October 20, 2020

Financial Attacks on Democracy

The Role of Cryptocurrency in Election Interference

By: Elizabeth Rosenberg, Jesse Spiro and Sam Dorshimer

Introduction

The use of cryptocurrency has increased steadily in recent years. Although it retains some mainstream reputation as a safe haven for criminals, most uses of virtual currency, and most virtual asset service providers (VASPs), are legitimate. Major retailers and financial institutions have incorporated cryptocurrency for payments and investing. However, it is true that criminals remain drawn to this developing domain by the features of anonymity or pseudonymity offered by many virtual currencies and the uneven regulatory implementation and compliance of VASPs in many jurisdictions. Such criminals use virtual currency to assist with money laundering and to obscure the audit trail for other criminal activity, such as the financing of terrorism, nuclear proliferation, and election interference. VASPs also can be vulnerable to cyberattacks that allow easy theft of large amounts of virtual assets to fund such activities.

The 2019 “Report on the Investigation into Russian Interference in the 2016 Presidential Election,” popularly known as the Mueller report, revealed a wealth of information about how Russian officials exploited cryptocurrency and virtual asset service providers to meddle in the 2016 U.S. presidential election. Russian state operatives were able to use the most common cryptocurrency, bitcoin, and the most mainstream and best-regulated cryptocurrency exchanges in the United States to engage in this criminal activity. At the time, Russia was steps ahead of financial investigators and law enforcement officials who track proliferators of weapons of mass destruction, terrorists, and human traffickers on the blockchain. At the time of the last U.S. presidential election, social media websites and the public policy community were increasingly aware of election interference, specifically by Russia. However, very few analysts were following the money trail.

As the United States nears its 2020 presidential election, the intelligence community is providing official warnings that Russia and others are once again interfering. Blockchain analysis and early law enforcement investigations also reveal that Russia is again exploiting virtual currency to support misinformation and an assault on democratic processes. In September 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned three Russian nationals working for the Internet Research Agency, and their associated cryptocurrency accounts, for election interference and engaging in influence operations. While this is a rather limited response to foreign interference in a U.S. election, it acknowledges that Russian actors are using cryptocurrency in their interference efforts, and signals that U.S. government officials are concerned with such activity. Russian operatives may have a greater incentive this time around to seek out virtual currencies that offer more anonymity and VASPs with less oversight, ability, or inclination to detect suspicious activity. Russian operatives are likely to use the darknet, or other anonymous means, to make purchases of ads or services. And as a more general matter, others that might seek to interfere with the U.S. electoral process are also taking note.

As the United States nears its 2020 presidential election, the intelligence community is providing official warnings that Russia and others are once again interfering.

This policy brief examines what we know about Russia’s financing of election interference in 2016 and adds original blockchain analysis of Russia’s methods to purchase a range of services and to finance its interference using virtual currency. It discusses the ability of government and independent analysts to spot this activity, especially as it intensifies in the run-up to the 2020 presidential election. It goes on to outline lessons for U.S. policymakers and steps that they might take to prevent the exploitation of virtual currency and VASPs for election interference, and thereby to preserve the integrity of democratic institutions for the upcoming presidential election and beyond.

Funding the Russian Interference in the 2016 U.S. Presidential Election

The Mueller report explains how 12 Russian operatives, including two internal units working for the Main Intelligence Directorate (GRU), the foreign military intelligence agency of the Russian Federation, used over $95,000 of bitcoin to purchase virtual private networks (VPNs) and other computer infrastructure to hack computers at the Hillary Rodham Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee to obtain and release sensitive documents and thereby influence the results of the 2016 presidential election. A 2018 indictment brought by Special Counsel Robert Mueller’s team against some of these operatives explains how, on February 1, 2016, 0.026043 worth of bitcoin (a little under $10 at the time) was sent to a Bitcoin address, and that on that day, only one bitcoin transaction of that exact amount was made. This allows analysts to connect the amount referenced in the indictment to the Bitcoin address: 1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR.

Blockchain investigators at cryptocurrency tracing and attribution firm Chainalysis, as well as other analysts, determined that this amount of bitcoin originated from bitcoin mining and from a U.K.-based exchange. Miners use computing power to generate new bitcoins, and exchanges allow people to buy, sell, and trade these and other cryptocurrencies. On December 15, 2015, this U.K. exchange sent 11.84 bitcoin (worth about $5,140 at the time) to a private wallet, which is a personal Bitcoin address where individuals can store funds off of an exchange or other cryptocurrency service. From there, the funds can be traced on the blockchain through a series of payments, likely to purchase services related to the operation. Two merchant service providers, which are companies that enable the buying and selling of goods and services using cryptocurrency; one virtual currency exchange; and at least one VPN vendor received funds between December 2015 and February 2016. This money trail is visualized in the map below.

Mapping the Funds Used to Facilitate Russian Election Interference

Between December 2015 and February 2016, cryptocurrency funds from the CEX.io exchange linked to Russia’s GRU were moved to merchant service providers and at least one VPN vendor to make payments that facilitated Russia’s election interference effort.

Source: Chainalysis

The relative ease with which the operatives were able to move newly mined bitcoin through a series of wallets to purchase a range of services is alarming. The pseudonymity offered by bitcoin and other cryptocurrencies, as well as the ability to mine fresh cryptocurrency without a traceable history, makes it significantly easier to obfuscate the origin of funds when purchasing digital services such as VPNs. Furthermore, this set of payments does not use even more sophisticated obfuscating methods that are becoming increasingly popular and could make it even more difficult for law enforcement officials to track this type of activity. These include methods like peel chains to create a longer, more dispersed chain of new wallet addresses to further disguise the origin of payments, or use of privacy coins like Monero rather than bitcoin to provide better anonymity. Moreover, GRU operatives are suspected of involvement in a range of other similar election interference activities, such as in the 2019 European Parliament election.

