The United States Federal Bureau of Investigation announced on Sept. 3 that North Korean scammers and hackers were targeting firms associated with cryptocurrency-related exchange-traded funds (ETFs).
Despite the billions of dollars flowing into these crypto ETFs, investors may be too quick to assume their assets are fully secure.
North Korean hacker groups such as Lazarus Group are no strangers to the cryptocurrency industry and are suspected of committing a number of hacks against prominent exchanges and blockchain protocols.
Officials fear they could target crypto-backed ETFs by going after their underlying assets.
Stock market ETFs must have a solid system that tracks and replicates the underlying asset price accordingly.
However, fund managers for a spot crypto ETF must provide custody — either themselves or through a third party — of the physical digital assets to match the total assets under management (AUM).
These honeypots are too big to ignore. According to data from Farside Investors, the total cumulative flows of spot Bitcoin (BTC) ETFs alone have surpassed $15 billion since July 2024.
Furthermore, while investors have injected billions of dollars into crypto ETFs, the majority of their funds are uninsured. If North Korean hackers were able to carry out a successful hack and steal from the backing assets, the consequences could be disastrous.
What would happen if a Bitcoin or Ether ETF gets hacked?
Jameson Lopp, co-founder and chief security officer of crypto self-custody wallet Casa, told Cointelegraph that if a Bitcoin or Ether (ETH) ETF were hacked, he’d “expect the ETF itself to quickly trade to zero” if it wasn’t halted. Shortly after, a decent marketwide dump would occur as the hacked coins were liquidated.
Recent: Memecoin ‘retail mania’ could go the way of ICOs and NFTs, say execs
If a vulnerability was uncovered, Lopp believes that “plenty of the investors from non-hacked ETFs would liquidate their positions, as the users would finally understand the risk of catastrophic loss involved.” He said it would be hard to speculate how long the market would take to recover from such a shock.
Luckily, it’s unlikely that hackers would be able to steal the crypto directly from Coinbase itself due to its chosen approach of “get hacked, but don’t get rekt,” said Taylor Monahan, lead security researcher at crypto wallet provider MetaMask.
Monahan explained in a post on X that Coinbase — practically the sole custodian for crypto-backed ETFs in the US — accepts that it will be hacked at some point.
The key to success is a proactive approach to creating infrastructure that will prevent catastrophe in the event of a hack.
Luke Youngblood, co-founder of decentralized finance lending protocol Moonwell and a former software engineer for Coinbase Cloud, explained that Coinbase’s security infrastructure has several layers hackers would need to get through before they could inflict real damage.
He said it would be highly improbable that hackers could obtain access to the funds, but if a hypothetical attack were successful, the damage would be compartmentalized.
Bitcoin and Ether ETF insurance risks
Lopp told Cointelegraph he “highly doubts that many ETF investors understand all the risks involved” and that he believes investors may ignore the fact that the assets are virtually uninsured:
“Insurance coverage of third-party custodians is a joke. It’s simply not economical to insure the full value of these assets given the risks involved and difficulty in recovering lost funds.”
The prospectus from BlackRock’s iShares Bitcoin Trust ETF states that Coinbase Global — the fund’s custodian — offers an insurance policy of up to $320 million. The amount may seem generous, but according to Coinbase, the exchange custodies $269 billion in digital assets. This means its $320 million insurance policy would cover only 0.12% of its AUM.
Andrew Rossow, a digital media attorney with Minc Law and CEO of AR Media Consulting, told Cointelegraph that a crypto ETF’s backing assets may “not necessarily” fall under the insurance policy. He explained, “There are potential scenarios where the coverage could be inadequate, leaving customers (and their assets) exposed to financial risks.”
Rossow said that the custodian’s insurance policy followed a shared policy. Effectively, “$320 million is collectively shared among all Coinbase customers,” rather than a specific allocation to any individual customer or particular types of assets such as crypto ETFs.
Katherine Dowling, chief compliance officer at crypto index and ETF provider Bitwise, told Cointelegraph that it’s common among crypto custodians to have an insurance policy that is not specific to one client but to an amount covering all clients.
Rossow stressed that in the event of a significant loss, “the total coverage as provided under policy might not be enough to cover all the possible claims.”
Furthermore, since crypto ETFs are approved financial products, they qualify for Securities Investor Protection Corp (SIPC) insurance. SIPC provides $500,000 of insurance per customer, including a $250,000 cash limit — but with a caveat.
SIPC typically protects consumers if a registered brokerage goes bankrupt, ensuring that securities in brokerage accounts, such as ETFs, cannot be stolen by the brokerage.
However, SIPC does not insure the underlying assets of those securities, such as Bitcoin or other commodities. Instead, it guarantees that the security, whether a digital or paper certificate, remains the customer’s property. Essentially, SIPC protects Bitcoin ETF shares from covered losses, such as theft by brokerages, but not the Bitcoin backing those shares.
The US cryptocurrency custodial sector is highly centralized
The rush to be the leader in Bitcoin and Ether ETFs has created many crypto ETF issuers. However, as mentioned earlier, Coinbase is virtually the sole custodian for all the US ETFs.
A Coinbase spokesperson told Cointelegraph that the platform’s status as the preferred option stems from its “proven track record, state-of-the-art technology, and deep expertise in crypto custody.”
Despite Coinbase being “proud to serve as the trusted custodian for the majority of crypto ETFs,” the issue of substantial centralization is evident.
One entity is responsible for custodying nearly all the EFTs’ backing cryptocurrencies, holding 808,619 BTC as of early September, according to data from Timechain Index.
Steven Walbroehl, co-founder and chief technology officer of cybersecurity firm Halbron, told Cointelegraph that Coinbase Custody puts “the utmost prioritization and focus on responsibility securing the cryptocurrency keys that hold the ETF funds.”
However, despite this attention to security, he believes the existing centralization of the sector is a significant risk factor for the industry:
“I think having the majority of custody held by a single entity can pose a systemic risk to the entire asset class if there is a compromise to that majority holder.”
Walbroehl said that no regulation or compliance mandate has clearly defined the security standards for crypto custody. He indicated that no security protocols have been publicly disclosed in detail.
Recent: Congressional elections critical for crypto’s future in the US
Walbroehl also acknowledged that revealing such protocols might offer hackers and bad actors valuable insights. However, their absence also means “we don’t know if revisions need to be made.”
Under the current system, he conceded, the industry is left “to trust that the custodians have implemented the most secure protocols needed.”
Diversification could spread the risk among multiple custodial providers, offering a possible solution. However, Walbroehl warned that “diversification can also lead to other types of risk, such as complexity of access, or transfer risk.”
Among all the crypto ETF managers, Fidelity is the only firm that self-secures its funds’ digital assets. Lopp believes that “any institution of sufficient size to launch an ETF is capable of building and maintaining an enterprise-grade self-custody system.” He argued that outsourcing to non-transparent third parties poses a risk:
“Every ETF should do this to improve their own security posture and not outsource their security to a trusted third party that operates as a black box.”
BlackRock declined Cointelegraph’s request for comment for this article.