Unchained - Mike Belshe on What BitGo's Kingdom Trust Acquisition Means for Crypto and How Security Will Develop in the Future
Episode Date: March 20, 2018
Mike Belshe, the founder and CEO of BitGo, talks about one of the biggest problems facing crypto today: security. We discuss some of the ways BitGo has resolved this issue, whether that still leads to single points of failure, and what the company's recent acquisition of Kingdom Trust (a "qualified custodian" as defined by the 1940 Investment Company Act) means for the space -- hint, it may have to do with ETFs. We also discuss the recent violent crimes against people in crypto and how everyday people should go about protecting their funds.
Mike Belshe: https://twitter.com/mikebelshe
BitGo: https://www.bitgo.com/
A Wired article on the BitGo acquisition of Kingdom Trust: https://www.wired.com/story/why-a-tiny-kentucky-firm-rules-a-corner-of-the-crypto-market/
New York Times article on crimes against crypto holders: https://www.nytimes.com/2018/02/18/technology/virtual-currency-extortion.html
Thank you to our sponsors:
Preciate: https://preciate.org/, which is taking suggestions for new people to recognize at https://preciate.org/recognize/
Bitwise: https://www.bitwiseinvestments.com/unchained
StartEngine: https://www.startenginesummit.com/
Transcript
Hi, everyone. Welcome to Unchained, the podcast where we hear from innovators, pioneers, and thought leaders in the world of blockchain and cryptocurrency. I'm your host, Laura Shin, an independent journalist covering all things crypto.
As you heard on the podcast, last week, I was at South by Southwest, where I moderated panels and spoke with people at several crypto events.
I just wanted to take a moment to thank everyone who came out and also to those of you who came up to say hello.
I love meeting listeners, and it really means a lot to hear from you, especially since when I started this podcast, I never, ever, ever would have dreamed that it would grow to become this popular and actually ever be something other people cared about.
Since I'm looking back to when I first started and when this podcast had a tiny audience, I also want to take this moment to thank my first sponsor, OnRamp, and to thank Matt Roszak, who introduced me to them.
I also want to thank Chris Curran at Fractal Recording, who is such a pleasure to work with because he is so chill, and to Elaine Zelby, who is a master of all things podcast related.
Most of all, thank you to all you listeners who have tuned into this show, even though for most of the time I've done this podcast, I've had pretty much no idea what I'm doing.
I'll be at more conferences in April and May, and so if you see me in person, please don't be shy about saying hi.
Unchained is sponsored by Preciate. Founded by Ed Stevens, Preciate is building the most valuable relationships on Earth.
Today, Preciate is recognizing someone for a big achievement in the crypto space.
Who will be recognized today for their achievements? Stay tuned to find out.
This episode is brought to you by StartEngine. Leaders and innovators in the crypto world are coming together at the StartEngine ICO 2.0 Summit on April 20th in Santa Monica. To register and receive a 20% discount, visit startengine.com and enter the code Unchained 20.
This episode of Unchained is brought to you by Bitwise Asset Management. Last year, Bitwise created the world's first cryptocurrency index fund, the Bitwise Hold 10, which holds the top 10 cryptocurrencies and rebalances monthly. The fund has several hundred LPs and is currently accepting accredited investors. To learn more and invest in the Bitwise Cryptocurrency Index Fund, visit www.bitwiseinvestments.com/unchained.
Today's guest is Mike Belshe, founder and CEO of crypto security company BitGo. Welcome, Mike.
Hello, Laura. How are you? Oh, doing great. Thanks for joining the show.
Thanks for having me. We're going to get into a whole bunch of topics around
security, including the physical dangers people who hold crypto right now are facing. We're going to
talk about the challenges institutions face with custody. But I wanted to dive into your background first
because I think yours is sort of the classic case of someone needing something and then just
deciding to build it yourself. And you actually were on the podcast before to discuss SegWit2x,
which, for those of you, the listeners, who don't know what that is,
was an attempt at a hard fork that didn't quite manage to succeed and maybe a good
episode for you to check out if you're not familiar with that would be the one with New York Times
reporter Nathaniel Popper where we discussed the aftermath. But Mike, so let's fill in your personal
history. Can you tell us about your pre-Bitcoin career, how you got into the space and how you
came to found BitGo? Sure. Well, I've been a technologist for, I guess, 25 years
now, doing mostly startups in Silicon Valley.
Been in a number of good ones.
Actually, my first startup, I guess where I got the taste for it, was Netscape back before
that was a public company back in the mid-90s.
And I've always enjoyed, you know, kind of the early phase of building product ever since
then.
So that's kind of what I've done.
More recently, I've been at Microsoft when they purchased a company I had,
which was an email search company before email search was a thing.
And then I landed at Google for a while,
where I was one of the first guys on the Chrome team
and invented a protocol called SPDY,
which later became HTTP 2.0.
So if you're using your web browser right now,
you're probably using that protocol.
So that's kind of before I got into Bitcoin.
Somewhere thereafter, I started hearing about Bitcoin.
I wish, like many, I had been a little bit faster to jump in.
The first time I heard about Bitcoin, I think I thought it was a scam.
The second time I heard about it, I thought it would never work.
And I don't know, maybe somewhere around the fourth or fifth time I started reading.
And then I realized, holy cow, this is interesting stuff.
So I helped, I bought some.
I helped my friends buy some.
And kind of being the technologist of the crew, I was using cutting edge, state-of-the-art, cold storage, you know, which was on my laptop,
which I securely stored underneath my couch at the time.
I printed out the backup copies,
which were securely stored in the laundry room,
separate from the laptop.
But that was a different time,
and the value on that laptop just continued to grow.
And I worried that, you know,
something would happen to that laptop. From my history at Chrome,
you know, we had seen the stats of malware growing
on the internet and just the rate at which attackers were coming out there.
And so I was afraid that someday I would go to plug that thing in and I would get malware on it.
I would lose the money or whatever.
So I started investigating for a better way.
And I found a little corner of Bitcoin that was relatively unused, almost completely unused at
the time called P2SH.
And that's pay-to-script-hash, and that's really the underpinnings of multi-sig technology for Bitcoin.
It had been introduced into the Bitcoin network at least a year prior to my having stumbled upon it then.
But that looked like a good answer to me because we can start to separate the keys that were used to secure these wallets and build a better system.
