Bitcoin Risks, Crypto Risks
Bitcoin is just one kind of crypto. All crypto carries the same risks as Bitcoin.
44 separate risks and counting
Last update: November 12, 2023
Table of Contents:
- Consumer risks
- Value risks
- Theft of coins or personal info
- Loss of access to your coins
- Other loss of coins
- Scams
- Information risks
- Legal risks
- No regulation, no consumer protection, no recourse.
Banks are highly regulated, and are subject to all kinds of laws to
protect consumers, including disclosing risks. By contrast, the
Bitcoin network is completely unregulated, and the exchanges are only
loosely regulated. There are dozens of Bitcoin-related risks on
this page, and nobody is required to tell you about them. If
you lose your coins because you got scammed or make a mistake because
of something you didn't know, you usually have no recourse at all.
- If you buy something with crypto, there is zero buyer protection. With a credit card, you can dispute the charge with your credit card company if you can't resolve the problem with the merchant. With crypto, you're S.O.L.
- Your normal bank could freeze and/or close your bank and credit card accounts if you get innocently get scammed, adding insult to injury. Let's say a scammer somehow scams John Doe into sending you money to buy your Bitcoin or other crypto (or the scammer has hacked John Doe's bank account). You talk with John Doe and get a copy of his ID, and you're trading on a site like LocalBitcoins which has escrow protection, so you think you've done your due diligence, and you release your crypto. Well, once John Doe realizes he's been scammed, even months later, he complains to his bank, which complains to your bank. Your bank immediately freezes all the money in your account, denying you access to it for weeks. Your bank eventually then takes the crypto sale money out of your account and sends it bank to John Doe's bank, at which point you've lost your coins and the money that was paid for them. Your bank also advises you that it's then closing all your accounts (even your personal account even though the scam happened on your business account, even your kids' "High School"-flavor accounts, even your three credit cards which had nothing to do with the scam). It then unfreezes your accounts just so you can withdraw what's left of your money. This is exactly what happened to me.
- The price could crash, erasing your value. Bitcoin crashes are fairly common:
- 80% from 2017-18
- 50% in March 2020
- 52% between April-July 2021
- 58% between 11/21 and 5/22
- 75% between 11/21 and 11/22
From Nov. 2021 to Nov. 2022, crypto investors collectively lost over $2 billion. (CNBC) BIS estimated in 11/22 that 73 to 81% of Bitcoin buyers were in the red for that investment. (The Register) - The price is likely to crash permanently at some point, because Bitcoin is similar to a Ponzi scheme, which works only because new users keep feeding new money into the system. Once Bitcoin gets saturated with "investors", then expect a permanent crash. Bitcoin apologists argue weakly that Bitcoin isn't a Ponzi scheme, by ridiculously redefining "Ponzi", essentially creating a straw-man argument. Looking at it objectively, it's absolutely clear-cut that Bitcoin is a Ponzi-like system.
- The Journal of Monetary Economics says that Bitcoin is extremely vulnerable to severe price manipulation, and that such manipulation has actually already happened. (JME, Fortune)
- Your exchange could switch your coins to a less valuable altcoin. Coinseed inexplicably converted customers' deposits to a less valuable altcoin without their consent, and refused to process withdrawals. Customers watched helplessly as the alt coin plunged 30%. (Decrypt)
- Bitcoin could be usurped by a newer cryptocurrency, making Bitcoin worthless, or nearly so. Bitcoin isn't the only cryptocurrency, it was merely the first. Other cryptos solve some of the many problems with Bitcoin (such as high transaction fees and staggering energy use) and they could become more popular than Bitcoin, driving Bitcoin's price into the ground. Also, many governments are considering issuing their own cryptocurrency, which could likewise supplant Bitcoin.
