This piece was kindly produced for The Cobden Centre by Europol as part of The Cobden Centre’s guide to policy makers on blockchain.
Introduction
Blockchain technology is a revolutionary combination of cryptography and peer-to-peer networking concepts that enables new financial systems, utilising transferable units of account (“virtual currencies”). Many of the financial systems built on blockchain technology are decentralized and allow for a complete disintermediation of payment processors. Anyone can access such permissionless systems to receive units of account without relying on a third party. Bitcoin can be considered a technological breakthrough and disruptive technology – the underlying blockchain technology offers a number of different opportunities for citizens and businesses, for instance in the areas of identity management, voting systems or the management of digital assets. Another promising use of a decentralised ledger would be to keep track of all IoT devices sold, allowing users to check for updates while manufacturers could notify the user once there is a need to patch the device.
Criminal Abuse
The criminal abuse of virtual currencies, and Bitcoin in particular, has been sufficiently covered in the literature. Bitcoin is abused by criminals due to the key attributes the system offers such as, in particular, irreversible transactions, fast payments, absence of central control and a certain degree of privacy given the pseudonymous nature of the transactions.
It is not only the preferred payment system in the Darknet[1], particularly hidden services within Tor, where drugs, weapons, counterfeits, compromised payment cards, malware and criminal services are traded, but also increasingly adopted for different types of cybercrime. Bitcoin features heavily in police investigations, particularly in cases of ransomware, payment for criminal goods and extortion.
However, the very features of Bitcoin combined with underreporting of crime in general make it difficult to estimate to what extent Bitcoin facilitates crime; nevertheless the volumes featuring in law enforcement investigations are noteworthy. The sellers on the Darknet website Silk Road sold goods and services worth an equivalent of $1.2 billion (over 9.5 million Bitcoins) in revenue over a period of a bit more than two years from 2011 to 2013. Current volumes are difficult to assess due to a much larger fragmentation of the markets but there is evidence of a broadening user base in the Darknet. The volumes of Bitcoins being used for other types of crimes (victim to criminal and criminal to criminal payments, incidents of hacking and malware, fraud, money laundering etc.) are also expected to be significant.
Legislation
EC3 advocates a balanced approach to virtual currency (VC) legislation. While excessive regulation may stifle innovation there is a need for clear and harmonised legislation at EU level.
An overly restrictive legislative approach or even a ban would affect legitimate users of virtual currencies, many of whom are investors hoping for their virtual currency funds to appreciate in value to sell them at a later point or those using VC as a payment method.
It should be noted that even a complete ban of virtual currencies would not affect the ability of criminals to exchange virtual currency funds. Advanced blockchain technology allows for completely decentralised virtual currency exchanges that would be difficult to effectively regulate.
While the decentralised technology itself cannot be regulated, the centralised entities should be able to identify their customers upon law enforcement (LE) request. EC3 supports legislation that sets common requirements for key centralised entities, such as VC exchangers which, given the nature of their activities, are covered by the latest 4th amendment to the European Anti-Money Laundering Directive.
The Directive mostly formalises practices that have already been put in place by most Exchangers in order to prevent payment fraud and money laundering. It legitimises the industry and forces the illegitimate exchanges to either cease operations or move abroad.
It should be noted that the majority of the largest Exchangers already have comprehensive Know Your Customer (KYC) policies in place and they should be protected from competitors who decide not to invest in compliance. At the same time, the legislation should not pose a significant hurdle and excessive red tape to legitimate businesses as otherwise these would be overrun by illegitimate entities with zero compliance costs. Such a situation would make it harder for law enforcement agencies to track virtual currency transactions and confiscate virtual currency funds.
Therefore, the key providers of VC services should not be subject to excessive regulations. For instance, measures that would require country-by-country registration and state-level registration would place an unnecessary burden on VC exchanges and other service providers that would essentially prohibit the presence of VC businesses due to high compliance costs.
Increasing the legal burden on these businesses and thus raising their operating costs would make the compliant businesses less competitive in comparison to non-compliant service providers. This would also make it difficult for law enforcement agencies (LEA) to obtain information.
As stated before, most virtual currency exchange platforms are already conducting KYC procedures in order to prevent damages caused by payment fraud and are cooperative towards law enforcement as it legitimises their business and the virtual currency industry as a whole. These services are an indispensable ally for law enforcement when it comes to identifying the sender or recipient of a virtual currency transaction. In fact, LE would not be in a position to effectively trace criminal virtual currency transactions without assistance from both VC exchangers and payment processors.
Europol, recognising the importance of developing and maintaining good working relationships with the exchangers and payment processors, hosted the first meetings between European and US Law Enforcement and the largest exchangers with the aim of more efficient crime fighting and crime prevention.
However, Europol would like to raise the following two points that are not covered by existing legislation:
- At the moment the majority of exchangers request a scanned copy of an identification document as well as proof of address. This approach is increasingly becoming insufficient as many criminals create synthetic online identities using compromised IDs purchased in the Darknet or collected via other illegitimate means.
For this reason, Europol suggests additional means of authentication, for example a high resolution copy of an ID accompanied by another photo containing a “selfie” of a person holding his/her ID and a sheet of paper with custom information including the name of the exchanger, the date and authentication information provided by the exchanger.
This measure would significantly reduce the registration of accounts using falsified information and enhance the relevance of the data provided by the exchangers to LE in the context of an investigation. As this additional level of verification may create an additional burden for already registered users, this step may not be required immediately; instead it may be triggered by certain user actions, such as a request for fiat or VC withdrawal.
- Increasing numbers of investigations lead to the identification of a false suspect, due to mixers/tumblers used by criminals to obfuscate their transactions. It is therefore recommended to take legal action against digital currency mixers/tumblers, which are designed to anonymise transactions and burden the work of law enforcement agencies in detecting and tracing suspicious transactions.
Future developments
Virtual currencies are likely here to stay in one form or another. Bitcoin can be seen as the first attempt at a globally distributed, decentralised and unregulated digital currency. It remains to be seen whether it will retain its dominant market share and status as the leading cryptocurrency. There will be a constant inflow of new cryptocurrencies based on the underlying Blockchain technology offering innovative features with the ambition to coexist alongside Bitcoin and perhaps even supersede it. It is more likely than not that the “next bitcoin” currency will have greater privacy protection features, making the investigation of its criminal abuse significantly more difficult. Law enforcement should therefore leverage the current situation and engage in a productive cooperation with the relevant VC industry.
The behaviour of criminals using cryptocurrencies will continue to be shaped to some extent by successful LE activity against criminal activity.
Therefore, increasing the efficiency of LE investigators is likely to result in the following developments in terms of the criminal abuse of VCs:
- an increasing use of mixers;
- the move of exchange services to the darknet and other platforms, making mapping of infrastructure difficult or impossible;
- an increasing adoption of alternative VCs being adapted to provide a higher degree of anonymity, such as currencies with inbuilt mixing capabilities or hidden public keys;
- new criminal products on the market such as the offer of VC accounts opened by money mules;
- a combination of bitcoin and traditional payment mechanisms, such as debit and credit cards;
- the emergence of bitcoin wallets providing increasing anonymity through built-in mixer services;
- the emergence of P2P exchangers without any KYC policies;
- criminal abuse of smart contracts[2].
[1] Computer network that can only be accessed with specific software. Darknet infrastructure is difficult to trace and take down.
[2] Contracts stored on a blockchain that have the ability to self-execute after the predetermined conditions are met.