Virtual Currencies: For Business and Consumers or Just for Criminals?

Remarks as prepared for delivery by Erik Barnett, HSI, U.S. Department of Homeland Security

Good morning, I work for the U.S. Government, within the U.S. government, I work for the Department of Homeland Security, within Homeland Security I work for U.S. Immigration and Customs Enforcement, also known by its acronym ICE. Within ICE, I work for Homeland Security Investigations or HSI.

HSI is the largest investigative arm of the Department of Homeland Security, and is the second largest federal law enforcement agency in the United States, second of course to the much better known, FBI.

In discussing criminal exploitation of virtual currencies, I am going to speak about HSI’s investigations.  But, as a caveat, all of the statements I will make about them are from publically available documents. And, where there has not yet been a conviction, they are merely allegations of criminal activity.

Homeland Security Investigations investigates border violations, mostly smuggling of contraband or people in and out of the U.S.  Smugglers, like all criminals, readily adapt techniques to evade law enforcement tactics or take advantage of technology that will facilitate criminal activity or make it harder to investigate.

Child sexually abusive material is a good example of this.  Twenty years ago, most of this arrived into the U.S. through the mail or parcel post.

Today, it is conveyed almost exclusively through the internet for many reasons, including the difficulties it presents to law enforcement to catch pedophiles.

As a society, we cannot be surprised by criminal exploitation of emerging technologies, because it follows a regular pattern.  In the 1930s in the United States, we began a rural electrification program bringing to very small and remote parts of the country use of the telephone.  The phone gave people the ability to grow a business through communication, or summon emergency help for a loved one.

But fairly quickly, entrepreneurial criminals began to perpetrate frauds using the telephone. The same device that provided law-abiding families with convenience and safety, provided fraudsters with greater anonymity, plausibility, and increased opportunity.

The U.S. legislature reacted to this threat with a new criminal fraud law in 1952 that punishes such activity when using the phone.

That law has now been applied to emails because of the criminal exploitation of this technology over the past two decades or so. We have even come up with new words, like Phishing to describe such criminal activity.

For law enforcement it can feel like a game of catch up, as criminals continue to seek out new targets for exploitation.  Perhaps the latest innovative technology to be exploited is virtual currencies and within that category, a sub-set known as crypto-currencies.

For those of you not familiar, a crypto-currency is defined as “Internet peer-to-peer virtual currencies having an element of cryptographic security … wherein value is electronically transmitted between parties, without an intermediary.”

This is a definition issued by the Financial Crimes Enforcement Network, FinCEN as it is known, a division of the United States Treasury.

The most commonly known crypto-currency is, of course, Bitcoin.  Bitcoin is a classic crypto-currency.  It uses a peer to peer system to both create its units of currency, and subsequently verify transfers of those units.  Every transaction is visible on the system, but the transferor remains anonymous to preserve his or her privacy.  This anonymity is built into the business model.

Now, for two reasons, it would be unfair to single out Bitcoin among virtual currencies as being exploited by criminal organizations.

Firstly, in a report issued this past March, FinCEN determined there were nine crypto-currencies in operation and two more being developed.  So, Bitcoin is not the only game in town.

Second, singling out Bitcoin would be the same as saying that Yahoo is responsible for email phishing scams.

So, please, do not take away from this that Barnett said Bitcoin this, or Bitcoin that.  Or worse that the Department of Homeland Security has something against Bitcoin.

That conclusion would completely miss the point that criminals exploit new technologies without favoritism or prejudice to any company.

To make this very clear, let me start with a non-Bitcoin virtual currency criminal case.  This past March, Homeland Security Investigations, the U.S. Secret Service and others pursued criminal charges against Liberty Reserve.  This was a criminal enterprise which used its own unit of virtual currency to allow account holders to process financial transactions completely anonymously.  You could even make the transaction anonymous to Liberty Reserve.

This was no small operation.  In court documents, the Department of Justice alleged that Liberty Reserve processed 55 million illegal transactions, laundering $6 billion for criminals.  This was profit from narcotics transactions, child sexual exploitation, and other nefarious activities.

According to court documents, Liberty Reserve was a criminal enterprise on the inside as well as out.  The “bankers” were criminals themselves, who exploited the innovation of virtual currency to allow other criminals to move illicit funds from off-shore accounts to “on-cloud accounts,” if you will.

In another case, Homeland Security Investigations seized a financial account belonging to a subsidiary of one of the largest Bitcoin exchanges, Mt. Gox.  HSI learned that bitcoins were repeatedly exchanged back and forth into U.S. dollars through the subsidiary company and Mt. Gox.

