Want to eliminate ransomware? Regulate crypto exchanges

Between July 2020 and June 2021 alone, ransomware activity spiked 1,070%, according to a recent Fortinet report, and other researchers confirm the proliferation of this mode of extortion. Mimicking the predominant business model of the legitimate tech world, ransomware-as-a-service portals sprang up in the darkest corners of the web, institutionalizing the shadow industry and lowering the barrier to entry for would-be criminals. The trend should be a wake-up call for the crypto ecosystem, especially since ransomware attackers have a knack for demanding payment in crypto.

That said, the industry that was once the Wild West is settling into a more orderly framework. Slowly but surely seeping into the mainstream, it has now reached the point where some of the largest centralized exchanges (CEXs) are hiring high-level financial crime investigators to oversee their anti-money laundering efforts.

The problem is that not all venues are created equal. A centralized exchange works the same way as a traditional business entity, but that doesn’t mean every CEX is now queuing up to get its anti-money laundering (AML) program right. Things get even trickier with decentralized exchanges (DEXs), which, let’s face it, aren’t as decentralized as their name suggests, but like to pretend otherwise. In most cases, DEXs have little to nothing in terms of Know Your Customer (KYC) checks, letting users jump between coins and blockchains as they please while leaving few traces. While some of them may use various analytics services to perform background checks on wallets, criminals can try to circumvent those checks using mixers and similar tools.

Related: DAOs are supposed to be completely autonomous and decentralized, but are they?

When it comes to ransomware cash flow, DEXs and CEXs are both high on the radar, but criminals use them for different purposes. Criminals use DEXs, along with mixing services, to launder the ransom paid by victims, moving it from address to address and from currency to currency, according to a recent report by the US Financial Crimes Enforcement Network. CEXs, on the other hand, primarily serve as an exit point, allowing criminals to cash out into fiat.

Related: Crypto in the crosshairs: US regulators eyeing the cryptocurrency sector

Letting stolen money flow through your platform is bad for everyone involved, and sometimes it has consequences. In September 2021, the US Treasury imposed sanctions on the OTC broker Suex for facilitating ransomware money laundering. The exchange was nested on Binance, although Binance said it had de-platformed Suex long before the Treasury designation based on its own “internal safeguards”.

The development should be a wake-up call for CEXs and DEXs everywhere, as it extends the domino effect of US sanctions into the crypto ecosystem. A sanctioned entity may be comfortably settled in its home jurisdiction, but in today’s interconnected world, US sanctions hamper even the transactions with foreign clients that it might wish to undertake. It doesn’t have to involve just Binance: it could include any legitimate business with a US presence and interests, and the same goes for hosting providers, payment processors, or anyone else enabling the day-to-day operations of the target company.

In theory, sanctions could even indirectly affect decentralized entities in multiple ways. Decentralized projects still normally have core development teams associated with them, which raises the prospect of individual liability. In the future, and with enough regulatory stringency, they might even see their inbound and outbound traffic throttled or outright blocked by ISPs, unless users resort to additional obfuscation tools such as VPNs.

Related: From NFTs to CBDCs, Crypto Must Tackle Compliance Before Regulators Do

Attrition war against ransomware

The Suex OTC incident and its far-reaching implications hint at what could become a broader strategy to snuff out ransomware groups. We know they depend on multiple nodes inside the crypto ecosystem, but DEXs and CEXs hold special value for them because they let them cover their tracks and put money in their pockets. And that, in most cases, is the end goal.

It is naïve to expect every player in this field to be equally diligent with their internal safeguards. Enforcing KYC and AML standards on exchanges will, at the very least, make it harder for criminals to move crypto and withdraw cash. Such moves would raise their costs, making the whole operation less profitable and, therefore, less attractive. In the long term, ideally, this could deprive them of vital parts of the vast infrastructure they use to move money, making the cookie jar effectively inaccessible. And why go after money that you can’t put in your pocket?

With advances in machine learning and digital ID, DEXs can become as adept at KYC as their centralized counterparts, using AI to process the same documents that banks rely on for their KYC efforts. It’s a procedure that can be automated, giving legitimate customers more peace of mind and potentially attracting more cash flow thanks to a regulated status. The crypto community could go one step further by implementing additional controls on transactions involving exchanges and services known to have a high proportion of illicit activity. Measures such as blacklisting wallets are unlikely to gain wide popularity, although blacklisting is not unheard of in the crypto space: NFT platforms, for example, have recently frozen trading in stolen NFTs. Even limited adoption can make a difference, bringing more legitimate traffic to exchanges that go the extra mile.
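To make the two mechanics above concrete, namely the hop-by-hop laundering path through mixers and DEXs described earlier and the transaction controls against flagged counterparties proposed here, the following is an added example written for this article, not code from the author, GK8 or any exchange. It builds a tiny transfer graph from constructed, made-up address labels and amounts (the label `otc_broker_x` stands in for a hypothetical designated OTC desk; no real addresses or designations are used). It shows two things: tracing forward from the victim’s payment dead-ends at the mixer, because a mixer’s withdrawals are not linkable on-chain to its deposits, and screening a deposit by walking upstream from it against a sanctions list still catches the flagged counterparty within a hop budget. The hop limit is itself a caveat: set it too low and the exposure is missed.

```python
"""Hop-limited exposure screening over a constructed crypto transfer graph.

Added illustration for this article, not the author's or any vendor's code.
All addresses and amounts below are constructed sample data.
"""
from collections import defaultdict, deque

# Hypothetical designated entity; stands in for a sanctioned OTC desk.
SANCTIONED = {"otc_broker_x"}

# Constructed transfers: (from_address, to_address, amount).
# Note the deliberate gap between "mixer_deposit" and "mixer_withdraw":
# a mixer's output is not linkable to its input on-chain.
TRANSFERS = [
    ("victim_treasury", "ransom_wallet", 100.0),   # ransom paid
    ("ransom_wallet", "mixer_deposit", 100.0),     # into a mixer
    ("mixer_withdraw", "dex_swap_pool", 60.0),     # out of the mixer, swapped on a DEX
    ("dex_swap_pool", "otc_broker_x", 60.0),       # to the (hypothetical) sanctioned OTC desk
    ("otc_broker_x", "layer_1", 30.0),             # layering hops before cash-out
    ("layer_1", "layer_2", 30.0),
    ("layer_2", "exchange_deposit_a", 30.0),       # lands on a CEX deposit address
    ("retail_user", "exchange_deposit_b", 5.0),    # unrelated, clean deposit
]


def build_graph(transfers):
    """Return forward and reverse adjacency lists keyed by address."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, dst, amt in transfers:
        fwd[src].append((dst, amt))
        rev[dst].append((src, amt))
    return fwd, rev


def reachable(adj, start, max_hops):
    """BFS over adj, returning {address: hop_count} for nodes within max_hops."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if seen[cur] >= max_hops:
            continue
        for nxt, _amt in adj.get(cur, ()):
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    return seen


def trace_forward(transfers, origin, max_hops=10):
    """Follow funds downstream from origin; stops wherever the chain of edges ends."""
    fwd, _rev = build_graph(transfers)
    return reachable(fwd, origin, max_hops)


def screen_deposit(transfers, deposit_addr, flagged, max_hops=5):
    """Screen an incoming deposit by walking upstream from it.

    Returns (decision, hits) where hits maps each flagged address found
    within max_hops to its distance. Policy: a direct (1-hop) flagged
    counterparty is blocked, anything further upstream goes to manual review.
    """
    _fwd, rev = build_graph(transfers)
    upstream = reachable(rev, deposit_addr, max_hops)
    hits = {addr: hops for addr, hops in upstream.items() if addr in flagged}
    if not hits:
        return "allow", hits
    if min(hits.values()) == 1:
        return "block", hits
    return "review", hits


if __name__ == "__main__":
    print("forward trace from victim:", trace_forward(TRANSFERS, "victim_treasury"))
    for addr in ("exchange_deposit_a", "exchange_deposit_b", "layer_1"):
        print(addr, "->", screen_deposit(TRANSFERS, addr, SANCTIONED))
    print("too-short hop budget:", screen_deposit(TRANSFERS, "exchange_deposit_a", SANCTIONED, max_hops=2))
```

Tracing forward from `victim_treasury` reaches only `ransom_wallet` and `mixer_deposit`, which is exactly why investigators cannot rely on following the victim’s payment alone. Screening `exchange_deposit_a` upstream finds `otc_broker_x` three hops back and sends the deposit to review, while the unrelated `exchange_deposit_b` is allowed and a deposit arriving straight from the flagged desk is blocked. With `max_hops=2` the same tainted deposit is allowed, so the hop budget, the label list and the mixer blind spot are the three knobs a real screening program has to reason about.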

Related: Major Crypto Exchanges Target Asian Market Amid Growing Regulatory Clarity

In military terms, it’s like waging a war of attrition against ransomware groups: exhausting the enemy instead of causing direct, immediate damage. A sophisticated ransomware attack requires a huge investment of time and money. This is true both for teams developing a bespoke tool for a specific high-value target and for operators of ransomware-as-a-service platforms. Not being able to cash the ransom means most of that time, effort, and investment just went to waste.

Critics may argue that such measures would not work, simply because hackers can always switch to another payment mechanism to collect their money, such as gift cards. To some extent this is true: where there’s a will, there’s a way. But consider this: Colonial Pipeline had to pay a ransom of roughly $5 million in crypto to suspected Russian hackers. How easy would it have been for the attackers to cash out the same amount in Walmart gift cards? Would the risk-reward ratio still justify the attack? I doubt it. It makes sense to invest millions to steal billions, but moving those billions into anything but crypto without raising a bunch of red flags is a whole different story.

Related: Are cryptocurrency ransom payments tax deductible?

There’s a better counter-argument here: the ransom isn’t always the motivation. A state-backed group striking as part of a larger adversarial campaign would appreciate the extra money, but it’s just as interested in keeping its handlers happy. That’s the pinch of salt to take with the pro-regulation argument, and yet even denying a ransom to financially motivated hackers would already make a dent or two in the proliferation of ransomware.

All in all, ransomware is a complex problem, and no single silver bullet will solve it. It will require a more nuanced approach and, most likely, greater international cooperation. There are, however, good reasons to make exchange regulation an important part of these efforts, in order to deprive attackers of the opportunity to reap the rewards of their attacks and thus strike at the financial heart of their operations.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

The views, thoughts and opinions expressed herein are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Lior Lamesh is the co-founder and CEO of GK8, a cybersecurity company that offers a self-managed end-to-end custody platform with true cold storage and hot MPC capabilities for banks and financial institutions. Having honed his cyber skills within Israel’s elite cyber unit reporting directly to the Prime Minister’s Office, Lior oversees GK8’s on-site hardware and software development.