This post also appears on Duke Law’s Lawfire blog
In the wake of the U.S. and its allies imposing unprecedented economic and financial sanctions on Russia, there have been a number of articles about the role cryptocurrency may play in undermining these sanctions (see here, here, and here). While the situation is fluid and defies easy predictions, western sanctions will certainly compel the Russian government, as well as Russian businesses and citizens, to turn to crypto to lessen the economic sting. I confidently assert this for two reasons: 1) North Korea and Iran have been leveraging crypto to evade U.S. sanctions for several years, and 2) Russia already plays a large role in the illicit crypto economy.
Going forward, the U.S. will deploy a whole-of-government approach to isolate Russia from the international financial system and western economies. This includes increasing oversight of western financial institutions that are on the frontlines of sanctions enforcement and compliance. While large financial institutions have a long track record of sanctions compliance – and the financial resources to do it – they still found themselves on the receiving end of the ten largest Office of Foreign Assets Control (OFAC) civil sanctions, totaling $4.3 billion, over the last decade. If the largest and best-resourced financial institutions in the world have struggled to comply with OFAC sanctions, what chance do lightly regulated cryptocurrency firms have in the current environment, where sanctions are rapidly unfolding?
North Korea and Iran Turn to Crypto
In 2018, Priscilla Moriuchi, who previously led the National Security Agency’s East Asia and Pacific cyberthreats office, noted that North Korea was actively targeting cryptocurrency exchanges, mainly in South Korea, to fund its nuclear missile program. And in a federal indictment unsealed last February, the Department of Justice charged “three North Korean computer programmers with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform.”
In a report from last May, blockchain analytics company Elliptic found Iran had turned to crypto mining as a way to utilize surplus energy that it cannot export due to economic sanctions. The report notes that “[i]n 2019 Iran officially recognized crypto asset mining, later establishing a licensing regime that required miners to identify themselves, pay a higher (but still very low) tariff for electricity, and to sell their mined bitcoins to Iran’s central bank.” Elliptic estimates that Bitcoin mining in Iran brought in annualized revenue of roughly $1 billion last year.
Russia and Ransomware
It is difficult to approximate the size and scope of ransomware due to the obvious reluctance of victims to report cyber incidents to law enforcement – the U.S. government estimates it has data on only 20% to 25% of domestic cyber breaches. However, a report issued last October by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) offered some striking data points. The report analyzed ransomware trends in Bank Secrecy Act reporting filed between January 2021 and June 2021 and found that the total value of suspicious activity reported in ransomware-related Suspicious Activity Reports (SARs) during the first six months of 2021 was $590 million, “which exceeds the value reported for the entirety of 2020 ($416 million).” In fact, FinCEN noted that the expected ransomware-related transaction value for SARs filed in all of 2021 would exceed the previous 10 years combined!
FinCEN’s analysis revealed the true cost of ransomware was likely much higher; they looked at 177 unique virtual currency wallet addresses used for ransomware payments and identified approximately $5.2 billion in outgoing Bitcoin transactions from these addresses. The report also made clear that Bitcoin is the “most common ransomware-related payment method in reported transactions” with the cryptocurrency Monero being the only other observed payment method.
We still live in a fiat currency world, so hackers need some method to cash out their crypto ransom. The FinCEN report noted that attackers “primarily use foreign centralized exchanges for ransomware related deposits, including exchanges incorporated in high-risk jurisdictions that may have opaque ownership structures or that may have inadequate AML/CFT [Anti-Money Laundering/Combatting the Financing of Terrorism] compliance standards.” While FinCEN did not identify specific exchanges or jurisdictions, a recent report from blockchain analytics company Chainalysis found that “roughly 74% of ransomware revenue in 2021 — over $400 million worth of cryptocurrency — went to strains we can say are highly likely to be affiliated with Russia in some way.”
Russia’s nexus to ransomware is further evidenced by the fact that the only two cryptocurrency exchanges sanctioned by the U.S. Treasury Department were Russian-based. Last September, Treasury’s OFAC added SUEX OTC, S.R.O. (Suex) to its list of Specially Designated Nationals and Blocked Persons (SDN List), “meaning that all of SUEX’s property and interests in property that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with SUEX.” Treasury’s order noted that “over 40% of SUEX’s known transaction history is associated with illicit actors.” Treasury followed this up by designating crypto exchange Chatex in November 2021. Treasury found that over half of Chatex’s known transactions are “directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware.” Suex and Chatex shared a co-founder and investor, Egor Petukhovsky, and Treasury found Chatex was “providing material support to Suex.”
