From crypto-service operators and crypto-forensics experts to blockchain-association representatives and a lawyer, industry players and stakeholders commonly believe that the breach experienced by Patricia underscores the importance of ensuring a robust cybersecurity system in the emerging crypto industry.
Generally, these blockchain-industry players and stakeholders maintain that apart from self-regulatory measures that virtual asset service providers (VASPs) must have in place, collaboration amongst industry players is vital to achieving safety and security in the crypto ecosystem. Also important, as mentioned by some stakeholders, is the place of regulation. Without doubt, the role of regulation cannot be overemphasized.
First, days before the Patricia crypto exchange breach
Before we dive into what the blockchain-industry players and stakeholders had to say concerning the Patricia crypto exchange breach, let’s briefly highlight—at least for background and context—notable events before the breach was announced by Patricia.
Notably, Patricia crypto exchange appears to have been experiencing a number of challenges before Friday 26 May 2023, the day Patricia reported the breach to its users.
8 May 2023
On 8 May, Patricia posted an update, Payment Downtime. There, Patricia stated that due to global congestion on the Bitcoin network, users may be experiencing slow withdrawals from their fiat and crypto wallets. Patricia assured users that it was taking necessary measures to ensure that pending withdrawals were processed.
Most users who reacted to the update were unsatisfied.
11 May 2023
Patricia further posted an ‘Important Update’. In that update, Patricia informed users that it has “decided to fully move ALL operations to the new Patricia Plus app”. This, according to Patricia, is due to the global congestion on the Bitcoin blockchain. Therefore, crypto transactions were no longer supported on the old version of the Patricia app.
Users reasonably expected that the Patricia Universe app would end the challenges they had been facing. After all, the Patricia Universe app “comes with more coin offerings to give [users] a diversified portfolio and a dollar fiat wallet that allows [users] trade from anywhere in the world”. The ability to access their accounts and transact, including making withdrawals or deposits, seemed basic.
But Patricia’s announcement came with a but: All wallets were disabled for withdrawals until 15 May “to allow for a smooth migration process” from the old Patricia world to the new Patricia universe.
Most users who reacted to the update remained dissatisfied. Others became even more impatient.
17 May 2023
On 17 May, Patricia announced that its new Patricia Universe App was now functional and all features were fully active.
But not for the various users who responded to the update: they continued to complain about their inability to make withdrawals or sell their crypto assets.
Later on the same day, Patricia eventually informed users that “the migration process has not been smooth” from the old version of the Patricia app to the new one. Patricia reassured users that it was working on having this issue fixed. To ensure that the app worked optimally, it announced a “routine maintenance period” which would last from 17 May–29 May 2023. Throughout this maintenance period, both crypto and fiat withdrawals were suspended by Patricia.
This time, most users who reacted to the tweet announcing the routine maintenance and suspension of withdrawals unleashed their frustrations on Patricia.
26 May 2023
When it was 3 days to the end of what must have felt endless for Patricia users, Patricia announced the big one on 26 May 2023: “Not long ago, we were victims of a breach”.
Thankfully, according to Patricia’s 26 May Downtime Update, Patricia’s team, with the assistance of law enforcement agencies, has successfully traced the breach through compromised naira assets that were linked to the suspect.
Meanwhile, Patricia says it has enlisted the services of a security firm to audit its system. As soon as Patricia gets clearance to reopen the affected retail platform, Patricia Personal, users would be able to access their accounts and make withdrawals, Patricia stated.
It is now a new month of June. How are industry players and stakeholders reacting to the unfortunate development?
Industry players & stakeholders react
Seun Dania, Founder & CEO, Trade Fada, a pioneer in the Nigerian crypto industry, pointed out that the incident underscores the need for even tighter security measures across all exchanges, but not before expressing his solidarity. As Dania puts it, “As a player in the crypto industry, I would like to extend my solidarity and support to Patricia crypto exchange during this challenging time. It is unfortunate to hear about the recent security breach they experienced, and our thoughts are with the affected users and the Patricia team”. Dania also emphasized that:
“Security is a paramount concern in the cryptocurrency ecosystem, and this incident underscores the need for even tighter security measures across all exchanges. It is crucial for exchanges to continually assess and enhance their security protocols to safeguard user funds and personal information.”
Speaking of safeguarding user funds, Kunle Taiwo, a certified cryptocurrency investigator (CCI) with the Nigerian Police, maintains that consumer protection in the crypto space is no longer an option. According to Taiwo, “Any novel technology brings with it a wave of early adopters. While some of these are keen to explore the potential in societal & economic benefits that may be had by leveraging the technology, others seek to apply the technology as a means to enable nefarious activities. Crypto exchanges are no exception. Hacks and data breaches have become quite common with cryptocurrency exchanges. According to blockchain data platform Chainalysis, hacking remains a major barrier to cryptocurrency adoption. Cryptocurrency exchanges are a major target for hackers, with over $20 billion stolen in 2022”. He also added:
“Patricia hasn’t announced the specific cause of the breach, which in my opinion is to the detriment of its users (consumers). These trends indicate a growing potential for risk of loss for consumers who may be lower income and more vulnerable to financial shocks and least able to weather losses from frauds, hacks, and market volatility. Recent events have highlighted the need for new standards in the crypto industry.”
