coinbase-news

It’s not about competition when it comes to crypto security

By Matt Muller, Head of Security Operations, Coinbase

At Coinbase we believe that a healthy and safe crypto industry is critical to growing and maturing the cryptoeconomy. Malicious threats against any crypto business are bad for the industry as a whole, not only Coinbase.

That’s why it’s important to have a community mindset when we see security threats in the wild. As they say, rising tides lift all boats.

Security incidents aren’t unique to crypto but when they happen, the crypto industry has the unique advantage of being able to immediately analyze how stolen funds have moved on the relevant blockchains. This allows us to work with each other to freeze funds and return stolen assets to victims.

Earlier this month, Poly Network, a cross-chain DeFi protocol, and Liquid, a Japanese crypto exchange, reported sophisticated cyberattacks against their platforms. In both of these cases, Coinbase rapidly mobilized our teams to scope the situation, provide analysis and international cross-team collaboration to determine and mitigate the impact on the crypto industry (to be clear neither attack impacted the Coinbase threat platform.)

Coinbase works with industry partners to offer intelligence analysis on attacker tactics, techniques and procedures (TTPs), as well as blockchain analysis. For example, we regularly help connect victims of cyber intrusions (whether crypto exchanges or decentralized finance (DeFi) projects) to the appropriate communication channels with the rest of the virtual asset service provider (VASP) community to make sure swift and decisive action is taken.

Our specific responses depend on the type of attack, but in the case where funds are stolen, Coinbase will:

• Block any addresses that are identified as a part of the attack from sending funds to Coinbase customers
• Identify these addresses in our Coinbase Analytics tool (which propagates to internal and external customers of that tool)
• Track the movement of funds using Coinbase Analytics and other analysis tools
• Proactively reach out to ecosystem partners for additional information that might be useful in identifying the attacker

Coinbase has built relationships with the compliance, security, and other investigations functions at several exchanges and ecosystem organizations, which has helped create a trusted network of intelligence professionals that benefit from shared information when appropriate.

Sharing intelligence and analysis quickly is the most effective manner of disrupting unauthorized use of crypto exchanges and protecting our collective community of customers. By exchanging information about attacks, we can learn about attackers’ tactics and techniques, which ultimately help us defend Coinbase. Collaboration also improves our relationship with other exchanges for future incidents and helps make the crypto ecosystem more secure.

Although we’ve seen a steady decline in the financial impact of cryptocurrency exchange compromises over the past two years, there are advanced, persistent groups that continue pursuing new targets. By staying vigilant and working together we have successfully countered the actions of bad actors. For example, last September, KuCoin experienced an attack which led to the loss of $281,000,000 in funds. Ultimately, KuCoin was able to recover a large portion of stolen funds by working closely with exchange and asset issuer partners. Similarly, Liquid has already announced that $16,130,000 of the stolen ERC-20 assets have been frozen through collaboration with the cryptocurrency ecosystem.

When it comes to cybersecurity threats, it’s most important that we work together and self-regulate during these events. We encourage all organizations experiencing or suspecting a cyberattack to reach out to our security team at security@coinbase.com, in case we can help with blockchain analysis, incident response and investigation, and attacker attribution/identification.

How Coinbase responds to industry-wide crypto security threats was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

By: Lawrence Zlatkin, Global VP of Tax, Coinbase

As Global Head of Tax for one of the largest crypto exchanges, while I appreciate the Bloomberg Editorial Board’s perspective on the crypto tax provision in the Senate infrastructure bill, I would like to respectfully offer the following critique from a real-world actor in the crypto space. I disagree with the timing and need for the unexpected and new crypto tax provision in the bill and how it was drafted. The best first step would be to issue regulations so that digital asset brokers would be permitted to issue the same third-party reporting that brokerage firms, like Fidelity and Charles Schwab, issue today. It is not a good first step, and certainly not good tax policy, to require non-brokers to report on transactions for people who are not even their customers.

First, some facts —

The IRS already has the authority to require crypto brokers to provide regular reporting of the gains and losses of their customers’ accounts. But they haven’t. For years, the crypto industry has asked for those regulations, and we are still waiting.

The Editorial Board cites the IRS Commissioner’s estimate of the tax gap as $1T to underscore the urgency for including the crypto tax requirement in the infrastructure bill. Meanwhile, Congress’ Joint Committee on Taxation estimates that the crypto tax gap is approximately $28B over 10 years. In effect, crypto is a drop in the bucket when it comes to the tax gap. The Editorial Board neglects to mention this discrepancy, or that neither figure has ever been accompanied with further explanation or additional data. Without supporting data, both figures only serve to create hype and drama.

