While Binance announced it had recovered $5.8 million in stolen funds from the Lazarus Group on Friday, law enforcement still has a long way to go in equipping itself with the sophisticated tools that its AML efforts need to investigate crypto-related crimes.
Since the U.S. Treasury Department sanctioned the digital wallet holding the stolen funds, hackers have begun moving the funds around, laundering close to $100 million in small installments through Tornado Cash, a mixer service that obscures the link between the source and destination of any given crypto transaction.
Indeed, there is undoubtedly an arms race underway as hackers look for new ways to target consumers, most recently through social engineering tactics such as those used in the Trezor-Mailchimp phishing scam.
According to an Elliptic employee, this is a crucial time for both law enforcement and the industry overall:
“We’re at a particularly important moment: Everyone is still learning what’s possible and how attacks might occur, and the borderless nature of crypto makes it difficult to enforce standards globally,” said the employee.
“These are people acting all over the world. Even if you enforce very well in one jurisdiction, if there are other jurisdictions with weaker enforcement, you’re still going to end up with a problem.”
Should DeFi consider AML compliance solutions?
By and large, the intelligence tools used by law enforcement can track crimes taking place directly on blockchains, rather than find money from other crimes that makes its way into crypto territory.
Some DeFi smart contracts allow the conversion of illegally acquired funds to privacy-centric cryptocurrencies like Monero, making it even easier to remove the trail of breadcrumbs for law enforcement to follow. Monero transactions are recorded in an obfuscated ledger, making transaction visibility more complex than on a public ledger like the Bitcoin Network.
Certainly, DeFi is difficult to police: $8.6 billion was laundered in 2021, a 30% increase in money laundering activity over 2020, according to Chainalysis, with $900 million received by suspicious addresses. According to Chainalysis, those figures only represented funds derived from “cryptocurrency-native” crime, meaning cybercriminal activity such as darknet market sales or ransomware attacks in which profits are almost always derived in crypto rather than fiat currency.
“This demonstrates the DeFi platforms need to consider compliance solutions to prevent their platform from being abused for illicit activity,” said Kim Grauer of Chainalysis.
“DeFi is using loopholes in regulation because they don’t actually hold the customer’s money, unlike a broker,” said David Jevans, a senior executive of CipherTrace, a company started in 2015 with money from the US federal government.
The clock is ticking for lawmakers
Right now, lawmakers are in a quandary. If the Lazarus Group is using laundered money to fund North Korea’s ballistic missile and nuclear efforts, having orchestrated last year’s ransomware attack upon the Colonial Pipeline, then it behooves the U.S. federal government to treat these as national security threats.
Yet questions remain as to whether it is legal under U.S. federal law to force software developers to comply with AML rules. “The writing and publishing of software is free speech under the First Amendment,” opines Miller Whitehouse-Levine, a policy director at the DeFi Education Fund.
One approach to regulation could be to find a corporate hook into DeFi platforms upon which regulatory mandates could be hung.
As a case in point, SEC chair Gary Gensler said that DeFi reminded him of the P2P lending business from an earlier part of the century, which had an intermediary. One could latch onto DeFi governance mechanisms, for example, and build a framework around that.
Ultimately, the clock is ticking for lawmakers.