The Truth About Bitcoin Security: Beyond Hash Power, Law is the Bottom Line

marsbitPublished on 2026-03-20Last updated on 2026-03-20

Abstract

The article "The Truth About Bitcoin Security: Beyond Hash Power, Law is the Bottom Line" by Craig Wright challenges the common narrative that Bitcoin operates outside legal frameworks. It argues that the standard economic model, which assumes anonymous miners and a lawless environment, is outdated and inaccurate for large-scale transactions. Bitcoin mining is now dominated by industrialized, identifiable entities—large, publicly-listed companies and regulated mining pools—not anonymous actors. For small transactions (e.g., under a few million dollars), pure protocol security (proof-of-work) suffices, as legal action is economically unfeasible. However, for large transactions, legal and organizational mechanisms become critical. A double-spend attack by an identifiable mining pool would trigger legal consequences, including criminal charges, asset seizures, and reputational damage, making such attacks economically irrational. The mining industry’s structure—reliant on specialized ASICs, long-term capital investments, and relationships with regulated entities—creates inherent disincentives for attacks. Mining pools would face capital destruction, contributor defection, and legal sanctions if they attempted fraud. Thus, Bitcoin’s security is not solely based on computational cost but also on legal accountability and economic deterrence. The conclusion is that Bitcoin’s security relies on a dual mechanism: protocol-level security for small transactions and legal-institutiona...

​Written by: Craig Wright

Compiled by: Luffy, Foresight News

There is a standard narrative about Bitcoin and the law: Bitcoin was designed to operate outside of governments, replacing institutional trust with mathematical trust. It is permissionless, anyone can participate, and there is no central authority in control. The system relies on the cost of attack itself for security. The law is optional, external, something Bitcoin was meant to circumvent.

This narrative is wrong, yet not entirely false; it contains some truth. But as a description of how Bitcoin actually operates in real-world, high-value transactions, it is a fairy tale. And it is this fairy tale that distorts the understanding of blockchain security among economists, regulators, and even the crypto industry itself.

The Economic Version

The most rigorous version of this narrative comes from economics, not cypherpunk forums. Its core argument is concise: in a permissionless system without the rule of law, the only thing preventing a double-spend attack is the cost of amassing enough hash power to surpass the honest chain. Security is a matter of cost: the network must continuously invest enough resources to make attacks unprofitable. If the value that can be stolen exceeds the attack cost, the system is insecure.

This is a valid conclusion; its math is correct under the given assumptions. But it leads to an uncomfortable corollary: securing large-value transactions on a proof-of-work blockchain requires massive, ongoing resource consumption proportional to the value at risk. If you want to settle a billion-dollar transaction, the network must consume enough electricity and hardware to make a billion-dollar attack unprofitable. This is costly, seemingly wasteful, and appears to be a fundamental economic limit.

But note this crucial premise: *in the absence of the rule of law*. The entire conclusion rests on an assumption: the attacker operates in a legal vacuum, anonymous, untraceable, and faces no consequences beyond the direct cost of the attack itself. This is not an insignificant simplification; it is the core assumption. And in the real world, for all economically significant Bitcoin transactions, this assumption does not hold true.

Who Mines Bitcoin

The story of anonymous miners in basements ended years ago. Bitcoin mining is an industrial-scale activity, organized through mining pools that coordinate block creation, capture block rewards, and distribute earnings to participants providing hash power according to contractual rules.

As of March 2026, the top five mining pools control over 70% of Bitcoin's hash rate. The top two pools, Foundry USA and AntPool, together hold nearly half the share. They are not secret, anonymous entities: Foundry USA is a subsidiary of Digital Currency Group; MARA Pool is operated by Nasdaq-listed MARA Holdings, whose latest annual report discloses ownership of 400,000 mining machines, 53 EH/s of hash rate, and Bitcoin reserves worth over $4 billion. These are named companies with addresses, stock tickers, auditors, banking relationships, and legal counsel.

The coordination layer of Bitcoin mining (the entities actually responsible for creating blocks and distributing rewards) is highly concentrated in a few jurisdictions. Pools associated with the US account for about 42% of the hash rate; those associated with China about 41%; Singapore, Japan, the Czech Republic, and Slovenia account for most of the remainder. Pools that cannot be identified via Coinbase tags, corporate filings, or public operators represent less than 2% of the hash rate.

This is not a picture of operating outside the law, but an oligopolistic industry: a few identifiable entities operating within reach of the law. When economists model Bitcoin attackers as anonymous, legally unreachable agents, they are describing not the real industry, but a fantasy the industry itself abandoned a decade ago.

