On March 14, the Financial Action Task Force (FATF) released a landmark report aimed at strengthening the fight against ransomware.
In Combating Ransomware Financing, the global anti-money laundering and countering the financing of terrorism (AML/CFT) watchdog highlights key money laundering risks and red flags related to ransomware activity. It also outlines best practices for the public and private sectors to combat illicit financing involving this prolific form of cybercrime.
Warning that ransomware continues to generate hundreds of millions of dollars in crypto-asset revenue for attackers annually, the FATF report cites a number of key features of money laundering related to ransomware attacks, including:
- monetization of ransomware proceeds using Virtual Asset Service Providers (VASPs) in countries that have not implemented FATF AML/CFT standards;
- using banknotes to open accounts with virtual asset service providers (VASPs) that can be used to launder funds on behalf of attackers;
- attackers transferring funds through numerous unhosted wallets, including using complex chaining techniques;
- using decentralized finance (DeFi) applications to exchange funds between different cryptoassets and blockchains, a technique known as “chain-hopping”; and
- use of mixers and privacy coins to obfuscate the flow of funds.
The report then makes a series of recommendations that countries should implement to combat ransomware financing, including:
- ensuring that VASPs comply with AML/CFT requirements, including the Travel Rule;
- making ransomware a predicate crime for money laundering, to ensure successful case management;
- requiring suspicious activity reporting (SAR) by non-traditional entities, such as insurance companies and digital forensics firms, where they have access to information about ransomware-related fund flows; and
- applying investigative strategies to detect the flow of funds related to ransomware attacks.
Regarding this last point, the FATF has repeatedly emphasized the importance of blockchain analytics in detecting money laundering related to ransomware. The report states that: “Blockchain analysis, combined with traditional investigative techniques, can enable investigators to obtain the information needed to identify online ransomware criminals and their affiliates, as well as track the movement of illegal earnings.”
At Elliptic, we’ve previously noted numerous examples of how blockchain analytics enable the identification and disruption of ransomware laundering – such as the Colonial Pipeline ransomware attack, where US law enforcement was able to track down and recover nearly 80% more of the $4 million ransom.
According to the FATF, blockchain analytics is essential for law enforcement agencies looking to investigate ransomware. The report notes that public sector agencies should provide “development, access and training in blockchain analytics and monitoring tools” and goes on to stress that “governments should familiarize themselves with blockchain analytics and monitoring capabilities”.
We couldn’t agree more, which is why we’ve developed industry-leading blockchain analytics training and education programs that enable investigators and analysts to advance these capabilities.
To learn more about how to use blockchain analytics in ransomware detection, see our special article on detecting ransomware-related cross-chain laundering or watch our webinar on these topics.
ChipMixer has been taken down due to illegal crypto activity
On March 16, law enforcement agencies in the US and Europe announced the takedown of the prolific ChipMixer – a cryptocurrency mixing service that Elliptic’s research shows was used to launder more than $840 million in illicit transactions.
In a coordinated operation, German, Swiss, American and other law enforcement agents managed to disable ChipMixer – which had been operating since 2017. The US Department of Justice (DoJ) also announced criminal charges against Minh Quốc Nguyễn, the alleged operator of ChipMixer. According to the DoJ, the platform facilitated more than $700 million in Bitcoin transactions linked to cryptocurrency thefts, including grand thefts committed by North Korean cybercriminals, as well as money laundering from ransomware, credit card theft and other crimes.
The takedown of ChipMixer represents an important blow against illegal cryptoasset users. As we’ve written elsewhere, regulators in the US are also increasingly focused on singling out mixers that enable illegal activity – such as the mixers Blender and Tornado Cash, which the US Treasury Department sanctioned last year.
You can read Elliptic’s full analysis of ChipMixer here.
US Treasury to report on DeFi risks
The US Treasury Department plans to release an assessment of risks in the DeFi space. In a March 13 speech, Treasury Assistant Secretary for Terrorism Financing Elizabeth Rosenberg spoke about the illicit financial risks associated with cryptoassets, including the activities of North Korean cybercriminals.