So that was how I got into Bitcoin.
BitGo evolved straight out of that.
And so for listeners, let's just define multisig, which is a lot of...
I think maybe what a lot of people, when they hear the name BitGo, they think of that as sort of like a signature service that you guys offer.
How does that work?
Sure.
Well, when you get into security, really what it's mostly about is continually breaking down any single point of failure.
So a single point of failure, a simple example is wallets at the time were just a single private key.
Right.
So you had an address, which is the hash of the public key, and the private key protected it.
But if you lose that private key, if you encrypt it and forget the password, if your hard disk crashes,
if you get malware on your machine that's able to compromise it, that's a single key that can be lost.
So to secure it tighter, you can split that into multiple keys.
So the simplest example is you split it into two keys.
And now an attacker would have to get two keys.
And you can then take those two keys, you can put them on two machines.
You can take those two machines and give them to two people.
You can take those two people.
You can put them in different organizations.
You can take those organizations, put them in different countries,
put them in different jurisdictions, geographies, et cetera.
So you just keep splitting it apart.
And then you can go from two to three to four.
So each one of these can add additional security.
And there's other techniques that we use also with multi-sig related to helping with kind of backups.
The sad truth of public key infrastructure
is that humans can and will lose key material.
And so if you have a wallet, which is dependent upon two keys,
and one of those keys is lost or compromised in any way,
you can be out of your money.
So we use backup keys.
And this is where we use an M of N model.
So we use two of three mostly at BitGo.
So additionally, you can create kind of a backup key
where instead of just having two out of two signatures or three out of three,
you can do it so there's two out of three or two out of four. And you keep a couple of backup keys in case people do lose their keys. So all in all, that's what we do at the lowest level with multi-signature. And it's the underpinnings for a number of other security mechanisms that we provide on top of that.
Well, so one thing that I was wondering about what you were describing here is I feel like there's a tension, right? If I have money, sorry, if I have some sort of crypto, then I totally get the security
of splitting up the keys between different people and across different geographies and jurisdictions.
But there's, you know, if it's my personal money, then I need to suddenly let these other people
who hold part of my private keys know what I'm sort of doing with my money at any given time,
right? So how does that part of it work?
That's right. I mean, it's all a trade-off. So at the simplest level
of just having two or three,
technology is fantastic.
We can bury this behind technology
in ways that you don't even see it.
So it really looks just like
any other single signature wallet.
And we can do some automated co-signing
where some of those keys are running automated rules
that are set up in advance.
You can do others that are with close friends
so that they're actually approving.
Or you can do remote friends or other companies.
And obviously, the more parties involved
and the farther away they are geographically,
especially if there's time zone differences, you know, that can cause delays.
But, you know, at some level for the deepest security, you do want more of that.
I think increasingly this year, we're going to see multi-tiered wallets coming out where at the coldest level,
they're using a number of people that are hard to pull together and do take time to get together.
And then at the shallowest level, the more hot wallets, it's almost, you know, completely automated.
So you can use a blend of this and it allows you to mix the needs of fast access with the needs of deep cold storage.
Oh, okay. So no matter what, essentially I do have to give up some privacy to do the multi-sig.
Like, there's no, there's no way around that.
Well, there I was referring to time to access your funds more than privacy.
Privacy is another issue, but I think for the most part, folks that are looking for this type of security,
of course, they're looking for privacy of their overall balances, but that's been less of an issue.
I mean, keeping it safe is first and foremost what they need.
And the privacy that you give up here is, I think, minimal.
But yeah, that's a concern.
Okay.
And then when you talked about time, is that some sort of like built-in delay for transactions over a certain threshold?
Certainly can be.
So that's one of the policies that we do offer is just the ability to say, hey, look,
if you have a transaction, it's more than, you know, $10 million, I want to have a 24-hour delay on it.
And we want to be notifying, you know, these 10 people regularly during that 24-hour period.
You can do that.
Okay.
Is that from Emin Gün Sirer's idea?
Because he was on the podcast and talked about something like that.
I actually forget the name of it.
Well, there's been time-locked transactions.
There's a number of technology mechanisms for implementing this.
He had a vault proposal that he had put together,
which was sound.
And I forget the specific details,
but it probably had something like this.
I think he was trying to push these rules
all the way down to the chain,
which I believe is a good idea, by the way.
You know, BitGo sits on top of the chain in many ways.
We use multi-sig at the chain level,
and then we provide a couple of layers of security on top of that.
But the safest way to store your coins
is to actually move these rules into the blockchain directly.
So that hasn't happened in Bitcoin.
It could be that someday we see a secure coin that actually does push these all the way down to the chain.
Yeah, I feel like I actually might have even seen on Twitter that he said something like,
oh, there's this new token that is incorporating this idea.
But I don't remember which one it was.
Okay, so we've been kind of getting into the weeds, but I actually want to step back and just ask you,
what do you feel are the main problems around security and crypto
overall? Well, I think we've continued to see breaches. I guess in my view, you know,
the digital world is inheriting a problem that our banks never solved, which is they never
solved security. And they've been digitally moving money in traditional banking systems for
quite some time, but they guard it and mask it with human labor and slow policies and, you know,
layers and layers of insurance, basically.
With your Visa MasterCard, of course, we're all familiar with paying three to five percent
between the purchaser and the seller back to Visa MasterCard, and that covers the fraud, right?
Why is there fraud?
Well, because it never fully solved security.
At the banking level, we have the same issues.
We have wire transfers that go at the low level, say less than $100,000, less than $50,000,
fraudulently, you know, thousands of times per day.
It's a major problem.
This is because identity is not fully solved for banks.
So as we come into the digital world where the escape is so easy,
once you manage to get your hands on the digital money,
you're out in an irreversible way,
the consequences of not having these security layers or security problems solved
is far more severe.
And that's very prominent.
We're seeing that.
So exchanges keep getting hacked.
Other businesses keep getting hacked.
I think primarily it's that, you know, people are trying to move fast.
It's a competitive world.
They're trying to build products.
And while we all say that we want to put security first, it's actually very hard in practice for companies to do that.
So oftentimes they learn the hard way and consumers go with it.
So we do know how to secure these digital assets.
It's hard.
It's not always the fastest thing to do.
Somewhat ironically, it does mean going back to some of the policies that traditional finance uses
in terms of making sure that human guards are in place.
But, yeah, it's a complicated problem.
Hopefully in the future, we wouldn't need human guards,
and we could solve it with software somehow.
But let's now dive into the exact products and services that BitGo offers
and how those have evolved over time.
We've sort of touched on this a little bit,
but I just want you to give, you know,
the overview of all your main products
and, like, which ones you started with
and when and then why you added on these new services.
Okay, sure.
Well, that's great.
We started out as a non-custodial wallet,
and we used multi-sig as a mechanism to do it.
So although securing digital currencies is difficult,
we very much believe in the ethos of what you get from Bitcoin, you know,
which is the ability to kind of hold your own asset and stay secure.
So we've been trying to make that work, I think fairly successfully for the last several years.
And just for people who, like, you know, some of this is a little bit jargony when he says
non-custodial wallet.
That means BitGo isn't holding the funds, you know, in like offline servers or anything like that.
Like you still remain in control of your funds.
That's right. What we mean by non-custodial is that you know, you're not trusting a third party like BitGo to keep everything safe. Literally, with our non-custodial product, BitGo can disappear off the face of the earth suddenly and you still have all of your money. And that's a key critical element of the first phase of what we've done. That solution has been deployed to hundreds of exchanges and broker dealers and payment processors, even some hedge funds out there
all around the world. And they like it a lot because they don't want to trust somebody else
to keep everything safe. You hear a lot in the Bitcoin ecosystem about, you know, trusted third
parties. And if you talk to security experts, they'll tell you, trusted third parties are
very difficult to manage over the long term. They often become the problem. And one of the great
things about Bitcoin is that it's created a mechanism where you can control your own assets and can
have control yourself. However, Bitcoin hasn't fully solved a problem from a usability perspective,
which is that, frankly, none of us are security experts. And securing your own keys when it's
$200 or $1,000 or maybe $10,000 is okay. But I can't tell you how many people I've spoken to that
are absolutely terrified that they've got $150,000 or $15 million or $50
million dollars, that is completely at their own security level. Like, they're responsible for
everything. So the backups, did you put them in banks properly? Are you protected from if your house
burns down? Do you have malware on any of your computers? Is someone trying to attack you? Is there
spear phishing going on? I mean, all of these threats are real, and we usually don't think about
them. Just to give an example, we had a customer sign up with us. I think it was mid last year as
Ethereum was really going gangbusters.
And they were excited.
They loved the BitGo multi-sig wallet that they were getting with Ether.
And we signed them up, and they started using the product, no problem.
About four weeks later, they called me up.
They'd been hacked.
Now, they hadn't lost a dime through BitGo.
BitGo is safe.
And in fact, they're still a customer today.
But they had lost, on the same day, 1.5 million on Kraken and a half a million on Coinbase.
And what had happened is that they just didn't realize how important the security elements
which they needed to walk through are.
And they've seen metaphors with their traditional finance like your Wells Fargo account,
which led them to think they were safe.
Specifically, they wanted to be able to trade on the exchanges.
They created a shared account with a shared email address so that a couple of guys at their
firm could trade.
And they thought, well, gee, we're not going to use two-factor auth.
I mean, if we don't need it for our Wells Fargo account, we'll probably be
fine. And if we turn it on, then he can use the account, but I can't use the account, right?
So net results is they didn't use two-factor auth. Long story short, their email had been compromised
before they ever even owned a Bitcoin. The hackers were already in their email servers.
So the hackers saw the signups coming from Coinbase and Kraken, waited for the money to get
deposited, and took it all out. So it's an example of they had, the onus was on them to secure their
coin, they didn't really understand how to do it. They didn't understand how important it was.
The metaphors that they have from traditional finance did not lead them to success.
And as soon as they got out of a system which requires, you know, independent usernames,
passwords, shared wallets, BitGo does all of these things. BitGo requires two-factor auth. You can't
get out of it. That's why BitGo was not compromised, but the other accounts were.
So, anyway, securing assets is something that we're just not familiar with.
So when for something like that, do you have any products or services that would help someone keep their coins on an exchange secure?
Yes. So in terms of the BitGo product line, first we have the non-custodial wallet, which is what they've been using. So they have two keys themselves. And we walk them through a more complicated provisioning process for setting up the wallet. And, and those wallets were kept secure.
Additionally, just recently BitGo has entered into an agreement to purchase Kingdom Trust,
which is a state chartered trust company, which is a limited-purpose bank out of South Dakota,
and the purpose of us acquiring that company, which is pending regulatory approval at this time,
is to start to offer custodial services.
So as much as it's powerful and important to make sure that we are not trusting third parties
to keep us secure all the time,
there's a number of cases where people really do need it.
So if you have a business,
and of course there's multiple parties at the business,
maybe you're running a hedge fund,
you very much want to have a security system in place
that protects against insider theft, coercion,
of course, all of the basic losses,
password loss, hard disk crash,
malware, etc.
And it's really difficult to do this inside of your office.
So a hedge fund, for instance, has never taken direct custody of assets for any other asset class.
The idea that they would do it for digital assets is scary to them.
And the types of money that they're talking about, which is hundreds of millions of dollars, makes it really important.
So they do have oftentimes fiduciary responsibilities to their customers to find the best way to secure their assets.
and they've traditionally used banks, trusts, and others that are really experts in securing
whatever the asset is.
So for these folks, we're building a custodial solution.
This is one where you actually do give the keys to a trusted third party.
I think we will continue to evolve those solutions over time so that the trust is not
the same as the trust was with a traditional bank.
Like, you know, you may have put your money with a particular hedge fund advisor.
Maybe you put your money with Bernie Madoff.
trusted that he had the assets when he didn't.
We can make it, thanks to blockchain technology, we can make it far more transparent so that
customers still get benefits of knowing that their assets are there, being able to monitor
them, while also getting benefits of the security that comes with hiring professionals to
take care of the keys.
So how does that work in just, so let's say that I'm a hedge fund and I want to use what
will eventually be your new custody solution if this goes through.
So I know I've talked to some of the crypto hedge funds in the space and I know for instance,
they are, you know, buying hardware wallets like a Ledger or Trezor or whatever and putting coins
on there and then they have this elaborate method for ensuring that nobody tampers in there.
