In pandemic fraud, cyber fusillades, more criminals choosing crypto to buy virtual weapons, get paid after successful attacks: FinCEN

The Skinny:

  • FinCEN is putting the virtual value sector on notice that criminals are increasingly using crypto coins and related exchanges to purchase malware packages and reap the profits of COVID-19 pandemic-related phishing, ransomware and other cyberattacks.
  • These illicit actors are also attempting to hide connections to scams and schemes by engaging “anonymity-enhanced cryptocurrencies,” also called privacy coins, and going through crypto exchanges with weak or non-existent AML programs.
  • The country’s financial intelligence unit and administrator of counter-crime compliance defenses also stated it is “concerned” about foreign MSBs that are unregistered and don’t have stout AML programs doing business in the U.S. or with U.S. persons – evading regulatory and investigative scrutiny.

By Brian Monroe
bmonroe@acfcs.org
May 15, 2020

The U.S. Treasury is putting the virtual value sector on notice that as the COVID-19 pandemic fuels new waves of fraud and hacks, criminals are increasingly using crypto coins and related exchanges to purchase malware packages and reap the profits of phishing, ransomware and other cyberattacks.

These illicit actors are also attempting to make it harder for investigators to uncover and cripple their coronavirus-themed scams and schemes by engaging “anonymity-enhanced cryptocurrencies,” also called privacy coins, and going through “tumblers,” tactics that take advantage of crypto exchanges with weak anti-money laundering (AML) programs.

Those are just some of the criminal trends, compliance vulnerabilities and regulatory focal points highlighted by Ken Blanco, director of the Financial Crimes Enforcement Network (FinCEN), in a virtual Consensus Blockchain Conference this week.

“FinCEN has observed that cybercriminals predominantly launder their proceeds and purchase the tools to conduct their malicious activities via virtual currency,” Blanco said.

“Your institutions have the opportunity, and obligation, to help identify these illicit criminal networks in your suspicious activity reporting to FinCEN, so that FinCEN can aggregate and analyze this information to identify red flags, permitting industry to spot risks.”

To read Blanco’s full statement, click here.

The missive puts more pressure on crypto exchanges – and other operations that create, sell or move virtual funds – to ensure they are not inadvertently acting as a gateway for organized criminals and hacking collectives to monetize their more aggressive digital fusillades during the pandemic.

The crypto exchange sector is still wrestling with more formalized compliance duties coming domestically and internationally, most recently in June when the Paris-based Financial Action Task Force (FATF) updated a key recommendation to include the “Travel Rule,” a requirement that critical customer details “travel” with the transaction through the various interlinked parties, with a deadline date of June 2020.

But while the rule has been a longtime staple for bank transactions, it has become a crypto industry flashpoint, with a bevy of crypto companies, associations and thought leaders offering potential solutions in dense and didactic essays, whitepapers and analyses.  

Financial crime in a time of coronavirus

Beyond just crypto exchanges and their compliance challenges, Blanco’s comments also tacitly increase the scrutiny that brick-and-mortar banks – the nexus between the realm of crypto coin and fiat value – must engage in related to their crypto exchange customers.

In essence, similar to other historical relationships with operations like money services businesses (MSBs), banks must act as a de facto regulator to their crypto clients, lest their own federal regulators uncover these relationships first and judge that institutions didn’t have enough compliance oversight.

Here are some of the financial crime trends tied to the pandemic:

