I recently had the opportunity to testify before the U.S. Senate Committee on Banking, Housing and Urban Affairs in a hearing on “Understanding the Role of Digital Assets in Illicit Finance.” My testimony focused on the ways cryptocurrency is increasingly being used to facilitate existing and new crimes, as well as the challenges that cryptocurrency poses for law enforcement. You can read a full version of my written testimony here.
I will not repeat my testimony here. Rather, I’d like to share some brief thoughts on the hearing and, more generally, on what is needed to address the growing problem of cryptocurrency-related crime. For those with limited time or attention, the abbreviated message is this: Criminal prosecution cannot solve all our problems. Until we have regulatory clarity and a sensible enforcement strategy, cryptocurrency markets will continue to serve as havens for criminal conduct.
The Senate hearing was held not only at a time when cryptocurrency-related crime is on the rise, but also at a time of increasing concern about cryptocurrency potentially being used by Russian actors to avoid crippling sanctions. Predictably, the latter topic dominated part of the hearing.
I will not dwell on the issue of cryptocurrency and sanctions, a topic that others, including my colleague Lee Reiners, have addressed elsewhere. My point in this post is a more general one related to how and when criminal prosecution can be an effective tool in combatting cryptocurrency-related crime.
The Scope of the Problem
Let’s begin with some numbers. As described above, illegal transactions making use of cryptocurrency are on the rise, reaching a total of $14 billion last year according to the blockchain analytics firm Chainalysis. That is an almost 80% increase from 2020 and encompasses crimes ranging from ransomware and fraud to child exploitation and terrorist financing.
If the Senate hearing was any indication, some are not so concerned about these statistics. Instead, they focus on another finding in the Chainalysis report: Because overall cryptocurrency transaction volume also grew at record rates—up to $15.8 trillion in 2021, a 567% increase over 2020’s totals—the number of illicit transactions as a percentage of total cryptocurrency transactions actually decreased, measuring 0.15% of overall volume.
The latter percentage is of course cold comfort to the thousands of individuals who fell victim last year to crimes ranging from extortion to outright theft. We should also remember that it represents just one firm’s estimate, and there is reason to believe that the $14 billion figure underrepresents the actual volume of illicit transactions in what remains a murky and volatile industry. Indeed, Chainalysis itself acknowledges as much. Last year, the firm estimated that in 2020 illicit transactions were approximately 0.34% of total volume, but it later revised that figure to 0.62%—almost double the original estimate.
However one interprets the numbers, cryptocurrency’s use in criminal activity is a real and growing problem. And the risks to the public at large are increasing in severity. For example, ransomware—which relies almost exclusively on cryptocurrency for payments—is no longer simply a commercial threat, but a risk to our public health and national security. Last year, 14 of 16 critical infrastructure sectors were targeted, causing losses and disruption for entities ranging from hospitals to municipal governments.
As cryptocurrency grows in popularity as an investment opportunity, everyday Americans are also increasingly at risk for theft and fraud. For example, so-called “rug pulls” and other crypto scams pose a threat to individual investors, not all of whom are sophisticated. One needs only to look at the number of cryptocurrency ads during this year’s Super Bowl to recognize that cryptocurrency is no longer a niche product for enthusiasts or sophisticated players.
In sum: Houston, we have a problem.
The Limits of Blockchain Analytics
Another point repeatedly raised in the Senate hearing was that cryptocurrency, in some ways, makes the job of law enforcement easier. To be sure, there is some merit to this position. The transparency of public blockchain technology allows investigators, often with the help of third-party analytics companies, to trace some transfers more efficiently than through traditional methods.
I know from experience that traditional money laundering investigations can take years of painstaking work as investigators try to make sense of illicit transfers occurring through shell entities and layers of accounts. And because such transfers often occur across borders, U.S. law enforcement is often dependent on the assistance of foreign entities through Mutual Legal Assistance Treaties (MLATs), a process that is often slow and cumbersome.
But I fear that the repeated emphasis on the benefits of public blockchain analysis sometimes obscures an important reality: Criminal cases are still hard to prove. Bad actors use a variety of obfuscation techniques, ranging from chain hopping to mixing services, to hide their tracks. And even when investigators can penetrate these methods, there is still the matter of linking a real person to what is largely an anonymous series of transactions.
In some cases, identifying criminal activity and tracing it to an actual human being can take years of work even by the most seasoned investigators. Take, for example, the recent charges against a New York couple accused of laundering billions of dollars’ worth of cryptocurrency traced to the 2016 hack of Bitfinex, a virtual currency exchange. Although DOJ rightly touted its record seizure of $3.6 billion worth of cryptocurrency, it was no easy task unraveling the layers of obfuscation—let alone linking the defendants to the illicit funds. (To be clear, the charges are still only allegations, and the couple is not alleged to have participated in the Bitfinex hack.)
According to the allegations, investigators from three different federal agencies had to untangle years’ worth of complex transactions designed to hide the defendants’ identities and, in the end, benefitted from some favorable facts. The defendants, for example, were living in plain sight in New York City (and on social media) and allegedly used accounts that investigators could reach through U.S. process—including a U.S.-based cloud storage account with a highly incriminating file listing 2,000 virtual currency addresses, along with corresponding private keys. The couple also made a series of silly mistakes, such as allegedly purchasing and later redeeming gift cards that were easily traced back to their personal email addresses.
