What You Don’t Know About Cryptocurrency Regulations Can Kill You

Explosion of Ransomware

Ransomware is taking us ever higher and has seen a significant explosion in 2021, with the global attack volume increasing over 150% for the first six months of the year as compared with a year ago same period.

In the entire year of 2020, researchers logged 304.6 million ransomware attempts, and just between January and June of this year, the ransomware scourge hit a staggering 304.7 million attempted attacks within the SonicWall telemetry alone.

The FBI tells us that there are now 100 different strains circulating around the world.

But ransomware by itself represents only one small component of the attack chain and the one that gets the most press.

Three reasons:

One, it is fairly easy to understand, two, it is steeped in legend, characters and stories and, three, it relies on a vast, yet misunderstood network of money laundering connections to convert and distribute ransoms to the threat actors who perpetrated the ransomware attack.

This network operates in cryptocurrency, so immediately it appears complicated, is intertwined with that blockchain thing, unregulated, and impossible to understand and it additionally isolates the victim from any actionable information that may be helpful in recovering the ransom paid.

It is the outbound path for criminal liquidity, and without it, and with only a reliance upon fiat currency, the bad guys would be choosing another attack vector in other domains.

Truth of the Matter                                  

It turns out however, that crypto is regulated and has been for years. The exchanges are subject to sanctions and fines and are rigorously managed by OFAC, the US Treasury Department’s Office of Foreign Assets Control

In an attempt to apply pressure on the outbound end of the equation, in late September, OFAC slapped sanctions on SUEX, a cryptocurrency exchange, because it seems it has been laundering money for ransomware attackers.

A first.

SUEX facilitated criminal transactions involving at least eight ransomware variants and 40% of SUEX’s known transaction history involved bad actors.

In fact, during 2021 a single OFAC fine dwarfs the sum of all OFAC fines issued in a single year.

Car dealers and automotive parts distributors are now designated ‘financial institutions’ under the US PATRIOT Act. Any casino offering house accounts receives that same designation. Insurers are equally bound by the rules and will have a significant impact on that industry in months to come – one simple fine for insuring risks in a sanctioned country can cost an insurer millions in fines. Real estate and construction also fall into the financial institution category and give OFAC jurisdiction over their activities.

Travel and tourism, jewelry and precious gems dealers, non-profits and charities, and importers and exporters are included as well – one fine for a pharma company exporting surgical products to a sanctioned entity exceeded $7.6 million.

Energy, transportation, logistics, payments, trading, technology ($12 million on a telecom company that did not have an OFAC compliance program in place and was violating OFAC rules) and all money services businesses (like mortgage brokers and cc services) must now comply.

This ain’t no disco.

Face the Music

According to the Treasury Department, ransomware payments totaled more than $400 million in 2020, more than four times that of 2019.

The Fed now sees malicious cyber activities both as criminal and as a threat to national security.

The Fed’s interpretation of the SolarWinds hack, and the Colonial Pipeline attack, which significantly impacted government agencies, private companies, and the public at large, places those attacks in that same national security threat category.

The SUEX designation as a criminal site and associated sanctions will restrict cybercriminals’ ability to start cryptocurrency transfer within the US and will place those third-party consultants that negotiate with cyber attackers and facilitate the payment of ransoms at risk for substantial penalties and prosecution.

Intentional or otherwise.

The Proof is in the Blockchain

Unless you are in a financial services company that must by dictate, assess your risk and implement controls, this may not sound like a big deal.

But in fact, not dissimilar to the impact the SEC has on securitized investments, OFAC’s recent scrutiny of the virtual currency industry, and beefing up its staff for enforcement, will place liability pressure on legitimate companies the bad guys are leveraging to channel their crypto.

In other words, I now have to prove I know who I am dealing with.

And just because I bundled credit default swaps, or a funded credit derivative in with collateralized debt obligations and declared that they were asset-backed securities doesn’t make them so.

The SEC decides and the industry complies.

Is the cybercrime space different and untouchable by regulatory rules?

Yes. But, those involved in the facilitation and creation of virtual wealth do not fall in that category.

Some operational motions within the virtual currency industry (e.g., technology companies, exchangers, administrators, miners, wallet providers, and other traditional financial institutions dealing with virtual currency) have the potential to shift the landscape dramatically.

Regulations 101

For openers, U.S. persons holding virtual currency deemed to be blocked by OFAC regulations must deny all parties to that virtual currency. Which means, there is no legal requirement to convert the virtual currency to fiat currency or put it in an interest-bearing account. Blocked virtual currency must be reported to OFAC within 10 business days.

Companies must now screen for IP addresses that originate in sanctioned jurisdictions and block any users there.

OFAC wants companies to screen for black-listed addresses when screening SDNs (Specially Designated Nationals) and block any related transaction. Unlisted virtual currency addresses that share a “wallet” with a listed virtual currency address will also pose a sanctions risk and further diligence will be required to ensure that the transaction does not involve an SDN.

All of this is documented at the OFAC resource center and those who fail to take this seriously will be punished accordingly.

Time to Upskill

If you are a CISO and don’t understand anything you’ve just read, you are not alone.

In a way, it’s not your problem.

But in another way, it is a co-indicator of the cybersecurity threat problem writ large.

Because you actually do have an obligation to protect and defend the entirety of your employer’s world, not just your network or your end-points or your critical assets or the education of your fellow employees.

Your CFO may have no control over interest rates, but it is their obligation to factor global fiscal risk and potential impacts into forecasts and business planning.

If you don’t understand what is driving every threat vector, and can’t measure the resulting downstream potential cyber risk, then it might be time for some upskilling.

Read more: