Technology to help regulators and compliance departments has been in development and deployment for several decades. Why do some of the laws exist in the first place? And in the world of anarchic cryptocurrencies, what have market participants done to become compliant or non-compliant with laws surrounding identification and sanctions screening?
This presentation looks at coin intermediaries (commonly called cryptocurrency exchanges) and the various problems and challenges that have occurred over their existence. This includes hacks, insider thefts, exit scams, and facilitating money laundering.
This was first presented at Boston University on April 23, 2019. References are in the speaker notes.
2. Disclaimer
● These slides contain names of specific companies. This is for illustrative purposes only and is not intended to be seen as an endorsement.
● The contents herein do not reflect the views or opinions of anyone else but myself.
● I am not a lawyer.
4. Common acronyms
KYC - Know Your Customer
AML - Anti-Money Laundering
CFT - Countering the Financing of Terrorism
BSA - Bank Secrecy Act
SAR - Suspicious Activity Report
PII - Personally Identifiable Information
FinCEN - Financial Crimes Enforcement Network
5. A (very) brief history of one example
Most of the agencies, bureaus, and departments that monitor and enforce these types of laws do so because of what has happened in the past.
For instance, following the terrorist attacks on September 11, 2001, a series of laws was enacted, including the USA PATRIOT Act:
“Title III of the PATRIOT Act amended the BSA to require financial institutions to establish anti-money-laundering programs by establishing internal policies, procedures, and controls, designating compliance officers, providing ongoing employee training, and testing their programs through independent audits.”
7. Common catchphrases used by promoters
“Not your keys, not your coins”
“Trusted third parties are security holes”
Yet on a given day, the majority of on-chain activity (roughly 80%) is typically movement from one coin intermediary to another.
13. A couple of specific addresses were added to OFAC’s SDN list due to their role in facilitating the liquidation of bitcoins generated from the SamSam ransomware…
… what does that mean for other users in a sanctioned country?
15. Lightning Torch
Ziya Sadr, a UK national from Wales, apparently “evaded” sanctions on Iran by using Lightning... and telling everyone on Twitter.
Because we can see the unbroken chain of transactions between Sadr and others, there has been speculation that someone may have violated AML/CTF requirements.
That someone could even include infrastructure providers who acted as intermediaries (such as Twitter):
- the Torch marketing campaign was conducted off-chain via Twitter, which does have a Terms of Service (and is also prone to bot-driven manipulation campaigns)
16. Bitcoin and all of its clones, in theory and by design, have the ability to route around third parties as well; Coinbase even got in trouble for pointing this out in a pitch deck in 2015.
19. According to Chainalysis, last year (2018):
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued guidance on cryptocurrencies earlier this year in response to the Petro token.
FinCEN issued an advisory on the Iranian regime's illicit activities to exploit the financial system, including the deceptive use of digital currency to bypass sanctions.
And in November, OFAC added cryptocurrency addresses linked to individuals to its Specially Designated Nationals (SDN) list for the first time, setting a new precedent requiring cryptocurrency businesses and financial institutions to be prepared to react swiftly to OFAC designations in the future.
24. After all these years, why’d LBC (LocalBitcoins) make this announcement?
Allegedly, the walls were closing in on them, especially given their role in ransomware liquidation.
28. Isn’t there adult supervision now?
Nope, no widely used SRO (few members in the VCA).
SRO: Self-Regulating Organization
VCA: Virtual Commodity Association
43. Elementus tracked the CoinBene “hack”
Note: CoinBene is alleged to have had ‘fake volume’ prior to large amounts of coins being converted into ETH on EtherDelta.
52. According to Coveware
The total cost of a ransomware attack can be divided into two main costs:
● First, the recovery cost:
○ These expenses cover forensic reviews and assistance in rebuilding servers and workstations. If a ransom is paid, then that is also a recovery expense.
● The second, and often more expensive, cost of a ransomware attack is the total cost of downtime:
○ Downtime costs are typically 5-10x the actual ransom amount and are measured in lost productivity (slack labor and lost revenue opportunities).
72. Evolution DNM (darknet market)
The previous chart visualizes the time period from January 16, 2014 to March 18, 2015.
The average number of transactions per day was 1,004, and the average number of bitcoins received per day was 562.
However, as shown in the chart above, it was not until the fall of 2014 that Evolution hit its stride.
74. Evolution DNM and BitPay
Another way of looking at that same trend is a comparison: a log scale measuring the amount of bitcoins that both BitPay (in green) and Evolution (in red) received, starting January 16, 2014.
The drop-off at the end, in March 2015, is related to the exit scam that Evolution pulled (and the drop-off for BitPay is related to a limitation in WalletExplorer’s data).
76. According to Soska and Christin (2015)
In Figure 5 and the discussion around it: prior to Operation Onymous, six large darknet marketplaces collectively accounted for more than $600,000 in sales per day.
It is unclear how much of that activity was expressly illegal, although the paper does attempt to break down the amount of illicit drugs being sold on the same sites.
During the same time frame (most of 2014), volume at payment processors such as BitPay and Coinbase was relatively flat, with a few outliers on days with speculative and media frenzies, as well as ‘Bitcoin Black Friday.’
77. That’s a few years old; what does it look like in April 2019?
81. ‘Backwards looking’ into 2015
According to Chainalysis, by hiding all the intermediate steps we can begin to learn how most of the Bitcoin ecosystem is put together (e.g., can it be split into subsystems? Is there a dark and a lit economy? What is bitcoin actually used for?).
Legend:
● Blue: virtual currency exchanges
● Red: darknet markets
● Pink: coin mixers
● Green: mining pools
● Yellow: payment processors
Altogether there are 14 major exchanges tracked in blue, including (in alphabetical order): Bitfinex, Bitreserve (now Uphold), Bitstamp, BitVC (subsidiary of Huobi), BTCC (formerly BTC China), BTC-e, Circle, Coinbase (most), Huobi, itBit, Kraken, LocalBitcoins, OKCoin and Xapo.
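The slide above describes collapsing unlabeled intermediate hops into entity-to-entity flows, and slide 13 asks what an address designation means for everyone downstream of it. The block below is an added example written for this page; it is not code from the talk, and it is not how Chainalysis, WalletExplorer or WizSec actually implement attribution. It traces a constructed eight-transaction UTXO ledger (`TXS`) against a hypothetical label set (`LABELS`), records a flow only when value reaches a labeled entity, and then re-runs the same trace with a hypothetical designated address (`SANCTIONED`, the made-up address `b1`) treated as its own origin, to show which entities end up holding value descended from it. Every address, amount and label in it is constructed.

```python
"""Toy entity-level flow tracing over a constructed UTXO ledger (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Mapping, Sequence, Set, Tuple

Flows = Dict[Tuple[str, str], float]   # (origin entity, destination entity) -> btc


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Tuple[str, float], ...]   # (address, btc) previous outputs being spent
    outputs: Tuple[Tuple[str, float], ...]  # (address, btc) paid; sum(out) <= sum(in)


# Hypothetical attribution set: labeled addresses are known entities, every other
# address is an intermediate hop we want to hide.
LABELS: Mapping[str, str] = {
    "pool1": "mining pool",
    "exch1": "exchange",
    "exch2": "exchange",
    "darknet1": "darknet market",
    "proc1": "payment processor",
}

# Hypothetical designation: pretend b1 were an address added to the SDN list.
SANCTIONED: Set[str] = {"b1"}

# Constructed ledger in confirmation order; fees are sum(in) - sum(out).
TXS: Sequence[Tx] = (
    Tx("t1", (), (("pool1", 12.5),)),                                  # coinbase: no inputs
    Tx("t2", (("pool1", 12.5),), (("a1", 12.49),)),                    # pool pays a miner
    Tx("t3", (("a1", 12.49),), (("exch1", 10.0), ("a2", 2.48))),       # deposit plus change
    Tx("t4", (("darknet1", 5.0),), (("b1", 4.99),)),                   # market payout to b1
    Tx("t5", (("b1", 4.99),), (("b2", 3.0), ("b3", 1.98))),            # b1 splits its coins
    Tx("t6", (("b2", 3.0), ("b3", 1.98), ("a2", 2.48)), (("exch2", 7.45),)),  # merged deposit
    Tx("t7", (("exch2", 1.0),), (("c1", 0.99),)),                      # exchange withdrawal
    Tx("t8", (("c1", 0.99), ("z9", 0.5)), (("proc1", 1.48),)),         # z9: no history in our data
)


def collapse_flows(txs: Sequence[Tx], labels: Mapping[str, str]) -> Flows:
    """Return {(origin, destination): btc} with unlabeled hops hidden.

    Unlabeled addresses carry a mix {origin: btc}. A labeled address resets the
    origin to its own entity, so flows are recorded only on arrival at a labeled
    address. Mixed-origin spends are apportioned pro rata across outputs (fees are
    absorbed pro rata too). Assumption: an unlabeled address is spent in full the
    first time it appears as an input.
    """
    taint: Dict[str, Dict[str, float]] = {}
    flows: Flows = defaultdict(float)
    for tx in txs:
        mix: Dict[str, float] = defaultdict(float)
        if not tx.inputs:                                   # coinbase transaction
            mix["coinbase"] = sum(amt for _, amt in tx.outputs)
        for addr, amt in tx.inputs:
            if addr in labels:
                mix[labels[addr]] += amt
            elif addr in taint:
                for origin, part in taint.pop(addr).items():
                    mix[origin] += part
            else:                                           # funding tx not in our data set
                mix["unknown"] += amt
        total_in = sum(mix.values())
        if total_in <= 0:
            continue                                        # nothing to attribute
        for addr, amt in tx.outputs:
            share = {origin: part * amt / total_in for origin, part in mix.items()}
            if addr in labels:
                for origin, part in share.items():
                    flows[(origin, labels[addr])] += part
            else:
                bucket = taint.setdefault(addr, defaultdict(float))
                for origin, part in share.items():
                    bucket[origin] += part
    return dict(flows)


def sanctioned_exposure(txs: Sequence[Tx], labels: Mapping[str, str],
                        sanctioned: Set[str]) -> Dict[str, float]:
    """btc reaching each labeled entity that descends from a sanctioned address.

    Re-runs the trace with each sanctioned address as its own labeled origin, so
    everything downstream of it (until the next labeled entity) is attributed to it.
    """
    relabeled = {**labels, **{a: f"SDN:{a}" for a in sanctioned}}
    exposure: Dict[str, float] = defaultdict(float)
    for (origin, dest), btc in collapse_flows(txs, relabeled).items():
        if origin.startswith("SDN:"):
            exposure[dest] += btc
    return dict(exposure)


if __name__ == "__main__":
    for (src, dst), btc in sorted(collapse_flows(TXS, LABELS).items()):
        print(f"{src:>15} -> {dst:<17} {btc:8.4f}")
    print(sanctioned_exposure(TXS, LABELS, SANCTIONED))
```

Two simplifications matter when reading the output. Origin is reset whenever value passes through a labeled entity, so the exchange withdrawal in `t7` is attributed to the exchange and `proc1` shows no darknet exposure at all; a real investigator would want to ask the exchange who withdrew. And mixed-origin spends are apportioned pro rata, so the deposit in `t6`, which merges the designated address's outputs with `a2`'s mining-pool change, is reported as partly exposed rather than as a binary hit. That co-spending is exactly how screening by address descent sweeps in other users: `a2` never touched the designated address, yet its coins land in the same flagged deposit at `exch2`.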
82. Mt Gox from 2011-2014 (according to WizSec)
87. According to WizSec:
12hRmmSda9qSSEH656zBaKEbeisH6ZhdTm: ~335,000 BTC (exhibit 10)
Claimed to be owned by Wright and supposedly used to lend Kleiman 50,000 BTC as part of a software development licensing and financing agreement. However, this is actually an internal MtGox address, descending directly from Mark Karpelès' famous 424,242.42424242 BTC proof-of-solvency transaction in 2011.
89. WizSec cont’d:
12C9c9VQLMrLi4Ffzq2wDvwrKnUPaAaNFp: 250,000 BTC (exhibit 10)
Same as above, claimed to be owned by Wright and supposedly used for a 250,000 BTC loan. However, this address actually belongs to original MtGox founder Jed McCaleb.
94. Why are (anarchic) cryptocurrencies used?
From the NY Post:
Crypto’s signature qualities appeal to privacy advocates and thieves alike. Theft, said Brian Krebs, owner of the cyber-news site KrebsOnSecurity, is “irreversible.” What you lose, he said, you can’t get back.
98. A (brief) anatomy of a hack
The first 10 blocks that included transactions from the August 2016 Bitfinex hack were mined by the following pools (listed chronologically):
• BTCC Pool (mined the first block containing hack transactions)
• AntPool
• ViaBTC
• AntPool
• BTCC Pool
• BW Pool
• Bitfury
• ViaBTC
• F2Pool
• F2Pool
102. Jumio cont’d
Why is this a big deal? According to one industry source:
“These guys are huge, they’re in every crypto exchange. Sounds like a single point of failure.
If you outsource your KYC on retail you might be getting dogsh*t. They probably just crawl a couple of publicly available databases and perhaps do a query in a paid one like LexisNexis and that's it. Who would check anyway? KYC is risk-based so it's not like there's one true way of doing it.”
103. Didn’t even touch on:
- ICOs / STOs
- “stablecoins” that aren’t stable
- Gambling / casino games (Satoshi Dice, POWH, FOMO3D)
- PTK (ultimate comedy gold)
104. But we can turn these lemons into lemonade…
… on the horizon is a socially useful invention
105. Central bank digital currency (CBDC)
Note: there are many different proposals and models.