Ever since the inception of Bitcoin in 2009 and the massive growth of distributed ledger technologies, criminals have developed increasingly harmful ways to use this innovative technology to their advantage. In 2019, experts from academia, police, defence, FinTech and the government came together to identify the latest cryptocurrency risks and score them based on harm, criminal profit, feasibility and difficulty of defeat.
In this guest blog, Eray Akartuna at UCL’s Dawes Centre for Future Crime looks closer at these risks and where prevention efforts must improve, particularly given the rise in Covid-related digital crime.
From the notorious OneCoin scam to the hacking of the Mt Gox cryptocurrency exchange, cryptocurrency crimes have asserted their ability to cause large-scale disruption through exploiting an otherwise highly beneficial technology. The WannaCry crypto-worm, which encrypted NHS computers (among others) in 2017 while demanding a cryptocurrency ransom, is emblematic of how problematic such crimes can be to both individuals and public services. As the Covid-19 pandemic and associated lockdowns force many criminals to continue their offences in the digital space, it is worryingly likely that occurrences of cryptocurrency-related crimes will be on the rise.
What are the main cryptocurrency crime risks?
The Dawes Centre for Future Crime at UCL conducted a study looking into cryptocurrency fraud risks prevalent in 2019. This involved a systematic scoping review and a sandpit event attended by experts across academia, police, defence, FinTech and government. A policy brief summarising the results was released in February 2021. Identifying seven cryptocurrency crime risks of concern, experts also scored them on a number of different indicators.
Unsurprisingly ranking ‘high’ in all indicators (harm, criminal profit, feasibility and difficulty of defeat) were ransomware attacks, which encrypt user files and demand cryptocurrency ransoms to provide access. In the case of WannaCry, such an attack managed to deny people access to vital public and health services. Though these sorts of attacks are not unique to cryptocurrencies and existed before their inception, the ability to demand payments in Bitcoin (or more elusive coins such as Monero) allows attackers to make illicit financial trails more elusive and difficult to trace. More traceable and preventable money flows, such as conventional banking transactions, are therefore avoided.
Pump-and-dump schemes ranked ‘high’ in all indicators apart from harm (where it ranked ‘low’). These involve artificially inflating the price of a given cryptocurrency by buying huge amounts of it at a low price, before ‘dumping’ it to make a profit. Since no specific individuals are victimised (the only victim being the integrity of the cryptocurrency market itself), it is understandable why this risk ranked low for harm. However, since distrust in crypto-markets can discourage beneficial innovation (such as Blockchain-powered ‘decentralised’ apps that allow users to trade goods and services directly), addressing pump-and-dump schemes should by no means be a low priority.
As a semi-anonymous decentralised medium, cryptocurrencies are an ideal means of storing, transferring or converting illicitly earned wealth. It was therefore no surprise that experts identified Bitcoin ATMs as a ‘high’ risk in all four indicators apart from difficulty of defeat. Bitcoin ATMs allow users to convert cryptocurrency into cash (or vice versa), often with low ID checks. An associated risk identified was crypto-mules, namely individuals who wittingly or unwittingly allow criminals to use their wallets as ‘pass-through accounts’ for illicit cryptocurrency transfers, adding an extra layer of transactions to further distance illicit funds from their origin. Many mules are recruited due to the promise of commission for every transaction they facilitate. Acknowledging their high money laundering and terrorist financing possibilities, experts nevertheless noted that ID regulations on Bitcoin ATM transactions would largely defeat this risk.
Other risks of concern
Cryptojacking, namely malware that harvests infected computers for computing power for mining Bitcoins, was identified as another cryptocurrency crime worth concern. Bitcoin mining consumes huge levels of electricity, now equal to that of the power consumption of Switzerland. This consumption is only likely to increase as the process gets ever more competitive, further incentivising criminals of the future to enlist as many unwitting machines as possible by injecting them with cryptojacking malware.
Investment scams such as the OneCoin scheme and fake wallet providers designed to steal the cryptocurrencies of users who set up accounts with them were also cited as concerns. However, both these risks need substantial levels of initial investments by criminals to set up, especially if the aim is to deceive a large number of tech-savvy users who are likely already familiar with genuine investment opportunities and wallet providers. Experts therefore ranked these risks ‘low’ for feasibility.
The way forward
In light of these risks, the Dawes Centre for Future Crime has funded PhD projects looking further into the crime implications of cryptocurrencies. One such project involves identifying the money laundering and terrorist financing risks of new cryptocurrency-related developments, including the potential for Bitcoin satellite vaults and highly sophisticated smart contracts in the future.
Another project looks into computational approaches to understanding cryptocurrency fraud on a large-scale, with the particular aim of devising prevention measures. Such work is crucial to ensure that cybersecurity and transaction monitoring systems are sufficiently equipped to detect the latest threats. Also crucial, however, is ensuring that the perpetrators of successful and foiled cryptocurrency crimes are adequately prosecuted. Given the recency of the technology, legal precedents and evidence collection procedures for cryptocurrency crimes are not yet well established. This is why another PhD project is assessing the evidential requirements for cryptocurrency-related criminal prosecution and facilitating these using automated information extraction methods.
All these projects aim to equip law enforcement and other responsible stakeholders with a better conceptual, computational and legal understanding of the possible prevention strategies available to them. This will complement the incoming global regulations, pioneered by the Financial Action Task Force (FATF), which aim to bring virtual currency service providers under the scope of existing anti-money laundering and counter-terrorist financing obligations. Particularly post-Covid, it is crucial that such regulations are aided by greater detection and prevention capabilities, a more efficient legal prosecution framework and a better understanding of what the future may hold. These are among the key issues needing resolution to ensure that Blockchain technologies develop sustainably going forward.
The above research was funded by the Dawes Centre for Future Crime at UCL. The Centre was established to identify how technological, social or environmental change might create new opportunities for crime and to conduct research to address them.