The ability of bad actors to successfully use virtual currency transactions to facilitate election interference makes it more difficult to trace and disrupt the funding of operations like the 2016 interference campaign. It also presents a major vulnerability for authorities seeking to prevent such activity in the United States, in Europe, and elsewhere.

Cryptocurrency Crime in Context

Russian operatives likely used cryptocurrency to fund interference in the 2016 U.S. election because of the pseudonymity it offers users and the more limited regulatory enforcement against virtual currency exchanges relative to banks at that time. The Russian intelligence service had easy access to web hosting services, VPNs, and domain registries that accepted cryptocurrency. Though investigative capability, law, and policy for cryptocurrency and cybercrime have evolved over the past several years, it is still very easy for sophisticated criminals, including groups backed by adversaries of the United States, to use cryptocurrency to fund activities that threaten U.S. national security and democratic processes, and to evade the regulatory checkpoints established to identify criminal activity.

A Growing Anonymous Ecosystem of Virtual Currency and Commerce

Now, several years after the Russian election interference in the last presidential election, cryptocurrencies still often provide features of anonymity or pseudonymity in practice, and there are many jurisdictions for which regulation is absent or poorly enforced. Criminals still have easy access to hosting services and domain registries to help them mask their identity. It is also worrying that the ecosystem for cryptocurrencies is growing every year, providing more liquidity and a larger volume of activity to disappear into using anonymity services. The total market capitalization of cryptocurrencies has stabilized at over $200 billion, despite price plunges in March 2020 as a result of the COVID-19 pandemic. Along with the growth in the overall cryptocurrency ecosystem, there is growth in the number of merchant service and payment processors for cryptocurrency, including service providers that offer tools to enhance anonymity and obfuscate transactions. This growth in service providers means that it is increasingly possible for criminals to raise, store, and spend money on goods and services within the cryptocurrency ecosystem, avoiding the need to exchange cryptocurrency into fiat currency. The act of exchanging cryptocurrencies with fiat currencies involves scrutinizing the identity of buyer and seller and greater contact with the formal financial system, which serves as a regulatory checkpoint and roadblock for financial crime since the formal banking system in most jurisdictions is more heavily regulated and compliant than many cryptocurrency exchanges. As cryptocurrency becomes more mainstream, and if prices rise, then cryptocurrency use for e-commerce will increase in parallel, reducing the need to exchange cryptocurrency into fiat currency.

Total Amount of Cryptocurrency Sent to Merchant Service Providers

The amount of cryptocurrency sent to e-commerce services more than quadrupled between 2016 and 2017, highlighting how quickly the market has evolved since the 2016 election and 2017 cryptocurrency market boom.

Source: Chainalysis

Companies that provide web hosting services, VPNs, and domain registries are among the e-commerce firms that have taken off in recent years. The Mueller indictment references the purchase of VPN services by Russian operatives, which has been independently traced to BitVPN, a decentralized VPN service that focuses on providing enhanced anonymity, and darknet markets more generally as services exploited by Russian intelligence operatives. BitVPN received a major influx in bitcoin immediately before the hacks carried out as part of the 2016 presidential election interference campaign.

Total Bitcoin Received by BitVPN

BitVPN received a significant influx of bitcoin in May 2016, immediately before the use of BitVPN by Russia’s GRU as part of its election interference campaign. A significant amount of bitcoin sent to BitVPN for use of its services can be traced back to GRU-linked accounts cited in the Mueller report and associated indictments.

Source: Chainalysis

Since 2016, U.S. and other national law enforcement agencies have significantly improved their ability to trace illicit cryptocurrency funds to sites such as BitVPN. Their efforts to trace cryptocurrency to services, both illicit and legitimate, has resulted in the takedown of major illicit e-commerce platforms and many successful efforts to put complicit vendors in jail. However, law enforcement investigations can have difficulty accessing classified sources and also take considerable time and resources, assets that are under strain in the prolonged period of increased cyber-enabled crime and fraud. All of this is reflected in the spike in cyber-enabled crime and successive COVID-19-related financial crime advisories from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). Unfortunately, criminals can thrive in these circumstances. It will be difficult for government investigators and prosecutors to advance enforcement activity that will deter foreign election interference ahead of the 2020 election.

Easy Evasion of Financial Authorities

Russian intelligence operatives succeeded in their 2016 election interference efforts in part because they were able to avoid any direct relationships with heavily regulated and legally compliant financial institutions.

Generally speaking, criminals seek areas of lower compliance to conceal their illicit activity from law-abiding financial institutions and law enforcement agencies. Criminals have changed how they use cryptocurrency over time, moving money to services they believe can convert it to fiat currencies undetected by regulatory oversight or compliance protocols. Over the past several years this has meant a major shift toward the use of unscrupulous exchanges.

Types of Service Receiving Illicit Bitcoin, 2016–2019

Over the past several years, the types of services utilized by illicit actors moving cryptocurrency have shifted toward exchanges. While many cryptocurrency exchanges are compliant with regulations, exchanges with little to no compliance protocols are now a major part of illicit cryptocurrency activity.