I don't know if people have heard Ari Paul talk about this, but he says that they wrap theirs
in bubble wrap and then they create a pattern on the bubble wrap in glitter nail polish.
And the reason that they do that is because then they, I suppose, photograph the pattern that it
creates. And then when they go to open it, they can see whether or not the glitter nail polish
has a different pattern or not. But obviously, you know,
this is something that he's doing in person, so he needs to be able to physically access those
devices. I don't know. Is your solution something different because I don't imagine you're just
going to put a whole bunch of different physical locations all across the world for people to access.
So how will that work? Well, I think it's a great example. In that case, he's taking responsibility
for physical security of those small personal devices. That means he has to protect it from
fire. So he's got to have a backup somehow. That means he has to protect it from tampering. That's what
he's doing with the bubble wrap. He needs to protect it from just being hacked. It's only got a
small pin code. If somebody knows your pin code, that's a problem. He needs to protect it from insider
theft. What if the people that are legitimately at the firm that do know how to access it, decide that it's
time to take the $100 million and go, it's difficult to securely protect things. We don't have
anything else. Fund managers have never taken physical security
of assets on anything else.
So he's trying to solve a difficult problem.
Another, you know, often forgotten problem that can emerge is like, okay, let's say he does that.
And then heaven forbid, you know, he should become incapacitated or pass away or whatever unexpectedly.
How does the firm recover the funds?
Did he put in sufficient backups with instructions to others such that they could recover the funds?
And if he did, how do you do that so that he didn't expose his customers to other forms of insider theft,
where now there's two or three or ten people at the firm that would have ability to access the funds?
Now, all these things are manageable and solvable.
You can come up with mechanisms for backups and you print them and you, you know,
you've got your USB storage and you can protect it from different types of attacks and you can put that into bank vaults
and you then can have one in New York and one in San Diego.
but most people have not had to secure assets where they think about all of these edge cases.
So as a custodian, we can think about all these edge cases.
We do take care of backups that are stored across geographies.
We do take care of making sure that no single person has access to enough key material.
We are able to do key ceremonies to make sure that the keys are securely generated.
We're able to do all of these processes and procedures to keep your money safe.
So if the Kingdom trust deal goes through, how is that going to look?
Is that going to be like, let's say that I'm a crypto hedge fund and I decide that I want to do business with you, then is it a similar thing where my coins are going to be held on physical devices that are somehow in your control?
Or I don't know how this works.
Because presumably things need to be kept offline, right?
Yes.
Yeah.
So first off, the product's available today.
So BitGo and Kingdom have been working together for a couple of years now and evolving this product.
So one of the reasons the merger of the two companies made a lot of sense is because we have a history of working together.
We've been providing both individual accounts, individual retirement accounts, security as well as for funds for some time.
The way we do it is multiple offline vaults.
So, yeah, everything is air-gapped, nothing is online,
and we know the procedures and processes for using the software offline.
We use a system of checks and balances, actually, for a fund where it starts out with a fund requesting a transaction to be made.
That's verified both electronically and out-of-band, non-electronically.
Then a second request is made from Kingdom Trust over to a secondary vault, which is in a remote location.
There it has to be, again, out-of-band verified, that this really
is, you know, Kingdom Trust. Then it gets verified all the way back to the customer again. So you've
kind of got this checks and balances system where all of the parties involved are checking
all of the other parties. And we think it's very secure. And it's all offline. And it uses
best practices and state of the art.
So then in terms of protecting against insider fraud or theft,
then is it that this is split between, for instance, let's say,
the hedge fund itself as well as BitGo.
And then do you know what I'm saying?
Right.
Is that how?
Okay.
So in the case of who holds the keys, no, we usually don't give the hedge fund a key, actually,
because even if you give one key, they tend to lose them, forget passwords, et cetera,
and that creates a big problem for everybody, including the hedge fund.
But we do separate all the keys across different groups.
No single group of people has access to multiple keys.
And in fact, even myself, I cannot actually go and get people to put together enough key material.
One of the things you've been reading in the press lately is about physical threats where people
kidnap you and force you to do stuff until you get a transaction signed.
So we, of course, are very concerned about the safety of our employees, and we have built a system
where we believe that that is just not possible.
Banks have been doing this actually for some time,
you know, like the bank vaults at your traditional finance bank.
They only open during certain hours,
and you simply cannot open those vaults.
They won't open the middle of the night.
Can't kidnap the CEO of a bank,
take them down to the vault to make them open it.
By using multiple unknown locations for where the keys are,
and using many of those keys across separate teams,
and then by not disclosing to anyone,
who all of those teams are, we can actually take out this threat.
But all of those teams are within BitGo?
Technically, yes, but nobody knows who they all are.
Huh, okay. I don't know. That that almost sounds like a single point of failure. Almost.
It is true. Okay. No, no, no, no. I mean, you're correct. Like when you're trusting a third party, you're trusting a third party. But the problem is, is that when you have a fiduciary responsibility for $100 million or a billion dollars, you know, who's going to be able to deal with that? Are you going to take it to a bank? Or are you going to take it and try to build all the security mechanisms in your hedge fund? Of course, the hedge fund
can't do it. So I think over time, we'll build these systems better and better. And you'll
have control over your funds. And yet we'll also be able to solve these security mitigations.
We're going to discuss best security practices, violent crimes against people in crypto and more.
But first, I'd like to take a quick break to hear from our fabulous sponsors.
Founded by Ed Stevens, Preciate is building the most valuable relationships on Earth.
In each episode of Unchained, Preciate sponsors the recognition of an individual or group in crypto
for an achievement. This week, we are recognizing Jinglan Wang, executive director of the
Blockchain Education Network for a cool achievement. Jinglan hosted a party in San Francisco for
women in blockchain to have fun and make a new friend. She made it happen by getting donations,
organizing the event at a club, and then making sure everyone had fun. Awesome job, Jinglan,
for going above and beyond. Bitwise Asset Management is the creator of the world's first
cryptocurrency index fund, the Bitwise hold 10. The fund holds the top 10 cryptocurrencies,
by five-year diluted market cap, rebalances monthly, and takes care of secure storage and taxes.
It's an easy, secure way for long-term investors to get diversified exposure.
Bitwise is backed by Kostla Ventures, General Catalyst, Blockchain Capital, Naval Rabakant, and several others.
