While difficult, it is not impossible to trace back transactions, as seen with the Colonial Pipeline ransomware attack, where $2.3 million in Bitcoin was recovered from the initial $4.4 million ransom demand. Cryptocurrency’s reliance on blockchain technology can potentially allow governments to monitor the flow of cryptocurrency transactions and track financial activity. By working with intergovernmental forums such as the FATF, governments create a regulatory framework that ensures that sanctioned actors cannot easily transfer and use cryptocurrency without oversight. Experts have notably pointed to Canada, Singapore, and Japan as examples of strong AML/CFT regulations for cryptocurrency businesses aligned with FATF guidance.
Greater attention also must be paid to other types of digital assets, specifically “Anonymity-Enhanced Cryptocurrencies,” also known as “privacy coins,” such as Monero and Zcash. Compared to native cryptocurrencies, privacy coins ensure the privacy and anonymity (not the pseudonymity) of their users. Due to the private nature of these coins, data regarding their use and circulation is limited. However, there has gradually been increased pressure to regulate them. In some cases, exchanges such as LiteBit have delisted privacy coins, in part because regulators in the Netherlands have stated that they were “too high a risk.” Other exchanges in Australia, South Korea, Japan, and the United States are similarly delisting privacy coins such as Monero, Zcash, and Dash amid regulatory and banking pressures that view them as conflicting with AML and Know Your Customer (KYC) rules. In some countries, such as France, authorities are recommending total bans on privacy coins. Privacy coins present a real concern, and delisting them from exchanges does not limit their use and accessibility. However, Bitcoin remains the dominant cryptocurrency for criminal activities. Since 2013, the FBI has noted the “enormous growth” in the number of cases involving digital currency payments, with 75 percent of all cryptocurrency-based illegal activities involving Bitcoin. Continued regulation of both native cryptocurrencies and privacy coins is necessary to mitigate their uses in illicit activities.
Scams, Pump-and-Dump Schemes, and Market Manipulation Pose Risks to Investors
In the last two years, massive exit scams have dominated crypto-related crimes. In 2019, a Ponzi scheme on PlusToken, a cryptocurrency wallet, totaled $2.9 billion, and in 2020 a similar scheme defrauded investors at WoToken, a dApp cryptocurrency wallet project, out of $1.1 billion. In 2020, DeFi protocols particularly suffered from hacks and scams, with nearly 99 percent of major fraud volume in the second half of 2020 coming from DeFi protocols.
It is estimated that approximately 1,000 entities own about 40 percent of the entire Bitcoin market, giving them a tremendous effect on the crypto economy and the potential to manipulate currency valuations through single trades. Referred to as “whales,” they include investment groups such as Pantera Capital, Fortress Investment Group, and Falcon Global Capital. Due to the relatively smaller size and greater volatility of the cryptocurrency market, compared to the traditional financial market, whales have an outsized impact on prices and can potentially harm smaller investors. A whale in one cryptocurrency can also adversely impact other altcoins, because they are heavily indexed on exchanges. This phenomenon was observed in February 2021 when a massive sell-off of Ether caused the coin to fall from $1,628.82 to $700 (a price drop of more than 50 percent) in the span of three minutes, and over 24 hours, the global cryptocurrency market tumbled by 14 percent, which the cryptocurrency exchange Kraken posited was due to the activities of a whale.
Unlike the stock market, pump-and-dump schemes in the cryptocurrency world—which involve bad actors spreading false or misleading information to create a buying frenzy that will “pump” up the price of an asset and then “dump” the asset by selling at the inflated price—can also last minutes instead of months, and encryption techniques allow the perpetrators to hide their identity. In the first 70 seconds of a typical crypto pump-and-dump scheme, prices increase by 25 percent on average, and trading volume increases 148 times. In some cases, organizations are created specifically to manipulate the market. A Russian-based organization called Gotbit, for example, inflates trading volumes on obscure cryptocurrency exchanges for a fee and has about 30 cryptocurrency projects as clients.
Scams also present a concern. The Federal Trade Commission (FTC) warned that since October 2020, approximately 7,000 consumers have lost more than $80 million in cryptocurrency scams, increasing “more than ten-fold, year-over-year,” with consumers losing around $1,900 on average. ICOs, where start-ups can crowdsource funding to kick-start their cryptocurrency businesses, have been the sources of multiple instances of manipulation. For example, in May 2021, consumers lost over $2 million in cryptocurrency to scammers impersonating Elon Musk. Moderators struggled to rein in the activity on Twitter, and such deceptive tactics remain prevalent on the platform. Digital asset exchanges work independently without being governed by a common forum, resulting in a highly fragmented market. In the absence of a common forum, it is difficult to detect malicious activity, and very taxing to conduct cross-market surveillance.