Source: Chainalysis

In 2016, illicit funds often went to risky currency exchange services such as BTC-e and WEX. The administrators of both of these exchanges now face indictments in the United States on money-laundering charges related to the 2014 Mt. Gox exchange theft disclosures. BTC-e and WEX have since stopped exchanging fiat currency for cryptocurrency, and BTC-e has been shut down by investigators, which has caused criminals looking to cash out their illicit funds into fiat to adapt. Criminals now use other exchanges with weak know-your-customer requirements to move cryptocurrency funds.

The cryptocurrency industry has become more compliant since 2016, particularly in a few leading jurisdictions including the United States, Japan, and the European Union. Additionally, the Financial Action Task Force (FATF), the international standard-setter for countering illicit finance efforts, released guidance in June 2019 to clarify the applicability of FATF anti-money laundering and counterterrorist financing requirements to virtual assets and virtual asset service providers such as virtual currency exchanges. However, many countries have been slow to implement such international standards or to enforce them. It is still possible for criminals to raise, move, and exchange currency while avoiding direct relationships with compliant financial institutions that actively look for criminal activity.

To illustrate this, Chainalysis recently found that nearly 50 percent of all illicit funds now bypass regulation by clearing through just two exchanges, taking advantage of the little-regulated over-the-counter (OTC) market. Brokers in this OTC market move large amounts of cryptocurrency on behalf of their clients, and while most brokers operate licitly, some specialize in the movement of illicit funds. These illicit funds flow through a money-laundering mechanism that is built to move illicit funds at scale. Criminals and state-backed entities engaging in illicit financial activity are constantly adapting to seek out such entities where they remain, particularly as more of the cryptocurrency ecosystem becomes more intensively regulated and supervised.

There is every reason to suspect that foreign intelligence services intent on interfering in U.S. elections are adapting rapidly as well, and they have at their disposal sophisticated means to launder and disguise their financial footsteps, even in the relatively well-regulated U.S. financial system. U.S. law, in particular the Bank Secrecy Act (BSA), provides the requirements needed for better scrutiny of virtual currency transactions, but many companies engaged in virtual currency transactions in the United States are not in full compliance with this authority, particularly the Travel Rule, which requires transmission of certain information about the parties for cross-border transactions above a threshold. In part this is because many virtual currency exchanges grew out of the technology industry, where companies, unlike traditional financial services firms, were not used to and did not invest in the regulatory compliance required of financial institutions. This led some companies to be slow to comply and others to gamble that they could ignore compliance completely, at least until their businesses were more established. Other companies have convinced themselves that their offerings do not implicate money transmission under the BSA, relying on ambiguities in the application of the law to their businesses. A small number of foreign virtual currency exchangers that provide services to U.S. customers have not registered in the United States as money transmitters, despite guidance from the U.S. Department of the Treasury that they are subject to regulation.

Furthermore, public enforcement against non-compliant businesses has been limited, providing difficult incentives for legitimate businesses competing with them. Such enforcement, when it does occur, can take considerable time, as cross-border investigations to meet legal standards can take years to pursue through official information-sharing processes. Similar and often greater problems with compliance exist in many other jurisdictions, and beyond that there are many jurisdictions that have not yet enacted the regulation needed to require such compliance in the first place.

Self-Generated Funds Can Sustain Operations Indefinitely

Criminals or state actors that use cryptocurrency can create their own money by mining cryptocurrency. They do this by using intensive computing power to painstakingly solve difficult cryptographic puzzles. Once miners have solved the puzzle, and thereby validated a new block on the blockchain to facilitate a new transaction, they earn cryptocurrency and can spend that newly minted cryptocurrency directly on services that accept it. This kind of activity occurs without the audit trail that normally accompanies other assets. That is exactly what agents of the GRU did in 2016, when they stored freshly mined bitcoin on a mining platform and a U.K.-based exchange. That cryptocurrency was then used to fund the GRU’s 2016 election interference activity, including its BitVPN purchases.

Cryptocurrency mining investments mean that Russia, including the GRU, could again succeed in creating the financial resources needed to engage in criminal activity and election interference undetected.

Most cryptocurrency mining is done by a few large mining operations or “pools,” but anyone can participate with enough computing power. Russia has been active in mining in the past, and most observers expect that this activity will grow as Russia expands investments in cryptocurrency mining. For example, Russian firms recently converted a nuclear power plant and an aluminum plant to bitcoin mining facilities where individuals can rent mining rigs to mine coins. Chinese firms are also dominant players in bitcoin mining. Additional states making a major investment into cryptocurrency mining include other U.S. adversaries like North Korea and Iran. These facilities could corner up to 20 percent of total global mining power for bitcoin, based on their size. Without a significant investment in infrastructure, it is often not profitable to mine bitcoins without a mining pool membership. Such investments mean that Russia, including the GRU, could again succeed in creating the financial resources needed to engage in criminal activity and election interference undetected.

A Growing Threat

The threat of U.S. adversaries using cryptocurrency to finance election interference and other illicit activities has grown since 2016. While U.S. regulators and law enforcement have improved their ability to trace and disrupt illicit activity, it remains relatively easy for illicit actors to hide the source of their funds and purchase services to interfere in U.S. and other elections. The growing overall cryptocurrency industry, as well as the growing ecosystem of VPN vendors, merchant service providers, and others accepting payments in cryptocurrency, makes it easier for illicit, state-backed actors to acquire services in support of hacking and election interference. U.S. adversaries are investing in improving their ability to mine cryptocurrency, providing them with the ability to self-fund these operations and to further obscure the source of their activities. U.S. officials will need new tools, additional dedicated personnel, and enhanced authorities, as well as greater cooperation with the private sector and other jurisdictions, to address this threat.

