Understanding Pitfalls of Crypto Investing and Trading
Pitfalls of Crypto Investing and Trading
As I’ve become involved in Cryptos, I’ve noticed scams
being perpetrated, and so I’ve spent some time investigating and analyzing them.
To the extent that I can share my perspective and help others avoid getting
ripped off by rackets I’ll consider this endeavor successful.
By no means are the scams I’m about to describe exhaustive.
There are as many ways to lose money due to fraud and malfeasance as there are minutes
in the day – but hopefully, if my description and analysis holds up, you may be
able to consider yourself if not immune, then at least forewarned and better
prepared to avoid them.
DDOS Attacks
When I first witnessed these happen I scratched my head as
to what they were and why someone would bother with such an
attack. I think I now understand the basics of the scam mechanics and that’s
what I want to share with you, along with some possible tips for avoiding
falling victim.
But before that, a disclaimer: While I consider myself fairly tech savvy, my
background is not in computer sciences (much less running scams!). I’m going out
on a limb here to try and explain a tiny piece of the world as I understand it.
I’ve arrived at this description simply by my own reductive and deductive
reasoning. If you see something I’m missing or have significantly wrong, please
feel free to let me know at izzyotomakan@gmail.com.
First of all, you may be asking, what is a DDOS attack?
DDOS stands for ‘Distributed Denial of Service’, and is when
someone (or a group of people) decides to flood a website with traffic in order
to overload the targeted website’s servers and cripple the site’s functionality.
Most websites can handle a reasonable amount of ‘hits’ per
second without becoming overloaded. However, if a site suddenly were to have,
say 100,000 simultaneous ‘hits’, its computers might have a hard time digesting
that level of activity. What may end up happening is that the site servers[1]
spend so much of their processing power dealing with this incoming traffic,
that there is little to nothing left over to process normal day-to-day
functionality (like for example, accepting a buy or sell order from a customer).
The main way DDOS attacks are orchestrated (as I understand
it) is with a ‘bot army’. Unbeknownst to thousands or even millions of users,
they have malware on their computers[2].
The particular DDOS related malware may actually not do anything really bad to these individual computers – but unbeknownst
to the owners, they may turn the computers into infantrymen in a ‘bot army’.
When the ‘general’ says to attack a particular website, it
sends a message to all the ‘sleeper cells’ in the bot-army computers around the
world, telling them to try to connect to the same targeted website. Now as a regular
user, you may not even know this has happened! You may see little to no
difference in your computer’s performance – after all, it’s just ‘pinging’ a
website a few times, nothing particularly fancy or CPU intensive. There won’t
be any notifications or pop-up alerts – it’ll happen silently in the
background. But multiply that activity by 100,000 and the site which is the
target might be brought to its knees, unable to process that much traffic.
“OK IZZY” – you might be saying, “I get how a DDOS is orchestrated,
but why would anyone want to do it?”
Well, there are a couple of likely reasons. Firstly, the
attackers may be trying to express some personal, political or social viewpoint.
Much like protesters spray-paint graffiti on a corporate billboard they
disapprove of, protesters can make statements directed at a particular company
by reducing the functionality of their website. But this is generally not
what we are focused on here in Crypto-land. We are focused on the other main
reason: to make money.
Trading With Leverage – the DDOS attacker’s Prime Enabler
Have you noticed that DDOS attacks on trading websites seem to only happen when a particular cryptocurrency is in the midst of a massive rally? Have you also noticed that when they occur, the rally tends to come to a halt, and the prices tend to drop? You might also have noticed that people in chat-rooms complain about losing money from being ‘stopped out’ of trades. This is all because a DDOS attack’s profitability depends on having a lot of traders being long a crypto with leverage.
This is all best demonstrated with an example, so let’s go
into one. We’ll look at it first from the victim’s perspective, then from the
attacker’s perspective.
Joe the Victim
Joe has just read on a site that NEWCOIN is the ‘next greatest thing’ – it’s going to be the new bitcoin x 1000. So he logs into Poloniex where he has 1 bitcoin stored and decides to buy some NEWCOIN with it. When he gets into Polo, he is amazed to see that Newcoin has already gone up 100% in the last hour and he figures it’s a safe bet that it will go up at least another 20% in the next hour. Let’s also assume that Newcoin is at that moment trading 1:1 versus bitcoin (for simplicity) and that 1 bitcoin is worth $2500.
He could just sell
his 1 bitcoin and buy 1 Newcoin. This way, if he’s right and it goes up 20%, he
will have made 20% x $2500 = $500. But Joe feels like playing it a little
riskier and going for more. He instead transfers his 1 bitcoin into his ‘Margin’
account, and now Poloniex allows him to buy 2.5 Newcoins with his 1 BTC as
collateral. If he is right and Newcoin goes up 20%, then his profit will be 20%
x $2500 x 2.5 = $1250! A 50% return on his capital of $2500!
Now Joe knows that with leverage, while his possible gains
are magnified, his possible losses are also magnified. So he tells himself that
he will watch Newcoin trading tick-for-tick, keeping his finger on the ‘close
position’ button. If it starts to go against him and he loses, say, $500, he
can click that one button and Poloniex will close out his trade by selling all
the Newcoin he bought on margin.
So Joe buys 2.5 Newcoin with his 1 BTC as collateral, and keeps
his eyes glued to the trading screen.
Suddenly, the screen doesn’t seem to be refreshing and the
site doesn’t seem to be updating. At first he tells himself that it’s probably
nothing, but then when it does
refresh he sees that Newcoin has dropped in value from 1:1 versus BTC (or 1.0) to
0.90... a 10% drop! But since he’s used leverage he’s actually lost 2.5x that
10% on his initial investment, or 25% of his $2500 = $625. “OK” – he tells
himself, “this is too much pain – time to close the position”, and so he clicks
‘Close Position’.
But his screen has frozen again.
By the time that it refreshes, he is notified that not only
did he not ‘close his position’ at 0.90, but during the time his screen was
frozen, the price of Newcoin dropped first to 0.8, and then immediately to 0.7.
Unfortunately for Joe, when the price dropped to 0.8, that triggered an
automated forced liquidation. But because the system was slowed (due to the
DDOS) and new buy-orders couldn’t be processed, the next closest level to sell
into was 0.7 – and that was the level at which his position was closed out!
He looks at the now-refreshed screen and sees: price of Newcoin:
0.95 (ok, not too bad!), but his account balance: 0 Newcoin (they were
liquidated) and only 0.25 BTC – he’s lost 75% of his money!! And adding insult
to injury, NewCoin is only barely lower!
Mike the Villain
Mike is very proud of the fact that he commands a ‘bot army’.
With the push of a button, he can set 100,000 unsuspecting computers around the
world to simultaneously try to connect to any single website – overwhelming the
servers of the target and causing its systems to freeze up as they try to
process the backlog.
He has noticed that NewCoin has been rallying enormously and
he thinks the stage is set nicely for him to make some money with an attack.
Newcoin is trading at 1:1 versus BTC, and so Mike enters two
trades:
1) He shorts 20 BTC worth of NewCoin @ 1.00 (which
in this case, means he shorts 20 Newcoins)
2) He enters a buy order for 20 Newcoins, but at a
price much lower – in this case, at 0.70.
With those two trades entered, Mike presses his ‘attack’
button. A DDOS attack has now been launched against Poloniex.
Mike knows that during the attack, it will be very hard for
people to enter new orders – Buys or Sells. Some people might be trying to
enter ‘Buy’ orders, but given the fact that the system is frozen (and people
expect DDOS attacks to usually push the price lower) he anticipates only a very
small number of people will try and execute new buy orders. He also knows that even
if some of those buy orders are entered, they will likely be more than offset
by people entering ‘sell orders’, as they fear a price drop.
But what he’s really counting on is for many of the people
who are long NewCoin with leverage to simply press the ‘Close Position’ button.
He doesn’t actually need too many people to do it. In fact, he needs just a few
to ‘get the ball rolling’. Not only is it more likely that some ‘close position’
orders will get through (because it’s a simple 1-click!) , but because there
are no new buy orders entering the system, the ‘bid stack’[3]
will be quickly taken out and the price will gap-lower. This will create forced
liquidation events in leveraged-long accounts which will create new system-generated sell orders. I.e., these
sell orders will get processed because they are initiated on the server side –
they don’t even need the user to click ‘close position’! This creates a self-reinforcing
loop: as the price goes down, more liquidation sell-orders are triggered, which
causes the price to drop more… which causes more liquidation sell-orders.
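The liquidation loop described above, modelled as an added example (not code from the original post or from Poloniex). Joe's position and his 0.80 trigger come from the article; the 25% maintenance ratio (chosen to reproduce that trigger), the bid stack and the other three accounts are constructed assumptions.

```python
from fractions import Fraction as F

# Assumed maintenance ratio (equity / position value). Not from the page: it is
# chosen so that Joe's 2.5x long opened at 1.00 is force-liquidated at 0.80.
MAINT = F("0.25")

def liq_price(qty, debt, maint=MAINT):
    """Price at which equity / position value falls to the maintenance ratio."""
    return debt / (qty * (1 - maint))

def market_sell(bids, qty, last):
    """Sell qty into a bid stack nobody is refilling; return (BTC received, last fill)."""
    received = F(0)
    while qty > 0:
        if not bids:
            raise RuntimeError("bid stack exhausted")
        price, avail = bids[0]
        take = min(qty, avail)
        received, qty, last = received + take * price, qty - take, price
        bids[0] = (price, avail - take)
        if bids[0][1] == 0:
            bids.pop(0)
    return received, last

def cascade(bids, longs, voluntary_sell, start=F(1)):
    """Return (last price, {liquidated account: BTC left}, [surviving accounts])."""
    bids, open_longs, wiped = list(bids), dict(longs), {}
    _, last = market_sell(bids, voluntary_sell, start)
    while True:
        hit = [n for n, pos in open_longs.items() if liq_price(*pos) >= last]
        if not hit:
            return last, wiped, sorted(open_longs)
        name = max(hit, key=lambda n: liq_price(*open_longs[n]))
        qty, debt = open_longs.pop(name)
        received, last = market_sell(bids, qty, last)  # server-side forced sale
        wiped[name] = received - debt

# Constructed sample data: (price, size) bids and name -> (Newcoin held, BTC owed).
BIDS = [(F(p), F(q)) for p, q in
        [("0.95", 1), ("0.90", 1), ("0.85", 1), ("0.80", 1), ("0.70", 20)]]
LONGS = {
    "joe":  (F("2.5"), F("1.5")),    # the page's trade: 1 BTC collateral, 2.5x
    "ann":  (F(1), F("0.648")),      # constructed: 2.5x long opened at 1.08
    "bob":  (F(2), F(1)),            # constructed: 2x long opened at 1.00
    "cash": (F(1), F(0)),            # constructed: unleveraged holder
}

if __name__ == "__main__":
    print(cascade(BIDS, LONGS, F(3)))
```

Three voluntary closes are enough to push the last trade to 0.85; the forced sales then carry it to 0.70, while the 2x and unleveraged accounts are never touched.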
After about 10 minutes, Mike cancels the DDOS attack and
looks at his account page.
Good news (well, for him)! His buy order of 20 NewCoins was
filled at his price of 0.7! Of course, he knows that it was mostly done through
triggered liquidations (and so is a consequence of others losing out), but he doesn’t
care. He just made 30% on 20 Newcoins (valued at 20 x $2500 x 30%) = $15,000.
Not bad for 10 minutes worth of work!
Is It Poloniex’s Fault?
Personally, I don’t think so. There are always people out
there looking to game the system, even if it means effectively picking the
pockets of others. That being said, to the extent that these events keep
happening at a site, the onus is on the site to make sure that their systems are resilient
enough to fend off DDOS attacks. From what I can tell, Polo seem to have beefed
up their tech as well as potentially even reimbursed some victims. From my
vantage point, they seem to actually be doing a pretty good job.
Is/Was Poloniex ‘In On The Scam’?
While I can’t say definitely no (as I just don't know), I can tell you that logically, even if the
owners had no moral compass, it makes little to no sense for them to try
to rip off their own customers – and certainly not in this way.
When trying to figure out who or what is behind activity, I like
to rely upon the Latin phrase ‘Cui Bono?’ which means, ‘Who benefits?’ So I ask
myself, would it be in Poloniex’s interest to try and fleece their own
customers?
Considering just how much money Polo makes legitimately, I think this is
exceedingly unlikely. In any given 24 hour period, Polo may trade 300k BTC – that’s
approximately $USD 750 million equivalent. Even if on average they only make
0.25% in commissions per trade, that’s nearly $2 million a day in revenues, or ~$700 million annually in a market that’s
growing by leaps and bounds.
To risk their business reputation (and so the viability of
the business itself) by trying to rip-off their own customers in such a scam
would be such an illogical move (even ignoring the morality of it, which is
obviously horrendous) that I tend to consider any allegations that they conspired
to defraud their customers as being without merit.
So What to Do to Avoid Falling Victim?
Simply put – in addition to watching out for ‘pump and dump’
campaigns (more on those in a future post), be extremely wary about trading with leverage. If you don’t
invest with leverage, then you cannot be ‘stopped out’ of your trades (at a
loss) due to temporary market swings (whether artificially manipulated or not).
I’m not saying don’t do it – that’s not
for me to say to anyone – but hopefully after reading this article you’ll be
more aware of the risks and so may tread more cautiously if you do go down that
route.
Furthermore, if you decide to trade with leverage, you’re
probably best served avoiding smaller/newer trading sites. It may seem enticing
to trade on sites that offer high degrees of leverage, but if the site hasn’t invested in the
technological/defensive infrastructure to fend off a DDOS attack, you could be
in for a rough ride. Said differently, if I were to think like Mike the Villain, I would naturally gravitate towards newer/smaller trading sites that both offer leverage as well as are potentially more vulnerable to DDOS.
If you enjoyed this article or my XRP valuation piece, please feel free to drop me an email to say hello. I really enjoy hearing from readers. Thanks! Izzy
[1] You can think of servers as just commercial-grade computers for managing websites.
[2] Raise your hand if you’ve been using a computer for more than 5 years and have never come
across either a virus or piece of malware on a computer you’ve been working on.
And…. I see exactly zero hands going up.
[3] The bid stack is the list of all buy-orders on the books – for different sizes
and prices.
Incredibly well written Izzy.
I'm just getting into mining through my GPU with NiceHash, do you have any opinions on that service?
What are your thoughts on Ethereum?
Thanks - I'm not familiar with NiceHash and frankly despite initially thinking I might do some mining of my own, decided that just buying some coins was a better route for me. Re Ethereum, I have a fair bit to say, and am looking forward to finishing my work and sharing it.