What a Real Attack Looks Like

A double-spend attack on Bitcoin is not abstract. The process is: an attacker sends Bitcoin to a counterparty (e.g., to an exchange for dollars), while secretly mining an alternative chain that does not contain that transaction. If the attacker's secret chain becomes longer than the public chain, it replaces it, and the original transaction vanishes. The attacker gets the dollars and keeps the Bitcoin.

For such an attack to be significant, the attacker needs to control a majority of the hash rate for an extended period. In today's network, that means mastering over 400 EH/s. An individual cannot do this. The only feasible attack path is through the pool layer: either a single large pool deviates from honest mining, or multiple pools collude.

Now ask: what happens to that pool after the attack?

The attacker (a named public company or well-known pool brand) has just defrauded an exchange. The double-spend victim knows it was cheated; the blockchain record will show which pool built the attack chain (the Coinbase tag clearly identifies it). The defrauded exchange has legal counsel, insurance, and regulatory relationships, and the pool itself relies on these exchanges to convert mining revenue into fiat currency.

The attacker is not anonymous, the victim is not helpless, and the system connecting them is not outside the law.

The Law Enforcement Participation Constraint

The standard economic narrative is only half right. For small transactions—a $5 coffee, a $20 online purchase—no one will sue; legal costs exceed the loss. Hiring a lawyer costs more than the coffee. In this range, the law is indeed irrelevant, protocol security is everything, and the pure economic model applies.

But the irrelevance of law is inversely proportional to the transaction amount. A $5 million double-spend against an identifiable pool, involving asset freezes and exchange balance seizures, is a different matter entirely: this is wire fraud, computer fraud, a case prosecutors would take, insurers would pursue, and exchanges would cooperate with.

The real question is not whether laws against double-spending exist—they do. It's whether anyone is willing to invoke them. For small amounts, no; for large amounts, yes. There is a threshold, which can be called the law enforcement participation constraint: below this line, legal costs exceed the expected recovery; above it, legal action becomes worthwhile.

Recent enforcement actions in the crypto industry roughly indicate this threshold: Binance paid $4.3 billion to settle with the DOJ, FinCEN, and OFAC; BitMEX settled for $100 million.

These were compliance violations, not double-spend attacks. A deliberate double-spend would trigger not only civil liability but also criminal charges leading to prison time and asset forfeiture.

The conclusion is straightforward: the "no law" model applies to small transactions; it does not apply to large ones. The dividing line is not at the billion-dollar level but in the few million dollar range, depending on the jurisdiction, the victim institution's capabilities, and the attacker's identifiability. For pool-led attacks, identifiability is close to 100%.

Why Coordinated Attacks Fail

Even ignoring the law, pool attacks have structural weaknesses the standard model overlooks: pools rely on others' machines.

The pool operator coordinates block creation, but much of the actual hash power comes from external contributors: companies and individuals who connect their machines to the pool for a share of the rewards. These contributors can leave at any time; they join the pool to make money. If the pool's earnings decline, they move to a competitor.

A covert double-spend attack degrades earnings quality: the pool diverts hash power from honest mining to a secret chain, earning nothing if it fails. Contributors see lower, more volatile earnings and more invalid blocks. They don't need to know an attack is happening; they just see this pool performing worse than others and leave.

If the attack is detected or suspected, a further exodus occurs. Remaining contributors face risks associated with fraud: hardware could be flagged, exchange accounts scrutinized, hosting contracts affected. For companies with hundreds of millions in dedicated mining hardware, the rational choice upon a pool's public involvement in an attack is to leave immediately and distance themselves.

Another often-overlooked point: if the attack fails (the honest chain remains longer), the attacker loses all investment in building the secret chain. Honest miners need do nothing special; they just keep mining. The Nakamoto protocol's longest-chain rule automatically applies: if honest hash power exceeds attack hash power, the attack chain is orphaned. The protocol itself is a rejection mechanism. Honest miners aren't联盟ed; they aren't defending; they are just doing their normal work. The attacker, conversely, must act abnormally and sustain it, all while their coalition bleeds participants.

The result: an attacking pool's hash power is not fixed but continuously erodes during the attack. Simple simulations show: a pool starting with 31% of the network's hash power could lose the vast majority of its external contributed hash power within hours if the earnings distortion is observable, eventually being left with only its own hash power. For most pools, this is only a small fraction of their total stated power. An attack that seems nominally feasible becomes infeasible as contributors flee.