And while it’s true that the Senate infrastructure bill’s overbroad and unworkable language alarmed us, it also roused a public outcry well beyond the crypto industry. According to public reports, Senate offices were “swamped” with phone calls and emails, with almost 80 thousand people contacting their senators in just a few days. This wave of public advocacy was diverse, ranging from civil liberties organizations like the Electronic Frontier Foundation (EFF) to the Americans for Tax Reform. Social media lit up with citizens from all walks of life protesting this threat to crypto’s future, including non-apparent champions such as TikTok influencers and rock stars.

The Bloomberg Editorial Board says that the IRS needs a broad statute to include non-brokers right now because we don’t know what we don’t know. But why would we impose reporting requirements on intermediaries who are wholly unrelated to brokering a transaction and have no customer relationship? The IRS doesn’t do that outside of crypto and it shouldn’t do that here.

It is disingenuous to suggest that the IRS will take time to issue these regulations and that non-brokers should have no fear of the law until then. Tax policy should be thoughtful and deliberate. Broad overreach is a regulatory mistake. As long as the statute says that software developers, miners, stakers must do the impossible, there is no lawyer who would advise them to risk operating in violation of laws whose penalties for non-compliance would easily bankrupt them. This will harm innovation and stifle the potential of a hugely important technology at its earliest stages of development.

The one thing on which I do agree with the Editorial Board is that the requirements should “apply to entities that can provide the necessary information.” The Editorial Board also should have acknowledged that crypto brokers, like Coinbase, are currently precluded from reporting sales and exchange related information to the IRS. Without a specific legal mandate (such as the IRS regulations), we cannot compromise or disclose customer information to the government.

Now, some suggestions-

1. “Brokers” of digital assets should be defined as it is understood in the real world today. It is well established that the predominant number of crypto transactions occur with brokers. If Congress decides that it must create a new definition of “broker” within the infrastructure bill for “digital assets,” then it should define brokers as persons who act as middlemen for compensation, with customers as counterparties. This is a traditional definition of broker and would cover entities like Coinbase.
2. Propose regulations to define the parameters of tax information reporting for crypto. We would welcome the rules of the road so that we can have a meaningful discussion on how it should be introduced and applied in the real world. The IRS has this authority today.
3. Hold hearings in Congress on tax oversight for crypto so that there is robust debate on the issue. Today, around 60 million Americans own crypto — roughly one-fifth of the entire U.S. population. Those Americans, and the entire crypto ecosystem, deserve more dialogue than midnight provisions inserted at the last minute.
4. We should not draft legislation that focuses on crypto ghosts that don’t exist now and have no roadmap to exist in the future. If we focus our laws on problems that don’t actually exist, we will erode America’s leadership in crypto. Why chill the industry in its infancy and send it (and the taxes associated with it) offshore?

Coinbase, as the largest U.S. exchange, agrees with the need for information reporting of crypto. We want people to pay all taxes required under the law. We are building systems and protocols for information reporting in response. While we continue to wait on Congress and the IRS to act, we will do our best to provide our customers with the information they need to comply with their personal reporting obligations.

We are rolling out a Tax Center for our customers in the coming month, with the goal of providing education, guidance, support, data, and historical transactional information. It’s hard to do this in practice, and it can’t be done overnight, but we are confident that we will get there and be best in class. Our customers want to be compliant with their tax obligations and have asked for this guidance and support.

We invite meaningful dialogue and discussion to set the appropriate regulatory parameters for our industry. We have offered this at every turn to both legislators and the IRS. The bipartisan leadership demonstrated by Senators Wyden, Lummis, and Toomey in offering their amendment to help resolve this unnecessary confusion underscores exactly how impactful meaningful dialogue can be.

Our response to a recent editorial from Bloomberg on Congress’s crypto tax proposal was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Coinbase’s mission is to increase economic freedom in the world through the crypto-economy. To achieve this, it is essential to develop common infrastructure that is transparent, safe, secure and benefits all participants.

To aid this community effort, in 2020 we launched our Crypto Community Fund, and in 2021 we’ve allocated $2M through Coinbase Giving, our philanthropic arm, to expand the program. Today, we’re officially seeking applications for our 2021 developer grants focused on blockchain developers who contribute directly to a blockchain codebase, or researchers producing white papers addressing one or more of the following themes:

1. Scalability: Scalability is a huge barrier to adoption. Current development varies between layer 2 protocols, and has different consensus mechanisms and layer 1 structures. While much of this work has high monetary value, we are specifically looking to fund novel approaches and applications which are not so easily monetized (for example, rollups that originate in math/graph theories).
2. Privacy, Identity and Zero Knowledge research: Financial privacy is a critical and necessary development for a widespread, safe adoption of crypto. In a world where personal privacy is increasingly at risk, we recognize that the public and permanent broadcasting of transaction history can be concerning. We are open to any applications related to this area, but we are particularly interested in development related to composable privacy — privacy preservation which can be combined with smart contract ecosystems. For example, this may lend itself to academic zero knowledge research.
3. Protocol security, audit research, developer experience, and other foundational infrastructure: The crypto-economy should be safe for all users, and this is only possible when the protocols themselves are verifiably safe. This could take the form of better developer experience, so that common bugs are easier to avoid, better audit tooling, or even work like Solidify, our static analysis tool. To this end, we’re looking for projects which improve the foundational security of contracts, prevent exploits, and otherwise do the needful, inglorious, sometimes non-monetizable work.
4. Environmental footprint: For the crypto-economy to have a place in the mainstream, it must be sustainable. While there is still much to understand about the scale of impact, there’s no debate that mining is energy-intensive. We’re excited to see applications with innovative solutions to address this generational challenge.
5. Wild card: If you are working on a foundational improvement and are finding it hard to get funding, we want to hear from you!

Eligibility and Preferences

• We welcome applications across any blockchain
• We are open to submissions for any time frame, although our default is year-long grants
• Our primary focus is to fund initiatives that maximize community benefit (and that is typically harder to monetize) and/or research that advances the industry
• We seek diversity in applicants and projects
• Some examples of previous recipients can be found here.

Process

We encourage all blockchain developers and prospective developers to apply for a Crypto Community Fund grant here, by September 15, 2021.

Proposals will be shortlisted by current crypto developers and important community members. Coinbase will make the final decision.

This website contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of Coinbase, Inc., and its affiliates (“Coinbase”), and Coinbase is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. Coinbase is not responsible for webcasting or any other form of transmission received from any Third-Party Site. Coinbase is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by Coinbase of the site or any association with its operators.

2021 Developer Grants Call for Applications was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

By Emilie Choi, Coinbase President and COO

When I joined Coinbase in Spring 2018, I spoke with our founder and CEO, Brian Armstrong, about booting up Coinbase Ventures. Brian said, “Write a blog post about what you intend to do.” I did, sent it to him, and he said, “Looks good.” I said, “Now what?” He said: “Go launch it!”

Just over three years later, Coinbase Ventures has more than 150 investments in our portfolio. These investments include bets across all sorts of compelling areas in crypto, from international plays (Bitso, a Latin American exchange) to crypto tax players (CoinTracker and TaxBit) to marketplaces (Dapper Labs and OpenSea) to infrastructure plays (Spacemesh and Starkware) to decentralized finance, or DeFi (Uniswap and Compound).

Imagine if you were Google or Facebook in the early days and had made investments in some of the most promising emerging internet companies of the time, from Stripe to Shopify. That’s exactly what we’re achieving in the crypto ecosystem via Coinbase Ventures, our investing arm whose structure mirrors our commitment as a company to decentralization — the team, effort, and decision making is decentralized, and we’re investing in companies that are making this decentralized world possible.

Here are some answers to questions I get:

What’s the common theme? Easy. We invest in amazing teams who are executing on the most important new ideas in crypto.

What will success look like? We want the crypto ecosystem to bloom. We don’t solely invest to generate ROI (Return on Investment), but we’re keeping pace with the best VC funds in terms of returns and ultimately, we’re focused on driving innovation that helps us further our mission to increase economic freedom in the world.

Do the companies have to be of strategic interest to Coinbase (M&A, partnership, or other)? Not at all. That can often be a side benefit, but really we want to invest in amazing entrepreneurs and companies that are building the ecosystem, including potential competitors in certain areas.

Do we invest in competitors? Yes! These companies may look competitive to Coinbase from the outset, but these are still-early days of the industry and we’re committed to building out the cryptoeconomy. Also, Coinbase is a multi-product company and competitors of one product can and often are critical partners for another product.