Lessons for Policymakers

The ease with which foreign intelligence agencies can exploit cryptocurrency to fund criminal activity, including election interference, should be a grave source of concern for proponents of democracy and free and fair elections. It should be particularly worrisome to U.S. leaders, given the upcoming national election. Moreover, it should be a concern for national security policymakers focused on the character and future of the U.S. great power rivalry with Russia and China, which has also sought to influence U.S. political processes, and for those seeking to balance technology innovation with the need to prevent illicit finance.

The ease with which foreign intelligence agencies can exploit cryptocurrency to fund criminal activity, including election interference, should be a grave source of concern for proponents of democracy and free and fair elections.

There are steps that U.S. policymakers could take to improve the collective understanding of the illicit finance threats associated with cryptocurrency, in particular the ability of foreign adversaries of the United States to use this form of money once again to fund interference efforts in U.S. elections. There also are actions they could take to reduce or eliminate these threats. Several of these are outlined below.

1. Ensure Robust Information Sharing Between the Private and Public Sector

At a basic level, more robust and institutionalized information sharing between private sector actors and public sector investigators and analysts can create more knowledge about cryptocurrency vulnerabilities and bad actors, reducing the chance that these can be exploited for election interference. They also can be used to uncover instances where such activity, or attempts at such activity, have occurred. Finding ways to understand the identity of users of cryptocurrency that may seek to disrupt elections will be a part of defending the integrity of democratic institutions and processes for upcoming elections. Most cryptocurrency transactions are recorded on transparent, public blockchain ledgers, making it possible for law enforcement agencies and the private sector to work from the same blockchain data to report and investigate suspicious activity, including illicit foreign funding for election interference, once linked to an identifiable bad actor or activity. The public transparency of blockchain transactions can be turned from a detriment to an asset for law enforcement if industry makes a concerted effort to identify bad activity and share with law enforcement.

Establish the trust and mechanisms to more expansively and regularly share illicit cryptocurrency addresses. While many VASPs regularly report on possible illicit cryptocurrency activity in suspicious activity reports (SARs), FinCEN and other federal regulators and law enforcement officials should more expansively and regularly share illicit cryptocurrency addresses with the private sector, along with details, when legally possible, on how these addresses have been linked to such activity. Such sharing ensures that bad actors have fewer places to hide, that all parties involved gain more understanding of the methods used by such parties, and that the full range of public and private measures can be brought to bear against them. This might be done publicly, to put pressure on virtual currency businesses that appear to be knowingly hosting addresses linked to bad activity, or published to more restrictive distribution lists, as the FinCEN does with its Secure Information Sharing System for BSA-regulated financial institutions. Law enforcement also should seek wherever possible to share more about how they know that particular addresses are associated with bad actors, as this improves the ability of private sector actors to identify and avoid them. To share in such detailed ways, beyond the general red flags that FinCEN regularly publishes in advisories for industry, will require additional legal work and processes, given the potential impact on address holders. It will also require a higher level of trust with the cryptocurrency industry; that trust is currently in a very early, developmental stage, given how slow industry has been to implement financial integrity protocols, including the Travel Rule. Some exchangers also regularly publish lists of law enforcement subpoenas received, which does not further this level of trust. Law enforcement remains hesitant to disclose sensitive information involving potential ongoing investigations.

Facilitate private sector cooperation and information sharing. FinCEN should more actively encourage exchanges and other VASPs to collaborate in a private sector mechanism to share information on illicit cryptocurrency addresses and activity. Similar arrangements among traditional financial institutions sharing information under Section 314(b) of the USA Patriot Act have been successful in improving the quality of information shared with one another and, ultimately, the U.S. government. A similar mechanism for VASPs could be similarly beneficial and is available to exchangers. VASPs should organize such collaboration patterned off the successful example of traditional financial institutions, which self-organized such models. FinCEN should expedite any endorsement that is needed to ensure confidence in the information-sharing mechanisms.

Encourage the creation of global, public corporate registries for VASPs and VASP addresses. A number of private sector efforts are underway to create registries of VASPs to share the blockchain addresses they use and offer to their customers to store virtual currency. Such registries would greatly aid the detection of and reporting on illicit activity using virtual currency. Broadly establishing foreign registries of VASPs, the way U.S.-registered exchangers are publicly listed on FinCEN’s website, would help U.S. exchangers verify the legitimacy and accountability of foreign counterparts for information sharing.

Encourage effective technological solutions for disclosure of information when funds are transferred. FATF’s Recommendation 16 calls for members to ensure that their regulated financial institutions obtain and include key information about the originator and beneficiary in transmittal orders to other financial institutions, and that such information “travel” through intermediary financial institutions. On June 21, 2019, FATF interpreted this provision to apply to VASPs with respect to transactions for $1,000 or €1,000 or more. The United States, in particular FinCEN, should continue to engage with private sector efforts to find technological solutions for the efficient and reliable transmission of this information in the context of virtual currencies and other digital assets, and to encourage a common, open standard for data transfer to ensure that the various technical solutions being developed are interoperable. At the same time, it should take steps both domestically and internationally to ensure that applicable Travel Rule obligations are enforced.

