Cryptocurrencies, Blockchain and Fraud

Understanding Security Clearances – What Blockchain Users Should Know

Main Points For Consideration:

  • Transmitting classified information requires strict adherence to complex rules.
  • Intentional misuse of security classifications can result in severe penalties.
  • Unintentional misuse of security classifications can also result in adverse actions.
  • Blockchain users doing business with the United States Government are responsible for compliance with existing security rules and regulations.
  • Proper training and knowledge may prevent unauthorized disclosure of classified information into an existing Blockchain shared ledger.

The rapid expansion of Blockchain technology demonstrates increasing involvement with government entities at the local, state and federal levels. Local and state governments are incorporating permissioned shared ledger processes for voting records, real estate records, medical records and other uses. It is not publicly known to what extent the federal government intelligence community is evaluating or using Blockchain technology. It is, however, reasonable to assume that Blockchain technology may be tested and used in a variety of roles to protect and exchange sensitive government information. If so, Blockchain technology will interact with the complex rules overseeing the use of government classified information.

What Are the Different Classification Levels?

Current descriptions of the different levels of U.S. government classifications can be found on multiple open-source resources such as:
http://govcentral.monster.com/security-clearance-jobs/articles/2330-3-levels-of-security-clearance. National security information that requires protection against unauthorized disclosure is classified at one of the following levels:

Top Secret Clearance is applied to information that reasonably could be expected to cause exceptionally grave damage to the national security if disclosed to unauthorized sources.

Secret Clearance is applied to information that reasonably could be expected to cause serious damage to the national security if disclosed to unauthorized sources.

Confidential Clearance is applied to information that reasonably could be expected to cause damage to the national security if disclosed to unauthorized sources. The vast majority of military personnel are given this very basic level of clearance.

Unclassified is not technically a classification but is the default term referring to information that can be released to individuals without a clearance.

What is Sensitive Compartmented Information (SCI)?

SCI information may be either Top Secret or Secret, but in either case it has additional controls on dissemination beyond those associated with the classification level alone. The “need to know” principle is formally and automatically enforced. The SCI designation is an add-on, not a special clearance level.

What is the Special Access Programs (SAP) Designation?

The U.S. Government provides security protocols for highly classified information with safeguards and access restrictions that exceed those for regular classified information. In addition to collateral controls, a SAP may impose more stringent investigative or adjudicative requirements, specialized non-disclosure agreements, special terminology or markings, exclusion from standard contract investigations and centralized billet systems. This information can also be found by researching open-source sites such as: https://en.wikipedia.org/wiki/Special_access_program.

U.S. Government Documents:

For information to be properly classified, an individual or individuals charged by the U.S. Government with the right and responsibility to do so must determine the appropriate classification level, as well as the reason the information is to be classified. A determination must be made as to how and when the document will be declassified, and the document marked accordingly. Individual agencies within the government develop guidelines for what information is classified and at what level. Classified U.S. Government documents must be stamped with their classification on the cover and at the top and bottom of each page. Authors must mark each paragraph, title and caption in a document with the highest level of information it contains. Persons with lower clearance levels are not permitted to have access to information classified at higher levels. Conversely, persons with higher levels of clearance have access to information from lower classifications.

Who is Eligible for Obtaining Security Clearances?

Eligibility for access to classified information is granted only to those for whom an appropriate personnel security background investigation has been completed. It must be determined that the individual’s personal character and professional history indicate loyalty to the United States, strength of character, trustworthiness, honesty, reliability, discretion, and sound judgment, as well as freedom from conflicting allegiances and potential for coercion, and a willingness and ability to abide by regulations governing the use, handling, and protection of classified information. A determination of eligibility for access to such information is a discretionary security decision based on judgments by appropriately trained adjudicative personnel. Eligibility will be granted only where facts and circumstances indicate access to classified information is clearly consistent with the national security interests of the United States. Access to classified information will be terminated when an individual no longer has need for access.

