
The Truth About Bitcoin Security: Beyond Hash Power, the Legal Framework Is the Bottom Line
Historically, no valuable economic system has ever operated entirely independent of a legal system.
By Craig Wright
Translated by Luffy, Foresight News
A standard narrative circulates about Bitcoin and the law: Bitcoin was designed to operate outside government control, replacing institutional trust with mathematical trust. It is permissionless—anyone can participate—and has no central authority. Security is achieved solely through the cost of attack. Law is optional, external, and something Bitcoin was meant to bypass altogether.
This narrative is wrong—and yet not entirely wrong. It contains elements of truth. But as a description of how Bitcoin actually functions in real-world, high-value transactions, it is pure fantasy. And it is precisely this fantasy that distorts economists’, regulators’, and even the crypto industry’s own understanding of blockchain security.
The Economic Version
The most rigorous version of this narrative comes from economics—not from cypherpunk forums. Its core argument is concise: In a permissionless system without the rule of law, the only thing preventing double-spending attacks is the cost of amassing enough computational power to overtake the honest chain. Security is a cost problem: The network must continuously invest sufficient resources to render attacks unprofitable. If the value that can be stolen exceeds the cost of attack, the system is insecure.
This is a valid conclusion—mathematically correct under its stated assumptions. But it leads to an unsettling implication: Securing high-value transactions on proof-of-work blockchains requires resource expenditure proportional to the value at risk—massive and sustained. To settle a $1 billion transaction, the network must expend enough electricity and hardware to make a $1 billion-scale attack unprofitable. That is expensive, seemingly wasteful, and appears to represent a fundamental economic limit.
But note this critical premise: “in the absence of the rule of law.” The entire conclusion rests on one assumption—that attackers inhabit a legal vacuum: anonymous, untraceable, and bearing no consequences beyond the direct costs of the attack itself. This is not a trivial simplification—it is the foundational assumption. And in the real world, for all economically meaningful Bitcoin transactions, this assumption flatly contradicts reality.
Who Mines Bitcoin?
The image of anonymous miners operating from basements ended years ago. Bitcoin mining is now an industrial activity, organized via mining pools that coordinate block production, claim block rewards, and distribute proceeds to participants according to contractual rules.
As of March 2026, the top five mining pools control over 70% of Bitcoin’s hash rate. The two largest—Foundry USA and AntPool—collectively command nearly half. These are not shadowy, anonymous entities: Foundry USA is a subsidiary of Digital Currency Group; MARA Pool is operated by NASDAQ-listed MARA Holdings, whose latest annual report discloses ownership of 400,000 mining rigs, 53 EH/s of hash rate, and over $4 billion in Bitcoin reserves. These are legitimate companies—with names, addresses, stock tickers, auditors, banking relationships, and legal counsel.
The coordination layer of Bitcoin mining—the actual entities responsible for block production and reward distribution—is highly concentrated across just a few jurisdictions. Mining pools associated with the United States account for approximately 42% of hash rate; those linked to China, about 41%; Singapore, Japan, the Czech Republic, and Slovenia collectively account for most of the remainder. Less than 2% of hash rate comes from pools that cannot be identified via coinbase tags (the pool marker written into each block's coinbase transaction), corporate filings, or publicly disclosed operators.
This is not a picture of lawlessness—it is a portrait of oligopoly: a small number of identifiable actors operating within jurisdictions where law applies. When economists model Bitcoin attackers as anonymous, legally unreachable agents, they do not describe the real industry—they describe a fictional construct abandoned by the industry a decade ago.
What a Real Attack Looks Like
Double-spending attacks on Bitcoin are not abstract. Here’s how they work: An attacker sends Bitcoin to a counterparty (e.g., deposits BTC into an exchange to receive USD), while secretly mining an alternate chain that excludes that transaction. If the attacker’s secret chain becomes longer than the public chain, it replaces it—and the original transaction vanishes. The attacker walks away with both the USD and the BTC.
To execute such an attack at any meaningful scale, the attacker must sustain control of a majority of hash rate. On today’s network, that means controlling over 400 EH/s. No individual can achieve this. The only feasible path lies at the pool layer: either a single large pool deviates from honest mining—or multiple pools collude.
So now ask: What happens to that pool after the attack?
The attacker—a named, publicly listed company or well-known mining pool brand—has just defrauded an exchange. The double-spending victim knows it was cheated, and blockchain records will clearly identify which pool built the attack chain (via the coinbase tags in its blocks). The defrauded exchange has legal counsel, insurance, and regulatory relationships—and the pool itself depends on those same exchanges to convert mining revenue into fiat currency.
The attacker is not anonymous. The victim is not helpless. The system connecting them is not lawless.
The Enforcement Participation Constraint
The standard economic narrative gets half of it right. For small-value transactions—say, a $5 coffee or a $20 online purchase—no one will sue; legal costs exceed losses. Hiring a lawyer costs more than the coffee. Within this range, law truly is irrelevant; protocol-layer security stands alone, and the pure economic model applies.
But law’s irrelevance shrinks as transaction size grows. A $5 million double-spend carried out by a known mining pool—followed by asset freezes and seizure of the pool’s exchange balances—is entirely different: This is wire fraud, computer fraud—exactly the kind of case prosecutors take up, insurers pursue, and exchanges cooperate with.
The real question isn’t whether law applies to double-spends—of course it does. It’s whether anyone will choose to enforce it. Not for small amounts; yes, for large ones. There exists a threshold—the enforcement participation constraint: Below it, legal costs exceed expected recoveries; above it, legal action becomes worthwhile.
Recent enforcement actions in crypto roughly indicate this threshold: Binance paid $4.3 billion to settle with the U.S. Department of Justice, FinCEN, and OFAC; BitMEX settled for $100 million.
These were compliance violations—not double-spends. Intentional double-spending triggers not only civil liability but criminal charges carrying prison time and asset forfeiture.
The conclusion is straightforward: The “no-law” model applies to small-value transactions—but not to large ones. The dividing line isn’t at the $1 billion level; it lies in the multi-million-dollar range—depending on jurisdiction, the victim institution’s capacity, and the attacker’s identifiability. For pool-led attacks, identifiability approaches 100%.
Why Collusion Fails
Even ignoring law, mining pool attacks suffer structural weaknesses overlooked by the standard model: Pools rely on other people’s machines.
Pool operators coordinate block production, but much of the actual hash power comes from external contributors—companies and individuals who connect their machines to the pool in exchange for a share of rewards. These contributors can leave at any time. They join pools to earn money. If pool returns decline, they switch to competitors.
Covert double-spending degrades return quality: The pool diverts hash power from honest mining to secret chains—if the attack fails, nothing is earned. Contributors see lower, more volatile payouts and more invalid blocks. They need not know an attack is underway; they only need to notice this pool underperforms others—and they leave.
Once an attack is detected—or even suspected—a new wave of departures follows. Remaining contributors face reputational risk, hardware blacklisting, exchange account scrutiny, and potential impacts on custodial contracts. For a company owning hundreds of millions of dollars’ worth of dedicated mining rigs, the rational response once its pool is publicly implicated in fraud is immediate withdrawal and disassociation.
One more point often missed: If the attack fails (i.e., the honest chain remains longer), the attacker loses all investment spent building the secret chain. Honest miners need do nothing special—just keep mining. Satoshi’s longest-chain rule activates automatically: Once honest hash power exceeds the attacker’s, the attack chain is orphaned. The protocol itself enforces rejection. Honest miners don’t form alliances or mount defenses—they simply continue normal operations. Meanwhile, attackers must engage in abnormal behavior, sustain it continuously, and watch their coalition bleed contributors.
The result: A pool’s hash power is not fixed during an attack—it erodes continuously. Simple simulations show that a pool starting with 31% of global hash rate may lose the vast majority of its externally contributed hash power within hours after distorted returns become observable—leaving only its own proprietary hash power. For most pools, that represents only a tiny fraction of total hash rate. An attack that looks nominally feasible collapses as contributors flee.
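The chain race described under "What a Real Attack Looks Like", combined with the contributor attrition described in this section, can be put into a small Monte Carlo model. The Python below is an added illustration, not code from the article or from any mining pool. Its scenario is assumed for the demonstration, not measured: a 31% pool made up of 5 points of proprietary and 26 points of rented hash power, contributors noticing distorted payouts after two network blocks, and a quarter of the remaining rented hash power leaving per block thereafter. It also implements the catch-up probability from section 11 of the Bitcoin whitepaper so the constant-share case can be cross-checked against the standard model.

```python
"""Double-spend chain race with a pool whose rented hash power erodes.

Added illustration for the article above, not code from it. Every number in
DEFAULTS is an assumption chosen for the demonstration, not a measured figure.
"""
import math
import random

# Assumed scenario: a pool with 31% of global hash rate, of which only 5 points
# are the operator's own machines and 26 points are contributors' rigs.
DEFAULTS = dict(
    z=5,                  # confirmations the victim waits for before paying out
    own_share=0.05,       # operator's proprietary hash power (fraction of global)
    external_share=0.26,  # contributors' hash power at the start of the attack
    detect_after=2,       # network blocks before distorted payouts become visible
)


def satoshi_catch_up(q: float, z: int) -> float:
    """Probability that an attacker holding a constant share q of hash power
    catches up with a chain that is z blocks ahead, using the Poisson
    approximation from section 11 of the Bitcoin whitepaper. The whitepaper
    counts drawing level (deficit 0) as caught up; the simulation below uses
    the same convention."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p  # expected attacker blocks while honest miners mine z
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def simulate_attack(z, own_share, external_share, detect_after, attrition,
                    rng, give_up_lead=20):
    """One attempted double-spend. Returns True if the private chain draws
    level with the public chain at or after the victim's z-th confirmation.

    attrition: fraction of the remaining contributor hash power that leaves
    for a better-paying pool after each network block once payouts look off.
    """
    honest, private = 0, 0
    external = external_share
    block = 0
    while True:
        q = own_share + external         # attacker's share for this block
        if rng.random() < q:
            private += 1
        else:
            honest += 1
        block += 1
        if block > detect_after:
            external *= 1.0 - attrition  # contributors switch pools
        if honest >= z and private >= honest:
            return True                  # victim has paid out; reorg lands
        if honest - private >= give_up_lead:
            return False                 # hopeless; private chain is orphaned


def success_rate(trials, attrition, seed=1, **scenario):
    """Monte Carlo estimate of the double-spend success probability."""
    rng = random.Random(seed)
    params = {**DEFAULTS, **scenario}
    wins = sum(simulate_attack(attrition=attrition, rng=rng, **params)
               for _ in range(trials))
    return wins / trials


def compare(trials=4000, attrition=0.25):
    """Success probability for a fixed 31% pool (the standard model) versus
    the same pool bleeding contributors, plus the whitepaper figure."""
    fixed = success_rate(trials, attrition=0.0)
    eroding = success_rate(trials, attrition=attrition)
    analytic = satoshi_catch_up(DEFAULTS["own_share"] + DEFAULTS["external_share"],
                                DEFAULTS["z"])
    return fixed, eroding, analytic


if __name__ == "__main__":
    fixed, eroding, analytic = compare()
    print(f"fixed 31% pool:   {fixed:.3f}  (whitepaper formula {analytic:.3f})")
    print(f"eroding 31% pool: {eroding:.3f}")
```

With the constant 31% share the simulated success rate lands near the whitepaper's figure of roughly one in five for five confirmations; once the rented hash power starts leaving, the same pool's chance of landing the reorg drops to a few percent, because by the time the victim's confirmations are in the pool is racing with little more than its own machines. The give-up rule matters for the defender's reading of the article: an abandoned private chain is never published, so the sunk flow cost is lost and nothing reaches the public chain.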
The Capital Problem
The standard model completely ignores a deeper issue: capital specificity.
Bitcoin mining hardware—ASICs—is not general-purpose. A Bitcoin ASIC does exactly one thing: compute SHA-256. It cannot mine Ethereum, serve web pages, or run machine learning models. Once excluded from profitable mining, it becomes worthless scrap metal with a power cord.
Major mining pool operators hold billions of dollars in ASICs, hosting contracts, power agreements, and Bitcoin reserves. MARA Holdings alone discloses over $5 billion in combined ASIC and Bitcoin assets. Foundry USA aggregates hash power from dozens of companies—each with massive capital exposure. A successful double-spend might yield tens of millions—but the capital risk from identification, sanctions, and exclusion runs into the billions.
This is no longer a flow-cost problem—it’s a stock-cost problem. Attackers risk not just a few days’ mining income, but the full productive value of irreplaceable capital. That fundamentally changes the economics.
In the standard model, security demands continuous investment proportional to value at risk. In reality, identifiable, capital-intensive pool operators are secured by the threat of permanent capital destruction.
Ironically, the original economic critique itself acknowledges that stock-cost deterrence—were it present—would be extremely powerful. It merely assumes PoW lacks such deterrence because attack hash power can be rented, deployed, and discarded. That was broadly true in 2012—but absolutely false in 2026. Mining is now a capital-intensive industry, with fixed infrastructure, long-term power contracts, and hardware incapable of repurposing. Stock costs are real—the economic models just haven’t caught up.
Two Mechanisms, One System
We arrive not at a rejection of the economic model, but at its localization. Bitcoin does not have one security mechanism—it has two, operating simultaneously:
- For small-value transactions: Pure protocol security applies. Individual transactions are too small to justify legal action; security relies on the cost of assembling attacking hash power. This mechanism works—it matches the standard model’s description and supports high throughput. Millions of small payments can run entirely at the protocol layer, with very low per-transaction security cost.
- For large-value transactions: Law + organizational mechanisms take over. An attacker’s gains are no longer determined solely by protocol costs—they are sharply offset by legal penalties, exchange freezes, liquidity friction, reputational ruin, capital impairment, and self-implosion of the attack coalition as contributors exit. Under this regime, the pure flow-cost model overestimates attack profitability—because it ignores all post-onchain consequences faced by identifiable attackers.
These two mechanisms do not conflict—they complement each other: The protocol layer handles traffic; the legal layer handles value. Together, they produce a security environment far more robust than either could achieve alone.
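The flow-cost versus stock-cost argument, the enforcement participation constraint, and the two-regime picture above can be written down as a single expected-value function. The Python below is an added illustration, not code or figures from the article: the success probability, the $3 million flow cost, the $5 million enforcement threshold, the $5 billion of capital at risk and the $100 million penalty are assumed placeholders, and the logistic enforcement curve is a modelling choice made here, not something the article specifies.

```python
"""Stylised attacker payoff under the two security regimes described above.

Added illustration, not from the article: the dollar figures are assumed
placeholders chosen to make the two regimes visible, not figures from any
filing or enforcement action.
"""
import math


def enforcement_probability(value, threshold, steepness=4.0):
    """Chance that a defrauded counterparty pursues an identifiable pool.
    Modelled as a logistic step on a log scale, centred on the enforcement
    participation constraint: about zero for a coffee, about one for a
    multi-million-dollar loss."""
    x = steepness * math.log(value / threshold)
    x = max(-500.0, min(500.0, x))  # keep exp() in range for extreme inputs
    return 1.0 / (1.0 + math.exp(-x))


def expected_profit(value, *, p_success, flow_cost, threshold=None,
                    stock_at_risk=0.0, legal_penalty=0.0, identifiability=1.0):
    """Expected profit of one double-spend of `value` dollars.

    p_success       chance the private chain wins the race
    flow_cost       electricity and forgone block rewards spent on the attack
    threshold       enforcement participation constraint; None selects the
                    standard 'no-law' model in which only flow_cost matters
    stock_at_risk   capital impaired if the pool is identified and excluded
                    (ASICs, hosting and power contracts, reserves)
    legal_penalty   forfeiture, damages and fines if prosecuted
    identifiability chance the attack chain is attributed to the pool
    """
    if threshold is None:
        return p_success * value - flow_cost
    # A successful double-spend is visible to the victim, and the coinbase
    # tags name the pool, so consequences follow success with probability
    # identifiability * P(someone bothers to enforce).
    p_consequence = identifiability * enforcement_probability(value, threshold)
    downside = p_consequence * (stock_at_risk + legal_penalty)
    return p_success * (value - downside) - flow_cost


def breakeven_value(values, **params):
    """Smallest value in the ascending grid at which the attack is expected to
    pay, or None if it never does."""
    for v in values:
        if expected_profit(v, **params) > 0:
            return v
    return None


def compare(p_success=0.2, flow_cost=3e6):
    """Break-even transaction size under the flow-only model and under the
    model with law and capital specificity added."""
    grid = [10 ** k for k in range(0, 11)]          # $1 ... $10 billion
    flow_only = breakeven_value(grid, p_success=p_success, flow_cost=flow_cost)
    embedded = breakeven_value(grid, p_success=p_success, flow_cost=flow_cost,
                               threshold=5e6, stock_at_risk=5e9,
                               legal_penalty=1e8)
    return flow_only, embedded


if __name__ == "__main__":
    print(compare())
```

On these assumed parameters compare() shows the two regimes side by side: with only flow costs a double-spend starts to pay at the $100 million point of the grid, while once identification puts the pool's capital on the line it pays only at $10 billion, far above anything settled in one transaction. Sizes below the threshold stay unprofitable for the ordinary protocol-layer reason that the flow cost exceeds the take, which is the "protocol handles the small stuff, law handles the big stuff" split in one function.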
The Real Insight
The deeper conclusion is not about Bitcoin—it’s about how we view technology and institutions.
The cypherpunk narrative treats law and protocol as substitutes—mutually exclusive alternatives—and positions Bitcoin’s meaning as the choice of protocol. The economic critique accepts that framing, then questions whether protocol alone suffices. Both sides remain trapped in the same flawed binary.
In reality, protocol and law are complements:
- Protocol provides the foundation: transaction ordering, immutability, censorship resistance, and cost-based deterrence against casual attacks.
- Law provides the superstructure: identity, accountability, sanctions, recovery, and penalty-based deterrence against sophisticated, high-stakes attackers.
Neither layer alone is sufficient; together, they cover the full spectrum.
This should come as no surprise. Historically, no valuable economic system has ever operated entirely outside legal institutions. Banks, securities markets, insurance, telecommunications—even the internet itself, once hailed as existing beyond government reach—did not. The question has never been whether law will enter Bitcoin—but when, and through what channels. The answer is: Law is already deeply embedded—through the very industrial structure of mining.
Miners do not need regulatory mandates to comply. Driven by the plain economic logic of pooling, specialization, and scale, they have voluntarily moved into states of regulatory identifiability. The very forces that make mining efficient—risk-sharing via pools, capital commitment in ASICs, and reliance on exchanges for fiat conversion—are the same forces that make mining legally identifiable.
Bitcoin’s security does not depend on operating outside the law—but on being embedded within it. Protocol handles the small stuff; law handles the big stuff. The industrial structure of mining is the bridge between them. That structure was not imposed by regulation—it evolved naturally from mining’s own economics. And this is the most fundamental misjudgment in the standard economic critique of Bitcoin security.