Allow greater sharing of SARs by U.S. virtual currency businesses with foreign affiliates. FATF’s Recommendation 18 encourages member states to require their regulated financial institutions to have enterprise-wide approaches to risk that extend across borders. But the United States, for example, limits the sharing of SARs by a regulated financial institution with its foreign affiliates and, for money transmitters, even with other affiliates in the United States. In accordance with previous FATF guidance on this issue, FinCEN should consider allowing such sharing, incorporating safeguards as needed to protect the security of such information.

Expand the scope of 314(b) sharing. In the United States, the USA Patriot Act allows sharing of information between regulated financial institutions and “associations” of such institutions regarding “individuals, entities, organizations, and countries suspected of possible terrorist or money laundering activities” for the purpose of “identifying and reporting activities that may involve terrorist acts or money laundering activities.” Congress should consider broadening this language to allow information sharing for other crimes apart from money laundering, such as fraud and ransomware attacks. In particular, when multiple financial institutions each see only part of an activity, it may be difficult to determine whether transactions involve money laundering, terrorist activity, or another form of financial crime until information is shared and a consensus view reached. Congress should also expand the definition of “associations” to clearly include related non-financial institution entities, such as anti-money laundering service providers who can optimize the impact of the information.

2. Consider Novel Regulation and Consequences for Cryptocurrency Crimes

As the ecosystem for cryptocurrency expands and cryptocurrency can be used for more e-commerce purchases, policy leaders should examine new regulatory approaches for virtual assets and VASPs. This should include exploring new legal authorities to target illicit use of cryptocurrencies by state-backed groups. It should also include an examination of the points at which VASPs should gather customer information and how digital identity should best be verified. Traditional approaches to know-your-customer requirements are much more limited than contemporary identity solutions that feature the use of big data to conduct cyber behavior analysis and which should be encouraged further.

Commission a study to examine new regulation and enforcement approaches to cryptocurrency crime. The U.S. Congress should mandate that the Federal Election Commission, in consultation with the Treasury Department’s Office of Intelligence Analysis and FinCEN, compile a study to be briefed to relevant congressional committees, in coordination with other administration agencies and with the input of independent experts and industry stakeholders. The study would look at how to expand and adapt legal authorities to target state-backed groups illicitly using cryptocurrency, as a means to specifically expose and deter such use. The briefing should explore ways to adapt campaign finance and election laws to better address the harms to U.S. elections presented by virtual assets, particularly their use by foreign parties. Additionally, the initiative should consider the enhancement of penalties for cryptocurrency crimes associated with state-backed groups.

3. Use Targeted Authorities to Disrupt Facilitators of Virtual Currency–Related Crime and to Gather Information

The dynamic changes that cryptocurrency has created in the ways people store and move units of value calls for novel approaches to regulation and enforcement. However, many existing authorities already provide a framework in which policy and enforcement officials can operate, innovating their strategies and tools for disrupting criminal financial institution entities, without needing to create new authorities.

Expand the use of Section 311 and other BSA authorities. FinCEN should use well-established authorities under Section 311 of the USA Patriot Act to require U.S. banks to not allow the use of their correspondent account relationships to process transactions for foreign financial institutions determined to be of “primary money laundering concern.” This should be used to bar foreign VASPs and other financial institutions that facilitate the use of virtual currency by illicit actors, similar to the way FinCEN publicly designated Liberty Reserve, an early virtual currency exchanger, under Section 311. This authority also can be used to require reporting on specific foreign jurisdictions, foreign financial institutions, classes of transactions involving foreign jurisdictions, or types of accounts. This includes information on the parties involved in such transactions and their nature, and could be employed to map out areas of particular concern in the world of virtual currency, for example the use of virtual currency with features of enhanced anonymity, or the use of “tumblers” and other mechanisms to obscure audit trails. Likewise, FinCEN has other BSA authorities, such as demand letters, geographic targeting orders, and foreign financial agency regulations, that it should continue to use to improve U.S understanding of the virtual currency ecosystem and to improve coordination with U.S. allies to address threats in this space. Some of these are not public actions, so they could be in use already, but Congress should inquire with FinCEN as to whether there are any enhancements that would further facilitate their use in the virtual currency space relative to traditional banking.

Use sanctions to target VASPs, merchant service providers, and others facilitating illicit activity; identify wallet addresses. The U.S. Department of the Treasury’s Office of Foreign Assets Control already administers a number of sanctions programs targeting rogue regimes as well as malicious cyber-enabled activities that could be used to target entities involved in election interference. This could include state-affiliated actors, like the elements of Russia’s GRU involved in the 2016 attacks, but more importantly it should include their third-party enablers, including VASPs and merchant service providers that knowingly enable such actors. The virtual currency wallet addresses of such persons also can be identified as blocked property to ensure that VASPs screen against and prevent transactions with such assets.

4. Enhance International Cooperation

While the United States and several other advanced economies have taken the lead in applying their financial regulatory frameworks to virtual assets and virtual asset service providers and tracking and disrupting illicit cryptocurrency activity, many other jurisdictions have lagged behind. U.S. regulators should continue and enhance their efforts to ensure that other jurisdictions are also implementing the FATF guidance and increasing their capabilities to detect and disrupt illicit cryptocurrency activity.

Continue to lead at FATF. During its presidency of FATF in 2019, the United States led the development of FATF’s guidance for virtual assets and VASPs. The U.S. Department of the Treasury should continue to lead efforts at FATF to ensure that countries implement changes to address deficiencies related to virtual assets and VASPs in their regulatory frameworks.

Provide additional technical assistance to jurisdictions on incorporating regulations on virtual assets and VASPs into their regulatory frameworks. The U.S. Department of the Treasury should make this technical assistance a key priority in its capacity-building efforts.

