, and unfair practices, not theft. These examples fit a trend among known prosecutions: none embody the paradigmatic case of cryptotheft characterized by offsite hacking by a third party with the goal of obtaining access to an entity's wallet to steal its private key and designate new ownership of its cryptocurrency. There is an ever-growing need to prosecute the direct theft of cryptocurrency, as thieves have gone so far as to engage in home invasions in pursuit of cryptoassets. For example, in Britain, armed men broke into the home of a cryptotrader and forced him at gunpoint to transfer his assets. (35)
Federal prosecutors recently brought charges of "operation of an unlicensed money service business," "conspiracy to commit money laundering," "money laundering," and "engaging in unlawful monetary transactions" against a Russian national, Alexander Vinnik. (36) Vinnik operated a Bitcoin currency exchange, known for illicit dealings, which helped launder Bitcoin stolen from Mt. Gox. (37) Despite a competing extradition request from Russia, Vinnik will face trial in the United States. (38) As evidenced by the charges, Vinnik's prosecution turns on his conversion of illicit Bitcoin into...