chevron-down Created with Sketch Beta.

Criminal Justice Magazine

Magazine Archives

Cryptocurrency: Anti-Money Laundering Enforcement and Regulation

Sanjeev Bhasker, Michael Grady, and Kevin Mosley

Summary

  • United States law requires cryptocurrency exchanges and other money services businesses (MSBs) to register with the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and comply with the Bank Secrecy Act (BSA).
  • The Silk Road and other prosecutions illustrate modern digital asset enforcement.
  • Money launderers rely on sophisticated methods to obscure their digital footprints on blockchains, such as “mixers and tumblers” and “chain hopping.”
  • Regulators and enforcement agencies are working to address the challenges posed by jurisdictional arbitrage, the rise of decentralized finance (DeFi), and new financial products like non-fungible tokens (NFTs).
Cryptocurrency: Anti-Money Laundering Enforcement and Regulation
KEHAN CHEN via Getty Images

Jump to:

Since the first Bitcoin block was mined in 2009, proponents and critics of cryptocurrency have argued about its legitimacy. Proponents cite the growing acceptance rate of cryptocurrency among businesses, the appearance of cryptocurrency ATMs, and the potential adoption of central bank digital currency (CBDC) as evidence of cryptocurrency’s promise and staying power. Detractors point to the collapse of cryptocurrency exchanges, the failure of banks that have catered to the cryptocurrency industry, and the proliferation of high-profile prosecutions involving the illicit use of cryptocurrency. No matter where one stands in this debate, most agree that cryptocurrency is a growing presence in today’s economy and, while frequently used for legitimate purposes, also continues to be abused by criminals to facilitate illegal activity.

Cryptocurrency is a type of virtual asset, i.e., a digital representation of value that can be digitally traded, transferred, or used for payment. See Virtual Assets, Fin. Action Task Force. “Cryptocurrency” is so-named because cryptocurrency transactions are secured by cryptography—the practice of creating and understanding codes to protect information. See Rep. of Att’y Gen.’s Cyber Digital Task Force, Cryptocurrency Enforcement Framework, at 1 (Oct. 1, 2020). Cryptocurrency is also “virtual currency,” which is a term referring to a medium of exchange that can operate like currency but does not have all the attributes of “real” currency, including legal tender status. See Fin. Crimes Enf’t Network, FinCEN Guidance FIN-2019-G001, Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies, at 7 (May 9, 2019). In this article, we use “cryptocurrency,” “virtual currency,” and “virtual assets” interchangeably, but they are slightly different. For example, “cryptocurrency” is the most specific term; “virtual asset” is the least specific.

Cryptocurrency has facilitated or been used in numerous types of crimes, including, but not limited to, ransomware schemes, consumer fraud, market manipulation, thefts through computer hacking, and the sale of unregistered securities and commodities. This article addresses what is perhaps the most common crime involving digital assets—the use of cryptocurrency to launder funds, both to promote criminal marketplaces and other illicit activity and to conceal criminal proceeds.

As the use of cryptocurrency has increased, so too has the sophistication of regulatory enforcement authorities and law enforcement’s efforts to combat the illegal use of virtual assets. Indeed, in the wake of numerous criminal prosecutions and regulatory enforcement actions, it is clear that any contention that existing anti-money laundering (AML) requirements apply only to the “legacy financial system,” and not to the cryptocurrency ecosystem, is false. For over a decade, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has had a well-developed regulatory scheme that applies to cryptocurrency as well as fiat currency and legacy financial institutions.

Regulatory Environment: Compliance

Under US law, cryptocurrency exchanges and other money services businesses (MSBs) that do business in the United States are required to register with FinCEN as well as comply with the Bank Secrecy Act (BSA). To the extent that their transactions involve the United States, including US persons, cryptocurrency companies and other persons who engage in cryptocurrency transactions must also comply with US sanctions.

Registration Requirements

US law requires MSBs to register with FinCEN. See 31 U.S.C. § 5330. This requirement applies to money-transmitting businesses that transmit cryptocurrency. Failure to register is a criminal offense. Specifically, 18 U.S.C. § 1960 provides criminal penalties for persons who knowingly own or operate an unlicensed money transmission business. See 18 U.S.C. § 1960. Section 1960 defines an unlicensed money transmission business to include those that:

  • operate without a state license;
  • fail to comply with federal registration requirements under 18 U.S.C. § 5330; or
  • transfer funds that are known to be derived from a criminal offense or are intended to be used to promote unlawful activity.