Of course, many types of criminal cases can turn on jurisdictional advantages or lucky breaks. But cryptocurrency-related crimes, as a category, can be particularly challenging. Even as investigators get better at detecting chain hopping and other obfuscation techniques, there remain many opportunities for criminals to cover their tracks, including through the use of decentralized exchanges that do not follow anti-money laundering rules. And because of cryptocurrency’s defining features, law enforcement can still hit a brick wall when trying to link an anonymous set of transfers to an identifiable defendant.
It does not help that part of the cryptocurrency market remains opaque and beyond the reach of U.S. prosecutors. As I emphasized during my testimony, criminal investigators are only as successful as the information available to them. If a cryptocurrency exchange used by a criminal is complying with know-your-customer (KYC) and other requirements that help bridge the gap between illegal activity and a person’s identity, that can sometimes give investigators the leads they need to develop a case.
But not all platforms comply with existing regulations, and many operate in jurisdictions with less stringent requirements, sometimes with the specific goal of catering to criminals. As one point of reference, consider that last summer the Financial Action Task Force (FATF) (an intergovernmental organization that sets standards for combating money laundering and other threats to the international financial system) found in a review that 70 of 128 reporting jurisdictions had not yet implemented FATF’s revised standards for virtual assets. This led the organization to conclude that “there is not yet a global regime to prevent the misuse of virtual assets and [virtual asset service providers] for money laundering or terrorist financing.”
Moreover, the industry continues to evolve, and not always in ways that are favorable to law enforcement. Cases that are already difficult may face additional obstacles as more platforms move to a decentralized model not run by a single entity (therefore making them more difficult to police) or if more anonymous instruments such as privacy coins gain wider adoption.
So let’s celebrate law enforcement victories and the advances made in blockchain analytics that make illicit transfers easier to trace. But let’s also be clear-eyed about the challenges that remain.
Criminal Prosecution Is Not Enough
If cryptocurrency-related crime continues to rise—as I expect it will—and it takes substantial resources to combat it, where does that leave us?
An obvious first step is to increase the resources devoted to investigations and asset recovery. This means reallocating existing law enforcement funding and personnel priorities to address the threat. It also means hiring new prosecutors and agents with the training and expertise to investigate these crimes, which present unique technical and jurisdictional challenges.
DOJ has made some promising strides on this front, establishing a National Cryptocurrency Enforcement Team, led by my former colleague Eun Young Choi. Likewise, the FBI has stepped up its game with the formation of a new Virtual Asset Unit. Still, more can be done, and Congress should ensure that DOJ and investigative agencies have the resources they need to keep up with a fast-moving and evolving threat.
But we should not lose sight of the fact that criminal prosecution remains a limited tool. This is true in many categories of illicit activity, but it is particularly true with respect to cryptocurrency-related crime for the reasons described earlier. Even as blockchain analysis improves, and as DOJ and agency partners devote more time and personnel to the problem, only a portion of illegal conduct can be investigated and prosecuted at the federal level. Consider again the time, resources, and good fortune that were required to charge the New York couple described above. Such cases are not always easily replicated, let alone at scale.
So while criminal prosecutions are absolutely necessary and worthwhile, they cannot by themselves solve our growing problem of cryptocurrency-related crime. This may sound like an obvious point, but it is worth emphasizing given the oft-repeated claim that criminal investigations have become easier in the cryptocurrency era.
What else can we do? Of course, regulatory enforcement can help. The Securities and Exchange Commission (SEC), for example, has brought a number of cryptocurrency-related enforcement actions in recent years, and it has shown that it views unregistered digital asset offerings, such as Initial Coin Offerings (“ICO”), as fair game for enforcement actions. The Commodity Futures Trading Commission (CFTC) has also entered the enforcement game, viewing Bitcoin and other virtual currencies as commodities and therefore subject to the CFTC’s enforcement authority over fraud and manipulation in commodity spot markets.
But cryptocurrency-related crime continues to thrive, and regulators have not kept pace. Part of the problem can be traced to priorities and resource allocation, but—as was discussed at the Senate Banking hearing—there is also the glaring problem of a lack of regulatory clarity.
As many readers know, cryptocurrencies and other digital assets are sometimes challenging to define under our existing regulatory architecture, and they arguably fall within the authority of an alphabet soup of regulatory bodies (not limited to the SEC and CFTC). Without clearer regulatory guidance on how digital assets should be categorized and managed, and without a framework for enforcement defining which agency will take the lead and under what circumstances, our approach remains piecemeal and insufficient.
Congress thankfully has begun to recognize this reality, and the recent hearings are a promising start. Industry and government stakeholders have also been busy crafting proposals to address the deficiencies of our current approach. Hopefully sensible legislation will come sooner rather than later. While we wait, the cryptocurrency industry continues to grow—as do the opportunities for criminal activity.
Shane T. Stansbury is the Robinson Everett Distinguished Fellow in the Center on Law, Ethics, and National Security and a Senior Lecturing Fellow at Duke University School of Law. Previously, he served for more than eight years as Assistant United States Attorney in the Southern District of New York (SDNY).
The views expressed in this post are those of the author and do not represent the views of the Global Financial Markets Center or Duke Law.