The Capital Problem

The standard model completely ignores a deeper issue: capital specificity.

Bitcoin mining hardware, ASICs, are not general-purpose equipment. A Bitcoin ASIC does one thing: compute SHA-256. It cannot mine Ethereum, cannot be a web server, cannot run machine learning. Once excluded from profitable Bitcoin mining, the hardware is worthless—just scrap metal with a power cord.

Large pool operators own billions of dollars in ASICs, hosting contracts, power agreements, and Bitcoin reserves. MARA Holdings alone discloses over $5 billion in combined ASIC miners and Bitcoin assets. Foundry USA aggregates the hash power of dozens of companies, each with significant capital exposure. A successful double-spend might yield tens of millions, but the capital risk from being identified, sanctioned, and excluded is measured in billions.

This is no longer a flow cost problem; it's a stock cost problem. The attacker risks not days of mining revenue, but the entire productive value of irreversible capital with no alternative use. This fundamentally changes the economics.

In the standard model, security requires ongoing investment proportional to the value at risk; in reality, for identifiable, capital-heavy pool operators, security is backed by the threat of permanent capital destruction.

Ironically, the original economic critique itself acknowledges that stock cost deterrence, if it existed, would be extremely powerful. It just argued proof-of-work lacks this deterrence because attack hash power can be rented, deployed, and discarded. This was roughly true in 2012, but it is absolutely not true in 2026. Mining is a heavy-capital industry with fixed infrastructure, long-term power contracts, and hardware that cannot be repurposed. Stock costs are real; the economic models just haven't caught up.

Two Mechanisms, One System

What we get is not a refutation of the economic model, but a localization of its application. Bitcoin does not have one security mechanism, but two operating simultaneously:

  • For small transactions: Pure protocol security is effective. Individual transactions are too small to warrant legal action. The system relies on the cost of assembling attack hash power for security. This mechanism works, fits the standard model description, and supports high throughput. Millions of small payments can run entirely on the protocol layer, with very low per-transaction security cost.
  • For large transactions: Legal + organizational mechanisms take over. The attacker's payoff is no longer determined solely by protocol costs but is significantly reduced by legal sanctions, exchange freezes, liquidation friction, reputational ruin, capital impairment, and the self-destruction of the attack coalition as contributors flee. Under this mechanism, the pure flow cost model overestimates the attack payoff because it ignores all the consequences the identifiable attacker faces after the on-chain action concludes.

The two mechanisms are not in conflict but complementary: the protocol layer handles volume; the legal layer handles value. Combined, they create a security environment far more robust than any single mechanism could be.

The Real Revelation

The deeper conclusion is not about Bitcoin specifically, but about how we view technology and institutions.

The cypherpunk narrative frames law and protocol as substitutes—choose one, and Bitcoin's point is to choose protocol. The economic critique accepted this framework and then questioned whether the protocol alone could suffice. Both are trapped in the same false dichotomy.

In reality, protocol and law are complements:

  • The protocol provides the base layer: transaction ordering, immutability, censorship resistance, using cost to deter casual attacks.
  • The law provides the upper layer: identity, accountability, sanctions, recovery, using severe penalties to deter heavyweight attackers.

Neither layer alone is sufficient; together they cover the full spectrum.

This should not be surprising. No valuable economic system in history operates entirely outside a legal framework. Banking, securities, insurance, telecommunications, even the internet itself—once proclaimed to be beyond government—do not. The question was never *if* law would come to Bitcoin, but when and through which channels. The answer is: law is already deeply embedded, through the industrial structure of mining itself.

Miners did not need to be forced into compliance by regulation. They moved towards a legally identifiable state driven by the basic economic logic of pooling, specialization, and scale. The very forces that made mining efficient (pooling for risk-sharing, ASIC capital investment, exchange relationships for liquidation) are the same forces that made mining legally identifiable.

Bitcoin's security does not depend on operating outside the law, but on being embedded within it. The protocol handles small matters; the law handles large ones. The industrial structure of mining is the bridge connecting the two. This structure was not imposed by regulators; it evolved naturally from the economics of mining itself. This is the most fundamental misjudgment in the standard economic critique of Bitcoin security.

Related Questions

QAccording to the article, what is the fundamental flaw in the standard economic narrative about Bitcoin security?

AThe fundamental flaw is that the standard economic model assumes attackers are anonymous and operate in a legal vacuum, which is not true for economically significant Bitcoin transactions. In reality, the mining industry is highly concentrated among identifiable, legally reachable entities in regulated jurisdictions.

