$1.7 billion was stolen from cryptocurrency exchanges, custodial services, and in ICO exit scams in 2018. That’s a dramatic rise from the year before, despite the shrinking market. And according to the Q4 CipherTrace Cryptocurrency Anti-Money Laundering Report, that money needs to be laundered.
But here’s the kicker: with a global wave of regulations going into effect later this year, laundering cryptos will be increasingly harder to do.
CCN caught up with Dave Jevans, CEO of CipherTrace and co-chair of the Cryptocurrency Working Group at the APWG.org to find out what this means.
Like Taking Candy from a Baby
Of the total stolen funds in 2018, the majority came from exchanges and custodial services–more than $950 million. That was 3.6x more than in 2017–but why is this the case?
“Many exchanges have only been operational for two years or less. They have not invested in the security technologies and practices needed to safeguard IT systems, employees, and critical data,” Jevans explains.
“These cryptocurrency companies are at risk of having a simple file of cryptographic private keys stolen that can give the hackers $30M to $500M in profit. Yet these companies are immature in their security team funding, training and implementation.”
Jevans believes that the cryptocurrency space needs an enormous amount of infrastructure investment and education to prevent such attacks. This includes cold storage of private keys, strong anti-phishing measures including email authentication, and behavioral analytics and data sharing. “The APWG can help with this,” he says.
He continues, “Two-factor authentication of employees and customers will also help, as well as the use of ephemeral instances to reduce attackers’ chances of getting into more machines outside the exchange.”
As well as being the founder and CEO of CipherTrace, a company that develops cryptocurrency AML, forensics, and blockchain threat intelligence solutions, Jevens holds 17 patents in computer security and cryptography. He’s also been tracking criminal activity and correlating it with the price fluctuations of Bitcoin since 2011.
New AML/CFT Regulation in 2019
By quarter three of 2019, a wave of new AML/CFT (anti-money laundering and counter financing terrorism) regulations will come into effect. This will force unregulated exchanges and custodians in all major jurisdictions to become compliant.
These regulations take the form of international standards determined by the Financial Action Task Force (FATF), a Paris-based international organization to combat money laundering.
The new FATF rules will apply to the 38 member countries including the US, EU, and G20.
G20 Leaders committed to "regulate #crypto-assets for anti-#moneylaundering and countering the financing of terrorism in line with FATF standards".
➡️ FATF Report to the #G20 Leaders' Summit https://t.co/ZZECBoAZSc pic.twitter.com/njbTxzH8TL
— FATF (@FATFNews) December 3, 2018
This means that onboarding customers will involve strict KYC or the business will be fined or shut down. Exchanges will also have to allow for monitoring of their services and to report any suspicious account activity.
Beyond being an inconvenience for businesses and customers (as well as a slap in the face of those who believe in financial freedom of transactions), how will this impact the criminal activity in the space? According to Jevens, the regulations will be significant.
“Criminals will increasingly be detected and rejected at compliant companies as regulations are enforced. This will force cybercriminals into the darker alleys of the Internet and the cryptocurrency ecosystem… They will be forced to use more advanced and esoteric services to launder their funds.”
“Cybercriminals are trying to defeat anti-money laundering and crypto tracing technologies with techniques such as “crypto dusting” where they send 50,000 people a week a tiny amount of cryptocurrency that comes from a money laundering service, thus trying to taint the security tools that are used to detect it. Think of it as spamming people with dirty coins.”
Is Regulation Getting it Right?
Considering the mindboggling amount of lost funds, the lack of regulation is glaring. According to another report out today, some 60 percent of hacks may be carried out by just two groups.
Cryptocurrency exchanges were hacked out of ~$1B in 2018 by professional groups whose distinct “signatures” might be the key to defending against them. Read more in our latest blog #cryptocurrency #cryptocrime https://t.co/tD84oqxQQ1 pic.twitter.com/tCnCPbKqxz
— Chainalysis (@chainalysis) January 28, 2019
In light of this, is regulation going down the right path? And what about cryptocurrency users who believe we deserve privacy with financial transactions?
“Regulation is going in the right direction with regards to protecting investors, companies, financial institutions, and governments. With regard to people who deserve privacy with financial transactions, you still have this,” Jevans argues.
“The only transactions that are today tracked by governments are those over $10,000 or those that have ties to sanctioned individuals and governments, terrorists, and known money launderers. New regulations on cryptocurrencies do not change this.
The cryptocurrency markets are growing, getting more secure, and becoming an attractive place to invest in 2019. A lot of the scams, frauds and technically poor operations and ICOs have been weeded out, or will be soon. Regulations make for a more orderly and safe market for everyone. This is coming, and it is actually a good thing.”
What About Banks and Money Laundering?
There are plenty of examples of traditional banks laundering money, and recent episodes like that of Deutsche Bank.
Deutsche Bank & Danske Bank are accused of laundering $200+ billion.
The media calls it a “money laundering scandal.”
It’s not a scandal. It’s a crime. The people involved are criminals.
The language we use is important.
Let’s start calling these crimes what they are.
— Pomp 🌪 (@APompliano) January 23, 2019
So why does crypto get such a hard time? Jevens doesn’t let the banks off the hook either but says it’s more like comparing apples with oranges.
“Crypto gets a hard time because it is a new form of non-governmental currency, it has little regulation, and as a percentage of money transferred, it still has a high rate of international criminal use.
SWIFT handles about $1.25 quadrillion dollars per year of transfers. About $5 trillion per day of traditional inter-bank funds transfer. So a $250B banking money laundering case that spans multiple years, is a tiny fraction.
If you want to launder $250 Billion, you should use banks.
Bitcoin, on the other hand, is more closely measured with credit cards for fraud and value transferred. Bitcoin moves about $8B per day and Mastercard moves about $11B per day.
However, Bitcoin and other cryptocurrencies, despite approaching the major credit card networks in value transfers, does not have the same security and anti-fraud controls.
So as the industry matures in 2019 and the coming years, we can expect cryptocurrencies to be much more in line with the anti-fraud and anti-money laundering numbers that we see in credit card networks and bank payment systems.”
What About Traditional Money Laundering?
But isn’t it harder to launder crypto? Something like two-thirds of US $100 bills are outside the US, isn’t that more problematic?
“It is much easier to launder cryptocurrencies on an international scale than to launder small-to-mid sized amounts of USD. This is because laundering smaller amounts of crypto internationally can be done through a myriad of services, exchanges, currency shifting services, digital walla networks, decentralized exchanges, etc.
So, smaller amounts are much more easily laundered through cryptocurrencies. But large amounts (tens or hundreds of billions of dollars or euros) are better laundered through sophisticated schemes that use existing fiat banking systems.”
Looking at the Year Ahead
Beyond international AML/CFT regulations making criminals’ lives more diffid¡cults, what else does Jevans expect from 2019? (His answers might surprise you):
“Nation states will launch their own cryptocurrencies. Nation states will exploit cryptocurrencies for evasion of sanctions. And privacy-oriented coins will need to consider AML/KYC requirements and get them implemented into their protocols.”