In her monthly Expert Take column, Selva Ozelli, an international tax attorney and CPA, covers the intersection between emerging technologies and sustainability, and provides the latest developments around taxes, AML/CFT regulations and legal issues affecting crypto and blockchain.
Talk about ending a stellar career at the United States Department of Justice with a bang. The DoJ’s first-ever “crypto czar,” Michele Korver, advised government attorneys, federal agents, the Department of the Treasury’s Financial Stability Oversight Council and the U.S. delegation to the Financial Action Task Force on cryptocurrency matters, and she developed cryptocurrency seizure and forfeiture policy and legislation. While she was wrapping up her last day on the job, an affiliate of the notorious “REvil” gang, which is best known for extorting $11 million in Bitcoin (BTC) from meat processor JBS after an attack on Memorial Day, executed the single biggest global ransomware attack on record to kick off the July 4 holiday weekend.
Related: Meet DoJ’s Crypto Czar: Expert take
REvil’s supply chain-targeted ransomware attack successfully spread malware to thousands of businesses in at least 17 countries that outsourced their IT department to Kaseya, a privately held company based in Dublin, Ireland. It did so in one fell swoop, thanks to Kaseya’s compromised IT management software, VSA — resulting in a $70 million payday in Monero (XMR). If REvil is successful, they could perform a second attack on the businesses that chose to pay the Mondero demand. According to a recent report by Cybereason titled “Ransomware: The True Cost to Business,” 80% of businesses that choose to pay a ransomware demand are targeted a second time. REvil could then turn around and launder the illicit proceeds on dark web markets, as outlined in a report issued by Flashpoint and Chainalysis.
Criminals prefer using cryptocurrency tumblers/mixing services or privacy coins like Monero when paying for illicit goods and services in order to obscure the trail back to the fund’s original source, points out Korver, who co-authored an article titled “Surfing the First Wave of Cryptocurrency Money Laundering” in a journal issued by the DoJ. As she writes:
“Criminals follow common paths when placing, layering, and integrating their ill-gotten cryptocurrency. Those paths go through several primary domains, including institutional exchanges, P2P exchangers, mixing and tumbling services, and traditional banks. [...] Some of these primary domains, such as P2P exchangers and mixing services, appear to more directly cater to criminals in need of laundering cryptocurrency.”
For example, Korver explains: “To first possess cryptocurrency, criminals [including cyberattackers and ransom demanders] must set up wallets. Those wallets might be under their exclusive control [un-hosted wallets], or they might be custodial wallets hosted by a third-party service provider, such as an institutional exchange. Once in a wallet, funds can be sent to mixing services or gambling sites to obscure their historical trail. From there, the funds can be converted to fiat currency through exchanges, P2P exchangers, or kiosks. Sometimes, the funds will then be sent to bank accounts or cryptocurrency debit cards where they can be used to buy things or pay off debts. While this is the typical way in which the primary domains appear in the PLI process, criminals can use the domains in almost any way they want: Wallets can be used to mix funds; P2P exchangers can be used to integrate the funds; and kiosks can be used for layering. Criminals can also repeat the steps of the PLI process to further obfuscate the origin of the ill-gotten funds, though they incur additional costs and risk every time they repeat the cycle.”
In the context of ransomware payments, the number of which has increased by around 500% since the onset of the COVID-19 pandemic, Korver goes on to say that “Victims of ransomware attacks have relied on P2P exchangers. With the rise of ransomware as a standardized criminal enterprise, an increasing number of victims have been forced to purchase cryptocurrency in short order. It has been estimated that 9% of Bitcoin transactions are attributable to ransomware or some other form of cyber extortion payment. If it takes days or weeks to open a validated account at an institutional exchange, a P2P exchanger can offer cryptocurrency at a moment’s notice, and victims are willing to pay this speed premium. Victims have noted that ‘the processing times [at a registered institutional exchange] were far beyond the scope of the immediacy posed by the ransom’ and that a P2P exchanger was a better option for obtaining cryptocurrency in a hurry.”
Prior to Korver’s arrival at the Financial Crimes Enforcement Network, FinCEN authorities proposed a rule taking aim at transactions involving unhosted cryptocurrency wallets, which are generally software installed on a computer, phone or other device. The cryptocurrency in an unhosted wallet are controlled by an individual, who can receive, send and exchange their crypto assets person-to-person with other unhosted wallets, or on an exchange platform, without revealing their identity — making it more difficult to trace and scrutinize transactions for Anti-Money Laundering and Counter-Terrorist Financing compliance risks.
These concerns are shared by the Financial Action Task Force (FATF), the intergovernmental body responsible for setting AML standards. The updates proposed by the FAFT to its 2019 guidance expand the definition of a Virtual Asset Service Provider (VASP) to include several noncustodial cryptocurrency businesses, meaning they will be subject to AML/CFT regulations. Peer-to-peer decentralized exchanges/structures (except for rules that apply to all entities, like targeted financial sanctions) remain under review.
As cryptocurrencies — along with ransomware attacks — become more mainstream, Korver will advance FinCEN’s leadership role in the digital currency space by working across internal and external partners to bring forward strategic and innovative solutions to prevent and mitigate illicit financial practices and exploitation.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.