Cryptocurrency Fraud , Fraud Management & Cybercrime , Video
ISMG Editors: Kicking the Criminals Out of Cryptocurrency
Crypto Expert Joins ISMG Panel to Discuss Recent Revelations, Regulatory Actions Anna Delaney (annamadeline) • September 9, 2022In the latest weekly update, Ari Redbord, head of legal and government affairs at TRM Labs, joins ISMG editors to discuss important cybersecurity issues, including numerous efforts to establish new regulatory controls for the industry - and whether they go far enough to deter terrorism, money laundering and other illegal activities.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Redbord joins ISMG panelists Anna Delaney, director, productions; Tom Field, senior vice president, editorial; and Rashmi Ramesh, senior subeditor, global news desk, to discuss:
- How terrorists are testing the waters with non-fungible tokens as a potential way to fund their campaigns;
- The limitations of the two much-anticipated digital assets regulations - MiCA in Europe and the Responsible Financial Innovation Act in the United States;
- The impact of new U.K. rules stating that crypto exchanges must now report suspected sanctions breaches to authorities.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 26 edition discussing the implications of the Russia-Ukraine hybrid war and the Sep. 2 edition discussing why hacktivists got bored with the Russia-Ukraine cyberwar.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney and this week we have a cryptocurrency special for you. To lead us on this adventure, we are joined by Ari Redbord, a former Treasury Department's senior adviser, and now head of legal and government affairs at TRM Labs; Tom Field, senior vice president of editorial; and Rashmi Ramesh, senior sub editor for ISMG's global news desk. Good to see you all and Ari, thank you so much for being with us.
Ari Redbord: Thank you so much for having me.
Delaney: Ari, we have a few questions for you. Tom, lead the way.
Tom Field: Ari, given everything we've seen over the first eight months of this year, what are the most meaningful crypto related regulatory actions that you have seen so far globally?
Redbord: It's a tough question. There's been so many. We live in a world where things slow down a little bit in the summer. I think what we've seen over the last three or four months is things accelerating in many respects. When I think about the real regulatory milestones, you got to start with MiCA, which is the markets and crypto assets regulation coming out of the European Union. Implementation is still to come, but what we've seen now is an agreement on the first comprehensive framework for digital assets globally. What's so extraordinary about crypto is crypto affects every aspect of policy. Environmental, consumer protection, anti-money laundering, it affects taxation and domestic finance globally. What we've seen out of MiCA is the attempt by the European Union, the European Parliament, to come up with a truly comprehensive framework to address all of the different issues. Currently, a bill has been proposed very early days in the U.S. Congress that has a lot of the same aspects. In other words, this comprehensive framework, but that is potentially years away from passage and ultimately implementation. So today, if you're talking about what is the big regulatory story over the last few months, it's certainly been MiCA. But, there's been so much more. We've spoken before about the U.S. Treasury Department, rolling out sanctions against a first truly decentralized entity or if you will, software protocol, Tornado Cash and the ramifications potentially of that. What does that look like? We've seen North Korea continue to go after DeFi protocols/bridges within the crypto space. Rashmi has written extensively on these topics and done a wonderful job of covering this space, but there's so much going on. Hard to just pick one thing, but from a regulatory perspective, it's has been pretty extraordinary this summer.
Field: Excellent. Ari, I want to get into Rashmi territory here for a moment. NFT showing support for the Islamic State has been circulating online. It's been inciting fears of a potential revival of the terrorist organizations funding. If the blockchain technology behind NFTs makes it nearly impossible for them to be taken off the internet, how do you see this potential terrorist activity ever being controlled?
Redbord: I definitely don't want to overstate the significance of what we've seen, but basically, based on a TRM investigation, we identified an NFT that was clearly created by a supporter of the Islamic State. Then over the course of the same day, we watched the creation of another three NFTs, with similar propaganda. We have not seen these NFTs move, we have not seen them necessarily be used for terrorist financing. But I think it's the big but, why I believe this is very significant is in the age of the internet, you had centralized services, you had intermediaries like Facebook and Twitter. These were go to places for terrorist organizations like ISIS and Al-Qaeda to spread propaganda. However, those platforms were able to deplatform that information and those entities that were involved in it. That was in the age of the internet. But in the age of crypto, in this world where NFTs and cryptocurrency move on an open immutable ledger, when you put something on a blockchain, it is forever. And what I think we're seeing here is terrorist financiers, particularly ISIS in this case, or ISIS supporters, move with all the rest of us to a decentralized world where there aren't intermediaries, where it's much more difficult to deplatform. The reality is when something's on a blockchain, it's forever. To the credits of intermediaries in the crypto space, we've seen NFT platforms remove this content. But the reality is, you can only move it from those centralized services. You cannot move it from a blockchain. I think, the significance here is this is the first case that we've seen of this, and we are likely to see more. I think what we could be seeing here is a sophisticated supporter of ISIS testing a little bit. I think it's early. I think it's significant in some respects for it being the first time.
