Cryptocurrency theft, and the use of cryptocurrency to launder the proceeds of other illegal activity, are booming. This has prompted the evolution of a related industry that sits on the borderline of legality (barely legal in some jurisdictions, illegal in others): cryptocurrency money laundering. The laundering of illegally-obtained money may be illegal, but the process used may not be.
CoinMixer is one such service that is advertised on Google Search. It says of its service, "Generally there is no link between the original transactions and the final address of the coins. This process protects your privacy and prevents other people tracing your payments on the internet." While this process can help with possibly legitimate privacy concerns, it is precisely what is required for money laundering.
Menlo Park, Calif. startup CipherTrace is a firm founded on the need for cryptocurrency anti-money laundering (AML), blockchain forensics and enforcement solutions. It aids law enforcement and financial regulators in their investigations, helps enterprises to deploy real-world cryptocurrency transactional systems within regulations, and offers a bitcoin scam and theft asset recovery service.
The CipherTrace Cryptocurrency Anti-Money Laundering Report for Q2, 2018 (PDF) shows the size of the problem and highlights some of the regulatory discussions happening at international levels. Stolen cryptocurrency alone reached more than $750 million in the first half of 2018 -- which is already nearly three times the amount stolen in 2017. The report also adds, "The FBI noted that the value of virtual currencies contained in the Internet Crime Center 2017 reports were $58.3M, citing cyber actor demands of ransom payments, typically in virtual currency such as Bitcoin."
All this currency needs to be laundered before it can be safely accessed by the criminals. This is typically done through sites offering mixers, tumblers and chain hopping services. "The more dirty crypto money that goes into the systems and the more it moves around, the harder it becomes for investigators to see through the web of action and trace a path back to the source."
Governments and law enforcement agencies are not ignoring the use of cryptocurrencies to launder illegal gains. At the 5th Annual Europol Virtual Currency Conference, which was held at the Hague in the Netherlands, Jamal El-Hindi of the U.S. Financial Crimes Enforcement Network (FinCEN) reiterated FinCEN's position. "We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. AML laws."
The cryptocurrency theft problem that fosters the cryptocurrency laundering industry shows no sign of slowing down. It ranges from the theft of individual wallets, through the use of various cryptocurrencies within ransomware extortion, to major thefts from large cryptocurrency exchanges.
"Cybercriminals follow easy money," comments High-Tech Bridge CEO Ilia Kolochenko, "and many cryptocurrency owners are the perfect victims. They are virtually unable to protect either themselves or their digital assets, being susceptible even to relatively simple phishing attacks. Law enforcement is frequently uninterested in investigating and prosecuting petty offences with digital coins theft, as they are already under water with highly-sophisticated nationwide hacks."
He points out that cryptocurrency startups are often ignorant of the fundamentals of cybersecurity, and devote all their efforts and resources to survival in an extremely volatile and highly-competitive market.
"We can almost certainly expect further proliferation of security incidents related to crypto currencies. Attackers have now established impressive infrastructure purposely tailored for large-scale theft and scams with digital coins. Owners of the crypto assets should remain extremely vigilant, maintain all their devices and installed software up-to-date, install at least a free antivirus from a reputable vendor, use two-factor authentication and unique passwords, and never entrust their wallets to any third-parties unless they have a very good reason to utterly trust them."
F-Secure security advisor Sean Sullivan has advocated for a form of 'Know Your Customer' regulation to be applied to cryptocurrency exchanges. "Bitcoin exchange accounts could be required to be tied to a physical address," Sullivan said. Currently it takes just minutes -- or seconds -- to open a Bitcoin account in a third-party market. Under this requirement, an activation code would be mailed to you before an account can be opened. While this wouldn't affect criminals who do business out of Russia and China, it would make their attacks far less profitable, and would make the tracking of illegally acquired cryptocurrency by law enforcement considerably easier.
"The exchanges would hate it. But given the hundreds of millions of dollars being extorted every few months, it seems appropriate," Sullivan says. "Barring this or a similar step, exponential growth of malware families delivering these threats seems to be the only other option."
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.