The FBI has raised an alarm over North Korean hackers increasingly targeting U.S. cryptocurrency exchange-traded funds (ETFs). These ETFs, which are backed by Bitcoin (BTC), Ether (ETH), and other digital assets, have amassed billions of dollars in value, becoming lucrative targets for cybercriminals.
The concern is that North Korean groups like Lazarus, infamous for past high-profile crypto heists, might aim to exploit vulnerabilities within these financial products.
With the rise of cryptocurrency-backed ETFs, investors have poured substantial amounts into these digital assets.
Data from Farside Investors indicates that the cumulative flows for spot Bitcoin ETFs alone surpassed $15 billion since July 2024.
However, the massive accumulation of digital assets poses a significant risk, as hackers may target the underlying reserves of Bitcoin and Ether, potentially leading to severe financial losses.
While traditional ETFs are covered by insurance and robust regulatory frameworks, crypto-backed ETFs present a different set of challenges.
The custodians holding these digital assets must secure the underlying assets themselves, and any breach could be disastrous.
Jameson Lopp, co-founder and chief security officer of Casa, explained that if a Bitcoin or Ether ETF were hacked, the value of that ETF could plummet to zero almost instantly, creating market-wide panic as investors scramble to liquidate their positions.
A significant concern raised by experts is the centralization of crypto custody services. In the U.S., Coinbase stands out as the dominant custodian for most crypto-backed ETFs.
This concentration of assets within one entity could be a systemic risk for the entire market. If hackers breach Coinbase’s security, the impact could be catastrophic.
Steven Walbroehl, co-founder and CTO of cybersecurity firm Halborn, pointed out that while Coinbase has robust security measures in place, the lack of diversification in custody providers increases the overall risk for the industry.
Adding to the problem is the limited insurance coverage for these ETFs. While some firms, like BlackRock’s iShares Bitcoin Trust ETF, have insurance policies, these cover only a small fraction of the total assets under management.
For example, Coinbase’s $320 million insurance policy covers only 0.12% of its $269 billion in custodied digital assets.
Andrew Rossow, a digital media attorney, cautioned that the insurance policies might not fully protect investors, leaving them exposed to potential losses if a hack occurs.
To mitigate risks, some experts suggest that ETF issuers should diversify their custodial services or, better yet, manage their own custody.
Fidelity is one of the few firms that have taken this route, opting for self-custody of its digital assets.
Lopp argues that large institutions launching ETFs are capable of maintaining secure, enterprise-grade self-custody systems, which would avoid reliance on third-party custodians with opaque security practices.