Technology to help regulators and compliance departments has been in development and deployment for several decades. Why do some of the laws exist in the first place? And in the world of anarchic cryptocurrencies, what have market participants done to become compliant or non-compliant with laws surrounding identification and sanctions screening? This presentation looks at coin intermediaries (commonly called cryptocurrency exchanges) and the various problems and challenges that have occurred over their existence. This includes hacks, insider thefts, exit scams, and facilitating money laundering. This was first presented at Boston University on April 23, 2019. References are in the speaker notes.

1. Regtech
What it is and why it is helpful

2. Disclaimer
● These slides contain names of specific companies. This is
for illustrative purposes only and is not intended to be seen
as an endorsement.
● The contents herein does not reflect the views or opinions of
anyone else but myself.
● I am not a lawyer.
2

3. What, why, and who?
3

4. Common acronyms
KYC - Know Your Customer
AML - Anti-money Laundering Laws
CFT - Countering Financing of Terrorism
BSA - Bank Secrecy Act
SAR - Suspicious Activity Report
PII - Personally Identifiable Information
FinCEN - Financial Crimes Enforcement Network
4

5. A (very) brief history of one example
Most of the agencies, bureaus, and departments that monitor and enforce these
types of laws, do so because of what has happened in the past
For instance, following the terrorist attacks on September 11, 2001, a series of
laws were enacted including the PATRIOT Act
“Title III of the PATRIOT Act amended the BSA to require financial institutions to
establish anti-money-laundering programs by establishing internal policies,
procedures, and controls, designating compliance officers, providing ongoing
employee training, testing their programs through independent audits.”
5

6. What does this have to do with cryptocurrencies?
6

7. Common catch phrases used by promoters
“Not your keys, not your coins”
“Trusted third parties are security holes”
Yet in a given day, the majority of on-chain activity
(~80%) is typically movement from one coin
intermediary to another
7

8. 8

9. 9

10. Relevant but that’s four years old…
… so let’s look at some recent headlines
10

11. 11

12. 12

13. A couple of specific addresses were added due to
their role in facilitating the liquidation of bitcoins
generated from the SamSam ransomware…
… what does that mean for other users in a
sanctioned country?
13

14. 14

15. Lightning Torch
Ziya Sadr—a UK national from Wales—apparently “evaded” sanctions of Iran by
using Lightning... and telling everyone on Twitter.
Because we can see the unbroken transactions between Sadr and others, there
has been speculation that someone may have violated AML/CTF requirements.
That someone could even include infrastructure providers who acted as
intermediaries (such as Twitter):
- the Torch marketing campaign was conducted off-chain via Twitter which
does have a ToS (is also prone to bot-driven manipulation campaigns)
15

16. Bitcoin and all of its clones— in theory— by design have the
ability to route around third parties as well, Coinbase even
got in trouble for pointing this out in a pitch deck in 2015
16

17. 17

18. 18

19. According to Chainalysis, last year:
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued guidance on
cryptocurrencies earlier this year in response to the Petro token.
FinCEN issued an advisory on the Iranian regime's illicit activities to exploit the financial system, including
the deceptive use of digital currency to bypass sanctions.
And in November, OFAC added cryptocurrency addresses linked to individuals to its Specially Designated
Nationals (SDN) list for the first time, setting a new precedent requiring cryptocurrency businesses and
financial institutions to be prepared to react swiftly to OFAC designations in the future.
19

20. Speaking of FinCEN...
20

21. 21

22. Powers traded ~$5 million bitcoin without filing a
SAR or obtaining a MSB license
22

23. 23

24. After all these years, why’d LBC make this
announcement?
Allegedly, walls were closing in them,
especially with their role in ransomware
liquidation.
24

25. LBC replaced BTC-e?
25

26. What happened to BTC-e?
26

27. 27

28. Isn’t there adult supervision now?
Nope, no widely used SRO (few members in
the VCA)
SRO: Self-regulating Organization
VCA: Virtual Commodity Association
28

29. 29

30. And there is a double-edged sword when an
un(der)regulated intermediary collects PII
30

31. 31

32. 32

33. 33

34. Then it turns out the still-living co-founder, Michael
Patryn (Omar Dhanani), is an ex-con who got
deported from the US for identity theft
34

35. 35

36. How many depositors at Quadriga?
92,000 depositors or 115,000 or 350,000...
36

37. Why do bitcoin holders still deposit their coins with
intermediaries even though they know it is a security
hazard?
37

38. A user on HitBTC partaking in self-incrimination...
38

39. 39

40. But special interest groups say that hacks
are on the decline? Is that true?
40

41. 41

42. Okay, and what about tracing hacks?
42

43. Elementus tracked the CoinBene “hack”
Note: CoinBene is alleged to have had ‘fake volume’ prior to
large amounts of coins being converted into ETH on
Etherdelta
43

44. 44

45. 45

46. Don’t worry, funds are safe… SAFU!
46

47. 47

48. 48

49. Briefly mentioned earlier…
… ransomware aka ‘data kidnapping’
49

50. 50

51. 51

52. According to Coveware
The total cost of a ransomware attack can be divided into two main costs:
● First, the recovery cost:
○ These expenses cover forensic reviews and assistance in rebuilding
servers and work-stations. If a ransom is paid, then that is also a
recovery expense.
● The second, and often more expensive cost of a ransomware attack is the
total cost of downtime:
○ Downtime costs are typically 5-10x the actual ransom amount and are
measured in lost productivity (slack labor and lost revenue opportunities). 52