Unauthorized Disclosure of Classified Information:

I found in open-source research that the U.S. Department of Defense states that an unauthorized disclosure is the communication or physical transfer of classified or controlled unclassified information to an unauthorized recipient. An unauthorized recipient can be anyone. Unauthorized disclosure of classified information can be either intentional or accidental and can occur through leaks, spills, espionage, or not following proper safeguarding procedures.

Leaks are deliberate disclosures of classified information to the media. Classified data spills are accidental or intentional disclosures of classified information that occur across computer systems.

Spills are considered and handled as a possible compromise of classified information involving information systems, networks, and computer equipment until it is determined whether an unauthorized disclosure occurred.

Espionage includes activities designed to obtain, deliver, communicate, or transmit information relating to the national defense with the intent or reason to believe such information will be used to harm the United States or to the advantage of a foreign nation or transnational entity.

Unauthorized disclosure of classified information due to improper safeguarding procedures, although usually unintentional, can be just as damaging to national security as intentional unauthorized disclosures.

Duties to Disclose Unauthorized Disclosures:

Prior to receiving authorization to handle classified information, a classified information nondisclosure agreement is executed between participants. Within this agreement are requirements to receive a security indoctrination concerning the nature and protection of classified information, including the procedures to be followed in ascertaining whether other persons to whom the signer contemplates disclosing this information have been approved for access to it. The security training will include procedures to be taken when a security breach is discovered. Once discovered, the classified information must be protected to prevent further disclosure. Then, the disclosure must be reported to appropriate authorities who will, in turn, investigate the incident and impose sanctions, if warranted.

Gaining Knowledge of Government Regulations:

Blockchain developers and users conducting business with the U.S. government as vendors, employees, or contractors may find themselves interacting with classified information. If so, they, like all others, are responsible for compliance with existing rules and regulations which oversee the exchange of sensitive information.

Conclusion: The Blockchain shared ledger system promises an unalterable time-stamped recording of events that is relatively fraud-proof and un-hackable. When considering the use of classified information, it is imperative that classified information be handled properly.

One unanswered question certainly emerges: What happens to an existing Blockchain system if an unauthorized release of classified information is somehow added to the shared ledger? One result could be a freezing of the information per government regulations to prevent further use of the unauthorized leak. Another result may well involve a damage assessment conducted by authorized representatives of the government.

To prevent misuse of classified material, Blockchain developers and users will have to be mindful of the risks and consequences of unauthorized leaks.

(The above information was obtained from open-source research of publicly available web sites).


Synthetic Identity Theft – What Blockchain Users Need to Know

Main Points for Consideration:

  • Traditional Identity Theft schemes steal the identity of a known person to impersonate the victim.
  • Synthetic Identity Theft uses a Social Security Number to form a new, but fake person.
  • Synthetic identities can satisfy known loan underwriting procedures.
  • Synthetic identities create additional risk factors for Blockchain systems.
  • Synthetic identities can be formed before being included into a Blockchain system.
  • Synthetic identities may be used to impersonate known participants.

Advances in Blockchain technology can develop platforms to protect individuals’ identities from theft and also help businesses authenticate participants. But how can Blockchain provide assurances that the identities are valid in the first place? Answers may be found by understanding the threats of Synthetic Identity Theft, and how to mitigate those threats.


In a more traditional identity theft scheme, a perpetrator will steal Personally Identifiable Information (PII) to impersonate the victim. But Identity Theft has evolved into a hybrid form known as Synthetic Identity Theft where a perpetrator is not trying to impersonate the victim. Instead of stealing and impersonating the identity of actual persons, a new persona is invented by the perpetrator. This is accomplished by using a Social Security number to create a completely fictitious personal profile.

