Hey @yyosiqq, thank you for your thoughtful questions and for your patience while my team and I worked through them together. Please let me know if my answers to everything are helpful or if you need any more clarity!
1. Cost-Benefit Analysis:
- How does the $30,000 upfront cost compare to our current security measures and their associated costs?
- Given the size of our treasury, does a $30,000 investment for potential recovery of stolen funds make financial sense?
With respect to the service, humbly speaking, there is no other crypto incident response offering in the market that includes not only the investigative response but also continuous monitoring and alerting.
In addition to that, there are critical areas of value that cannot be replicated by other providers, such as:
- The experience of the Chainalysis team, who have handled hacks at a global scale on some of the most complex cases and aided in the recovery of over $11B of stolen crypto funds;
- The network and connections of the company at Centralized Exchanges, Stablecoin Issuers, crypto ATMs, and organizations across the crypto industry for freezing stolen funds;
- And even further, the connections to International Law Enforcement and Legal Counsel to complete the asset recovery phase.
Putting some numbers around this, there are no direct comparables, but here are some reference points:
- Engaging Chainalysis after a hack happens typically costs up to $300K+, vs. this $30k retainer. Further, we are not taking on any post-hack engagements at this time.
- Monitoring and alerting alone, depending on the service, can cost upwards of $50,000 a year.
- The deterrence factor is priceless. The best outcome is you never get hacked. CIR helps deter hackers by letting them know, through co-branding and marketing efforts, that a leading global crypto investigative team is on your side.
- Engaging Chainalysis also helps boost user/member confidence. It sends a strong message to your community that you’re investing seriously in security and consumer protections, which can help accelerate growth and increase loyalty. Our customers see this as a highly effective use of capital compared to other marketing alternatives.
- And, of course, there’s no additional cost if an attack occurs. This is stated in our proposal, but just to reiterate it here, there is no additional out-of-pocket cost in the event a hack occurs. Our team is on standby, ready to deliver the best-in-the-industry response. Only when there are out-of-the-ordinary circumstances or multiple hacks within the same year would there potentially be extra hours needed beyond what is covered in the contract.
2. Usage Limitation:
- The package includes only up to 100 hours of investigative work. What happens if we need more than that in the event of a complex hack? How much will additional hours cost?
There is an important point of clarification between Proactive engagements (contracting with Chainalysis pre-hack) and Reactive engagements (contracting with us post-hack) that should help here. In Reactive cases, this is analogous to a thief stealing belongings from your home and making it all the way to the airport. This situation is exponentially more difficult with respect to time and recovery rates. Chainalysis is one of the very few investigative teams in the world to have success in Reactive cases (including tracing through mixers if necessary). In some of these very large and complex Reactive cases it has required 1,000+ investigative hours, but if we look at the middle of the bell curve and more typical cases (including ones where we’re able to respond faster), our team is experienced enough, and we have the right tools, such that the majority of cases come in under 100 hours to trace and freeze assets and get to the fund recovery phase.
For Proactive incidents, the use of monitoring and alerts, as well as the emergency response communications with your team, allows us to have a better chance to ‘catch the thief in the driveway,’ so to speak, in order to dramatically reduce the number of hours required and increase the success of asset recovery. Every case and situation is different, but one example we can share is one where we were able to freeze 80% of the funds that were stolen within a 24-hour period.
Of course, we cannot make guarantees with regard to hours or recovery rates, so if additional hours are needed beyond the 100-hour cap, the cost is $400 per hour. Throughout an investigation, our team will work closely with you to give regular updates and detailed weekly reports on the work we’re doing, the time spent, the funds frozen, etc. If we begin to approach the 100-hour limit, you will be fully aware, and there will be no surprises, so you can make the best decision in terms of how to continue the investigation.
3. Scope of Coverage:
- Does the coverage include only hacks and exploits or other potential threats like phishing attacks, insider threats, and smart contract vulnerabilities?
The CIR offering covers all types of incidents that would occur when there is a technical, economic, or social exploit of your protocol/dApp or of the business. The number of attack vectors continues to grow and change as the industry and related technology evolve, and it is our position that we are here to help you with all types of crypto-related incidents that may cause damage to your business, business leaders, and funds that have been invested or staked with you.
4. Integration with Current Security Measures:
- How will Chainalysis’ services integrate with our current security measures, incident response plan, or any other third-party services we might be using?
During the onboarding process, the CIR team will work with you to develop an Emergency Response Plan framework. This allows us to understand the current tools, systems, services, and processes you already have in place. We are then able to augment what you currently have with what we bring to the table. We work from this point of understanding to set up the monitoring and alerts, establish the incident hotline, and define roles and contacts in case of emergency.
