Crime and cryptocurrency, frauds and fungibility

The recent devastating ransomware attack on Travelex has once again raised the issue of cryptocurrencies, or more specifically Bitcoin, being used for criminal purposes. At the time of writing, my bank (Barclays) as well as other high-street banks including HSBC, Virgin and Tesco Bank, all of whom rely on Travelex for foreign exchange services, are still unable to offer online exchange services or process orders for foreign currency. The company was infected with a “ransomware” virus that encrypted its data — Travelex left critical security weaknesses in the Pulse Secure virtual private network (VPN) servers unpatched for eight months — and the attackers demanded a $6m payment in Bitcoin to decrypt the data.

(Travelex has not disclosed whether it has paid the ransom.)

The scale of the damage here may have been unusual, but the attacks are not. Every single day there is another such story in the media. And while none of us may care that much if financial institutions do not implement appropriate security and have money stolen, there are attacks on hospitals and public services all of the time as well. Perhaps we ought to consider following the lead of Finland. Back in November 2019 more than 200 Finnish municipalities and public organisations had a “war game” co-ordinated by The Population Register Centre to practice their response to possible cyberattacks. I am not an expert, but I imagine that one of the things they learned was to make sure that the IT people install security patches on their computers and to make sure they have backups of their data, but I digress.

Back to the issue of ransoms. Ransomware wouldn’t be much good if the attacker could only be paid by cheques or bank transfers. This is why ransomware and cryptocurrency are a package, although ransomware datanappers are not the only criminal users of the new digital dosh. According to the Daily Mail, the police have seen an “explosion in the use of digital currency by criminals who are strolling into cafes, newsagents and corner shops to dump their ill-gotten gains in virtual currency ATMs”.

Well, let’s not panic. If you look at the actual Bitcoin transactions going on out there in cyberspace, you’ll have to admit that even crime isn’t proving the vehicle for mass market adoption that the more hysterical parts of the media might have made you think. Frankly, if the demand for Bitcoin were all about crime (and not speculation) then it would actually be worth far less than it is today. There just isn’t enough crime. Calculations based on the use of Bitcoin in this sector of the economy put its value at something like one-twentieth of the current price.

Now, I have to say that I think that these kinds of calculations are highly spurious.

First of all, such calculations are often based the value of the global market in illegal drugs. Now, while no-one can be sure of the exact size, this is undoubtedly a vast market. But it is a market that is conducted almost entirely in cash. Were these transactions to be converted to digital money, the sums involved are so vast that it would be almost impossible to create to an AI machine-learning transaction monitoring services to ignore them.

Secondly, I have yet to see any evidence that criminals are adopting Bitcoin at scale for anything else. And the reason for this is obvious: it’s not anonymous enough. Wallet addresses are pseudonyms, and once any of these pseudonyms has been linked to a mundane identity in anyway, the identities can be connected, monitored, tracked and traced. While people often refer to bitcoin as anonymous, it really isn’t. 

Why Bitcoin?

It can be made anonymous, though, right? In the world of bitcoin, smart criminals will use “mixers” or “tumblrs” that jumble together Bitcoins to obfuscate their origin. Well, whatever. If Bitcoin were to be widely used in serious criminal enterprises then the authorities would step in. What if law enforcement agencies go to the biggest miners in the world and tell them that if they continue to confirm easily identifiable mixing transactions, they will be accused of money laundering? As I write, 49% of all of the Bitcoin “power” is in the hands of five Chinese mining pools, so this is not difficult to imagine. Bitcoin’s fungibility means that it has little long-term prospect for criminal enterprise.

Wait! Whatibility?

Fungibility.

Whatever Bitcoin is, it isn’t cash for the inescapable reason that cash is fungible. This matters. Remember that IRS Ruling about Bitcoins being a commodity, so that traders would have to track the buying and selling price of each individual Bitcoin in order to assess their tax liability? No? Here’s a reminder from [CreditSlips]: “For a payments geek, the real lesson from the IRS Bitcoin ruling is that for a currency–or any payment system–to work, its units must be completely fungible”.

Fungible (from the Latin “to enjoy”) is a great word. One of my favourites, in fact. In this context, money, it means that all tokens are the same and can be substituted one for another. You owe me a pound. It doesn’t matter _which_ pound coin that you give me. Any will do. Any pound coin can substitute for any other pound coin because they are all the same: no-one can distinguish one pound coin from another. This isn’t true of Bitcoins. They are all different. and because they are all different, their history can be tracked through the blockchain, its immutable public record of all transactions.

