Despite a global downturn in crypto usage in 2022, illicit cryptocurrency transactions reached an unprecedented $20.1 billion. As a result, a massive uptick in sanctions from the US government and increasing scrutiny of cryptocurrency use as a whole have given it a bad rap that is not always deserved. Indeed, experts estimate that only 0.15% of all crypto transactions are illegal.
We talked to Seth Sattler, Chief Compliance Officer of DigitalMint, which operates bitcoin ATMs and works on ransomware transactions, about the current state of crypto, what characterizes an illicit transaction, and how companies can protect themselves from cybersecurity threats linked to digital payment.
What are illicit cryptocurrency transactions?
When it comes to this activity, “illicit cryptocurrency transactions” is something of a misnomer, just like the term “crypto crime,” because if you look at the history of criminal activity, aside from ransomware, which is heavily involved in cyberspace, every other crime we see is simply a financial crime that has moved over to crypto. Stealing with credit card scams, Nigerian prince scams, romance scams—even sex trafficking and human trafficking, which are the most egregious of them—aren’t crypto crimes, they’re financial crimes that are conducted using crypto.
Why do people have this misconception about crypto?
It’s a kind of confirmation bias. We hear all these news stories about stolen credit cards and dark marketplaces. If you were to go on those websites 15 years ago, before Bitcoin was as prevalent as it is right now, you would see MoneyGram and PayPal and Visa as payment methods. So it’s not like people weren’t able to purchase and participate in that illicit activity. The pseudo-anonymous aspect of crypto added to the perception that it was only used for crime. And then Silk Road happens, the largest online drug market of all time is shut down, and Bitcoin is found on a flash drive. But it’s not that crypto created these criminal activities. It’s just that it gave them a new mechanism to use.
Which of these crimes are the most concerning right now? Why are they occurring with so much frequency?
The biggest issue right now is on the fraud side, and that encompasses everything from FTX to the romance and investment scams, the kind of thing we see referred to as “pig butchering.” It comes down to a lack of awareness. There’s not enough education out there for individuals to recognize what is and what isn’t a proper investment mechanism. Now you have all these scams where some individuals are solicited on Facebook, Discord or other social media platforms about this great investment opportunity. If a scammer is sending 10,000 messages a week, one or two people might reply and those two people might fall for it.
Who are the threat actors involved?
We’ve seen everything from an individual running his own scam to full-on organized crime with call centers in India and Pakistan, where the scam is run like a professional business. The same thing is true on the ransomware side. It’s very easy to purchase ransomware, so almost anyone can perpetrate this kind of crime, but then there are nation-state actors doing it on a larger scale as well.
Are there gray areas for legality or regulation for crypto transactions?
At DigitalMint, we have an identifiable ID required for every transaction, but there are other organizations where you can purchase $100, $1,000 without an I.D. on file. When you think of dark market sites, the average credit card is under $20. So if you purchase one of these inexpensive credit cards, and you go to a place where you don’t need an I.D. on file for the first 200 hours, you can get away with some of that activity. It’s hard to report, but technically, the vendor is not violating any regulatory regime by not requiring anything up to that point.
You also have transaction limits, so ATMs, exchanges, and other crypto vendors often only do a certain number of transaction hours a day. And we have one of the smallest industry monthly limits. But we’ve seen other ATMs allow you to do 100,000 to 200,000 hours in a month in cash transactions. Again, they are not violating any jurisdictional laws. But at the same time, if you don’t have the controls in place, the scam or the potential for high volume and high value scam victimization exists. So there’s that side of it on the, we’ll say, gray area red flag where it’s legitimate but looks illegitimate. Similarly, mixing services like Tornado Cash are not inherently illegal but they are incredibly high risk and notorious for fraudulent activity.
What can companies do to prevent illicit transactions?
I always say education is the most important thing we can do. We should educate the broader community on what legitimate crypto opportunities look like and the scam typologies out there and what cybersecurity is needed to protect your systems and what to do if you do get attacked. But then we also need to educate the institutions involved.
We can also use the controls at our disposal. I come from a banking background and built models to detect this activity. When I came to crypto, I did the same thing. We as a company have returned about $8 million of fraud money back to victims just through those controls. Chainalysis and TRM and Elliptic and similar tools will flag websites associated with dark marketplaces and illicit activity.
It’s also important to keep law enforcement informed. Law enforcement is actively trying to disrupt ransomware gangs, and the more victims that report that they were attacked the better chance there is that they can find patterns in these transactions and can find where the money’s going. Within our own industry, it’s in everyone’s best interest to share best practices and trends and all of that so we can continue to earn trust and ensure that people understand cryptocurrency and its benefits.