President Joe Biden has said he’ll take on hackers’ payment method of choice — cryptocurrency — in the fight against ransomware gangs. But any such effort faces a massive challenge: getting the rest of the world on board.
Congress and administration officials are increasingly pushing for oversight of cryptocurrency after a spate of cyberattacks in which criminal hackers hobbled the operations of a major East Coast gas pipeline, halted production at one of the nation’s largest meatpackers and breached an IT software vendor that supplied hundreds of companies. Each time, the hackers demanded millions — and sometimes tens of millions — of dollars in bitcoin.
But tracking, regulating or otherwise restricting a currency designed to elude governmental control is inherently an international task, and one that has proven more complicated than other types of global crimefighting. Given a host of diplomatic and technological barriers, pursuing hackers’ wallets can be even more difficult than pursuing the hackers themselves.
Countries are moving at vastly different paces to tackle the abuse of virtual currencies, leaving regulatory gray areas where small cryptocurrency exchanges can hide. Many countries disagree on what transactions to permit and how tightly to control them. And experts warn of a persistent divide between well-resourced governments and those with less economic power.
“Developed nations will have consistent standards, and other countries will not, and that’s always going to be the way it is,” said Andrew Jacobson, a former financial crimes investigator for New York state who is now a lawyer in the cryptocurrency group at Seward & Kissel LLP.
The fuel for ransomware
The ability for cyber criminals to hide in the vast and complex cryptocurrency world has emboldened ransomware gangs, who have been demanding increasingly large sums to unlock their victims’ files. The average ransom payment in the first quarter of 2021 was $220,298, a 43-percent increase from the previous quarter, according to the security firm Coveware. In 2020, the FBI reported receiving 20 percent more ransomware complaints than it had in 2019.
At a press briefing in early July, White House press secretary Jen Psaki said Biden’s strategy against ransomware would involve "expanding cryptocurrency analysis to find and pursue criminal transactions."
Lawmakers are also getting engaged. Late last month, Sen. Elizabeth Warren (D-Mass.) urged Treasury Secretary Janet Yellen to lead the development of “a comprehensive regulatory regime for cryptocurrencies” in the U.S., citing, among other issues, their “use in cyberattacks that can disrupt the financial system.”
And earlier this month, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, focused in on the global challenge. "If we want to disrupt ransomware money-laundering networks, we need to be able to rapidly trace and interdict them around the world," she said at a conference.
One disappears, another pops up
Cryptocurrency’s role in cybercrime isn’t new, but efforts to rein it in have so far floundered in an environment where criminals can simply move from well-regulated sites to shadier corners of the ecosystem.
It is easy to set up a cryptocurrency exchange, and there are hundreds of them around the world. The largest exchanges are hosted in a handful of countries, including the U.S., China, Singapore and several European nations, some of which have strong oversight regimes. But regulatory maturity and strictness vary widely, and there are many small, obscure exchanges where ransomware operators can convert their cryptocurrency into dollars, euros or rubles.
International experts have identified a group of countries that are struggling to combat cryptocurrency abuse and other forms of money laundering, including Ghana, Myanmar, Pakistan and Syria.
“You get into countries in Southeast Asia or in Africa or Eastern Europe, and they might not have adopted anything or have the resources for enforcement at all,” said Casey Jennings, another member of Seward & Kissel’s cryptocurrency practice. “It really does come down to whack-a-mole.”
Some countries, including Bolivia, Nepal and Turkey, have chosen to simply ban cryptocurrency, but technology experts say that does not prevent its adoption but merely blinds regulators to its illicit use.
A weak global response
Existing international coordination around cryptocurrency abuse has been scattershot.
There is no U.N. agency devoted to harmonizing countries’ cryptocurrency rules. Instead, the nexus of global regulatory efforts is the Financial Action Task Force, which the Group of Seven nations created in 1989 to combat money laundering. As part of its work, FATF publishes periodic reviews of national and regional cryptocurrency regulatory regimes.
Receiving a bad FATF evaluation “can have a significant and major impact on [a country’s] ability to function in the global financial system,” including by jeopardizing access to loans, said Jesse Spiro, the former chief government affairs officer at the cryptocurrency consultancy Chainalysis.