Rashmi Ramesh: I know you mentioned MiCA earlier. Then there's the Responsible Financial Innovation Act in the U.S. What do you think are the limitations of these much anticipated regulations?
Redbord: I think they're both extraordinary to the extent that they take on this idea of a comprehensive framework where they are touching all of the issues. With MiCA, there's an agreement on. I think we're going to start to see over the next few months, maybe next year implementation. I think the limitations there are is it's critical that regulators within Europe. I think they have the expertise and the capabilities that the European Parliament envisioned when they reached agreement on this bill. So I think that it's always one thing to pass significant legislation. It's another thing for regulators to implement it across a pretty diverse continent of expertise or capabilities of resources. But I think that like you're in a great place when you've at least reached agreement. I think the limitations that we see today in the United States, is that we're in a political environment where it's very difficult to reach agreement on something that's comprehensive. I think that's why we may see component parts move much more quickly than we'll see a true comprehensive framework. For example, I think one thing we're seeing in this space right now is relative agreement on stable coins. In the wake of the collapse of Terra, a stable coin, we've seen global regulators start to move to this idea of "any stable coin project must be backed by non-crypto reserves of some kind," at different levels, potentially 100% levels. We've seen the New York Department of Financial Services say you can't be a licensed stable coin issuer in the state of New York, unless you can show reserves. We've seen in other jurisdictions. The U.K. has put out some guidance that may eventually end up as policy or as law on the same topic. In July, I think we thought we were going to see a bill on stable coins move out of the House Financial Services Committee within the U.S. Congress. We did not see that based on what was reported to some concerns from Treasury. But we're likely to see some movement on that this fall, as Congress comes back. I think the limitation of the Gillibrand and Lummis bill in Congress is just the broad nature of it in a political environment where it's very difficult to get anything passed. We have elections coming up in November. I think that there's a lot of focus on that, as opposed to necessarily passing legislation at the moment. But if there was one area where I think we could see some movement, at least, it's on stable coins, because interestingly, even industry now, I think, for the most part, has come around to this idea of consumer protection, requiring some level of reserves for these projects to ensure that there's not a terror 2.0.
Ramesh: Something I hear very often out there is that there are barely any platforms that are truly decentralized. But for those that are, how do authorities enforce regulations in a space that does not rely on the presence of intermediaries?
Redbord: There's no question, this is the question of the moment. How do we regulate a truly decentralized space? The reality is that many, even DeFi projects today, and this is what FATF - the Financial Action Task Force - the global standard setter on AML has said is, just because you call yourself DeFI or decentralized doesn't mean you necessarily are. But there are truly decentralized projects today. And the question for regulators is, how do we regulate in that space? I think, we could look to the fallout from sanctions against Tornado Cash I mentioned earlier on the show, and that is the question - are sanctions effective when they just involve the software protocol? While you can screen for sanctions, and this is what we do at TRM. We screen for sanctions on the front end, we work with DeFi protocols in order to do that. There's always a way in directly to the smart contract when you're talking about software that lives on blockchains. I think it's a combination of things. But I think you will see more and more discussion by regulators, I would say in the next year or so, in the DeFi space, and how to think through these challenges. If folks are looking for something to read beyond FATF, there's a good guidance coming out of ADGM, which is the Abu Dhabi Global Market, on exactly this issue. How should we be thinking about DeFi? What if it is not truly decentralized? How do we deal with it when it truly is decentralized? That's just one place that we've seen some good guidance, or at least discussion on DeFi right now. But it's still something that there's not a whole lot of guidance on. I'll just say what the DeFi space is looking for, from our conversations with clients and others is some of that regulatory guidance. What is the expectations for sanction screening by a decentralized protocol? What can and should be done? I am not entirely sure that's a satisfactory answer. But the reality is, it's very much a work in progress and something that regulators are discussing all the time.
Delaney: This week, we heard news that crypto exchanges and must now report suspected sanctions breaches to U.K. authorities. This comes under new rules brought in surrounding concerns that Bitcoin and other crypto assets are being used to evade restrictions imposed in response to Russia's war in Ukraine. Using cryptocurrencies to dodge sanctions was already legal in the U.K. Ari, what's unique about these changes?
Redbord: We had some robust conversations, I think, including with this group, when Russia invaded Ukraine and what was going to be the impact or the use of crypto to evade sanctions. I think the reality is that Russia cannot use cryptocurrency to evade sanctions at scale. This is a country that had its central bank designated. We're talking magnitudes, you can't prop up a G20 economy overnight using cryptocurrency. But what we will inevitably see is Russian oligarchs sanction Russian individuals attempt to use crypto to evade sanctions. Why? Because they've used everything historically to evade sanctions, high value art real estate in London. I think that the reality is that yes, anything that can be used will be used. This is not a sea change in policy of any kind. With the U.K. saying, if you're a cryptocurrency business, you're just like any other financial institution. This has been said before in other context, and that is, you have a reporting obligation when it comes to sanctions exposure if it's one of your clients, a sanctioned entity or individual. Have you engaged with a sanctioned entity or individual? What they've done is just said, "Hey, look, crypto assets, and crypto asset providers, are our money service businesses, they are financial institutions with those same reporting requirements. OFAC for years in the United States, which is the sanctions regulator at the U.S. Treasury Department, has made clear that those same reporting requirements exist for crypto businesses as they do for other financial institutions. I think it's interesting but I don't necessarily think it's a sea change in policy. I think it's probably just putting down on paper, what the expectations have maybe been for some time for crypto businesses in this sanction space in the U.K.
