CRYPTOCURRENCY MISAPPROPRIATION, HACKING, THEFT AND FRAUD ON TARGET FOR BANNER YEAR
According to one blockchain and cryptocurrency security firm,
this year is on pace to be the second highest in cryptocurrency
theft, hacking and fraud, with January through May 2020 already
seeing $1.36 billion stolen in crypto crimes.
CipherTrace’s Spring Cryptocurrency Crime and Anti-Money Laundering Report (Report) released on June 2, 2020, revealed that 74% of bitcoin that moved in exchange-to-exchange transactions was cross border—highlighting the need for compliance and regulation. In particular, the Report noted the need for global implementation of the Travel Rule, which applies to all US banks and Money Services Businesses (MSB), including crypto exchange and custodial wallet providers, for transactions of $3,000 and more. The Travel Rule requires banks and MSBs to share the names, geographical addresses and account numbers of both the originators and beneficiaries tied to payments of $3,000 or more with the next financial institution in line to handle the funds. The rule is a blow to the pseudo anonymity associated with cryptocurrencies.
The Report also noted an expected greater scrutiny of US Bitcoin ATMs (BATMs), as users sent more funds to high-risk exchanges than low-risk exchanges in 2019 through BATMs. High-risk exchanges are more likely to be used for money laundering schemes, such as the one run by Kunal Kalra, who pleaded guilty last year for operating a virtual currency exchange business where he exchanged US dollars for bitcoin, including proceeds of criminal activity, such as the sale of narcotics on the Darknet. At the time, the case was believed to be the first of its kind charging an unlicensed money remitting business that used a bitcoin kiosk. But with the percentage of funds being sent to high-risk exchanges doubling each year—so far this year, up to eight percent of all BATM payments are sent directly to high-risk exchanges—regulation of, and enforcement actions involving, these exchanges are likely to increase.
Enforcement actions are already starting to materialize. Earlier this year, the Office of the Comptroller of the Currency (OCC) issued a cease and desist order to a US-based bank in New York for failing to fully vet its cryptocurrency customers and transactions in high-risk jurisdictions.
The cease and desist order noted insufficient Anti-Money Laundering (AML) controls, including opening accounts for Digital Asset Customers without sufficient customer due diligence “and a lack of adequate monitoring and investigating of suspicious transactions linked to these customers.” These deficiencies, in turn, prevented the bank from “effectively identifying and investigating suspicious activity linked to crypto-related accounts,” which prevented the bank from submitting Suspicious Activity Reports (SARs) to the US Department of Treasury’s Financial Crimes Enforcement Network (FinCEN). Importantly, the bank in question was required to implement measures to update its AML and Bank Secrecy Act (BSA) compliance programs involving digital assets.
The Report also found that the global average of criminal funds sent directly to exchanges overall dropped 47% in 2019, suggesting that criminals are finding it harder to offload illicit proceeds directly into cryptocurrency exchanges. While this suggests more effective implementation of AML measures, the downside may be that criminals are getting smarter about concealing the origins of their stolen funds prior to cashing out on exchanges.
In 2019, blockchain hacks, frauds and thefts totaled $4.5 billion, with the vast majority of that amount attributed to fraud and misappropriation versus hacks and thefts.
This year, the trend remains the same, with scams related to COVID-19 contributing to the losses. These scams take the form of impersonation of legitimate organizations and entities (i.e., the Red Cross) in order to obtain personal information and payment in cryptocurrency, applications claiming to support victims but, which are actually spying on users and the sale of PPE – supposed treatments, testing kits, and phishing kits that never materialize.
The Report identified Finnish, Russian and UK exchanges as the top three global destinations for criminal funds last year. The Report reiterated that earlier this year, the Financial Action Task Force (FATF), often referred to as a global AML and counter-terrorism financing watchdog, found that the United States is largely compliant when it comes to regulations relating to cryptocurrencies and virtual assets.
Given the pace at which bitcoin fraud, misappropriation, theft and hacking appears to be occurring this year, as well as the latest criminal cases and enforcement actions, banks and MSBs are best advised to examine the robustness of their AML and BSA compliance programs, particularly in light of the Travel Rule, in order to avoid an enforcement action, losses associated with cryptocurrency fraud or, worse yet, a criminal case.