Covered “money transmitting” includes transferring funds by “any and all means.” Id. § 1960(b)(2). Courts have repeatedly held that cryptocurrency constitutes covered funds for purposes of section 1960. See, e.g., United States v. Budovsky, No. 13cr368 (DLC), 2015 U.S. Dist. LEXIS 127717, at *37 (S.D.N.Y. Sept. 23, 2015) (citing United States v. Faiella, 39 F. Supp. 3d 544, 545–47 (S.D.N.Y. 2014)). And FinCEN’s registration requirements expressly cover persons engaged in money transmitting “wherever located doing business, whether or not on a regular basis or as an organized or licensed business concern, wholly or in substantial part within the United States.” 31 C.F.R. § 1010.100(ff).

Notably, section 1960(a) prohibits persons from “knowingly” owning or operating an unlicensed money transmitting business. All that is required is that the persons know that they were operating a business engaged in money transmitting and that the business was unlicensed. The government does not need to prove that the defendant was aware of applicable registration requirements.

Bank Secrecy Act and Anti-Money Laundering Requirements

In addition to meeting registration requirements, cryptocurrency companies that provide money transmission services “wholly or in substantial part in the United States” must also establish AML and countering the financing of terrorism (CFT) programs. Under the BSA, 31 U.S.C. § 5311 et seq., such companies must, among other things, conduct due diligence on their customers, monitor transactions for illicit activity, and report any suspicious activity to FinCEN.

Under the BSA and its implementing regulations, a qualifying MSB must “develop, implement, and maintain an effective anti-money laundering program.” 31 C.F.R. § 1022.210. An “effective anti-money laundering program” is “one that is reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities.” The program must be “commensurate with the risks posed by the location and size of, and the nature and volume of the financial services provided by, the money services business.” The BSA provides that such programs must include, at a minimum: (1) the development of internal policies, procedures, and controls; (2) the designation of a compliance officer; (3) an ongoing employee training program; and (4) an independent audit function to test programs. 31 U.S.C. § 5318(h).

Cryptocurrency companies that are subject to the BSA must also report suspicious transactions to FinCEN. Specifically, MSBs must report transactions involving funds or assets of at least $2,000 where the company suspects the funds are derived from illegal activity, are being transferred to conceal illegal activity, or use the MSB to facilitate illegal activity; the transaction is designed to evade the BSA; or the transaction “serves no business or apparent lawful purpose.” 31 C.F.R. § 1022.320.

Sanctions

Exchanges and other companies that interact with cryptocurrency may also be required to comply with US sanctions laws. The US sanctions regime is rooted in the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1701 et seq., which grants the president of the United States a broad spectrum of powers necessary to “deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy, or economy of the United States, if the President declares a national emergency with respect to such threat.” Under 50 U.S.C. § 1705(c), it is a crime to willfully cause a violation of any license, order, regulation, or prohibition issued under IEEPA, as described in section 1705(a).

Pursuant to IEEPA, the president has issued executive orders that prohibit, among other things, the exportation, re-exportation, sale, or supply, directly or indirectly, to certain sanctioned jurisdictions of any goods, technology, or services from the United States or US persons, wherever located. The Secretary of the Treasury’s Office of Foreign Assets Control (OFAC) issues licenses, regulations, and prohibitions under IEEPA. OFAC administers and enforces economic sanctions programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers. OFAC regulations implementing the Iranian sanctions regime, for example, generally prohibit the export of services, including financial services, to Iran from the United States. Such financial services could include executing transactions in cryptocurrency or providing cryptocurrency-related services, such as cryptocurrency mixers or tumblers.

All US persons and US incorporated entities must comply with US sanctions regulations, regardless of where they are located. Significantly, non-US persons can also violate US sanctions by causing US persons to engage in financial transactions with designated individuals or entities. Failure to abide by these laws and regulations can result in both civil fines and criminal enforcement actions, including criminal prosecution.

Early Enforcement Examples

The Department of Justice has, over the past decade, successfully prosecuted money laundering and related crimes involving cryptocurrency. As in traditional financial investigations, cryptocurrency can be traced and seized. “Following the money,” whether fiat or cryptocurrency, leads investigators to identify criminal actors and illicit proceeds. Familiarity with blockchain technology, hosted and self-custodial wallets, as well as emerging technologies (e.g., mixers, tumblers, privacy coins) allows law enforcement to successfully prosecute illicit conduct.

