bitcoin crime

At the FinTech Canada conference this August, leading cryptocurrency trial attorney Brian Klein gave an excellent overview of how cryptocurrencies have been used for illegal purposes and what law enforcement officials are doing to crack down on it.

Known for representing high-profile clients like Bitcoin early-adopter Erik Voorhees, Brian Klein is the founder and chair of the non-profit Digital Currency and Ledger Defense Coalition (DCLDC) and the chair of the American Bar Association’s blockchain technology, digital currency, and ICO national institute.

In his talk, Klein points to the law enforcement efforts and litigation around the Silk Road as an early example of crime with a cryptocurrency element. At the time, the closure of the online black market and related arrests made headlines worldwide.

But how have things moved on in 2018?

Cash (not Crypto) is Still King in Criminal Activity

In criminal law, cash is still king.

While cases like the Silk Road made sensational headlines, cryptocurrency rarely plays a truly innovative role when it comes to more traditional criminal activity. 

Cryptocurrency may offer advantages for long-distance transactions and online shoppers, but most criminal acts today are still paid for in cash. 

The crypto element may add a modern flair and conjure images of shadowy figures in Guy Fawkes’ masks but, for the most part, digital currencies remain a payment method rather than a new frontier in criminal acts.

bitcoin silk road
The now-defunct black market Silk Road website used to buy drugs with bitcoin

Cryptocurrencies Are the New Swiss Bank Account: Money Laundering and Tax Evasion

You might still see movies where bank robbers demand that funds be wired to a Swiss bank account, but when it comes to money laundering and hiding assets, cryptocurrency has increasingly replaced the wiring of funds to jurisdictions that favor banking secrecy. 

A key advantage of cryptocurrency is that it’s not tied to a single jurisdiction or set of laws – unlike Switzerland, which tightened its banking regulations after a large tax evasion investigation in 2008.

With cryptocurrency, there’s also no need to rely on intermediaries to handle transfers. And while a bank can be forced to turn over someone’s account information, there is no central authority for the Bitcoin system.

However, as noted in Klein’s talk, most current digital currencies operate on a public, permanent ledger. Bitcoin, for example, isn’t fully anonymous as many believe. Each transaction can be tracked, analyzed and de-anonymized — if the authorities can link a wallet address to a particular criminal – now or in the future.

The Emergence of Privacy Coins

Privacy coins circumvent some of the potential risks of making cryptocurrency transactions available on a public ledger. 

Indeed, Bloomberg noted that criminals are increasingly ditching bitcoin for privacy coins like monero and zcash. 

Monero logo

While there are different types of privacy coins, they typically obscure their ledger through a variety of methods including single-use wallets and transaction keys, as well as “coin mixing”, which involves pooling different transactions together to obscure the amount and parties involved in any given transaction. 

In his talk, Klein notes that privacy coins are a key source of concern for law enforcement and regulatory agencies.

Fraud and Initial Coin Offerings (ICOs)

Reports suggest that as many as 80% of ICOs offered in 2017 were fraudulent. 

Perhaps the largest was Pincoin, an ICO that raised $660 million during the ICO fever of 2017. Shortly after raising the money, Pincoin vanished, taking investor money with it. This is what’s known as an “exit scam.”

As a result of these scams, investors have asked securities regulators to intervene.  The problem? In the US, there’s no set answer on whether ICOs are “securities.” 

What’s a security? A security is a financial instrument, like a stock, bond or investment contract, that you are able to trade or transfer to someone else. If something is a security, it is often subject to regulation and must be registered with the regulators.

Until ICOs are classified as a security, we don’t know if they are something the Securities Exchange Commission (SEC) can regulate.

So long as they remain unregulated, ICOs fall outside the oversight and authority of securities regulators, potentially leaving investors more exposed to fraudulent activity

Although the SEC’s Chairman has previously claimed that ICOs are securities, the issue is still relatively untested in the courts. This leaves many ICOs operating in a grey area. 

