Crime and cryptocurrency, frauds and fungibility

The recent devastating ransomware attack on Travelex has once again raised the issue of cryptocurrencies, or more specifically Bitcoin, being used for criminal purposes. At the time of writing, my bank (Barclays) as well as other high-street banks including HSBC, Virgin and Tesco Bank, all of whom rely on Travelex for foreign exchange services, are still unable to offer online exchange services or process orders for foreign currency. The company was infected with a “ransomware” virus that encrypted its data — Travelex left critical security weaknesses in the Pulse Secure virtual private network (VPN) servers unpatched for eight months — and the attackers demanded a $6m payment in Bitcoin to decrypt the data.

(Travelex has not disclosed whether it has paid the ransom.)

The scale of the damage here may have been unusual, but the attacks are not. Every single day there is another such story in the media. And while none of us may care that much if financial institutions do not implement appropriate security and have money stolen, there are attacks on hospitals and public services all of the time as well. Perhaps we ought to consider following the lead of Finland. Back in November 2019 more than 200 Finnish municipalities and public organisations had a “war game” co-ordinated by The Population Register Centre to practice their response to possible cyberattacks. I am not an expert, but I imagine that one of the things they learned was to make sure that the IT people install security patches on their computers and to make sure they have backups of their data, but I digress.

Back to the issue of ransoms. Ransomware wouldn’t be much good if the attacker could only be paid by cheques or bank transfers. This is why ransomware and cryptocurrency are a package, although ransomware datanappers are not the only criminal users of the new digital dosh. According to the Daily Mail, the police have seen an “explosion in the use of digital currency by criminals who are strolling into cafes, newsagents and corner shops to dump their ill-gotten gains in virtual currency ATMs”.

Well, let’s not panic. If you look at the actual Bitcoin transactions going on out there in cyberspace, you’ll have to admit that even crime isn’t proving the vehicle for mass market adoption that the more hysterical parts of the media might have made you think. Frankly, if the demand for Bitcoin were all about crime (and not speculation) then it would actually be worth far less than it is today. There just isn’t enough crime. Calculations based on the use of Bitcoin in this sector of the economy put its value at something like one-twentieth of the current price.

Now, I have to say that I think that these kinds of calculations are highly spurious.

First of all, such calculations are often based on the value of the global market in illegal drugs. Now, while no-one can be sure of the exact size, this is undoubtedly a vast market. But it is a market that is conducted almost entirely in cash. Were these transactions to be converted to digital money, the sums involved are so vast that it would be almost impossible for any AI machine-learning transaction monitoring service to ignore them.

Secondly, I have yet to see any evidence that criminals are adopting Bitcoin at scale for anything else. And the reason for this is obvious: it’s not anonymous enough. Wallet addresses are pseudonyms, and once any of these pseudonyms has been linked to a mundane identity in any way, the identities can be connected, monitored, tracked and traced. While people often refer to bitcoin as anonymous, it really isn’t.

Why Bitcoin?

It can be made anonymous, though, right? In the world of bitcoin, smart criminals will use “mixers” or “tumblers” that jumble together Bitcoins to obfuscate their origin. Well, whatever. If Bitcoin were to be widely used in serious criminal enterprises then the authorities would step in. What if law enforcement agencies go to the biggest miners in the world and tell them that if they continue to confirm easily identifiable mixing transactions, they will be accused of money laundering? As I write, 49% of all of the Bitcoin “power” is in the hands of five Chinese mining pools, so this is not difficult to imagine. Bitcoin’s lack of fungibility means that it has little long-term prospect for criminal enterprise.

Wait! Whatibility?

Fungibility.

Whatever Bitcoin is, it isn’t cash for the inescapable reason that cash is fungible. This matters. Remember that IRS Ruling about Bitcoins being a commodity, so that traders would have to track the buying and selling price of each individual Bitcoin in order to assess their tax liability? No? Here’s a reminder from [CreditSlips]: “For a payments geek, the real lesson from the IRS Bitcoin ruling is that for a currency–or any payment system–to work, its units must be completely fungible”.

Fungible (from the Latin “to enjoy”) is a great word. One of my favourites, in fact. In the context of money, it means that all tokens are the same and can be substituted one for another. You owe me a pound. It doesn’t matter _which_ pound coin that you give me. Any will do. Any pound coin can substitute for any other pound coin because they are all the same: no-one can distinguish one pound coin from another. This isn’t true of Bitcoins. They are all different, and because they are all different, their history can be tracked through the blockchain, its immutable public record of all transactions.

The existence of the blockchain means that clever analysts can set their bots scampering along the chain of transactions to find out where money is coming from and where it is going. While Bitcoin has a media image of secrecy, it has long been understood that blockchain analysis means that it could be surprisingly easy for a law enforcement agency to identify many users of the currency [MIT Technology Review]. So you can see what is actually going on at all times. If you want to get a picture of Bitcoin’s role as the currency of crime, a good place to start is the Chainalysis report on “The 2020 State of Crypto Crime”. Chainalysis, founded by Jonathan Levin, have sophisticated tools for cyber currency transaction monitoring and are used by the FBI and such like to track down miscreant moolah.
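As an added illustration of what those analysts’ bots actually do (this is example code written for this post, not anything from Chainalysis or the original article), here is a toy “haircut” taint tracer run over a constructed five-transaction ledger: a ransom payment is seeded as tainted, the coins are pushed through a mixing transaction with clean coins, and the tracer still reports how much of the exchange deposit traces back to the ransom. The ledger, addresses and the proportional-taint heuristic are all assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample ledger (not real Bitcoin data). A transaction spends
# earlier outputs, referenced as "txid:index", and creates new ones;
# "coinbase" marks newly mined coins with no prior history.
LEDGER = [
    {"txid": "t1", "inputs": ["coinbase"], "outputs": [("victim", 10.0)]},
    {"txid": "t2", "inputs": ["coinbase"], "outputs": [("alice", 10.0)]},
    # the ransom payment: 6 coins to the attacker, 4 back to the victim as change
    {"txid": "t3", "inputs": ["t1:0"], "outputs": [("ransom", 6.0), ("victim_change", 4.0)]},
    # a "mixing" transaction: ransom coins joined with Alice's clean coins and split evenly
    {"txid": "t4", "inputs": ["t3:0", "t2:0"], "outputs": [("mix_out_a", 8.0), ("mix_out_b", 8.0)]},
    # one mixed output is later deposited at an exchange
    {"txid": "t5", "inputs": ["t4:0"], "outputs": [("exchange_deposit", 8.0)]},
]

def haircut_taint(ledger, seed):
    """Propagate proportional ("haircut") taint forward through the ledger.
    seed maps "txid:index" -> fraction known to be tainted (1.0 for the ransom
    output). Each later output inherits tainted_in / total_in of its transaction,
    so mixing with clean coins dilutes the taint but never removes it.
    Returns {address: [(amount, taint_fraction), ...]}."""
    outputs = {}                      # "txid:index" -> (address, amount, fraction)
    by_address = defaultdict(list)
    for tx in ledger:                 # assumed to be in chronological order
        total_in = tainted_in = 0.0
        for ref in tx["inputs"]:
            if ref != "coinbase":
                _, amount, frac = outputs[ref]
                total_in += amount
                tainted_in += amount * frac
        inherited = tainted_in / total_in if total_in else 0.0
        for index, (address, amount) in enumerate(tx["outputs"]):
            ref = f"{tx['txid']}:{index}"
            frac = seed.get(ref, inherited)
            outputs[ref] = (address, amount, frac)
            by_address[address].append((amount, frac))
    return dict(by_address)

def tainted_amount(taint_by_address, address):
    """Coins at an address that trace back to the seeded (ransom) outputs."""
    return sum(a * f for a, f in taint_by_address.get(address, []))

if __name__ == "__main__":
    result = haircut_taint(LEDGER, {"t3:0": 1.0})
    for addr in ("ransom", "mix_out_a", "exchange_deposit", "victim_change"):
        print(f"{addr:18s} {tainted_amount(result, addr):.2f} tainted coins")
```

Of the 8 coins deposited at the exchange, 3 are attributed to the ransom: the mixer changed the proportions but the public record still connects the deposit to the original payment.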

Bitcoin isn’t fungible (unlike the £50 notes so helpfully provided to the criminal fraternity by – yes, couldn’t make this up and I will call the Daily Mail in the morning – it’s only the Bank of England wouldn’t you know it) which means that the money can be traced from wallet to wallet and that should make it easier for these detectives to get a handle on where the ill-gotten gains are heading. 

The lack of fungibility has major implications for criminals. We have just seen the English High Court (in the decision of AA v Persons Unknown & Ors, Re Bitcoin [2019]) determine that crypto assets such as Bitcoin are considered to be ‘property’ capable of being the subject of a proprietary injunction against a cryptographic exchange, which was indeed granted. You can see what is going to happen here: the exchange will be required to identify who owns the stolen coins and the owner will then be the subject of legal action to recover them. This owner might be entirely innocent about the origin of the coins and will say that they didn’t know that the Bitcoins they bought are the proceeds of a ransomware attack and may ask to keep them. But, as the economist J.P. Koning points out, that’s not how property law works. Even if you accidentally come into possession of stolen property then a judge can still force you to give it back to the rightful owner.

(To recap. Bitcoin isn’t cash, because cash is fungible. If we want something to be cash, we need to make it fungible. But do we want cash? I’m always ready to listen to informed views. If you do too, then someone you should listen to is Adam Back. He is a brilliant guy. He has already forgotten more about cryptography than I could conceivably learn from now on if I dedicated the entire rest of my career to the topic. His masterful lecture on “Fungibility, Privacy and Identity” delivered to Bitcoin Israel is well worth 90 minutes of your time. Get a notepad, a cup of tea, packet of fruit shortcakes and fire up the video.)

What happens when they get anonymous on our asses?

This is why ransomware rogues convert their Bitcoins out into something more suited to the less-regulated corners of the economy. The people behind the famous “WannaCry”, which hit more than 300,000 computers in over 150 countries, took their rewards and converted them into Monero, a privacy-focused cryptocurrency that has seen some growth in its popularity over the last year or so. This, in turn, makes me wonder why criminals continue to use a payment mechanism that leaves behind a perpetual record of all transactions that anyone can look at, particularly when there are more private alternatives already in the wild. One such example is Zcash, a cryptocurrency with the added special sauce of genuine anonymity rather than the pseudonymity that, as noted, hampers the exploitation of Bitcoin for nefarious purposes. Transactions remain confidential unless the counterparties reveal their addresses by “selective weakening” of the cryptographic protection. Now, I am sceptical about whether confidential transactions will get much traction in the mass market, but that does not mean that advocates of Zcash do not have a point when they say that “If you start with a perfect electronic cash system building block, then you can build an electronic cash system with selective weakening in a way that makes sense for society” [IEEE Spectrum].

You can understand why, of course. An electronic cash system that is going to offer some forms of privacy must be built on a truly anonymous infrastructure. You can’t do it the other way round. But… a truly anonymous infrastructure provides ample opportunities for mischief and some of this mischief might be of significant harm to society as a whole. So what will happen?

In Zcash, there are two types of addresses, “transparent” and “shielded”. The transparent addresses and the amounts sent to and from them show up on the blockchain as they would in bitcoin. But if a user opts to use a shielded address, it will be obscured on the public ledger. And if both the sender and receiver of funds have opted to use shielded addresses, the amount sent will be encrypted as well [American Banker].

(The idea that counterparties can choose whether a transaction is visible or not is interesting and under-explored. This reminds me of the idea for light transactions and dark transactions that artist Austin Houldsworth put forward and that we presented at the BCS back in 2012!)

Trying to think this through, it seems to me that there is something of a paradox here in our mental transaction models. We want our transactions to be anonymous because we are good people but we want other people’s transactions to be tracked, traced and monitored because they might be criminals. Obviously we don’t want child pornographers and terrorists to have access to anonymous electronic cash but we do want freedom fighters and oppressed minorities to have access to electronic cash.

Hhhmm…..

So how might this paradox be resolved? Well, one option might be to assume that the anonymous cash will be used primarily by criminals and possession of it will be taken to be prima facie evidence of criminality, but not to ban it because free speech trumps crime according to our cultural values. Thus law enforcement resources can be targeted. Remember, in an anonymous world no-one knows you’re a dog but no-one knows that you’re from the FBI either. Hence you could argue that anonymity can actually help law enforcement to carry out old-fashioned police work (and since no-one knows you’re a bot either, I’d assume that the police will have large-scale big data analysis and pattern recognition and machine learning and all sorts of other things to help them). It’s not at all clear to me that a terrorist child-pornographer will be any further beyond the reach of the law because their cash is anonymous when their mobile phone location is recorded every 50ms and their face is scanned at every street corner, but I’m open to debate.

In the mass market I can therefore envisage an environment where some kind of anonymous cash is in existence but is never used in its “raw” state, because people, companies and governments will only use the privacy-enhanced layers on top of it. Getting your ransomware cryptocurrency might remain easy, because companies don’t do proper risk analysis and don’t design secure products, but spending that cryptocurrency might become increasingly difficult.

Follow the e-money

A couple of years ago I remember going to see ComplyAdvantage to make a podcast with them. I thought the new category of regtech was interesting and that the potential for new technologies in that space (eg, machine learning) was significant, so I went off to learn some more about it and talk to a few organisations to test some hypotheses. I remember thinking at the time that they were good guys and on a good trajectory and it looks as if my opinion was well-founded (they are doubling in size this year).

Anyway, I was thinking about them because they recently sent me a new white paper “A New Dawn for Compliance” (which notes that an estimated $2 trillion is laundered globally every year and only 1-3% of these funds are identified and possibly stopped) and it nicely encapsulated something that has been touched on in a fair few conversations recently: there’s no way to hire ourselves out of the compliance mess we’re in. Even if financial services and other businesses had infinite compliance budgets, which they most certainly do not, it’s simply not feasible to hire enough people to keep up. Even if there were infinite people with expertise in the space, which there most certainly is not, bringing them on board is too time-consuming, too expensive and too inflexible to create a compliance infrastructure that can respond to the new environment.

Technology is the only way out of this.

Using technology to automate the current procedures is, as always, only a small part of the solution. The UK Financial Intelligence Unit (UKFIU) receives more than 460,000 suspicious activity reports (SARs) every year (according to the National Crime Agency), yet fraud continues to rise.

Moreover, as Rob Wainwright (head of Europol) pointed out last year, European banks are spending some €20 billion per annum on CDD with very limited results. In fact, he said specifically that “professional money launderers — and we have identified 400 at the top, top level in Europe — are running billions of illegal drug and other criminal profits through the banking system with a 99 percent success rate”. This is not even a Red Queen’s Race, it’s a Formula 1 of crime where the bad guys are ahead and we can’t overtake them.

The Fifth Anti-Money Laundering Directive (AMLDV) which comes into force in 2020 will, I predict, do nothing to change this criminal calculus. AMLDV will cost organisations substantially more than its predecessors and these costs are out of control. According to a 2017 whitepaper written by my colleagues at Consult Hyperion, KYC processes currently cost the average bank $60m (€52.9m) annually, with some larger institutions spending up to $500m (€440.7m) every year on KYC and associated customer due diligence (CDD) compliance. In the AMLDV era we will look back with nostalgia to the time when the costs of compliance were so limited.

It’s time for a rethink.

We need to re-engineer regulators and compliance to stop implementing know-your-customer, anti-money laundering, counter-terrorist financing and the tracking of politically-exposed persons (let’s lump these all together for the sake of convenience as Customer Due Diligence, or CDD) by building electronic analogues of passports and suspicious transaction reports and so on. In a world of machine learning and artificial intelligence, we need to invert the paradigm: instead of using CDD to keep the bad guys out of the system, we should bring the bad guys into the system and then use artificial intelligence and pattern recognition and analytics to find out what the bad guys are doing and then catch them!

Surely, from a law enforcement point of view, it’s better to know what the bad guys are up to? Following their money should mean that it is easier to detect and infiltrate criminal networks and generate information that the law enforcement community can use to actually do something about the flow of criminal funds. In any other financial services business, a success rate of 1% would call into question the strategy and the management of the business