The Department has a long history of prosecuting those who seek to misuse virtual assets or create digital asset companies that violate US laws and regulations. As history shows, investigators’ ability to follow cryptocurrency has identified targets, recovered funds, and stopped crime. The dawn of modern digital asset prosecutions is illustrated in both the Silk Road and Liberty Reserve prosecutions.

Silk Road

The infamous Silk Road marketplace operated as an online criminal bazaar designed to let its users buy and sell drugs and other illegal goods and services anonymously with cryptocurrency, purportedly outside the reach of law enforcement. Created by Ross Ulbricht in 2011, Silk Road was operated by both him and his co-conspirators until it was shut down by law enforcement authorities in October 2013. While in operation, Silk Road was used by thousands of drug dealers and other vendors all over the world to distribute hundreds of kilograms of illegal drugs and other illicit goods and services to well over a hundred thousand buyers, and to launder hundreds of millions of dollars deriving from these illegal transactions.

Ulbricht sought to anonymize transactions in the marketplace by requiring buyers to use bitcoin to pay for their illegal goods. Customers purchased contraband with bitcoin, vendors were paid in bitcoin, and the administrators (Ulbricht and staff) received commissions in bitcoin. With assistance from international law enforcement partners, authorities were able to successfully prosecute Ulbricht and his co-conspirators, recover illicit proceeds, and shut down the marketplace.

In 2015, Ulbricht was convicted at trial in the Southern District of New York on numerous charges, including money laundering conspiracy, computer hacking conspiracy, drug trafficking conspiracy, conspiracy to traffic false identity documents, and engaging in a continuing criminal enterprise. He is currently serving a life sentence.

While the marketplace was still operating, another defendant, James Zhong, executed a scheme to defraud Silk Road of cryptocurrency by creating a string of approximately nine Silk Road accounts in a manner designed to conceal his identity. Beginning in 2012, Zhong triggered over 140 transactions in rapid succession in order to trick Silk Road’s payment system into releasing approximately 50,000 bitcoin into Zhong’s accounts. Zhong then transferred the bitcoin into a variety of separate addresses also under his control, all in a manner designed to prevent detection, conceal his ownership and control, and obfuscate the bitcoin’s source. Law enforcement traced these funds, eventually locating them in November 2021 within Zhong’s self-custodial wallet, which was hidden inside his residence. In November 2022, Zhong pled guilty to wire fraud in the Southern District of New York and forfeited the bitcoin, valued at over three billion dollars at the time of seizure. As evidenced in Zhong’s prosecution, even a decade later law enforcement successfully traced and recovered illicit funds and identified their criminal target.

Liberty Reserve

Liberty Reserve was a Costa Rica–based centralized digital currency company that operated from 2006 to 2013. At the height of its influence, Liberty Reserve had more than 200,000 customers in the United States, had more than five million customer accounts worldwide, and billed itself as the internet’s “largest payment processor and money transfer system.” In reality, its owner, Arthur Budovsky, and his co-conspirators operated an illegal money transmitting system that laundered hundreds of millions of dollars in illicit proceeds for criminals around the world. In 2013, after a global investigation that involved cooperation from approximately 17 countries, law enforcement shut down Liberty Reserve. Budovsky and his co-conspirators were prosecuted, and Budovsky admitted to laundering more than $250 million in criminal proceeds.

Budovsky is a digital currency pioneer, a convicted money launderer, and a recidivist. In 2006, Budovsky was convicted in New York state court of operating an unlicensed money transmitting business. That money transmitting business, Gold Age, Inc., functioned as an exchanger for e-gold, which was then a popular digital currency. Following his conviction, Budovsky moved to Costa Rica, renounced his US citizenship, became a Costa Rican citizen, and incorporated Liberty Reserve to evade US law enforcement and help criminals conduct illegal transactions and launder the proceeds of their crimes.

In 2013, after he and his co-conspirators were indicted for money laundering conspiracy, in violation of 18 U.S.C. § 1956(h); conspiracy to operate an unlicensed money transmission business, in violation of 18 U.S.C. § 371; and operation of an unlicensed money transmission business, in violation of 18 U.S.C. § 1960, Budovsky argued, among other things, that cryptocurrencies do not constitute “funds” for purposes of 18 U.S.C. § 1956, and, thus, no “financial transactions” occurred. The court rejected this argument. Budovsky ultimately pled guilty and was sentenced to 20 years’ imprisonment; several of his co-conspirators also pleaded guilty. As demonstrated in the Liberty Reserve case, despite attempts to avoid US jurisdiction, digital asset and cryptocurrency companies and the persons running them may be subject to US laws and regulations—regardless of where the company is organized—when they, among other things, execute transactions for US customers, maintain operations in the United States, advertise in the United States, use banks in the United States, or move funds through the United States. Liberty Reserve was a pre-cryptocurrency attempt to use virtual assets to launder illicit proceeds. The advent of cryptocurrency has not changed criminals’ desire to use these assets to promote or conceal criminal activity.

Evolving Use of Cryptocurrency and Cryptocurrency Businesses in Money Laundering

Though many cryptocurrency transactions are not tainted by underlying criminal activity, there is no question that darkweb drug vendors, sanctioned states, terrorist groups, and child sex-traffickers increasingly favor digital assets to move and hide ill-gotten gains. Unsurprisingly, criminals seeking to exfiltrate and launder illicit money are drawn to digital assets by the promise of nearly instant, seemingly anonymous, and unchecked cross-border payments.

Criminals’ use of digital assets has evolved with the growing awareness that private firms and law enforcement have developed methods to trace cryptocurrency transactions on public blockchains and thereby attribute illicit money movement to individuals and organizations. Blockchain tracing led directly to the identification of numerous criminal enterprises, including the principal architects of the child exploitation site Welcome to Video and the darkweb marketplace AlphaBay. In response, money launderers have relied on increasingly sophisticated methods to obscure their digital footprints on blockchains.

Mixers and Tumblers

Perhaps the most well-known method of obscuring links to illicit activity on blockchains is through services called “mixers and tumblers.” Generally, these services pool funds from multiple users and then distribute them to the intended recipients at random times so that the funds are difficult to trace and thereby enhance a user’s anonymity. In short, a “mixer” divides a user’s cryptocurrency into small quantities in different addresses on the relevant blockchain and then aggregates the original quantity of cryptocurrency into a collection address. A “tumbler” swaps a user’s units of cryptocurrency with other users’ units of cryptocurrency and then transfers the original amount to a new address, which is then accessible to the contributing user. Some online services offer both mixing and tumbling at the same time. Companies offering mixing and tumbling charge a fee for their services.

Anonymity-Enhanced or Privacy Coins

Anonymity Enhanced Coins (AECs) are cryptocurrencies that do not rely on publicly-visible blockchains. As a result, the tracing techniques available to analyze Bitcoin and Ethereum blockchains (which are public and viewable by anyone) are not available to anti-money laundering investigators on AEC blockchains, such as Monero. Some darkweb drug marketplaces forbid the use of traditional cryptocurrencies in favor of AECs in an attempt to thwart criminal investigators’ use of tracing tools.

Chain Hopping, Decentralized Exchanges, and Smart-Contract-Based Tumblers

“Chain hopping” describes the act of exchanging cryptocurrency tokens on one blockchain for tokens on a different blockchain. The effect of chain hopping is that tracing must be performed on more than one blockchain, complicating the process.

A decentralized exchange (DEX) provides a platform for users to exchange crypto-tokens with other users, but without the need for a centralized company to host the transaction. Rather, a string of autonomous code manages the transactions, including the maintenance of “liquidity pools” that reward participants for allowing their tokens to provide liquidity to create a more stable marketplace, even in the face of scarcity and volatility.

While transactions are usually traceable through DEX protocols, a class of “smart-contract”-based protocols has promised anonymity through “zero-knowledge proofs.” The most well-known implementation of this technology is Tornado Cash. Much like a tumbler, this service allows users to designate even amounts of certain cryptocurrencies—for instance, .1-, 1-, 10-, or 100-unit quantities of Ether, and then allows users to reclaim those amounts through new Ethereum addresses using a proof that does not require the protocol to learn any information about the user (e.g., a username or an attributable password). Furthermore, some platforms purport to not take actual custody of the user’s tokens and claim that they are autonomous, without centralized management, and based only in code.

This method of noncustodial, smart-contract-based anonymization was quite attractive to North Korean actors, who allegedly used the system to disassociate millions of dollars of cryptocurrency from its illegal origins. As a result, OFAC sanctioned Tornado Cash (see below). The matter is currently in litigation.

