As cybercrime increased with the spread of the COVID-19 pandemic and cyberwarfare became a hot topic following Russia’s attack on Ukraine, cryptocurrency increasingly became associated with illegal and criminal activities. It has become a significant part of the thriving of ransomware and other forms of cyber extortion.
This perception is not new, as Chainalysis CTO Gregg Gurvais Grigg presented data on how cybercriminals are switching to crypto as their preferred currency at the 2021 MIT Technology Review CyberSecure conference. Because crypto provides a good level of anonymity, especially with the process called tumbling, it has allowed cybercriminals to get their ransoms without leaving a trace or exposing themselves to entrapment operations.
However, a recent United States government official appears to be downplaying the supposed dangers of cryptocurrency use. While lawmakers from both the Democratic and Republican parties invoke recent security incidents to push for the greater regulation of crypto, a key US government official is saying that the underlying technology for crypto money actually assisted officials in tracking malicious activity.
Ransomware is a big problem
In his testimony at the Senate Banking Committee Hearing on March 17, Michael Mosier, Deputy Director and Digital Innovation Officer for Financial Crimes Enforcement Network (FinCEN), noted the increase in ransomware payments. However, he pointed out that this is not entirely attributable to the availability of crypto. “The increase in ransomware payments has less to do with criminals reflecting current financial trends, and more to do with three practical emergences.”
These emerging trends are, first, the advent of ransomware-as-a-service, which makes ransomware kits available to everyone, making practically anyone capable of launching ransomware attacks. Second, the rise of double extortion or the combination of different threats to force victims to pay. Third, the wide adoption of cyber insurance creates the impression that organizations have the ability to pay the ransom through their insurance plans.
These trends are aggravated by most organizations’ inadequate protection and response plans versus ransomware and other threats. One survey by a data recovery service provider reveals that 39 percent of organizations worldwide have no ransomware emergency plan or they are not aware if they have any. Crypto may make it easy to collect ransoms, but if organizations start thinking about ransomware protection, they wouldn’t be so prone to ransomware and other similar attacks in the first place, forcing cybercriminals to look for other cyber weaknesses to exploit.
Helps, not hurts
Mosier explains further the idea that cryptocurrency is not the main driver of the surge in ransomware attacks. The convenience and anonymity cryptocurrency affords are not exactly hindrances to government actions against cyber criminals like ransomware perpetrators.
“However, payments made in cryptocurrency offer law enforcement significant visibility and investigative benefits over opaque banking, as we saw with the recovery of $2.3 million in cryptocurrency from the Colonial Pipeline attackers,” Mosier said in his statement to the US Senate Banking Committee.
Mosier explained that there are many cases involving the use of cryptocurrency that can be solved because of the features of cryptocurrency. These are cases where it is possible to identify on a public ledger the Virtual Asset Service Provider (VASP) that should be sent a subpoena through the concept of “immutable public evidence.”
Instead of relying on mutual legal assistance treaties and employing a lot of guesswork, investigators can examine publicly accessible digital currency ledgers and work their way into identifying cybercriminals and prosecuting them. This is also easier compared to dealing with the complex world of shell companies and banks with opaque wire transfer systems.
“It greatly oversimplifies the issue to blame cryptocurrency for payments increasing. Ignoring the variety of factors at play, this claim fails to recognize that part of the solution is having cyber insurance policies require that the policyholder develop and maintain meaningful cybersecurity practices as one of the best ways to help reduce payments – and, importantly, reduce victims from the beginning.” Mosier pointed out.
Adapting, not avoiding
Eight senators led by Elizabeth Warren of Massachusetts are pushing for legislation that would impose greater oversight over cryptocurrency and the industry built around it. The lawmakers are particularly worried that Russia may evade the impacts of the sanctions imposed by the US and its allies on Russia by turning to cryptocurrency.
However, Senator Pat Toomey of Pennsylvania argued that there is no solid evidence that proves that Russia is planning to or is already using cryptocurrency to get around the sanctions. Toomey cited the statements made earlier by FBI Director Christopher Wray, National Security Council Cybersecurity Director Carole House, and FinCEN Acting Director Hima Das.
Evidently backing the objection to the planned law to regulate cryptocurrencies, Mosier suggested that lawmakers should provide more funding for FinCEN and the Office of Foreign Assets Control under the Treasury Office instead of imposing more reporting obligations on crypto-asset holders. This new funding will be used to develop and deploy suitable tools for analyzing and tracing transactions on the blockchain.
Mosier believes that suppressing new technologies like cryptocurrency is counterproductive and not in line with the development and improvement of the technologies that shape the modern digital world.
“There is work to be done yet for cryptocurrency. There are too many exploits, rugpulls and scams. The early internet had a lot of fraud and exploits as well. You’d order something online and have no idea whether you’d actually get it. It took years to work out consumer protections, and certainly data privacy and protection remain elusive to this day. But we haven’t decided to shut down the internet. We work persistently to find the balance and prioritize risks,” Mosier explained.
The points expressed by the deputy director of FinCEN add another opposing view that may appear to throw a monkey wrench on America’s strategy in addressing the Ukraine-Russia conflict. This is not necessarily the case, though. Top officials in the US Government propose that it may not be to America’s advantage to be too focused on addressing the Russian invasion problem at the expense of suppressing technologies that can be useful for the country’s economy and society in general.