10.07.2015 Views

bitcoin final


Emerging Risk Report – 2015
Innovation Series
TECHNOLOGY
Bitcoin
Risk factors for insurance


Disclaimer

This report has been produced by Lloyd’s for general information purposes only. While care has been taken in gathering the data and preparing the report, Lloyd’s does not make any representations or warranties as to its accuracy or completeness and expressly excludes to the maximum extent permitted by law all those that might otherwise be implied.

Lloyd’s accepts no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.

© Lloyd’s 2015 All rights reserved

Key contacts

Nick Beecroft – Manager, Emerging Risks & Research
+44 (0)20 7327 5605 nick.beecroft@lloyds.com

For general enquiries about this report and Lloyd’s work on emerging risks, please contact emergingrisks@lloyds.com

Lloyd’s Emerging Risk Report – 2015


Contents

1 Executive summary
2 Introduction: insurance of Bitcoin
3 Operational risks faced by Bitcoin companies
4 Strategic risks to Bitcoin operations


Bitcoin: risk factors for insurance

Executive summary

This report presents two expert contributions which investigate the key risk factors for the insurance of Bitcoin operations. Their findings suggest that the technology, procedures and practices that underpin Bitcoin are maturing. Nevertheless, legitimate concerns remain over security risk and the potential for criminal exploitation. The report does not, therefore, endorse the insurance of Bitcoin operations, but rather aims to contribute to the assessment of these risks for insurance purposes.

Bitcoin risk has been brought into sharp focus by high-profile losses such as that suffered by the original Bitcoin Exchange, Mt. Gox, in 2014. Furthermore, Bitcoin losses from fraud and theft in 2014 represented a much higher share of the overall volume of transactions compared with credit card fraud. These factors, when combined with the intangible and novel nature of Bitcoin, have served to generate a high degree of uncertainty over its security and credibility as a store of value.

Benefits of Bitcoin

In essence, Bitcoin offers a low-cost, relatively fast means to transfer value anywhere in the world; the only real constraint is the availability of an internet connection. As such it offers a lower-cost alternative to established banking and money transfer systems, which require a bank account and/or the payment of fees. These benefits could be very significant for a wide range of users around the world.

Security risk

Bitcoin is both a digital asset and a network, and both are exposed to the potential for cyber attacks. The particular characteristics of Bitcoin make it an attractive target for cyber attack because the stolen data has instant value, and transactions are not reversible. These vulnerabilities can be managed through effective security encompassing not only cyber security, but also well-established physical and personal measures used to protect other valuable assets that share these characteristics.
Nevertheless, Bitcoin (like all financial services entities) faces a dynamic threat, and the security risk will never be reduced to zero. The establishment of recognised security standards for cold (offline) and hot (online) bitcoin storage would greatly assist risk management and the provision of insurance.

Forms of attack against Bitcoin

A variety of tactics have been developed for the theft of bitcoins, and this report classifies these as ‘local’ – those designed to steal specific bitcoins – and ‘global’ – those which manipulate the network to steal bitcoins. Technical and procedural mitigations are developing, but a number of vulnerabilities remain. As with any system of security, measures must evolve with the threat, and their effectiveness will rely on routine and robust application.

Exploitation by criminals

There are legitimate concerns that the absence of regulation and potential anonymity of transactions in the Bitcoin network could afford real advantages for criminals. Nevertheless, it should be remembered that a Bitcoin transaction does leave a digital trail. It is essential for the long-term viability of Bitcoin that it does not become synonymous with crime, and the Bitcoin community should co-operate with law enforcement agencies to prevent exploitation by criminal networks.

Innovation

The short history of Bitcoin has been punctuated by high-profile security incidents and substantial price volatility. Challenges such as these have characterised many emerging technologies, and there are signs that the technology, together with the procedures and professional capabilities of practitioners, are maturing. Insurance can be a component of responsible risk management to enable the next phase of Bitcoin’s evolution.




Introduction: insurance of Bitcoin operations

The growing volume of Bitcoin transactions is generating demand for insurance cover for Bitcoin operations and this report was commissioned to investigate the risks that insurers should consider in designing risk transfer.

Jerry Brito and Peter Van Valkenburgh (Coin Center) describe a classification of ‘local attacks’ – i.e. those designed to steal specific bitcoin assets – and ‘global attacks’ that seek to steal bitcoins by manipulating the Bitcoin network as a whole. Their analysis investigates the capabilities and intent underlying the threat of both forms of attack.

Garrick Hileman (London School of Economics) and Satyaki Dhar provide a wider perspective and examine sources of risk including market volatility and regulatory uncertainty. These sources of risk are unlikely to be directly transferred in an insurance policy, but they are important in shaping the overall risk profile of Bitcoin operations, and therefore provide relevant insights for insurers.

Bitcoin offers the promise of major benefits – for example through bringing global payment technology to populations unable to access or afford conventional banking methods – but it is subject to security risk and legitimate concerns over its potential to be exploited by criminals.

Many of the features of Bitcoin are novel and can be difficult to comprehend for non-specialists. However, the essential components of risk bear similarity with other more established insurable assets. By way of illustration, Bitcoin is a digital asset that provides instant value, a level of anonymity and is not reversible. As such it is fundamentally different to other forms of valuable data, but has many similarities to cash. The security measures required for Bitcoin should therefore be informed equally by the physical and personal protection measures routinely applied for cash, as by the cyber security measures required for sensitive data.
A private Bitcoin key kept offline on removable media or recorded on paper should be protected just as if it were a large sum of cash or consignment of gold.

One area of development that would arguably greatly assist risk management, and the provision of insurance, would be the establishment of recognised security standards for cold and hot storage. While this might run against the decentralised ethos of the Bitcoin network, compliance with agreed security standards could be expected greatly to enhance insurers’ insight and confidence in the nature of the risk.

The potential for Bitcoin to be exploited by criminals is a legitimate concern. Nevertheless, it should be remembered that Bitcoin transactions, while anonymous, do leave a digital trace that could assist law enforcement. It is imperative for the long-term viability of Bitcoin that it does not become synonymous with criminality, and the Bitcoin community has a responsibility to co-operate in the prevention of crime. Criminal exploitation is a major challenge for the entire banking system, and risk management will need to evolve in line with the tactics and techniques used by criminal networks.

Price volatility and high-profile losses, notably that suffered by Mt. Gox, have generated understandable scepticism over the long-term future of Bitcoin, and this report is not designed to establish its commercial viability. But the challenges that are described in this report should be viewed as symptomatic of an emerging, innovative technology, rather than evidence of underlying critical flaws. There are signs that the technology, together with the skill and professionalism of practitioners, are maturing. With responsible and innovative risk management, insurance can be a key component of the future of Bitcoin.

The following Lloyd’s underwriters provided valuable input to the report: Andrew Banks (Ace), Madeleine Bradnam (MR Underwriting), Ross Louden (Novae), Andrew Pearson (Barbican), Jason Roe (Ace).




Operational risks faced by Bitcoin companies

Jerry Brito & Peter Van Valkenburgh

Introduction

The February 2014 bankruptcy of Mt. Gox, the original and for three years running largest Bitcoin exchange [1], may have been precipitated by a grand digital heist. Mt. Gox announced a “high possibility” that $600 million in bitcoins had been stolen because of a security vulnerability, what CEO Mark Karpelès described as “a bug” in the Bitcoin protocol itself [2]. That claim has come under intense scrutiny [3], and with lessons still waiting to be learned from Mt. Gox, the landscape of risks that surround Bitcoin remains very much terra incognita. Before that continent can be explored, some schema must be developed to categorise any potential discoveries. This report aims to create that schema and begin to offer data, primarily in the form of case studies, on the potential risks posed by Bitcoin.

No systemic risk from the emergence of Bitcoin

As a technology poised to disrupt existing financial industries and currencies, Bitcoin may one day pose systemic risks to the economy at large. For the near future, however, it is important to keep these risks in perspective. At present, the scale of the Bitcoin economy is minuscule by global standards. As of January 2015, Bitcoin’s total market capitalisation was around $2.5 billion, less than the price tag of Santiago Calatrava’s new train station in Manhattan [4]. While Bitcoin’s design currently limits transaction volume to seven transactions per second [5], Visa’s network is designed to handle peak volumes of 47,000 transactions per second [6]. Should the scale of Bitcoin adoption grow substantially, economy-wide risks may emerge, but this would not be expected to happen in the short to medium term or without warning.

Understanding operational risks

Risks to those within the Bitcoin industry should broadly be divided into price or volatility risk, regulatory risk, and theft or loss risk. The final element of this trio is where Bitcoin sparks particular confusion owing to its technological novelty. The remainder of this report will focus exclusively on those eccentricities and how they can increase or mitigate the theft or loss risks facing a Bitcoin or other cryptocurrency business.

To understand how something might be stolen we need to understand what it is. For traditional assets this perfunctory matter can be taken as writ: a car is a car and usually you can drive it away. For Bitcoin it is the exotic “what is it?” enquiry that occupies the bulk of a risk assessment. The following is a high-level overview of what bitcoins are and how they might be lost or stolen.

Background and classification of threats

Bitcoin is both a network protocol – Bitcoin – and an emerging asset – bitcoin(s).

Bitcoin protocol

As a network protocol, Bitcoin is an open tool for provably sending value between any computers connected to the internet, just as the Hypertext Transfer Protocol (HTTP) is an open tool for sending text and pictures. HTTP is accessed with software that is run by network participants: web browsers (e.g. Google Chrome) and web servers (e.g. Apache Tomcat). The Bitcoin protocol is also accessed with software: bitcoin wallets [7] (e.g. Electrum [8]) and bitcoin mining clients (e.g. bfgminer [9]). Bitcoin is “open” because, unlike a credit card network or a wire transfer service, a user hoping to send or receive value via bitcoins need not apply to an institution for approval or access. She need only download and run free software on her computer.

Bitcoin software is not produced by a single individual or institution. Instead, there is an open-source reference client developed and maintained by a group of “core developers” who have access to a public software code repository on GitHub [10].
Other clients are developed by individuals and institutions building on this reference client. These alternative clients are developed for various reasons: to make the reference client software compatible with different types of hardware or operating systems (e.g. desktop computers vs. smartphones, or Windows vs. Mac) or to offer particular features to end users, such as the design of the client’s user interface [11].

Incompatibility would result from altering so-called consensus rules found within the reference client. These consensus rules are particular software rules that reject attempts to create fraud on the Bitcoin network by either (A) attempting to spend coins from an address whose keys you do not control, or (B) attempting to “double-spend” coins (i.e. send someone coins that you have already spent elsewhere in a previous transaction). Therefore, even if a malicious software developer was to attempt to alter an independently developed Bitcoin client in order to commit fraud, this attack would be fruitless because other nodes in the network would ignore any actions of the client that violate these fraud-preventing consensus rules [12].


All notable software for accessing the Bitcoin network is open source. Closed-source clients may be developed and are not precluded by the copyright licence under which the Bitcoin reference client is released [13], but the community of Bitcoin users is culturally biased against the creation or use of closed-source clients because it is more difficult to independently audit such software for back-doors that might weaken the network or steal user credentials [14].

Bitcoin asset

There are no physical bitcoins, nor are bitcoins software files like .mp3 music files or Word documents. Instead, a bitcoin, or some fraction of a bitcoin, is a chain of digital signatures stored in a public ledger called the blockchain. The final digital signature in a given chain will be that of the current holder of a bitcoin amount and she will be recognised by the network by a random but unique string of characters, the user’s public address. Possession and control over a particular bitcoin holding is synonymous with having knowledge of one or more private keys that are mathematically linked to one or more public addresses. If those addresses have been sent some quantity of bitcoin in the past, as noted by the public record, the user holding the private keys is the only person capable of sending them on to another address.

By signing a transaction message with her private key, the transferor asks bitcoin miners to add a new digital signature, identifying the transferee’s public address, to the chain of signatures that proves provenance back to the original creation of a bitcoin or bitcoins.
Bitcoins are created when miners solve difficult mathematical problems and faithfully update the blockchain, recording valid transactions across the network that occurred within a ten-minute interval.

The Bitcoin network is not, therefore, a tool for transmitting actual bitcoins. It is a tool for building an authoritative public record that records the chain of title for any current bitcoin holdings, and prevents individuals from creating fraudulent entries in that record by attempting to double-spend their bitcoins or spend some other user’s bitcoin. Owning a bitcoin is perhaps most similar to owning land. The conditio sine qua non of land ownership is identification in the most recent deed within a chain of title found in a public record. The conditio sine qua non of bitcoin ownership is holding the private key that links to the most recent recipient public address within a chain of title found in the blockchain.

Bitcoin businesses

Many Bitcoin users do not choose to directly access the Bitcoin network, relying instead on an intermediary who runs Bitcoin software and, potentially, secures the private keys that constitute a customer’s bitcoin ownership. Users may choose to keep their bitcoins with an intermediary, because running Bitcoin software can be technically complicated and leave the user open to theft if she does not properly secure her computer, or loss if she does not make backup copies of her keys [15].

Intermediaries that run Bitcoin software and secure the user’s keys are referred to as cloud wallet or hosted wallet providers; Coinbase [16] and Circle [17] are notable examples. Intermediaries that run software but do not secure keys, leaving them in the user’s possession, are referred to as hybrid wallet providers; Blockchain.info [18] is a notable example.
By contrast, a user who is running her own software and securing her own private keys is running a software wallet.

In addition to wallet providers, there are also Bitcoin exchanges (e.g. Bitstamp [19] and the now defunct Mt. Gox [20]) and Bitcoin merchant service providers (e.g. BitPay [21]). These intermediaries will hold keys and run Bitcoin software in order to provide traders or merchants with access to the Bitcoin network.

Classification of operational risks in running a Bitcoin business

This simplified though accurate picture of Bitcoin reveals that all theft and loss risk emerges from two threat vectors: (1) an institution holding bitcoins may suffer a local attack, where the thief obtains the institution’s private key(s) in order to gain control of bitcoins in the matched public addresses, or (2) a global attack, where the thief seeks to manipulate the network in order to create fraudulent transactions within the blockchain that benefit herself or cause harm to her targets.

Local attacks

Capability

To the extent that there is ever a “thing” to be stolen in a local attack, that “thing” is the string of characters that make up a private key [22]. Safeguarding that string is a challenge identical to the safekeeping of any digitised secret such as banking credentials, intellectual property, or private photographs. Where Bitcoin differs most from ordinary digital secret keeping is in the intent or incentives that motivate attackers, and certain methods of preventing attacks.

Intent

While the capability of malefactors to steal keys is identical to that of any digital secret, the incentives that drive thieves are different in three significant ways.

1. Instant gratification and irreversibility

Before Bitcoin, network breaches only allowed attackers to acquire information, not excludable assets. This means that, in order to ultimately profit from an attack, an attacker must “fence” the data they gather. For example, stolen credit card numbers or traditional financial credentials must be either sold on black markets or used to purchase real goods before the theft is discovered and the credentials invalidated. Stolen bitcoins, by contrast, grant the thief their full value immediately, and no steps can be taken to recover or mitigate this lost value after the thief has used the private key to move the funds to a different public address. Acquiring the bitcoin is essentially acquiring money. This creates an instant gratification incentive not previously present in network breaches, and because there is no intermediary in the Bitcoin network, there is no possibility that the transaction can be reversed by a third party.

Irreversibility is, in fact, a good thing for the network. Recall that claims to bitcoins are recognised as authoritative because the entire chain of title is publicly displayed on the blockchain. This record is constructed via deterministic rules that generate network consensus: transfer requests will only be recorded if they are signed with the private key linked to the transferor’s address and if the transferor had sufficient funds (previous transfers into their address) to send the amount they are announcing. The result of this system is that a Bitcoin user must only trust that a majority of the Bitcoin network is behaving honestly, rather than placing her trust in some particular third party. Selectively granting some party the authority to reverse previously recorded transactions erodes the certainty of this system. Who should have this authority and who should not? How is authority limited? What if the secret passkey enabling any balance on the ledger to be changed is leaked to criminals?
What if those entrusted with such power fall victim to their own greed?

Moreover, any discussion as to how the protocol might be altered to enable reversibility would be met with resistance from existing participants. Changes in the protocol would need to be adopted by the majority of network participants, many of whom would believe such a change to be antithetical to the purpose of Bitcoin.

2. Immobility and publicity

Despite the instant gratification and irreversibility of a Bitcoin theft, the benefits of a heist may be surprisingly difficult to transmute into actual material well-being without inadvertently triggering one’s identification and capture. Recall that all transactions are recorded on the blockchain. This recordation necessarily extends to all thefts. When a thief obtains the private key to an address holding bitcoins at least two persons now have full control over the coins: the rightful holder and the thief. To truly steal the coins the thief must request a transfer of the funds to an address she alone controls. The network will validate that transfer because network participants have no way of distinguishing between a rightful holder and a thief. Miners only look for proof that the initiator of the request has the private key.

With the theft transaction recorded, the subsequent movement of the funds can be tracked from address to address until there is an attempt to convert the bitcoins to a fiat currency or real goods [23]. Exchanges and merchants can be asked to deny such cash-out transactions or take steps to identify the individual by reference to credentials submitted for the cash-out (e.g. a bank account if the thief is trying to exchange the coins, or an IP address if the thief is trying to buy real goods on an e-commerce website that logs user data).

The thief may attempt to make tracing the stolen bitcoins more difficult by using a coin mixing service.
These services take funds from a large number of individuals seeking greater anonymity and scatter transactions across many new Bitcoin addresses. The coins you put in are not the same as those you get out. These services can make it harder to trace stolen coins but they come with several liabilities for the thief: (1) she must trust the mixing service to not run off with the coins, (2) she must trust the service to not keep records of whose coins went to who, and (3) she must pay fees for the service [24]. Even more problematic for major heists is the fact that coin mixing only works if one is trying to anonymise a quantity of bitcoin that is relatively small as compared with the total volume of the mixing service. If a thief is seeking to hide $1 million in coins she must find a service with sufficient volume provided by other, non-criminal participants so that her participation is not a significant portion of the mix. Otherwise she’d be unable to receive as many untainted coins as she put in.

3. ‘Insider’ theft

A further consideration for assessing the intent of hostile actors with respect to a local attack is the opportunity for an insider to steal bitcoins. This arises because of the difficulty inherent in discriminating between thefts from outside criminal actors and those that originate from dishonest employees within the company. As discussed, Bitcoin transfers occur without the use of a business intermediary, meaning that embezzlement could occur from within a Bitcoin company without the need for a conspiracy involving other parties. Embezzling Bitcoin is akin to walking out of your own bank with cash from the vault. Any individual within the company who has knowledge of the private keys related to public addresses can be a vector for such embezzlement. That individual could blame the lost funds on other parties in the bank who had knowledge of the same key, or on outside hackers. As will be discussed in the following section on mitigation, the best defence against an inside job is dividing control of keys among a number of control persons in the bank, all of whom would need to collude to defraud the organisation.

Mitigation

Four common ways that the risk of a local attack can be mitigated are robust server-side security, cold-storage, multi-signature wallets, or by leaving custody of private keys with the customer (i.e. offering hybrid wallets).

1. Server-side security

Maintaining server-side security is essential to a Bitcoin business, but the techniques are no different from those necessary for securing any other secret on internet-connected computers. Should a company choose to secure their own servers, their techniques should be compared with industry standards. A promising alternative, particularly for capital-constrained start-ups, is to outsource storage and computing needs to a cloud services provider with a known track record for top-notch security [25].

2. Cold storage

Cold storage involves placing the majority of an institution’s private keys in offline media, either disconnected computer memory such as a thumb drive, paper, or as memorised passphrases – a so-called “brain bank”. If keys are not stored on internet-connected servers, then they can only be accessed by compromising either the individual with access to the key or the physical security surrounding the key.
The attack surface could thus be minimised by limiting the number of employees with knowledge of or access to offline key storage, and storing the offline drives or slips of paper in safe deposit boxes or guarded premises. Cold storage necessarily makes transactions slower because keys must be recovered from their off-network storage location before any transaction can be signed. The bulk of an institution’s funds, however, can be kept in cold storage addresses, while sufficient funds for day-to-day liquidity can be kept in a handful of vulnerable but small online “hot” wallets.

3. Multi-sig and control persons

Multi-signature wallets involve assigning bitcoins to public addresses that are linked to multiple private keys, each separately stored, some majority of which are needed to effectuate any transfer. Think of it like the keys to a hypothetical safe deposit box at a bank: you have one key, your banker has the other, and both are required to open the box. Bitcoin addresses can be mathematically linked so that some number (M) of the total linked keys (N) are required to move funds out of an address. This is what is referred to as “M of N transactions” [26] or, more simply, “Multi-sig”. Different officers in a company could retain keys to these addresses so that a majority of control persons would need to approve any transfer out of a wallet. If one control person was compromised, either because her devices had been hacked or she, herself, was no longer trustworthy, then her key alone would not be sufficient to move funds.

Institutions may also rely on a vendor that specialises in protecting funds using multi-signature technology combined with external transaction monitoring and policy rules. One such service is BitGo, recently chosen by Bitstamp to help secure its funds in the aftermath of the January 2015 hack [27].
BitGo’s co-founder and Chief Product Officer describes how BitGo monitors a multi-sig wallet that they have created for a client and what motivates their decision to sign off or refuse to sign off on a requested transfer:

    Before deciding to co-sign, BitGo applies security policy checks on the wallet, such as enforcing velocity limits, address target whitelists, IP restrictions, and so on. If the transaction passes the security checks, BitGo issues the second signature on the transaction using its key, and submits it to the network. If not, then BitGo may either reject the transaction, or hold it for additional approval from another administrator on the wallet. The final (backup) key does not come into play during normal operation. It is a cold-storage key which is for disaster recovery, and also allows the customer to retain ultimate custody of the bitcoin [28].

These technical aspects of the Bitcoin protocol may offer protections substantially more effective than those available for a holder of large sums of cash or credit: multi-sig Bitcoin holdings cannot be spent unless an external security firm signs off or seeks additional confirmation from a high-level employee, and the bulk of reserve funds cannot be accessed without stepping out of the virtual world and into a series of real life vaults or safe deposit rooms.

4. Hybrid wallets

Finally, an institution could avoid losing keys by choosing never to hold them in the first place. Blockchain.info, for example, is an online service that helps users secure their bitcoins. However, Blockchain.info never actually learns or holds the keys that its customers utilise to prove their control over Bitcoin holdings [29].

Blockchain.info builds and continually updates a software wallet program that can be used by a customer to store keys. They help the user configure this software and allow the user to generate Bitcoin addresses (for receiving funds) matched to private keys. The generation of these keys occurs on the user’s local computer and, afterwards, the wallet program along with its new keys is encrypted so that it is unreadable. This encrypted file is stored on Blockchain.info’s servers as a back-up in case the user’s computer is lost or damaged. Because of encryption, at no point can Blockchain.info employees or any unauthorised parties lurking on their servers see the keys unencrypted. By never handling unencrypted customer keys, the risk of key loss is mitigated. As we will see in the next section, however, other risks may remain.

Global threats

These attacks may be called global because they target not the particular servers of the exchange or anything onsite, but, instead, the protocol and ledger with which any exchange must interact. This analysis focuses on six key modes of global attack: flawed key generation; transaction malleability; 51% attacks; “Sybil” attacks; distributed denial of service attacks; and “consensus” or “fork” risk.

Capability

1. Flawed key generation

All Bitcoin holdings are associated with public addresses on the blockchain, each with a corresponding private key. Think of the private key as a password required to spend the funds in the address. Both the key and the public address appear as highly random, uncorrelated and unique strings of characters.
For example, here are two linked keys generated using an Elliptic Curve Digital Signature Algorithm (ECDSA) [30]:

Private Key:
e6edcf30220499bd034a7f4ebbadd4d62c8995c01157067983b4f1f26b58111

Public Key:
0488ff723a55ae8f46d9decf66c10a249adb59ac91195adee879ecb5944ea7f5098dd9e193c2172047e6eacb6ddd524c77ee5669b2f69bbfb27fc03d717d657195

The two strings are, in fact, provably linked by the mathematical formula used to generate them. It is probabilistically impossible to guess a private key by simply knowing the corresponding public key, but it is trivially easy for a computer to check that two keys are, in fact, linked. This is known in computer science as a one-way function, a broad class of technical tools that form the basis for all secure communications technology.

These mathematical properties allow for digital signatures and verifiable messaging online. To send such a message, a person would first publicly announce her public key. Then she would take the private key and run it through a mathematical operation called a hash function along with the message she wishes to sign. The output of that hash is called a digital signature. Anyone who sees the output can know with certainty that only the person with both the public and private keys could have signed the message. The observer, however, does not learn the private key throughout this process of validation; therefore she can verify but not forge the identity of the sender.

A Bitcoin public address is an ECDSA public key that has been mathematically transformed with hash functions in order to provide a shorter string of characters to which network participants can send funds [31]. The particular operation of equations involved in this set-up is beyond the scope of this report.
Suffice it to say, however, that ECDSA and the associated hash functions are industry state-of-the-art tools for key generation and message encryption across the internet [32].

One can, however, fail to implement these tools correctly when generating keys and addresses. If there is a faulty implementation, the keys generated may not be sufficiently random and, given the public address, a malicious party could be able to guess the private key, at which point they would be able to sign transactions and transfer funds out of the public address.

This happened in December 2014 to hybrid wallet provider Blockchain.info [33]. A mistake was made during a software update, and when an affected user generated a new key pair on her local machine using Blockchain’s software (recall that as a hybrid wallet provider Blockchain.info does not know its customers’ keys, but rather gives them software to generate those keys locally and stores encrypted versions in the cloud), inputs to the ECDSA algorithm were not sufficiently random so as to generate an effective one-way function. As a result, a thief could use software to determine the user’s private key merely by looking at the public address. Only a very small fraction (0.0002%) of users were affected, and the issue was detected and resolved within two-and-a-half hours [34]. Even given this short time frame, individuals outside of Blockchain.info observed the vulnerability. As a result, some bitcoins were stolen. Again, the public character of the Bitcoin ledger is the reason for this quickness. Individuals can, and do, watch addresses as they appear on the public ledger in real time. They can build computer programs that sit and wait for observable weaknesses in address generation, and even steal funds as soon as those weaknesses are detected. In Blockchain.info’s case, the “thief” turned out to be a German computer science researcher, and frequent contributor to Bitcoin community online discussion forums, where he is known as Johoe. Johoe returned the funds and helped point out the implementation weaknesses that caused the hack [35].

2. Transaction malleability

In a transaction malleability attack the thief tricks her target into believing that a transaction has failed. The thief then asks for the transaction to be repeated. In this manner a thief who was already owed X bitcoins could fraudulently obtain twice the amount [36].

The deception is created by altering a transaction request as it is sent through the peer-to-peer Bitcoin network. Some malformed transaction messages can be corrected by intermediary parties in the chain of peer-to-peer message exchange. That change may make the transaction difficult to recognise, even to the original sender, and she may, instead, think that the message failed to go through. If a targeted institution is careless about how it verifies that a transaction has either succeeded or failed to be recorded in the blockchain, it may unwittingly send a second transaction when the thief claims that the first transaction did not go through.
The thief will have doubled her money.

To be clear, this particular attack relies on social engineering, not mere technological manipulation. An individual at the institution must be contacted and persuaded to re-send funds that allegedly failed to be transferred in an initial request.

Mt. Gox blamed its insolvency on this particular attack, but this has been challenged by many in the Bitcoin community as the scale of theft would have required hackers to repeatedly convince customer service personnel at Mt. Gox that their transactions had failed and needed to be reinitiated. Moreover, by careful monitoring of the transaction messages and tracing the outputs of a transaction, all with publicly available information on the blockchain, the attack is avoidable [37].

Blockchain technologies can also be employed to improve internal accounting and auditing. Accounting software can be run by the business as an integrated part of the business’s consumer-facing applications. It can be programmed to interact with the Bitcoin protocol, placing limits on any suspicious requests that could indicate a transaction malleability hack or some other wrong-doing. The software can also be programmed to automatically generate human-readable double-entry accounting records or other visualisation tools in real time, so that the institution can always have a good sense of which transactions have succeeded, which have failed, and what is the general state of the business.

3. Fifty-one per cent attack

A 51% attack involves manipulation of the blockchain itself rather than the protocol that facilitates communication between users and miners. Each block added to the blockchain describes the transactions verified in roughly the previous 10 minutes. Miners compete for the privilege to write the next block and receive a mining reward of new bitcoins.
To fraudulently manipulate the blockchain, an attacker would need to consistently out-compete all other miners by wielding a majority of the global computing power spent mining bitcoins.

The prospect of a single individual or small group of individuals obtaining such mining power is highly remote because the cost would grossly exceed the likely benefits of such an attack. The recent advent of large mining pools increases the likelihood that an organised group of miners could maintain a majority of computing power long enough to manipulate the blockchain [38]. However, it is not considered likely that a 51% attack would pose a major risk of loss or theft.

A successful 51% attack could prevent a targeted actor from engaging in new transactions, might allow the dishonest miners to demand exorbitant transaction fees, or allow them to shut down the network entirely by processing no new transactions. Attackers, however, would never be able to rewrite the blockchain’s history in order to steal funds already listed in a target actor’s public addresses.

If a 51% attack were to be successfully carried out, it would be a significant blow to consumer confidence in the stability and trustworthiness of Bitcoin. Institutions holding Bitcoin would suffer real losses from any collateral drop in Bitcoin prices, but nominal Bitcoin holdings themselves would remain unthreatened.

Additionally, the evidence of such an attack would be manifest – newly mined blocks would not include requested transactions – and steps could be taken to adjust the Bitcoin protocol so as to ignore the blocks mined by the attacker and return the network to normal operation sufficiently quickly that the chance of collateral consequences, like loss of faith in the currency, could hopefully be minimised [39].

4. Sybil attacks

Bitcoin, as discussed previously, is a peer-to-peer network. Rather than seeking to attack the entire network, as with a 51% attack, a sybil attacker seeks to target one node on the network, say a particular Bitcoin company’s known connection point to the network. The sybil attacker creates a sufficient number of Bitcoin nodes adjacent to the target node to become the victim’s only means of connecting to the network as a whole. In other words, the attacker surrounds the victim with malicious peers. It may appear to the victim that they are still accessing the network through many different individual computers owned by various, honest individuals, but in reality their access is limited to a handful of peers that are all under the control of the attacker.

Once the attacker has her victim surrounded, she can refuse to relay the victim’s transactions, effectively disconnecting the victim from financial access. Alternatively, the attacker can feed the victim mis-information about the state of the network as a whole. Let us say the victim is an exchange and the attacker is a putative customer of that exchange. The attacker could claim that it transferred bitcoins to the victim exchange hoping to trade those coins for dollars. To validate this transfer, the victim expects the network to send it up-to-date versions of the blockchain, the record of all valid transactions.
The attacker can send fraudulent versions of this record. The fraudulent version could indicate that the attacker has paid the victim even if there is no such record on the genuine blockchain of the larger network. The victim believes they hold new bitcoins and therefore credits the bank account of the attacker (presumably opened under a fraudulent name). If the attacker can continue to deceive the victim for long enough, they may be able to withdraw from their bank account and walk away with cash before either the exchange or the bank is aware of the deception.

The Bitcoin network, however, is inherently resilient against these attacks. In order to keep up the deception, the attacker would need to continuously feed the victim new fraudulent blocks that make it appear as though the network is functioning as normal. Each block, even a bogus block, is difficult to create, depending, as it must, upon the exertion of scarce computing resources. An attacker with only 10% of the computing power of the entire network (still a massive amount of power for any individual participant) would only be able to generate bogus blocks at 10% of the normal speed. A would-be victim could monitor for such an attack by looking for notable decreases in the frequency of new block generation. Should the network computing power, referred to as the hash-rate, appear to drop precipitously, the victim can be on guard that they may be under attack. At this point the victim can block the current nodes to which they connect and seek other, honest nodes within the peer-to-peer Bitcoin network. The extreme difficulty of deceiving one’s victim in a sybil attack has led many in the development community, including lead developer Gavin Andresen, to label the attack “theoretically worrisome, but practically not a high priority.” [40]

Exchanges and other large Bitcoin businesses should, nonetheless, take reasonable steps to mitigate against such an attack.
Automated processes should be developed, if they have not been already, to monitor for unusual network states, as when hash rate declines precipitously because of a sybil attack.

5. Distributed denial of service attacks

As with any network, Bitcoin is potentially vulnerable to distributed denial of service (“DDoS”) attacks. Simply put, a DDoS attack is an effort to make a network resource unavailable by overwhelming it with service requests. Given that Bitcoin is a peer-to-peer network, the resources on that network (e.g. transaction relaying or validation) depend on the availability of peers. For the purposes of this network service, there are two classes of node on the Bitcoin peer-to-peer network: those that accept incoming Transmission Control Protocol (“TCP”) connections, and all others. When a Bitcoin wallet or Bitcoin node is attempting to connect to the network, it must contact one or more remote nodes that receive incoming connections from outsiders.

There is no accepted technical term for these nodes, but we can refer to them as “acceptor” nodes. Acceptor nodes are the linchpin of the network. There may be 100,000+ nodes out there with copies of the blockchain. Without acceptor nodes, however, there is no network to relay copies of the blockchain to users. Estimates on acceptor node count are under 7,000, and falling [41]. A malicious party could spam these nodes with phony requests, overwhelming their ability to respond to legitimate requests from the network at large. This could make the network slow or unresponsive for the duration of the attack.

The resources necessary to sustain such an attack would likely be costly. Nevertheless, it is widely believed that those costs are substantially less than the costs involved in a 51% attack [42].

To be clear, a DDoS attack would not threaten existing Bitcoin holdings or enable theft. It would simply make the network unavailable to process new transactions. A prolonged attack would, however, significantly undermine confidence in the value of the currency, potentially leading to a large-scale sell-off once transactions resume.

6. Consensus or fork risk

Another global risk is consensus or fork risk. In this context, “consensus” means the Bitcoin network’s ability to agree upon an authoritative ledger, or blockchain, that lists all current Bitcoin holdings. Miners continuously add to this chain by generating new blocks at a rate of roughly one block every ten minutes, network-wide. All miner software is pre-programmed to add blocks only to the largest currently broadcast chain. A “fork” occurs when some miners work on one chain while others work on another. The danger of a fork is that it presents Bitcoin users with two alternative states of the transaction record. One state has new blocks that could suggest that a transaction has occurred, while the other has blocks that could deny that fact or even record that a different transaction, using the same funds but paying another party, has occurred. Users are left wondering whether money has, or has not, in fact changed hands. And malicious users could purport to send the same money to two different people on two different prongs of the fork.

Brief forks are normal, and one or two block forks happen on the network every day.
These forks are quickly resolved as the network actively and automatically seeks to identify the prong of the fork that has the most computing effort dedicated to it, i.e. to reach consensus. Once that prong is clearly and certainly identified, the new blocks in the rejected prong will be abandoned. Because these forks only last some two blocks, transactions can only be lost or double spent within a short (~20 minute) window. As the network returns to consensus, these discrepancies will be resolved, and after an hour any transactions included in the now unified and authoritative blockchain can be presumed trustworthy. Therefore, as with transaction malleability risk, losses can be avoided by refusing to take an action (e.g. credit an account, or resend a purportedly lost transaction) until the relevant transaction has been confirmed by some five or six blocks (i.e. existed in the blockchain for roughly an hour).

However, should a long-standing fork occur, the damage to Bitcoin as a whole could be severe. In this situation, merchants and businesses cannot be certain which fork is accurate. The same bitcoins may be double-spent on each fork, violating the core Bitcoin security promise [43]. Such a fork would be instantly recognisable by Bitcoin users and observers owing to the public nature of the blockchain. An insurer, faced with this event, might well consider limiting insurable assets to those on the books before the fork. In such a circumstance, all responsible, aware Bitcoin parties would stop processing transactions beyond the fork, and until the fork is resolved, to avoid being defrauded. Until that resolution is reached, all Bitcoin payments stop. Bitcoin is essentially shut down, as one cannot trust any bitcoins received. The longer this divergent state of affairs continues, the greater the likely erosion of faith in Bitcoin as money. This creates added incentive amongst invested parties to resolve the fork. This larger risk is less relevant for the purposes of insurance so long as insured assets are limited to those on the books before a fork and/or businesses decline to transact during a long-standing fork. Nonetheless, this is a profound risk to Bitcoin as a whole, given that an unresolved fork could lead to a massive decline in the price of Bitcoin.

Intent

The incentives driving a global attack are similar to those behind a local attack, with one exception. Particularly far-reaching attacks that would be perceived as destabilising the entire network – such as in the 51% attack, but not with transaction malleability or flawed key generation – would be observed in real time. The alarm generated by such an event would likely severely lower the price of bitcoins. An attacker would have invested heavily in bitcoin-specific infrastructure only to erode the value of that which she sought to steal or control.

This self-righting incentive has only been accentuated in recent times by the proliferation of new mining hardware known as Application Specific Integrated Circuits [44] (ASICs). This new hardware is vastly more efficient at mining Bitcoin than previous tools because it is purpose-built to solve Bitcoin hash functions alone. As a consequence, however, the hardware is useless for any activity other than mining Bitcoins. A malevolent miner hoping to commit a 51% attack would need to purchase large volumes of these ASIC machines, incurring significant costs, in order to be successful. The attack, however, could very well render that costly hardware useless if the network was abandoned or forked in a way that broke compatibility with the attacker’s hardware in order to repair the damage.

This self-righting incentive does not, however, apply to individuals who wish only to destabilise or destroy the Bitcoin network, rather than profit from it.
Moreover, a widespread DDoS attack, as discussed, could immobilise the network and destroy faith in Bitcoin as money without requiring costly investment in bitcoin-specific hardware. Governments, for example, may at some point have the intent to destroy Bitcoin, whether because of the perceived illegality of transactions, the funding of terror, a fear of capital flight, or widespread tax evasion. Should a government wish to do so, DDoS attacks may be a cost-efficient means of bringing the network down. At present, however, these risks and any potential efforts at mitigation [45] are considered highly speculative.

Conclusion

Quantifying risk is difficult within the Bitcoin industry. The technology is new, early entrepreneurs show wide-ranging skill, caution and capability, and best practices are still being determined and implemented. Even before Mt. Gox’s insolvency, the exchange industry had a worrisome track record. Computer scientists Tyler Moore and Nicolas Christin found that of some forty Bitcoin exchanges established in a three-year period, eighteen closed, many taking consumer balances with them [46]. Some have called the spate of failures a sign of a shake-out or changing of the guard: under-qualified or downright criminal amateurs are exiting an industry that has outgrown them. Others, however, question this analysis, arguing that too many technically savvy and reasonable persons have suffered losses [47]. In this analysis, the underlying cause was the weaknesses of the technology’s early iterations and the slow adoption of newer techniques for safeguarding funds. Those newer technologies have been discussed throughout this report: multi-sig, cold storage and hybrid wallets. Rather than quantifying risk from past performance, Coin Center advises that insurers and industry observers keep tabs on whether a business is employing these new controls.
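The automated monitoring recommended under “4. Sybil attacks” can be sketched as follows. This is an added example, not code from the report or from any Bitcoin client: it assumes block discovery is a Poisson process at the ten-minute target and times blocks by local arrival, because the timestamps inside blocks are chosen by whoever mined them; the feeds, window and alarm threshold are constructed.

```python
"""Added example: alarm when the block feed is implausibly slow for an honest network."""
import math
from collections import deque
from itertools import accumulate
from typing import Iterable, NamedTuple, Optional

TARGET_INTERVAL = 600.0  # network-wide target: one block roughly every ten minutes


def slow_chain_pvalue(blocks_seen: int, elapsed: float,
                      mean_interval: float = TARGET_INTERVAL) -> float:
    """P(an honest network produces <= blocks_seen blocks in `elapsed` seconds).

    Assumption: block discovery is a Poisson process, so the block count in a
    window is Poisson-distributed with mean elapsed / mean_interval.
    """
    if blocks_seen < 0 or elapsed < 0:
        raise ValueError("blocks_seen and elapsed must be non-negative")
    lam = elapsed / mean_interval
    term = math.exp(-lam)          # P(N = 0)
    total = term
    for k in range(1, blocks_seen + 1):
        term *= lam / k            # P(N = k) derived from P(N = k - 1)
        total += term
    return min(total, 1.0)


class Verdict(NamedTuple):
    blocks_seen: int
    expected: float
    pvalue: float
    alarm: bool


class BlockRateMonitor:
    """Sliding-window monitor fed with the *local* receive time of each block.

    Header timestamps are not used: they are set by the miner, so a peer that
    fabricates blocks also chooses what those timestamps say.
    """

    def __init__(self, started_at: float, window: float = 6 * 3600.0,
                 alarm_pvalue: float = 1e-3) -> None:
        self.started_at = started_at
        self.window = window
        self.alarm_pvalue = alarm_pvalue   # assumption: tune to tolerable false alarms
        self._arrivals = deque()

    def on_block(self, received_at: float) -> None:
        self._arrivals.append(received_at)

    def check(self, now: float) -> Verdict:
        cutoff = now - self.window
        while self._arrivals and self._arrivals[0] <= cutoff:
            self._arrivals.popleft()       # forget blocks older than the window
        observed = min(self.window, now - self.started_at)
        count = len(self._arrivals)
        p = slow_chain_pvalue(count, observed)
        return Verdict(count, observed / TARGET_INTERVAL, p, p < self.alarm_pvalue)


def first_alarm(arrivals: Iterable[float], until: int, step: int = 600) -> Optional[int]:
    """Replay a feed of arrival times, checking every `step` seconds.

    Returns the time of the first alarm, or None if the feed never looks slow.
    """
    monitor = BlockRateMonitor(started_at=0.0)
    pending = deque(sorted(arrivals))
    for now in range(step, until + 1, step):
        while pending and pending[0] <= now:
            monitor.on_block(pending.popleft())
        if monitor.check(now).alarm:
            return now
    return None


# Constructed sample data: gaps (seconds) between blocks as an honest node might see them.
HONEST_GAPS = [240, 1100, 90, 780, 2300, 400, 650, 35, 1500, 310, 920, 600]
HONEST_FEED = list(accumulate(HONEST_GAPS))
# The same gaps stretched tenfold: the only blocks arriving come from a party
# with 10% of the network's computing power, the case the report describes.
ECLIPSED_FEED = [t * 10 for t in HONEST_FEED]

if __name__ == "__main__":
    print("honest feed, first alarm:", first_alarm(HONEST_FEED, until=9000))
    print("eclipsed feed, first alarm (s):", first_alarm(ECLIPSED_FEED, until=21600))
```

On the constructed eclipsed feed the alarm fires after 100 minutes, long before six blocks could accumulate at a tenth of the normal rate.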
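The rule from “2. Transaction malleability” and “6. Consensus or fork risk”, that nothing is re-sent or credited until the blockchain itself settles the question, shown as an added example (not from the report). A withdrawal is reconciled by the coins it spends and the outputs it pays rather than by its transaction ID, which is the part an intermediary can alter; all transaction IDs, addresses and amounts are constructed.

```python
"""Added example: decide whether a withdrawal settled without trusting its txid."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Optional, Tuple

Outpoint = Tuple[str, int]   # (txid of the coin being spent, output index)
Payment = Tuple[str, int]    # (destination address, amount in satoshi)
MIN_CONFIRMATIONS = 6        # the report's "five or six blocks", roughly an hour


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: FrozenSet[Outpoint]
    outputs: Tuple[Payment, ...]
    confirmations: int = 0   # depth in the chain as seen by the institution's own node


class Status(Enum):
    SETTLED = "settled"          # on chain and deep enough: never pay again
    PENDING = "pending"          # on chain but too shallow: wait
    UNCONFIRMED = "unconfirmed"  # nothing on chain spends these coins yet
    CONFLICT = "conflict"        # coins spent by a different payment: escalate


@dataclass(frozen=True)
class Finding:
    status: Status
    on_chain_txid: Optional[str] = None
    txid_changed: bool = False


def naive_is_paid(sent: Tx, chain: Iterable[Tx]) -> bool:
    """The careless check: look for the txid that was originally broadcast."""
    return any(tx.txid == sent.txid and tx.confirmations >= MIN_CONFIRMATIONS
               for tx in chain)


def reconcile(sent: Tx, chain: Iterable[Tx],
              min_conf: int = MIN_CONFIRMATIONS) -> Finding:
    """Match on what malleation leaves intact: the coins spent and the outputs paid."""
    for tx in chain:
        if tx.confirmations < 1 or not (tx.inputs & sent.inputs):
            continue
        changed = tx.txid != sent.txid
        same_payment = (tx.inputs == sent.inputs
                        and sorted(tx.outputs) == sorted(sent.outputs))
        if not same_payment:
            return Finding(Status.CONFLICT, tx.txid, changed)
        status = Status.SETTLED if tx.confirmations >= min_conf else Status.PENDING
        return Finding(status, tx.txid, changed)
    return Finding(Status.UNCONFIRMED)


def may_reissue(finding: Finding) -> bool:
    """Only an unconfirmed payment may be rebuilt, and the rebuilt transaction
    should spend the same inputs so that at most one of the two can confirm."""
    return finding.status is Status.UNCONFIRMED


# --- Constructed sample data (placeholder txids, addresses and amounts) ---
def _txid(byte: str) -> str:
    return byte * 32


COIN_A, COIN_B, COIN_C, COIN_D = ((_txid(b), 0) for b in ("f0", "f1", "f2", "f3"))
CUSTOMER = "1CustomerAddressConstructed"
CHANGE = "1ExchangeChangeConstructed"
OTHER = "1SomeoneElseConstructed"


def _withdrawal(txid, coin, conf=0, to=CUSTOMER):
    return Tx(txid, frozenset({coin}), ((to, 150_000_000), (CHANGE, 49_990_000)), conf)


W_MALLEATED = _withdrawal(_txid("a1"), COIN_A)   # customer claims this one "failed"
W_SHALLOW = _withdrawal(_txid("a2"), COIN_B)
W_MISSING = _withdrawal(_txid("a3"), COIN_C)
W_CONFLICT = _withdrawal(_txid("a4"), COIN_D)

CHAIN = [
    _withdrawal(_txid("b1"), COIN_A, conf=7),            # same payment, different txid
    _withdrawal(_txid("a2"), COIN_B, conf=2),            # confirmed, but only 2 deep
    _withdrawal(_txid("c4"), COIN_D, conf=9, to=OTHER),  # same coin, different payee
]

if __name__ == "__main__":
    for name, w in [("malleated", W_MALLEATED), ("shallow", W_SHALLOW),
                    ("missing", W_MISSING), ("conflict", W_CONFLICT)]:
        print(name, naive_is_paid(w, CHAIN), reconcile(w, CHAIN))
```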


References

1. Historic exchange market share can be visualised at http://bit.ly/1oYFCbF
2. See Mt. Gox. Addressing Transaction Malleability. Mt. Gox, https://xrptalk.org/topic/1258-mtgox-pressrelease-addressing-transaction-malleability/
3. For example, Decker and Wattenhofer have conducted a technical analysis of the Blockchain and conclude that only some “386 bitcoins [of the total 850,000] could have been stolen using malleability attacks,” the particular protocol vulnerability cited by Mt. Gox. See http://bit.ly/1ojBa7U
4. David Dunlap, How Cost of Train Station at World Trade Center Swelled to $4 Billion, NY Times (Dec. 2, 2014) http://www.nytimes.com/2014/12/03/nyregion/the-4-billion-train-station-at-the-world-trade-center.html
5. Bitcoin Wiki, Scalability, https://en.bitcoin.it/wiki/Scalability
6. Visa, Merchants Rack Up $7.8 Billion in Online Sales on US-issued Visa Cards in Just Five Days, VISA Viewpoints, http://www.visa.com/blogarchives/us/category/visanet-2/index.html
7. A wallet is used to store the keys to one’s bitcoins, allowing the user to prove that they hold bitcoins and giving them an interface from which to send transaction messages to the network.
8. Electrum, https://electrum.org/
9. BFGMiner, http://bfgminer.org/
10. GitHub is a software repository on the internet: https://github.com/. The Bitcoin repository on GitHub is located at https://github.com/bitcoin/bitcoin
11. Independently developed clients may also include some adjustments to the code that determines how the software speaks with the network, called policy rules, so long as those adjustments do not make the client incompatible with the reference client.
12. Unless the malicious client was adopted by a majority of participants in the network, an unlikely state of the network unless the malicious code was hidden and undiscoverable by all network participants.
13. Bitcoin is released under the MIT open source software licence. See Satoshi Nakamoto, Re: Switch to GPL, Bitcointalk (Sep. 12, 2010). The MIT licence is permissive meaning future original works that borrow from the underlying code can be, themselves, copyrighted and closed source.
14. See ibid. (Satoshi Nakamoto, the pseudonymous inventor of Bitcoin, stresses the importance of open source software for his/her project). See, e.g., Nick ODell, Suggestion: Closed-source cryptocurrencies should be off topic. Bitcoin Meta Stack Exchange (Oct. 22, 2014).
15. For example, in 2013 Mr James Howells of Wales lost 7,500 bitcoins when he threw away his hard drive. At that point the holdings were worth around £500,000. Mr Howells never recovered the drive and those coins are lost to this day. Without a private key, they simply can never be transferred to a new address. Alex Hern, Missing: hard drive containing Bitcoins worth £4m in Newport landfill site, The Guardian (Nov. 2013) http://www.theguardian.com/technology/2013/nov/27/hard-drive-bitcoin-landfill-site
16. Coinbase, https://www.coinbase.com/
17. Circle, https://www.circle.com/en
18. Blockchain.info, http://blockchain.info/
19. Bitstamp, https://www.bitstamp.net/
20. Robert McMillan, The Inside Story of Mt. Gox, Bitcoin’s $460 Million Disaster, Wired (Mar. 3, 2014) http://www.wired.com/2014/03/bitcoin-exchange/
21. Bitpay, https://bitpay.com/
22. This is what a private key looks like: 5HpHagT65TZzG1PH3CSu63k8DbpvD8s5ip4nEB3kEsreAbuatmU. That particular key is matched to this public address on the Bitcoin network: 1MsHWS1BnwMc3tLE8G35UXsS58fKipzB7a. Bitcoins can be sent to this address; however, anyone who has read this footnote knows that matched private key and can, therefore, spend them.
23. See, for example, how individuals utilising publicly available tools tracked the early transactions from the $5 million BitStamp breach. Michael Carney, With the stolen BitStamp bitcoins on the move, Reddit flies into detective mode, Pandodaily (Jan. 2015) http://pando.com/2015/01/08/with-the-stolenbitstamp-bitcoins-on-the-move-reddit-flies-intodetective-mode/
24. Tracking Bitcoin transactions and linking them to identities has proven easier than many initially expected. See Alex Biryukov, et al. “Deanonymisation of clients in Bitcoin P2P network” eprint arXiv:1405.7418 (May 2014) available at http://arxiv.org/pdf/1405.7418v3.pdf; Elli Androulaki, et al. “Evaluating User Privacy in Bitcoin” 7859 Financial Cryptography and Data Security Lecture Notes in Computer Science 34 (2013); Philip Koshy, et al. “Analysis of Anonymity in Bitcoin Using P2P Network Traffic” (Doctoral dissertation, Pennsylvania State University) (2013) available at http://ifca.ai/fc14/papers/fc14_submission_71.pdf; Sarah Meiklejohn, et al. “A Fistful of Bitcoins: Characterizing Payments Among Men with No Names” Proceedings of the 2013 conference on Internet measurement conference (ACM, 2013) available at http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf
25. For example, after suffering $5 million in losses from a local attack wherein private keys were compromised, prominent Bitcoin exchange Bitstamp rebuilt its platform utilising Amazon Web Services for storage and computing.
26. See Gavin Andresen, BIP 0011, https://github.com/bitcoin/bips/blob/master/bip-0011.mediawiki
27. Bitstamp, Bitstamp is open for business - Better than ever! (Jan, 2015).
28. Ben Davenport, No Sleep till Multi-Sig, Medium.com (Jan. 2015) https://medium.com/@bendavenport/nosleep-till-multi-sig-7db367998bc7
29. See Blockchain.info, http://blockchain.info/
30. The ECDSA algorithm can be tested at this site: http://kjur.github.io/jsrsasign/sample-ecdsa.html Key pairs can be generated and signing of documents tested out.
31. See Bitcoin Wiki, Technical background of version 1 Bitcoin addresses https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses
32. See Certicom, An Introduction to the Uses of ECC-based Certificates https://www.certicom.com/index.php/an-introduction-to-the-uses-of-eccbased-certificates
33. Giulio Prisco, Gentleman Hacker Returns Stolen Bitcoins to Blockchain.info, Cryptocoinsnews (Dec 2014) https://www.cryptocoinsnews.com/gentleman-hacker-returns-stolen-bitcoinsblockchain-info/
34. Alyson Margaret, Blockchain.info Security Disclosure, Blockchain Blog (Dec 2014) (“When making a scheduled software update overnight to our web-wallet, our development team inadvertently affected a part of our software that ensures private keys are generated in a strong and secure manner. The issue was present for a brief period of time between the hours of 12:00am and 2:30am GMT on December the 8th 2014. The issue was detected quickly and immediately resolved. In total, this issue affected less than 0.0002% of our user base and was limited to a few hundred addresses.”)
35. Ibid, note 33.
36. Christian Decker and Roger Wattenhofer, Bitcoin Transaction Malleability and MtGox, arXiv:1403.6676 (Mar. 2014) http://arxiv.org/abs/1403.6676
37. Ibid, note 36.
38. The mining pool GHash.io has crossed the 51% mark for brief periods although no exploitation of this power has been authoritatively observed. GHash.io has promised to abstain from achieving such disproportionate power in the future. See http://bit.ly/1gMDDGb
39. Gavin Andresen, Neutralizing a 51% attack, GavinTech (May 2012) http://gavintech.blogspot.com/2012/05/neutralizing-51-attack.html
40. Gavin Andresen, “What’s the plan about the sybil attack?” BitcoinTalk.org (Comment #3, May 12, 2011) https://bitcointalk.org/index.php?topic=8051.msg117573#msg117573
41. See Daniel Cawrey, “What are Bitcoin Nodes and Why do we Need Them?” CoinDesk (May 2014) http://www.coindesk.com/bitcoin-nodes-need/
42. See David Bradbury, “Bitcoin network recovering from DDoS attack” CoinDesk (June 2013) http://www.coindesk.com/bitcoin-network-recoveringfrom-ddos-attack/ (Bitcoin core developer Jeff Garzik explains, “Operationally, network attacks are far cheaper. Any smart attacker is going to look for a cheaper way to attack Bitcoin. Network attacks are one of the big worries right now.”).
43. See Gavin Andresen, “BIP 50: March 2013 Chain Fork Post-Mortem” GitHub (Mar 2013) https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki
44. See Ian Cutress, The Rush to Bitcoin ASICs: Ravi Iyengar launches CoinTerra, AnandTech (Aug 2013) http://www.anandtech.com/show/7246/the-rushto-bitcoin-asics-ravi-iyengar-launches-cointerra
45. The vulnerability of the network to a large scale DDoS attack at the hands of a state or other large entity could, in theory, be minimised by increasing the number of acceptor nodes (thereby increasing the number of nodes that must be spammed) or by enhancing existing protocol protections against spammy connections.
46. Tyler Moore and Nicolas Christin, Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk, 6859 Financial Cryptography and Data Security Lecture Notes in Computer Science 25 (2013).
47. Vitalik Buterin, Multisig: The Future of Bitcoin, Bitcoin Magazine (Mar 2014) https://bitcoinmagazine.com/11108/multisig-future-bitcoin/




Strategic risks to Bitcoin operations

Garrick Hileman (London School of Economics) & Satyaki Dhar

What is Bitcoin? Why do people use it? What makes it different from other currencies and transaction networks?

Financial and monetary systems rarely experience paradigm shifts. Indeed, the operating principles that guide commercial and central banks have remained largely similar to the era when Walter Bagehot’s Lombard Street was first published in 1873. Today, however, many believe that cryptocurrencies such as Bitcoin have the potential to revolutionise the way we transact, store and account for value.

Cryptocurrencies can be considered as a type of peer-to-peer (P2P) value transfer system. In contrast to other P2P payment networks like PayPal, which orchestrate the movement of currencies such as the US dollar, cryptocurrencies incorporate both their own currency unit (often referred to as “bitcoin” with a little “b”) and payment network (often referred to as “Bitcoin” with a capital “B”).
The advantages that cryptocurrencies offer over existing payment networks include:

• Low cost, speedy transactions: Bitcoin can be faster and significantly less expensive than other types of transactions, such as credit card and international remittances.
• Ease and flexibility of use: Bitcoin enables micro transactions of up to eight decimal places; also the widespread implementation of image scanning technology (such as Quick Response codes for identifying/tracking items) could enable cryptocurrency adoption.
• New approaches to privacy and transparency: pseudonymous accounts limit identity theft risk; all transactions publicly registered on a ‘blockchain’.
• Decentralised structure: thousands of different network nodes mitigate single point of failure risk.
• Open access: no need to apply for an account – anyone can use bitcoin.

Bitcoin is far from the only cryptocurrency: as of March 2015 there were approximately 600 known cryptocurrencies available to users [1]. Nevertheless, Bitcoin has a dominant market share, representing 84% of the USD 4.2 billion in total market capitalisation for all cryptocurrencies as of 23 March 2015. For this reason the report will primarily focus on and refer to Bitcoin, although many of the issues discussed in the report are applicable to other cryptocurrencies.

Bitcoin has now been operating for over six years [2]. However, the system is still considered to be in its infancy with many still referring to Bitcoin as a “beta technology” [3].
Beta technologies, and the still maturingecosystem of companies and processes which surroundthem (Figure 1) often feature a greater number of risksthan more established systems.This report examines three dimensions of the riskattached to Bitcoin: security and technology risk,through hacks and other technical breaches; market risk,through exchange rate and liquidity risk; and regulatoryrisk, through the impact of policy uncertainty.Figure 1: The Bitcoin start-up ecosystem –seven different Bitcoin company typesWalletsPaymentProcessingInfrastructureUniversalMiningSource: State of Bitcoin Report 2015, CoinDeskhttp://www.coindesk.com/research/state-of-<strong>bitcoin</strong>-2015/Security and technology riskExchangesFinancialServicesBitcoin security risk arises from deliberate targetingby malicious actors for theft or other purposes, whiletechnology risk is associated with the design of theBitcoin software protocol.Security riskBitcoin’s pseudonymous nature, the fact that <strong>bitcoin</strong>sare fungible, the network’s fast transaction executionand the irreversibility of transactions are a few of thereasons why the cryptocurrency can be an attractivetarget for theft. Many justice systems are also still justlearning about Bitcoin and are either unwilling orunsure how best to pursue loss claims. The rapidrise in Bitcoin’s value, coupled with the discovery ofvulnerabilities, has attracted the attention of cybercriminals,leaving Bitcoin institutions and userssusceptible to material losses.The largest Bitcoin loss to date stems from the wellpublicicedFebruary 2014 collapse and insolvency of theBitcoin exchange Mt. Gox, where an estimated$500 million worth of <strong>bitcoin</strong>s went missing 4 . While noother cryptocurrency-related loss comes anywhere closeto the size of Mt. Gox, other notable losses include theLloyd’s Emerging Risk Report – 2015


Bitcoin: risk factors for insurance 19January 2015 hack of another leading Bitcoin exchange’s“hot wallet”, which resulted in a loss of $5 million 5 .While such larger thefts receive the lion’s share of themedia headlines, it is important to note that Bitcoinlosses are by no means isolated to large-scale events.Based on recently published research that examinedsmaller Bitcoin losses (i.e. excluding larger multi-milliondollar losses like those at Mt. Gox and Bitstamp) it hasbeen estimated that approximately $11 million has beenlost by about 13,000 victims in close to 200 smaller-scaleBitcoin scams over the past few years 6 . The majority ofthese Bitcoin losses have been realised in the last year,during which time Bitcoin’s value increased substantially,as shown in Figure 2 below.Three primary categories of Bitcoin scams have beenidentified:• “Ponzi schemes”: investors are promised lucrativereturns, which are in turn used to attract newinvestors.• Mining scams: a form of advanced-fee fraud thatexploits people’s interest in Bitcoin mining bypromising a way to profitably mine Bitcoin withoutmaking large up-front investments in expensivehardware.• Scam wallets and exchanges: thieves provide soughtafterservices, such as “mixing” coins at a seeminglyaffordable price, only to steal incoming transfersfrom customers. Fraudulent exchanges and escrowservices have also employed similar tactics.How do Bitcoin losses compare to other types offinancial services losses? The total estimated losses due toUK credit card fraud in 2013 were $675 million, a figurenot far off from total Bitcoin losses for 2014 8 . However,it is worth noting that credit card transactions in theUK in 2014 totalled approximately $240 billion (£160billion), or over ten times larger than the$22 billion in total worldwide <strong>bitcoin</strong> transactions overthe last 12 months 9 . 
In other words, losses related toBitcoin scams and fraud in the last year have, given theamount of underlying economic activity, been an orderof magnitude larger than credit card fraud.Technology riskMost of the security risk associated with Bitcoin tendsto be focused on service providers such as wallets andexchanges, and Bitcoin security has arguably come along way in recent months with the further adoptionof additional security measures, such as the wider useof multi-signature (third-party transaction approval)and “cold storage” (offline) wallets. However, a recentstudy of wallet services and their ability to survivean attack designed to exploit the Bitcoin protocol’slong-known transaction malleability problem (whereelements of a Bitcoin transaction are performed in away that undermines the integrity of the transaction’sdata) revealed that problems still exist at nearly all majorBitcoin wallets. The test conducted by Andrychowiczet al found that all the wallets in their study exceptXapo and Bitcoin Core failed at least one aspect of theirtransaction malleability test, as shown in Figure 3:Figure 2: Major Bitcoin thefts coincide with Bitcoin weekly price spikesNote: The highest peak is the Mt. Gox loss and has been scaled down by a factor of 1001,2006,000Bitcoin prices in USD ($)1,0008006004002005,0004,0003,0002,0001,000Major theft amounts in thousands of USD ($)02012 2013 20140Bitcoin closing priceTheftsSources: Weekly average Bitcoin price source: https://www.quandl.com/BCHARTS/BITSTAMPUSD-Bitcoin-Markets-bitstampUSD and top 25major thefts source: https://<strong>bitcoin</strong>talk.org/index.php?topic=576337#post_t2013_forkLloyd’s Emerging Risk Report – 2015


Figure 3: Summary of results of malleability tests on leading Bitcoin wallets (• denotes problem)*

Wallet name | Type | (a) (b) (c) | when the problem disappears
Bitcoin core | Desktop | | -
Xapo | Web | | -
Armory | Desktop | • | never
Green Address | Desktop | • | never
Blockchain.info | Web | • • | after six blocks without confirmation
Coinkite | Web | • • | after several blocks without confirmation
Coinbase | Web | • • | after several hours
Electrum | Desktop | • • | after application test
MultiBit | Desktop | • • | after “Reset block chain and transactions” procedure
Bitcoin Wallet | Mobile | • • | after “reset block chain” procedure
KnC Wallet | Mobile | • • • | after “Wallet reset” procedure
Hive | Desktop | • • • | after restoring the wallet from backup
BitGo | Web | • • | never
Mycelium | Mobile | • • | never

*Notes from study authors:
(1) Three malleability tests were performed: (a) the wallet incorrectly computes the balance, (b) the wallet is unable to make an outgoing transaction because it assumes that some transaction will be confirmed in the future (which in fact will never happen), (c) the application crashes.
(2) All the tests took place in October 2014 and hence may not correspond to the current software version.
Source: Andrychowicz, Dziembowski, Malinowski, Mazurek, On the Malleability of Bitcoin Transactions http://fc15.ifca.ai/preproceedings/bitcoin/paper_9.pdf

One widely discussed technical risk associated with the core Bitcoin software protocol is the “51% attack”, whereby an individual or entity controls at least a majority (over 50%) of the Bitcoin network’s “hashing” (computer) power. This level of control would enable a number of malicious activities, including spending the same bitcoin more than once (“double-spending”) and preventing certain Bitcoin transactions from being added to the blockchain [10]. The 51% vulnerability is inherent to the Bitcoin core software protocol, meaning this risk will remain unless a change to the protocol can be devised and implemented.

While at least one pool of miners has already garnered over 50% of Bitcoin’s hashing power, a 51% attack has yet to take place [11]. Indeed, there are considerable economic disincentives in place for many of those who would have the resources to carry out such an attack [12]. For these and other reasons, many believe it is highly unlikely that a 51% attack will ever occur. However, the history of hacking has demonstrated that many hackers are motivated by non-economic reasons. Indeed, hacker motivation often tends to resemble something akin to Mallory’s famous quip to the question of why climb Everest (“because it is there”). Like a famous but still unsolved mathematical puzzle, executing a successful 51% attack may represent a tantalising trophy for some hackers or other actors with incentives to steal or damage Bitcoin. It is unclear how much damage a 51% attack would do to Bitcoin’s prospects for adoption in the longer run, but in the short run a material decline in Bitcoin’s price, disruptions to transactions and reputational damage could be anticipated.

In sum, Bitcoin security and technology risk is considered unlikely to go away in the near future regardless of whether Bitcoin companies further adopt enhanced security practices. In the words of the US Federal Bureau of Investigation, “As long as there is a means of converting bitcoins into real money, criminal actors will have an incentive to steal them.” [13]

Market risk

Market risk stems from the volatility in Bitcoin’s price and can be examined in two principal ways – exchange rate risk and liquidity risk.

Figure 4: Bitcoin price vs. gold price in USD, 2013–2014 [chart: Average BTC USD ($) and XAUUS USD ($)]
Data Source: https://www.bigterminal.com/chart/averageBTCUSD/?from_goldnet=1


Bitcoin’s value, like other freely traded assets, is ultimately a function of supply and demand. As a relatively new asset class, Bitcoin lacks the historical track record of other commodities (such as gold) that can guide its valuation. It has been claimed that the main drivers of Bitcoin’s price volatility have been interest in Bitcoin (measured through Google Trends data) and the number of Bitcoin transactions [14]. In addition, unlike national currencies such as the dollar and pound, Bitcoin’s price is not backed by a central bank with the capacity to guide the currency’s exchange rate.

Figure 5: 2014’s worst performing national currencies

164 Serbian Dinar RSD -15.76
165 Colombian Peso COP -15.97
166 Hungarian Forint HUF -16.10
167 Moldovan Leu MDL -16.80
168 Swedish Krona SEK -17.01
169 Silver XAG -17.24
170 Norwegian Krone NOK -18.04
171 Argentine Peso ARS -23.76
172 Ghanaian Cedi GHS -25.67
173 Russian Ruble RUB -41.82
174 Ukrainian Hryvnia UAH -47.83

Source: Bloomberg

It has been claimed that Bitcoin was 2014’s “worst performing currency” with an annual price decline of 67%, significantly worse than both the Russian ruble and the Ukrainian hryvnia (Figure 5) [15]. Nevertheless, weekly Bitcoin price volatility, although still considerably greater than other asset classes, has been on a downward trend over the past year (Figure 6a). The weekly Bitcoin price volatility displayed in Figure 6a has been calculated in three different ways:

• Weekly Volatility – Method 1: Standard deviation of daily returns over a week.
• Weekly Volatility – Method 2: Weekly high minus weekly low divided by weekly low.
• Weekly Volatility – Method 3: Magnitude of Sunday night closing price minus previous Monday night closing price divided by the previous Monday night closing price.

Figure 6a: Bitcoin weekly price volatility [chart: Weekly volatility (St. Dev.), Weekly volatility (high minus low), Weekly volatility (close minus open) in %, and Average weekly price in USD, 2013–2015]
Data Source: http://www.coindesk.com/price/

Figure 6b: Bitcoin volatility methods comparison

Method | Average | St. Dev.
Weekly Volatility – Method 1 | 4.37% | 3.82%
Weekly Volatility – Method 2 | 16.33% | 19.36%
Weekly Volatility – Method 3 | 10.08% | 10.92%

Method 1 is a standard measure for volatility and under the same measure the average of the volatility of gold (in USD) was 0.93% for the same period, whereas Bitcoin's is 4.37%, or ~500% greater than gold [17].

Liquidity risk

Liquidity risk can result in not being able to exchange bitcoins quickly enough to prevent a loss, and it is currently one of the main drivers of Bitcoin price volatility. Bitcoin liquidity risk stems primarily from the limited number of market participants and lack of market depth. Bitcoin’s comparatively small market capitalisation makes it particularly vulnerable to large swings in value from relatively small transactions [18]: as of March 2015, Bitcoin had a relatively small total market capitalisation of approximately $3 billion, compared with the total value of all gold estimated at approximately $6.5 trillion [19]. Daily turnover of Bitcoin is also relatively small at 0.01% of total market capitalisation, as compared with 2–6% for other liquid asset classes such as gold, US Treasuries and Japanese Government Bonds [20].

Figure 7: Bitcoin price (USD) and trading volume (in 100 BTC units), December 2011 – December 2014 [chart: Closing price in USD ($) and Volume in BTC (’00 s), 2012–2014]
Data Source: http://bitcoincharts.com/

The liquidity risk attached to Bitcoin is illustrated in Figure 7, which shows the volatile nature of trading volume. We can see that trading volume peaks often follow sudden spikes and declines in Bitcoin’s price. This can also be taken as evidence of the speculative nature of transactions that drive Bitcoin trading volume at present.

Both greater liquidity and lower volatility could come about through greater adoption of bitcoin. For example, it is estimated that less than 50% of all bitcoins in circulation are used in transactions, and greater acceptance by merchants would mean more demand for conversion, and hence more liquidity [21]. Over 88,000 merchants now accept bitcoin, including a number of Fortune 100 companies such as Microsoft and Dell (Figure 8). While bitcoin has proven attractive for merchants to adopt due to its lower fees, no chargebacks, and other factors, consumers have yet to show much interest in paying for goods and services with bitcoin. Barriers to wider consumer adoption of bitcoin include the previously noted concerns over theft and price volatility, as well as the fact that bitcoins are still relatively difficult to use and acquire for many consumers.

Figure 8: Ten largest retailers that accept bitcoin (annual revenue)

Rank | Company | 2013 annual revenue ($B)
1 | Microsoft | 86.80
2 | Dell | 56.90
3 | Dish Network | 13.90
4 | Expedia | 5.00
5 | Intuit | 4.50
6 | Monprix* | 4.30
7 | Time Inc. | 3.40
8 | NewEgg | 2.80
9 | Overstock | 1.30
10 | TigerDirect* | 1.00
Total | | $179.90

*Note: Monprix is a private company and most recent revenue data is from 2005. TigerDirect estimate provided by parent company investor relations. Other divisions that are part of a larger parent organisation, but do not break out individual divisional revenues, are excluded.
Source: State of Bitcoin Report 2015, CoinDesk http://www.coindesk.com/research/state-of-bitcoin-2015/
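An added example (not part of the Lloyd’s report) that computes the three weekly volatility measures listed under Market risk and summarises them in the layout of Figure 6b. The daily bars are constructed sample data, and the Monday-to-Sunday grouping, the use of the sample standard deviation and all function names are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, stdev

# Constructed daily bars (date, high, low, close); not real market data.
BARS = [
    # Week of 1 Dec 2014: choppy, the close swings +/-10% every day
    (date(2014, 12, 1), 205.0, 195.0, 200.0),
    (date(2014, 12, 2), 225.0, 199.0, 220.0),
    (date(2014, 12, 3), 221.0, 196.0, 198.0),
    (date(2014, 12, 4), 219.0, 197.0, 217.8),
    (date(2014, 12, 5), 218.0, 194.0, 196.02),
    (date(2014, 12, 6), 217.0, 195.0, 215.622),
    (date(2014, 12, 7), 216.0, 190.0, 194.0598),
    # Week of 8 Dec 2014: steady trend, the close rises about 2% every day
    (date(2014, 12, 8), 202.0, 198.0, 200.0),
    (date(2014, 12, 9), 206.0, 199.0, 204.0),
    (date(2014, 12, 10), 210.0, 203.0, 208.08),
    (date(2014, 12, 11), 214.0, 207.0, 212.2416),
    (date(2014, 12, 12), 218.0, 211.0, 216.4864),
    (date(2014, 12, 13), 222.0, 215.0, 220.8162),
    (date(2014, 12, 14), 226.0, 219.0, 225.2325),
    # Single day of an incomplete week: must be ignored
    (date(2014, 12, 15), 228.0, 224.0, 226.0),
]


def weekly_volatility(bars):
    """Return {monday: (method1, method2, method3)} for complete Mon-Sun weeks.

    method1: standard deviation of daily close-to-close returns in the week
    method2: (weekly high - weekly low) / weekly low
    method3: |Sunday close - Monday close| / Monday close
    """
    weeks = defaultdict(list)
    for day, high, low, close in sorted(bars):
        monday = day - timedelta(days=day.weekday())
        weeks[monday].append((high, low, close))
    result = {}
    for monday, rows in weeks.items():
        if len(rows) != 7:           # skip weeks with missing days
            continue
        closes = [close for _, _, close in rows]
        returns = [b / a - 1.0 for a, b in zip(closes, closes[1:])]
        week_high = max(high for high, _, _ in rows)
        week_low = min(low for _, low, _ in rows)
        result[monday] = (
            stdev(returns),
            (week_high - week_low) / week_low,
            abs(closes[-1] - closes[0]) / closes[0],
        )
    return result


def summarise(weekly):
    """Average and standard deviation of each method across weeks (as in Figure 6b)."""
    columns = list(zip(*weekly.values()))
    return [(mean(col), stdev(col) if len(col) > 1 else 0.0) for col in columns]


if __name__ == "__main__":
    weekly = weekly_volatility(BARS)
    for monday, (m1, m2, m3) in weekly.items():
        print(f"{monday}: method1={m1:.2%} method2={m2:.2%} method3={m3:.2%}")
    for number, (avg, sd) in enumerate(summarise(weekly), start=1):
        print(f"Method {number}: average={avg:.2%} st.dev={sd:.2%}")
```

On the constructed data the choppy week scores about 11% on Method 1 but only 3% on Method 3, while the steady week scores near zero on Method 1 and about 12.6% on Method 3, which is why the three rows of Figure 6b should not be compared as if they measured the same thing.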


Regulatory risk

Legal and regulatory concerns

Government-imposed restrictions could result in a fall in Bitcoin’s value or the suspension of Bitcoin operations for those involved in the Bitcoin economy. To date, the actions and statements about Bitcoin by government agencies around the world reveal three primary areas of concern:

1. Money laundering and illegal trade. The unregulated and decentralised nature of Bitcoin means that it could be attractive for money laundering and other illegal activities, such as trade in illicit goods and tax evasion [22]. Bitcoin has been prominently associated with online black markets such as the original Silk Road, which was shut down in autumn 2013. Technological developments designed to offer additional layers of anonymity protection, such as the ‘Dark Wallet’ app, combined with cryptocurrency mixing services (which make bitcoin ownership more difficult to trace) have led to further concerns over the potential for Bitcoin to be exploited by criminals [23].
2. Consumer protection. Bitcoin is a decentralised money transfer system and there is no recourse available for users to reverse transactions or enjoy other safeguards offered by traditional and more centrally managed financial services, such as fraudulent transaction protection and deposit insurance.
3. Avoidance of capital controls. Bitcoin can enable the avoidance of regulations designed to restrict the international movement of funds or limit ownership of foreign financial instruments [24].

Some regulatory authorities have also published reports that identify cryptocurrencies as posing a systemic risk to the financial system in the medium to long term [25]. However, barring a significant increase in Bitcoin adoption, and/or a macroeconomic crisis, it is unlikely that such systemic concerns will affect Bitcoin regulation in the near future.

Worldwide approaches to Bitcoin regulation

To date over 60 countries have officially issued some form of regulatory guidance or regulation relating to Bitcoin or alternative currencies more generally. The Bitcoin regulatory map in Figure 9 shows a rough approximation of the countries where the use of bitcoin is legal (blue), subject to some restrictions (dark grey), and banned or severely restricted (black). Countries coloured light grey have not yet issued any regulatory guidance on Bitcoin. Overall, the map highlights how the vast majority of countries have neither banned nor severely restricted bitcoin’s use. The map also highlights how few African countries have issued any regulatory guidance on Bitcoin. It is important to note that the regulatory map is rather simplistic. For example, while bitcoin has not been banned in Europe, the authorities have discouraged banks from transacting with bitcoin or interacting with the Bitcoin companies [26]. This in turn has limited the ability of Bitcoin businesses to connect with the broader financial system and grow.

Figure 9: Legal status of Bitcoin by country [map]
Source: Wikipedia https://en.wikipedia.org/wiki/Legal_status_of_Bitcoin

Given both the high number of Bitcoin operations based in the US, and the position of the US in the global economy and financial system, regulation in the US will probably have a significant influence on the development of global Bitcoin regulation. In July 2014 the US Securities and Exchange Commission issued an investor alert on cryptocurrencies [27]. Subsequently, the New York State Department of Financial Services proposed specific regulation for Bitcoin businesses and operators called “BitLicenses” [28]. In March 2014 the Internal Revenue Service classified bitcoin as a property and suggested that all bitcoin transactions could be subject to individual capital gains taxes. Perhaps on a more positive note, the US Marshals’ auctioning of millions of dollars of bitcoins seized in the Silk Road drug marketplace raid has been viewed as a de facto legalisation of bitcoin at the federal level of the US government given that the government will not auction any seized goods that are deemed illegal (e.g. cocaine). While a unified regulatory policy has yet to emerge, further examination of Bitcoin by US state and federal authorities is expected.

Impacts of varying approaches to Bitcoin regulation

The different Bitcoin regulations that have been applied and the resultant impact are illustrated in the following three mini regulatory case studies. While they diverge in approach, all three cases demonstrate the potential that regulation has to impact bitcoin’s market value:

1. Prohibition. Citing security issues, the possibility of enabling tax evasion, and clashes with its monetary policy, the central bank of Bolivia issued a resolution banning all cryptocurrency-related activity [29]. The ban covers conversion and quoting of prices in bitcoin, amounting to an indirect ban on transactions. Since implementing the ban in May 2014 there has been a gradual decline in the bitcoin/boliviano (BOB) exchange rate at a rate faster than the bitcoin/USD exchange rate. Bitcoin/BOB exchange rates have fallen by about 66% since the ban was implemented.
2. Partial restrictions. In Thailand, exchanges are allowed to legally convert Thai bahts to bitcoins but are banned from converting bitcoins for other currencies. The Thai government initially banned Bitcoin altogether before moving to this more relaxed stance [30]. On 29 July 2013, Bitcoin Co. posted a notice saying it was suspending all activity due to a directive from the Bank of Thailand, resulting in a 15% decline in the value of bitcoin (Figure 10). It remained at that level until December 2014, after which it recovered and stabilised.

Figure 10: Bitcoin value against Thai baht, July 2013 – September 2014 [chart: Local bitcoins (THB) closing price and volume]
Data Source: http://bitcoincharts.com/charts localbtcTHB#czsg2013-07-01zeg2015-01-01ztgCzm1g10zm2g25zv


3. Regulatory warning. The Reserve Bank of India has indicated that it has no plans to regulate Bitcoin, but on 24 December 2013 it issued a public notice warning citizens about the dangers of virtual currencies [31]. In the weeks leading up to the notice the value of bitcoin fell by almost 40% against the Indian rupee (Figure 11). The warning coincided with a steep fall in the value of bitcoin against the Indian rupee, including a 27% fall in a single day. Volume can also be seen to dip sharply in the week the notice was released.

Figure 11: Bitcoin/Indian rupee closing prices for a month before and after the RBI notice (24 December 2013) [chart: Local bitcoins (INR) closing price and volume, 16 Nov 2013 – 1 Feb 2014]
Data Source: http://bitcoincharts.com/charts/localbtcINR#tgCzm1g10zm2g25zv


Conclusion

Cryptocurrencies such as Bitcoin could play an important role in transforming financial services and other industries that many feel are ripe for disruption. Investment in the Bitcoin ecosystem of start-ups to date totals over $660 million, which is roughly on par with the level of early stage investments in internet start-ups [32]. This strong showing of support from the venture capital community indicates the very significant economic potential seen for cryptocurrencies.

However, there are no clear solutions on the horizon for some Bitcoin risks, such as the currency’s price volatility or technical vulnerabilities like a 51% attack. Individuals and institutions that are seeking to participate in the Bitcoin economy must take into consideration a wide range of risk factors that come with Bitcoin’s innovative but still maturing ecosystem.


References

1. http://coinmarketcap.com/all/views/all/
2. Bitcoin creator Satoshi Nakamoto first published his paper describing Bitcoin on 31 October 2008 and then mined the first bitcoins on 3 January 2009 http://historyofbitcoin.org/
3. Reflecting this status the current Bitcoin Core protocol is Version 0.10.0 https://bitcoin.org/en/download
4. At the time of writing this report, the vast majority of the approximately 800,000 bitcoins originally reported missing have yet to be fully accounted for or recovered http://www.nytimes.com/2014/02/25/business/apparent-theft-at-mt-gox-shakes-bitcoin-world.html?_r=0
5. http://www.coindesk.com/bitstamp-claims-roughly-19000-btc-lost-hot-wallet-hack/
6. Moore and Vasek, There’s No Free Lunch, Even Using Bitcoin: Tracking the Popularity and Profits of Virtual Currency Scams http://fc15.ifca.ai/preproceedings/paper_75.pdf
7. Only confirmed thefts are included i.e. all cases of bitcoin loss from the list have been omitted from the graph. The Silk Road seizure by the FBI has also been omitted.
8. Financial Fraud Action UK http://www.theukcardsassociation.org.uk/news/EOYFFfor2013.asp
9. Bitcoin USD transaction value obtained from https://blockchain.info/charts/estimatedtransaction-volume-usd UK credit card data obtained from http://uk.creditcards.com/creditcard-news/uk-britain-credit-debit-card-statisticsinternational.php
10. https://en.bitcoin.it/wiki/Attacks#Attacker_has_a_lot_of_computing_power Note: transaction censorship is something that could take place without 51% control of the Bitcoin network. All that is required is that the current mining block award winners collude to exclude certain transactions from inclusion in the blockchain.
11. http://www.theguardian.com/technology/2014/jun/16/bitcoin-currency-destroyed-51-attack-ghash-io
12. http://www.bitcoinx.com/bitcoin-developer-gavinandresen-weighs-in-on-centralized-mining-and-theghash-situation/
13. http://www.wired.com/images_blogs/threatlevel/2012/05/Bitcoin-FBI.pdf
14. Price Fluctuations and the Use of Bitcoin: An Empirical Inquiry, Polasik et al http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2516754
15. http://www.bloombergview.com/articles/2014-12-23/and-2014s-worst-currencywasbitcoin
16. Calculated using data from World Gold Council: http://www.gold.org/
17. Method 2 (and to an extent Method 1) is a reliable measure in liquid markets to gauge the trend as a widening measure would imply that the trend is likely to be reversed.
18. See for example the October 2014 price impact of a sale of 30,000 bitcoins on Bitstamp by an early bitcoin adopter (pp. 7–8) http://panteracapital.com/wp-content/uploads/Pantera-Bitcoin-Letter-November-2014-1.pdf
19. 171,300 tonnes of gold have been mined throughout 2011 according to the Minerals Handbook published by the USGS (http://minerals.usgs.gov/minerals/pubs/commodity/gold/myb1-2011-gold.pdf) and 462 tonnes were mined in 2012 and 2013 according to USGS (http://minerals.usgs.gov/minerals/pubs/mcs/2014/mcs2014.pdf). The price of gold was taken as $38 per gram.
20. http://www.gold.org/sites/default/files/documents/gold-investment-research/liquidity_in_the_global_gold_market.pdf
21. Bitcoin: Technical Background and Data Analysis, Anton et al http://www.federalreserve.gov/econresdata/feds/2014/files/2014104pap.pdf
22. See for example Danton Bryans, Bitcoin and Money Laundering: Mining for an Effective Solution, Indiana Law Journal http://ilj.law.indiana.edu/articles/19-Bryans.pdf
23. See “Hiding Currency in the Dark Wallet”, BBC http://www.bbc.co.uk/news/technology-29283124 and “‘Dark Wallet’ Is About to Make Bitcoin Money Laundering Easier Than Ever”, WIRED http://www.wired.com/2014/04/dark-wallet/
24. G. Hileman, Bitcoin Market Potential Index http://www.bitcoiniq.info/
25. For example, see “The Economics of Digital Currencies” by Ali et al http://www.bankofengland.co.uk/publications/Documents/quarterlybulletin/2014/qb14q3digitalcurrenciesbitcoin2.pdf and “Risks to financial stability and payment system stability” http://www.ecb.europa.eu/pub/pdf/other/virtualcurrencyschemes201210en.pdf and “Impact of innovations in retail payments on monetary system” http://www.bis.org/cpmi/publ/d102.pdf
26. EBA Opinion on Virtual Currencies http://www.eba.europa.eu/documents/10180/657547/EBA-Op-2014-08+Opinion+on+Virtual+Currencies.pdf
27. Investor Alert: Bitcoin and Other Virtual Currency-Related Investments, SEC http://investor.gov/news-alerts/investor-alerts/investor-alert-bitcoin-other-virtual-currency-relatedinvestments#.VNKXomjkdcR
28. In the matter of virtual currency exchanges, DFS NY http://www.dfs.ny.gov/about/po_vc_03112014.pdf
29. Resolution from El Banco Central de Bolivia http://www.bcb.gob.bo/webdocs/2014/Normativa/Resoluciones/044%202014.PDF
30. Bitcoin Ban Fear Fades in Thailand With Exchange Launch http://www.coindesk.com/bitcoin-ban-fear-fadesthailand-exchange-launch/
31. RBI cautions users of Virtual Currencies against Risks http://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=30247
32. http://www.coindesk.com/bitcoin-venture-capital/ and http://www.coindesk.com/research/state-of-bitcoin-2015/