Globally, regulations concerning investor protections are scarce. Countries such as Bulgaria, Ghana, Guatemala, Honduras, Hungary, Kenya, Kuwait, and Poland, among others, have no cryptocurrency legislation and only warn investors and consumers about the risks regarding the industry and its volatility. Coupled with the unique characteristics of new assets and frequent changes to market structures, inconsistent regulatory guidance makes the cryptocurrency industry highly susceptible to abusive practices, thus impacting investors and markets. Moreover, the lack of guardrails to protect investors, particularly smaller ones, allows market manipulators and other bad actors to operate with impunity.
Cybersecurity Challenges Present Risks to the Growing Crypto Sector
One of the biggest challenges for cryptocurrency is uncertainty regarding cybersecurity and the integrity of transactions. Stakeholders are increasingly concerned about the authentication, authorization, and confidentiality limitations of cryptocurrency transactions as they evaluate engaging in this new sector. Although moving transactions on a blockchain is generally reliable and secure, there are several vulnerabilities that can affect a cryptocurrency’s network. From mining pools to wallets to smart contracts to specific mechanisms within the protocol that verify transactions, each component has its own unique set of vulnerabilities that can lead to double spending (where, for example, a user could make a copy of a coin or token and then send it to another party while holding onto the original), a forced platform upgrade to a system that is favorable to hackers, distributed denial of service (DDoS) attacks, or the theft of encryption keys. In August 2020, for example, Ethereum Classic suffered a 51 percent attack that resulted in $5.6 million worth of the currency being double spent.
Another significant vulnerability within the ecosystem is data quality. One of the main arguments made by proponents of blockchain technology and cryptocurrency is that data cannot be revised once it has been recorded in the blockchain. Platforms can only take responsibility for the quality and accuracy of information once it has been input, meaning that the data being pulled from organizations and individuals must be trustworthy. A corrupted oracle—a scalable relational database architecture that manages and processes data across wide and local area networks—could cause a domino effect across the entire network, particularly if blockchain oracles are centralized. (This is known as the “Oracle Problem.”)
As the DeFi sector continues to grow with the support of institutional investments, so too do the number and variety of cyberattacks. Most recently, in August 2021, the Poly Network—a DeFi provider that allows users to transfer tokens tied to one blockchain to another network—suffered a cyberattack where $600 million was stolen by hackers who exploited a vulnerability in its system. The attack is considered the “biggest [hack] in the decentralized finance history.” Given that the hacked systems operate differently, reports indicate that the companies have struggled to work together to address the fallout of the attack. Losses stemming from hacks, fraud, and thefts in the DeFi sector totaled around $474 million from January to July 2021. Most attacks have been conducted by outside agents, though 24 percent have been inside jobs.
Graphic 8
Cryptocurrency Hacking
According to CipherTrace, the average value taken by cryptocurrency criminal actors in 2019 was 160 percent higher than in 2020, suggesting that the crypto space’s cyber defenses are improving. Overall, from 2018 through 2020, cryptocurrency hacking totaled $2.97 billion.
Source: Chainalysis’s 2021 Cryptocurrency Crime Report
In 2014, the Cryptocurrency Security Standard (CCSS) was introduced to provide guidance on the secure management of cryptocurrency. It is managed by the CCSS Steering Committee, which is composed of the main stakeholders of the cryptocurrency ecosystem. Currently, the committee includes companies such as BitGo, Deloitte, PwC, Ciphrex, C4, and ShapeShift, among others. The CCSS is designed to complement existing industry standards, primarily the Payment Card Industry Data Security Standard (PCI DSS), which is used by major payment brands such as American Express, Discover Financial Services, JCB International, MasterCard, and Visa. However, given the decentralized nature of the cryptocurrency industry, as well as the networks themselves, it is difficult to standardize security across the entire ecosystem, compared to a centralized network that is managed and overseen by a single entity. In addition, the CCSS is limited to the secure management of wallets, unlike the PCI DSS standard, which is applied to an entire transaction flow (e.g., from the technology used to acquire transactions, to how information on the transaction is treated, to the management of all subsequent processing steps). As a result, additional security standards are necessary to secure all components functioning in the cryptocurrency environment.
Environmental Impact of Cryptocurrency Mining
Another major challenge confronting cryptocurrency is its environmental impact. With the world’s attention on tackling climate change and reducing emissions by 2050, the environmental impact of cryptocurrency mining has come under increasing scrutiny. Bitcoin, for example, consumes an estimated 97.68 terawatt-hours per year, according to the Cambridge Centre for Alternative Finance. The graphic below shows Bitcoin’s electricity consumption over time.
In addition to mining, moving money—whether through cash, credit cards, or cryptocurrency—consumes energy and generates some environmental cost. Bitcoin, Ethereum, and Ripple notably use more energy per transaction than Visa and Mastercard. Below, the graphics showcase how much energy is consumed for Bitcoin mining and the energy used to facilitate transactions among Bitcoin, Ethereum, and Ripple.