It's bad enough having bitcoins vanish if the price drops on the ones you own — and it's been moving around a lot in January 2018. But what if your bitcoin account is hacked? Or you lose the password to your account?
More than 980,000 bitcoins have been stolen from online bitcoin exchanges since 2011. With bitcoin prices ricocheting between $10,000 and $17,000 so far in January 2018, that's between $9.8 billion and $16.6 billion in pilfered cryptocurrency. Two-thirds of that total was stolen during one massive attack on the Japan-based bitcoin exchange Mt. Gox in 2014.
The Mt. Gox disaster serves as a warning to newbie bitcoin investors who blindly put their trust — and tens of thousands of dollars of hard-earned cash — in fly-by-night online bitcoin exchanges hosted halfway around the world. Years after hackers emptied 24,000 individual Mt. Gox bitcoin accounts, none of the victims have received a single cent. And thanks to a messy tangle of international lawsuits, they probably never will.
Before we explain why it's nearly impossible to recoup lost or stolen bitcoin, here's a quick bitcoin primer. Bitcoin is an unregulated virtual currency or "cryptocurrency" that's run on a global, peer-to-peer computer network. To own bitcoin, you must create a bitcoin wallet on your computer, phone or on an external hardware device. What's confusing is that you don't store any actual bitcoin in your wallet.
Instead, when you create the wallet, you're assigned a 64-digit private key. That private key is what allows you to buy and sell your bitcoin or send and receive bitcoin from other people. In other words, the private key is everything. And as many early investors in bitcoin have painfully realized, if you lose your private key, you lose your bitcoin.
I Lost My Key
According to estimates by Chainalysis, a security software company for bitcoin, between 2.7 and 3.7 million bitcoins are out of circulation because their owners lost their private keys on old hard drives and forgotten scraps of paper back when bitcoin was worth only pennies. There's supposedly a landfill in the UK containing a single trashed hard drive with a private key for more than 7,500 bitcoin — that's around $100 million today.
The good news is that most bitcoin wallets that you load on your phone, computer or an external device like a hardware wallet come with a 24-word recovery seed that can restore your private key if your device is lost or stolen. Bitcoin owners are encouraged to write the recovery seed words on a piece of paper (digital copies can be hacked) and store it somewhere safe. Like an actual safe.
If you lose your private key and recovery seed, your bitcoin is gone. OK, that's not totally true. Your bitcoin still exists — recorded for eternity on the shared virtual ledger called the blockchain — but you'll never be able to touch it again. Sorry, but that's on you.
Here Come the Hackers
But what if it's not your fault at all? What if, like the victims of the Mt. Gox attack, you (foolishly, maybe) trusted the sanctity of your private key to an online bitcoin exchange, and hackers came along and stole it? Is there any recourse for getting that bitcoin back?
One big technical issue with storing your bitcoin on online exchanges is that they don't give you a copy of your private key, explains Andrew Miller, a cryptocurrency and computer security researcher and professor at the University of Illinois Urbana-Champaign. So, there's no backup copy stashed away in a safe deposit box in case the exchange is hacked.
Then there are the legal obstacles.
Marc Wites is a Florida attorney who helped bring a class-action suit in 2016 against Cryptsy, a U.S.-based online bitcoin exchange that was hacked in 2015 and robbed of around 13,000 bitcoin. Cryptsy subsequently filed for bankruptcy and claimed it couldn't repay the victims of the hack.
A judge ruled that Cryptsy CEO Paul Vernon and his associates illegally funneled money from client accounts and ordered Vernon to pay $8.2 million to the class of plaintiffs. The problem is that Vernon fled to China and is unlikely to ever pay up. His ex-wife settled and agreed to forfeit a home and other assets valued at more than $1 million to partially reimburse the victims.
Wites says that civil class-action suits are one of the only effective ways to recoup stolen bitcoin, but even those are hard to come by, for two reasons. First, many exchanges are based outside the U.S. and require that suits be brought in foreign courts. Second, most exchanges make users sign terms and conditions that include forced arbitration of all disputes. Cryptsy was one that didn't.
What about criminal charges? Wites says that victims of bitcoin theft are free to file a claim with the police, the FBI or the Securities and Exchange Commission (SEC), but that authorities are unlikely to pursue cases involving a $10,000 or $20,000 loss. Most states don't even recognize bitcoin as legal tender, which further complicates criminal prosecutions.
"If someone steals money from your PayPal, you have ways to recover it. The police will get involved," says Ana Maria Dascalescu with Heimdal Security. "With bitcoin, it's a free-for-all. There's no government that's going to step in, no banks that will vouch for it. The responsibility falls on the user alone."