While Bitcoin is still the largest cryptocurrency in the world by market capitalization, the Ethereum blockchain maintains the unique ability to tokenize assets and execute smart contracts. These benefits for businesses and investors also come with additional opportunities for cybercriminals, such as when a company simply runs away with the money after tokenizing its assets.
In our recent paper, we study on-chain market misconduct and fraud at an aggregate scale on the Ethereum blockchain, using primary Ethereum ledger data. In particular, we propose a novel taxonomy of cybercrime on the Ethereum blockchain and examine how cybercrime impacts victims’ risk-taking and returns. To identify the extent of fraud on the Ethereum blockchain, we acquired an extensive list of blockchain addresses of cybercriminals from Etherscan and Scam Alert. A novelty of our empirical setting is the granularity of transaction-level data to identify victims who interacted with cybercriminals.
Taxonomy of cybercrime
Our data enables us to develop a taxonomy grounded in the economic impact of each cybercrime, yielding 19 overarching categories. Ponzi schemes are the most common scam involving cryptocurrency, accounting for 60% of the aggregate stolen funds on Ethereum. Giveaway scams involve misrepresenting the identities of reputable companies, exchanges, or influential individuals and are the second-largest cybercrime, amounting to 18% of the aggregate stolen funds on Ethereum. Exploits are a phenomenon unique to digital systems and occur when cybercriminals take advantage of a vulnerability or bug within a system. They are the third-largest category of cybercrime. A notable example is The DAO exploit in 2016, where an attacker exploited a code vulnerability in a decentralized autonomous organization on the Ethereum blockchain, resulting in a loss of about $50 million.
Extent of cybercrime
Today, a substantial share of financial market misconduct and fraud occurs on blockchains. The Federal Trade Commission (FTC) reported that since 2021 more than $1 out of $4 reported stolen was stolen in cryptocurrency. The agency, responsible for protecting consumers and promoting fair competition, documents $1.18 billion in aggregate losses to cybercriminals since 2018, with most losses in Bitcoin, followed at some distance by Tether and Ether. Using terabytes of primary blockchain data from Ethereum and the fact that on-chain scams are readily observable on public blockchains, we find that the FTC underestimates crypto scams by a factor of almost 16. Relative to the FTC’s estimate of scams on the Ethereum blockchain amounting to $106 million, we show that Ethereum addresses associated with scams received a staggering $1.65 billion, and we identify more than 1.78 million transactions that are externally verified to be linked to cybercrime.
Responses of victims to cybercrimes
At the core of our empirical analysis, we develop a causal approach to estimating how cybercrime impacts victims’ risk-taking, risk-adjusted returns, and investor behavior. Our findings provide evidence that victims’ raw and non-risk-adjusted returns increase after a cybercrime, not accounting for the misappropriated funds due to the cybercrime per se. If we account for the nominal value of abducted funds due to the cybercrime, cybercrime victims have, on average, lost 10% of their wealth twelve months after the cybercrime relative to non-victims. However, risk-adjusted returns decrease statistically significantly by 55.2% to 96.4% relative to non-victims; the victims’ alphas, from the three-factor crypto-asset pricing model that includes cryptocurrency excess market return, size, and momentum to capture the unique risk factors inherent in the cryptocurrency market, respond significantly negatively to cybercrime. The negative risk-adjusted returns for cybercrime victims can be explained by higher post-cybercrime risk-taking. Finally, we conduct a risk decomposition and find that the post-cybercrime response of victims in terms of total risk-taking is mostly driven by changes in their diversifiable risk-taking.
Identifying cybercriminals and cybercrime victims
We also find that addresses engaged in illicit activities tend to diversify their assets better. Stolen tokens and hacks could naturally lead to greater diversification in cybercriminals’ portfolios, while cybercriminals that distribute malware often only accept a few cryptocurrencies. Moreover, we find a positive relationship between the share of altcoins in the criminals’ blockchain addresses for most cybercrime types. Altcoins may offer a balance between anonymity, risk, and reward that may appeal to cybercriminals. Regarding cybercrime victims, we find that the age of the blockchain address is negatively associated with victimization across all types of cybercrimes. This suggests that older and potentially more experienced investors are less likely to fall victim to cybercrimes. In line with this finding, we also provide evidence that poor blockchain addresses yield significantly lower alphas over the 24 months following the cybercrime.
Towards better regulation of blockchain ecosystems
Our findings indicate that cybercrime is widespread on the Ethereum blockchain. If fraudulent activities on the Ethereum blockchain result in a loss of trust in the technology, then innovative projects such as blockchain-based settlements for asset trading and cryptocurrency-related business activities of financial institutions might be negatively affected. Moreover, if traditional financial institutions provide services related to the Ethereum blockchain, such as custody or trading, they may be exposed to risks related to the illegal activities of the blockchain’s customers or counterparties. Finally, since poor blockchain addresses yield significantly lower risk-adjusted returns following cybercrime, the FTC and Securities and Exchange Commission should fulfill their mandate to protect consumers and retail investors better.
From our findings, we first conclude that most stolen funds are wired through several layers of the crypto ecosystem, often involving centralized exchanges. Regulators should therefore ensure that exchanges can be held accountable for facilitating the transfer and laundering of stolen funds. At the same time, exchanges could be required to cooperate with law enforcement and reveal the actual identities of cybercriminals from their know-your-customer files. These two regulatory steps would likely curb most of the cybercrime observed in our data. Second, our predictive models show that it is relatively easy to spot Ethereum addresses that most likely belong to a cybercriminal. Thus, we expect that our study will spur the development of better forensic tools to detect fraudulent activity before it can cause significant harm. However, working with large datasets like ours, reaching several terabytes, is very expensive in terms of CPU cost. Therefore, developing forensic tools to curb cybercrime comes at a price that could be prohibitive for most universities, and therefore requires university-industry partnerships.
Lars Hornuf is a Chaired Professor of Business Administration, esp. Finance and Financial Technology at Dresden University of Technology.
Paul P. Momtaz is a Professor of Entrepreneurial Finance at TUM School of Management.
Rachel J. Nam is a Ph.D. Candidate at Goethe University Frankfurt, Graduate School of Economics, Finance, and Management.
Ye Yuan is a Research Assistant at the Professorship of Entrepreneurial Finance at TUM School of Management.
This post is adapted from their paper, “Cybercrime on the Ethereum Blockchain,” available on SSRN.