If you have other pieces in place (which is often the case), that is great, and we are happy to work with or include them in the holistic plan as and if you see fit.
5. Chainalysis’ Track Record:
- Out of the total incidents Chainalysis has responded to, how many resulted in successful recovery? What’s the average percentage of assets recovered?
For a variety of reasons (client confidentiality, active investigations, ongoing legal proceedings, etc.), we cannot answer all of these questions precisely as asked, but a few things we can share:
- Since our founding in 2014, Chainalysis has aided in the successful recovery of over $11 billion of stolen crypto funds.
- In over 80% of Reactive cases, Chainalysis investigators have been able to give our customers valuable information that leads to recovery of more than what their CIR fee was, demonstrating strong ROI.
- The ability to trace funds through various types of complex platforms is a crucial part of the Chainalysis incident response offering and the ability of our customers to recover funds successfully. This applies to identified mixer platforms but also unidentified mixers and new bridging protocols between blockchains.
- We have been successful even against the most sophisticated threat actors. If you haven’t already, I’d encourage you to read our blog post here on the Axie Infinity Hack, “$30 Million Seized: How the Crypto Community Is Making It Difficult for North Korean Hackers To Profit.”
6. Response Time Commitment:
- Is there a defined SLA (Service Level Agreement) regarding how quickly Chainalysis will begin their investigative work once they’re alerted?
The official and contractual SLA for response to incidents is 8 hours. However, it is in both of our interests to move as quickly as possible to contain the possible exploit and limit the damage. Our international team is on-call 24/7/365 and is aware of accelerated times of exploit activity (for example, after work hours on Fridays is a known high-risk window). With CIR, you will have a direct hotline to the global team if you need to report an incident that you notice (for example, an internal social exploit of an employee that compromised funds). We will also tie in the alerts and monitoring that we set up to the hotline so all of that information flows into the same queue for rapid assessment and action as needed. It is better for all parties to address the incidents with as much speed as possible. We have never come across any incidents where the contractual SLA has come into question.
7. Conflict of Interest:
- Given Chainalysis’ extensive network, are there any potential conflicts of interest we should be aware of, particularly if another client is implicated in a hack against us?
If you have specific potential conflicts of interest or concerns, please let us know, and we can address them directly. However, we do not ever ‘represent’ clients in any legal or contractual circumstances. We think it is highly unlikely because we do thorough due diligence on each of our clients, but in theory, let’s say that one of our clients happened to be some type of financial bot that took advantage of a vulnerability in your system and created a series of financial arbitrage events that drained your system and caused damage to your users or organization (perhaps something like the Mango exploit). In that situation, we would work with you to handle the incident and, ideally, freeze the ‘stolen’ funds in question.
After the funds are temporarily frozen at the exchanges or stablecoin issuers, we deliver an ‘Intelligence Report’ for you (or whomever the victims are at your protocol) to use to work with either law enforcement or legal counsel to get a permanent freeze on the funds and begin the actual recovery phase, which is handled in the court system predominantly. This is where the law enforcement or legal counsel will have to pick sides and would potentially have a conflict of interest. However, again, this situation has never arisen, as the intentional bad actors and scammers have no interest in being a client of Chainalysis, and our internal vetting processes serve to block them if they try.
8. Transparency and Reporting:
- What level of transparency and reporting can we expect from Chainalysis during and after an investigation? How will sensitive information be handled?
Throughout the entirety of our contract (so, before, during, and after a potential incident), we work with complete confidentiality. This is paramount for you to trust us and for us to do the work we are here to do to keep your system(s) as safe as possible and respond to any incidents that may occur.
With respect to transparency, we only communicate with you directly. Only if you give us authorization to talk with outside parties will we do so. For example, you may give us permission to talk with exchanges to notify them of stolen funds and to initiate a temporary freeze. However, we would not be authorized to discuss your situation with anyone else.
The vast majority of the information is already on the public blockchain, but even though that is the case, we only discuss externally (even in the case of a press release, etc.) with your express permission and consent. We can also help, if needed, with sensitive internal and external messaging to stakeholders, investors, community members, etc.
During an incident, we establish a dedicated War Room (through Telegram or other communication tech of your choice) in order to share information with speed and still retain confidentiality, and protect the sensitive nature of the situation.
9. Exclusivity and Priority:
- If multiple Chainalysis clients are hacked simultaneously, how will Chainalysis prioritize its responses? Do all clients get equal attention, or are there factors that could lead to prioritization?