How Are Law Enforcement Officers Cracking Down on Illegal Crypto Activity?

This is still relatively new territory for law enforcement agencies and governments. However, they are increasingly capable of de-anonymizing transactions and tracking criminal activity. Below are just a few of the ongoing themes of law enforcement activity in the crypto space:

  • Governments and law enforcement are collaborating on an international scale. This includes sharing information, joint investigations, and global agreements around extradition.
  • Law enforcement is increasingly capable of tracking cryptocurrency transactions, especially where the ledger is public. AI and machine learning are also making it easier to analyze the blockchain and pierce anonymity.
  • On the blockchain, transaction history is not just public – it’s permanent. This can create a permanent chain of evidence for law enforcement to review and rely on, especially over time, as new data is gathered and different wallets and accounts are identified.

Conclusion

Bitcoin has been linked to illegal activity ever since the infamous Silk Road black market emerged. The cryptocurrency ecosystem has also played host to its fair share of scams, hacks, and frauds. 

However, we should also remember that every bitcoin transaction, by design, is recorded in a permanent, transparent log. If bitcoin is used for nefarious purposes, that transaction is preserved forever.

Learned something new in this article? Subscribe to the Block Explorer newsletter.

bitcoin hack how to avoid

A small Canadian bitcoin exchange, MapleChange, was reportedly hacked in the early hours of Sunday morning, which they blamed on a “bug.” 

The little-known exchange says it is in “the process of a thorough investigation,” but “they cannot refund anything.”

In other words, if you trusted your money to MapleChange, you may not get that money back.

Maplechange hack

Hack or Exit Scam?

The suspicious nature of the announcement didn’t go unnoticed by commentators. Joseph Young, a contributor to Forbes and CoinTelegraph, called it an “exit scam.” 

Exit scam defined: An exit-scam is a shady technique in the crypto universe whereby a small, unregulated company lures money from people (usually through an exchange or an initial coin offering, ICO) before stealing it and removing all trace of the company.

The red flag came when MapleChange deleted all its social media accounts, an unnecessary move when depositors were desperate for more information.

While the speculation continues over the hack, we thought it best to put together three ways to make sure you never lose your money in an exchange hack or scam.

1. Don’t Keep Your Cryptocurrency on an Exchange, Period

All the biggest bitcoin hacks in recent history have taken place on an exchange. The Mt. Gox hack in 2014 was, of course, the most high-profile. $450 million was stolen by hackers before the exchange went bankrupt. At least four exchanges have been hacked this year alone.

Crypto exchanges are a prominent target for attackers, simply because they hold so much cryptocurrency. Many have security weaknesses that can be easily exploited. Many others are not regulated or protected by the governing authorities.

But most importantly, if you trust your crypto to an exchange, you have no control over those cryptocurrencies. It is entirely at the risk of the exchange and the safety precautions they have taken.

Instead, you should move your bitcoin or crypto off the exchange and into your own, personal cold storage.

Cold storage means keeping your cryptocurrencies offline, so they can’t be hacked. The best option is a specialized hardware device (Ledger or Trezor) are the best-known options.

ledger nano cold storage bitcoin wallet plugged into a laptop

Further reading: What is Cold Storage for Bitcoin?

2. Criteria for Choosing an Exchange: Reputation, Regulation, Insurance

Of course, we can’t stay clear of exchanges entirely. We need them to buy and sell cryptocurrency. But before you transfer any money, do your due diligence and research.

The first step is looking at reputation. Some quick research on MapleChange, for example, would have turned up very little information – a warning sign for investors.

On the other hand, trusting a major, high-profile exchange such as Coinbase or Gemini, while not 100% safe, is a more sensible solution. These giant exchanges are better regulated and have superior security features.

The likes of Coinbase and Gemini also go to great lengths to verify its users, which vastly reduces the likelihood of fraud or security breach.

Some exchanges are now fully insured, too. Gemini recently announced insurance coverage for its exchange and custody services. If you keep your money at Gemini, it is protected should the worst happen. 