- Technical issues could render everyone's coins worthless. This isn't just a theoretical: a problem with Terra USD resulted in the related Terra LUNA crashing from nearly $100 to a fraction of a penny, costing investors $60 billion. (CNBC) A bug in the crypto code, or an exploit by a hacker, could make other cryptos similarly worthless. And although the Bitcoin network ostensibly runs on its own without any oversight, this article says that a group of five programmers is actually responsible for keeping things going, and that if they quit or die, Bitcoin could crash to zero.
- Quantum computers, if perfected, they could easily discover everyone's passwords. (Decrypt)
- Even stablecoins can crash. Stablecoins are crypto coins that are supposed to be pegged to fiat money. For example, Tether (USDT) is always supposed to be the same value as the U.S. dollar. But even stablecoins can be risky. At least two stablecoins crashed to be nearly worthless, Cashio (Decrypt) and Terra UST (LiveMint). Another crypto, DEI, which is supposed to be stable at $1, crashed to just 60¢. (Fortune)
- The exchange holding your Bitcoin or other crypto could get hacked, with the hackers making off with your coins (which are not FDIC-insured). This has happened lots of times already, with hackers stealing over $23 billion in crypto from 2017-2021. (Chainalysis, Ledger, Newsweek, Selfkey) The situation is only getting worse over time: Hackers took a whopping $6 billion in 2022 (USA Today), and five of the ten largest crypto hacks through 2021, happened in 2021. (CNN) In one hack alone in 2022, on Binance, hackers made off with over half a billion dollars worth of coin (Reuters). (Gemini's Twitter account also got hacked, and Gemini also lost millions of dollars in crypto to a hacker, and is alleged to have lied about it.)
- Beside stealing funds, hackers sometimes steal personal info (names, email addresses, mailing addresses, birthdates, phone numbers, social security numbers, ID selfies) from exchanges, which then allows them to access customers' other accounts, or to commit other identity fraud. This has already happened multiple times. (Idex, Coindesk) Hackers stole 5.7 million email addresses from Gemini, including mine. (Coin Telegraph) Worse, to my knowledge, Gemini never warned customers about the theft, in violation of the law. Once hackers have your email address, they target you with phishing scams, as per the next item.
- Hackers could get into your account through a "phishing" scam, where they trick you into handing over your password. For example, you might get a notification saying your Coinbase account was locked, but the notification isn't really from Coinbase, it's from a hacker pretending to be Coinbase. The message directs you to a page to log in to your Coinbase account, but it's a fake page made to look like the real Coinbase website. When you try to log in, the hacker takes your username and password that you just entered to get into your real account. In one such phishing scam, a hacker stole $12 million from a customer. (Business Insider, 2021) Another phishing scam is fake Google ads which look like they're from certain companies, but again, they take you to a fake login page that looks like the real thing, to get you to try to log in so they can steal your login info. (The Verge)
- Hackers could steal your online login with malware on your computer. It happens frequently. Here's just one example of one user losing $400k on Coinbase, with no help from his exchange, Coinbase. Like most exchanges, Coinbase doesn't even have a customer service telephone number, and their email support is slow and unhelpful. (From 2016-2021, its customers made over 11,000 complaints to the FTC, mostly about poor customer service.) (CNBC: "Coinbase slammed for what users say is terrible customer service after hackers drain their accounts") Also, "Two legal experts say the U.S. legal and regulatory system does little to compel Coinbase as well as other exchanges to adopt even stronger safeguards for consumer accounts or to refund stolen account assets. These practices stem from 'absolutely horrible' laws, arbitration clauses, and virtually zero law enforcement, according to Max Dilendorf, a lawyer who represents cryptocurrency investors." (Yahoo Finance) And as one crypto enthusiast admits, "There is surprisingly little control over the extension that get published to browser extension stores. This means that if you’re an average user, you probably won’t be able to tell a legit extension apart from a spoofed one. There’s also the chance of a developer account being hacked to push malicious code as updates to extensions. Not to mention the data privacy implications of extension “watching” everything you do in a browser."
- Hackers could steal Bitcoin you send on your computer.