Good question. Simply put, we ensure that we have enough staff on standby to handle the potential of incidents, even though that is statistically much higher than the actual incident rate. Historically, we would prioritize our Proactive clients over Reactive clients (those who came to us after an incident happened). However, due to both a recent surge in Reactive cases as well as increased focus and investment in our Proactive offering, we are no longer taking on Reactive cases as of July of this year. This is another step to ensure that we are always prepared to do world-class work for our Proactive clients, even if there is an unfortunate surge in incidents that happen at the same time.
All Proactive clients are treated the same, but we will assign lead investigators who are in the best position to lead a particular case either because of specialty, jurisdiction, or other compelling factors.
10. Renewal and Updates:
- What’s the process for renewing after the initial 12 months? Are there price escalations? How frequently does Chainalysis update its techniques, tools, and knowledge to adapt to the ever-evolving landscape of crypto threats?
Great question. Right now, we only offer 12-month contracts, so renewals are handled annually. During the service period, we will have a scheduled touch base at least every quarter and typically have many additional touch points throughout the year. These touch points include topics such as:
- Adjustments to the monitoring and alerts, either as a result of changes you have with your contracts/protocol, etc., which require us to update or add to the monitoring or we have potentially added new features or capabilities to the CIR offering.
- Hack/exploit updates when, through our work, we come across new attack vectors that should be considered. An example of this is when we recently helped identify and broadcast a new social exploit targeting Web3/DeFi founders where threat actors were impersonating crypto VCs and sending malware through fake meeting links. (Here is the link that explains this recent scenario which we helped bring broader awareness to: https://hashkey.capital/content.html)
- Trend analysis from our R&D team as we learn about macro trends regarding incidents and emerging threats. We will share these findings periodically as they are discovered and analyzed.
With respect to price escalations, we are in a position where, every year, we must provide a win-win for us and our clients in order to earn their business. With the ever-changing space, there are likely things we will need to add or change about the service to make sure we can provide a complete solution. As an example, within the past four weeks, we added our use of HyperNative to provide monitoring and alerts. We did this to enhance the speed and success potential. Even though we provided this added value, the price was not increased to our customers. There are no price escalations written into the contract. Again, we need to earn your business year after year and must do so by providing outsized value for the price.
11. Legal Considerations:
- How does Chainalysis handle jurisdictional differences when working with Law Enforcement Agencies worldwide? Could there be any legal implications for our platform based on where we operate as well as coverage issues for members who operate in certain jurisdictions?
We do not restrict your work with law enforcement or where you may do business. As noted in questions 7 and 8, we work with you as your advisor and can give you recommendations on where it is likely best to engage law enforcement or legal counsel based on the likelihood of success, but you always maintain the decision of what to do and which law enforcement agencies to work with or not. We are an international organization, and each jurisdiction has different sets of rules and restrictions, so we simply provide information and tracing to help you make the decisions that are right for you. Again, we always operate with confidentiality at all times to keep your business activity and decisions private.
- How will our association with Chainalysis be publicized to act as a deterrent? Is there data to support that having Chainalysis on retainer genuinely deters potential hackers?
Our Proactive customers often publicize their association with Chainalysis through co-branded posts on their social accounts, which we amplify through Chainalysis’ social channels. They will often pair those posts with links or notes that guide potential hackers to instead submit their findings for money through a bug bounty program such as Immunefi to encourage positive behaviors and actions. Here is one example that also incorporates a meme to fit with the current social culture of Twitter: Morpho: https://twitter.com/i/web/status/1645794825990725633
As a Proactive CIR client, you will be able to post an exclusive badge that you can use on your website to create another visual touch point and signal to illicit actors that you take security very seriously and have the best incident response team in the world ready to take action if they choose to test their luck.
If you have additional ideas for broadcasting the partnership, we’d love to discuss them. As an example of additional ways to publicize our partnerships, we are developing blog posts, AMAs, Twitter Lives, and Discord discussions with other Proactive CIR customers.
With respect to definitive data on deterrence, there is not a statistical sample size large enough in this emerging industry to do so. However, anecdotally, the rate of incidents for our Proactive CIR clients is less than 1/10 of the average rate of hacks in the industry in general. There is no statistical proof due to sample size, but thus far, Proactive CIR clients have experienced a 10x reduction in the likelihood of having an incident compared to the industry average. Like a guard dog with razor teeth behind the fence, we cannot prove statistically the impact that would have on a thief’s likelihood of carrying out their attack, but the observations and historical studies show a very significant behavioral change when the risk of being caught or exposed is elevated.
13. Feedback from Other Clients:
- It could be valuable to speak directly with some existing clients of Chainalysis (like Axie Infinity or Morpho Labs) to understand their experience, satisfaction levels, and any challenges faced.
Absolutely. I’d be happy to connect you with the team at Abracadabra, Aura, or Dolomite, as I’m their Account Executive at Chainalysis, and I think all three teams would be happy to chat.