The IRS is Coming for Your Bitcoin Wallet

When you buy a cryptocurrency, like Bitcoin, you need to put it somewhere. Since a Bitcoin is only computer code, you must store it digitally. You need a digital wallet. Just like any digital software, you can connect your wallet to the internet or use it offline. Wallets connected to the internet are termed ‘hot wallets’ while those used offline are termed ‘cold wallets’. Since hot wallets are connected to the internet, they are more vulnerable to hacking. This is why cryptocurrency owners are encouraged not to put too much of their money in hot wallets. In fact, the best cold wallets are those which are actually USB devices that never connect to the internet.

People have their cryptocurrencies stolen every day. Sometimes individuals are scammed and sometimes whole cryptocurrency websites are taken over. If you have your cryptocurrency stored on an online exchange, nothing can stop the exchange from closing up shop and making off with your money.

Then, there’s the problem of anonymity. Most people believe that they will have complete anonymity when they deal in Bitcoins. After all, even though the blockchain allows anyone to see what transaction is taking place, it’s impossible to connect the wallet used in the transaction to any owner, right? Not exactly. If you buy a product in Bitcoins, it must be shipped somewhere. Wouldn’t it be possible to connect the mailing address to an owner? Doesn’t the online exchange store its members’ personal information?

And then there’s the pesky problem of the government. In my opinion, it is only a matter of time before all cryptocurrency activity must be reported to the government. Evolution to this stage will be done in an incremental manner. In December 2020, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department submitted a proposal which seems to reveal how this goal will be achieved. As in most cases of invasion of privacy, a higher motive is used as an excuse. In this case, the motive will be national security. “The proposal seeks to establish appropriate controls to protect United States national security from a variety of threats from foreign nations and foreign actors, including state-sponsored ransomware and cybersecurity attacks, sanctions evasion, and financing of global terrorism, among others.” The key words here are “appropriate controls”. Expect this to mean that cryptocurrency exchange sites must hand over user information when the government presents enough evidence to justify doing so. Take this to mean that they must have enough proof to show that national security depends on getting this information.

The problem is that any cryptocurrency exchange, at any time, can be charged with money laundering. To avoid such charges, the exchange must gather information on who is transferring funds to whom. This is why every main cryptocurrency exchange maintains control over its users’ wallets. This fact was largely ignored by users of the Coinbase site until Coinbase handed over 13,000 accounts to the IRS in 2016. The problem, however, can be circumvented if the user employs offline storage in hardware wallets. Herein lies the problem; not for the user, but for the IRS. Yes, the IRS now encourages taxpayers to report cryptocurrency use on their 1040 forms, but that’s just to cover themselves in case they later learn you have been dealing in Bitcoins but lied about it on your tax form.

The IRS no longer worries much about online cryptocurrency storage because they can monitor sales through blockchain transactions and, if they need to, use the exchanges to unmask any shady or lucrative transactions. However, once an exchange user moves their cryptocurrency to an offline wallet, the exchanges no longer have access to the wallet and the IRS cannot get any help from them. In fact, the IRS admits that users of cryptocurrencies have figured this out. As they noted in their report, “while research exists on the analysis and tracking of blockchain transactions, there is a portion of this cryptographic puzzle that continues to elude organizations – millions, perhaps even billions of dollars, exist within cryptowallets, but the value cannot be realized because of the challenging cryptographic problem…secure embedded hardware devices have emerged in recent years to hold the public and private keys securely, offline from an internet connected computer.” To put it bluntly, the IRS wants to get control of these offline wallets in any way possible.

To this end, they have put out a contract on those using such wallets. The use of the word ‘contract’ here is intentionally ambiguous as both meanings come into play. The IRS wants to sign a contract with any cybersecurity expert or company that can compromise these hardware wallets. They know that this is possible for, as they state, “despite best cyber security efforts, even secure embedded hardware devices may possess vulnerabilities in hardware, software and firmware that allow for the unintentional disclosure of information.” Now, they are not stating that they will hack into a person’s computer to steal these wallets. They are more coy than that. They state that if they ‘accidentally’ come across one of these wallets in the course of a criminal investigation they would like to have the ability to see what’s in it.

But not all hardware wallets are created equal. An exploit that may work on one particular wallet may be useless against another, more secure, wallet. But what the IRS wants is an exploit that can work on any wallet, and that’s where the problem comes in. This means that software and firmware exploits are out of the question. It seems to point to an attack that focuses on how the wallet connects to the computer, but the better hardware wallets will take steps to ensure that the boot process for the wallet is secure.

There are, perhaps, actions the U.S. government could take under the banner of national security. They could, for example, require that all manufacturers of hardware wallets include a backdoor that could be accessed if needed. After all, that’s what China does. If these companies balked at this idea, and they probably would, the government could require that all hardware wallets be shipped through a government inspection site for national security reasons. In this scenario, it would be the government, itself, that could install a backdoor. I’m not saying any of these actions would be actually taken but they are worth keeping in mind.

But since it is the IRS that is so interested in these hardware wallets, it is more likely that they worry more about money than national security. They probably have reason to believe that cryptocurrency transactions with hardware wallets could be used to avoid income taxes. Of course they are. However, it would be very hard, if not impossible, for any firm to come up with an exploit that could open any hardware wallet. In fact, if they did, they would have a product that any country would pay a high price for. Keep in mind that an estimated 20% of Bitcoins have been lost or are unrecoverable, usually because the owners have lost the keys to their wallets. Hundreds of billions of dollars in Bitcoins in locked wallets are just waiting to be recovered. Even if the developers of a master key exploit took only 10% of what was in these locked wallets, they would be billionaires. Why should they, then, accept a government contract for far less?

But, in the midst of the current government spending spree, the IRS needs money. This contract is a long shot and they probably know it. However, it does make Bitcoin users nervous. They now know that the IRS is watching them and, in that case, they may declare their Bitcoin transactions when they file their income tax, simply to play it safe. If the IRS can establish an atmosphere of fear, they only need to send a threat to Bitcoin users to increase their revenue. In any event, for the IRS, this contract is a win-win situation.

