CRYPTOCURRENCY MISAPPROPRIATION, HACKING, THEFT AND FRAUD ON TARGET FOR BANNER YEAR
According to one blockchain and cryptocurrency security firm,
this year is on pace to be the second highest in cryptocurrency
theft, hacking and fraud, with January through May 2020 already
seeing $1.36 billion stolen in crypto crimes.
CipherTrace’s Spring Cryptocurrency Crime and Anti-Money
Laundering Report (Report) released on June 2, 2020, revealed
that 74% of bitcoin that moved in exchange-to-exchange
transactions was cross border—highlighting the need for
compliance and regulation. In particular, the Report noted the
need for global implementation of the Travel Rule, which applies
to all US banks and Money Services Businesses (MSB), including
crypto exchange and custodial wallet providers, for transactions
of $3,000 and more. The Travel Rule requires banks and MSBs to
share the names, geographical addresses and account numbers of
both the originators and beneficiaries tied to payments of
$3,000 or more with the next financial institution in line to
handle the funds. The rule is a blow to the pseudo anonymity
associated with cryptocurrencies.
The Report also noted an expected greater scrutiny of US Bitcoin
ATMs (BATMs), as users sent more funds to high-risk exchanges
than low-risk exchanges in 2019 through BATMs. High-risk
exchanges are more likely to be used for money laundering
schemes, such as the one run by Kunal Kalra, who pleaded guilty
last year for operating a virtual currency exchange business
where he exchanged US dollars for bitcoin, including proceeds of
criminal activity, such as the sale of narcotics on the Darknet.
At the time, the case was believed to be the first of its kind
charging an unlicensed money remitting business that used a
bitcoin kiosk. But with the percentage of funds being sent to
high-risk exchanges doubling each year—so far this year, up to
eight percent of all BATM payments are sent directly to
high-risk exchanges—regulation of, and enforcement actions
involving, these exchanges are likely to increase.
Enforcement actions are already starting to materialize. Earlier
this year, the Office of the Comptroller of the Currency (OCC)
issued a cease and desist order to a US-based bank in New York
for failing to fully vet its cryptocurrency customers and
transactions in high-risk jurisdictions.
The cease and desist order noted insufficient Anti-Money
Laundering (AML) controls, including opening accounts for
Digital Asset Customers without sufficient customer due
diligence “and a lack of adequate monitoring and investigating
of suspicious transactions linked to these customers.” These
deficiencies, in turn, prevented the bank from “effectively
identifying and investigating suspicious activity linked to
crypto-related accounts,” which prevented the bank from
submitting Suspicious Activity Reports (SARs) to the US
Department of Treasury’s Financial Crimes Enforcement Network
(FinCEN). Importantly, the bank in question was required to
implement measures to update its AML and Bank Secrecy Act (BSA)
compliance programs involving digital assets.
The Report also found that the global average of criminal funds
sent directly to exchanges overall dropped 47% in 2019,
suggesting that criminals are finding it harder to offload
illicit proceeds directly into cryptocurrency exchanges. While
this suggests more effective implementation of AML measures, the
downside may be that criminals are getting smarter about
concealing the origins of their stolen funds prior to cashing
out on exchanges.
In 2019, blockchain hacks, frauds and thefts totaled $4.5
billion, with the vast majority of that amount attributed to
fraud and misappropriation versus hacks and thefts.
This year, the trend remains the same, with scams related to
COVID-19 contributing to the losses. These scams take the form
of impersonation of legitimate organizations and entities (i.e.,
the Red Cross) in order to obtain personal information and
payment in cryptocurrency, applications claiming to support
victims but, which are actually spying on users and the sale of
PPE – supposed treatments, testing kits, and phishing kits that
never materialize.
The Report identified Finnish, Russian and UK exchanges as the
top three global destinations for criminal funds last year. The
Report reiterated that earlier this year, the Financial Action
Task Force (FATF), often referred to as a global AML and
counter-terrorism financing watchdog, found that the United
States is largely compliant when it comes to regulations
relating to cryptocurrencies and virtual assets.
Given the pace at which bitcoin fraud, misappropriation, theft
and hacking appears to be occurring this year, as well as the
latest criminal cases and enforcement actions, banks and MSBs
are best advised to examine the robustness of their AML and BSA
compliance programs, particularly in light of the Travel Rule,
in order to avoid an enforcement action, losses associated with
cryptocurrency fraud or, worse yet, a criminal case.