There are a trusted partner to individual investors, wealth managers, family offices, and large
institutions who are navigating the crypto space. The fund has several hundred LPs and is currently accepting
accredited investors. To learn more about the Bitwise Cryptocurrency Index Fund or download research,
visit www.com.com slash unchained. The growing crypto ecosystem is being challenged by uncertainties
and regulations, and Start Engine is here to help. The SEC, CFTC, and state administrators have been
issuing subpoenas by the dozens. How is this going to affect ICOs and exchanges? This is why
Start Engine is launching its second edition of the ICO 2.0 summit, co-sponsored by T0.
on April 20th in Santa Monica.
This year's theme is the path to liquidity.
Leaders in the crypto world will be coming together to discuss how to move forward
with regulated ICOs and regulated exchanges.
Come and hear crypto innovators such as Patrick Byrne, T0 CEO, Gilpincina, Nathan Latka, and many more.
To register now and receive a 20% discount, visit startengin.com and enter the code
Unchained 20 to attend this incredible summit.
I'm speaking with Mike Belshe, the CEO of BitGo.
We've talked about the Kingdom Trust deal, but haven't explored it fully. What is the significance of that deal?
Sure. Well, you know, for the last several years, people have gotten very excited about Bitcoin,
digital currencies, mostly in the retail space. And the institutional markets have been
unable to participate. So we don't have funds, really. We don't have a lot of the traditional
market participants. And we're still figuring these things out. But when you do start to look
at what a hedge fund, an asset manager or any traditional finance company would need
in order to participate in digital currencies, they're looking for custodians.
And, you know, we've had this thing called the 1940 Investment Act around since 1940.
It defines a notion of a qualified custodian.
And, you know, the markets that we have and the structure that we have for stocks, bonds,
pretty much any asset other than crypto, is very different than what we see in the crypto world.
Now, you can love it, you can hate it, but part of its design is around safety of money,
which I think everyone actually appreciates.
So we're all familiar with Bernie Madoff.
He was a guy that said he was holding onto a bunch of assets on behalf of his investors, and he was not.
And so, you know, the SEC made updates to this just a few years ago and declared that, hey, if you have a fund, an SEC regulated fund with more than $150 million of assets in it, you are required to use a qualified custodian.
So in order for those types of folks to participate in digital currencies, we simply have to have custodians.
They play a real role which keeps customers and businesses alike safe.
And we think that this BitGo plus Kingdom approach is the first of its kind and it's going to be enabling a whole new set of financial products and a whole new set of institutions to participate in digital.
And what are some examples of those new products and new institutions that you think can participate in this ecosystem?
Well, we've been hearing about them for the last several years. I'm not sure how many folks
have tried to put together ETFs, and the SEC has come down every time and said, no, no, no.
But just in January, you know, the SEC issued a new letter, and they outlined a set of questions.
They set a fairly high bar, frankly, for what's needed in order for an ETF to be approved by the SEC.
But, you know, number two on their list is custody. And they called out this exact issue, which I just
described, which is, all right, if you're going to have an ETF that's going to hold these
digital assets, who is the qualified custodian? This is standard par for the course for how
the SEC would look at any ETF, non-digital. They're just looking for a similar analog in the
digital world.
And can you define qualified custodian for me?
Well, the qualified custodian is defined by the 1940 Investment Act. It's a custodian that adheres to, you know, that legislation and regulation, but, you know, Kingdom Trust is a qualified custodian, for instance.
What custodians do, it sounds like it's complex, but it's actually fairly simple.
At the bottom of it is safekeeping of the asset.
Obviously, you need to keep everything secure.
And the digital world, that's primarily technology and security.
Above that, you have a bit of compliance that happens.
It's about, you know, make sure you've got AML/KYC of the customers,
making sure that the daily prices are kind of marked to U.S., the value of the asset is marked in a regular way back to a U.S. dollar in a profitable and
verifiable way. That's pretty much what a custodian does.
And who are some other people that can benefit from a qualified custodian?
Sure. So right now, BitGo is primarily focused on the institutions
that are moving more aggressively, and that is a number of funds. There's been index funds,
you know, maybe in the not too distant future, it'll be ETFs. But actually pretty much any
financial institution that's holding Bitcoin for any reason probably wants to rely on a custodian.
So if you think about how you hold bitcoins when it's yourself, that's one thing. You can hold a key.
You trust yourself, et cetera. But it's very hard to have that within a business organization where you
aren't opening yourself up to insider theft. So generally, anybody that's holding on behalf of
others is going to want to use that. Another place, though, where custodianship becomes interesting is even for just
large net worth individuals. So ironically, although digital is great because you hold your own
keys, you can keep it yourself, it's very difficult to do that. And unlike any other asset,
whether it's real estate or whether it's your bank accounts, your stocks, your bonds, there's
nobody you can go to if you lose the keys. So, you know, if you lose the deed to your house,
you go down to the city and you get them to give you a new copy of it. If you lose your driver's
license and all your ID in a fire or whatever,
you can go down to the DMV, you go to the banks.
You can get things covered.
But with your digital assets, you can't.
So once an individual gets to a large amount of digital asset, they run into this problem.
Like, wait a minute, how do I store it?
And how do I store it in a way that I can pass these millions of dollars on to my heirs?
So think about the problem of like, all right, I want to pass this on to my heirs.
But if I leave instructions with my lawyer describing how to access the private key,
how do I ensure that my lawyer isn't going to run away with the money right now?
Now he's a lawyer, maybe you trust him.
Maybe you don't.
Maybe you split into multiple parts.
It's relatively easy to shard a key.
It's a little harder to shard a lawyer.
So how does that work?
You use these qualified custodians.
Is that what you're saying?
Custodians certainly are a very good answer right now.
I mean, with a custodian, of course, you have to choose your custodian wisely,
but you can set up beneficiaries right when you create your account.
And then should you pass on, there's a very known process for how your trust or your
heirs can access those assets.
And something else I was wondering about, is digital custody different
from other kinds of custody?