  • COVID-19 as Lure: FinCEN and U.S. law enforcement have seen reports of cybercriminals leveraging COVID-19 themes as lures, often targeting vulnerable individuals and companies that seek healthcare information and products or are contributing to relief efforts. 
  • Healthcare vulnerabilities: This type of cybercrime in the COVID-19 environment is especially despicable, because these criminals leverage altered business operations, decreased mobility, and increased anxiety to prey on those seeking critical healthcare information and supplies, including the elderly and infirm.
  • Adapting to Opportunities: Because of increased remote work by many companies and government institutions worldwide, many distinct threat vectors, risk considerations, and mitigation strategies are being used by criminals and bad actors.  
  • Remote exploits: FinCEN is aware that cybercriminals are targeting vulnerabilities in remote applications—including virtual private networks and remote desktop protocol exploits—to steal sensitive information and compromise transactions. 
  • One fish, two fish, three Phish: Whether with COVID-19 lures or not, cybercriminals and malicious state actors are using wide-scale phishing campaigns, malware, extortion, business email compromise, and other exploits against remote platforms to steal credentials, conduct fraud, and spread disinformation.
  • Scams and spam: Many prevalent scams involving virtual currency payments exploit COVID-19, from extortion, ransomware, and the sale of fraudulent medical products, to initial coin offering investment scams, which will likely continue to grow during the pandemic.
  • Undermining Due Diligence: Criminals are also working to undermine “know your customer” processes in the remote environment. Virtual currency businesses should remain vigilant against attacks targeting their onboarding and authentication processes, for example “deepfakes” manipulating digital images and account takeovers facilitated by credential stuffing attacks. 
  • Digital assurance: Financial institutions should consider the risks of the current environment in their business processes, and the appropriate level of assurance needed for digital identity solutions to mitigate criminal exploitation of your products and platforms. 
  • Better virtual vigilance: Even financial institutions that typically manage their lines of business remotely, such as some virtual currency exchangers, may find themselves more exposed given the changing threat environment.

Anonymity-enhanced coins mirror anonymous beneficial ownership structures

Virtual exchanges may also face more risks of being infiltrated by illicit entities if they can’t accurately drill down to see what individuals or companies are tied to which transactions – a key hurdle in some crypto transaction chains.

There remain “significant issues that concern us in the virtual currency space,” Blanco said, including:

  • Privacy vs. anonymity: Risks associated with anonymity-enhanced cryptocurrencies, or AECs, remain unmitigated across many virtual currency financial institutions. 
  • Risks vs. rewards: We expect each financial institution to have appropriate controls in place based on the products or services it offers, consistent with the obligation to maintain a risk-based AML program. 
  • Coin purse: This means we are taking a close look at the AML/CFT controls you put on the types of virtual currency you offer—whether it be Monero, Zcash, Bitcoin, Grin, or something else—and you should too. 
  • Regulators, investigators are coming: To be sure, FinCEN and our delegated examiners at the IRS are focused on this.

There are even parallels between coins that offer privacy shields and one of the country’s – and really the world’s – most persistent financial crime vulnerabilities: anonymous shell companies with opaque beneficial ownership structures, according to Jim Richards, the former top AML officer for Wells Fargo, in an analysis of the statement.

“I agree with Director Blanco that anonymity-enhanced cryptocurrencies are a key risk,” he wrote. “Just as anonymity-enhanced legal entities are a key risk: lack of a federal standard that legal entities disclose their beneficial ownership, and provide that information to a publicly-available central registry, remains the biggest risk facing the American AML/CFT regime.”

Unregistered foreign MSBs flouting AML a ‘concern’ for FinCEN

FinCEN also touched on another vexing vulnerability for the country’s fincrime defenses: foreign MSBs doing business in the U.S. or with U.S. persons that don’t have stout AML programs.

The bureau is “increasingly concerned that businesses located outside the United States continue to try to do business with U.S. persons without complying with our rules,” including registering, maintaining a risk-based AML program, and reporting suspicious activity, among other requirements. 

“If you want access to the U.S. financial system and the U.S. market, you must abide by the rules,” Blanco said, adding that FinCEN wants banks to include “detailed information” about suspected unregistered foreign MSBs. “We are serious about enforcing our regulations, including against foreign businesses operating in the United States as unregistered MSBs.” 

FinCEN stated it is also trying to put more of the information in crypto-related SARs to good use.

Since 2013, FinCEN has received nearly 70,000 SARs involving virtual currency exploitation. 

Just over half of these reports originated from virtual currency industry filers.

Others came from traditional financial institutions that “also have a unique window into illicit financial flows involving virtual currency, such as banks that may see ransomware payments made by customers or MSBs that see funds transfers derived from account takeovers,” Blanco said, exhorting institutions to not skimp on the details as they can make or break ongoing cases.  

This reporting is “incredibly valuable to FinCEN and law enforcement, especially when you include technical indicators associated with the illicit activity, such as Internet Protocol (IP) addresses, malware hashes, malicious domains, and virtual currency addresses associated with ransomware or other illicit transactions.”