As cryptocurrencies march toward mainstream adoption, a persistent misconception seems to have taken root among policymakers: That cryptocurrencies broadly—and Bitcoin specifically—pose a major threat to sanctions regimes and anti-money laundering efforts because of the anonymity they provide users. In legislation being considered in Washington, such as a recent measure to address El Salvador’s adoption of Bitcoin and another to bolster innovation capacity, policymakers are considering rules that would crack down on digital currencies with the aim of preventing money-laundering. And as the United States rolls out sanctions to counter Russia’s invasion of Ukraine, cryptocurrencies have been cited as a way for the Kremlin to circumvent financial penalties. But the perception of Bitcoin as providing perfect anonymity belies an inaccurate understanding of how the technology works and fails to address the complex dynamics currently at play between cybercriminals, sanctioned entities, and law enforcement agencies.
In early February, the U.S. Department of Justice made a record seizure of cryptocurrency—$4.5 billion—and announced that it had arrested a New York couple for their role laundering funds stolen from a cryptocurrency exchange. “Thanks to the meticulous work of law enforcement, the department once again showed how it can and will follow the money, no matter what form it takes,” the department noted. The arrest of the couple—an eccentric pair that were quickly dubbed the “crypto Bonnie and Clyde”—illustrated the increasing sophistication with which law enforcement in the United States and elsewhere are investigating cybercriminals.
Although Bitcoin and related cryptocurrencies offer some anonymizing features, they are in fact highly traceable. In a series of recent cases, investigators have demonstrated how to use the visible and immutable ledger of decentralized blockchains to trace illegal transactions and sometimes even recover stolen funds. In the cat and mouse game between law enforcement and online criminals, policymakers concerned with money laundering therefore ought to focus less on targeting Bitcoin and similar currencies and instead get ahead of shifting trends—principally, the adoption of privacy-protecting coins and the use of decentralized exchanges—that threaten to make investigations of online crimes and enforcing sanctions more difficult.
Introducing the cryptocriminals
Bitcoin and other cryptocurrencies are digital networks whose accounts are privately controlled, but whose transactions are all publicly and verifiably recorded in a visible ledger or “blockchain.” Although public account addresses are anonymized, the owner of a given account or “wallet” can remain anonymous only as long as their real identity cannot be tied to it. Once their identity is associated with a public address, however, it is trivially easy to identify their transactions.
Cryptocurrency is typically traded on centralized exchanges, such as Bitfinex. In 2016, Bitfinex was hacked by anonymous criminals who transferred several thousand Bitcoin to digital wallets held by the New York couple, Russian-born Ilya Lichtenstein and his wife and amateur rapper Heather Morgan. The connection between hackers that targeted Bitfinex and the couple remains unclear. We only know that they were arrested for attempting to move the stolen funds out of the wallets and clean them—reintegrating them into the legal financial system—when they were caught. Exchanges such as Bitfinex are attractive targets for malicious hackers, and several exchanges have had their funds drained, with losses likely totaling at least several hundred million dollars.
The anonymity of cryptocurrency accounts has previously made them attractive to criminals on the dark web, the portion of the internet only accessible through special software and popular among cybercriminals. Chainalysis, a firm that studies crypto analytics, suggests that Bitcoin transactions on the dark web totaled nearly $250 million in 2012 and likely reached $1 billion in 2019. For similar reasons, cryptocurrency is attractive for ransomware attacks in which hackers penetrate computer systems, encrypt data, and demand a ransom payment in order to restore access.
But cryptocurrencies are far from perfect in obscuring the identities of malicious hackers, and law enforcement agencies are getting better at tracking online criminals and their transactions. Once hackers obtain illicit cryptocurrency, perhaps from a heist or as part of a ransomware scheme, they will often want to convert it into cash, which is far less traceable. But thisstep is quite difficult: Conversions into and out of cash are easiest on major centralized exchanges, but those exchanges increasingly comply with strict “know your customer” or “KYC” regulations. As a result, illicit actors typically cannot convert their digital assets into cash on the most liquid exchanges today without identifying themselves and all their transactions. The same KYC regulations have resulted in major cryptocurrency exchanges blocking Russian accounts tied to illicit activity and subject to U.S. sanctions implemented in response to events in Ukraine.