Part yes and part no. We talked about, you know,
safekeeping and kind of compliance verification record keeping. The rules which apply
to being a custodian of a digital asset are the same as what they'd be for any other asset. And from
a regulatory perspective or legislative perspective, I think that's the way it should be. However, you know,
think about custodianship, we think about banking, you know, we start to think about the existing
models that we have in our industry about how banks and custodians work. And some of that we like
when they keep our assets safe and some of that we don't like when they lose it. With digital assets,
we have an opportunity to modify custodianship so that we can still have the benefits of the digital
world. For instance, seeing your funds transparently on the blockchain anytime, even though it's
with a custodian, you can actually verify that it's still there. The second thing we can do is we can
use multisignature in very interesting ways so that you always are a participant in transactions
that are related to you. So you can still have someone else have custody, but you can participate in it,
and that's a mathematical, verifiable thing so that no one can say that you authorized something
that you didn't actually authorize.
Okay. That all sounds very interesting. So what do you think are the best things for everyone from users to businesses to do to manage their crypto? Like, what would you, if, let's say that I'm just starting out and I meet you, you know, at a bar or something, and I'm telling you, oh, I just bought some Bitcoin, what would you recommend to me to do to keep it secure?
Well, first I need more information. So for everybody it depends on how much value you're securing. The amount of time and money that you spend securing an asset is
proportional to the value of the asset. So if you bought your first $10,000 worth of Bitcoin,
I would tell you to go put it into an online Bitcoin wallet and not worry about it. You could also
use a hardware device if you like that. The Ledger devices are very good. They're designed for
individuals and consumers, so they work great. If you're an individual and you are storing
millions of dollars, then you have some more issues.
So A, you would need to use the more advanced security features, which takes some time.
You can use a lot of them directly from BitGo.
Specifically, you'd want to have some amount of redundancy in case something should happen
to you so that you can pass your assets on to your heirs.
And there's some mechanisms for doing that.
You may actually, if you want to just avoid the technology, you may just want to be able
to give it to a bank.
You know, so a Kingdom-style individual account could be useful for a small multiple-million
dollar type of account where you need a beneficiary and whatnot.
dollar type of account where you need a beneficiary and whatnot.
Now, if you're a business, it's a different story.
So businesses come of all forms.
Some are looking to just buy and hold.
Others are transacting.
And depending on the situation there, you may need multiple wallets.
You may need just one wallet, and then how you secure it is going to depend on how much money is in it.
With an institution, typically we'll help the institution identify key players that will be active participants on the wallet.
We'll make sure that their backups are all set up right, and we'll lead them into cold storage.
Okay, and earlier when you were talking about how if one of the key players died or something,
then they would still need to let people know how to get in.
How do you manage something like that?
So BitGo provides that today.
That's something we've been doing for several years now.
So with BitGo, you can have multiple people on a wallet that share that wallet in a secure way.
One of the challenges of Bitcoin and digital currencies is that the blockchain just knows about keys, right?
And so you can create a wallet with many keys.
but to the blockchain, all of those keys are equal.
It doesn't know that one of those keys is held by the CFO,
one of those keys is a controller,
and one of those keys is some lower ranking employee.
BitGo allows you to have a layer on top of the blockchain,
which defines all this.
So you can give particular rights to the CFO,
which are differentiated from the folks who are spending money,
which is differentiated from a secondary team,
which is for backup purposes.
You can then route approvals between these teams as appropriate for your business.
What we find is that each of the businesses that comes to us has slightly different needs in terms of how they run their back office and how they want to manage their compliance and their risk.
Hopefully that makes sense.
And I wanted to also go back to this question about exchanges.
Obviously last year or two years ago now, there was an issue where Bitfinex was hacked.
And BitGo was involved in helping to secure the funds on Bitfinex.
So what exactly happened there?
Well, you know, Bitfinex has never fully released the details of what happened.
I'll tell you a few things.
I mean, Bitfinex was breached.
They were hacked.
They were pretty significantly breached for a long period of time.
And eventually the hacker was able to steal the money.
But what service were you providing?
Because presumably it was a service where that shouldn't have been able to happen, correct?
Well, in the non-custodial model, remember, the customer still has two keys and is a critical part of security.
In this case, the customer did not keep all of their authorizations separate on separate machines, independent from everybody, and it did lead to a breach.
So I would love it if Bitfinex would publish the full report so that everyone could know exactly what happened.
Obviously, for confidentiality of our customers, we can't release it ourselves.
But they did admit fault within just 24 hours or so publicly that it was on them.
So this is the kind of thing where for the service you were offering, there was a way to do it
that would keep things secure and they didn't follow that protocol? Is that what you're saying?
That's absolutely right. So, I mean, after that event, of course, there were a number of audits,
both internal and external, done on the BitGo service. The BitGo service itself did not have any flaw,
was not breached in any way. Obviously, if you don't keep your keys and your credentials
safe and secure and you let attackers get them, then things can happen. We made a couple of changes.
We no longer trust our customers to keep their policies protected.
We no longer trust that they will keep their policies protected,
and we lock them down more.
But there was nothing wrong with the model that they were using.
It's also a good example of why custody actually is necessary in a lot of cases.
At the end of the day, Bitfinex, they have a lot of things to do.
They want to run an exchange.
They probably never actually wanted to hold the asset directly.
If you look at other types of exchanges for other asset classes, the exchange never holds the asset.
This is a pattern which is unique to digital currencies.
And so their job is to go make a great trading application, yet they are saddled with security.
And what they really want to do is to be able to have their cold storage, just be super secure.
I don't think that they are ever going to be the best at doing that.
And hiring that out to somebody else could be a beneficial thing for everyone involved.
I know, wait, so there was something I didn't quite follow there.
You're saying that most exchanges actually don't handle their cold storage?
Oh, I didn't say that.
No.
The way digital currency exchanges have evolved, initially, there was no bank that you go to.
There was no custodial solution.
So they had no choice except to take custody directly.
And in fact, even today, there's basically none.
There's no independent custodian that will hold digital currencies for you.
Now, Kingdom and BitGo are the first one here in the United States.
So now these solutions are emerging.
Anyway, these guys grew up, these exchanges grew up without having the option of giving someone else custody.
They didn't have any reputable vendors, but this is emerging
as the foundation of the ecosystem gets stronger.
By the way, are you familiar with,
did you see the SEC letter that came out mid-January
about what it would take to have ETFs be successful?
I don't think so, no. Why?
Well, it's a great letter.