Delaney: Great, nice clarification there. Not a week goes by where we don't hear about yet another cryptocurrency scam, and we see lawmakers reviewing whether consumers' protections are sufficiently robust. Last month in the U.S., Representative Krishnamoorthi wrote to five cryptocurrency exchanges, asking for details about the written policies and efforts to combat crypto-related fraud. Ari, are we likely to see steps from the federal government to protect consumers and investors and curb crypto fraud anytime this year?
Redbord: I think that we've already seen it happen. Regulation can only do so much I think what you're also seeing is there's always going to be bad actors. When I was a prosecutor, I used to only focus on bulk cash smuggling and networks of hawalas and shell companies and high value art and real estate and all these other ways people launder funds. If crypto is going to grow and succeed, you're going to see more and more financial crime, not less. That's just the nature of a growing economy. If you're seeing less, quite frankly, it's probably because the economy is not flourishing. I would say that there's only so much regulation can do. But what you have seen is a true focus by law enforcement in the U.S. and globally, to stop or at least investigate fraud and financial crime. This has been an incredibly busy summer, when it comes to the U.S. Department of Justice, bringing cases involving scams, fraud, in the ICO space - the initial coin offering space. We saw DOJ and SEC bring actions involving insider trading by a former coin base employee. So we've seen a ton of activity in this space to kind of go after this stuff. I will say that I think one thing that's lost in some of this, because I hear all the time is, "There's so much fraud and financial crime in crypto." I think one thing we're seeing now are the fruits of kind of building up that law enforcement capability. We're doing a TRM Talks next month with part of the National Cryptocurrency Enforcement Team (NCET) from DOJ. As I was putting this together, I realized that it's exactly a year since the DOJ set up the National Cryptocurrency Enforcement Team. And exactly two years since we saw the cryptocurrency enforcement framework from the DOJ. I say that because I think we're just starting, they build out these capabilities within the Department of Justice. We talked, I think Rashmi even wrote about the SEC building out their enforcement capability. We've seen all this over the last year, 18 months. Now we're starting to see the cases. I don't know that there's like this proliferation that is new, but we're seeing more prosecutions, more investigations. I think that's honestly a good thing. Because, I'm a strong believer in the crypto economy. But in order for any of it to work, we have to stop these hacks. We have to stop bad actors from taking advantage of it because no one's going to put their money in crypto or transact with crypto if they don't think it's going to be there the next day. I think that's what's so critical and that's why these enforcement actions and prosecutions are so important.
Delaney: We have one final question. What has been the most ridiculous, bonkers, craziest crypto story of this year?
Field: Razzlekhan - Crocodile of Wall Street, I still can't get it out of my head.
Redbord: There's a terrific piece by Nick Bilton in Vanity Fair, on the deep dive into that story. I think it's certainly more to come. It looks like they are likely negotiating a plea agreement of some kind, I think we'll get a lot of interesting information once there's a plea. It's super interesting story. At the end of the day, what we had is the largest seizure of anything in U.S. history. That's what is an etraordinary story.
Delaney: Ari, I think in that same article in Vanity Fair, the journalist compares them to the modern day Bonnie and Clyde. I think it's rare that you have massive criminal operations conducted by a couple. When they are, they're always fascinating. There's a great backstory.
Delaney: Rashmi, what's taking your interest this year?
Ramesh: It's a recent one. A Web3 security company, which offers smart contract auditing services, did not audit its own smart contract, and became the victim of an exploit. Two people ended up taking about 450 NFTs instead of the two they were supposed to. Ironic still is that the NFTs that they took were from a collection of art featuring bad guys stealing NFTs.
Delaney: Not so smart, after all. It's great. Ari, well, you must have the craziest one, surely?
Redbord: In your last question we were talking about the renewed or now we're starting to see prosecutions and investigations. Homeland Security Investigations did a cool investigation, something called the Baller Ape Case, which was an NFT rug pull, where people were excited. The FOMO around this was huge, like, Bored Ape Yacht Club. It resulted in a rug pull, which are very hard to investigate, but we're now seeing law enforcement have the tools that they need to track and trace the flow of these NFTs. They built a case and charged individuals. I think what we're seeing now, again, is that the NFT space for a long time is in the Wild West. I think what we're seeing more and more capability to investigate and ultimately prosecute cases.
Delaney: Ari, it's fascinating to see how the crypto space is evolving. There's certainly no dearth of topics to discuss. So we appreciate your time. Thank you, Ari, Rashmi and Tom. Always a pleasure.
Field: Thank you.
Redbord: Thanks, everybody.
Delaney: Thanks for watching. Until next time.