For these reasons, laundering large amounts of money or evading sanctions via cryptocurrency is far from straightforward. Recall again that most cryptocurrencies are, by design, a series of publicly validated ledgers that record transactions. Transactions that are flagged can be traced—say, by a hacker moving Bitcoin from a plundered crypto exchange to their digital wallet. In Lichtenstein and Morgan’s case, law enforcement needed only to find the former’s private credentials to access all his digital wallets. In such cases, the holders’ cryptocurrency can not only be easily identified, but their funds can also be seized electronically, as happened to Lichtenstein and Morgan.
The ability to trace and recover cryptocurrencies gives some hope to crime victims. When the fuel-distributor Colonial Pipeline was the target of a ransomware attack last year, which disrupted fuel supplies on the Eastern Seaboard of the United States, the company paid a ransom in order to recover access to its data. Law enforcement was ultimately able to recover some $2.3 million of that ransom payment. The $11 billion hack of The DAO, a decentralized venture capital fund was solved similarly: all the relevant transactions were public.
Government bureaucracies now have powerful cyber and legal capabilities, augmented by private contractors, to mitigate the risks posed by cryptocurrencies. Successfully laundering large amounts of cash via Bitcoin or Ethereum today requires sophisticated operational security and/or residence within a country that is unlikely to prosecute illicit activity carried out abroad. Had Lichtenstein and Morgan better protected their accounts or simply left the United States, it is possible they would still be at-large—just like a number of criminal hackers residing in havens like Russia, China, North Korea, and Iran, and who are inordinately difficult to punish. Absent the right passports and cryptography expertise, however, Bitcoin and similar cryptocurrencies are far from an optimal way to launder money at scale.
While current policy fears about money laundering via cryptocurrency are overblown, there are a few trends that policymakers should be concerned about. The first is the emergence of and potential mass adoption of privacy-preserving coins, which threaten to decouple the link between crypto wallets and traders’ identities. For example, the coin Monero utilizes a number of privacy-enhancing technologies, like obscuring IP addresses, to obfuscate the identities of those involved in trades and to improve the fungibility of tokens. Monero therefore increases the likelihood that criminals can evade law enforcement and anonymously convert coins to cash. As the privacy protections of a given coin increases, so too does the likelihood it could be used as part of a sanctions-evasion scheme. As a result of the difficulties in tracking and tracing the individuals involved in privacy coin transactions, the IRS has offered payments of $625,000 to those that can crack the privacy protections of Monero, Zcash, and other such cryptocurrencies.
A second potential cause for concern is the shift away from centralized exchanges, which are required to conduct identify checks for customers, to decentralized exchanges like dYdX and Uniswap, which is estimated to be the largest such exchange. Decentralized exchanges rely on peer-to-peer systems to operate. This means that several computers serve as nodes in a larger network, in contrast to centralized exchanges that are operated by a single entity. Decentralized exchanges make it easier for traders to anonymously buy and sell coins; most such exchanges do not currently comply with “know your customer” laws, which means that it can be cumbersome for government officials to identify the parties involved in cryptocurrency transactions. Because these exchanges are not run by a single entity, they can be exceedingly difficult to police and lack the sanctions-enforcement mechanism of more centralized exchanges.
Policymakers and regulators are right to be concerned about the potential for cryptocurrency to enable illicit activity online. But the assumption that anonymous accounts on Bitcoin, Ethereum, and related cryptocurrencies will facilitate money laundering and sanctions evasion is misplaced. Rather than focusing on blockchains whose transactions are public and traceable, regulators should focus their attention where it more needed instead, such as privacy-enhancing coins and decentralized exchanges.
Richard Clark is Postdoctoral Fellow at the Niehaus Center for Globalization and Governance at Princeton University and incoming Assistant Professor of Government at Cornell University.
Sarah Kreps is the John L. Wetherill Professor and Director of the Tech Policy Lab at Cornell University and a non-resident senior fellow at the Brookings Institution.
Adi Rao is a PhD candidate in Government and a fellow in the Tech Policy Lab at Cornell University.