Nowadays, cybercrime is often mentioned in the same breath as crypto assets such as bitcoin and Ether. While this may be understandable given the much-quoted anonymity of such assets, the question remains whether they really are a suitable target for fraudsters. After all, authorities and financial intermediaries are still able to trace and analyse payment flows many years further down the line. This is highlighted by cases such as MtGox and Silk Road, for which proceedings are still ongoing even years after irregularities came to light, with ever more involved wallets being identified.
While offences on the Internet are nowadays summarised under the term “cybercrime”, they were also committed prior to the emergence of crypto assets. Well-known fraud patterns include phishing. Here, forged e-mails are sent in which it is claimed that confidential data – such as online banking access data – should be transmitted to the bank in question once more. This data in turn allows criminals to access the affected bank accounts. Spying on data using malware – so-called “Trojan horses” – can also be used for identity theft and for obtaining banking data.
An increasing number of instances of cybercrime linked to crypto assets is currently being reported in the media, although the fraud patterns are familiar. The only difference compared to the well-known methods of fraud is that it is now bitcoins or Ether that are being preyed upon instead of Swiss francs or euros. With respect to the aforementioned issue of identity theft, so-called “SIM swapping”, in particular, is enjoying growing popularity in the world of cryptocurrencies. In these cases, fraudsters gain control of a smartphone’s SIM card, and then empty out the wallet saved on it.
The Internet is not a “safe haven”. Even before crypto assets became widespread, the increase in cybercrime had already led to national and international measures being adopted to combat criminal activities. At a European level, the European Cybercrime Centre (EC3) was established in 2013 as part of Europol. To improve cross-border cooperation between the authorities, the Joint Cybercrime Action Taskforce (J-CAT) was added as part of EC3 in 2014. Corresponding structures were also established in individual European countries. In 2015, for example, the Bavarian Central Office for Cybercrime (Zentralstelle Cybercrime Bayern – ZCB) was set up at a German federal-state level. It not only pursues criminal cases, but also contributes to the development of new tools to combat crime and offers further training courses in the area of cybercrime. As the Swiss Federal Council communicated in a press release of 31 January 2019, a centre of expertise for cybersecurity will be launched in Switzerland as well.
When criminals get their hands on online banking access data via phishing and Trojan horses, the affected funds are usually transferred to Asia. Even where such fraudulent activities are recognised quickly, tracing the funds and ensuring the prosecution of the guilty parties becomes increasingly difficult each time a transaction is made to a new jurisdiction.
In contrast, if wallets are hacked and crypto assets are moved, the transactions remain saved unchanged on the blockchain and can be traced in a transparent manner. In particular, analysis programs for blockchains – so-called “chain analysis tools” – work on this basis. These contain and maintain databases which enable the analysis of addresses, transactions and coins on the blockchain. During this process, addresses are assessed by the analysis tools in question – based on, among other things, a known link to terrorist financing, the Darknet or risk countries. A corresponding risk score is then generated over several steps during the transaction analysis.
[Figure: Simplified chain analysis illustration]
For banks that are active in the area of blockchain banking and that offer corresponding services, it is a matter of course to make use of such tools in order to mitigate risks – this too applies to Bank Frick. Financial intermediaries also use such products, and even authorities are looking at them.
The media have already reported on initial cases in which the investigations of authorities have yielded success thanks to the ability to trace blockchain transactions. These bodies are increasingly working together, as demonstrated by the solving of an IOTA fraud case in 2018, which saw British, German and European authorities join forces to counter crypto theft.
Statistics in the area of cybercrime also reveal a high estimated number of unreported cases. For companies whose IT systems are infiltrated by Trojan horses, it is often simpler to pay a relatively small amount in bitcoins to have the malware removed and the associated IT problems rectified. Should they report the attack, these companies fear this could have a negative effect on their reputation.
And yet it is extremely important to bring as many cases as possible to light. After all, it is the only way to develop a database of fraudulent wallets using a chain analysis tool, which makes it almost impossible for fraudsters to continue disposing of the assets in these wallets.
Given that it will still be possible to trace transactions on the blockchain even after several years, and that the available data is improving continuously, interesting opportunities in the area of criminal prosecution are emerging in the brave new financial world.
As regards monitoring, the question is in fact how far such research should or needs to go. The possibilities offered by chain analysis are almost unlimited and stretch right back to the origin of tokens or coins through mining. However, it should be noted that in most cases it is not a single coin whose path is traced. Rather, significant mixing takes place on the blockchain because of the way transactions divide up amounts. But does an analysis looking back over up to 1,000 steps (or hops) – i.e. individual transaction steps – even make sense?
The following questions arise here:
- Can it be proven – and is it relevant – that four grams of marijuana were purchased three steps earlier? And can this wallet still be used legitimately?
- May a coin be used that came into contact with Silk Road 100 steps earlier?
- Is the user at fault if he or she exchanges fiat for crypto assets on a trading platform (exchange) and the coins in question are tainted?
- If between an exchange without a KYC process and a clean wallet there is another clean wallet, are all of the assets then deemed legitimate? And, if not, how can this legitimacy problem be resolved?
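The hop-by-hop risk scoring and the dilution through mixing discussed above can be made concrete with a small tracer. This is an added example, not code from the article or from any chain analysis product. It assumes a proportional ("haircut") taint model and account-style balances, and all addresses, labels and amounts are constructed.

```python
from collections import defaultdict

# Constructed sample data: labels, addresses and amounts are made up.
FLAGGED = {"darknet_market"}            # stand-in for the tool's label database
LEDGER = [                              # (sender, receiver, amount), oldest first
    ("darknet_market", "hop1", 10.0),
    ("exchange_a", "hop1", 30.0),       # clean funds mix with the tainted ones
    ("hop1", "hop2", 20.0),
    ("exchange_b", "hop2", 60.0),
    ("hop2", "customer", 40.0),
    ("customer", "cold_wallet", 20.0),  # plain pass-through, no new funds
]

def trace(ledger, flagged, max_hops=None):
    """Return {address: (risk_score, hops)} using proportional taint."""
    balance, tainted = defaultdict(float), defaultdict(float)
    hops = {addr: 0 for addr in flagged}    # distance from a flagged address
    for src, dst, amount in ledger:
        if src in flagged:
            share = 1.0                     # all funds from a flagged address
        elif balance[src] > 0:
            if amount > balance[src] + 1e-9:
                raise ValueError(f"{src} spends more than it received")
            share = tainted[src] / balance[src]
            balance[src] -= amount
            tainted[src] -= amount * share
        else:
            share = 0.0                     # no recorded inflow: outside funding
        depth = hops.get(src, 0) + 1
        in_window = max_hops is None or depth <= max_hops
        moved = amount * share if in_window else 0.0
        balance[dst] += amount
        tainted[dst] += moved
        if moved > 0:
            hops[dst] = min(hops.get(dst, depth), depth)
    return {
        addr: (tainted[addr] / bal, hops.get(addr))
        for addr, bal in balance.items()
        if bal > 0 and addr not in flagged
    }

if __name__ == "__main__":
    for addr, (score, hop) in trace(LEDGER, FLAGGED).items():
        print(f"{addr:12} risk={score:.4f} hops={hop}")
```

Under this model the score falls only when clean funds are mixed in; the pass-through to `cold_wallet` adds a hop but leaves the score unchanged, and a `max_hops` window decides whether the customer's wallet is scored at all.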
The question of whether crypto assets will win through in the near future and actually serve as an alternative to traditional payment methods will greatly depend on whether clear requirements are issued by the regulator which transfer the currently applicable due diligence obligations from the traditional to the new world. The Financial Action Task Force on Money Laundering (FATF), whose recommendations for the combating of money laundering are implemented by member states in their national legislation, has already got the ball rolling in this regard. In October 2018, FATF Recommendation 15 was passed, which contains new definitions of “virtual assets” and “virtual asset service providers” (e.g. exchanges), making it clear that member states need to expand their regulations with respect to the combating of money laundering and terrorist financing to incorporate virtual assets.
These initial rough requirements were further fleshed out at the end of February 2019 in an Interpretative Note. It is therefore clear that regulation will come with regard to exchanges. By this point at the latest, the acceptance of funds without knowing the client (KYC) and clarifying the source of the funds (SOF) will be a thing of the past.
This development should be welcomed by everyone involved, as greater legal certainty contributes to professionalisation and thus to the further development of the market. Together with the increasing expertise of all market participants and their services, crypto exchanges – as well as the overall market of blockchain-based business models – are moving in the right direction and therefore becoming more attractive for professional and institutional investors. Market demand will also drive exchanges themselves to implement voluntary regulation and/or licensing in order to win further clients.
In the area of cybercrime, authorities will in future work together even more closely at different levels and across borders – common regulatory framework conditions are not to be ruled out here. The new market for cryptocurrencies is thus on track to come of age.