Some kinds of malware look for a Bitcoin address on your computer's
clipboard, and replaces it with the address of the hacker. So
when you copy and paste an address to send some Bitcoin, you really
send it to the hacker's address, and lose all your Bitcoin. (ZDnet,
Krebs)
- Hackers have stolen tens of millions of dollars of Bitcoin through sim-swap attacks, in which the hacker is able to get the victim's text messages routed to the hacker's phone. So the hacker gets access to a victim's crypto account at an exchange, requests a withdrawal to the hacker's account, the exchange sends a verification code to the victim's phone, but the message actually goes to the hacker's phone, so the hacker can approve the withdrawal. In 2020 one victim is said to have lost $24M through a SIM swap attack and in 2021 another lost $36M the same way. (Daily Beast, PC Mag)
- The site that generates your paper wallet could steal your address, and your coins. The owners of the BitcoinPaperWallet website are alleged to have stolen 125 Bitcoins ($7M as I write this) from people who generated paper wallets on the website. (Coindesk)
- Your coins could be stolen from your hardware wallet. One person lost his entire life savings of $600,000 after he downloaded what he thought was the software to his hardware wallet from Apple's app store. It had the right name and logo, and lots of 5-star reviews, and Apple supposedly vets apps in its store. It turned out that the app was fake, and whoever published it made off with the user's life savings. (WaPo) Also, hackers have been able to hack into hardware wallets like Trezor. (Medium)
- Hackers could steal coins from smart contracts. Newer cryptos such as Ethereum offer the ability to do something called "smart contracts" (which I don't pretend to understand), and this is one of their supposed advantages over Bitcoin, which doesn't have that feature. But this is just one more thing that hackers can attack. Hackers have stolen coins from smart contracts multiple times, with hackers making off with millions and millions of dollars worth of coins. (Medium, Reuters, arsTechnica) That could be your own coins, or coins that belong to your exchange (which might go out of business following the theft, taking your coins with it). In another case, a hacker exploited the smart contract feature to mint four quadrillion new coins. (Gizmodo)
- Hackers sometimes steal personal info from places other than exchanges. For example: "Ledger, a secure hardware wallet provider, was hacked in July and lost 272,000 customer records. So while the crypto remains safe in a protected thumb drive, the individual customers are now the targets for a large amount of criminal activity. All of the stolen customer records were dumped onto RaidForum this month and the customers now face a tidal wave of social engineering hacks which have already begun." (PaymentsJournal)
- The exchange or website holding your coin could go bankrupt
or out of business (taking your access to your coins with
it). Again, this isn't just theoretical, it's happened numerous
times:
- 2014-2020: Mt. Gox, ACX, FCoin
- 2021: Blockchain Global, MyCryptoWallet
- 2022: FTX, BlockFi, Celsius, Babel Finance, Genesis, Hodlnaut, Voyager, Zipmex
- 2023: Bittrex US, CoinLoan, Genesis, Haru Invest (probably, they froze withdrawals in June)
- BlockFi is the only one I know that emerged from bankruptcy (10/23), but did so by paying its customers as little as 39.4% of their balances. (Reuters)
Unlike banks, exchanges aren't FDIC-insured, so when they fail, the government doesn't bail you out. Bitcoin cultists rail about how crypto is liberating because you can use it without the oppression that comes with government money (huh?), failing to realize the irony that the numerous bankruptcies in the crypto space and customer losses happen precisely because crypto isn't regulated by the government. When's the last time anyone lost their oppressive U.S. dollars when their bank collapsed?
When Celsius was about to go bankrupt, its executives cashed out millions of dollars in crypto first, making sure they were made whole while leaving their customers holding the bag. (CBC) Following that, while in bankruptcy, with customers anxiously waiting to see if they could get any of their funds back, employees got $2.8M in bonuses. (Fortune) Sometimes CEOs of bankrupt cryptos get arrested for fraud, like with Sam Bankman-Fried of FTX and Alex Mashinksy of Celsius, but that doesn't help customers get their money back.
