One of the themes of our Cyber Conference, which is running 21-23 September 2021, is the law in relation to cyber fraud. We’re delighted that one of the world’s leading authorities on the subject, Hon James Brazier, will be speaking to us about it. He is a fintech, regtech, legaltech and intelligence specialist and consultant for corporate intelligence consultancy CiRO™ Global Risks. Ahead of the conference, I spoke to him to find out more about the issues at stake. Here’s what he had to say.
Steven: The blockchain and crypto assets are still relatively new areas for many people. Can you start by explaining some of the terminology and how the technology works?
James: To some people, this can appear to be a complicated area. However, the blockchain is simply a type of database that holds a crypto asset such as the cryptocurrency Bitcoin. Bitcoin is stored on the blockchain in a decentralised way – no single person or group has control and all users collectively retain control. Decentralised blockchains like this cannot be altered after the fact – a change either took place or it didn’t. This means that when you’re talking about tracing Bitcoin for instance, transactions are permanently recorded and viewable to anyone.
Steven: Can you tell us a little more about recent developments in this area?
James: Lots of new investment vehicles are coming onto the blockchain. Many traditional assets are being digitised and there is increased use of the blockchain in products such as smart contracts. Decentralised finance is becoming more and more popular, with the law being unable to keep up with what seem to be daily developments!
Investment in crypto assets is seen as a diversification by professional investors because the value of tokens or coins is volatile. Despite this volatility, it is commonly accepted amongst them that the interest and value of any asset on the blockchain will increase. Bitcoin’s potential use as collateral is just getting started, with growing use of bitcoin as a reserve asset on corporate balance sheets.
Steven: It sounds as though interest in the area is increasing. Are we likely to see more people dipping their toes in the “crypto pool”?
James: According to a study by Evertas, institutional investors plan to significantly increase their stakes in Bitcoin and other digital assets in the future. The research reveals a belief that over the next five years pension funds, insurers, family offices and sovereign wealth funds will ‘dramatically’ increase their level of investment in cryptocurrencies. The findings also reveal that between now and 2025, 90% of institutional investors asked expected to invest more in crypto assets like Bitcoin, and 80% expect retail investors to do the same. Pre-event analysis is an essential part of any due diligence by the institutions involved; for example, it is imperative to assess the provenance of the source of funds.
Steven: Because it’s such a new area, should people be wary of the blockchain and crypto assets? What can go wrong and how can we better regulate it?
James: Like in traditional assets, things do go wrong. For instance, the founders of BitMEX were recently charged in the US with wilfully failing to prevent money laundering and operating an unregistered trading platform. Exchanges have to ensure they have strict compliance controls in place to prevent financial crime, no matter where they are located.
The need for due diligence, regulatory compliance and investigative services has increased in recent years as the cryptocurrency and blockchain industry continues to grow exponentially. Complex litigation cases need not only an understanding of the ever-changing regulations and reliable information – they require creativity in the solutions. Alongside lawyers, investigative teams and advisors combine their insight with intelligence and technology to achieve a greater understanding of the people, places and assets involved and create a solution appropriate in the circumstances.
Steven: Where are compliance efforts being concentrated at the moment?
James: Regulators, compliance officers, and Money Laundering Reporting Officers are all looking at the blockchain space from a compliance perspective. However, probably the fastest developing area is the legislative frameworks being employed in multiple jurisdictions.
Against that, we have to consider how fast the cryptocurrency market is moving. Bitcoin, the first decentralised cryptocurrency, was released in 2009. Similar digital currencies have been released into the worldwide market since then. Some assets are ‘stablecoins’, such as the Gemini Dollar – a stablecoin pegged to and backed by US dollars held in reserve at State Street Bank and Trust Company. Some aim to be alternatives to Bitcoin, such as Zcash which aims to offer more privacy than Bitcoin by providing users with the option to use private transactions, keeping transaction information private. The legislative framework needs to catch up with such developments, and be future proof (as far as possible), but getting to grips with the fungibility of the crypto assets is the first headache.
Steven: One of the hardest things to understand is how a digital asset such as cryptocurrency can be stolen and therefore how it can be recovered. Can you explain?
James: Let’s focus on Bitcoin for the purpose of tracing and asset recovery investigations. The unit of a Bitcoin is a piece of code – a ‘virtual’ coin, that is accepted as having a value. The Bitcoin is held on the public ledger, the blockchain.