Synthetic Identity Theft – How It’s Done

Identity thieves obtain Social Security numbers using familiar techniques like Phishing schemes; forming phony websites to collect PII from victims; using corrupt internal employees who have access to PII; and even buying stolen SSANs obtained from data breaches. The fraudster will add a name, date of birth, and address to create new PII for a fictitious person. The new identity is then used to establish records in public databases, credit files, phone and utility records, social media profiles, etc. Afterwards, the perpetrators can monitor the payment history, credit score and public persona of the fake person. The new accounts established by the fraudster can be used immediately for financial fraud schemes, or used as sleeper accounts that lie dormant for long periods of time. The dormant accounts can be sold on the black market to other criminals.

Synthetic Identity Theft Schemes – Where Are They Found?


Fictitious synthetic identities are often used to attack internet-based business transactions. As an example, the automobile industry uses internet-based sales for purchasing vehicles without face-to-face interactions with a sales person. Some dealerships have been victimized by perpetrators forming fake identities used to satisfy standard loan underwriting requirements. Financing arrangements were completed with fake personas and vehicles were delivered to other locations where the vehicles were used in other criminal activity.

These schemes have impacted government operations including Veterans’ benefits, Social Security benefits, Medicare and Medicaid programs, Health Care systems, and private medical insurance systems. For example, synthetic identities have been used to obtain health insurance policies from private insurance companies. Also concerning is the potential use of fake synthetic identities by terrorist groups to launder money through established government financial systems and/or cryptocurrencies. The laundered money can fund terrorists for living expenses, safe houses, renting cars, international travel, and purchasing restricted goods.

Fraudulent identity profiles have also been found in the mortgage process, auto insurance claims, staged accident schemes, schemes involving the IRS, Small Business Administration, FEMA, and other government entities. Within the health care industry, the government is encouraging the digitalization of medical records, and these records are based on the PII of patients. This creates more opportunities for the theft of PII.

Anyone’s Social Security number can be stolen, but certain demographic groups are specifically targeted. SSANs of minors are more likely to be stolen because the younger a child is, the longer the fraudulent identity can be used. The SSANs of elderly people, college students, and indigent people are also targeted. The fraudsters have been known to solicit financially destitute people to buy their identity.

Synthetic Identity Fraud is a Worldwide Problem

In 2017, the World Bank released a study concluding that more than 1.1 billion people in the world lack access to vital government services because they are unable to prove their identity. The World Bank Group’s Identification for Development (ID4D) initiative launched a High Level Advisory Council to advance the realization of robust, inclusive and responsible digital identification systems as a sustainable development priority.

The United States Federal Deposit Insurance Corporation (FDIC) recently estimated there are 10 million unbanked or underbanked households in the country. The FDIC defines unbanked as those adults who are without an account at a bank or other financial institution and are considered to be outside the mainstream for one reason or another. Many people are squeezed out of normal banking systems because of poor credit. Others choose not to participate in government systems to avoid regulation, oversight, and excessive fees.

Why is This a Concern for Blockchain Technology?

The World Bank ID4D recommends efforts to provide reliable digital identities to 1.1 billion people who want to participate in the economy, but lack provable identities. Similarly, unbanked people choosing to use alternative financial instruments, think cryptocurrencies, also desire a safe and reliable system to conduct financial transactions.

Blockchain technology is envisioned as the record keeping system for new digital identities and/or established identities. And it may be safe to assume that the immutable Blockchain distributed ledger can make it more difficult to use a stolen identity. But vexing questions continue to appear: Prior to the adoption of a Blockchain ecosystem, could a criminal or terrorist form a fake Synthetic identity only to be added to the Blockchain ledger? If so, the Blockchain may then become a hiding place for persons intent on doing harm.


Also, once a permissioned Blockchain system is formed with approved participants, could a synthetic identity be formed to impersonate a participant? If so, could a fake participant cause harm to the information being added to the Blockchain?

