Cyberware criminals, drug traffickers, and even hostile state actors can abuse decentralized finance services (DeFi) to transfer and launder their ill-gotten gains through the U.S. without alerting financial authorities, the U.S. Department of the Treasury warned in its latest assessment.
Cryptocurrencies and non-fungible tokens (NFTs) are but a few examples of DeFi services that can be used without the user or customer needing to provide their personal information. This therefore presents financial authorities with the added challenge of following a criminal’s trail and locating their illicit money.
What makes DeFi services such an attractive option for criminals is the lack of federal regulation and oversight imposed on them that would otherwise be par for the course in more centralized institutions like banks and credit unions.
Such criminal activity, the assessment found, occurs even at the state level. The Treasury highlighted that agents of the Democratic People’s Republic of Korea (DPRK) have in the past used DeFi services to steal, transfer, and launder the country’s ill-gotten gains.
“Actors like the Democratic People’s Republic of Korea (DPRK), cybercriminals, ransomware attackers, thieves, and scammers are using DeFi services to transfer and launder their illicit proceeds,” the Treasury said. “They are able to exploit vulnerabilities, including the fact that many DeFi services that have anti-money laundering and countering the financing of terrorism (AML/CFT) obligations fail to implement them.”
For example, in March last year, the Lazarus Group, a North Korean state-sponsored cyber hacking group that is sanctioned by the U.S., hacked into an NFT blockchain online game called Axie Infinity and stole over US$600 million in virtual assets. At the time of the heist, authorities had no clue of the group’s involvement; it took almost a year for the truth to come to light.
Ransomware criminals, scammers, and drug traffickers are other actors highlighted by the Treasury that use DeFi services to steal and launder their illicit proceeds.
One way in which they can achieve this is through a virtual asset mixer, which obfuscates the source and destination of a digital transaction. Mixers accomplish this by pooling virtual assets from a variety of digital wallets and accounts into a series of transactions, but splitting the total amount sent into multiple smaller ones and trying to pass them off as a series of independent transactions unrelated to one other.
These laundering methods, the Treasury said, create additional hurdles for financial investigators attempting to trace the illicit proceeds behind a crime.
In the U.S., the Bank Secrecy Act (BSA) requires financial institutions to assist U.S. government agencies in detecting and preventing money laundering. One way financial institutions are obligated to do so is by filing a suspicious activity report whenever a digital transaction is believed to be linked to criminal activity.
To get around this hurdle, money launderers can resort to unregulated enablers such as DeFi services, simply because they do not receive the same degree of scrutiny from U.S. financial authorities.
Worse still, the Treasury notes that there is currently no generally accepted definition of what constitutes a DeFi service, or even “what characteristics would make a product, service, arrangement or activity ‘decentralized.’”
The opaqueness of this unregulated, undefined digital marketplace means that, for the moment at least, criminals hold the advantage over authorities when it comes to laundering their ill-gotten gains.
April 13, 2023 Published by The Organized Crime and Corruption Reporting Project.