The SEC set a very high bar
in terms of what needs to happen
in order for ETFs to be approved.
And they raised a number of questions
about, you know, market manipulation and other things, but a huge part of that was custody.
The SEC said, how can we have an ETF until we have a good, reliable 1940s Investment Act
compliant custodial solution available for digital currencies?
And I think that very much is relevant here.
So the exchanges that exist today, they're like financial institutions, but they haven't had
anyone that they could go to as an independent qualified custodian in the past. And that's changing.
Well, so that's actually something I was going to ask you about because earlier when you said that
the service that you'll offer with Kingdom Trust is the only one like that. So obviously we've had
this announcement about Coinbase custody and then Ledger is offering, I'm just blanking on the
name. Is it Ledger Enterprise, I think is the name,
which is their own custody solution.
And then there's also another project that I know about that hasn't been announced yet.
So how does your service differ from those other ones?
Well, the main thing is it's shipping today and probably the largest cold storage installations in the world.
So Coinbase did announce that they're going to have a product.
And I'm sure they will have a good product.
They do a lot of good stuff.
But, you know, Coinbase is a consumer company.
Their main job is signing up 100,000 new consumers every day.
And I think they do that reasonably well.
Obviously, they've had a lot of site outages at peak periods.
But I think that's going to be their main focus, whereas we're an institutional product.
So I think Coinbase getting into the institutional space is going to be a different challenge for them.
Ledger is a great solution.
They've been building hardware wallets.
You can use actually a Ledger device as part of a BitGo solution if you want. We do support that as like
one key of many in the BitGo products. They're a little bit more of a roll-it-yourself. So they provide
underlying technology. And then if you want to go and open up satellite offices and multiple
geographies so that you can do multi-sig around the world, you can do that. But they don't provide
a service around it. So actually, I'm not 100% familiar with all of what they're offering on their
enterprise product. But when I last spoke with them,
they made it pretty clear that they wanted to support just kind of the underpinning hardware and technology.
So it's more of a roll it yourself type of solution.
And so, but what you were saying about Coinbase earlier about how they mainly are more retail focused.
I actually think, I mean, with GDAX, as far as I understand, there's that, you know, the clients there are institutional players or tend to be a little bit more.
So I don't know if this is like exactly completely new for them.
Because I mean, who do you think are the customers for these kinds of products?
Well, I mean, I think you could ask Coinbase better if you want to know who their customers are.
I mean, no, generally like including for what you're doing with Kingdom Trust.
Well, so I mean, a tremendous number of folks have come out of Coinbase to BitGo actually in the last six months.
I think the first thing that really highlighted it for hedge funds was when we had the Bitcoin Cash fork back last August.
At that time, a number of these folks had literally $100 million balances that they had just stored at Coinbase.
And these were long hold players.
And suddenly they realized, wait, I've got millions of dollars of Bitcoin Cash and I can't get it.
How do I get it?
And that was when they realized that there's a big danger in not having access to the keys themselves.
Now, Coinbase, they finally did release the Bitcoin Cash, but it opened people's eyes to this
issue of how do I make sure that I've got a custodian that's going to keep me safe through forks and
things like that.
So let's also talk about what you're seeing in terms of the clients that are coming to you.
What do you believe is the average crypto hedge fund manager's understanding of security
best practices?
Well, the early ones that came in are actually relatively close,
good on their understanding, but they don't have technology solutions combined with policies and
procedures that they want. And I think they actually are aware of their own shortcomings. In terms of
the average hedge fund, I would say it's actually really low. I think these guys primarily have been
dealing with different types of assets in the past. And their job is around building that fund,
and that's their expertise. They're certainly not security experts. So
pretty much all of the funds have been clamoring to find a solution, and a lot of them have
been coming to BitGo.
And do you see any kind of misconceptions or sort of outrageous, I guess, ideas around how to keep things
secure where you feel like, whoa, whoa, whoa, if you're going to be in charge of other
people's money, maybe you need to get this part straight?
Well, I think when they're coming to us, I feel pretty good.
I mean, we're trying to provide that for them.
They shouldn't have to worry about all of these details.
So they're looking for BitGo to help solve those problems.
One of the challenges that I have had to answer a few times, but people get it.
Sometimes they'll say, hey, we want to be able to make withdrawal and have the money two minutes later.
Well, you know, that's okay for small amounts of money, but that's just not okay for large amounts of money.
it's just a fact that when you want to deeply secure large amounts,
I'm talking about hundreds of millions of dollars here,
it's not going to be at your fingertips every minute.
So there's been a little bit of expectation setting there
where they kind of want real-time access,
but they also want it super secure.
And this is a trade-off that, of course, they have to choose between.
And once they hear the reasons why they get it,
and then you combine that by using a married hot wallet plus cold wallet solution.
And this is one of the, you know, the beauties of what BitGo is doing with, first,
its non-custodial hot wallets that we did, now combined with the custodial solutions that we'll have.
You can actually do both and still have real-time access and the vast majority of your funds are deeply secured.
And this thing about using a time delay for security, do you think that that's something that will ever be,
that we, you know, won't need someday?
Do you think that the technology could evolve to a certain level where they can store hundreds of millions of dollars but then also have access within two minutes and keep it secure?
Maybe. I think it's so far away. And I don't think it's the right thing to be worried about. I think the first thing we need to be thinking about right now is security of the assets. And the fact is that when somebody comes to you and says that they're Laura Shin, you don't know that it's Laura Shin.
Right now, I do not know that I'm talking to Laura Shin.
I'm pretty sure.
I met you in person.
I recognize your voice.
But if I had a staff of customer support people and you're calling into them and saying
you're Laura Shin, how do I know you're Laura Shin?
So obviously we can use technology.
We have private keys.
We have many private keys.
But how do we know that Laura Shin wasn't hacked on her private key?
How do we know that she wasn't phished on her two-factor authentication?
All of these things matter.
The only way that you can do this today, and this is just
the way it is, is to take things slow for the large amounts of money.
In the future, maybe we'll get there.
But right now, we've got big problems.
Like, if we want this industry to grow up and get serious, we need to solve the security
problem.
You can't have the underlying asset disappear.
It's just not acceptable.
So the first thing we need to do is lock it down, even if that does mean it's
a little bit slow to access.
And then secondarily, we can start to figure out how to make that faster.
