Senior Associate Kate Gee and Associate Elliott Fellowes outline common types of crypto fraud and what businesses can do to protect themselves in Fraud Intelligence.
Kate and Elliott’s article was published in Fraud Intelligence, 21 July 2021.
Frauds involving cryptocurrencies are now valued in the billions. In the economic uncertainty caused by the pandemic, cryptocurrencies have become an increasingly popular – yet volatile – investment. At the same time, cyber criminals are actively pursuing new, creative opportunities for fraud or to launder money through cryptocurrency systems. This is expected to continue, as the economic impact continues to be felt.
With new cryptocurrencies being launched regularly and as the exchanges evolve, the cryptocurrency environment is becoming increasingly complex. Individuals, corporates and financial institutions using cryptocurrencies for domestic and global payments must maintain a sharp focus on risk and stay alert to potential fraudulent activity.
What is the appeal of cryptocurrencies and other digital assets?
Around 30 million people worldwide own Bitcoin. In recent weeks, we have seen wild volatility in the value of cryptocurrencies. Bitcoin lost over 40% in just a week, while Ether dropped 22% in a day. Despite Tesla’s recent announcement that it would buy $1.5 billion of Bitcoin – and subsequent retraction from its position that it would accept Bitcoin as payment – Bitcoin’s value currently stands at around half the record high of $64,829 which Bitcoin reached in April this year. That volatility is not deterring investors and the market for cryptocurrencies remains remarkably strong.
For many, the appeal of cryptocurrencies lies in their digital, anonymous and decentralised nature. Cryptocurrencies utilise blockchain technology to ensure that each unit of the currency can only be spent once without needing the oversight of a trusted, central authority (such as a bank). Essentially, blockchain allows transaction data to be recorded in a “block” which is cryptographically linked to the previous block in the transaction chain. This means that a block cannot be modified (as each subsequent block would also need to be altered) and the transactions can be independently verified. Further, full copies of the blockchain are held by multiple participants in the system, meaning that in theory there is no centralised server as a point of failure.
As mentioned above, these features remove the need for centralised, traditional financial institutions in order for participants to engage with cryptocurrencies. Much of the initial popularity in cryptocurrencies was seen as backlash against banks following the 2008 financial crisis. However, as we start to see governments introducing limited regulation and making plans to issue their own digital currencies or stablecoins, we can expect the appeal of digital assets to continue both amongst individuals and institutions. But with increased participation comes increased opportunity for criminality and fraud, and the features which make cryptocurrencies so appealing may increase exposure to significant risks.
What are the risks of dealing in cryptocurrencies?
Cyber criminals only need computer power and internet access to break into digital wallets or exchanges, or to fraudulently entice a payment. Once a payment is made, the same factors which make cryptocurrencies so appealing also mean that the payment is often irreversible and difficult to trace.
Cyber crimes are on the rise. To protect against the risks involved, companies should conduct a robust risk assessment around the dangers presented by cryptocurrencies and a considered authentication process before committing to a payment using cryptocurrency.
The FCA provides succinct advice to those considering investing in cryptocurrencies, saying that “cryptoassets are considered very high risk, speculative investments” and “if you invest in cryptoassets, you should be prepared to lose all your money”. Therefore, a simple way for companies to protect themselves against the risks associated with cryptocurrencies is to avoid investing in them or using them at all – though this is an extreme approach.
What precisely are fraudsters doing?
The cryptocurrency exchanges represent a centralised target for hackers and fraudsters. However, the holders and users of cryptocurrencies and other digital assets also face other risks: hacking of the digital wallet, fake ICOs, Ponzi schemes resulting in the misappropriation of the tokens, dealing with fake or unregulated brokers, or making payments by way of a wholesale fraudulent cryptocurrency exchange platform. Companies considering using cryptocurrencies should be wary of internal risks, for example employees or contractors misappropriating cryptocurrency and digital assets due to gaps in internal security systems or by unauthorised access to the key.
The primary concern motivating the growing governmental opposition to cryptocurrencies is that they can be used to facilitate fraud, money laundering and other criminal activities on the dark web. When one combines the anonymity and opacity of digital assets with the widespread misunderstanding of the crypto systems, it can be the perfect cover for an elaborate fraud. Furthermore, the features of a cyber scam are often similar to those of a legitimate transaction involving a digital asset – and therefore difficult to spot.
