Permissionless blockchains were constructed with a view to being sustainably secure. At the heart of blockchain consensus mechanisms was an explicit cost (whether work or stake) for participating in the network and for the opportunity to propose blocks to be added to the blockchain. A key rationale for that cost was to make attacks on the network, which could theoretically be carried out if a majority of nodes were controlled by a single entity, too expensive to be worthwhile. Here we demonstrate that a majority attacker can successfully attack with a negative cost, which shows that explicit participation requirements do not necessarily result in a sustainably secure network. This suggests that sustainable security arises from factors outside the network protocol itself that regulate the benefits of an attack.