As Elliptic’s research has shown, North Korean cybercriminals have launched attacks on the DeFi ecosystem and laundered their funds through DeFi applications to engage in chain-hopping. Referring to this type of activity, Rosenberg noted that “my team is actively working on and will soon publicly release an assessment of the risk of illegal financing on DeFi”.
The Treasury report will offer an important look at how US financial watchdogs view the space and may offer ideas on how the US might approach the challenge of DeFi regulation. To learn more about financial crime issues in the DeFi space, read Elliptic’s DeFi report.
The EU adopts smart contract measures
Speaking of DeFi, the European Parliament passed a law with important implications for the DeFi space. On March 13, it voted to adopt the Data Act, which establishes regulations that ensure a consistent approach across the EU to data accessibility on digital platforms.
Under the measure, smart contract developers would have to ensure that the contracts they implement on the blockchain allow transactions to be terminated. DeFi industry participants have criticized the measures as impractical for compliance and a threat to innovation, given that a key feature of smart contracts is their immutability.
The crypto industry is clamoring for information amid the threat of further bank de-risking
Last week we described how recent instability in the banking sector has led to questions about the availability of banking services for crypto firms. This week, the crypto industry pressured US regulators to ensure that the recent failures of Silicon Valley Bank (SVB) and Signature Bank will not worsen banks’ de-risking of the crypto sector.
On March 16, the Blockchain Association – an industry association of which Elliptic is a member – stated on Twitter that it had sent Freedom of Information Act (FOIA) requests to major banking regulators in the US to understand whether regulatory activities have contributed to the deliberate and systematic debanking of crypto firms. The Blockchain Association’s announcement came on the same day news reports surfaced suggesting that the Federal Deposit Insurance Corporation (FDIC) required any Signature Bank customer to have Signature’s crypto portfolio of business – claims the FDIC denies.
To learn more about regulatory activity related to banks and cryptocurrencies, check out our timeline here.
SEC votes on cybersecurity rules
On March 15, the Securities and Exchange Commission (SEC) issued a proposed rule to strengthen companies’ cybersecurity oversight obligations. The agency’s rule would require regulated securities market entities to establish, maintain and enforce cybersecurity policies and to conduct an annual review of the adequacy of their cybersecurity arrangements.
Citing the new cybersecurity requirements, the SEC explained: “The financial services sector is increasingly under attack from cyber threat actors who use ever-evolving and sophisticated tactics, techniques and procedures to cause harmful cybersecurity incidents. This poses a serious risk to the US securities market.”
The SEC’s proposed rules apply to a wide range of firms, and would also apply to crypto companies that are registered or that the SEC determines should be registered as broker-dealers because they deal in securities. In light of the SEC’s aggressive push, this could mean that a growing number of crypto firms face the expectation of enhanced cybersecurity requirements.
The Netherlands plans to strictly enforce MiCA, even at the risk of driving away business
Speaking of enforcement, regulators in the Netherlands are already sending signals that they will take a tough stance on pending EU cryptocurrency rules. In an article published on March 17, Laura van Geest – Chair of the Dutch Authority for Financial Markets (AFM) – stated that “we see no reason to be lax in enforcement” when the EU Markets in Crypto Assets Regulation (MiCA) comes into effect, as expected, during 2024.
MiCA provides a comprehensive regulatory framework for EU member states and is due to be voted on by the European Parliament next month. Under MiCA, cryptoasset service providers (CASPs) will have to apply for registration with local authorities in at least one member state and can then passport their services across Europe.
But, according to van Geest, this will not lead to the AFM “lowering our supervision to the lowest level in order to be able to compete with other countries”. Instead, she says the Netherlands will implement MiCA to high standards to address risks such as fraud and market manipulation: “Even if that may mean some of the providers will look elsewhere.”