Continue to develop channels between financial intelligence units to share information on virtual currency transactions and VASPs. The United States and more than 150 other countries have financial intelligence units (FIUs; in the case of the United States, FinCEN) that act as central focal points for domestic and international sharing of reporting on suspicious activity, money laundering, and terrorism finance. Many of these FIUs are members of the Egmont Group of FIUs, a group that facilitates cooperation and intelligence sharing between FIUs. In February 2020, FinCEN co-chaired an Egmont meeting of 50 senior officials from global FIUs to discuss virtual asset issues, including cryptocurrency business models, money laundering and terrorist finance risks, illicit typologies, and the role of FIUs in tracing virtual assets. FinCEN should continue this work by leading an ongoing working group of Egmont members to consider improved methods for information sharing on virtual currency transactions and VASPs to ensure that such sharing is at least as robust as what currently occurs for more traditional transactions and financial institutions, and that the unique types of information in this context and barriers to effective detection of illicit activity are addressed.

5. Increase Public Enforcement of Anti–Money Laundering Regulation of Virtual Currency Transactions and VASPs

Domestically, U.S. regulators and law enforcement should increase public actions to ensure that VASPs that are required to register as money transmitters adopt effective anti-money laundering programs, conduct customer due diligence, and report suspicious activity. Regulators and law enforcement should publicly take enforcement actions against entities that do not comply. This rewards companies that play by the rules and reduces the number of places for bad actors to turn. Internationally, the U.S. should work with partners to ensure that they do the same, especially for jurisdictions that remain especially attractive to criminal actors.

Increase law enforcement channels. FinCEN should encourage cryptocurrency exchanges to establish a chief law enforcement liaison to facilitate greater communication with domestic and foreign law enforcement officials. In addition, the U.S. Departments of Justice and State should work to create an international working group to accelerate development of an electronic mutual legal assistance treaty (MLAT) system, beginning with a pilot project around cryptocurrency cases.

Conclusion

Cryptocurrency has a lingering reputation as a safe haven for criminals and a form of value that is easily exploited by illicit actors. This is an artifact of its earliest days of development and does not reflect its growing scale and the range of investors, merchants, and others who now use it for legitimate purposes. However, cryptocurrency continues to retain avenues for exploitation to facilitate a variety of transnational crimes and direct threats to U.S. interests. These include financing of election interference, a direct and existential danger to U.S. democratic culture and institutions. Worryingly, in the face of the well-documented description of this activity from the Mueller report, policy leaders have failed to act or even draw mainstream attention to this element of the election interference threat. This should be motivation to take steps to compel greater transparency, information sharing, and cooperation as part of the regulatory and compliance practices for the cryptocurrency industry.

It will be difficult for any policy priority to compete with the preeminent public health and related economic crises from COVID-19. However, preventing another direct attack on American democracy should be a priority.

Particularly in an era of much greater digital financial activity, and in the run-up to another presidential election, the integrity and security of the virtual asset ecosystem should be a mainstream concern. It will be difficult for any policy priority to compete with the preeminent public health and related economic crises from COVID-19. However, preventing another direct attack on American democracy should be a priority. Arresting the flow of cryptocurrency to fund such an attack is a key part of this policy priority.

About the Authors

Elizabeth Rosenberg is a Senior Fellow and Director of the Energy, Economics, and Security Program at the Center for a New American Security (CNAS). Previously, she served as a Senior Advisor at the U.S. Department of the Treasury on international illicit finance issues, helping senior officials develop financial sanctions and formulate anti-money laundering and counterterrorism financing policy.

Jesse Spiro is the Global Head of Policy & Regulatory Affairs for Chainalysis. Previously he was the Global Head of Threat Finance & Emerging Risks for Thomson Reuters and Refinitiv. He is a member of the U.S. Digital Chamber of Commerce Anti-Money Laundering Task Force and the Intelligence and National Security Alliance Threat Finance Task Force, and he was a 2018 Foundation for Defense of Democracies National Security Fellow.

Sam Dorshimer is a Research Assistant in the Energy, Economics, and Security Program at the Center for a New American Security, where his work focuses on U.S. tools of coercive economic statecraft and how new financial technologies can enable and combat illicit financial activity. He previously interned with the Atlantic Council, the Office of the U.S. Trade Representative, the U.S. Senate, and the U.S. Department of State.

Acknowledgments

The authors would like to thank Maura McCarthy for her review of this report. They also thank Yaya J. Fanusie for his ideas and feedback during the drafting of this report, and Carlton Greene for his legal review. Additionally, they would like to thank the research team at Chainalysis for their work in analyzing the data and creating graphics included in this report. Finally, they would like to acknowledge Melody Cook and Maura McCarthy for their assistance with the production of the report.

About the Energy, Economics, and Security Program

The Energy, Economics, and Security Program analyzes the changing global economic landscape and its national security implications. From the shifting geopolitics of energy to the market influence of new technologies, to the tools of economic statecraft, such as trade and investment policy and sanctions, the program develops strategies to help policymakers understand, anticipate, and respond. This program draws from the diverse expertise and backgrounds of its team and leverages other CNAS experts’ strengths in regional knowledge, technology, and foreign policy to inform conversations at the nexus of markets, industry, and U.S. national security and economic policy.