So in 2017, we saw a number of physical crimes against people who owned crypto in different countries around the world.
This is something you alluded to earlier.
And we've even seen these crimes here in the U.S.
There was a Japanese woman who was actually murdered over what was a relatively small amount of Bitcoin.
I think it was I did the exchange.
I did the conversion on it.
And it was like 100,000.
And most of the other crimes are around, you know, like millions of dollars at least.
But there were some other people who were kidnapped for ransom in places like Ukraine and Turkey.
And then others were held at gunpoint and forced to transfer money from their private address to or from their, you know, crypto address to the address of the mugger.
So are there security measures that people can take to keep them from being the victim of such a crime?
Yes.
You know, we have a love-hate relationship with banks.
We forget the part that we love.
But these types of physical threats don't happen kind of on the U.S.
dollar side of things today.
And yet now they're happening on the digital side.
And why is it?
It's because as individuals, if we have direct access, we can cough up the money to the attacker.
But when it's at your bank, it's a lot harder to get away with it.
So the banks are providing a service in terms of keeping safety of asset,
and that's what they're designed to do.
Now, what we don't like about the banks is that they're slow and cumbersome and they've got
process and cost a lot of money and wire transfers are expensive, et cetera.
So can we get to a world that is a better blend of that?
I believe we can.
I think you do it with a combination of personal and institutionalized storage.
So if you've got, if we really got to a world where a large percentage of your net worth
is in crypto, you really probably
shouldn't hold it yourself. If the attackers know that it's at your house, if the attackers know
that they can get you, you are vulnerable. And this is a unique problem to digital. So what you can do
is you can take that. You give it to a qualified custodian, which is a regulated trust company
type of thing for the vast majority of your funds. And you blend that with a hot wallet. So the hot
wallet is a small amount of money. You know, it's kind of like, you know, the cash in your wallet.
You're not as worried about you don't want to get mugged, but when you get mugged, you usually don't get held at gunpoint and murdered and things like that.
There's always some amount of risk that we carry with the cash that we have on person.
But we can do the same thing in the crypto world, where large amounts of money, they're stored with professionals far away from you.
Make sure that the attackers know this, right?
So make sure people don't think you have tons of Bitcoin on you.
If they think that you've got Bitcoin, it's already too late.
Once they've kidnapped you, you'll be in trouble.
So I hope this problem gets better fast, but it looks like it's probably going to get a little worse before it gets better.
Why do you say that?
Because I think right now there is a lack of solutions that are institutional holding of money.
The people that do have large amounts of Bitcoin are prominent and known.
And I think unless you're storing with a mechanism which is immune to this and making that publicly known,
you know, there's going to be a few more of these.
So something that was a little bit funny is that your employee, Jameson Lopp, replied to a tweet
that I made about Nathaniel Popper's story on this topic.
He wrote about, you know, the different kidnappings and muggings that were happening in this space.
And I tweeted that, you know, part of the reason it's happening is that there haven't been good
custody solutions yet. And Jameson replied that he thought good custody solution was an oxymoron
and it was a regression to legacy trust models. However, in the New York Times story, he's also
featured as one of the people who protects his crypto by letting it be known that he has a gun.
So, you know, the average person isn't going to take these kinds of measures. So I just kind of wanted to get your take on
Jameson's opinion here.
And so it sounds like you think that reverting to the legacy trust model is sort of the way
that this is going to go.
Is that correct?
No.
Let me give you three answers to it.
I mean, first off, I love Jameson.
He's fantastic for a number of reasons.
But frankly, he's a little bit off the deep end in terms of how to secure your Bitcoin.
In that article, you see a video of him firing a semi-automatic AR-15, which pretty much
the rest of the world wants to ban.
So, yes, you're right.
If you want to have a small army, that is one way to protect your Bitcoin.
He's also publicly made it clear that he is going to take extreme measures and move
to a remote undisclosed location and, you know, kind of wall himself off from the rest of the
world.
So you're right.
If you like that lifestyle of having your own gun, your AR-15s in the house and, you know,
isolating yourself from the world, maybe you don't need a custodian.
Now, the challenge is, how do we
get to a world where you're not having to just trust all custodians. And I think we're going to
see the pendulum swing a little bit both ways. So today, you're responsible for your own
keys, your own custody. And then that creates a set of problems. The custodial options aren't
there yet. There are not a lot of good brands available that will hold it, that you can trust
from a technology perspective, that you can trust from a regulatory perspective, that you can trust
from a just risk perspective.
BitGo's trying to build that with our solution.
Now moving to that, you're right.
That could look like the legacy model.
But now, can we do something that blends the two?
And I think we can.
And actually, I think the underpinning that we need for it is multi-sig.
And it is a blend of allowing you to have some of the keys,
but not all of the keys.
And also to have a set of policies and rules around that wallet,
which are defined by you and the way you like it.
So when you use these things together, it's a combination of hot and cold wallets.
It's a combination of keys across different parties.
We are not going to revert back to the legacy models.
You can see your money on the chain, which is totally different from anything we have with banks today.
So anyway, I agree with Jameson in part.
If we were to revert back to the legacy models, that would be very bad.
But I disagree that all custodianship is just carte blanche, oh, that's just the legacy model.
Yeah, it sounds like you are painting a future where there's, it's a little bit like
Goldilocks, you know, there's the one extreme and then the other.
And then this sounds like some sort of blend that you guys are working on.
So maybe we will get there.
All right.
Well, it's been great having you as a guest.
Where can people get in touch with you or see your work?
We're easy to reach at BitGo.
So I'm Mike at bitgo.com.
If you're interested in our sales, we get sales at bitgo.com.
All of our products are pretty much available online.
You can kick the tires on them.
And if you like them, give us a call.
Great.
Well, thanks for coming on the show.
Great.
Thank you very much for having me, Laura.
Thanks so much for joining us today.
To learn more about Mike, check out the show notes inside your podcast episode.
Also, be sure to follow me on Twitter at Laura Shin.
New episodes of Unchained come out every single Tuesday.
If you haven't already, rate, review, and subscribe on Apple Podcast.
If you like this episode, share it with your friends on Facebook, Twitter, or LinkedIn.
Unchained is produced by me, Laura Shin, with help from Elaine Zelby and Fractal Recording.
Thanks for listening.