These possibilities may not be surprising to persons who use ledgers for normal accounting and business purposes. The ledgers can accurately record numbers and information. As accountants and auditors will certainly attest, ledgers can also accurately record falsified information. The ledger system cannot guarantee the integrity of the information before entries are made, and neither can Blockchain. Only people can determine the integrity of other people.

Mitigating Synthetic Identity Theft:

Synthetic Identity Theft schemes can defeat known preventative measures such as credit checks, locking down credit, changing passwords, and two-factor authentication, because the schemes do not necessarily involve obtaining credit. The fight against Synthetic Identity Theft will be waged by combining known preventative measures with improved Artificial Intelligence (AI) to study behavior, and Biometric verification, such as voice, face, fingerprints, and DNA, to verify the identity of actual persons. As such, maintaining a balance between Security and Privacy will always present challenges.

Conclusion: The intention of raising these Synthetic Identity Theft issues is not to discredit the Blockchain infrastructure. Instead, and just like any other new technology, it is imperative to understand risk factors as the technology is developed and implemented. Identifying and understanding risk factors should result in strong measures to mitigate the risks. Blockchain developers and end users will certainly need to develop and improve counter-measures to mitigate Synthetic Identity Theft threat vectors.



The Ghosts of Enron May Haunt Blockchain


The spectacular collapse of Enron exposes millions of dollars of fictitious revenues.

As predicted by many, Blockchain technology is becoming a disrupter in business enterprise models and governmental applications. The simplicity of a shared ledger among participants that creates a safe, chronological and unalterable record of events is showing signs of success. This, in turn, attracts attention from more and more people searching for technology to improve their business model. The shared ledger of Blockchain is similar to a ledger-based accounting system as found in Generally Accepted Accounting Principles (GAAP). One caveat to consider: The ledger can accurately record numbers, but cannot measure the truthfulness of the transactions or the integrity of the people behind the transactions. It has always been possible, and will always remain possible, that incorrect or fraudulent numbers can be accurately recorded in the journals and ledgers. The information then flows into the financial statements. The success of GAAP accounting therefore depends on the honesty of the participants.

Open vs. Closed Blockchain models

The original 2009 Blockchain model was incorporated into the Bitcoin protocol as an open-sourced ledger system where untrusted participants called Nodes evaluate and approve each transaction before it is added as a new block to the existing Blockchain. In this model, the Nodes did not have to know or trust each other. Since the Bitcoin ecosystem was open-sourced, anyone with access to the internet could obtain the free software and participate in the mining process for Bitcoin. The design makes it impractical, but not impossible, for sufficient numbers of nodes to band together and override the Blockchain ledger. This became known as the 51% attack where over half of the existing Nodes work together to exert control over Blockchain transactions.

Subsequent Blockchain systems using only trusted participants (Nodes) in a closed environment have shown promise in a variety of business and government applications, and have fueled the interest and growth of Blockchain. But how does Blockchain affect the world of fraud?

There is no accounting system, computer software or hardware that can prevent fraud schemes or prevent determined people from cheating and stealing from one another. Accounting systems are designed to standardize record keeping protocols to create reliable records of financial transactions. Corrupt people working together, of course, will find ways to defeat any control system to lie, cheat, and steal. To counter the fraudsters, we rely on GAAP accounting rules, government regulators, and highly trained auditors to enforce the rules to create reliable financial reports.

Blockchain cannot prevent fraud. However, it can be argued that a closed Blockchain system where Nodes are chosen may be a valuable ally in preventing and discovering known schemes such as Business Email Compromise (BEC) schemes, Email Account Compromise (EAC) schemes, employee embezzlements, theft of Intellectual Property, corrupt vendor schemes, bribery and kickback schemes, and a host of others. These schemes may escape the eyes of management or auditors by hiding in blizzards of transactions. But Blockchain may serve as a deterrent since varying Nodes must unanimously approve each transaction before it is added as a new block.