  1. Despite major turmoil in the cryptocurrency markets in March 2020 as a result of the COVID-19 pandemic, cryptocurrency markets have largely recovered. For more see, Galen Moore, “What’s Next for Bitcoin After March’s Crash – CoinDesk Quarterly Review,” CoinDesk, April 9, 2020, https://www.coindesk.com/bitcoin-price-research-coindesk-quarterly-review.
  2. According to estimates from Chainalysis, a blockchain analytics firm, criminal activity now accounts for only 1.1 percent of cryptocurrency use, though many cases involving cryptocurrency are far-reaching and consequential. See “The 2020 State of Crypto Crime,” Chainalysis, January 2020, 5, https://blog.chainalysis.com/reports/cryptocurrency-crime-2020-report.
  3. Jeff John Roberts, “Bitcoin Comes to Whole Foods, Major Retailers in Coup for Digital Currency,” Fortune, May 13, 2019, https://fortune.com/2019/05/13/bitcoin-comes-to-whole-foods-major-retailers-in-coup-for-digital-currency/.
  4. Blockchain refers to the distributed ledger used by many cryptocurrencies that encodes the web of virtual currency trades and purchases on blocks of information that are stored in a shared ledger and can only be added to or updated through consensus among network users. For a more in-depth description of blockchain technology, see “Blockchain 101,” CoinDesk, March 17, 2017, https://www.coindesk.com/learn/blockchain-101/what-is-blockchain-technology.
  5. “Treasury Sanctions Russia-Linked Election Interference Actors,” U.S. Department of the Treasury, press release, September 10, 2020, https://home.treasury.gov/news/press-releases/sm1118.
  6. Robert S. Mueller III, Report On The Investigation Into Russian Interference In The 2016 Presidential Election (U.S. Department of Justice, March 2019), 1:36-37, https://www.justice.gov/storage/report.pdf.
  7. United States of America v. Viktor Borisovich Netyshko, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksander Vladmirovich Osadchuk, Aleksey Aleksandrovich Potemkin, and Anatoly Sergeyevich Kovalev, Case 1:18-cr-00215-ABJ (United States Court for the District of Columbia, 2018), https://www.justice.gov/file/1080281/download. The estimates of the dollar value of bitcoin in this report are based on historical price data from CoinMarketCap. For price data, see Bitcoin (BTC) Historical Data, CoinMarketCap,https://coinmarketcap.com/currencies/bitcoin/historical-data/?start=20130428&end=20200424.
  8. For similar analysis tracing the origins of the funds used to facilitate Russian hacking activities in 2016, see Tom Robinson, “How the DOJ Indictment of Russian Hackers Is Supported by Blockchain Analysis,” Elliptic, July 24, 2018, https://www.elliptic.co/our-thinking/doj-indictment-russian-hackers-blockchain-analysis, and Tim Cotten, “Russia’s Bitcoin Hacking Funds,” Medium, April 19, 2019, https://blog.cotten.io/russias-bitcoin-hacking-funds-c0a87b33f1e2.
  9. Mike Orcutt, “This is how North Korea uses cutting-edge crypto money laundering to steal millions,” MIT Technology Review, March 5, 2020, https://www.technologyreview.com/2020/03/05/916688/north-korean-hackers-cryptocurrency-money-laundering/.
  10. Henry Foy, Madhumita Murgia, and Michael Peel, “EU scrambles to stop Russian interference ahead of May elections,” Financial Times, February 28, 2019, https://www.ft.com/content/d8205ea0-3a6a-11e9-b72b-2c7f526ca5d0.
  11. “Total Crypto Market Capitalization and Volume, $,” TradingView, https://www.tradingview.com/markets/cryptocurrencies/global-charts/.
  12. Andrey Shevchenko, “Remaining Anonymous: Which Crypto Privacy Solution Works Best?” CoinTelegraph, April 2, 2020, https://cointelegraph.com/news/remaining-anonymous-which-crypto-privacy-solution-works-best.
  13. Olga Kharif, “From Online Gambling to Pot, Crypto Commerce Takes Off This Year,” Bloomberg, November 6, 2019, https://www.bloomberg.com/news/articles/2019-11-06/crypto-commerce-jumps-65-as-tether-s-use-takes-off-this-year.
  14. See Tim Cotten, “Russia’s Bitcoin Hacking Funds,” for additional details on cryptocurrency used by Russian operatives traceable to BitVPN. The darknet refers to Internet content that is not indexed by traditional search engines and typically requires special software or authorization to access. Darknet marketplaces typically specialize in providing a range of illicit goods and services that can be purchased while disguising the identities of buyers, sellers, and market operators. For a more in-depth explanation of darknet markets, see Federal Bureau of Investigation, “A Primer on DarkNet Marketplaces: What They Are and What Law Enforcement Is Doing to Combat Them,” November 1, 2016, https://www.fbi.gov/news/stories/a-primer-on-darknet-marketplaces.
  15. “Darknet Market Activity Higher Than Ever in 2019 Despite Closures. How Does Law Enforcement Respond?” Chainalysis, January 28, 2020, https://blog.chainalysis.com/reports/darknet-markets-cryptocurrency-2019.
  16. “Coronavirus Updates,” Financial Crimes Enforcement Network, https://www.fincen.gov/coronavirus.
  17. “Russian National and Bitcoin Exchange Charged in 21-Count Indictment for Operating Alleged International Money Laundering Scheme and Allegedly Laundering Funds From Hack of Mt. Gox,” U.S. Department of Justice, press release, July 26, 2017, https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-alleged.