QWhat is the 'enforcement participation constraint' mentioned in the article?

AThe 'enforcement participation constraint' is a threshold value. Below this line, the cost of legal action exceeds the expected recovery amount, so the law is irrelevant. Above this line, legal action becomes worthwhile to pursue. For large-value transactions, legal mechanisms are activated.

QWhy would a mining pool attempting a double-spend attack likely see its hash power decrease?

AExternal contributors (hash power providers) join a pool to earn stable rewards. An attack would lead to lower, more volatile, or invalid block rewards. Contributors, noticing the poor performance, would rationally leave for a more profitable pool. If the attack is detected, contributors would also flee to avoid association with fraud and potential legal or reputational risks.

QHow does the article describe the relationship between protocol and law in securing Bitcoin?

AThe article describes protocol and law not as substitutes but as complementary mechanisms. The protocol provides the base layer security for small-value, high-volume transactions. The law provides an upper layer of identity, accountability, and sanctions for large-value transactions, deterring major attacks from identifiable actors.

QWhat key factor, besides legal consequences, deters large mining pools from attempting attacks?

AThe massive capital specificity of their investment deters them. Mining ASICs are worthless for any other purpose. A successful attack might yield millions, but the risk of being identified and sanctioned could lead to the destruction of billions of dollars in capital value from specialized hardware, frozen assets, and lost business relationships.

Related Reads

Near Returns to the AI Stage: Transformation into a Public Chain Due to 'Payroll Difficulties,' Agent and Privacy Emerge as New Growth Narratives

NEAR Returns to AI Origins: From Payroll Struggles to Blockchain, Now Focusing on AI Agents and Privacy NEAR Protocol's journey began not with grand blockchain ambitions, but from a practical hurdle: its AI startup founders, including Transformer paper co-author Illia Polosukhin, couldn't efficiently pay international developers in 2017. This led them to pivot and build a high-performance, scalable blockchain. After years navigating various crypto narratives like sharding and cross-chain interoperability, NEAR is now leveraging its AI roots to re-enter the AI arena. A key driver is its "NEAR Intents" layer, which abstracts complex cross-chain transactions. Users simply state their goal (e.g., swap BTC for ETH), and a solver network finds the optimal route. This system has processed over $20B in cross-chain volume, generating significant fee revenue. A major growth area is private transactions via "Confidential Intents/Swaps," which hide trade details until settlement to protect against MEV and front-running. Remarkably, private swaps recently accounted for over 40% of NEAR's transaction volume, highlighting strong demand but also potential regulatory scrutiny. With its AI-founder pedigree, NEAR is positioning itself at the intersection of blockchain, AI agents, and privacy, aiming to become infrastructure for the emerging agent economy while navigating the challenges of its rapid adoption.

marsbit2h ago

Near Returns to the AI Stage: Transformation into a Public Chain Due to 'Payroll Difficulties,' Agent and Privacy Emerge as New Growth Narratives

marsbit2h ago

From Ethereum to AI's 'CROPS': What Exactly is This Set of 'Slow Variables' That Vitalik Repeatedly Emphasizes?

In recent discussions, Vitalik Buterin has frequently emphasized the concept of "CROPS," a framework defining core values for Ethereum's development. CROPS stands for Censorship Resistance, Capture Resistance, Open Source, Privacy, and Security. Initially outlined in the Ethereum Foundation's "EF Mandate," it represents a commitment to user sovereignty, ensuring that the network resists external control, remains open, protects privacy, and prioritizes security. The relevance of CROPS extends beyond Ethereum's foundational principles, becoming crucial in the context of AI integration. As AI agents begin handling wallet operations and automated transactions, the risk increases that users may cede control over their digital assets, privacy, and intentions to centralized AI service providers. A "CROPS AI" would therefore emphasize local execution where possible, privacy-preserving remote model calls (e.g., using zero-knowledge proofs), and transparent, verifiable processes to maintain user agency. Vitalik highlights a significant convergence between "CROPS Ethereum access layer" and "CROPS AI." Both address the same fundamental challenge: how users can access powerful services—be it blockchain data via RPCs or AI models—without exposing sensitive information or relinquishing ultimate control. This intersection points toward a future digital entry point that is more private, secure, and user-controlled. Ultimately, CROPS is not merely an abstract ideal but a practical guidepost. It steers development—from protocol resilience and wallet design to AI agent safety—towards a future where users retain self-sovereignty even as digital systems grow more complex and powerful. In an era of accelerating AI adoption, these "slow variables" of censorship resistance, openness, privacy, and security may define Ethereum's enduring value.