In the same vein, Adedeji Owonibi, Senior Partner, A&D Forensics, who does a lot of work in this area, reemphasized the need for crypto exchanges to implement robust cybersecurity systems:
“I will add that this underscores the need for periodic cyber security checks on your system. Penetration testing and vulnerability assessment will have to be an ongoing operation within our exchange systems and, for founders, never commingle customers’ funds with your operational fund. I can’t emphasize that enough for young startup founders within Nigeria’s crypto space. Some even argue there was never a hack in Patricia; many believe they were rug-pulled. Proper investigation, however, will reveal what went wrong and help clear doubt. We at A&D Forensics will be glad to help with this.”
Owonibi believes that crypto asset service providers, especially local operators, need to improve on their cybersecurity.
Cybersecurity is indeed at the heart of the existence and operations of any digital service platform, including platforms that offer cryptoasset or digital asset services. Centralized crypto exchanges, as the most accessible gateway to the crypto market presently, have serious work in this regard. Just as it obtains with compliance, cybersecurity never stops. And it isn’t cheap either. This is exactly what Ruth Iselama, Founder & CEO of Bitmama, who couldn’t say much due to the current status of the breach, also pointed at when she emphasized the importance of cybersecurity for crypto exchanges:
“Crypto exchange operators must put adequate cybersecurity measures in place. This is especially important early on, before the exchange scales. Besides, cybersecurity is not cheap. Because details of the reported breach are currently unavailable, I’m however unable to comment further on the incident.”
Just as cybersecurity is inescapable for digital platforms, so are cyberattacks. Even in the traditional banking and financial system, cyberattacks are not uncommon. But more often than not, breaches from such cyberattacks are unreported or underreported, and understandably so. No bank or other financial institution wants to risk reputation loss, erosion of trust, a bank run, or loss of customer base. This is aside from possible sanctions and even civil suits.
Chukwuemeka Ezike, Vice President (Media and Publicity) of the Stakeholders in Blockchain Technology Association of Nigeria (SiBAN) and Community Manager at EMURGO Africa, maintained that being nascent, the crypto industry must experience teething times. Besides, he pointed out, “even well-established operators in the banking sector have suffered similar incidents in recent times. The difference is that there is a bigger war chest to keep operating while eradicating the threat and recovering the system to full operation”. Also, Ezike noted that digital assets are still a new and emerging space, with a number of support systems to help protect users from such incidents still considerably missing, especially relative to the regulated banking and financial system. “Regulations that implement fund insurance, as obtainable with deposit banks for example, ensure operations continue with no pause when such an incident occurs”, he asserted.
Reinforcing the need for crypto exchanges and other service providers in the crypto space to keep improving their operational systems, Ezike maintained that this is required at both infrastructural and administrative levels:
“At this stage, we can’t say if Patricia had the best cybersecurity playbook or how they managed their process, but when it is properly audited and if it publicly shares the insights from the incident, we can then point out the weakness. But I understand that such incidents are not usually reported publicly, as this is also a security practice. For the current situation faced at Patricia, I will say that the crypto industry is growing, and at the growth stage, a lot of weaknesses will be discovered. This is what makes a better system implementable for all. The industry acts as a community to keep improving its operations both at infrastructural and administrative levels.”
But since users of these crypto exchanges would not know whether the management of the crypto exchanges they use is improving its operations, including cybersecurity, at both infrastructural and administrative levels, where does this leave them? Are users automatically liable for taking the risk of trading digital assets or leaving their funds on centralized crypto exchanges like Patricia?
Stephen Azubuike*, Partner at Infusion Lawyers, noted that cyber attacks on crypto-trading platforms are “reasonably foreseeable risks” and therefore both platforms and users must be prepared for such risks. In the words of Azubuike, who also blogs on law-related issues at Stephen Legal:
“Cyber attacks on crypto trading platforms such as Patricia form part of the reasonably foreseeable risks users must put into consideration. Most platforms like Patricia may not guarantee absolute security against all possible threats. As a notable crypto exchange in the space, Patricia had assured users of their accounts’ safety based on industry-standards of cyber security deployed by Patricia. To a large extent, users count on this assurance before depositing their digital treasures in wallets warehoused on Patricia.”
So what is the way forward? Industry players drop suggestions.