Noncompliant Exchanges, IncludingPeer-to-Peer Exchangers

Cryptocurrency exchanges are companies that allow customers to buy, sell, and exchange cryptocurrency. Such entities are subject to the BSA and accompanying regulations (described above). Historically, some exchanges have chosen to ignore BSA requirements and conduct cryptocurrency transactions without collecting know your customer (KYC) data or reporting suspicious transactions. Money launderers seek out and use these noncompliant exchanges for the purpose of cashing out their cryptocurrency without identifying themselves.

Individual traders sometimes act as peer-to-peer exchangers—in other words, persons who conduct cryptocurrency-to-cash transactions with other individual traders without an intermediary. These peer-to-peer exchangers often find customers in online forums and then arrange to meet in person to conduct their trades. These transactions, which frequently involve large amounts of cash, are conducted without names, contact information, or identification. Peer-to-peer exchangers run the risk of becoming MSBs (described above), which are required to register with FinCEN and comply with applicable regulations—including the collection of KYC data.

Nested Exchanges

A nested exchange operates by offering crypto-related services to the public through a nominee—a person or a company that makes transactions on behalf of others on a compliant exchange. The nested exchange thus operates as a passthrough, allowing a user to conduct transactions that appear as if they were conducted by the nominee. The client of the nested exchange is thus insulated from having to provide KYC information to the compliant exchange.

The methods described above purport to allow a would-be money launderer to transact anonymously, thus erasing any link between illicit activity and laundered funds, even in the face of blockchain tracing techniques. It is for this reason that the Department of Justice has continued to enforce existing laws and regulations that prohibit the use of nominees, require the collection of basic customer identity, and impose the rule that money transmitters shall maintain effective AML programs.

Recent Enforcement Examples

The US government has continued to hold cryptocurrency companies accountable for violating US law, including registration requirements, the BSA, and US sanctions. Whether in business registration, AML programming, or economic sanctions, effective crypto compliance serves to protect industry and its customers.

Recently, in United States v. Legkodymov et al., 23-mj-17 (E.D.N.Y.), the United States charged Anatoly Legkodymov, a co-founder and senior executive of Bitzlato Limited (Bitzlato), a cryptocurrency exchange registered in Hong Kong, with violations of 18 U.S.C. § 1960. The filed criminal complaint alleges that customers of Hydra Marketplace, “an anonymous, illicit online bazaar (known as a ‘darknet market’) that facilitated the sale of illegal drugs, stolen financial information, fraudulent identification documents, and money laundering services, including cryptocurrency mixing,” regularly engaged in illicit transactions using cryptocurrency accounts hosted at Bitzlato.

This criminal complaint further alleges that, although Bitzlato at times purported to disallow US-based users, it in fact knowingly accepted US customers, executed transactions with US-based exchanges, and used US online infrastructure. At times, Legkodymov also allegedly managed Bitzlato from the United States. The case against Legkodymov, as set forth in the criminal complaint, is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

In United States v. Arthur Hayes et al., 1:20-cr-00500-JGK (S.D.N.Y.), the Department of Justice charged four founders and/or executives of the Bitcoin Mercantile Exchange (BitMEX), an online cryptocurrency derivatives exchange that had operations and thousands of customers in the United States, with failing to implement an adequate AML program, in violation of the BSA, and conspiracy to violate the BSA. BitMEX was a futures commission merchant and thus constituted a “financial institution” under the BSA. 31 U.S.C. § 5312(c).

All four defendants in the case pled guilty to failing to implement an adequate AML program, in violation of 31 U.S.C. § 5318(h). The indictment alleged that the defendants “intended for BitMEX to solicit and accept customers in the United States, and otherwise operate there, without complying with U.S. AML and KYC requirements.” Among other things, BitMEX had operations in Manhattan, allowed customers to register to trade on BitMEX anonymously, and knowingly allowed certain US users to open accounts and trade in violation of the company’s purported ban on US-based users. Furthermore, BitMEX’s website expressly advertised that “No real-name or other advanced verification is required on BitMEX.”

In a separate action, the Commodity Futures Trading Commission (CFTC) filed a civil complaint against the holding companies that own and operate BitMEX and three individual co-founders and co-owners of BitMEX for failing to register with the CFTC and violating various laws and regulations under the Commodity Exchange Act. BitMEX entered a consent order with the CFTC and agreed to pay a $100 million civil monetary penalty.