The existence of the blockchain means that clever analysts can set their bots scampering along the chain of transactions to find out where money is coming from and where it is going. While Bitcoin has a media image of secrecy, it has long been understood that blockchain analysis means that it could be surprisingly easy for a law enforcement agency to identify many users of the currency [MIT Technology Review]. So you can what is actually going on at all time. If you want to get a picture of Bitcoin’s role as the currency of crime, a good place to start is the Chainalysis report on “The 2020 State of Crypto Crime”. Chainalysis, founded by Jonathan Levin, have sophisticated tools for cyber currency transaction monitoring and are used by the FBI and such like to track down miscreant moolah.

Bitcoin isn’t fungible (unlike the £50 notes so helpfully provided to the criminal fraternity by – yes, couldn’t make this up and I will call the Daily Mail in the morning – it’s only the Bank of England wouldn’t you know it) which means that the money can be traced from wallet to wallet and that should make it easier for these detectives to get a handle on where the ill-gotten gains are heading. 

The lack of fungibility has major implications for criminals. We have just the English High Court (in the decision of AA v Persons Unknown & Ors, Re Bitcoin [2019]) determine that crypto assets such as Bitcoin are considered to be ‘property’ capable of being the subject of a proprietary injunction against a cryptographic exchange, which was indeed granted. You can see what is going to happen here: the exchange will be required to identity who owns the stolen coins and the owner will then be the subject of legal action to recover them. This owner might be entirely innocent about the origin of the coins and will say that they didn’t know that the Bitcoins they bought are the proceeds of a ransonware attack and may ask to the keep them. But, as the economist J.P. Koning points out, that’s not how property law works. Even if you accidentally come into possession of stolen property then a judge can still force you to give them back to the rightful owner.

(To recap. Bitcoin isn’t cash, because cash is fungible. If we want something to be cash, we need to make it fungible. But do we want cash? I’m always ready to listen to informed views. If you do too, then someone you should listen to is Adam Back. He is a brilliant guy. He has already forgotten more about cryptography than I could conceivably learn from now on if I dedicated the entire rest of my career to the topic. His masterful lecture on “Fungibility, Privacy and Identity” delivered to Bitcoin Israel is well worth 90 minutes of your time. Get a notepad, a cup of tea, packet of fruit shortcakes and fire up the video.)

What happens when they get anonymous on our asses?

This is why ransomware rogues convert their Bitcoins out into something more suited to the less-regulated corners of the economy. The people behind the famous “WannaCry”, which hit more than 300,000 computers in over 150 countries, took their rewards and converted them into Monero, a privacy-focused cryptocurrency that has seen some growth in its popularity over the last year or so. This, in turn, makes me wonder why criminals continue to use a payment mechanism that leaves behind a perpetual record of all transactions that anyone can look it, particularly when there are more private alternatives already in the wild. One such example is Zcash, a cryptocurrency with the added special sauce of genuine anonymity rather than the pseudonymity that, as noted, hampers the exploitation of Bitcoin for nefarious purposes. Transactions remain confidential unless the counterparties reveal their addresses by “selective weakening” of the cryptographic protection. Now, I am sceptical about whether confidential transactions will get much traction in the mass market, but that does not mean that advocates of Zcash do not have a point when they say that “If you start with a perfect electronic cash system building block, then you can build an electronic cash system with selective weakening in a way that makes sense for society” [IEEE Spectrum].

You can understand why, of course. An electronic cash system that is going to offer some forms of privacy must be built on a truly anonymous infrastructure. You can’t do it the other way round. But… a truly anonymous infrastructure provides ample opportunities for mischief and some of this mischief might be of significant harm to society as whole. So what will happen?

In Zcash, there are two types of addresses, “transparent” and “shielded”. The transparent addresses and the amounts sent to and from them show up on the blockchain as they would in bitcoin. But if a user opts to use a shielded address, it will be obscured on the public ledger. And if both the sender and receiver of funds have opted to use shielded addresses, the amount sent will be encrypted as well [American Banker].

(The idea that counterparties can choose whether a transaction is visible or not is interesting and under explored. This reminds of the idea for light transactions and dark transactions that artist Austin Houldsworth put forward and that we presented at the BCS back in 2012!)

Trying to think this through, it seems to me that there is something of a paradox here in our mental transaction models. We want our transactions to be anonymous because we are good people but we want other people’s transactions to be tracked, traced and monitored because they might be criminals. Obviously we don’t want child pornographers and terrorists to have access to anonymous electronic cash but we do want freedom fighters and oppressed minorities to have access to electronic cash.

Hhhmm…..

