Is it a crime to attack a blockchain?

A 51 percent attack cost Ethereum Classic users thousands of dollars. But in blockchain’s wild west—where ‘code is law’—can anything even be done?

Chinese cybersecurity firm SlowMist revealed on Thursday that it had tracked down three crypto addresses associated with the so-called “51 percent attack” that rocked the Ethereum Classic network on Saturday, haemorrhaging some $270,000 worth of funds through double-spend payments.

What swift justice! Well, not quite. The thing is, while SlowMist is edging ever closer to identifying the actual people behind the caper (and it’s looking for your help here, friend), it’s less confident that anything can be done about it. “We think that we can identify them, but it’s very difficult to pursue the attackers legally,” an entity going only by the name “SlowMist team” said Thursday in an interview with Decrypt.

Yet Gabriel Shapiro, an attorney with DLxLaw LLP and frequent crypto commentator, has a different take. If you know your tort and statutory law well enough—and who doesn’t?—there might be a way to pursue the attackers in an actual Court of Law™. If you uncover their real identities, that is.

Legal avenues

To understand this better, it’s worth explaining how a 51 percent attack works. Unlike a straight-up hack, in which personal accounts are compromised, a 51 percent attack targets the blockchain itself, an entity that exists in code and has no legal liability. In a double-spend attack, funds are not robbed but simply written out of history, and replaced by new ones—a merchant might be expecting a payment that never materializes. This is the power vested, by consent, in those with the most power over the network—51 percent or more.
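An added illustration, not part of the original article or of SlowMist's analysis: a toy Python model of the mechanism described above, showing how a merchant's node could detect that a payment was dropped when a heavier competing branch replaces the blocks it had accepted. The block layout, the most-cumulative-work fork rule and every transaction name are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    hash: str
    parent: str
    difficulty: int
    txs: tuple  # ids of the transactions included in this block

def total_work(chain):
    return sum(b.difficulty for b in chain)

def fork_choice(a, b):
    """Assumed rule: nodes follow the branch with the most cumulative work."""
    return a if total_work(a) >= total_work(b) else b

def reorg_report(old, new):
    """Compare the chain a node followed before and after a reorganisation."""
    common = 0
    while common < min(len(old), len(new)) and old[common].hash == new[common].hash:
        common += 1
    orphaned = [tx for b in old[common:] for tx in b.txs]
    kept = {tx for b in new for tx in b.txs}
    return {
        "depth": len(old) - common,  # blocks rolled back
        # Transactions that were confirmed before and are absent now.
        "dropped": [tx for tx in orphaned if tx not in kept],
    }

def build(prefix, specs, parent_chain=()):
    """Append blocks described by (difficulty, txs) pairs to parent_chain."""
    chain = list(parent_chain)
    for i, (difficulty, txs) in enumerate(specs):
        parent = chain[-1].hash if chain else "genesis"
        chain.append(Block(f"{prefix}{i}", parent, difficulty, tuple(txs)))
    return chain

# Constructed sample: both branches share two blocks. The public branch
# confirms "pay-merchant"; the competing branch carries more work and
# contains a conflicting "pay-self" transaction instead.
shared = build("s", [(10, ["tx-a"]), (10, ["tx-b"])])
public = build("p", [(10, ["pay-merchant"]), (10, ["tx-c"]), (10, [])], shared)
private = build("q", [(12, ["pay-self"]), (12, ["tx-c"]), (12, [])], shared)

winner = fork_choice(public, private)
report = reorg_report(public, winner)
print(report)
```

The merchant's payment had three blocks built on the branch that contained it, yet it vanishes once the heavier branch is adopted, while the unrelated `tx-c` survives because both branches include it.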

This means common fallbacks in “contract law” will hold little water, says Shapiro, since all participants agree to the terms of the network—and the possibility of a 51 percent attack—by simply taking part in it. “Due to the decentralized, peer-to-peer nature of a public blockchain, there are typically no clearly enforceable ‘terms of use’ that would prohibit a double-spend attack as a matter of agreement,” he says. Though some blockchains, like EOS, have tried to impose contractual obligations on their members, Shapiro is doubtful they are legally binding. So that leaves us with two options.

First, says Shapiro, a victim could invoke so-called “conversion” charges to seek damages. Conversion is said to occur when a person intentionally dispossesses (Shapiro’s word, not ours) another of a “personal movable property,” or “chattel,” which Shapiro believes would likely cover cryptocurrencies. The chattel “dispossessed,” in this case, is the funds that have been scrubbed from history. Failing that, a plaintiff could pursue a basic fraud case. “A ‘double-spend’ consists of knowingly misleading the victim into believing it has received funds that ultimately won’t be retainable,” Shapiro explains.

Under U.S. statutory law there are further options, he adds. U.S. laws applying to “hacking and other forms of attacks on networks or computer systems,” he explains, may provide legal recourse to would-be 51 percent attack victims. The problem? There’s no precedent, and the plaintiff would have to hope the existing laws, which govern general computer hacking, would be applied broadly enough to cover crypto. This is “quite possible,” says Shapiro. Through something like the “Computer Fraud & Abuse Act,” law enforcement could potentially seize the assets of anybody implicated in a double-spend.

So will anybody actually do anything?

Hooray? Steady on. SlowMist has no intention of pursuing the victims (and is doubtful it could track them down anyway), insisting that “code is law”—you play the game at your own risk. Indeed, it’s this philosophy that got Ethereum Classic into this mess in the first place. In the 2016 hack on the Decentralized Autonomous Exchange, which cleaned out some $70 million worth of ether, “code is law” diehards clung to the compromised network as the Ethereum core devs—led by Vitalik Buterin—spearheaded a hard fork that would reimburse the stolen funds.

These unbending traditionalists, if they are true to their word, are in turn unlikely to pursue the engineers of the recent 51 percent attack. “That’s why also the ETC community won’t revert back their transactions and it will continue to be immutable,” says Biser Dimitrov, who ran an exchange and is familiar with the law around the subject. “‘Code is law’ and they played by the rules.” SlowMist concurs. “It is the rule of blockchain world, not the rule of human world.”


2019 © Decrypt Media, Inc. All Rights Reserved.