Crypto.com made news for sloppily sending over $400M in crypto to the wrong recipient. (Luckily, they were able to get it back.) Mistakes like this can easily break an exchange. And it wasn't the first time Crypto.com screwed up a transaction: Once they sent $7.2 million instead of the correct $68, and did not get the money back. (The Verge)
- The exchange could face financial problems and freeze withdrawals. Even when an exchange doesn't explicitly go bankrupt, they could deny customers access to their own coins. Again, not theoretical, it's happened at numerous exchanges, including Gemini, Coinflex, Haru, BlockFi, and Celsius (the last two of which eventually did go bankrupt).
- The exchange might arbitrarily deny you access to your coins, for reasons other than their facing financial problems. Exchanges sometimes lock customers out of their accounts for a bogus reason, or even no reason at all. As per above, if this happens to you, you might get no help from the exchange. (Example: Coinbase, GYEN, 2021)
- Your login might inexplicably stop working. The websites at the exchanges are notoriously buggy. I've had multiple exchanges reject the code from the 2FA Google Authenticator app, or reject my good password. I was lucky and eventually gained access to my coins, but others haven't been so lucky. If this happens to you, you usually can't call the exchange, because they generally don't even have customer service phone numbers. Some have chat support, which in my experience is generally incompetent. You might be stuck with email support, which often will send you a generic form-letter response, if they bother to reply at all. Two separate sets of customers who were locked out of their Coinbase and Binance accounts and got no help from the exchanges are now suing, but legal experts are saying they have an uphill battle given that crypto is largely unregulated. (Decrypt 6/21, NBC 8/21) This is easily believable, as I can't even register an account with Binance because they never send the verification email message, and never responded to my Support request about that.
- You could lose the password to your coins.
And unlike your bank or PayPal account, there's no "forgot password"
feature. Loss of coins from lost passwords is common.
The NY Times reports that about 20% of the Bitcoin in existence ($211
billion as I write this in summer 2021) appear to be stranded from
lost passwords. (In January 2022, Chainanalysis estimated
that 3.7M Bitcoins were lost, worth $66.5 billion at the time.)
One programmer lost
the password to his hardware wallet containing 7002 Bitcoins (a
whopping $400M as I write this). Another person lost $232
million from a forgotten password, and yet another $2
million from a forgotten password. In the last case, due
to the size of the potential bounty, he was able to hire one of the
best hackers in the world, who successfully cracked the hardware
wallet and retrieved the coins. For folks like you and me, there
is essentially no hope.
As one crypto developer admits, "Handing [a newbie] a seed phrase might as well be telling them to carry around their life savings in a lockbox that is opened with a single key, and has a lock that can’t be changed. To most people, this is insanity, not empowerment." - You could lose access if you lose your phone, or upgrade your phone. Some exchanges have you use a mobile app like Google Authenticator which generates a unique code that you enter every time you log in (in addition to your password). Some exchanges prompt you to write down a "recovery key" in case you lose access to your phone, but some don't. If you don't have a recovery key and your phone gets lost, stolen, or broken, bye-bye Bitcoin. Or, if you upgrade to a new phone, the Google Authenticator info doesn't get backed up and transferred to your new phone. If you forget to manually transfer the Authenticator info before you erase or dispose of your old phone, then you likewise lose access to your account.
- You could lose access to your paper wallet. You could forget where you put the paper, or it could be damaged by fire or water, or someone could steal it. If you make extra copies and store them in various places to avoid damage, you've increased the possibility of theft.
- You could lose access to your hardware wallet. You can store Bitcoin on your computer or a small piece of hardware like a USB thumb drive. Those could be damaged, stolen, lost, or could malfunction. (In my lifetime I've had multiple hard drives and thumb drives fail, and I'd never have a piece of hardware be the only access to money that I needed.) There have been multiple cases in which people who threw away computers, forgetting that they had Bitcoin on them, and then that Bitcoin was gone for good. And as per above, even if you have your device, you could forget or lose your password.
