Pirating Private Keys

Tue, 05/21/2019 - 12:10 -- admin25

by Andrew N. Speer

If you handed everyone in a courtroom an exhibit containing the username and password to your client’s bank account, did you commit malpractice? What if you put that information on the projector for anyone in the courtroom to see? In cases involving cryptocurrency, attorneys may inadvertently do the functional equivalent of this, exposing clients to risk of asset loss by treating cryptocurrency like traditional financial assets.

To litigators, cryptocurrency can be defined as two lines of text, consisting of numbers and letters. That is it, two lines of text, one called a “public key” and the other a “private key.” Public keys are known to the world. Anyone can see the key number and the amount of cryptocurrency associated with it, and can send funds to it. This public key is like a telephone number. Anyone can find your phone number in a phone book, see where you live, and call you, but the owner of the house located at the address is undisclosed.

“Private keys” determine ownership and are unique lines of text, like the deed to a house (in a universe without central appraisal districts). There is only one deed stating who the current owner of the address in the phone book is, but you wouldn’t know who that is from the phone book. Holding a private key makes the holder the only owner of that unit of cryptocurrency.

To transfer cryptocurrency, private keys are sent to public keys, much like one person deeding property to another. There is only one deed stating who the current owner of a property is, and only one private key at any point in time. While deed transfers are lengthy processes, transmitting private keys only requires a few seconds. Much like a new deed existing with a new name on it, the text of the private key permanently changes upon transfer to numbers that only the new owner knows. This makes all transactions irreversibly one-way. There is no crypto-judicial system or concept of fraud permitting reversals. All sales are final. For this reason, unredacted private keys should never be disclosed.

Four main ways exist to store cryptocurrency (including private keys): exchanges, hot wallets, cold wallets, and paper wallets. Exchanges are online, similar to Fidelity. Hot wallets are apps or computer programs. Cold wallets are USB keys, often with physical buttons to unlock them. Paper wallets are printouts of public and private keys, sometimes with a QR code. To minimize hacking risks, most investors hold 25 percent of their cryptocurrency in exchanges, and 75 percent in cold or paper wallets.

Exchanges, hot wallets and cold wallets may provide transaction history statements. These might include a private key. Text strings with 30+ digits starting with S or 5 should have the last 10 digits redacted. (Bitcoin private addresses start with S or 5; other cryptocurrency private addresses start with different numbers, so research and redact accordingly.) In camera review can determine if these numbers are private addresses, exchange IDs, or transaction IDs, which look similar.

Hot and cold wallets have a master code called a “seed code,” holding all private and public keys in that wallet. This is a list of words, usually twenty-four, in a specific order, all of which are more than four letters long. Seeds are written down the first time a wallet is used. They can be used to establish that a person owns a hidden cold wallet. However, if you obtain the seed, you can clone the wallet and transfer the private keys it contains. Broadcasting that seed exposes a party to risk. An attorney should never disclose unredacted copies of seeds in discovery or in court. Redacted copies should ALWAYS have the first four letters of each word in a seed code removed.
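The two redaction rules above (mask the last 10 characters of candidate key strings, mask the first four letters of each seed word) can be applied to exhibit text before production. The Python below is an added example, not part of the original article; the function names, the mask character, and all sample data are constructed for illustration.

```python
import re

MASK = "█"

# Article's rule: strings of 30+ characters starting with S or 5 are candidate
# Bitcoin private keys. Other currencies need their own patterns.
CANDIDATE_KEY = re.compile(r"\b[S5][A-Za-z0-9]{29,}\b")


def redact_keys(text):
    """Mask the last 10 characters of each candidate string.

    Returns (redacted_text, line_numbers). The line numbers mark where a
    candidate was found, so a reviewer can decide in camera whether it was
    a private key or a look-alike exchange or transaction ID.
    """
    flagged = []
    out_lines = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        def mask(match, lineno=lineno):
            flagged.append(lineno)
            return match.group(0)[:-10] + MASK * 10
        out_lines.append(CANDIDATE_KEY.sub(mask, line))
    return "\n".join(out_lines), sorted(set(flagged))


def redact_seed(phrase):
    """Mask the first four letters of every word in a seed phrase."""
    return " ".join(MASK * min(4, len(w)) + w[4:] for w in phrase.split())


# Constructed sample data: not a real key, seed, or statement.
SAMPLE_KEY = "5" + "Kx7" * 13 + "QQQQQQQQQQ"  # 50 characters
SAMPLE_STATEMENT = (
    "2019-05-01 deposit 0.25 BTC\n"
    f"2019-05-02 export key {SAMPLE_KEY}\n"
    "2019-05-03 order 5001 filled"
)
SAMPLE_SEED = "example planet orange window"

if __name__ == "__main__":
    redacted, review = redact_keys(SAMPLE_STATEMENT)
    print(redacted)
    print("lines for in camera review:", review)
    print(redact_seed(SAMPLE_SEED))
```

Short numbers such as the order number on the third sample line are left alone because they fall under the 30-character threshold. A long transaction ID that happens to start with 5 would be masked and flagged, and that is the case the in camera review is meant to resolve.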

Paper wallets are the equivalent of physical shares of stock, and attorneys may want to use them as exhibits to establish ownership of cryptocurrency. Unlike a share of stock, paper wallets display private addresses as text or sometimes as a QR code. The mere act of producing a picture of a paper wallet can render it worthless. Attorneys must redact all private keys and QR codes on paper wallets prior to production or use in court. Failing to do so allows someone to write the private key down or take a picture of a QR code, and transfer the private address in an irreversible one-way transaction.

If an attorney follows these rules, they can avoid major mistakes that expose both the attorney and their client to significant risk.

Andrew N. Speer is a family law attorney at O’Neil Wysocki, P.C. He can be reached at andrew@owlawyers.com.