53. 53

54. ~98% of these payments were paid in bitcoin
Remaining via dash or monero
54

55. What’s a specific example of ransomware?
#WannaCry
55

56. 56

57. 57

58. 58

59. 59

60. Are you running infrastructure that is used to
process proceeds of illicit activity?
60

61. 61

62. 62

63. Guess which US payment processor allegedly
liquidated funds from the GRU?
63

64. 64

65. 65

66. 66

67. 67

68. Darknet markets (DNMs)
68

69. 69

70. Let’s turn back the clock a few years
70

71. 71

72. Evolution DNM
The previous chart visualizes the time period between January 16, 2014 – March
18, 2015.
The average number of transactions per day was 1,004 and average bitcoins per
day was 562.
However, as shown in the chart above it was not until the fall of 2014 that
Evolution hit its stride.
72

73. 73

74. Evolution DNM and BitPay
Another way of looking at that same trend is the comparison: a log scale
measuring the amount of bitcoins that both BitPay (in green) and Evolution (in red)
received starting January 16, 2014.
The drop off at the end in March 2015 is related to the exit scam that Evolution
underwent (and the drop off for BitPay is related to a limitation in WalletExplorer’s
data).
74

75. 75

76. According to Soska and Christin 2015
In Figure 5 and the discussion involved, prior to Operation Olympus, six large dark
net marketplaces collectively accounted for more than $600,000 in sales per day.
It is unclear how much of that activity was expressly illegal, although the paper
does attempt to break down the amount of illicit drugs being sold on the same
sites.
During the same time frame (most of 2014), volume at payment processors such
as BitPay and Coinbase were relatively flat with a few outliers during days with
speculative and media frenzies as well as ‘Bitcoin Black Friday.’
76

77. That’s a few years old, what does it look like
in April 2019?
77

78. 78

79. What other ways can transfers be visualized?
79

80. 80

81. ‘Backwards looking’ into 2015
According to Chainalysis, by hiding all the intermediate steps we can begin to learn how most of the
Bitcoin ecosystem is put together (e.g., can it be split into sub systems?, is there a dark and a lit
economy?, and what is bitcoin actually used for?).
Legend:
● Blue: virtual currency exchanges
● Red: darknet markets
● Pink: coin mixers
● Green: mining pools
● Yellow: payment processors
Altogether there are 14 major exchanges tracked in blue including (in alphabetical order): Bitfinex,
Bitreserve (now Uphold), Bitstamp, BitVC (subsidiary of Huobi), BTCC (formerly BTC China), BTC-e,
Circle, Coinbase (most), Huobi, itBit, Kraken, LocalBitcoins, OKCoin and Xapo. 81

82. Mt Gox from 2011-2014
(according to WizSec)
82

83. 83

84. 84

85. 85

86. The Craig Wright and David Kleinman estate claims
86

87. According to WizSec:
12hRmmSda9qSSEH656zBaKEbeisH6ZhdTm: ~335,000 BTC (exhibit 10)
Claimed to be owned by Wright and supposedly used to lend Kleiman 50,000 BTC
as part of a software development licensing and financing agreement. However,
this is actually an internal MtGox address, descending directly from Mark
Karpelès' famous 424,424.42424242 proof-of-solvency transaction in 2011
87

88. 88

89. WizSec cont’d:
12C9c9VQLMrLi4Ffzq2wDvwrKnUPaAaNFp: 250,000 BTC (exhibit 10)
Same as above, claimed to be owned by Wright and supposedly used for a
250,000 BTC loan. However, this address actually belongs to original MtGox
founder Jed McCaleb
89

90. 90

91. SIM swapping
91

92. 92

93. 93

94. Why are (anarchic) cryptocurrencies used?
From NY Post:
Crypto’s signature qualities appeal to privacy advocates
and thieves alike. Theft, said Brian Krebs, owner of the
cyber-news site KrebsOnSecurity, is “irreversible.” What
you lose, he said, you can’t get back.
94

95. Real-time monitoring?
95

96. 96

97. 97

98. A (brief) anatomy of a hack
The first 10 blocks that included transactions from the August 2016 Bitfinex hack
were included in blocks by the following pools (listed chronologically):
• BTCC Pool (mined the first block of the hack)
• AntPool
• ViaBTC
• AntPool
• BTCC Pool
• BW Pool
• Bitfury
• ViaBTC
• F2Pool
• F2Pool
98

99. Sometimes service providers are a risk too
99

100. 100

101. 101

102. Jumio cont’d
Why is this a big deal? According to one industry source:
“These guys are huge, they’re in every crypto exchange. Sounds like a
single point of failure.
If you outsource your KYC on retail you might be getting dogsh*t. They
probably just crawl a couple publicly available databases and perhaps
do a query in a paid one like Lexis Nexis and that's it. Who would check
anyway? KYC is risk-based so it's not like there's one true way of doing
it.”
102

103. Didn’t even touch on:
- ICOs / STOs
- “stablecoins” that aren’t stable
- Gambling / casino games (Satoshi Dice, POWH, FOMO3D)
- PTK (ultimate comedy gold)
103

104. But we can turn these lemons into
lemonade…
… on the horizon is a socially useful invention
104

105. Central bank digital currency (CBDC)
Note: there are many different proposals and models
105

106. 106

107. Questions / comments?
tim@postoaklabs.com
@ofnumbers
107