So how might this paradox be resolved? Well, one option might be to assume that the anonymous cash will be used primarily by criminals and possession of it will be taken to be prima facie evidence of criminality, but not to ban it because free speech trumps crime according to our cultural values. Thus law enforcement resources can be targeted. Remember, in an anonymous world no-one knows you’re a dog but no-one knows that you’re from the FBI either. Hence you could argue that anonymity can actually help law enforcement to carry out old-fashioned police work (and since no-one knows you’re a bot either, I’d assume that the police will have large-scale big data analysis and pattern recognition and machine learning and all sort of other things to help them). It’s not at all clear to me that a terrorist child-pornographer will be any further beyond the reach of the law because their cash is anonymous when their mobile phone location is recorded every 50ms and their face is scanned at every street corner, but I’m open to debate.

In the mass market I can therefore envisage an environment where some kind of anonymous cash is in existence but is never used in its “raw” state, because people, companies and governments will only use the privacy-enhanced layers on top of it. Getting your ransomware cryptocurrency might remain easy, because companies don’t do proper risk analysis and don’t design secure products, but spending that cryptocurrency might become increasingly difficult.

Crime of the (new) century

Here’s something that I’m surprised we don’t see more of. Pavel Lerner, the CEO of the cryptocurrency exchange Exmo Finance, has been released by kidnappers after the payment of a $1 million bitcoin ransom. According to the Financial Times, the Ukrainian interior minister specifically labelled the crime “bitcoin kidnapping and extortion”. I would have asked for Monero, rather than traceable bitcoins, but there you go.

Given the number of Bitcoin millionaires wandering around — I bump into them at every conference I go to these days — you would have imagined that the more enterprising and forward thinking members of the cosa nostra (the coder nostra, as I call them) were out in force. Stand around outside Consensus or Money2020 and bundle most anyone into a van and drive them off into the desert and you’re sure of a Bitcoin, Ripple, Ether or Bitcoin Cash payday. It’s a puzzle that this doesn’t happen all the time, although it’s entirely possible that it does and that I never get to hear about it because I’m not rich enough, just like those Silicon Valley sex parties.

So is kidnapping for cyber-ransom the defining crime of the 21st century? Actually, I suspect not. What if, rather than traditional money–related crimes such as kidnapping and extortion, there were much better crypto-crimes invented in parallel to the new forms of crypto-money made available by technology? Is there such a crime that is unique to this virtual world? Not a virtual shadow of a crime that has been around since year zero, but a wholly new crime for the virtual world? Actually, one such crime was invented many years ago. It’s the “assassination market” that I wrote about in “Before Babylon, Beyond Bitcoin“.

An assassination market is a prediction market where any party can place a bet (using anonymous crypto-currency through the TOR network) on the date of death of a given individual, and collect a payoff if they “guess” the date accurately. This would incentivise the assassination of specific individuals because the assassin, knowing when the action would take place, could profit by making an accurate bet on the time of the subject’s death.

Here’s how the market works. Someone runs a public book on the anticipated death dates of public figures. If I hate a pop star or politician, I place a bet on when they will die. When the person dies, who ever had the closest guess wins all of the money, less a cut for the house. Let’s say I bet a fiver that a specific TV personality is going to die at 9am on April Fool’s Day 2018. Other people hate this personality too and they put down bets as well. The more hated the person is, the more bets there will be.

April Fool’s Day comes around. There’s ten million quid bet on this particularly personality. I pay a hit man five million quid to murder the personality. Hurrah! I’ve won the bet, so I get the ten million quid and give half to the hit man. I don’t have to prove that I was responsible for the assassination to get the money and no-one can pin the crime on me because I paid the hitman in untraceable anonymous electronic cash as well: I’m just the lucky winner of the lottery. If someone else had bet 31st March and murdered the television personality themselves the day before, then it would only have cost me a fiver, and I would have regarded that as a fiver well spent.

This is a rather an old idea that originated, as far as I know, with Jim Bell, who back in 1995 wrote an essay on “assassination politics” that brought the idea to the popular (well, amongst a nerd subgroup) imagination. I suppose it was inevitable that the arrival of digital currency would stimulate thought experiments in this area and it was interesting to me then (and now) because it showed the potential for innovation around digital money even in the field of criminality. If I hire thugs to lure a cryptobaron to a hotel room and then beat him up to get a $1m in bitcoins from him (as actually happened in Japan recently), that’s just boring old extortion. If I use Craigslist to lure a HODLer to a street corner and then pull a gun on him and force him to transfer his bitcoins to me (as actually happened in New York back in 2015), that’s just boring old mugging.

 

Now, as I explained in the FT some years ago, Bitcoin is not a very good choice for this sort of cyber-criminality. It’s just not anonymous enough for really decent crimes or the darkest darknets. Hence my scepticism about the claims that Bitcoin’s long term value will be determined by malevolent money mischief. But as I explained to students at Winchester College last week, if there were to be an actually untraceable cryptocurrency then an assassination market is a much better bet for the coder nostra than the physically demanding felony of kidnapping.

