
Waiting for Katrina: How Big Can Crypto-Hacks Get?

March 15, 2023

When Hurricane Katrina hit Florida and Louisiana in 2005, it was North America’s most destructive storm on record. With winds reaching 175mph, Katrina caused $125Bn of damage and left people wondering: was this simply bad luck or a new climate-change normal? And, more concretely, how much should insurers charge people to protect against these kinds of catastrophes in the future?

Nearly ten years later, another type of storm hit when Mt Gox discovered they’d lost 750,000 Bitcoin, worth around $500m at the time, and were forced to close their exchange. Was this hack simply an unlucky one-off? Or were hacks going to be a persistent feature of the crypto-market? And if so, how often would they happen and how big could they get? These might look like quite different questions compared to the measurement of hurricane risk, but, in practice, it’s the same problem. Here’s why.

Both events – hurricanes and hacks – are scale-invariant processes, in common with many other phenomena, such as city sizes, word frequencies, earthquake magnitudes, music downloads, and company valuations. Specifically, the frequency distribution of storm sizes can be expressed as a power curve – storm strengths occur in constant relative proportions. So, the trends you observe in smaller, frequent storms can be used to predict the trends in larger, infrequent storms. If small storms are getting more common or stronger, then you might expect that large storms will do the same, without waiting for centuries to accumulate data on them directly.


The graphic above shows how digital asset fraud exhibits this same scale invariance. Scale invariance is characterised by a straight line when size is plotted against rank on log scales. The main body of the 250 crypto hack events we identified using news headlines forms a straight line. To the right, the plot curves downwards because small events are missing: $100k hacks may not be reported. To the left, the plot curves downwards because $1Bn hacks are missing. Crypto hacks have a limited history, and given the skewed underlying distribution, this large-event tail is likely under-sampled.

The implication of this distribution is that there’s a $10Bn hack out there. For example, we estimate that for a given hack, there’s a 5% chance of it being over $1Bn and a 1% chance of it being over $10Bn. Or to put it another way, there are currently about two hacks per year which are over $10m. Hence, over a decade, you’d expect 20. One of those would indeed be in the Mt Gox size range, as has already been observed. Meanwhile, over 50 years, you’d expect 100 hacks. And one of those will be a counterparty-flattening $10Bn Katrina.
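The tail arithmetic above can be reproduced with a Pareto fit. The following is an added example, not code or data from the original article: it estimates the tail exponent by maximum likelihood and turns it into exceedance probabilities and expected event counts. It assumes that "a given hack" means one above the $10m threshold, and the loss sample is constructed with an exponent of 0.67, chosen because it roughly matches the article's 5% and 1% figures under that reading.

```python
import math

XMIN = 10e6  # assumed tail threshold: the $10m level the article quotes a rate for

def constructed_losses(alpha, n, xmin=XMIN):
    """Constructed sample: n evenly spaced Pareto quantiles (no real incident data)."""
    return [xmin * (1 - (i + 0.5) / n) ** (-1 / alpha) for i in range(n)]

def fit_alpha(losses, xmin=XMIN):
    """Maximum-likelihood (Hill) estimate of the tail exponent for losses >= xmin."""
    tail = [x for x in losses if x >= xmin]  # drop under-reported small events
    return len(tail) / sum(math.log(x / xmin) for x in tail)

def exceedance(x, alpha, xmin=XMIN):
    """P(loss > x | loss >= xmin) under a Pareto tail."""
    return 1.0 if x <= xmin else (x / xmin) ** (-alpha)

def expected_count(x, alpha, rate_per_year, years, xmin=XMIN):
    """Expected number of events above x, given rate_per_year events above xmin."""
    return rate_per_year * years * exceedance(x, alpha, xmin)

def demo():
    # 200 constructed tail events plus a few sub-threshold ones the fit must ignore
    losses = constructed_losses(alpha=0.67, n=200) + [1e5, 4e5, 2e6]
    alpha = fit_alpha(losses)
    return {
        "alpha": alpha,
        "p_over_1bn": exceedance(1e9, alpha),
        "p_over_10bn": exceedance(1e10, alpha),
        "n_over_10bn_50y": expected_count(1e10, alpha, rate_per_year=2, years=50),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

Fitting only above the threshold is what keeps the unreported small hacks from biasing the exponent, and the same fit run on real incident data would show how sensitive the $10Bn estimate is to the choice of threshold.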