Chukwuemeka Ezike, one of the deputies at Stakeholders in Blockchain Technology Association of Nigeria (SiBAN), the blockchain association recognized by the Federal Government as a stakeholder in the recently approved National Blockchain Policy, believes that the incident calls for more collaboration amongst operators in the crypto ecosystem:
“This incident is a call for operators to find a way to open sources of information and knowledge sharing among themselves to help prevent and properly improve the way things are done, as we might not have the resources to equip them with sophisticated security systems. We are hopeful that such an incident helps operators implement better systems for their users, and we are confident that the crypto asset market will keep thriving.”
But what specific baselines or standard measures could the crypto industry adopt towards ensuring a safer and more secure crypto ecosystem in the country? Kunle Taiwo, who has investigated crypto-related crimes, answers, pointing out that “recent events have highlighted the need for new standards in the crypto industry”. For this reason, “certain baselines should be set as standard measures for crypto exchange consumer protection”. Taiwo generously highlighted some standards as reproduced below:
- Using enterprise-grade security. As crypto has grown more popular and valuable, it has become a big target for hackers;
- Empowering customer education. When people are proactive as a result of sound crypto knowledge, they can easily beat bad actors;
- Strong governance. Having a robust compliance and investigation team that helps exchanges identify and manage the risks threatening their business is vital.
- Transparent operations. To enhance transparency for customers, crypto exchanges can aim to educate consumers about the technology and crypto assets and provide regular updates and reports on projects.
- Segregation of funds and insurance. Exchanges should never commingle operation funds with customer funds. Also, though this requires regulatory support, insurance protection that safeguards crypto-related deposits against breaches or related incidents to a reasonable extent is something worth considering.
- Insider Threat. There must be measures This typically occurs when a current or former employee, contractor, vendor, or partner with legitimate user credentials misuses access to the detriment of the organization’s networks, systems, and data.
Looking at a way forward, Stephen Azubuike*, who heads the Dispute Resolution Practice at Infusion Lawyers, pointed out that Patricia users, particularly, will wish to be assured by Patricia that their funds are safe. But the question, he noted, is how much information Patricia is able to or ready to disclose to its users and the members of the public, considering the nature of the incident. Azubuike, on the operating contract, stated as follows:
“The first port of call in determining the contract between Patricia and its users is the relevant standard Terms of Service (ToS). Relying on its ToS, Patricia currently limited access to the platform for security reasons in view of the reported security breach. This is understandable for the purpose of risk management and other imminent security measures. Similarly, under the ToS, Patricia owes no obligation to its users to disclose the details of its risk management or its security procedures. This is okay especially as a move to guarantee the integrity of Patricia’s security processes.”
But do Patricia users not have the right to know what is really going on since their funds are now at risk? To this, Stephen asserted that since the safety of Patricia’s security features has been questioned, users have the right to know how well Patricia had set up adequate rules and protocols to guarantee the safety of their funds in the first place. Proper and thorough investigation appears inevitable, he said.
On possible liability on Patricia’s part, Stephen noted that the outcome of the ongoing investigations, Patricia’s Terms of Service (ToS), and applicable laws would determine this:
“The investigation outcome will assist in determining the level of liability on the part of the firm. This is notwithstanding the disclaimer and limitation clauses which sought to limit the liability of the firm. For instance, under Patricia’s ToS, the firm sought to, among others, exclude liability for ‘any loss of funds or assets due to hacking, cyber attacks, Bugs in the system or any other security breaches.’ The interesting thing is that in excluding its liability, Patricia appeared to acknowledge that this is to ‘the maximum extent permitted by law’. At any time users consider legally ventilating their grievances, Patricia’s ToS provides that the governing law shall be the laws of the State of Lithuania. It further states that any claims or disputes will be settled in courts in Vilnius (capital of Lithuania), unless legislation or international conventions mandatorily prescribe otherwise.”
Seun Dania, one of the pioneers in the Nigeria blockchain industry who has continued to support collaboration between innovators and regulators in the country, believes that collaborative efforts within the industry are imperative. With such an approach, the safety and security of users of both local and foreign crypto platforms can be better protected. In Dania’s words:
“In situations like these, it is encouraging to see the collaborative efforts within the crypto industry. It is imperative that all exchanges work together, along with law enforcement agencies, to trace the criminals behind the breach. By sharing information and collaborating, we can collectively strengthen our defenses and prevent future incidents. It is well known that the blockchain is one of the most transparent technologies and criminals cannot get away with much. I am confident that they will be tracked and apprehended soon. While the lack of specific details about the breach may raise concerns, it is important to have faith in the management of Patricia to address the situation appropriately. They have undoubtedly prioritized the investigation and are working diligently to gather the necessary information. We trust that Patricia’s management is taking the necessary steps to resume operations and make all affected customers whole again. This unfortunate event serves as a reminder for both exchanges and users to remain vigilant and proactive in implementing robust security measures. By doing so, we can continue to foster a secure and trustworthy environment within the crypto industry, ultimately benefiting all participants involved.”
