I’ve got the key; I’ve got the secret – unlocking cryptocurrency control
by Shoosmiths LLP
Crypto, cryptocurrencies, NFTs, blockchain – exciting, enticing, and quickly becoming a favoured source of investment.
However, buyer beware! Are you really the true ‘owner’ of your cryptocurrency?
Whether you are a fully-fledged investor in crypto or just considering a frolic into that world – this article explores the importance of protecting your cryptocurrency investment by having access to the ‘private key’. Without it, you are not really in control of that cryptocurrency and can’t prove you are the true ‘owner’ of it.
It’s no secret…
The facts and figures speak for themselves. Crypto is huge, and it’s impossible to ignore. Currently, in mid-2022, there are well over 18,000 cryptocurrencies in circulation. It shouldn’t come as a surprise to anyone then that a recent report (Capgemini’s World Wealth 2022 report) found that 71% of the high-net-worth individuals surveyed had invested in digital assets… and that cryptocurrencies are their ‘favourite’ digital asset investment.
In the crypto world, when one ‘buys’ a cryptocurrency, what one is really buying is an allocation of ‘digital units’ of that cryptocurrency. That allocation is recorded in a digital ledger showing all allocations for that cryptocurrency (an append-only ledger known as a ‘blockchain’). The ledger stores the allocation of digital units against a unique identifier called a ‘public address’ (a unique alphanumeric string). A cryptocurrency’s ledger is openly available for review and interrogation by anyone at any time – indeed, anyone can freely skim the ledger and see the details of the transfers of ‘digital units’ to and from public addresses and the balances against public addresses.
Each public address is derived from a unique ‘private key’ (again, a unique alphanumeric string) that was created by the person who wanted to ‘hold’ cryptocurrency at that address (that private key is usually created in the most random way possible so that no one else can guess it). This relationship between a private key and its corresponding public address is fundamental – it’s a one-to-one relationship – and only that specific private key can be used to control any of the cryptocurrency recorded against the corresponding public address in the blockchain. It is not possible to transfer away any balance held at a public address without having the specific private key for that public address – if one tried to do this, the transfer request would be rejected and the ledger would continue to show that the balance remains at that public address.
Golden rule #1 – the key
One of the golden rules in the crypto world is to make sure that as the true owner of cryptocurrency you have access to the corresponding private key. Without that private key you don’t have any real control over the cryptocurrency held at the corresponding public address – as you can’t, yourself, do anything directly on the blockchain with that cryptocurrency, e.g. transfer or ‘sell’ it. When a private key for a public address is lost or forgotten that effectively means you’ve lost the cryptocurrency held at the corresponding public address – you can still see the cryptocurrency balance at that address (by looking at the blockchain) but that’s literally all you can do without the private key... just look at the balance. That’s why having access to the private key (by storing it yourself) is the only way for you to have ultimate control of the cryptocurrency. (In the crypto world, when a person stores their own private key this is known as them using a ‘self-custody’ or ‘non-custodial’ wallet for their private key.)
Golden rule #2 – the secret
The other golden rule is to make sure that no one else knows or has access to your private key – it should be kept secret. If someone else knows or has access to your private key then that is all they need to fully control the cryptocurrency held at the corresponding public address – and you can’t stop them from transferring the cryptocurrency to a different public address (which would have a different corresponding private key that you don’t know or have access to).
Not your keys, not your crypto
Now, and here’s the point, when someone says they’ve bought some cryptocurrency but doesn’t store or have access to the private key to the corresponding public address then they don’t really have any direct control over that cryptocurrency.
It’s most likely that the person bought that cryptocurrency using a third-party exchange or platform – and it’s that exchange / platform that is storing the corresponding private key, not that person (in the crypto world this is known as a ‘custodial wallet’). The purchaser is therefore heavily relying on that exchange / platform to keep the private key secret and secure. This is, of course, not the same as storing the private key yourself as you don’t directly control the corresponding cryptocurrency – that exchange / platform does.
There have been a fair number of instances where third-party bad actors have obtained private keys (using loopholes in cyber security or other means) and have transferred away cryptocurrency from public addresses without any permission. More recently, there have been a number of instances where those holding the private keys corresponding to their customers’ cryptocurrency purchases have re-hypothecated, commingled, loaned, transferred, or simply spent those customers’ cryptocurrency.
Yes, by looking at the ledger the ‘stolen’ cryptocurrency may be traced to its eventual location (its ultimate public address), but (a) one would need to know the public address that the cryptocurrency was being held at before it was taken, (b) it is difficult to have the cryptocurrency returned, (c) if it is returned, how much is it now worth? and (d) most exchange / platform terms of business attempt to remove proprietary rights of customers over the purchased cryptocurrency (which would put them in the position of an unsecured creditor).
If anyone asks you what the crypto community phrase “not your keys, not your crypto” means, well, now you know.