They are where the money isn’t

When most of us think about bank robbery, we think about people inventing complex derivates and amassing fortunes while the institutions that house them amass fine, bankruptcies and bailouts. But it turns out that your grandparent’s bank robberies are coming back into fashion. American Banker says that violent bank crime has become increasingly less common in the past decade, but that the rate of robberies has ticked back up in recent years.

At first I thought this might be a hipster revolt, like with vinyl records, but that doesn’t seem to be the case. So I’ve no idea. I don’t understand bank robbery. I remember getting into an interesting discussion about bank robbery at a lunch a while back. We were talking about risk and risk analysis. I was trying to make some points about why proper risk analysis like this is a more cost-effective way to proceed than (for example) panicking about newspaper stories on hacking, and that led to a train of thought around cost-benefit analysis for the robber, not the bank. Are robbers put off by thick doors and barred windows and such like? Are robbers deterred by visible, physical symbols of security? Come to that, should be bother with physical security at all in banks?

This is a fair point. So it set me thinking: if you are an amoral sociopath desperate to amass as much money as possible, are you better off robbing a bank or working for it? As a responsible father, I want to help my sons chart the best course for life. Right now, they are at University studying socially useful subjects in science and engineering. Having myself studied science only to become trapped in mortgage serfdom and forced to work until I drop, I am trying to persuade them to become Somali pirates or Wolves of Wall Street, without much success so far. So I understand that side of the equation, but am less certain of the other. Remember that old paper “The Decision-Making Practices of Armed Robbers” by Morrison and O’Donnell. It’s a study of armed robbery in London and one of my favourite papers. It is based on first-hand research (viz, the analysis of over 1,000 police reports and interviews with 88 incarcerated armed robbers).

While it’s about the UK rather than the US, I’m sure the thought processes of the perpetrators must have some similarities. Crucially, the paper notes that “almost all of these robbers evaluated the offence as having been financially worthwhile (aside from the fact that they were eventually caught and punished for their crime)”. So robbing a bank seems like good idea, if you exclude the possibility (in fact, the likelihood) of being caught. I suppose this is standard Jordan Belfort, Bernie Madoff thinking thought isn’t it? Unless people believe they will be caught (and these people don’t) then they only consider the upside.

(One of the interesting snippets it contains is that a great many of the armed robbers in the UK use imitation firearms even though they could have access to real ones. I imagine that in the US the use of imitations is vastly less prevalent, since it’s presumably harder to buy an imitation gun than a real one there.)

So, what to do? While glancing back over the paper I note that the authors say that it doesn’t seem practical to “expect financial institutions and commercial properties to reduce counter cash much more than they already have”. That may have been true when the paper was written a few years ago, but it clearly isn’t true now, since both bank branches and businesses in many countries are becoming cash free. And this is a good thing, because as we all know there is a direct and measurable relationship between the amount of cash out there (more on this later) and the amount of crime. As the paper says, “even when the amount of money obtained was quite small (an element often touted in support of the irrationality of economic criminals), it must be recognised that even apparently small sums may be adequate for the offender’s immediate needs. Hence, gains may be subjectively much larger than they appear”.

Bank robber or management consultant?

 

It’s a stick up

The rewards of armed robbery seem to me, then, as an educated middle-class professional, to be rather low. Yet they are still sufficient to attract the robbers, because their needs are immediate and limited. I want a holiday home in the South of France but the guy in the Nixon mask isn’t robbing a bank to pay his way through college or to obtain seed finance for a start up, he just needs to buy a car or some drugs or whatever. This paper seems, then, to indicate that so long as there is some cash in the till, there will be robberies. This is not an observation confined to banking. A study of the American Electronic Benefit Transfer (EBT) program found that “the EBT program had a negative and significant effect on the overall crime rate as well as burglary, assault, and larceny”.

What they are talking about here are US programmes where benefit recipients are paid electronically and given cards that they can use in shops instead of being given cash. The authors found a 10% drop in crime correlated with the switch to EBT. It seems pretty overwhelming evidence, and even more so if you read the paper, which notes no impact on crimes that do not involve the acquisition of cash. If we can to stop armed robberies, that would surely be an excellent social benefit to the move to cashlessness and would help us to explain the nature of appropriate regulation to legislators.

But back to the specific point about the relationship between bank cash and robberies. With the rewards from robbing banks and businesses falling  armed robbers, like everyone else, follow the money – literally – and so cash-in-transit (CIT) robberies are now the preferred option. We see the same in Europe where countries that have much higher usage of ATMs have much higher CIT robbery rates than countries that have lower ATM usage (see, for example, Sweden and Denmark).

Overall, then, we see another early indication of the emerging post-cash era: Spending on physical bank security is being reduced and spending on virtual bank security is being increased. We do, indeed, live in interesting times.