Some types of common crypto fraud are:
- Fraudulent or scam Initial Coin Offerings: an Initial Coin Offering or ICO of a new cryptoasset can target unsophisticated potential investors, who are unfamiliar with digital currencies and the related technology. Fraudsters have been known to completely fabricate ICOs, by copying technical whitepapers from existing legitimate cryptocurrencies, complete with fake interfaces, non-existent teams and imagined reviews.
- Ponzi Schemes: a Ponzi scheme promises returns based on the success of a nonexistent company, but actually pays earlier investors using money invested by later investors. In themselves, they are not new – but in recent years, we have seen (real or fake) crypto investments used as the vehicle for a traditional Ponzi scheme. Two high-profile crypto Ponzi schemes are PlusToken, which defrauded investors out of $2.9 billion, and the $1 billion WoToken fraud.
- Market Manipulation: In common with non-crypto market manipulation, sophisticated fraudsters can seek to manipulate the markets in which cryptocurrencies or related derivative products are invested and traded – for example, front-running, tail-gating, spoofing or churning.
- Pump and Dump Schemes: commonly (but not exclusively) seen at the ICO stage of a cryptocurrency, a bad actor may make false claims to increase demand for the currency, thereby increasing its value to an artificial peak which leads to significant losses to investors when prices fall shortly thereafter.
- Theft: Criminals can simply steal digital assets by hacking into investors’ digital wallets and stealing their currency, or by setting up fake wallets or crypto exchanges to misappropriate money or crypto investments.
By way of recent example of a high profile crypto-fraud, in May this year the Irish health system had its data encrypted by a group of hackers, who demanded US$20 million ransom in Bitcoin for the encryption key. Although the situation was ultimately resolved without payment of the ransom, the attack caused significant disruption to the health service, to its patients and to treatment plans. Crimes like this are facilitated by the existence of this less traceable method of digital payment. The blockchain technology which underpins most cryptocurrencies is highly secure and provides strong levels of privacy and confidentiality – to the benefit of both legitimate and illegitimate users alike.
Crypto fraud is a growing concern worldwide. Other forms of crypto fraud include hacking, fake cryptocurrency brokers and fraudulent crypto-currency exchange platforms. In the UK, in 2020 alone, around £113 million was lost through fraudulent cryptocurrency investments. The FCA’s January 2021 announcement that all crypto-asset businesses active in the UK must register shows that regulatory change is coming to tackle crypto fraud.
How are governments responding to these developments?
As major economies plan to launch their own digital currencies, governments are becoming increasingly hostile even to well-backed new market entrants. For example, Facebook’s proposed digital currency, now called Diem, received a remarkably hostile reception, even though this was set to be a “stablecoin” with its value linked to a basket of traditional currencies. Most recently, it has abandoned plans to secure a payment licence from Switzerland’s FINMA watchdog, chosen to move its operations to the U.S. and partnered with crypto-friendly bank Silvergate to issue a dollar-backed stablecoin.
It seems likely that the cryptocurrency market will come under far stricter scrutiny and regulation, and exchanges will be subject to increasing obligations to ensure that payments are traceable. Government backed digital currencies employing blockchain technologies look likely to radically disrupt the existing cryptocurrency ecosystem. One anticipated effect of these developments is the decrease in new unusual or eccentric digital currencies like Dogecoin, which was launched in 2013 as a parody of Bitcoin: its value rose 15,000% to 76 cents in the first half of 2021 – and so proved to be an unexpectedly wise investment choice to early adopters. Time will tell how – if at all – the unregulated cryptocurrencies we know today can respond to and weather these changes in the regulatory landscape, or whether their value will be dramatically decreased.
It is clear that governments of the world’s major powers are waking up to the risks posed by cryptocurrencies, including the threat they pose to the use and stability of traditional fiat currencies:
- The Financial Conduct Authority (FCA) now requires that all crypto-asset businesses active in the UK must register with the FCA under the Temporary Registration Regime, and be compliant with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
- Since September 2020, the EU has been considering plans to regulate blockchain and digital currencies, as part of its Digital Finance package, emphasising that any legislation “adopted in the field of crypto-assets should be specific, future-proof and be able to keep pace with innovation and technological developments”.
- In January 2021, the now US Secretary of the Treasury, Janet Yellen, told the US Senate Finance Committee that cryptocurrencies are “a particular concern” with many cryptocurrencies being used “at least in a transaction sense, mainly for illicit financing. And I think we really need to examine ways in which we can curtail their use”.