- Your phone-based wallet could crash, leaving you unable to access your coins. One phone-based wallet I used crashes consistently when I try to access a certain menu item. It occurs to me that if that happened when simply trying to access my coins, I'd be screwed. The app developer doesn't offer support.
- The developer of your phone-based wallet could lose your coins. The developer of a phone-based crypto wallet made a mistake that made $300M of users' coins simply vanish. The coins were Ethereum, a competing cryptocurrency to Bitcoin. (Guardian)
- You could accidentally send your coins to the wrong address. If you do that, they're gone, man. Remember, Bitcoin transactions are irreversible. Even if that address is owned by someone, you likely won't know who it is and it's impossible to find out. Even if you do know who they are, will you trust that they'll return your coins to you? But more likely, the address isn't owned by anyone, in which case your coins just vanish and it's impossible to retrieve them. That's exactly what happened to one user, who mistakenly sent a whopping $500,000 of crypto to the wrong address, losing it forever. Not surprisingly, many crypto enthusiasts were quick to blame the user rather than the inherent riskiness of crypto itself.
- You could lose your coins if you transfer to the wrong kind of address. Let's say you want to transfer your coins from one exchange to another. On the receiving exchange, you get the receiving address, and paste that into the form on the sending exchange. Well, when you got that address on the receiving exchange, if you weren't careful, you might have gotten an address for a cryptocurrency other than Bitcoin. (There are hundreds of them.) If you send Bitcoin to an address that's not a Bitcoin address, your coins will be gone forever.
- You could lose your coins if you send on the wrong network. Even if you use a proper address for your particular cryptocurrency, if you send it on the wrong network, you've lost your coins. The sending and receiving exchange must use the same network. Helpfully, some exchanges don't even bother to tell you what network they use so it's impossible to know whether you're doing it right or not.
- Communication from even reputable companies could be scams. The very first tweet sent from Apple's Twitter account was a Bitcoin scam, because scammers hacked Apple's account. The tweet promised that if you sent Bitcoin to a certain address, Apple would send it back along with some extra. In fact, the hackers just took all the coin and sent nothing back. Sometimes the scammers just convincingly impersonate the reputable company: I saw a YouTube video in which the hacker's channel looked liked the Apple channel (with the name "Apple", no special characters), offering that same, fake deal about supposedly sending back extra Bitcoin if you sent your own Bitcoin first.
- Apps could be scams. An app called iEarnBot was supposed to use bots to buy and sell customers' crypto, giving customers a return on their deposit. Instead the developers apparently just stole the depositors' crypto. There are probably dozens of similar stories about similar apps. (BBC)
- Even apps in the app stores could be scams. The companies that run the app stores (like Apple and Google) imply or outright state that they've vetted the offerings in the store. But they don't do it completely, because it's nearly impossible. As a result, a customer downloaded a Bitcoin app from Apple's app store to run his hardware wallet, thinking it was the real app from the hardware manufacturer. It wasn't, and the scammer made off with $600,000 of the customer's Bitcoin. (WaPo)
- The founders of an exchange could pull an "exit scam"
(aka "rug pull") taking the assets and disappearing. In 2021,
the founders of one exchange disappeared, taking $3.6 billion of their
customer's assets with them. (Yahoo
Finance) The founder/CEO of Canada's largest
cryptocurrency exchange (QuadrigaCX) was found to have been stealing
$215 million of client's coins. He supposedly died, but many
believe that he faked his death and is still alive. (Bitcoin.com)
- The developers of the coin you bought could pull an exit scam. That's what happened with SQUID and YEAR coins, where the developers took the money and ran. SQUID coin-holders lost $12 million. (Crypto Briefing, 2021)
- The company you invested your Bitcoin with could pull an exit scam. Bitconnect promised massive returns on invested coins. But after customers invested their coins, the company stole the $2 billion of investors' coins, and Bitconnect folded. (TheNextWeb, FBI)
- If you sell Bitcoin for USD on a P2P exchange, there's a high chance that you'll be scammed. After you send the Bitcoin, the buyer will reverse the payment (even cash deposits at a bank, even bank wires), and then the buyer will have his cash and your coins, and you'll have neither. I'm out $36,200 because of such a scam, in which I received payment with a bank wire, which all the Bitcoin-info websites was rock-solid secure because wires can't be reversed. Well, as I learned, they can. Most attorneys I contacted had no interest in this case, and one told me that I could expect to spend $50,000 trying to recover the $36,200, so it wasn't worth it.
