Cyber-criminal groups are being dismantled. But more needs to be done about the enforcement of rules that bind cryptocurrency exchanges.
May has been a turbulent month for the world’s cyber-criminals, and spirits must be high at Europol’s headquarters in The Hague. In early May, the agency, which facilitates police cooperation in the EU, simultaneously announced the takedown of the Wall Street Market and Silkkitie, two Dark Web marketplaces where illicit goods and services had been traded.
According to Europol’s press release, although the Wall Street Market did not quite acquire the economic clout of its namesake, it was ‘the world's second largest dark web market, enabling the trade in drugs (…), stolen data, fake documents and malicious software’. Three suspects were arrested by Germany’s federal investigative agency (Bundeskriminalamt), and both cash and ‘cryptocurrencies Bitcoin and Monero in 6-digit amounts’ were seized.
Several days later, two further announcements followed. In one law enforcement action, the FBI seized and shut down DeepDotWeb which, while itself easily accessible on the ‘surface’ web, was in effect a ‘yellow pages’ directory of Dark Web marketplaces, including those catering to criminals. The FBI views DeepDotWeb as a ‘gateway’ to the seamy side of the Dark Web, and alleges that the two Israeli citizens operating it had received commission payments in Bitcoin for illegal purchases made on DeepDotWeb-listed marketplaces.
In an unrelated development, Spain’s Civil Guard (Guardia Civil) arrested eight and charged a further eight individuals whom it suspects of running a cryptocurrency money-laundering ring. The group’s modus operandi was not described in much detail, but essentially involved either purchasing cryptocurrency for cash via so-called cryptocurrency ATMs or aggregating funds in bank accounts to then buy cryptocurrency from an online exchange platform.
So, what should we make of the criminal use of cryptocurrency in these cases, and is enough being done to tackle those who facilitate such activities?
First, it’s worth pointing out that, although misuse of cryptocurrency is a common factor to all the episodes listed, this does not mean that transactions in cryptocurrency are necessarily suspect, let alone illegitimate. For instance, according to estimates provided in a recent analysis, ‘illicit transactions comprised less than 1% of all economic bitcoin activity in 2018, down from 7% in 2012’. Even cybercrime often involves earning and laundering criminal income in fiat rather than cryptocurrency, as demonstrated by the US indictment against a cyber-criminal group that had attempted to steal over $100 million, which was also unsealed in May.
What we need to understand, however, is how criminals obtain the cryptocurrency they need for illicit transactions. While it is possible to ‘mine’ coins by contributing computing power towards the maintenance of a given cryptocurrency’s infrastructure, this typically requires a significant investment of resources and, in the case of Bitcoin, specialised equipment.
In some instances, cyber-criminals obtain cryptocurrency through – unsurprisingly – crime. Ironically, on the same day as Europol unveiled its most recent successes, the world’s largest Bitcoin exchange disclosed that hackers had relieved it of $40 million worth of cryptocurrency. A less spectacular variety of cybercrime, known as ‘cryptojacking’, involves surreptitious use of other people’s computers to mine cryptocurrency, typically Monero, a cryptocurrency created in 2014.
But in all other cases, cyber-criminals are likely to act exactly as most of us would in order to get, say, foreign currency: that is, go to a professional exchanger. And it is on identifying and incapacitating rogue cryptocurrency exchanges that governments should focus more.
For some time now, there has been no uniform international approach to the regulation of businesses that exchange cryptocurrency into state-issued, government-backed legal tender, also known as fiat currency. This is changing rapidly. In October 2018, the Financial Action Task Force (FATF) decided that anti-money laundering and counter-terrorist financing obligations should be extended to ‘virtual asset service providers’, including both crypto-to-fiat and crypto-to-crypto exchanges. While it will take time for states to implement this change in their domestic legal systems, the direction of travel is clear.
If it ever were possible to claim that cryptocurrency exchanges could legitimately refuse to verify their customers’ identity or report suspicious transactions to competent authorities, this position is now entirely untenable. And as compliant exchanges put more money and effort into fighting money laundering – sometimes going above and beyond what the law currently requires – it is imperative that their efforts are not undercut by less scrupulous competitors.
But enforcement actions against cryptocurrency businesses remain few and far between. The best-known example is the case of BTC-e, one of the largest Bitcoin exchanges in the 2011 to 2017 period that allegedly processed criminal transactions as its raison d'être. Also, in a striking recent development, the Dutch Fiscal Information and Investigation Service has seized servers belonging to a cryptocurrency ‘mixer’ that can ‘mix potentially identifiable or “tainted” cryptocurrency funds with others, so as to obscure the trail back to the fund's original source’. The news has caused consternation among those who view mixers as a legitimate way to conceal transactions from others’ prying eyes.
Leaving aside controversies about the legitimacy of mixers, it remains to be seen whether this action presages an era of greater enforcement against cryptocurrency businesses, including exchanges. So far, exchanges have by and large been untouched. In all likelihood, there are two related reasons for this.
For one, until states actually implement the FATF’s revised standards, their domestic regulations may not necessarily require cryptocurrency exchanges to undertake anti-money laundering checks in the same way as, for instance, banks. Secondly, less responsible exchanges can be located in jurisdictions with less than robust supervisory regimes.
Still, these obstacles are not insurmountable. Even in those states where specific regulatory obligations do not yet apply to cryptocurrency exchanges, the latter do not live in a legal vacuum. For example, they could still fall foul of general criminal laws that penalise money laundering or other criminal activity. Proving such wrongdoing can be challenging, but in cases of egregious misconduct, law enforcement action should certainly be on the table.
It is true, however, that a well-intentioned state may find an offending exchange beyond the reach of its law enforcement capacities. In those cases, one tool that governments could usefully employ is targeted financial sanctions, which prohibit individuals and companies within the relevant state’s jurisdiction from transacting with the sanctioned person.
This is precisely what the US Treasury did in November 2018 as it decreed the freezing of assets of two Iranian citizens whom it accused of acting as cryptocurrency exchangers for cyber-criminals. When announcing the designation, the US Treasury for the first time listed the cryptocurrency addresses belonging to the sanctioned individuals among other identifying information.
Unlike criminal charges, financial sanctions do not involve a formal criminal accusation and do not end with a defendant in the dock. But they still could be devastating for those affected, and so their imposition is a step that must not be taken lightly. When sanctions are used to tackle non-compliant businesses instead of the ordinary process of criminal law, we must always ask ourselves if there are good reasons for imposing them.
In a world of financial intermediaries that facilitate cryptocurrency transactions free of the constraints of borders, there are bound to be some cases where the answer is ‘yes’. And as most cryptocurrency exchanges do ever more to prevent money laundering, states should take greater action against those who fail in that responsibility.
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.