So I’ve talked about Banking-as-a-Service for some time, but what about Crime-as-a-Service? It does exist on a pay-as-you-blow basis.
Europol were one of the first to note this trend, in a report published late last year (from ITPro):
According to the organisation’s 2014 Internet Organised Crime Threat Assessment (iOCTA), the model allows cybercriminals to develop sophisticated malicious products and services before selling them on to the less experienced to use via the “digital underground” world.
As a result, it’s getting easier for less technically-minded criminals to engage with cybercrime, putting companies at even bigger risk.
“In a simplified business model, a cybercriminal’s toolkit may include malicious software, supporting infrastructure, stolen personal and financial data and the means to monetise their criminal gains,” the report states.
“With every aspect of this toolkit available to purchase or hire as a service, it is relatively easy for cybercrime initiates – lacking experience and technical skills – to launch cyber attacks not only of a scale highly disproportionate to their ability but for a price similarly disproportionate to the potential damage.”
Many of these transactions take place on the “Dark Net”, which the report states has fuelled evolution of cybercrime in recent years.
They followed this up on Tuesday with an assessment that cryptocurrencies are becoming the value exchange of choice for Crime-as-a-Service (from Coindesk):
Digital currencies are increasingly serving as a money laundering platform for “freelance criminal entrepreneurs operating on a crime-as-a-service business model”, according to a new Europol report.
The EU’s law enforcement agency said that the decline of traditional hierarchical criminal networks will be accompanied by the emergence of individual criminal entrepreneurs, who come together on a project basis.
The report, which identified the key driving factors affecting the EU’s criminal landscape, predicted that the role of freelance crime organisers is expected to “become more prominent”.
It added that individuals with computer expertise are very valuable to criminal organisations and that people with such skills are expected to advertise their services in exchange for payment in cryptocurrencies.
The report continued:
“Virtual currencies are an ideal instrument for money laundering. In addition to traditional layering methods, cryptocurrencies use specialised laundering services to obfuscate transactions to the point where it is very resource-intensive to trace them.”
This gets interesting as I attended a policy forum last week where the UK’s National Crime Unit were saying that they’ve spent “an inordinate amount of time investigating cryptocurrencies”. I asked what they meant by that, and they clarified that it was time spent understanding them. When I then asked if they saw much criminal activity in cryptocurrencies, they said not yet. The National Crime Unit see most money laundering crime in cash (€500 notes being the launderers’ note of choice). They only use cryptocurrencies if the payee demands payment that way.
However, this is because cryptocurrencies are still minor league compared to cash markets, and they are being studied as some of the action in cryptocurrency exchange is for illicit activities on the dark net. Note, cryptocurrency guys, that I say some, not all.
For example, in a further Europol study produced in February, they find that bitcoin is the preferred currency of paedophiles (from Coindesk):
Bitcoin is increasingly being used to pay for livestreams of child sex broadcasted over illicit Internet sites, according to a new Europol report.
Produced by Europol’s EC3 cybercrime centre, the report sheds new light on the commercial sexual exploitation of children online, while providing evidence that individuals with a sexual interest in children are becoming more entrepreneurial.
“Live streaming of abuse for payment is no longer an emerging trend but an established reality”, the report said.
“There is a clear shift from traditional credit card payments to the ones providing the most anonymity, namely alternative payment options, including virtual currency.”
In line with the International Centre for Missing and Exploited Children's (ICMEC) findings, the report said that “there is apparent migration of commercial child sexual exploitation, along with other criminal enterprises, from the traditional payments system to a new, largely regulated digital economy made up of hosting services, anonymising Internet tools and pseudonymous payment systems”.
Add to the above the use of bitcoins for terrorism. According to Bitcoin News, the United States Central Command has been studying the alternative payment methods terrorist organisations use to raise and transfer money around the globe to support their activities. Digital currencies proved to be one of the most efficient mechanisms for the transfer of funds due to their decentralized nature, which facilitates anonymous donations, as opposed to traditional banking transactions using fiat currency. Recently, an Israeli analyst has come up with concrete evidence that ISIS is raising funds in Bitcoins, most likely in the United States, to fund their operations.
This is not even to mention the use of cryptocurrencies by drug dealers.
What is intriguing in all of this is that the cryptocurrency community believe they are unassailable. Money is decentralised by bitcoin and they believe (or hope) it is therefore immune to governmental and regulatory control. Anyone who disagrees is a statist.
Conversely, for the reasons given above – terrorism, drug running, extortion and sex trafficking – this idea of a decentralised market that governments are excluded from controlling may be wrong. To be clear however, bitcoin and cryptocurrencies are not the problem here. You have massive use of cash for terrorism, money laundering, drug running and paedophilia. It is the reason why the US dollar has more physical stores outside the USA than inside, and is the reason why it’s the currency of choice for people like Saddam Hussein. Equally, it should be borne in mind that cryptocurrencies are not anonymous, are traceable and are available in a form that can be identified, so governments do have ways to deal with them.
The most likely start will be on the cash-in and cash-out moments of cryptocurrency usage. You may be able to use cryptocurrencies in a revolving credit and debit scheme bilaterally but, as soon as you try to cash out or put cash into the scheme, the national jurisdictions will make the transaction subject to national laws.
Over time they will then get other regulatory structures put in place. A whole raft of papers have already been issued on these themes, with the latest iteration of the New York Department of Financial Services (NYDFS) cryptocurrency regulation – or the BitLicence if you prefer – providing clear requirements for cryptocurrency usage. Issued last month, the NYDFS BitLicence requires any trading firm to adhere to a collection of rigid rules. There’s a raft of requirements for capital provision, record-keeping, and even oversight of new or planned features, such as:
- The BitLicence application itself costs $5,000
- Firms must keep detailed records of customer names, addresses, dates, and transaction amounts for at least seven years
- Audits will be made every two years by the NYDFS
- Firms must get written approval before changing products or services, or creating new ones
- Mandatory internal anti-money laundering programs must be implemented, including enhanced oversight of foreign customers and those who transact in amounts greater than $10,000
- Firms must have an internal cybersecurity program to protect personal and financial information from hackers
- Firms must show a clear disaster recovery plan in the event of attempted or successful theft
These BitLicence rules make cryptocurrency trading firms, to all intents and purposes, banks.
Equally, it means that for every step the cryptocurrency markets innovate ahead of the curve, the lawmakers review, analyse and try to keep up. Whether they can keep up or not is a different question.