In this opinion piece, Janis Graubins, co-Founder of Identity and Access Management company Notakey, follows the trial of a suspicious cryptocurrency wallet address and explains if and how illicit activity can be combated.
We had the Wild West, where the cliche of the cowboy movies was the nearest sheriff is 90 miles away, and so you had to pack a gun and defend yourself. –Steven Pinker
Regulators warn to be cautious, friends preach them as the next big thing. What’s about cryptocurrencies? Are they solving real-life problems or are mainly used for money laundering? I will try to answer these questions in a series of articles.
But let’s start with the first questions I typically get when starting to talk about cryptocurrencies — if there is no central authority, who is responsible for fighting frauds? This is a very serious topic as things can go wrong even for experienced crypto investors such as Ian Balina:
Does it eventually come up to the banks that allow exchanging cryptocurrencies to fiat currencies? And do they have right systems in place to pick up potential illegal activity? Or is it the case of Commonwealth Bank of Australia, where crime syndicates laundered more than A$75m through CBA’s systems.
I will first identify a suspicious wallet address that I will analyze. Then I will look into how end controls could help and if there should be controls at the start? Then I will ask myself if any controls should be put in the first place and what would happen if there are not? And finally, I will sum everything up and provide practical information on what can be helpful for fighting criminal activities.
1. Identifying a suspicious address: to understand what can we do right, we need to understand how things can be done wrong.
To understand what risks there are for potential money laundering in cryptocurrency space and if in case somebody would steal my funds I would be able to recover it, I started with taking one Ethereum address that according to comments is involved in several scams.
And followed where the money goes to. From this account it was transferred to this one:
My initial thoughts were let’s use an existing service such as Coinfirm to make sense of all the transactions in the address. And that was what I did:
The problem with the report, however, was that while it shows identified risks, it does not provide with context. Moreover, some of the risks that could be identified manually were not identified by Coinfirm at all:
And these are just few. Others that were not identified were structured deposits, multiple output transactions, high-value addresses, ICO contributor etc. That is why I decided to continue with checking transactions manually.
2. Can End controls stop money laundering? And what is Ethereum Mixer?
When I looked further where the money flows from this account I was surprised that after being transferred to another account, it was split in smaller amounts and eventually sent to Shapeshift to lose tracks (Shapeshift is a company that allows exchanging one cryptocurrency to another).
Initially, I thought that it might be done manually but after a while, I started to think that there might be an Ethereum Mixer involved. So what is it?
Of course, it says it is all about privacy but who are we kidding here? What it does is take control of your wallet address, splits the amount and sends them to your end-address through other user accounts, newly created accounts and Shapeshift. This illustration sums it up nicely:
And this is not one separate case. According to Satoshi fund research (they analyzed transactions that in a given period were equal to 68.5% in money terms) Ethereum Mixer counts for a large volume of all ETH transactions:
But let’s get back to our case. As we can see from the illustration of top output addresses, the funds are sent to Exchanges like Kraken. It should be that at this point the money laundering stops because of their Know Your Customer (KYC)procedure at Exchange? It should if the KYC would be reliable.
And it is not much better with Tier 3 verification. In particular, the problem with the implementation of KYC is — it allows to allow upload photos of ID documents and yourself, instead of taking live photos.
In the cryptocurrency world, creating an account with fake identity takes seconds. So if somebody has access to your photo and ID documents, that person can impersonate you. And to be frank, data breaches where ID documents are leaked happen quite often.
3. Do we need to look the other way around? Should we put controls in the beginning?
For this let’s go back to the address we analysed. If we check from where the funds are coming from, we can see that they are from addresses that have received the funds by mining, participated in ICOs or bought and sold tokens through Exchanges.
We can see that the address has many small incoming transactions. If we check that address in details it becomes clear that the funds come from mining.
The only thing what is needed to mine ethereum or bitcoin is hardware that can be bought in any electronics shop. No KYC is required to join a mining pool. It basically means that there could be Government officials from North Korea mining bitcoin or ethereum and no one would know. They even would not need to buy hardware themselves as there are many services that sell hashing power for mining.
Let’s look first at Ubcoin ICO. Do they check from where the funds are coming from.
According to their Telegram chat for funds below 50 eth (around $20k) it is not required to do any KYC at all. Money launderers could easily buy these tokens and then exchange to fiat currencies through Exchanges (when they are listed). Even better, they actually could create a fake ICO through which they launder the funds.
Similar situation is with ModulTrade token that already is listed and has a questionable KYC in place.
As it can be seen from the Telegram chat, it would be easily to impersonate another person as there is no face-matching in place.
Of course, it is possible that both Ubcoin and ModulTrade have a solution for analyzing wallet transactions and in case the funds are coming from a source that looks suspicious, they might do enhanced due diligence. However, I could not find any information about that.
4. Do we actually need to have any controls?
I have talked a lot about downside of not having a KYC and not being able to track transactions due to Mixers, but what about cases where you are doing something legitimate but would still like to keep your privacy?
For example, let’s say I own a brothel in Switzerland from which I get profit every month. In Switzerland this is legal. But if I would live in Russia, where it is illegal, I might be cautious about showing my source of income. The same logic applies to several other use cases — e.g., if I would have a medical condition that requires buying medical marijuana that is allowed in one country but not in another.
There are several more use cases, where keeping privacy makes sense. That is why ideally KYC would be required only where there are risks of money laundering. Nevertheless, the question is how to do it if so many people are trying to hide their tracks?
5. Why should I care?
As a company — you should care because the fines for not complying with AML rules are very high. E.g. JP Morgan case, where the bank paid a fine of $ 1.7 billion. Regulators across the world are looking into if cryptocurrencies should also be subject to the same law. Even if operations with cryptocurrencies will no be subject to AML rules, still all company funds can be frozen in case there is an ongoing investigation for a bank that holds all money of the company. For a business that is trying to be the next Google, this is a completely unnecessary risk as all the operations of the company might be suspended for an unknown time period.
For individuals — not filing a suspicious transaction report, might lead to criminal charges carrying jail sentences for reporting entities and their directors, officers, agents, and employees.
6. What could help?
The first thing what needs to be done is set in place good KYC systems. With that I mean:
- a system that only allows taking photos of ID document and person at that exact moment— no uploading of already existing photos;
- using algorithms or specially trained specialists for ID document verification and face-matching. There is significant difference between trained specialists (and algorithms) and untrained specialists — untrained specialists will look at the face as a whole while trained specialists will examine features of the face: http://rspb.royalsocietypublishing.org/content/282/1814/20151292. Moreover, there is an extreme end to it called Congenital prosopagnosiathat refers to the phenomenon by which some members of the general population are extremely bad at face recognition (in the clinical range) despite having no known pathology. And if you think that no one is doing face-matching by untrained specialists, just take a look at this tweet from one of the ICO organizers:
To sum everything up — money laundering is possible but so is identifying these actions. Ethereum Mixers, ICOs and Mining Services make it more difficult to analyze if funds are not coming from a suspicious source, therefore, linking a wallet to a verified identity could help. Privacy is important, therefore ideal KYC solution should show that person has passed the check without revealing their identity.
Featured image from United Artists/The Good, the Bad and the Ugly.
Follow us on Telegram.