In 2019, prosecutors from the US Attorney’s Office for the District of Columbia and the Department of Justice’s Computer Crime and Intellectual Property Section charged Larry Dean Harmon, the operator of “Helix,” a darkweb cryptocurrency mixing and tumbling service, for conspiracy to launder monetary instruments, in violation of 18 U.S.C. § 1956(h); operating an unlicensed money transmission business, in violation of 18 U.S.C. § 1960; and money transmission without a license, in violation of D.C. Code § 26-1023(c). In 2021, Harmon pled guilty to money laundering conspiracy and is awaiting sentencing. In a factual recitation, Harmon admitted posting that Helix was designed to be a “bitcoin tumbler” that “cleans” bitcoins by providing customers with new bitcoins “which have never been to the darknet before.” Harmon charged a 2.5 percent fee for the service, and he was not registered with FinCEN as a money transmitting business. The property involved in the scheme totaled at least 354,468 bitcoins, which was the equivalent of approximately $311,145,854 at the time of the transactions.

In the sanctions arena, OFAC recently designated “Tornado Cash” as a Specially Designated National—effectively blocking its assets and prohibiting US persons from conducting financial transactions with this platform. In August 2022, OFAC alleged Tornado Cash laundered more than $7 billion worth of virtual currency since its inception in 2019. This included substantial funds associated with the Lazarus Group, a DPRK state-sponsored hacking syndicate that was designated in 2019 by the United States for its involvement in a large virtual currency heist. This designation occurred pursuant to Executive Order 13694, “authoriz[ing] the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in enumerated harms that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States,” a cyber sanction intended to protect national security.

In announcing this sanction, the Department of Treasury noted that Tornado Cash “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.” This mixing service was used to launder illicit funds, including for cyber actors harming the nation’s security. As a result of this designation, all US companies and individuals (including the cryptocurrency industry and customers) are prohibited from using Tornado Cash and associated sanctioned addresses for financial transactions.

Emerging Issues

As the virtual asset space evolves, regulators and law enforcement face new challenges posed by illicit actors attempting to use virtual assets as payment for, or to facilitate, criminal activity; as a means of concealing criminal activity; or as a way to undermine the virtual asset ecosystem. Regulators and enforcement agencies are working to address the challenges posed by jurisdictional arbitrage, the rise of decentralized finance (DeFi), and new financial products like non-fungible tokens (NFTs).

Jurisdictional Arbitrage

Illicit actors often seek to use noncompliant exchanges, particularly those located in jurisdictions with less robust AML and CFT controls. International partnerships, such as the Financial Action Task Force (FATF)—an intergovernmental organization composed of more than 200 jurisdictions that works to develop policies to combat money laundering and terrorist financing—seek to implement uniform AML/CFT standards for virtual asset service providers all over the world. By encouraging other jurisdictions to adopt and implement these standards, the United States and its partners strive to limit the opportunities for virtual asset service providers to engage in jurisdictional arbitrage and threaten the stability of the US financial system.

But some virtual asset platforms have taken jurisdictional arbitrage one step further. Instead of establishing themselves in a noncompliant jurisdiction (of which there are increasingly fewer every year), some providers claim no jurisdiction at all. Some of these providers are subject to US registration requirements (and the BSA) because they operate in whole or substantial part in the United States, but these “stateless” providers often refuse to respond to legal process, claiming that no country has jurisdiction over them. In addition, these providers may take steps to conceal their presence in or connections with the United States.

While criminal actors create these structures to frustrate US enforcement efforts and avoid compliance with US law, law enforcement and regulators have overcome these challenges, often with creativity and international cooperation. As criminals continue to innovate, so too will the US government in its efforts to protect the US financial system.

Decentralized Finance

As discussed above, DEXs are peer-to-peer exchanges in which users can trade cryptocurrency without intermediaries facilitating the transfers and taking custody of the funds. The decentralized nature of DEXs, which are a subset of the alternative DeFi financial system, can be exploited by criminals seeking to launder the proceeds of their illicit activity. Malign actors can similarly use DEXs, and other financial institutions with similar attributes, to avoid regulation.

Criminal actors appear attracted to decentralization because they believe it will limit requirements for collecting customer identification, record keeping, and reporting. Some DeFi projects are developed for the express purpose of skirting AML requirements. Still other DeFi platforms purport to operate as autonomous organizations with no identifiable controlling individual, company, or group. Such organizations expand on the concepts underpinning jurisdictional arbitrage. Instead of claiming immunity based on location, or a lack thereof, these distributed organizations claim immunity based on lack of centralized control—if no entity is in charge, no entity can be held responsible for what the organization does.

