With a market cap of over $1 trillion, cryptocurrencies have quickly gone from an obscure novelty to an alternative currency juggernaut. The recent collapse of FTX, related entities, and others in the crypto ecosystem has drawn heightened attention to this important technology. Cryptocurrencies are decentralized digital currencies; cryptocurrencies also rely on the blockchain, described as “a distributed, shared, [virtual,] encrypted-database that serves as an irreversible and incorruptible public repository of information. It enables, for the first time, unrelated people to reach consensus on the occurrence of a particular transaction or event without the need for a controlling authority.”
The decentralized nature of the blockchain means it relies on a consensus of the network’s mining hash rate to maintain the blockchain accurately. This structure also means that if users who control more than 50% of the mining power collude, they could agree to alter the blockchain, which, if the majority desired, could result in massive cryptocurrency transfers. Pulling off such an attack would be difficult, especially with the larger currencies such as Bitcoin and Ether, but a successful attack could result in thousands of victims losing millions of dollars worth of cryptocurrency.
Currently, no criminal or civil statutes explicitly punish a 51% attack. Moreover, the novel, complex, and unregulated nature of blockchain technologies means that existing case law and statutes—largely created to address the theft of physical objects—lead to great uncertainty regarding potential criminal liability.
The two main cryptocurrencies, Bitcoin and Ether, are likely not considered a security for purposes of SEC regulation because they are transacted on decentralized autonomous platforms. Even if they were, it would be difficult for the SEC to prosecute a 51% attack. One could argue for potential liability under 15 USC § 78i Manipulation of Security Prices, but the statute explicitly applies only to the purchase, sell, or securities swap conducted to manipulate the price. A 51% attack does not directly manipulate the cryptocurrency’s price; it redistributes existing cryptocoins. Also, it is not the result of buying, selling, or swapping the asset. Furthermore, the SEC is well aware of 51% attacks and has yet to pass any guidance on prosecuting such an occurrence. While not dispositive, this supports the position that the SEC would not have the power to prosecute a 51% attack.
The CFTC and federal courts have both found that cybercurrencies are commodities that are subject to the Commodity Exchange Act (CEA). Similar to the SEC, although the CFTC is aware of 51 % attacks, it has not passed any guidance regrading enforcement of those attacks. CEA section 6(c)(1) and CFTC Regulation 180.1(a), the broad fraud provisions of the CEA, only apply to transactions in connection with swaps, or contracts of sale or of future sale of commodities. While it may be argued that a 51% attack is an a artifice to defraud, it would not be a transaction connected to a swap or commodity sale, leaving it outside of the jurisdiction of prosecution by the CFTC.
The Computer Fraud and Abuse Act has been proposed as a potential means for imposing liability. The statute punishes anyone who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” The statute defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” A 51% attack alters the blockchain data, but the deleted data would still be “available” because the attack would not delete every blockchain record. The statute also requires that the crime be committed “without authorization.” This may appear to be fatal since the attackers do have authorized access to the blockchain; however, the majority rule is that “without authorization” modifies “intentionally causes damage” and does not modify accessing the computer (or, here, the blockchain). Therefore, a prosecutor, under the majority view, could allege that the malicious manipulation of the blockchain was unauthorized.
This brings us to perhaps the most important and ambiguous issue of cryptocurrency ownership. Is cryptocurrency ownership based on possession of the private key or based on the blockchain consensus? If it is simply the blockchain consensus, then it could be argued that cryptocurrency owners implicitly consent to any blockchain alterations made possible by the structure of the blockchain, which would include 51% attacks. A 51% attack was even warned about in the 2008 paper that introduced the concept of cryptocurrencies. And the well-known connection between cryptocurrencies and illicit transactions may further support the claim that investors are assuming the risk of a 51% attack.
Antitrust legislation such as 15 USC § 1 could potentially be used to prosecute a 51% attack since it would require collusion between the people performing the attack. A wire fraud statute such as 18 USC § 1343 is another potential avenue for criminal liability since the perpetrators could be interpreted to have devised a scheme to obtain the property of others through fraudulent pretenses. Finally, fraud statutes could potentially provide criminal liability. Under 18 USC § 1341 Frauds and Swindles Act, depriving someone of the “intangible right to honest services” is included. Since Bitcoin is sometimes used to purchase goods and services, this definition might be met due to vendors who have accepted Bitcoin for honest services and then had those Bitcoins deleted in the attack.
Traditional theft statutes are another potential avenue for criminal liability. For example, 10 USC § 921 Art. 121 Larceny and Wrongful Appropriation Act states that:
Any person subject to this chapter who wrongfully takes, obtains, or withholds, by any means, from the possession of the owner or of any other person any . . . personal property . . . with intent permanently to deprive or defraud another person of the use and benefit of the property or to appropriate it to his own use or the use of any person other than the owner, steals that property and is guilty of larceny.
Cryptocurrencies are likely considered personal property, and the victims of a 51% attack have been permanently deprived of the cryptocurrency, but it is still unclear if a 51% attack would violate this statute due to the “wrongfully” requirement. Again, this hinges on whether cryptocurrency investors are considered to have assumed the risk of such attacks when they buy into a system based on blockchain technology which, by its very function, results in the possibility of a 51% attack.
As this essay demonstrates—and is more thoroughly demonstrated in the full article—existing statutes are not designed with a 51% attack in mind. Because of the onerous burden placed on prosecutors (they must prove their case beyond a reasonable doubt and receive unanimous jury verdicts), prosecuting a 51% attack would be very difficult. This illuminates the importance of discussing the matter while it is merely a hypothetical consideration. The novel framework provided in this article will help inform prosecutors about the strengths and weaknesses of their options, legislators about the potential need for new legislation, and investors about the potential dangers of investing in cryptocurrencies.
Michael Conklin is the Powell Endowed Professor of Law in the Department of Accounting, Economics, and Finance at Angelo State University.
Brian Elzweig is an Associate Professor in the Department of Accounting and Finance of the University of West Florida.
Lawrence J. Trautman is an Associate Professor of Business Law and Ethics at Prairie View A&M University.
This post is adapted from their paper, “Legal Recourse for Victims of Blockchain and Cyber Breach Attacks,” available on SSRN.