The Perils of Permissionless Crypto: Losing Access and the Limits of Self-Custody
A recent case brought before the Insurance and Financial Services Ombudsman (IFSO) scheme in New Zealand highlights a critical, and often overlooked, risk associated with cryptocurrency: the potential for permanent loss of funds due to lost access credentials. A man lost access to $11,000 worth of cryptocurrency after falling victim to a scam and subsequently being unable to recover his digital wallet, prompting a reminder that the responsibility for safeguarding these assets rests squarely with the user.
The incident unfolded when the complainant created a cryptocurrency wallet and was almost immediately targeted by scammers. They instructed him to open the wallet and transfer his holdings. Alerted by his bank to the fraudulent activity, he halted the transfers, leaving $11,000 remaining within the digital wallet. However, when he attempted to regain access later, he found himself locked out. He possessed a backup file, but was unable to locate it.
The complainant argued that the platform should reimburse his losses, claiming he hadn’t been adequately informed about the necessity of backing up his wallet and that there were insufficient warnings about the inherent risks. However, the IFSO scheme ultimately ruled against him, finding no evidence of negligence on the platform’s part.
Reasonable Care and Skill: The Platform’s Responsibility
Insurance and Financial Services Ombudsman Karen Stevens explained that cryptocurrency platforms are bound by the Consumer Guarantees Act to exercise reasonable care and skill. The IFSO’s investigation focused on the information and prompts presented during the wallet setup process, the availability of additional information via links, the platform’s response to the reported issue, and its terms of use.
The investigation revealed that the platform clearly displayed screens explaining the importance of backing up the wallet, emphasizing that the backup was the sole method of recovery in case of lost access, and explicitly stating that the platform itself could not access or restore wallets on behalf of customers. Further explanatory information was readily available through links provided during setup.
“We found no evidence that the platform failed to exercise reasonable care and skill,” Stevens stated. “The information about backing up the wallet was presented during set-up, and additional explanations were readily available. We also noted that the platform took reasonable steps to assist [the man] once the issue was identified, but recovery was not possible without a back-up file. The platform’s terms clearly stated that customers are responsible for backing up their wallets and safeguarding access.”
The Limits of Permissionless Systems and the Burden of Self-Custody
This case underscores a fundamental characteristic of many cryptocurrency systems: the principle of self-custody. Unlike traditional financial institutions, where a bank or brokerage holds your assets and provides recovery mechanisms in case of lost passwords or credentials, many cryptocurrency wallets place the entire responsibility for security and backup directly on the user. This is particularly true for permissionless blockchains, where the very design philosophy prioritizes decentralization and the elimination of intermediaries.
Alex Sims, a professor of commercial law at the University of Auckland and an associate at the UCL Centre for Blockchain Technologies, points to a lack of public understanding regarding these limitations. “People probably do not realise the limits on accessing cryptocurrencies and education is needed,” she said. She also noted that while some platforms do hold and control cryptocurrency on behalf of users, this particular platform did not.
The incident serves as a stark reminder that cryptocurrency is fundamentally different from traditional banking services. Stevens emphasized the need for users to pay close attention to setup instructions and understand the implications of losing access to their private keys or backup files. The lack of centralized control, while a core tenet of the technology, also means there is often no recourse for users who make mistakes or fall victim to scams.
A History of Lost Crypto: From Landfills to Forgotten Passwords
The loss of access to cryptocurrency holdings is not an isolated incident. Internationally, numerous cases have emerged of individuals unintentionally losing significant amounts of digital assets. Perhaps the most dramatic example involves a Welsh man who inadvertently discarded a hard drive containing 7,500 Bitcoin in a landfill – a loss valued at hundreds of millions of pounds at today’s exchange rates.
Another case, highlighted by Cointelegraph, involved a Redditor who lost access to approximately 2.6 Bitcoin (roughly $96,400 at the time of publication in January 2021) after formatting a new computer without verifying that the password to his private keys was still accessible. The user had mistakenly assumed the password had been saved by his password manager, but discovered it was not present after wiping the drive.
Mitigating the Risks: Hardware Wallets and Secure Backups
While the risks are real, there are steps users can take to mitigate the potential for loss. The Reddit community offered advice to the user who lost his Bitcoin, with many recommending the use of hardware wallets – physical devices that store private keys offline – and the creation of multiple, secure backups of the seed phrase (a series of words used to recover the wallet). One user suggested writing the seed phrase on both paper and a metal plate for added durability.
The core lesson remains: in the world of cryptocurrency, you are your own bank. And with that responsibility comes the need for diligence, education, and a robust backup strategy. The permissionless nature of these systems offers freedom and control, but it also demands a level of technical understanding and personal responsibility that many users may not fully appreciate.