marsbit2h ago

From Ethereum to AI's 'CROPS': What Exactly is This Set of 'Slow Variables' That Vitalik Repeatedly Emphasizes?

marsbit2h ago

Zcash Bug Could Have Minted Unlimited ZEC Undetected

A critical vulnerability in Zcash's Orchard shielded pool, discovered by researcher Taylor Hornby on May 29, 2026, could have allowed an attacker to create an unlimited amount of undetectable counterfeit ZEC. The flaw, involving an under-constrained element in the Orchard circuit, existed from the pool's 2022 activation until an emergency fix was deployed by June 2, 2026. Hornby identified the bug using AI-assisted auditing tools and confirmed its exploitability in a test environment. Due to Orchard's privacy features, which hide transaction amounts and history, there is no cryptographic way to prove whether the vulnerability was exploited before the fix. While Shielded Labs assesses prior exploitation as unlikely, this uncertainty has sparked a debate on proving supply integrity in privacy-preserving systems. In response, Shielded Labs and other developers are exploring a network upgrade, potentially involving a new shielded pool and formal verification of the circuit rules to prevent future vulnerabilities and allow verification of the ZEC supply's integrity. ZEC's price fell nearly 45% following the disclosure.

bitcoinist2h ago

Zcash Bug Could Have Minted Unlimited ZEC Undetected

bitcoinist2h ago

Silicon Valley 'Startup Guru' Steve Hoffman: Web3 + AI Could Be a Trap

Silicon Valley investor and "Godfather of Startups" Steve Hoffman warns that combining Web3 with AI is likely a trap, not a promising venture. In an interview, Hoffman argues that while AI is a foundational technology touching all industries, Web3 adds complexity, friction, and regulatory risk without solving mainstream consumer or business needs. He advises founders to focus on deep, specialized applications where startups can out-iterate giants, rather than on generic features easily replicated by large tech companies. Hoffman observes that Silicon Valley will lead foundational AI research, while China excels at rapid, large-scale application and commercialization, particularly in robotics. He stresses that AI-driven autonomous agents capable of collaborative, multi-step tasks are 2-4 years away, which will cause significant job displacement. The solution is not to slow AI but to redesign business models around human-AI collaboration and reform social systems like education and retraining. For startups, Hoffman recommends focusing on vertical, expertise-heavy domains to build defensibility. He sees major opportunities in AI fraud detection and cybersecurity. Key founder mindsets include systemic thinking over feature-focus, relentless customer centricity, building adaptive teams, and deeply understanding AI's capabilities and limits. Hoffman is also leading a non-profit initiative to establish university centers aimed at training future leaders in responsible, human-value-aligned AI innovation.

marsbit3h ago

Silicon Valley 'Startup Guru' Steve Hoffman: Web3 + AI Could Be a Trap

marsbit3h ago

Token Inefficient, Economy Tokenless

The article "Tokens Aren't Economical, Economics Aren't Tokenized" analyzes a pivotal shift in the AI industry from a technology-driven narrative to one dominated by capital efficiency. It highlights two concurrent trends: a severe capital shortage due to the exorbitant and recurring costs of compute (e.g., OpenAI's high burn rate) and a wave of corporate spin-offs where major tech companies are separating their AI units (like Kuaishou's Kling and Baidu's Kunlunxin). The core argument is that AI's "anti-internet" business model, where user growth increases costs rather than profits, has created a disconnect between high valuations and actual cash flow. Spin-offs address this by allowing AI assets to be valued independently. Within a parent company, they are seen as cost centers, but as standalone entities, they are priced based on their growth potential and scarcity in the primary market, leading to massive valuation premiums (e.g., Kling's estimated value tripling post-spin-off). The industry is at an inflection point, moving from "model worship" to "value realization." The competition is evolving from a pure compute (GPU) race to a broader focus on systemic efficiency and full-stack engineering (involving CPUs and orchestration) to achieve viable commercialization. The year 2026 is framed as a critical moment where the industry must definitively answer how to economically translate AI capability into tangible business value, reshaping the sector's future power structure.

marsbit3h ago

Token Inefficient, Economy Tokenless

marsbit3h ago

Trading

Spot
Futures
活动图片

Hot Categoriesright-arrow

Hot Tagsright-arrow