Further reading: Cryptocurrency Insurance: What is it? (And Do You Need It?)

3. Holding Money on an Exchange? Choose One with Cold Storage

Sometimes, of course, holding money on an exchange can’t be avoided. If you are trading regularly, you may need quick, instant access to your money on an exchange.

If that’s the case, be sure the exchange keeps 95% or more of funds in cold storage. Cold storage keeps crypto offline and significantly more secure from hackers.

This advice was echoed by Binance founder, Changpeng Zhao, on Twitter in the wake of the MapleChange attack.

CZ binance cold storage advice

Coinbase, for example, holds 98% of all funds in cold storage. The remaining 2% are insured, so the risk of losing your money is much lower.

Conclusion

You’ll probably hear a lot about bitcoin’s safety and security in the wake of this hack. But it’s important to remember that bitcoin and its underlying system, blockchain, has never been hacked.

Hacking and theft only occurs through weak exchanges and poorly maintained wallets. In other words, storing your bitcoin safely is the most important decision you can make.

To sum up, always keep your cryptocurrencies offline, in cold storage, ideally on a hardware device you own, not an exchange. If you do use an exchange, ensure it is reputable, regulated, insured, and offers cold storage options.

Stay safe out there.

Note: this article was edited on 29th October. A previous version claimed that $6 million was stolen in the hack before the exchange in question re-opened communications and confirmed otherwise.

Further reading: 8 Cryptocurrency Best Practices (Keep Your Crypto Safe!)

Learned something new in this article? Subscribe to the Block Explorer newsletter.

We’re working to bring you an all new BlockExplorer.com. Can we ask for your help? Please take a few moments to answer the below questions. We’ll compile the answers and share with you, our readers, in the coming weeks. From all of us at Block Explorer, a sincere thank you!

About three years ago, a so-called crypto-anarchist, deep into libertarianism, hired me to write a book that included content railing against government anti-money laundering regulations. As he saw it, there is essentially nothing wrong with financially supporting terrorist organizations,  smuggling drugs or other contraband items. (Hell, there was nothing wrong with terrorism to him; one man’s terrorist is another man’s freedom fighter). People can do what they want as long as they don’t harm others. Drugs and prostitutes (for instance) delight individuals. And, therefore, the government, which, by the way, does a lousy job of literally minding its own business should focus on “minding its own business”.

Five years later and knowing more on money laundering, I think large-scale smuggling and certainly funding terrorists may have more negative social and economic ramifications than my well-meaning friend opined. This is  partly because unrequited criminal laundering turns us into a criminal society – after all why work ethically when we can make far more money in illicit activities. Above all, successful money laundering means more drugs on the streets, more drug-related crime, more fraud, more corporate embezzling, and more terrorism, among a host of other social ills.

What  is money laundering?

money laundering

 

Money laundering, at its simplest, is the act of trying to make money that comes from nefarious Source A look like it comes from “clean” Source B. If caught, the perpetrator can’t use that money, since law enforcement would seize it. Source A involves funding ISIS, smuggling cocaine, engaging in corrupt political businesses, or benefiting from fraudulent business schemes, as examples.

If I were involved in any of these activities and would want to retain my stash, I’d be advised to go through the following three steps:

  1. Placement – Find a place to stash my money. If I wire the trove to my banks Capital One or Charles Schwab, they’d have to tell the government I’m suddenly depositing millions in checks. So I need to find a resilient hiding place.
  2. Layering – Money launderers can teach me all sort of schemes like wiring money between different accounts in different names in different countries, or purchasing high-value items (boats, houses, cars, diamonds) to change the form of my money. I can also change my money’s currency – and this is where cryptocurrency comes in. So, I can change my dirty dollars into Bitcoin and then again into Monero or Dash to better hide its source – now there’s a way to evade the cops!
  3. Integration – At this point, my money re-enters mainstream society as though it comes from a legitimate source. I’ve strategized in such a way that my startling fortune is innocuous and can slip under the radar.