A strong argument can be made that having other participants (Nodes) reviewing and approving transactions before being added to the Blockchain may make such schemes more difficult to perpetrate and more likely to be discovered at early stages.

What Happened at Enron?

The investigation of Enron exposed a massive accounting fraud causing the collapse of the seventh largest company on the Fortune 500 company list and the sixth largest energy company in the world. The $100 billion company was a financial house of cards that concealed massive debt from the Board of Directors, internal and external auditors, investors, and regulators. Attempts to compare present-day capabilities (Blockchain) to historic fact patterns (Enron) can be tricky if the past cases are no longer relevant to current conditions. However, it can be demonstrated that fraudulent financial statement abuses are commonplace today. Here are some of the main accounting abuse issues found by SEC regulators in the Enron investigation:

  • Executives fraudulently used Reserves within Enron’s wholesale trading businesses to manufacture and manipulate reported earnings.
  • Executives manipulated Enron’s “business segment reporting” to conceal losses at Enron’s energy business known as Enron Energy Services (EES).
  • Executives manufactured earnings by fraudulently promoting Enron’s broadband unit, Enron Broadband Services (EBS).
  • Executives used Special Purpose Entities (SPEs) and company partnerships to manipulate Enron’s financial results.
  • Executives profited from illegal insider trading techniques to sell large amounts of Enron stock at inflated prices.
  • Executives made False and Misleading statements concerning Enron’s financial results and the performance of its businesses. These misrepresentations were also contained in Enron’s public filings that generated unlawful proceeds of approximately $63 million.


Given the advancements of Blockchain technology, some may argue that frauds like Enron may have been prevented or discovered earlier had Blockchain systems been implemented. A closer look at the above listed SEC findings indicates a strong, collusive collaboration within the top executives at Enron.

Could Collusion among Corrupt Corporate Executives Defeat Blockchain Advantages?

One would have to assume that corporate executives would be aware of the accounting procedures of a company. If executives were instrumental in designing and adapting Blockchain to their business model, could they appoint themselves as Nodes, or use complicit subordinates as Nodes to implant fraudulent information into the Blockchain? We do know that corrupt Enron executives at the highest levels of the company conspired to hide debt, manipulate profits, and falsely inflate stock prices for their selfish benefit. They successfully concealed the fraud from other company officials, internal and external auditors, bankers, and regulators. They worked hard to find the gray areas of GAAP accounting to justify their actions.

Blockchain developers are fearful of the dreaded “51% attack” that could undermine the advantages of Blockchain. The same concern could be raised by the possibility of corrupt collusion between Nodes to bake fraudulent transactions into the Blockchain, or work together to avoid the scrutiny of other participants.

Conclusion: The internal controls in the best designed GAAP accounting system remain vulnerable to collusion between fraudsters, and Blockchain may be no different. The corrupt Enron executives argued at many judicial proceedings that they were within the gray areas of accounting and therefore did not commit the alleged crimes. Fortunately, juries and judges disagreed and stiff prison sentences followed.

The lessons of Enron can provide guideposts to the applications of present-day technology: The success of any system will depend on the integrity of the participants. The numbers do not lie but liars can make the numbers.

The Ghosts of Enron will always remind us that when people are involved, fraud will find a way.


Cryptojacking – What You Should Know

   

Main Points to Consider

  1. Cryptojacking attacks are exploding in numbers.
  2. Cryptojacking uses the computing power of hijacked computers to mine for cryptocurrencies.
  3. Cryptojacking runs in the background, slowing the system and increasing electricity usage.
  4. Illegally mined cryptocurrencies are laundered into the wallets of criminals.
  5. Preventive measures include training to avoid poor cyber hygiene habits.

Why Are They Attacking Me?

When presenting CyberFraud information to business groups and Senior Citizen groups, I am often asked “Why are they coming after me?” The answer is threefold. First, the crooks want your money and Intellectual Property, and everybody gets that. Second, they want the Personally Identifiable Information (PII) of you, your clients, your customers, your kids, and your grandkids. Selling freshly stolen PII is very lucrative in underground criminal markets such as those found on the Dark Web. Third, they want your computers.

