2021 has been a rollercoaster year for the cryptocurrency market. The price of a Bitcoin — one of the popular cryptocurrencies — climbed to an all-time high of just over US$60,000 ($79,439) mid-March, before fluctuating sharply due to Tesla CEO Elon Musk’s tweets and the tightened focus by the Chinese, US and German regulators.

For those unfamiliar, cryptocurrencies are a deregulated digital currency, meaning that they are not controlled by an authority or a central bank. They are touted to offer many benefits, including the ability to reach audiences without access to financial institutions, as a computer with an internet connection is all it takes to pay for the coins.

Cryptocurrency transactions also have far lower fees than telegraphic transfers or credit card transactions, as they do not require an intermediary or a foreign exchange service between the sender and receiver.

Furthermore, these transactions offer some form of anonymity. While such transactions require crypto addresses — a digital identification that a person uses to transact on the cryptocurrency market — users can hold one or many crypto addresses without revealing their identity. This is because users can use a new address for each transaction, as recommended by Satoshi Nakamoto, Bitcoin’s presumed pseudonymous creator.

This is in contrast to the money transfer practice in traditional financial institutions, wherein the identities of the sender and the receiver can be easily known, be it through their bank account names or credit card numbers.

The anonymity provided by cryptocurrencies has not gone unnoticed by cybercriminals or terrorist groups. The digital currency has been increasingly used to pay for illegal purchases such as weapons, stolen data and drugs to avoid detection by law enforcement.

The dark side

“Because of the less robust nature of cryptocurrency exchanges as compared to traditional financial institutions, cryptocurrencies can be moved and laundered more efficiently than fiat currency. This is exacerbated by the use of cybercriminal tooling and tradecraft to further anonymise transaction efforts,” says Mike Sentonas, CTO of cybersecurity technology company CrowdStrike.

One example of such efforts to anonymise transactions is the usage of alternative coins (altcoins) such as Monero, says Vicky Ray, principal researcher at Unit 42, the global threat intelligence team of cybersecurity solutions provider Palo Alto Networks. Unlike Bitcoin or Etherum, Monero does not have a transparent blockchain where transactions can be viewed. It advertises itself as a “leading cryptocurrency focused on private and censorship-resistant transactions [where] the sender, receiver and amount of every single transaction are hidden,” he adds.

Along with the rise of Bitcoin, the value of Monero has surged from just US$35 last March to US$240 as of May 24. The increasing value of this anonymous currency could mean that there is a financial incentive for cybercriminals to not only use this currency to evade law enforcement, but to also acquire more so they can exchange it for hard cash.

Cryptocurrency fuelling crime?

As the world becomes more connected, cybercriminals have realised that the massive number of computers, mobile devices, servers and the large volume of data stored on them are a target rich environment. What if one could “kidnap” the data stored on these devices, and force the user to pay for the data in cryptocurrency?

This is where ransomware comes in. The general modus operandi of such malware is that it uses an exploit to infiltrate a system, device or network, before encrypting the user’s data to render it inaccessible and unusable. It then demands a ransom payment — usually in the form of cryptocurrencies — to decrypt the data.

See also: Bitcoin's volatility eases, sending bullish signal for some

In its 2021 cybersecurity threat report, Palo Alto Networks said: “As long as attackers keep getting paid, these demands will continue to rise.” The report also highlighted that last year, ransom demands averaged around US$847,344 and were often requested in the form of Bitcoin or Monero. This amount can vary dramatically depending on the ransomware family.

Although there is no direct correlation between the rise in investment value of cryptocurrencies and the growth in ransomware, Ray acknowledges that the rise in cryptocurrency values has made ransomware more profitable for cybercriminals. As such, more are turning to this method when conducting cyberattacks. Case in point: The average ransom paid by organisations in the US, Canada, and Europe increased from US$115,123 in 2019 to US$312,493 in 2020 — a 171% year-over-year increase.

New ransomware trends

Palo Alto Networks recently revealed that 16 ransomware families have displayed the ability to conduct exfiltrate data and use “double extortion” techniques. These families not only encrypt the target’s data, but also exfiltrate files first to coerce the victim into paying the ransom. The exfiltrated files are then posted, or threatened to be published, on to a public or dark website. Since such targeted data can be “quite critical and sensitive”, the victim will be compelled to pay the ransom to not get that data leaked, says Ray.

To make things worse, cybercriminals are also developing Ransomware as a Service (RaaS). Unit 42 says the RaaS subscription- based model is simple to execute, exceptionally effective, and potentially profitable — both from direct payments and sale of valuable information.