  18. Mike Eckel, “How Much Did Russian Spy Agencies Rely on Bitcoin? New Hints in Leaked Recordings,” Radio Free Europe/Radio Liberty, November 28, 2019, https://www.rferl.org/a/how-much-did-russian-spy-agencies-rely-on-bitcoin-new-hints-in-leaked-recordings-/30297083.html.
  19. Financial Action Task Force, Guidance for a Risk-based Approach to Virtual Assets and Virtual Asset Service Providers (FATF, June 2019), https://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-virtual-assets.html.
  20. “Money Laundering in Cryptocurrency: How Criminals Moved Billions in 2019,” Chainalysis, January 15, 2020, https://blog.chainalysis.com/reports/money-laundering-cryptocurrency-2019.
  21. See FinCEN, “Prepared Remarks of FinCEN Director Kenneth A. Blanco” (Consensus Blockchain Conference, May 13, 2020); Final Rule, Bank Secrecy Act Regulations; Definitions and Other Regulations Relating to Money Services Businesses, Fed. Reg. 76, nos. 43585, 43586 (July 21, 2011).
  22. This chain of payments is visualized in Figure 1 above. For additional analysis of this chain of GRU cryptocurrency payments, see Tim Cotten, “Russia’s Bitcoin Hacking Funds,” Medium, April 19, 2019, https://blog.cotten.io/russias-bitcoin-hacking-funds-c0a87b33f1e2.
  23. On the nuclear plant, see Anna Baydakova, “A Russian Nuclear Plant Is Renting Space to Energy-Hungry Bitcoin Miners,” CoinDesk, January 10, 2020, https://www.coindesk.com/a-russian-nuclear-plant-is-renting-space-to-energy-hungry-bitcoin-miners. On the aluminum plant, see Yulia Fedorinova and Gem Atkinson, “Russia’s Largest Bitcoin Mine Turns Water Into Cash,” Bloomberg, November 24, 2019, https://www.bloomberg.com/news/features/2019-11-24/seo-inside-russia-s-largest-bitcoin-mine.
  24. Christopher Bendiksen and Samuel Gibbons, “The Bitcoin Mining Network,” CoinShares, December 2019, https://coinshares.com/research/bitcoin-mining-network-december-2019.
  25. North Korea has notoriously mined cryptocurrency since at least 2017. More recently, in January 2020, Iran’s Ministry of Industries, Mining and Trade issued over 1,000 cryptocurrency mining licenses to domestic operations to help facilitate trade and skirt economic sanctions. For more detail on North Korea’s cryptocurrency mining activities, see Priscilla Moriuchi, “North Korea’s Ruling Elite Adapt Internet Behavior to Foreign Scrutiny,” Recorded Future, April 25, 2018, https://www.recordedfuture.com/north-korea-internet-behavior/. For more details on Iran’s cryptocurrency mining activities, see Adrian Zmudzinski, “Iranian Authorities Have Issued 1,000 Licenses for Cryptocurrency Mining,” Coin Telegraph, January 27, 2020, https://cointelegraph.com/news/iranian-authorities-have-issued-1-000-licenses-for-cryptocurrency-mining.
  26. David E. Sanger and Julian E. Barnes, “U.S. Warns Russia, China and Iran Are Trying to Interfere in the Election. Democrats Say It’s Far Worse,” The New York Times, July 24, 2020, https://www.nytimes.com/2020/07/24/us/politics/election-interference-russia-china-iran.html.
  27. See 31 U.S.C. § 5318(g), “Reporting of Suspicious Transactions” (BSA SAR provision); 31 C.F.R. § 1022.320, “Reports by money services businesses of suspicious transactions”; cf. FATF, Private Sector Information Sharing (FATF, November 2017), 7-17, https://www.fatf-gafi.org/media/fatf/documents/recommendations/Private-Sector-Information-Sharing.pdf.
  28. PL 107-56, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, October 26, 2001), Section 314(b).
  29. See 31 C.F.R. § 5318A(b)(5), “Prohibitions or conditions on opening or maintaining certain correspondent or payable-through accounts.”
  30. Id. at § 5318A(b)(1), “Recordkeeping and reporting of certain financial transactions.”
  31. See 12 C.F.R. § 1829b, “Retention of records by insured depository institutions” (demand letters); 31 C.F.R. § 360, “Regulations Governing Definitive United States Savings Bonds, Series I” (demand letters); 31 C.F.R. § 370, “Electronic Transactions and Funds Transfers Relating to United States Securities” (geographic targeting orders).
  32. “Financial Intelligence Units Meet to Discuss Global Issues Surrounding Virtual Assets,” French Ministry for the Economy and Finance, press release, February 16, 2020, https://www.economie.gouv.fr/files/files/directions_services/tracfin/FIUs_Release_February_16th_2020.pdf.

Authors

  • Elizabeth Rosenberg

    Former Senior Fellow and Director, Energy, Economics and Security Program

    Elizabeth Rosenberg is a former Senior Fellow and Director of the Energy, Economics, and Security Program at the Center for a New American Security. In this capacity, she publ...

  • Jesse Spiro

    Global Head of Policy & Regulatory Affairs, Chainalysis

    Jesse Spiro is the Global Head of Policy & Regulatory Affairs for Chainalysis. Previously he was the Global Head of Threat Finance & Emerging Risks for Thomson Reuters...

  • Sam Dorshimer

    Former Research Associate, Energy, Economics, and Security Program

    Sam Dorshimer is a former Research Associate for the Energy, Economics, and Security Program at the Center for a New American Security....

More from CNAS

View All Reports View All Articles & Multimedia