What is Coinbase Ventures’ secret sauce? OK, here’s the real secret. It’s a labor of love. We don’t have any dedicated employees solely responsible for Coinbase Ventures. Shan Aggarwal, our Head of Corp Dev, oversees it in addition to his demanding day job, and we have a group of exceptional, crypto-native employees such as Justin Mart and Ryan Yi, who do this nights and weekends because they love it so much. My theory is that we’re doing so well because of this. We have no LPs (Limited Partners), no committees, no heavy infrastructure, no marketing, nothing. Just a bunch of passionate employees who use their networks, know-how, and love of crypto to find the best players in the space to invest in.

Coinbase Ventures: Investing for a Decentralized World was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

By Philip Martin, Chief Security Officer, Coinbase

The recent high profile ransomware attacks on Colonial Pipeline and food processing giant JBS have led to knee jerk calls to ban cryptocurrencies because the attackers demanded to be paid in Bitcoin. But if cryptocurrency went away tomorrow would ransomware end? In a word, no. Ransomware existed before cryptocurrency was popular and, if cryptocurrency was outlawed tomorrow, criminals would simply seek alternative payment methods, of which there are many.

The rise of ransomware has been horrible to behold. It is one of the rare online crimes where the impact is felt broadly by everyone. Hospitals unable to service patients. Local governments unable to support citizens. Workers losing jobs because their employers go bankrupt.

But blaming crypto for ransomware is like holding email accountable for ransomware because that’s a vector criminals use to infect victims. Neither are the cause of ransomware. What we need to eradicate this scourge is a more nuanced, multi-pronged strategy that gets to the root cause of the problem.

Why it’s getting worse

The growth of ransomware can be attributed to the rate at which companies are shifting critical systems online and the poor level of controls many companies have over their IT systems. When you couple those factors with ransomware gangs operating from foreign jurisdictions with relative impunity and little ability for law enforcement to drive an international response, you get a recipe for trouble.

This has led some pundits to throw up their hands and conclude the only way to fight back is to ban cryptocurrencies. But if cryptocurrencies are banned, attackers will simply fall back to traditional money laundering methods like prepaid gift cards, money-mules, bulk cash smuggling, funnel accounts or requiring air-dropped cash payments.

What’s more, there are many reasons cryptocurrency is good for law enforcement. Talk to law enforcement agents and those prosecuting crimes like this and they’ll tell you that cryptocurrencies are much easier to track than traditional, harder to trace forms of payment, such as cash.

In the world of Bitcoin, while you might not be able to immediately attach a name to a transfer, the whole history of transfers, for every address on the cryptocurrency network, is preserved forever and accessible to all. Law enforcement can use these “digital breadcrumbs” to track spending patterns. Where that cryptocurrency touches an exchange like Coinbase, which collects KYC (Know Your Customer) data for customers, a subpoena or a warrant will get them a real-world identity. That stands in stark contrast to traditional money laundering using cash or commodities.

What we should be doing

If banning use of cryptocurrency isn’t the answer, what is?

1. Increase global law enforcement focus on ransomware and aggressively prosecute criminals — in the US or overseas — to create a real disincentive for criminals to use ransomware. The creation of a Ransomware and Digital Extortion Task Force by the DOJ was a positive step forward, but genuine investment in prosecutorial resources and continued engagement with our international partners will be key in the fight to ensure there are no safe haven countries for criminals.
2. In the wake of the Enron scandal, Congress created incentives for public companies to clean up financial controls and reporting via the Sarbanes-Oxley Act. Earlier this year Congress passed the Anti-Money Laundering Act, setting a framework for financial institutions to modernize their technology and improve the sharing of information to combat money laundering and terrorist financing. Congress must play a similar role in creating minimum standards for corporate security reporting and transparency, creating accountability for malfeasance and creating safe harbors for cooperation and information sharing among companies.
3. Ensure common sense, existing regulations are applied evenly so that certain exchanges aren’t allowed to use jurisdictional arbitrage to avoid implementing KYC/AML programs. Research shows that the majority of illicit Bitcoin flows through a small group of exchanges. Law enforcement and regulators could curb the flow of ransomware-proceeds by enforcing existing regulations on these venues.

That will take time, of course, so in the meantime companies in the trenches should actively review their own security posture and figure out if and how they could recover if attacked. Most companies have backup policies, but few organizations have restore policies or regularly test their ability to restore in a real-world scenario.

Ransomware isn’t going away even if cryptocurrencies are banned. So don’t be tempted by the “easy answer” given it isn’t really an answer at all. Let’s take the bull by the horns and focus on the hard work of putting ransomware in its place.

This piece originally appeared in Morning Consult.

Ransomware is a scourge, but eliminating cryptocurrencies won’t make it go away was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.