The Patricia breach is truly unfortunate. Hopefully, investigations will significantly assist Patricia in its recovery efforts. Above anything else, the safety and security of user funds is paramount.
First, users, stakeholders, and the members of the public expect Nigeria to adopt global best practices in the crypto space in order to help minimize the risks often associated with crypto. The current stance of the Central Bank of Nigeria (CBN) on crypto-related transactions in the banking and financial system is understandable. This is considering the risks and threats that crypto may pose to the safety and soundness of the financial system. No regulator will be happy to welcome or embrace it, whatever name such innovation is called. But the CBN cryptocurrency directive comes with its own risks and threats too, given that it does not really promote accountability and transparency in the emerging crypto market. This in itself is a potential danger to the financial system.
Second, Nigeria cannot afford to continue to take one step forward and three steps backward. We don’t have all the time in the world. Things move fast, especially in the digital assets space. We need to allow our laws and regulations, as well as our statutory agencies, to work for the Nigerian people in the emerging crypto market. Three regulations come to mind here. The Money Laundering Act, 2022, enacted by the National Assembly following the need for Nigeria to comply with the recommendations of the Financial Action Task Force (FATF), is one. This Act can greatly help in minimizing the risks associated with crypto, if permitted to apply, rather than the CBN cryptocurrency directive, which has practically—and questionably—suspended relevant laws and regulations. Amongst other critical concerns, the Money Laundering Act, 2022, requires VASPs to adopt anti-money laundering compliance in order to ensure accountability and transparency in the digital assets sector. This is a critical area where the Nigerian Financial Intelligence Unit (NFIU) should be trusted by the Nigerian government and relevant regulators, including the CBN, to come in. Also, the Finance Act 2022, an executive bill enacted by the National Assembly, recognizes digital assets as a form of chargeable assets. The Finance Act 2022 subjects digital assets to capital gains tax of 10% on gains made from disposing of such digital assets. Lastly, the Securities and Exchange Commission’s (SEC) “New Rules on Issuance, Offering Platforms and Custody of Digital Assets” (the “New Rules”) of May 2022 is also very relevant here. Sadly, this SEC framework has also been practically rendered inoperative—from inception till date—due to the same CBN cryptocurrency directive that denies access to bank accounts to entities and individuals in the crypto industry, and entities and individuals who carry out crypto-related transactions. Three steps forward, nine steps backward.
Thankfully, the National Blockchain Policy—commendably approved by the Federal Government of Nigeria under President Buhari’s administration in May 2023—is now active. The Policy clearly states that “[t]he Nigerian Government recognises cryptocurrency as one of the components that will catalyse the adoption of Blockchain Technology”. Hence, as a policy direction, “the Nigerian Government, through this Policy” will “[provide] a framework for the use of cryptocurrencies, among others, which can help to mitigate risks such as money laundering and fraud”. As rightly stated in that Policy, “[t]his can help to build trust in cryptocurrency and make it more accessible to businesses and individuals in Nigeria”. And as directed in the Policy, Nigerians expect the Federal government to “establish a regulatory framework that enables the safe, responsible and optimal use of cryptocurrencies in Nigeria in a way that ensures consumer protection, market stability and financial inclusion”. The government should also endeavor to take steps towards achieving the policy directive of “[working] with industry stakeholders to develop standards for the listing and trading of cryptocurrencies on regulated exchanges in Nigeria”.
Given the ever-increasing adoption of cryptocurrencies or cryptoassets by Nigerians, it is in Nigeria’s best interest to adopt a risk-based approach to crypto regulation. Bans, in whatever shape, do not put anything in good shape. If it bought Nigeria some time in 2021, it is now killing time in 2023. In fact, the CBN itself stated in that cryptocurrency directive that this directive was temporary pending “substantive regulation”. If not overdue already, now is the time to prime consumer protection and investor safety in the country. After all, are we not transiting to a digital economy? In that digital economy, both privately-issued digital assets and central bank-issued digital currencies will have roles to play. No, this is not Godwin Emefiele speaking, but data in today’s digital economy. I imagine that this is what crypto users—including Nigerians who use Patricia—would also expect.
*Disclosure: Stephen Azubuike is my partner at Infusion Lawyers. He heads the Dispute Resolution Practice of the law firm.
Senator Ihenyen is the Founding Editor, CAB. He is the Lead Partner at Infusion Lawyers where he heads the Blockchain & Virtual Asset Practice. The immediate former President of SiBAN, Senator is also the former General Secretary of Blockchain Industry Coordinating Committee of Nigeria (BICCoN), and former General Secretary of Fintech Alliance Coordinating Team (FACT).