The government’s response to money-laundering

Anti-money laundering regulations

In the United States, the Department of Justice, the State Department, the Federal Bureau of Investigation, the Internal Revenue Service and the Drug Enforcement Agency join forces in catching money-launderers like me. State and local police investigate cases under their jurisdiction. On the international stage (and when it comes to blockchain), organizations like the United Nations, the World Bank, the International Monetary Fund and the Financial Action Task Force on Money Laundering (FATF) send in their troops. The last has 33 member states and organizations, as of 2018.

Cops combine legislation with law enforcement.  In the United States, legislative acts include:

  • The Bank Secrecy Act (1970) – Financial institutions have to report all single transactions above $10,000 and multiple transactions totaling more than $10,000 to or from a single account in one day. When it comes to the blockchain industry, this includes money service businesses (MSB), too. Bankers who violate this rule can serve up to 10 years in prison.
  • The 1986 Money Laundering Control Act – Any aspect of money laundering is a crime punishable by fines or jail.
  • The 1994 Money Laundering Suppression Act – Banks have to establish their own money-laundering task forces to weed out suspicious activity in their institutions. When it comes to blockchain-based financial institutions, customer due diligence (CDD) rules are no different.

In truth, it’s a perpetual chase of cops vs. robbers, with the robbers mostly slipping through even as cops set the traps.

How do AML rules impact ICOs?

ICOs, also known as token sales, can fall foul of anti-money laundering regulations with their digital tokens.  While “utility tokens” that only give investors access to the startup’s features are ok,  it is the “security tokens” that may offer investors equity or some form of an investment return that are problematic.

This is where a growing number of ICOs interest themselves in Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations for reasons that include the following:

  1. Establish credibility with banks – After all, banks don’t want to trip up with organizations like FinCen, a bureau of the U.S. Department of the Treasury, that snoops into whether financial institutions are adhering to KYC.
  2. Long-term legitimacy – It’s good for your bottom line. You don’t want the government to bust your booty as happened in 2014 with Mt. Gox, the largest Bitcoin exchange, after the US Department of Homeland Security (DHS) seized suspicious money from its U.S. subsidiary account.
  3. Improved public perception – You appear more legitimate. You’re more likely to interest investors. The Dutch Authority for the Financial Markets (AFM), for one, warns consumers to avoid ICOs:

“Due to their unregulated status and the anonymous nature of the transactions involved, ICOs are attractive for the laundering of money obtained by criminal means. .. Because of these risks, there is a strong possibility that investors will lose their entire investment.”

With your compliance to KYC/ AML rules, you prove the AFM wrong.

4. Expanded reach – You’re more likely to attract investors in countries with rigid KYC/AML regulations like US, UK and Canada.

5. Avoid Regulatory Fines – There have been cases of regulatory bodies fining or suffocating ICOs that smell suspicious. With the Mt. Gox case, more than 3,000 customers lost some, or all, of their investments. You really don’t want that happening to you! AML in practice?

Our most recent guide to all there’s to “KYC: A  Practical Guide for Blockchain Entrepreneur and Investor” gives you the overall picture.

Really, it reduces to three steps:

  • Identify and do background checks on depositors.
  • Report all suspicious activity. (For example, if a background check revealed that depositor A works in an oil rig, and he deposits $2,000 every two weeks, a series of ten $9,000 deposits over two weeks should worry you.)
  • Build an internal task-force to identify laundering clues.

The rest is up to you.

hand-coin

The process of ‘Know Your Customer’ (KYC) is simple. Say you want to invest in an ICO, you may be particularly anxious that no organizations or individuals connected with or funding criminals and terrorists share the platform with you. KYC also refers to parties involved in other anti-government activities like money-laundering, smuggling, or coming from countries under sanctions. Even if you don’t care, the government does.