Illegally gaining access to your computers and cyber systems to plant Malicious Software (Malware) feeds a diverse array of scams. Malware can be designed to lock up your computers for ransom payments, known as Ransomware. Malware is often used to lurk in the background and conduct reconnaissance on your business and personal habits for Business Email Compromise scams; it can locate and extract your trade secrets; it can turn your computer into a robot to conduct other cyber-attacks; or it can plant back-doors allowing access to persons intent on damaging or destroying your systems.

What is Cryptojacking?

Ransomware attacks are now decreasing in numbers. This is not necessarily good news because the attacks still cause millions of dollars in losses, and the malicious software is changing and diversifying to avoid detection. So here comes Cryptojacking to overtake Ransomware as the top cyber threat.

Simply explained, Cryptojacking is the process of hijacking your computer to mine for cryptocurrencies. In our discussions of Bitcoin and other cryptocurrencies, we talk about the different ways you can obtain Bitcoin. Basically, you can get Bitcoin by exchanging fiat currency, such as U.S. dollars, to buy Bitcoin from exchanges or other persons; you can incorporate exchanging Bitcoin for goods and services through your business model; or you can mine for Bitcoins. Mining is the process of solving complex mathematical algorithms to obtain Bitcoin.

When Bitcoin first appeared in 2009, the mining process could be done on home computers.  But each time an algorithm was solved, the next algorithm was more difficult.  More computing power was necessary as the level of complexity continually increased.  Soon, it became necessary to pool the resources of individual computers to solve the algorithms. The mining pools necessarily became larger and larger.  The Bitcoin miners discovered that increased mining power required not only more computer capabilities, but also required more electricity to run the computers and the cooling systems to protect the computers from overheating.

To overcome this challenge, hackers are now hijacking our computers to mine for cryptocurrencies.  The infected computers are banded together to harness the combined computing power for mining purposes.  Voila, no expensive mining pools, no electric bills, little risk of detection, huge profits, and opportunities to launder illegally obtained cryptocurrencies into their own wallets.

Victims of Cryptojacking have noticed their devices slowing down, increased electric bills, and additional heat from their systems.

What Can I Do to Prevent Cryptojacking?

Cryptojacking hackers use techniques found in other computer intrusion schemes to overtake the computers.  They exploit poor cyber hygiene practices such as opening unsolicited emails and attachments, clicking on suspicious websites, using corrupted apps, and identifying weaknesses in the cyber system itself.  The best known preventative measures include updating software systems, immediate use of software patches, changing passwords, strengthening firewalls, continuous monitoring of cyber systems, and continuous training of individual users to recognize cyber attack vectors.

Conclusion: This seems like the same song in a different dance, doesn’t it? As we identify and beat down current threats, the bad actors come up with something new to poison our cyber environment. As we move towards a connected world in the Internet of Things, we can expect the scoundrels to develop and improve their attack capabilities.  Al Capone would be proud of them.

              

                            


Cryptocurrencies, Fraud Schemes, and Money Laundering

  In many presentations I have done to explain Bitcoin and other virtual currencies, the most difficult part for people to understand is how a virtual currency, which cannot be seen or held in our hands, can represent value.   In fact, critics of buying and trading in virtual currencies maintain that virtual currencies will never be a reliable form of commerce.  I am not promoting or demoting the idea of virtual currencies, but it is now unmistakable that virtual currencies have gained worldwide acceptance.  One can argue that virtual currencies will never replace fiat currencies, which is probably true.