The European Central Bank (ECB) last October indicated that it planned to issue its own digital currency, the digital euro. Responses to its consultation that ran from 12 October 2020 to 12 January 2021 showed broad public support for its launch with 2 out of 5 respondents supporting greater visibility of digital euro transactions to tackle money-laundering and other risks.
The US Federal Reserve has recently announced that it will continue to explore a digital US dollar, with the publication this summer of a discussion paper to “help stimulate broad conversation”, describing it as a “high priority project”. This, however, is anticipated to be a digital version of the fiat dollars issued by the Federal Reserve. Similarly, and despite further clampdowns in China on the digital trading market and cryptocurrency services earlier this year, China is trialling its digital Yuan. This is set to be a digital version of the normal (fiat) Chinese Yuan, deployed on a blockchain controlled by the central bank and positioned for both domestic and international use.
The launch of digital currencies by major central banks seems to be at least a few years away. In the meantime, what can businesses do to protect themselves against crypto fraud?
The first line of defence is of course deploying the obvious countermeasures which all businesses should take in terms of digital security, including the use of encryption, endpoint security, VPNs, firewalls and antivirus software. Staff should be trained to be watchful for phishing scams, whether in the form of texts, emails or phone calls. Yet, if a business is hacked, or subjected to a scam or ransomware, a company is well-advised to act quickly in order to maximise the chance of being able to identify where money has gone. There are certain important steps which the company can take.
Importantly, and despite their characteristics, cryptocurrencies are not beyond the reach of the law. In 2019, the English High Court held that Bitcoins are property which can be the subject of injunctions. This landmark decision was made during an application to support efforts to recover a ransom payment made to hackers in Bitcoin. Significantly, the judgment also endorsed much of the UK Jurisdiction Taskforce’s recent legal statement on crypto assets and smart contracts.
The judgment in AA v Persons Unknown EWHC 3556 (Comm) arose from a ransomware attack, where hackers accessed the computer system of a Canadian insurance company and installed malware which encrypted the system. The hackers then demanded a ransom for the encryption key. The hackers initially demanded a US$1.2 million payment in Bitcoin to decrypt the company’s system. The company’s English insurer arranged for a specialist incident response company to liaise with the hackers and a payment of $950,000 was agreed. The insurer then arranged for the Bitcoin equivalent, 109.25 Bitcoins, to be transferred to the hackers, who then sent the decryption software.
The insurer then rapidly worked to recover the extorted Bitcoins by hiring consultants who located them at a well-known Bitcoin exchange and discovered that 96 of the 109.25 Bitcoin paid remained in the account. The insurer then brought proceedings to recover the Bitcoin, as they had been paid under extortion. The English High Court granted a proprietary injunction over the remaining 96 Bitcoin to facilitate their recovery.
This case – and the recent interim decisions in (1) Lubin Betancourt Reyes (2) Custodial Management Solutions Limited v (1) Persons Unknown x 3 (2) Tether Holdings Limited (3) Binance Holdings Limited (LM-2021-000083 and H10CL251) – show the importance of taking rapid action in a favourable jurisdiction – such as England & Wales or Gibraltar – when faced with crypto fraud. If digital payments can be tracked and injunctions are rapidly obtained before the assets are dissipated, a positive result can be achieved. Likewise, if a business is defrauded into making a cryptocurrency or other payment, that can also potentially be recovered if rapid action is taken.
What does the future hold?
Digital finance has been developing at speed over the last ten years, but legislation and regulation have been slow to follow. Not only has the global pandemic caused greater need and use of digital finance, so too has it brought greater economic uncertainty and instability. More regulation is needed to reduce the risks, build market confidence and ensure financial stability.
Blockchain technology has many potential legitimate applications beyond currency, including the secure sharing of medical data, cross-border payments, supply chain and logistics monitoring, real estate processing and voting mechanisms.
The direction of travel is very clear. The world’s major financial powers plan to stringently regulate cryptocurrencies, while also launching their own digital currencies. If the US and the EU launch digital currencies with a stable value, which also provide a private and secure payment method for people acting lawfully, the arguments now made in favour of cryptocurrencies will be radically undermined. Speed and confidentiality are often cited as the benefits of cryptocurrencies. Yet, within a few years, major digital currencies may be launched which provide those benefits, but which are far less volatile than cryptocurrencies, since they will be backed by central banks.
The initial wave of cryptocurrencies was unregulated. However, it now seems that government backed digital currencies using blockchain technologies are set to radically disrupt the global financial system. Until these central bank backed digital currencies are launched, alongside robust systems of cryptocurrency regulation, businesses must continue to carefully guard against crypto fraud.