- Payment Methods. I had Bitcoin because one of my vendors insisted on paying with it. In trying to sell it, and knowing that Bitcoin scams are common, I read several crypto and financial websites about the safest payment method to accept, and they were all in agreement that the safest is Bank Wire because, they said, bank wires can't be reversed. Well, as I learned, they can be reversed. I'm out $36,200 because of a scam. (A lawyer advised it would cost me around $50,000 to try to recover it.)
- Exchanges. Even large, popular, established website
can give wildly inappropriate information, or make massive
omissions. For example, Investopedia, in comparing Coinbase to
Binance, says, "Coinbase is the winner due to customer satisfaction
and regulatory history." They failed to mention that Coinbase is
facing a class-action lawsuit from angry customers who were locked out
of their accounts and then blown off by Coinbase support. Then
again, for that matter, so is Binance. But the article didn't
mention either suit. (The Binance suit was filed well
before the article was written, and the Coinbase suit was filed three
weeks after; Investopedia is either clueless or has no interest in
keeping its site updated.)
Similarly, for its review of the Voyager exchange, Business Insider referenced only the antiquated Better Business Bureau (seriously?!), and not a more modern service. Had they done so, they could have reported that Voyager has a whopping 80% negative reviews on TrustPilot (a lot worse than a competitor such as BlockFi, which has "only" 25% negative reviews there). Likewise, Business Insider gave Voyager 3.75 out of 5 for customer service, even though Voyager doesn't even have a customer service telephone number! All support has to go through tedious email (and it's not very good, according to the TrustPilot reviews). Oh, and then Voyager went bankrupt, taking customer funds with it. - If you buy or sell Bitcoin on a P2P exchange, you risk arrest, prosecution, and jail. Just ask Sal Mansy, sentenced to a year in jail for doing exactly that.
- You buy or sell Bitcoin for USD (not goods or services), AND
- The other parties are not registered MSBs, AND
- You sell at some (unspecified) large volume and frequency, AND
- You advertise your services to the general public. For example, you place an ad on LocalBitcoins, a peer-to-peer (P2P) exchange.
Consumer risks
Value risks
Theft of coins or personal info
Loss of access to your coins
Other loss of coins
Scams
As many of these cases show, Bitcoin scams are common and exist even in places you'd think you could trust.
Information risks
This section refers to the fact that it's easy to get bad information, and that information can hurt you.
Legal risks
I'm not a lawyer, this is not legal advice, this is just my layperson's understanding, yada yada yada.
Some people have been arrested and sentenced to jail for doing nothing more than trading Bitcoin. So let's see what's legal and what's not.The legal way to buy or sell Bitcoin is to do so through a
registered Money Services Business (MSB). That's a
company that's obtained a registration from the U.S. Financial Crimes
Enforcement Network (FinCEN). That includes the Instant
Exchanges mentioned above. It's like how when you exchange
your money at the airport or bank for another country's currency, you
don't have to be registered as a currency exchanger, because the
travel desk and your bank is.
You can also pay for goods or services with Bitcoin, or
receive payment for goods/services in Bitcoin. The
feds have blessed this as absolutely kosher.
However, the feds consider the following combination to be
illegal. If you do all these things, then
you're risking legal repercussions.