Cryptocurrencies and their risks.
Understanding the lifecycle of a typical cryptocurrency transaction puts into context the role of cryptocurrency mining. When a cryptocurrency transaction is initiated, it is first verified by computers connected to the cryptocurrency network, referred to as nodes. The transaction remains in a memory pool (“mempool”) of unconfirmed transactions until a miner (a mining node in the network) selects it for validation, after which it is propagated to the network and added to the block of transactions (the blockchain).
Mining is typically underpinned by the Proof of Work (PoW) method of validating transactions and reaching consensus about the addition of new blocks (consensus is reached when 51% or more of nodes agree on the transaction validity). In PoW, a miner uses computational power to solve a complex puzzle (the solution of which is called a “hash”) that allows the miner to validate a cryptocurrency transaction. The winning miner is then rewarded with newly generated cryptocurrency (i.e. newly mined Bitcoins, at present 6.25 bitcoin), along with transaction fees.
Cryptocurrency mining can be broken down into three distinct segments: (a) proprietary mining, where miners operate and maintain their own hardware for their gains; (b) remote hosting, where data centres or containers are outfitted to house hardware owned and provided by a client for their own use in mining; and (c) cloud mining, where customers rent out their own computational power for use by a third party. Many involved in cryptocurrency mining also join mining pools - groups of miners who collectively use their computational resources to mine new coins and share rewards between participants, according to their respective contributions.
In the years since the first block was mined in 2009, cryptocurrency mining has become very active, both legally and illegally. With over 100 years left until the last Bitcoin is expected to be mined and a diverse range of cryptocurrencies being generated and transacted every day, we have only skimmed the surface of understanding how mining is and can be used to obfuscate the trail of criminal proceeds.
During the relative infancy of Bitcoin mining, unsuspecting clients were deceived by clever fake mining hardware suppliers. Butterfly Labs found itself in trouble with the Federal Trade Commission (FTC) in the USA after it alleged that the company failed to provide the hardware purchased by consumers until it was practically useless, or in many cases, did not provide it at all. The complaint also alleged that the company offered consumers Bitcoin “mining services”, charging them upfront in exchange for computing time, which it ultimately failed to provide.
Cryptojacking, understood as the unauthorised use of a computer/device for cryptocurrency mining (typically associated with cybercriminals and hackers), may range from the theft of electricity for powering mining operations to the use of malware to hijack processing power of unsuspecting computer users.
In 2018, users of a game called Abstractism found that applications and malware had been unknowingly installed on their machines, allegedly for the purpose of mining cryptocurrency. Users were encouraged to leave the game running all the time and noticed large amounts of Central Processing Unit (CPU) and Graphics Processing Unit (GPU) usage, hallmarks of computational power used in cryptocurrency mining. When challenged by a user, the developer claimed the files were ‘game launchers’ needed to play the game and responded by saying that “Bitcoin is outdated… We currently use Abstractism to mine only Monero coins”, indicating the developer’s actual intent. The game and its items were subsequently removed by Steam, its digital platform distributor.
Although malware files in the case of the Abstractism game were detectable, Europol’s Internet Organised Crime Threat Assessment (IOCTA) report from 2019 claimed that some of its findings pointed to a decline in ransomware as attackers shifted to stealthier cryptojacking methods. New tactics use fileless malware, which makes detection more difficult compared to application-based alternatives. The report also suggests that corporate networks, along with individual users, may be targets of attacks.
Such fileless attacks are what appear to have occurred recently, when in May 2020 IOCTA reported that a number of supercomputers across Europe had been hacked to mine cryptocurrency. The Europol report stated that supercomputers in the UK, Germany and Switzerland, along with suspected intrusions in Spain, were accessed when their secure remote logins were compromised. The supercomputers were shut down while the issue was addressed, highlighting both the extremes cybercriminals will go to in order to access cryptocurrency mining processing power and their considerable impact.
The increase in popularity of cryptocurrency mining has seen an increase in convergence with other criminal activities. In 2016, the Spanish national police and tax authorities dismantled a large criminal network and took down 6 Bitcoin mining centers suspected to be involved in laundering the proceeds of their crimes. In 2019, police in Porto Alegre, Brazil, investigating drug trafficking unexpectedly came across a makeshift Bitcoin mining operation of 25 mining machines, many believed to be from China, running sophisticated software. As the location was in a conflicted drug trafficking area, the police believed a criminal network from the area was using cryptocurrencies to launder money.
As mining pool operators generally do not conduct KYC/AML due diligence on members, the likelihood that participating miners may behave maliciously or introduce assets of criminal origin is increased.
From initial observation of registration information requested upon sign-up for three of the largest mining pools (Poolin, F2Pool and BTC.com), it appears that only an email address or phone number is required to register. Only the terms of service of BTC.com suggest that some personal information may be collected which may identify a natural person, but in which situation this may be collected is not clear.
While mining is not a crime in most jurisdictions, miners may engage in behaviors that ensure their transactions are favorably mined, facilitating the laundering process. In a selfish-mining attack, an individual miner (or network of pooled miners) privately develops a series of transactions which it validates and releases to the network all at once, ensuring that its private transactions represent the longest chain and are added to the blockchain. In such an attack, honest miners that contribute to public blocks waste computational power while the selfish miner’s private chain is accepted (as it is the longest). As a defense against such attacks, proposals have been made to change block validation rules to consider the timing of block publication.
Criminal activity through cryptocurrency mining is not limited to cryptojacking or selfish mining. An investigation by blockchain analytics service provider Coinfirm revealed that high transaction fees originating from illicit gains were seemingly paid to miners in exchange for either newly mined coins or the return of the paid mining fees (now less traceable), or both. Similar to selfish mining, this technique requires collusion between the sender of the cryptocurrency and the miner, who privately create and validate relatively low Bitcoin transactions with a disproportionately high mining fee, sometimes ranging in the hundreds of thousands of dollars. Once a candidate block has been curated with favorable transactions (e.g. from a miner’s own private wallet or a client’s wallet), the colluding miner (or mining pool) validates the block and propagates it to the network for inclusion in the blockchain, which is likely to be appended if the mining pool has sufficient hash power. However, this practice seems very risky and there are much easier ways to launder assets.
Broader financial crime risks connected to cryptocurrency mining may not be limited to the ‘fee’ element. Mining as a Service (MaaS) may also be used to convert the proceeds of crime (fiat or cryptocurrencies with a traceable history of illicit activity) into clean or “virgin” coins, which reportedly sell on the open market for 10 – 20% of their market value. In such a setup, remote hosting or cloud mining services exchange payment for mining services (without sufficient due diligence on the identity of counterparties or origin of assets). In return, the miner sends newly generated or mined coins to a paying client. This method of hiding the original source of funds comes with the additional benefit of receiving new cryptocurrencies with no transaction history.
Risks in cryptocurrency mining extend beyond financial crime. Sanctions risks should also be considered by those tasked with compliance efforts when dealing with transactions and participants that have a cryptocurrency mining nexus.
Under comprehensive sanctions imposed by the United Nations and its members, the Democratic People’s Republic of Korea (North Korea) has focused its circumvention efforts on the use of cryptocurrencies, including mining. Although recent findings from investigations into internet traffic from North Korea observed small-scale mining of Bitcoin since May 2019, there has reportedly been a tenfold increase in Monero mining activity since 2018. Investigators were unable to determine the level of computational power involved, as all activity was proxied through one IP address that was believed to host at least several unknown mining machines.
Other countries that have found themselves under heavy sanctions have also looked to cryptocurrency as an alternative method of financing. Reports suggest Cubans have turned to cryptocurrency for day-to-day transactions, and in 2018 President Trump signed an Executive Order prohibiting transactions connected to Venezuela’s cryptocurrency, the ‘Petrocoin’.
Like North Korea, Iran has found itself the focus of comprehensive sanctions. Recently, reports have emerged that a cryptocurrency mining company called iMiner was granted a license by Iran’s Ministry of Industry, Mine and Trade to continue operations in the country. iMiner, a Turkish-based entity, was said to have invested $7.3 million in a facility running 6,000 mining machines and offering ‘cloud mining services’.
Both regulators and anti-financial crime professionals should be cognizant of cryptocurrency mining risks.
Regulators may benefit from giving greater consideration to mining pools and bringing them into greater focus, an area of risk that has not generated as much attention as traditional financial intermediation services such as centralized exchanges or custodial wallet services. In particular, analysis of the activity in a mempool has received little focus but could yield much valuable data. Elliptic, a blockchain analysis service provider, recently announced a new technology that continuously monitors the mempool, allowing risk and compliance professionals to gain insights into high risk activity before transactions are confirmed.
Those tasked with managing financial crime risks, for example in financial institutions, may also benefit from paying closer attention to cryptocurrency mining transactions and mining pool operators. The detection of suspicious activity connected with mining may include high-risk indicators such as blockchain addresses where a significant part of transactions transfer significant fees to miners (>5% greater than the average network mining fee at the time of transaction), or addresses receiving newly generated cryptocurrencies from a miner or mining pool that has recently accepted a high proportion of tainted assets.
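The two indicators above can be expressed as simple screening rules. The following Python sketch is an added example, not the authors' or any vendor's method: the transaction records, address and pool names are constructed, and the cut-offs for "significant part", minimum history and "high proportion" are assumptions, since the text only fixes the 5% fee margin.

```python
from collections import defaultdict

FEE_MARGIN = 1.05   # from the text: fee more than 5% above the network average
MIN_SHARE = 0.5     # assumption: "significant part" = at least half of an address's txs
MIN_TXS = 3         # assumption: skip addresses with too little history to judge
TAINT_SHARE = 0.3   # assumption: "high proportion" of a pool's fee income is tainted

# Constructed sample: (sender, fee_btc, network_avg_fee_btc, mining_pool, sender_tainted)
TXS = [
    ("addr_A", 0.00040, 0.0004, "pool_1", False),
    ("addr_A", 0.00041, 0.0004, "pool_2", False),   # 2.5% above average: not counted
    ("addr_A", 0.00030, 0.0004, "pool_1", False),
    ("addr_B", 0.50000, 0.0004, "pool_2", True),
    ("addr_B", 0.30000, 0.0004, "pool_2", True),
    ("addr_B", 0.00040, 0.0004, "pool_1", False),
    ("addr_B", 0.20000, 0.0005, "pool_2", True),
    ("addr_C", 0.00100, 0.0004, "pool_1", False),   # high fees, but only two txs
    ("addr_C", 0.00200, 0.0004, "pool_1", False),
]
# Constructed sample of block-reward payouts: (mining_pool, recipient)
PAYOUTS = [("pool_2", "addr_X"), ("pool_1", "addr_Y"), ("pool_2", "addr_Z")]

def high_fee_addresses(txs):
    """Addresses where a significant share of transactions overpay the miner."""
    total, high = defaultdict(int), defaultdict(int)
    for sender, fee, avg_fee, _pool, _tainted in txs:
        total[sender] += 1
        if fee > avg_fee * FEE_MARGIN:
            high[sender] += 1
    return {a for a, n in total.items() if n >= MIN_TXS and high[a] / n >= MIN_SHARE}

def tainted_pools(txs):
    """Pools whose fee income comes largely from senders already marked tainted."""
    fees, tainted = defaultdict(float), defaultdict(float)
    for _sender, fee, _avg, pool, is_tainted in txs:
        fees[pool] += fee
        if is_tainted:
            tainted[pool] += fee
    return {p for p, f in fees.items() if f > 0 and tainted[p] / f >= TAINT_SHARE}

def payout_recipients(pools, payouts):
    """Addresses paid newly generated coins by any of the given pools."""
    return {recipient for pool, recipient in payouts if pool in pools}

if __name__ == "__main__":
    print("high-fee senders:", sorted(high_fee_addresses(TXS)))
    flagged = tainted_pools(TXS)
    print("pools with tainted fee income:", sorted(flagged))
    print("payout recipients to review:", sorted(payout_recipients(flagged, PAYOUTS)))
```

In practice the fee average and taint labels would come from a blockchain analytics feed, and a hit is a prompt for review rather than a finding.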
As the complexity of money laundering in cryptocurrencies continues to evolve, the detection processes will need to move quicker in making use of valuable data associated with mining to prevent laundering and support law enforcement in identifying assets of criminal origin.
Dev Odedra is an independent AML and financial crime expert based in the UK. Having worked at many of the largest global banks, his experience includes managing financial crime risk in the retail, corporate and investment banking sectors. His expertise includes AML investigations, advisory, controls implementation and improvement.
Chris Gschwend is a Senior Compliance advisor at MME Legal in Zürich, Switzerland. She specializes in blockchain analytics, sanctions, AML and trade compliance. Chris is a regular speaker, teacher and Member of the Board of the OpenVASP Association, currently developing a solution for compliance with the FATF travel rule.