But FATF’s assessments are based on self-reported data, raising questions of accuracy.
Regulations on cryptocurrency have increased in recent years. In 2013, “the ecosystem was certainly more of a Wild West environment,” Spiro said. But since 2018, he added, global pressure has prompted more countries to crack down on virtual currency abuse and implement more sophisticated rules.
But conflicts and inconsistencies still make money-laundering regulation a patchwork system. One European Union law prohibits compliance with certain U.S. sanctions against Iran. And countries differ on the scope of key rules. For example, hedge-fund managers in the U.S. do not face the same anti-money-laundering requirements as managers in many other countries.
Hiding in even harder-to-reach places
Criminals have responded to regulatory efforts with technologies designed to stymie transparency.
Self-hosted cryptocurrency wallets, which allow people to keep their funds on home computers rather than exchanges, are harder to monitor. Decentralized exchanges likewise hamper regulators because they collect less information about transactions. Both are more popular with ransomware gangs than traditional platforms, according to cryptocurrency experts.
The FBI can sometimes trace ransom payments made in cryptocurrency, and when it obtains hackers’ private keys, it can also recover some of the money. In June, authorities seized more than half of the $4.4 million ransom that Colonial Pipeline paid to its attackers. But hackers also use “privacy coins” such as Monero, which, unlike Bitcoin, keeps its ledger of transactions private.
Putting the squeeze on
The U.S. does have tools it could use to strengthen global regulatory efforts, such as expanding assistance to struggling countries, prodding allies into action and sanctioning the most problematic cryptocurrency exchanges, industry experts say.
It wouldn’t be difficult to target aid, Spiro said. “Most of the illicit funds that we’re able to see in this ecosystem wind up in just a few exchanges,” he explained.
And U.S. officials could stress to their foreign counterparts that “if they clean up their act, that also helps with the foreign investment,” said Chris Painter, who was the United States’ top cyber diplomat from 2011 to 2017.
The departments of State and Treasury are leading federal efforts to help other countries implement regulations such as “know-your-customer” rules, which require financial institutions to collect personal information about their clients, a National Security Council spokesperson said. The spokesperson added that Treasury was “providing training to priority jurisdictions” and promoting adoption of FATF standards.
But Biden and Congress have work to do. The State Department still lacks a cyber bureau and a lead cyber diplomat, and Spiro said Treasury’s Financial Crimes Enforcement Network is understaffed and under-resourced.
The Biden administration could also prod multilateral bodies such as the G-7 and the Group of 20 to streamline national regulations and support training efforts. Agreements within these bodies could pave the way for broader standards.
In October 2020, G-7 finance ministers vowed to combat the growing threat of ransomware and said “payment services should be appropriately supervised and regulated.” Since then, major attacks have prompted the U.S. and its allies to make ransomware a national security priority, which Painter said creates “much more possibility of action among the big players.”
But the United States’ strongest weapon may be the financial leverage it wields in global markets.
Exchanges located in other countries have to comply with U.S. laws if they want to serve American customers or access the U.S. financial system to convert virtual coins into dollars. The more foreign cryptocurrency exchanges meet U.S. standards, the easier it will be for a U.S.-led coalition to convince other countries to adopt similar laws.
To accelerate this process, some experts want the U.S. to deploy its sanctions authority far more aggressively. Dmitri Alperovitch, the executive chair of the Silverado Policy Accelerator, said Treasury should seriously consider sanctioning exchanges that refuse to comply with anti-money-laundering regulations. Those exchanges would then become global pariahs, since other sites would face penalties for fulfilling their transactions.
“That would be quite devastating to most of these exchanges,” Alperovitch said.
Even most people who use self-hosted wallets eventually shift their virtual funds onto exchanges in order to cash out. Rogue exchanges frozen out of the U.S. financial system and shunned by their peers wouldn’t be able to complete these transactions, which Alperovitch said are “a big part of their businesses.”
“This is a really critical issue,” Alperovitch said, “Cryptocurrency is the oxygen that fuels the ransomware fire, and we absolutely have to tackle it.”
Read more: politico.com