Neither the subsidiary company nor Mt. Gox had registered as a money services business, as required by law.

Now, while failing to register might seem to be a mere technical violation, there are obligations for these businesses to implement anti-money laundering measures and file reports about potential money laundering by criminal or terrorist organizations.

Mt. Gox was again in the news in the past two months when it sought bankruptcy protection in both Japan and the U.S., but also claimed to have stolen almost $500 million worth of bitcoins.  It later “found” $100 million worth of bitcoins.

Last month, FinCEN released a report on illicit finance in Darknet marketplaces.  They cited an academic study by Infosec Institute in the U.S. that studied 25,000 random TOR addresses in the Darknet.  Of that number, 28 percent classified as hacking sites and 23% cybercrime.  In other words, a majority engaged in illegal activity and the payment method of choice within TOR was bitcoin.

About six months after Liberty Reserve and Mt.Gox, the U.S. Justice Department announced the arrest of the operator of the Silk Road website, which would rival any open air drug market, selling to anyone using a crypto-currency, which was the only means of payment accepted by Silk Road.

According to the Justice Department’s charging documents, 9.5 million bitcoins were accepted by Silk Road’s administrator.  By one recent estimate, only 4 million bitcoins were actively in circulation during this same time frame, meaning that most likely, the vast majority of bitcoins passed through the hands of drug traffickers.

Two months ago, the U.S. Justice Department filed charges against two men who ran an underground money exchange business accused of selling bitcoins to customers of Silk Road.  One of those men was reportedly the Vice Chairman of a foundation promoting Bitcoin as a virtual currency payment system.

Also in January, Homeland Security Investigations filed a criminal complaint, in coordination with the FBI, alleging that a man in the United States accepted bitcoins on the website Black Market Reloaded in exchange for sale of a deadly toxin, with the express knowledge it would be used to kill a human being.

These U.S. law enforcement actions involving virtual currencies occurred just in one calendar year.  The track record indicates that criminals are likely to continue to exploit this technology, certainly if there is little done to combat them.

Unfortunately, because we often take a stance of caution and raise concerns, law enforcement and regulators are sometimes tarred with an “anti-innovation” label.

This is true with the internet, for instance, when law enforcement or policy makers raise concerns about criminal piracy of movies, software, and books.  We are very often labeled anti-internet or anti-internet freedom.

Law enforcement recognizes the potential value to society of virtual currencies. There is great potential for bringing financial capacity through mobile banking systems in developing countries where financial infrastructure may be lacking.

Virtual currencies may offer decreased transaction costs and elimination of fees associated with normal bank accounts, practical benefits for most businesses and consumers.  But law enforcement also recognizes that virtual currencies must play by the same rules that create trust in financial institutions.  Because, ultimately to succeed, they will need to be seen by consumers and businesses as reliable and not as the backbone of an underground criminal economy.

To accomplish this, virtual currencies need to engage in self-policing through industry-proven anti-money laundering controls.  They also need to eliminate anonymous transactions and should be regulated universally with harmonized rules.

Let me break these down briefly.

Anti-Money Laundering Controls

Self-policing against money laundering is a hallmark of the financial industry worldwide.  Establishing appropriate anti-money laundering controls results in banking systems not plagued by criminal activity or terrorist financing.

But the track record on self-policing of crypto-currencies is poor. Between 2009 and 2013, only 70 suspicious transactions within crypto-currency systems were reported to U.S. regulators.  Remember, in the same time period, all of the transactions of Silk Road used a crypto-currency.  Now, admittedly, utilization of anti-money laundering controls is not voluntary for certain industries.  In a case investigated by my agency last year, HSBC forfeited $1.25 billion dollars to the United States for failing to exercise due diligence and have in place appropriate anti-money laundering controls.

But the standard anti-money laundering controls are not going to be burdensome for virtual currencies, at least not now.  A recent study found that since 2012, 40% of bitcoin transactions were for less than an entire coin and 20% were for a tenth of a bitcoin.  Even at today’s bitcoin value, most suspicious activity reports, and certainly cash transaction reports, would apply to far larger transactions.

However, if the industry grows, as is anticipated, introducing these measures now will ensure proportionate efforts are in place later, when there may be significant, and potentially suspicious, transactions on a frequent basis.

The good news here is that Mt. Gox and some other recent enforcement activities seem to have stimulated dialogue within the crypto-currency community that adoption of these measures may well be necessary.  Not to preclude government regulation, but as a means to establish greater public trust in the business model.

Anonymity

Let me talk about the importance of purging anonymity from virtual currencies.