Discussion Points to Consider:

  1. Currently, there are about 2000 virtual currencies
  2. Anyone can create a virtual currency
  3. Bitcoin was the first cryptocurrency and is the most well known
  4. Cryptocurrencies are easily converted to and from government-approved currencies (Fiat Currencies)
  5. Cryptocurrencies appear in multiple fraud schemes
  6. Cryptocurrencies are used to launder proceeds from criminal activity

Although virtual currencies have been in existence since the late 1990s, they lacked reliability and acceptance for conducting financial transactions. The release of the Bitcoin ecosystem in 2009 disrupted the financial systems as the world’s first virtual currency using cryptology to provide advanced anonymity, and the Blockchain to solve the “double spending” problem. Thus, Bitcoin became the first convertible, de-centralized, math-based cryptocurrency. Bitcoin became convertible to and from fiat currency, de-centralized because transactions could be conducted Peer-to-Peer without government oversight, based on the mathematical solutions of increasingly complex algorithms, and concealed by cryptology. The structure of Blockchain technology proved that an owner of Bitcoin could not double spend the same Bitcoin.

What Are Virtual Currencies?

Virtual currencies can be described as a Digital Representation of Value functioning as a Medium of Exchange that does not have Legal Tender status.  All that is required to hold value is Trust and Adoption.  Bitcoin gained in prominence because of the ease of use and semi-anonymity, but government regulators in the United States and around the world have wrangled Bitcoin into a heavily regulated world of banking.  Bitcoin rivals such as Monero and Zcash now offer better anonymity.  Ethereum is another virtual currency which serves as the basis of Smart Contracts (digitalized contracts) for use in commerce.

What is Blockchain Technology?

Blockchain is described as a Distributed Ledger where all transactions are agreed on by Nodes, or participants.  Once approved, the transaction is time-stamped and added as a new Block to the previous Block.  Each new block is individually identified by a unique hash code and is digitally tied to the previous block by incorporating a portion of the hash code.  In this manner, the Blockchain provides an irreversible record of all transactions in ascending chronological order. 

The Blockchain used in the Bitcoin platform is open to the public, meaning that anyone can freely obtain the software program and become a Node in a Non-Permissioned environment.  Nodes can then “Mine” for Bitcoin for their own use or earn Bitcoin fees for approving transactions of other users of Bitcoin.  In this Public format, the Nodes have no need to know or trust each other.  Hybrid forms of Blockchain have been formed to create a Permissioned and Private system where the Nodes know and trust each other.  In both Non-Public and Public Blockchains, each transaction is recorded on a ledger, but the identity of the person or persons behind the transaction is not disclosed.  This is accomplished by using Public Keys to record the transactions, and Private Keys that allow entry into the Blockchain.  Therefore, the identity of the person or persons conducting the transaction remains anonymous.

How are Cryptocurrencies Used in Fraud Schemes?

Cryptocurrencies are emerging as a payment of choice in many fraud schemes. More and more, we see bad actors avoid government oversight of financial institutions by demanding payment from victims in the form of cryptocurrencies. And why shouldn’t they? Cryptocurrencies provide anonymity, speed, and worldwide acceptance for the transfer of funds from victims to the perpetrators. Four main areas of concern are: (1) cryptocurrencies being used in Securities Fraud matters; (2) cryptocurrencies being stolen directly from victims; (3) cryptocurrencies used as payments in Ransomware and Extortion schemes; and (4) using cryptocurrencies to pay for illegal products and services on the Dark Web.

How are Cryptocurrencies used in Securities Fraud Schemes?

Currently, one of the hottest investment markets involves high-risk Initial Coin Offerings (ICOs), and these ICOs often result in significant losses to unwary investors. Certainly, there are legitimate ICOs to consider. However, regulators have found that many are rife with fraudulent misrepresentations that can result in significant losses to investors. ICOs can provide a means for startups to avoid the high costs of regulatory compliance found in Initial Public Offerings (IPOs). ICOs involve crowdfunding centered around cryptocurrencies and sold to investors as Utility tokens or Asset-based tokens. Tokens are promoted as Future Functional Units of Currency. A holder of utility tokens can exchange value for a good or service in the future, while asset-based tokens are backed by an underlying asset. Some ICOs can fall outside of existing regulations and escape normal monitoring by government regulators. We have seen cases where scammers will use ICOs in Pump and Dump schemes and Advance Fee schemes.