There have been stories where funds have been frozen or confiscated while the government inspected the company’s transactions. In 2014 for instance, more than 3,000 customers lost some, or all, of their investments in Mt. Gox, the largest Bitcoin exchange, after the US Department of Homeland Security (DHS) seized money from its U.S. subsidiary account.

I assure you, most token buyers would rather go through the quasi-onerous motions of KYC than have their crypto booty confiscated!

In a similar way, if you’re thinking of running a cryptocurrency exchange, a cryptocurrency ATM, or an ICO, you’d like people who participate in your token sales and incoming funds to be “clean”. Either way, FinCen, a bureau of the U.S. Department of the Treasury, requires ICOs to adopt KYC regulations. Finally, if you’re a money service business (MSB), you’d certainly want KYC to be your rule since banks, large corporations, and public bodies are all KYC-crazy.

As a client, this is what KYC means

Most credible bitcoin exchanges like Bitstamp, Coinbase, or Kraken will ask you to do the following:

  1. Confirm your phone number You’ll enter a code the company sends to your mobile phone.
  2. Provide personal IDYou’ll likely need to attach one or more of the following: a scan of your ID or driver’s license, a recent utility bill, and/ or a copy of your birth certificate or passport. The types of required ID documents depend on the bitcoin exchange and on the amount you want to trade, with larger amounts requiring stricter verification.  

Expect a growing number of ICOs, particularly those that are MSBs, to ask you for some of those documents, too.

Most major platforms verify your identification within one to three hours. Slower businesses may take up to a week.

As a business owner, here’s what KYC means

The process is simple:

  1. Establish customer identity – Collect basic identity documents or data like the following: IP address, name and address validation, citizenship, birth date, a photo of government issued ID (Driver’s License, passport, ID card), Social Security number or Tax Identification, bank statement, recent utility bill.
  2. Understand the nature of the customer’s activities (to satisfy yourself that the source of their funds is legitimate) – Check that they’re allowed to take part in a token sale (e.g., they are not on a sanctions list). IdentityMind Global, a service that offers risk management and anti-fraud services for e-commerce platforms, deals with this problem by comparing a selfie of the individual to the picture in the government issued ID.
  3. Monitor the customer’s activities – As of January 1, 2017, The New York Department of Financial Services (NYDFS) required an ongoing monitoring program that includes checking that the client’s financial transactions and accounts match their risk profile.

Some concerns are that individuals from sanctioned countries could hide their location and buy tokens from US companies. IdentityMind prevents this by looking at the IP address and determining, first, if the prospective clients uses a proxy (and if so, which kind), and, second, if it employs the Tor network or a VPN. If either is used, the application is denied. When it comes to money laundering, IdentityMind imposes EDD for contributors over a certain dollar amount.

EDD: Advanced KYC

There are three tiers of due diligence:

  • Simplified Due Diligence (“SDD”) – Situations where the risk for money laundering or terrorist funding is low, and you only need a partial KYC.
  • Basic Customer Due Diligence (“CDD”) – Information obtained for all customers to verify the identity of a customer and assess the risks associated with that customer. Here’s where you’ll need the complete KYC.
  • Enhanced Due Diligence (“EDD”) – Additional information collected for higher-risk customers to avoid possible risks.

Since this sounds like a lot of work and you have enough on your plate, some ICOs, or blockchain companies, dispatch identifications to third-party KYC providers, who, in turn, send documents to call centers around the world where clerks review information. Other blockchain companies, like data marketplace Datum, seek more confidentiality for their clients and review the data themselves.

Dealing with upset customers

Admittedly, KYC frazzles some people’s moods. Crypto enthusiasts, for instance, tend to disagree with the government’s “interference” ideologically, on the grounds that cryptocurrency should be anonymous, or at least, pseudo-anonymous. Others find the KYC requirements irksome and intrusive.

To modify such customers, you may want to make your requirements clear ahead of time, show how KYC protects investors, and that even if they disagree – “Sorry, guy, but we need this information to comply with FinCen’s Know your Customer requirements.

After all, know thy client saves you and your customers oodles of stress and money.