There has already been a determination by our society that some level of transparency is appropriate in financial transactions to prevent misuse by criminals and terrorist organizations.  It is now common-place that you cannot spend more than $10,000 in cash, at a U.S. business for instance and in many other countries, and not have a report filed with the federal government.

You cannot cross most borders without declaring currency of amounts similar to this.  Banks are regularly looking for suspicious activity as part of their obligations and making reports to law enforcement.

Now, let’s compare that to some crypto-currencies that have near complete anonymity during internal transactions within the system. Anonymity is not only built into the business model, but in some cases bragged about or sold as a feature.

A disturbing trend already observed within crypto-currencies is what I call an “auto-launder” service, which takes funds and washes them, giving back something not linked to the person or the chain of transactions at all.

Now, people can argue these virtual currencies are not truly anonymous because the transaction itself is visible to all users.

And further, they may argue that when the currency is removed from the system and exchanged into fiat currency, there may be an identity associated with that transaction.

The first argument fails because knowing of a transaction, but not who conducted it, is not transparency.

As to learning an identity when exchanged for value outside of the virtual currency system, we already know that some exchangers do not implement proper anti-money laundering controls or even register with regulators, who would evaluate these for reasonableness.

But even if the exchanges have the right controls in place, all law enforcement will see is the end of the chain, not the links in the middle or even the beginning.  The oft-used phrase by police to “Follow the Money,” will be a hollow call.

Without seeming alarmist, the stakes are high if we get this wrong.  If we’re not able to follow the money, criminal organizations will easily risk the loss of one conspirator and a certain sum of money to profit overall from a system that conceals their trail.  Public safety will be jeopardized, for very little benefit.

Certainly eliminating the anonymity in virtual currencies is an appropriate balance to that concern.

Regulation

As to regulation, the financial industry is already highly regulated.  FinCEN has recently made clear that virtual currencies fall under current regulations.  So, no one is proposing special regulations for the internet that do not apply to brick and mortar banking facilities.
Now, innovators and entrepreneurs may recoil at the word regulation.

But, importantly, we’re not talking about new social networks or even business to consumer innovations.  We’re watching fledgling companies engaging in significant financial transactions through a technology we have already seen exploited by criminals.

And with possibly large stakes.  On November 22, 2013, $147 million worth of bitcoins was transferred, without being cashed out for fiat currency.  This transaction, of only 1.6% of the bitcoins in existence, might have been an inter-company transfer by a bitcoin exchange as a housekeeping measure.  But the exchange reportedly refused comment, leaving commentators to claim that the largest ever bitcoin transfer was, as are all Bitcoin transactions, anonymous.

And the cumulative value of bitcoins as of April 1 is around 4.36  billion euros or 6 billion dollars, quite a lure for organized crime.

Let’s get away from Bitcoin and talk about Litecoin for a moment.

Seemingly quiet in the shadow of its more well-known competitor, there were 11,593 separate Litecoin transactions last Wednesday.  Litecoin had a value yesterday of 9.75 euros, making the existing litecoins worth 263 million euros or 364 million dollars.

We have historically regulated financial industries to protect them from criminal misuse but also to protect the financial institutions from becoming victims of crime themselves.

To be clear, the regulations must be universal, or nearly so.  They should be harmonized with other countries so virtual currencies are not faced with contradictory guidelines that can harm international business development.  This would avoid gaps in regulatory oversight and ensure that law enforcement has reciprocal money laundering laws internationally when we pursue criminals across borders.

Now, I want to be very clear, I am discussing law enforcement type regulation.  I am not weighing in on whether crypto-currencies are even a “currency” by governmental standards, or  are subject to tax or whether they are legal or illegal or should be in any particular jurisdiction.   Those decisions are for other authorities and regulatory bodies.

I am also not opining at all whether crypto-currencies are practical or secure.  This seems to be a very legitimate question based upon findings by researchers and open source material. But the public will eventually determine the value of this payment system.  My point obviously is that trust and reliability will factor into the decision that is ultimately made.

Conclusions

The French poet and philosopher Paul Valery wrote, and I am paraphrasing, “the future is no longer what it used to be.”

Unfortunately, this is not true with the criminal’s exploitation of new technology.  Too often, we see how quickly something innovative is manipulated for illicit purposes and the future usually is what it used to be with criminal organizations.

But that does not mean it has to be that way.  We have a unique opportunity to get ahead of this, to see, based upon the past year or two, what the next five years will likely look like if we do not make some changes in how we look at this new technology to eliminate the criminal exploitation that will undoubtedly occur.

And as importantly, with an appropriate level of private and public cooperation, we can see a robust industry in virtual currencies with a strong reputation as appropriate intermediaries of online commerce.

I am happy to answer questions or just field comments.  Thank you.