In many cases, however, the criminal actors tend to move their ill-gotten gains, consolidate illicit proceeds, or otherwise demonstrate their control over the platform, enabling law enforcement to identify, track, and ultimately prosecute wrongdoers.

NFTs

As opposed to other digital assets that can be interchangeable, NFTs have a unique identifier. Thus, they can be used as certificates of ownership and are often associated with digital art or collectibles that are representations of real-world objects. These assets are supported by the Ethereum and other blockchains. Because of their similarities to works of art, NFTs are vulnerable to money laundering risk associated with high-value objects. Further, because NFTs can be purchased pseudonymously, unscrupulous actors can engage in “self-laundering” by purchasing NFTs and selling them to multiple online entities they create in efforts to deter tracing and identification. In addition to complicating the tracing of NFTs, these features also make NFTs vulnerable to use in “wash trades,” where a seller takes both sides of the sale of an asset to deceive others regarding the asset’s value or liquidity. In a 2022 report, a leading blockchain analysis firm examined NFT wash trades occurring in 2021 and determined that 110 wash traders profited from this activity, making more than $8.875 million.

NFTs have also been vehicles for other market manipulation and fraud schemes. On June 1, 2022, the Department announced wire fraud and money laundering charges in the Southern District of New York against a former product manager at OpenSea, the largest online marketplace for the purchase and sale of NFTs. Starting around May 2021, OpenSea began to highlight NFTs on its webpage in a display that changed several times a week. An NFT, and other NFTs made by the same creator, increased substantially in value after being featured on OpenSea’s website. The product manager, Nathaniel Chastain, was responsible for selecting the featured NFTs and therefore knew which NFTs would be presented before this information was made available to the public. From June 2021 to September 2021, Chastain allegedly used this knowledge to buy dozens of NFTs, or other NFTs by the same creator, shortly before those NFTs were featured, and later sold those NFTs at a profit. To conceal the fraud, Chastain conducted these purchases and sales using anonymous digital currency wallets and anonymous OpenSea accounts. In May 2023, Chastain was convicted at trial of wire fraud and money laundering offenses and currently awaits sentencing.

On July 21, 2022, in another insider manipulation case, the Department unsealed an indictment in the Southern District of New York charging Ishan Wahi, a Coinbase product manager, and two other individuals with wire fraud conspiracy and wire fraud in connection with a scheme to commit insider trading. The indictment alleged that, on at least 14 occasions between June 2021 and April 2022, Wahi tipped his co-defendants to forthcoming public listings on Coinbase so they could place profitable trades in the identified crypto assets before the listings went public. In February 2023, Wahi pled guilty to conspiracy to commit wire fraud and was later sentenced to federal prison. One of Wahi’s co-defendants previously pled guilty and was sentenced to a term of imprisonment. A second co-defendant’s case is pending, and he is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

In addition to fraud and manipulation risk, NFTs and NFT platforms, like other virtual asset businesses, are subject to hacks and theft. In late March 2022, Lazarus Group, the DPRK state-sponsored cyber hacking syndicate, allegedly exploited a blockchain project linked to the NFT-based online game Axie Infinity, stealing virtual currency worth almost $620 million at the time of the heist.

The BSA and its implementing regulations are a crucial part of the framework for ensuring that illicit actors do not move criminal proceeds using NFTs or through NFT platforms. Under the current statutory and regulatory regime, the BSA may apply to NFT platforms if they are businesses “engaged in the exchange of currency, funds, or value that substitutes for currency or funds,” depending on the facts presented.

Conclusion

From its advent, the promise of cryptocurrency has been intertwined with its exploitation by bad actors. Law enforcement and regulators will continue to use available tools to protect innovation, user funds, and the overall health of the US financial system from illicit parties. And, as the virtual asset space evolves, those who supervise the industry must respond in kind, seeking additional resources and authorities where necessary to support legitimate use. Crypto businesses that operate in the US have obligations to register and implement AML programs. And those that choose not to register, or that willfully fail to implement effective AML programs, violate federal criminal statutes and will be held responsible. Sound compliance practices support healthy business practices and, in turn, protect the US financial system, protect lawful emerging technologies, and strengthen digital asset economies.

    Authors