This model allows “affiliates” to utilise existing ransomware software to execute attacks, and earn a percentage of each successful ransom payment. Given this incentive, Unit 42 expects more cybercriminals to follow this model for all sums of money.

Unit 42 also observed that ransomware engagements throughout last year were more complex, leading to longer breach response times. Most notably, the information technology sector saw a 65% increase in ransomware incident response cases from 2019 to 2020.

While the dangers of illicit money in the form of cryptocurrencies are still mainly confined to the cyber realm, one might wonder if these digital money can be used to finance crime in the real world. Do businesses face risks when this illicit money is used to finance operations like terrorism?

Not yet. A 2019 RAND report highlighted that large sums of cryptocurrency are hard to manage and spend anonymously, and cryptocurrencies still require infrastructure. Moreover, “cooperation between international law enforcement and the intelligence community, and developments in regulation and enforcement” currently deter criminals from using cryptocurrencies to finance operations in the real world.

However, the report adds: “We see little current evidence of the adoption of cryptocurrencies by terrorist organisations or the motivation to do so, but that very well might change as countermeasures shut off funding [in the physical space] and as the cryptocurrency technology changes.”

Illicit finance

Despite these challenges, the anonymity of cryptocurrencies has not stopped regulators from devising new ways to combat illicit finance. “Now there are already surveillance technologies that can at least understand trends and patterns,” explains Radish Singh, Southeast Asia Financial Crime leader at Deloitte. Such tools can point to when cryptocurrencies have been converted into hard currency, for example.

Emerging technologies such as artificial intelligence (AI) have also been employed to resolve this problem. Cloud-based AML (Anti Money Laundering) Transaction Monitoring Software provider Tookitaki, for example, is developing an AI-based solution prototype to detect money laundering via cryptocurrencies.

“Powered by Federate AML knowledgebase, a growing, centralised repository of money laundering typologies sourced from financial institutions, AML experts and regulators, our AI solution could detect money laundering cases using cryptocurrency via crypto exchanges or their combination with banks,” says Tookitaki’s spokesperson.

But Singh says that such instruments are not yet widely used — many financial institutions have not integrated these technologies into their existing workflows and on-premises solutions. Tookitaki has partnered with Hewlett Packard Enterprise (HPE) to deliver their AML solution as a subscription model using HPE GreenLake for Big Data. By using the solution, UOB saw the AML models it uses for name screening and transaction modelling achieving 96% prediction accuracy in the “high priority” category.

“Our as-a-service model delivered through HPE GreenLake differentiates the solution by offering the agility, flexibility and scalability of the cloud experience while ensuring businesses still have control and governance when deploying AI-optimised infrastructure platforms and solutions on-premises,” says a HPE spokesperson.

Regulating the industry

Singh also notes that the lack of global standards over cryptocurrency regulations has led to a lack of oversight of the digital currency. Most countries have been slow to develop a “clear and structured strategy” to regulate cryptocurrencies. A wait-and-see attitude in certain jurisdictions has left the global regulatory environment beholden to the lowest common denominator.

Nydia Remolina Leon, research associate for Data, AI and governance at Singapore Management University (SMU), says that regulators have already taken the first step to regulate the cryptocurrency space.

The first set of standards issued by the International Financial Action Task Force (FATF) was published in June 2019. This came in the form of an Interpretive Note to Recommendation 15 on New Technologies, which further clarifies the FATF’s previous amendments to the international standards relating to virtual assets.

This move follows earlier attempts by national jurisdictions to regulate cryptocurrencies. New York state regulators, for instance, moved to license crypto exchanges and wallet providers before FATF regulations were adopted.

“Even the industry and the big players who want to provide good services and to just exploit the benefits and potential of digital assets and cryptocurrencies in general want to be regulated,” Leon tells The Edge Singapore. Stronger frameworks provides all players greater legal certainty.

But is there a risk that over-regulation will stunt the growth of the industry? No, say Wharton Business School business legal experts Brian Feinstein and Kevin Warbach. Studying the impact of cryptocurrency regulations on trading activities at global crypto exchanges, they found no systematic evidence that cryptocurrency regulations have any effects on trading volumes.

Still, the amount of cryptocurrencies used for dark money transactions is, reckons PwC crypto leader Henri Arslanian, “way lower than people think”. Last year, only 0.34% of crypto-transactions — amounting to US$10 billion — were linked to illicit transactions. The United Nations report that the estimated amount of money laundered globally in one year is around US$800 billion to US$2 trillion.

But in the defence of national security and cybersecurity, every dollar — or “coin” — in the hands of criminals and terrorists is one too many. 

Photo: Bloomberg