Investors in Bitcoin are at risk from Market Manipulation of Bitcoin prices.  Bitcoin, known for volatile price changes, is vulnerable to current-event price swings where illicit actors take advantage of news events to manipulate the prices.  Regulators are scrambling to keep pace as increasingly complex investments are expanding across national borders. 

Question: How do you steal cryptocurrencies?   Answer: Steal the Private Keys.

The Public Keys allow access to the Blockchain ledger to record transactions, but the Private Key unlocks the currency.  Therefore, the sophisticated thieves target the computers and smart phones of the owners to learn how the cryptos were purchased, which bank accounts were used to transfer fiat currency, passwords, security questionnaire answers, contacts with other persons transacting in cryptos, websites visited to buy and sell cryptos, and above all, the identity of the Private Keys.  If Private Keys are found, the criminal can permanently transfer the currencies into their own wallet.

Third-party repositories of Private Keys can become hacking targets.  Also, willing buyers and sellers will find one another in on-line forums to meet in person to buy and sell cryptos.  People carrying cash and/or their Private Keys are then susceptible to robbery, referred to as Stage Coach robberies. 

Ransomware and Extortion attacks are directed to large and small businesses, health care organizations, governmental entities, or other businesses holding sensitive information.  Bitcoin is the most common method of transferring the extortion amount, but other cryptocurrencies offering more complete anonymity are also used.

The Dark Web is the part of the internet accessible only by special programs, which are available to anyone. The Dark Web is used by actors to sell stolen goods, Malware and other cyber infections, stolen identities, stolen credit cards, pornography, illegal drugs, and virtually any other tool of criminal activity. Cryptocurrencies such as Bitcoin, Monero, and ZCash are used to buy and sell illegal items or services. Tumbler and mixing services are also found on the Dark Web.

What About Money Laundering with Cryptocurrencies?

Sophisticated criminals are often burdened by their own success; that is, hiding the money from regulators and investigators can be difficult. Everybody loves cash, but spending too much cash only tips off authorities monitoring cash transactions. Cryptocurrencies make it possible to easily hide, transfer, and clean the illicit money.

Money laundering is usually explained in three steps: Placement, Layering, and Integration.  Placement means that the dirty money is placed into the financial system, usually the Federal Reserve financial system in the United States.  Layering means the money is transferred through multiple accounts to confuse the financial trail.  Integration means that the dirty money is then transferred into legitimate accounts and businesses to distribute cash and/or purchase expensive assets.

Cryptocurrencies are purchased using the approved (Fiat) currency of a country.  The purchases of cryptocurrencies can be done through government-approved exchanges, or through unregulated exchanges.   

Current emerging money laundering threats with cryptocurrencies are found in multi-national exchanges, online gambling sources, and mixing/tumbling services. Online gambling is gaining legal acceptance in the United States and other countries and offers multiple, diverse opportunities to cleanse the dirty money. Mixing and tumbling services will take individual cryptocurrency transactions and tumble them through multiple wallets to obliterate the trail of transactions. Mixing and tumbling services are not necessarily illegal; however, nefarious operations abound on the Dark Net.

Conclusion:  Criminal actors now have assortments of tools to bounce illegally obtained fiat currencies through multiple cryptocurrency transactions, multiple wallet addresses, and multiple countries in blizzards of transactions at a very high rate of speed.  Moving and hiding proceeds from criminal fraud schemes has become faster, more efficient, and harder to detect than ever before.  So, the cat and mouse game continues.  While authorities become better at identifying and following cryptocurrencies, the bad actors adjust and adapt to advances made by the good guys.