Is it possible that any of us are at all surprised to learn that in just the first quarter of 2019 more than US$1.2 billion worth of cryptocurrency was stolen? Probably not. This story follows the old line from bank robber Willie Sutton who is credited with saying that he robbed banks “because that’s where the money is.” So not much has changed. Cryptocurrencies are not exactly money, though, even if they do have a market value.
In 2019, protecting unregulated cryptocurrencies is much more complicated than securing monies held in traditional banks. As the global markets increasingly utilize cryptocurrencies, new cybercriminal threats emerge. Even the largest cryptocurrency exchanges have become vulnerable, as we saw earlier this month, when Binance suffered a loss of 7,000 bitcoin, to the tune of roughly $41 million dollars, thanks to sophisticated hackers.
So what are lawmakers doing to protect cryptocurrency holders?
We are starting to see the emergence of anti-money laundering (AML) protections around the world, including from FINRA (Financial Industry Regulatory Authority). Although it is not a government entity, FINRA is “a not-for-profit organization authorized by Congress to protect America’s investors by making sure the broker-dealer industry operates fairly and honestly.”
FINRA’s stated purpose behind its AML rules:to help detect and report suspicious activity including the predicate offenses to money laundering and terrorist financing, such as securities fraud and market manipulation.The Asia/Pacific Group (APG) also has established AML and counter-terror financing (CFT) regulations that cover cryptocurrencies.
In addition, the Financial Stability Board (FSB), whose members include the U.S., the European Union, and some 20 other countries, has taken steps to address the unique problems posed by cryptocurrencies. The FSB last month published its crypto-assets regulators directory “to provide information on the relevant regulators and other authorities in FSB jurisdictions and international bodies who are dealing with crypto-asset issues, and the aspects covered by them.”
Who’s watching all of these cryptocurrency thefts, scams, and frauds?
Crypto Crime Tracking
The Anti-Phishing Working Group has tracked phishing and malware attacks against bitcoin and other cryptocurrencies since 2011. Last year, it established a separate Working Group for Crypto Currency. The APWG Crypto Currency Working Group does the following:Helps protect cryptocurrency exchanges, wallets, investment funds and consumers against loss of cryptocurrency assets due to phishing and targeted attacks.
Enables cryptocurrency exchanges to submit live phishing information to the APWG eCrime Exchange (eCX) and get that data distributed into Web browsers, email clients and other security products in real-time, protecting more than 100 million consumers. Of course, this is now important because all businesses are vulnerable to phishing and malware attacks, which are in the news every day — so much so that hardly anyone ever raises an eyebrow.Surely the APWG Crypto Currency Working Group will continue to be very busy given the scale of Cybercrime today.
Where is all the “money” going? Offshore, apparently.
In the past two years there has been a sharp increase in cross-border bitcoin payments, up some 46 percent since March 2017, according to a CipherTrace Cryptocurrency Intelligence report. The likely reason for this noteworthy increase relates to traceability. Given the limited controls over cryptocurrencies and the decentralized global market for trading them, the lack of uniform regulations from country-to-country makes it difficult for enforcement agencies to trace the stolen funds.
Once moved to offshore exchanges in unregulated countries, cryptocurrencies become incredibly hard to track, often leaving U.S. authorities in the dark. While global regulations are in the works, it does not seem these efforts can keep pace with cybercriminals looking to cash in on a relatively defenseless market.
How to Avoid Phishing and Related Malware
There are simple things that cryptocurrency companies can do to reduce the risks associated with phishing attacks and related malware. For instance, regularly train all employees to be alert for phishing emails. Based on current statistics, less than 50 percent of businesses provide phishing training.
Some sources of phishing attacks often go unnoticed. Virtually every business in the world allows employees to use cellphones, tablets and personal computers (aka BYOD — bring your own device). So cybercriminals know that those devices are entry points for phishing attacks and malware.
Another problem in today’s world is businesses’ failure to backup data files properly, so that if there is a malware attack the business can recover. Since the time from intrusion to detection is eight months, according to the FBI, what’s happening during those eight months?
One thing is that cybercriminals are technically savvy enough to know that if they create malware in the backup of data, then the ability to reconstruct data likely will be impaired. A cybercriminal who has eight months to study backup procedures can figure out how to do the most damage by destroying data.
During those eight months of undetection, cybercriminals also can study the blockchain technology that hosts the cryptocurrency. So it should come as no surprise that KPMG recently issued a recommendation that blockchain developers need the mentality of cybercriminals.