The Impact of Russian Sanctions on Crypto Adoption and Unintended Consequences
In a recent Washington Post article, Juan Zarate, a former assistant secretary of the Treasury and deputy national security adviser in the George W. Bush administration, played down the possibility that Russia would turn to crypto by noting that: “The challenge for the Russian economy and individuals, in this context, is the immaturity of crypto as part of their financial system doesn’t allow them at scale to circumvent the multinational sanctions being imposed.” While this may be true now, crypto markets are not static, and history demonstrates crypto can evolve rapidly (for example, Fitch estimates stablecoin assets grew by around 450% to $156 billion in 2021). And when you are talking about a nation state, the question is not whether they can buy a Coke with crypto, but whether they can store and transfer large amounts of wealth with it. Of the three functions of money – medium of exchange, unit of account, and store of value – the one crypto best fulfills now, albeit poorly, is as a store of value. Most importantly for Russia, this value can be exclusively controlled by them (no need for banks or foreign central banks).
It is telling that the initial round of sanctions announced by the U.S. and its allies did not include cutting Russian banks off from the Society for Worldwide Interbank Financial Telecommunication (SWIFT) (in his press conference on Thursday February 24, President Biden said that “right now it’s not the position that the rest of Europe wishes to take”). While there were many legitimate economic reasons not to do this, one unsaid reason was surely a concern that such a move may lead Russia to embrace alternative payment systems, including cryptocurrency.
After the initial round of sanctions was criticized for being too weak, the U.S., European Union, Canada, and the U.K. announced new sanctions against Russia on February 26th that include removing selected Russian banks “from the SWIFT messaging system” and “imposing restrictive measures that will prevent the Russian Central Bank from deploying its international reserves in ways that undermine the impact of our sanctions.” These new sanctions put most of the $630 billion in foreign currency reserves held by the Russian central bank out of reach and all but guarantee the ruble will crater. The sanctions also further incentivize the use of crypto by the Russian government and Russian businesses and consumers. Their problem is that there is not nearly enough liquidity in crypto to dig out of the hole they are about to find themselves in. The real risk to western businesses is that desperate Russians will go full cowboy and aggressively ramp up ransomware attacks. This will happen with or without the Kremlin’s blessing given the stakes involved. Last Thursday, President Biden warned: “If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond.” If another Colonial Pipeline-type attack occurs, it may very well spark a series of tit-for-tat retaliatory measures that could quickly spiral out of control.
Western Crypto Companies are on Notice
The unprecedented economic sanctions imposed on Russia and Russian entities over the weekend will not be painless for western financial institutions and non-financial businesses. I suspect we may see one or more western financial institutions face a severe liquidity crunch, which will only be ameliorated through central bank lender of last resort facilities. Western financial intelligence units, including FinCEN in the U.S., will also significantly ramp up their enforcement posture to ensure western financial institutions are not knowingly or unknowingly facilitating money laundering or sanctions evasion on behalf of the Russian government and affiliated entities. This applies to cryptocurrency exchanges and related businesses, which do not have the best track record on this front.
In 2015, FinCEN assessed a $700,000 civil money penalty against Ripple for willfully violating “several requirements of the Bank Secrecy Act (BSA) by acting as a money services business (MSB) and selling its virtual currency, known as XRP, without registering with FinCEN, and by failing to implement and maintain an adequate anti-money laundering (AML) program designed to protect its products from use by money launderers or terrorist financiers.” Then last October, OFAC published an industry-specific brochure titled “Sanctions Compliance Guidance for the Virtual Currency Industry,” which revealed that “in many cases, OFAC has observed that members of the virtual currency industry implement OFAC sanctions policies and procedures months, or even years, after commencing operations.”
The cryptocurrency sector has had ample warning: violating U.S. sanctions and money laundering laws will not be tolerated any longer.
Lee Reiners is the executive director of the Global Financial Markets Center at Duke Law
The views expressed in this post are those of the author and do not represent the views of the Global Financial Markets Center or Duke Law.