Blockchain-related businesses looking to up their compliance game need to rethink their resistance to working with regulators and law enforcement agencies if they want to remain in business.
The final day of the CoinGeek Conference in New York saw Bitcoin Association Founding President Jimmy Nguyen moderating a panel titled, “Investigating Criminal Activity on the Blockchain.” The panel examined the steps the sector needs to take to counter the lingering public perception that Bitcoin was created for the sole purpose of facilitating illicit and criminal activity.
Joining Nguyen onstage were Blockchain Intelligence Group’s Director of Government & Strategic Affairs William Callahan; BlockTrace founder and CEO Shaun MaGruder; Special Agent, IRS Criminal Investigation Richard G. Reinhardt; and Merkle Science director/VP of Business Development Ian Lee.
Lee, whose company builds software that helps companies detect, investigate, and analyze risk in digital currency transactions, says criminals have come to understand ‘crypto’ as programmable money. When exchanges impose weak know your customer (KYC) and anti-money laundering (AML) policies—like only imposing checks on transactions over 2 BTC—criminals simply write scripts that break up large transactions into chunks smaller than 2 BTC and route them through a number of wallets.
The rise of technologies such as DeFi and NFTs have further complicated criminal investigations, as smart contracts often involve multiple senders/receivers. Lee said the lack of a central entity overseeing smart contracts means all transactions simply pass through, creating a “very, very real” risk of money laundering.
Lee said Merkle Science is developing bespoke products to assist DeFi and NFT platforms “break apart” smart contacts to ascertain if there’s any dodgy dealings inside, while also employing tools that combine on-chain info with off-chain data such as IP addresses to assist investigators’ efforts to identify bad actors.
Fear of the darknet
BlockTrace’s MaGruder says his firm has built an API aggregation layer called Fusion that incorporates data from tracking firms such as Cybertrace, Elliptic and others to effectively perform “compliance on the entire blockchain.” Among the benefits of attributing individual addresses, address clusters and clustering algorithms is “highlighting high-risk transfers from darknet markets to U.S.-based exchanges.”
Callahan, a former Drug Enforcement Agency supervisor at the time of the infamous Silk Road darknet market, agreed that the situation has improved dramatically from the days when tech was far more manual-intensive, basically humans entering data in Excel spreadsheets. What used to take weeks can now be done in minutes thanks to Blockchain Intelligence Group’s QLUE investigative software tool.
But the arrival of better tech hasn’t deterred criminals, with Callahan noting that crypto has become a major conduit for the illicit drug trade. Reinhardt, the coordinator for cybercrime at the IRS field office in New York, echoed this point, saying the proceeds of illegal Fentanyl sales are increasingly transiting through Bitcoin ATMs and P2P exchanges.
Reinhardt, who said the IRS has “a big initiative” to track crypto transactions in pursuit of tax evaders, revealed that investigations often begin with info from a U.S. Attorney’s office. For a case in which a corporate email is compromised and wire transfers are subsequently redirected, the IRS will follow those wires to the associated bank accounts. The IRS will then “do some covert stuff”—including the use of confidential informants—to get the crypto wallet addresses linked to those accounts, after which the agency will employ the services of companies such as those on the stage beside Reinhardt to track wallet activity.
The idea that businesses could plead ignorance as to the origins of money flowing through their systems will no longer fly. MaGruder said exchanges need to get proactive about disabling dodgy accounts, because if he can see the same wallet address being responsible for 40 transactions from Russia’s Hydra dark market, then so can the exchange that receives those transfers.
Stupid human tricks
Besides email/DeFi hacks and smart contract exploitations, MaGruder noted the frequency of ‘man in the middle’ attacks, such as when a long-time HODLer finally decides to sell his hodlings and downloads software to update his hardware wallet. In the process, the careless HODLer downloads a Trojan back door and, after entering the wallet’s seed phrase, gets cleaned out.
Merkle’s Lee picked up on this point, noting that security failures often come as a result of human error, not technical snafus. Proper training in both cybersecurity and AML policies are crucial in maintaining a strong defense against illicit actors. But at one company he worked with, Lee said their ‘compliance officer’ was a former pancake-flipper with zero compliance experience on his resume.
Callahan said all players in the digital currency sector have a role to play, not only in building ‘safe systems’ but alerting sketchy actors that their business isn’t welcome and that any attempts to game your system will result in you being kicked off the system and reported to the authorities post-haste.
Travel rules
The Financial Action Task Force (FATF) has been pushing its members to apply the so-called Travel Rule to digital currency transactions, obligating companies to “obtain, hold, and transmit required originator and beneficiary information” so appropriate actions can be taken should a transaction prove criminal in nature.
Lee said this requirement causes issues in the blockchain space because most digital currency transactions are from one private wallet to another, and few individuals controlling private wallets are likely to freely volunteer the identifying information required by the travel rule.
If a wallet with which a Merkle client transacts is an exchange, the client is required to comply with the travel rule. Merkle’s attribution data set allows wallet monitoring to ascertain the associated risks and, through partnerships with a number of travel rule providers, most Merkle clients will be able to ensure travel rule compliance by November.
Nguyen noted that the FATF’s definition of ‘virtual asset service provider’ isn’t strictly limited to digital currency exchanges and thus all companies in this space need to assess whether their operations trigger this rule.
Reinhardt said the bigger blockchain-based firms were becoming more responsible, while smaller exchanges “are there for a reason.” Banks need to educate themselves on these smaller exchanges rather than plead ignorance after the fact. This way, agencies like Reinhardt’s can do their job and the banks aren’t exposed to possible prosecution.
Callahan recalled the increasingly stiff penalties the U.S. government imposed on the traditional banking sector in the 2000s due to its ties to transnational money laundering rings. Callahan said the feds were now looking at crypto platforms for similar failures to appropriately vet their clients.
BSV leads the way
From its inception, the BSV blockchain has been focused on the need to ensure legal compliance. Nguyen asked the panel what ecosystems could do with apps or protocol elements to assist compliance efforts, such as including more metadata embedded in transactions to assist monitoring efforts.
Lee, whose company added BSV support earlier this year, said that “if you’re building on BSV, you’re in good hands,” thanks to the protocol’s proactivity in creating a safer ecosystem. On the metadata question, Lee said the challenge was what people were willing to provide. Some info may be extremely useful but people may not wish to put it on an immutable public ledger. Certain data points could be retained by exchanges, who would include only metadata on the blockchain indicating their participation in a transaction, with the ability to provide further info should a particular transaction be flagged.
MaGruder suggested the ecosystem would benefit from crafting a template for a universal response file to subpoenas, as current subpoenas produce different responses from every exchange. MaGruder said this foundation could include scripts that could be normalized, easily ingested and adjusted to analyze transactions.
Lee offered a three-point strategy for companies, starting with ensuring that your compliance team is properly trained, which will give regulators confidence in your ability to conduct adequate cyber security. Secondly, not everything has to be done yourself: there are reputable custodial providers and external blockchain monitoring providers with which you can partner. Finally, proactively engage with regulators, as they will help you structure your business so it conducts itself in a compliant manner.
Watch CoinGeek New York 2021 Day 3 here:
New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.
