The IRS wants help breaking into cryptocurrency hardware wallets — small physical drives unconnected to the internet that are used by some crypto owners to securely store their cryptographic keys, which unlock their virtual currency funds.
The security of hardware wallets is a problem for IRS investigators, Vice reported. The IRS Criminal Investigation agency and its Digital Forensic Unit may take possession of a hardware wallet as part of a case, but may be unable to access it if the suspect does not comply. This means that authorities can’t investigate the “movement of currencies” and it may “prevent the forfeiture and recovery” of the funds.
“The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations,” according to document posted on the agency website in March 2021. “There is a portion of this cryptographic puzzle that continues to elude organizations—millions, perhaps even billions of dollars, exist within cryptowallets.”
About 20 percent of all Bitcoin — $100 billion worth — is locked in wallets, according to crypto research firm Chainalysis.
“There’s SO MUCH lost Bitcoin out there, it’s like the 21st century of sunken ships with treasure aboard,” Adrian Sanabria, a cybersecurity expert, told Vice’s Motherboard.
Here are 3 things to know about the IRS plan to hack crypto hardware wallets in tax investigations
There are software wallets and hardware wallets. If you dabble in bitcoin or other cryptocurrencies, then you may be able to store your private keys in a software wallet, business tech news website ZDnet reported. “But if you are serious about crypto, are mining your own bitcoins, or have serious cash invested in crypto, then a hardware wallet is something that you need to seriously consider.”
ZDnet featured five hardware wallets that it says it chose for price, durability, reputable manufacturer and ease of use. They range from $51 for the Ledger Nano S, a wallet where everything is protected by a PIN code, to $179 for the Trezor Model T, which claims to be cutting-edge.
“Hardware bitcoin wallets put you in complete and total control over your private keys,” ZDnet claims. The IRS is working on changing that.
The IRS is calling on researchers and contractors to bring it solutions to hack into hardware wallets — not a one-off solution, but tools that it can reliably use in multiple cases going forward, according to Vice.
“Do you research vulnerabilities on cryptocurrency wallets? We’d love to hear from you,” the IRS said.
Some people hold thousands of dollars in bitcoin or other cryptocurrencies and don’t use a hardware wallet. You don’t need one to buy, store, or send bitcoins or any other cryptocurrency. “However, where hardware wallets shine is the improved security that they offer compared to an app that lives on a smartphone, computer, or in the cloud,” ZDnet reported. “Having a device that puts an air gap between your private keys and other apps, the internet, and the bad guys offers vastly improved security from hackers and viruses.”
Hardware wallets are considered safer than desktop or smartphone wallets, mainly because they don’t connect to the internet at all. This reduces the risk of attack because the devices can’t be tampered with remotely. A good hardware wallet ensures that private keys never leave the device. They’re normally held in a special place in the device that doesn’t let them be removed, according to Binance’s blockchain and cryptocurrency education portal academy.
Since hardware wallets are always offline, they must be used with another device. They’re built so they can be plugged into infected PCs or smartphones without any risk of the private key leaking. From there, they interact with software that allows the user to view their balance or make a transaction.
Listen to GHOGH with Jamarlin Martin | Episode 74: Jamarlin Martin Jamarlin returns for a new season of the GHOGH podcast to discuss Bitcoin, bubbles, and Biden. He talks about the risk factors for Bitcoin as an investment asset including origin risk, speculative market structure, regulatory, and environment. Are broader financial markets in a massive speculative bubble?
Once the user creates a transaction, they send it to the hardware wallet. At this point, the transaction is still incomplete. It still needs to be signed by the private key in the device. Users confirm that the amount and address are correct when prompted on the hardware device. Then it is signed and sent back to the software, which broadcasts it to the cryptocurrency network.
The IRS has stepped up its plans to track fraud and enforce tax collections related to cryptocurrencies. As “more and more criminals choose hardware wallets to protect their ill-gained bitcoins, the feds clearly want methods to access them to find key evidence,” Vice reported.
Smartphone or software wallets are convenient, while hardware wallets can be cumbersome because two devices must be used to actually send funds, according to Binance.
Faced with a physical threat, a user might be forced to unlock a hardware wallet for an attacker. No successful hack has retrieved private keys from a hardware device in a real-world scenario, Binance reported. Manufacturers are quick to patch vulnerabilities but researchers have demonstrated attacks against popular wallets.
Supply chain attacks can also undermine the security of a hardware wallet before the user even takes ownership. A hacker can tamper with it to weaken security and steal funds after the user has deposited coins.
Another limitation is that “hardware wallets involve taking custody into your own hands. Many consider this an advantage as no third party is responsible for managing your funds. But this also means that if anything goes wrong, there is no recourse,” Binance Academy reported.
The IRS’s plan to hack crypto hardware wallets in tax investigations “seems like overkill,” according to Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley. “For most of these devices a choice of ‘Either give us the password or rot in jail for contempt’ might be sufficient,” Weaver told Motherboard.