One of the advantages of Bitcoin is that it can be stored on hardware: the code is saved to a secure hard drive, for example. This process is called cold storage. It protects the currency from being stolen digitally. Of course the hard drive could be taken, but the Bitcoin would be no use to anyone unless they had the “key” or authentication details to access it and reintroduce it to the internet. When the Bitcoin is stored on the internet (hot storage) there is a risk of it being stolen by being diverted.
As we know, all digital things are subject to security vulnerabilities. These vulnerabilities may come in the form of hacks or data breaches. However, as the blockchain, and the public addresses and transactions within blocks, can be examined using software programmes, much like traditional asset tracing, you can identify where the coin came from and where it may currently be located.
Steven: What do we know about the hackers who try to steal crypto assets?
James: Technology helps us follow flows of cryptocurrencies through wallets and the blockchain. But it is the human behaviour behind the transactions that we wish to understand if we want to protect crypto assets.
Hackers with technical knowledge and understanding of international law are especially dangerous. They have no real motivation to stop committing crimes and their methods for covering their actions will only become more sophisticated. Also important is the intended response by the victims, such as fear – arguably one of the most commonly manipulated emotions and often used in ransomware attacks. Understanding and recognising the motivations displayed by fraud perpetrators can help understand how we assess the situation.
The intelligence gathered in an investigation is assessed in behavioural profiles that provide a rich picture of each individual involved, accounts used, transactions undertaken and the devices used to authorise those transactions. We can use transaction details to see spend, the hours and days when someone tends to transact, use of IP masking, and the time period between geographically dispersed payment locations, to name a few. What a target does may be a better indicator of motivation than who they say they are and what they are doing.
Steven: How big is the scale of fraud in crypto assets?
James: When searching for terms such as “crypto-exchange” or “buy Bitcoin” the first few pages of search results may contain fake exchanges. Fraudsters will lure their victims with grandiose promises, such as fast profits, stating you can get a big reward for a small contribution. Another tactic may be blackmail. Ponzi schemes and various pyramids have become classics of the crypto industry fraud.
Americans lost over $80m in cryptocurrency scams between October 2020 and April 2021. According to figures from the Federal Trade Commission, more than 7,000 people reported losses — about 12 times more than the same period a year before. The median loss was $1,900 per person, with people in their 20s and 30s the worst hit.
The blockchain, including Bitcoin, is being used by some organised criminal syndicates because of its alleged privacy benefits. “There’s a transition to committing crimes in cyberspace, like acquiring cryptocurrencies to launder money … and the pandemic is accelerating it,” said Santiago Nieto, head of the Mexican finance ministry’s financial intelligence unit.
There is a lot of money involved and that is a significant motivator.
Steven: Where do you see the biggest challenges in policing cyber fraud?
James: One of the biggest topics for discussion at the moment is whether cyber fraud should be treated as a criminal or civil matter. There are laws in many jurisdictions increasing regulation covering crypto assets. However, using those regulations to pursue fraudsters remains difficult. You could tell the police, but nothing may come of it or progress may take a long time to resolve. Then there is the issue of whether you will get your money back through a proceeds of crime seizure or court order. Another option is less obvious, but bringing your own civil fraud claim through the application of the legal principles of tracing can be quicker and more fruitful.
The evidential challenges of pseudonymity on the blockchain are becoming less of a problem, where we can link the target’s bitcoin transactions to ‘real-world’ activity. Once the human entities behind the fraud are identified, the court could act to provide relief.
Basic principles, such as the provenance of any information must be assessed, and all tactical options are available to the victim. Sophisticated fraudsters use obfuscation and typically follow a strict communications protocol that ensures tracking or tracing the source of their calls or communications are disguised from the investigator to avoid detection. This is typical because the fraudsters do not like their identity to become known for obvious reasons.
Typically, emails and IP addresses are used with multi-layered VPN and proxy services across multiple jurisdictions. It is in the interests of the fraudsters to protect their digital infrastructure from outside interests for as long as possible. We have seen this across a number of cases where the ‘scams’ have gone on for a long time, targeting hundreds of victims.
The approach to uncovering these types of frauds is painstakingly long; tracing the full amount of information before, during and after the event means we can assess the risks and provide the advice on the best course of action to recover the lost monies.
Steven: How do you see the blockchain and crypto assets developing?
James: With the expected value of Bitcoin and other digital assets still climbing and the excitement rising, even the biggest players in traditional currencies are getting involved. For example, the likes of Mastercard have announced a new global start-up engagement program dedicated to supporting fast-growing digital assets, blockchain and cryptocurrency companies.
Of course, this means there will be more opportunities for scammers to trick people who want to get involved. Getting professional advice has become essential.