As public interest in cryptocurrencies continues to surge, criminal organizations continue to find new ways to commit a host of financial crimes, including fraud and money laundering. The blockchain promises cryptocurrency traders that they can remain completely anonymous and trade on a decentralized platform. As a result, cryptocurrencies have long been used on the dark web to buy and sell illegal items. According to the Federal Trade Commission, from the start of 2021 through the first quarter of this year, fraudsters stole more than $1 billion from 46,000 people in crypto-scams; blockchain analytics company Chainalysis’ 2022 report on ransomware payments recorded more than $692 million in extorted money during 2020, and a 1,964% increase in cryptocurrency laundered through decentralized finance protocols (DeFi), which equates to about $900 million in laundered money.
These figures reflect an industry that suffers from enormous levels of fraud. However, finance is about trust, and if the cryptocurrency market is going to have any relevance in the future, the industry must take control of the rampant crime on its exchanges. Although anonymity may be desirable for cryptocurrency traders, this desire should be less important than running safe, crime-free exchanges where the traders’ assets are protected. Governments are taking actions to eliminate crime in the cryptocurrency market, and that might be okay for investors, even if it means they have to sacrifice some anonymity.
Decentralized Finance Protocols
Before we turn to the most significant crimes riddling the cryptocurrency market, we must speak about one of the fastest-growing and most innovative sectors of the cryptocurrency economy—DeFi. DeFi refers to a class of decentralized cryptocurrency platforms, also known as protocols, that can run autonomously without the support of a central company, group, or person. DeFi protocols are built on top of smart contracts, which are programs that reside at a specific address on the blockchain—primarily the Ethereum network—and can fulfill specific financial functions determined by the smart contracts’ underlying code. In essence, DeFi is a peer-to-peer digital exchange which can be used by anyone with an internet connection. A person simply holds currency in a secure digital wallet and may transfer funds within minutes and without paying any fees.
It is easy to create DeFi tokens, have them listed on exchanges, and possibly realize incredible returns, like the Shiba Inu coin, which gained almost 500% in less than one month. For these reasons, many people have become excited about DeFi, and its transaction volume has grown 912% in 2021 alone. DeFi presents huge opportunities to entrepreneurs and cryptocurrency users alike. However, with the rise in transaction volume, scamming revenue rose 82% in 2021 to $7.8 billion worth of cryptocurrency stolen from victims.
Over $2.8 billion of the total scamming revenue came from so-called rug pulls, a scheme in which developers build what appear to be legitimate cryptocurrency projects only to take the investors’ money and disappear. There are three main types of rug pulls: liquidity stealing, limiting sell orders, and dumping. Liquidity stealing occurs when token creators withdraw all the coins from the liquidity pool, which in turn removes all the value injected into the currency by investors, driving its price down to zero. These “liquidity pulls” usually happen in DeFi environments. Limiting sell orders occurs when a developer codes the tokens in a way that only they are able to sell them. The Squid Game token is a perfect example of this type of rug pull. This token rose by more than 23 million percent before funds were drained from investors who complained that they were unable to sell their tokens. Dumping is similar to a traditional pump-and-dump scheme in which developers quickly sell off their own large supply of tokens, which drives down the price of the coin and leaves remaining investors holding worthless tokens.
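The three rug pull types can be compared by asking how much of the outside investors' exit value each one destroys. The sketch below is an added example, not taken from the article or from any real protocol; it assumes a fee-free constant-product pool, and every name and number in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Pool:
    """Fee-free constant-product pool (assumed pricing model, not from the article)."""
    tokens: float                               # token reserve
    base: float                                 # base-currency reserve
    allowed_sellers: Optional[Set[str]] = None  # None means anyone may sell

    def quote_sell(self, sender: str, amount: float) -> float:
        """Base currency `sender` would receive for selling `amount` tokens."""
        if self.allowed_sellers is not None and sender not in self.allowed_sellers:
            return 0.0                          # sell is rejected: no exit at all
        return self.base * amount / (self.tokens + amount)

    def sell(self, sender: str, amount: float) -> float:
        out = self.quote_sell(sender, amount)
        if out > 0:
            self.tokens += amount
            self.base -= out
        return out

    def remove_liquidity(self, share: float) -> float:
        """Withdraw `share` (0..1) of both reserves; returns base currency removed."""
        taken = self.base * share
        self.tokens -= self.tokens * share
        self.base -= taken
        return taken

def loss_fraction(before: float, after: float) -> float:
    return 0.0 if before == 0 else 1 - after / before

def rug_exposure(tokens, base, investor_amt, creator_lp_share,
                 creator_supply, allowed_sellers=None):
    """Fraction of the investors' combined exit value lost under each rug pull type."""
    fair = Pool(tokens, base).quote_sell("investor", investor_amt)
    pulled = Pool(tokens, base)
    pulled.remove_liquidity(creator_lp_share)   # liquidity stealing
    dumped = Pool(tokens, base)
    dumped.sell("creator", creator_supply)      # dumping
    gated = Pool(tokens, base, allowed_sellers) # limiting sell orders
    return {
        "liquidity_stealing": loss_fraction(fair, pulled.quote_sell("investor", investor_amt)),
        "dumping": loss_fraction(fair, dumped.quote_sell("investor", investor_amt)),
        "limited_sells": loss_fraction(fair, gated.quote_sell("investor", investor_amt)),
    }

if __name__ == "__main__":
    # Constructed scenario: creator controls 90% of liquidity and holds 9M tokens.
    print(rug_exposure(1_000_000, 100.0, 500_000, 0.9, 9_000_000, {"creator"}))
```

A high value in any field means the investors' ability to exit depends on the creator's behaviour, which is the condition each rug pull type exploits.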
Rug pulls accounted for 37% of all cryptocurrency scam revenue in 2021, versus just 1% in 2020. Roughly 90% of the total value lost to rug pulls in 2021 can be attributed to one fraudulent centralized exchange from Turkey, Thodex, whose CEO disappeared soon after the exchange halted users’ ability to withdraw funds. Thodex’s CEO was recently arrested in Albania and is currently awaiting extradition to Turkey. This example shows that a rug pull does not necessarily start as a DeFi project; however, DeFi has become a common space for rug pulls because the absence of centralized oversight makes it a prime target for cybercriminals.
The average financial scam was active for just 70 days in 2021, down from 192 in 2020. The downward trend may be because investigators are getting better at investigating and prosecuting scams. For example, in September 2021, the Commodity Futures Trading Commission (CFTC) filed charges against 14 entities which advertised themselves as providing compliant cryptocurrency derivative trading services. In reality, these entities allegedly failed to register with the CFTC as futures commission merchants and made misleading claims of having CFTC registration and National Futures Association membership.
Cryptocurrency theft grew even more, with roughly $3.2 billion worth of cryptocurrency stolen in 2021 — a 516% increase compared to 2020. Roughly $2.3 billion of those funds were stolen from DeFi protocols.
Historically, cryptocurrency thefts have been the result of security breaches in which hackers gain access to victims’ private keys. These keys can be obtained through phishing, keylogging, social engineering, etc. But with the rise of DeFi, deeper vulnerabilities have begun to emerge around the software. In 2021, code exploits and flash loan attacks—a type of exploit involving price manipulation—accounted for a near-majority of total value stolen across all services at 49.8%. In 2021, the ten largest hacks accounted for a majority of the funds stolen; seven of these ten attacks targeted DeFi platforms, including the largest theft with a stolen amount of $613 million. In that case, the unidentified hacker exploited an issue in the cryptography or coding of the DeFi platform, Poly Network, and stole tokens on Binance Smart Chain, Ethereum tokens, and USDC. The hacker ultimately returned the stolen funds.
A money launderer’s goal is simple: convert their illicitly obtained funds to clean cash. This is why money laundering underpins all other forms of cryptocurrency-based crime. If there is no way to access the funds, there is no incentive to commit crimes involving cryptocurrency. Since 2017, cybercriminals have laundered over $33 billion worth of cryptocurrency.
Surprisingly, money laundering activity in cryptocurrency is heavily concentrated. While billions of dollars’ worth of cryptocurrency moves from illicit addresses every year, most of it ends up at a small group of services. Many of these services appear to have been exclusively designed for money laundering based on their transaction histories. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned two of the worst-offending money laundering services (the Russian cryptocurrency over-the-counter broker Suex and the cryptocurrency exchange Chatex) for accepting funds from ransomware operators, scammers, and other cybercriminals. However, many other money laundering services remain active. In 2021, a group of just 583 deposit addresses received 54% of all funds sent from illicit addresses. One deposit address received just over $200 million, all from wallets associated with the Finiko Ponzi scheme, a scheme primarily targeting Russian speakers throughout Eastern Europe by offering them investment opportunities in its native token FNK in exchange for Bitcoin. While most cybercriminals transfer funds to addresses at centralized exchanges, usage of DeFi protocols for money laundering skyrocketed in 2021, with over $750 million worth of cryptocurrency having been transferred to DeFi platforms.
In the United States, crypto assets fall under the jurisdiction of the Bank Secrecy Act. This means that cryptocurrency exchanges must register with the Financial Crimes Enforcement Network (FinCEN) and comply with anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations.
For many years, the cryptocurrency community has wanted as little regulation as possible because the blockchain is a system of networked software which runs by itself and because it recognizes no jurisdictional boundaries. The community feared that any type of regulation would essentially destroy the reason why cryptocurrencies existed in the first place. But a recent DIFC Fintech conference revealed that the cryptocurrency industry is increasingly pushing for clear regulations. Approximately 95% of regulators currently have teams working on cryptocurrency regulations, and the United Kingdom and the United States are actively developing regulations to control cryptocurrencies.
In the United States, earlier this year, President Biden published an Executive Order on Ensuring Responsible Development of Digital Assets, which states that the United States “has an interest in ensuring that digital asset technologies and the digital payments ecosystem are developed, designed, and implemented in a responsible manner that includes privacy and security in their architecture.”
Some of the systems which have been employed to better monitor the cryptocurrency market include: know-your-customer (KYC) guidelines during customer onboarding to cryptocurrency platforms; identity verification checks; politically exposed persons and sanctions screening; and anti-money laundering checks. However, government entities around the world are seeking additional regulations to gain more control over cryptocurrency platforms, and it appears that the industry welcomes this development in the hope that it will make the trade of cryptocurrencies skyrocket. Notably, when the global cryptocurrency exchange Binance introduced KYC verifications, more than 96% of its customers complied.
It has also become apparent that law enforcement worldwide has improved its ability to track and seize illicitly obtained cryptocurrency. For example, in November 2021, the IRS Criminal Investigations Division announced that it had seized over $3.5 billion worth of cryptocurrency in 2021 — all from non-tax investigations — representing 93% of all funds seized by the division during that time period. Furthermore, the Department of Justice successfully seized $56 million in a cryptocurrency scam investigation and $2.3 million from the ransomware group behind the Colonial Pipeline attack, and Israel’s National Bureau for Counter Terror Financing seized an undisclosed amount in a case related to terrorism financing. In addition, the SEC imposed approximately $2.35 billion in total monetary penalties against digital asset market participants in 2021.
Cryptocurrency is not an untraceable, unseizable asset perfect for crime. Billions of dollars have already been seized by law enforcement, and governments’ increased focus on implementing additional regulations shows that they do not intend to slow down. It is estimated that over $25 billion in cryptocurrency is currently held by cybercriminals on the blockchain. Unlike fiat currency, which is usually disguised in networks of foreign banks and shell corporations, cryptocurrency transactions are saved on the blockchain and are visible to everyone. Investigating these transactions presents a significant opportunity for government agencies around the world. It is likely that we will continue to see successful seizures of these assets in the future.