Cryptocurrencies have been a controversial topic in the FinTech space and wider financial sector in recent years. Despite a reputation for higher financial crime risk, their increased popularity makes them difficult to ignore and financial institutions are looking for compliant ways to engage. With evidence to suggest that sanctioned governments are using cryptocurrencies, a robust and responsive risk approach is necessary.
The divisions between north and south are complex, but at first glance it would seem South Korea leads when it comes to the FinTech sector, and more specifically cryptocurrency trading. Along with Japan, they are regional leaders and South Korea is home to some of the world’s largest crypto-exchanges, including Bithumb and Upbit, with a disproportionate volume of trade passing through its markets.
There has appeared in recent months to be the potential for a thawing of international relations for North Korea, which has been under UN sanctions since 2006, and US sanctions from as far back as 1950. In recent weeks there have been renewed calls from Kim Jong Un’s regime for an end to US sanctions, following the North Korea-US summit in June, where Donald Trump suggested an agreement could be reached. But with latest UN reports suggesting the Kim regime is continuing to build their nuclear military capability, a lifting of sanctions is unlikely to happen soon. This makes any North Korean involvement in the relatively borderless market of cryptocurrency trading a cause for concern.
As sanctions persist, the decentralized, interconnected and potentially anonymous nature of cryptocurrencies offers a portal into the international economy. It is a way to circumvent economic restrictions that hold the country in poverty, and to continue to fund the country’s nuclear programme which is estimated to cost 30% of the country’s GDP. Despite the hardship of ordinary people, Kim is himself worth an estimated $5 billion. An unsurprising fact, as North Korea is among the most corrupt in the world, currently 171 out of 180. Much of Kim’s wealth is rumoured to be held overseas, making the illicit movement of funds a high priority and the under-regulated alternative of cryptotrading very attractive. The difficulty of tracing the source of virtual funds, especially when trading involves private coins that anonymise the seller and buyer, is compounded when digital assets are exchanged for legal tender. The dollars, euros or pounds can be entirely without trace of their suspicious origins.
The regime has also allegedly turned its hand to simple theft of cryptocurrencies. Utilising established cyber capabilities, witnessed in such devastating international cyber attacks as 2017’s WannaCry ransomware attack, North Korea is the main suspect behind at least three successful hacking attempts of cryptocurrency exchanges within the past year. This includes the security breach of the Japanese exchange Coincheck in January, where an equivalent of $530 million worth of coins and tokens was stolen. It is uncertain how much of this reached North Korea, although some estimate the regime was in possession of $200 million worth of Bitcoin and other cryptocurrencies as of March 2018.
Russia’s Crypto Measures
Along with ongoing talk of a national Russian cryptocurrency, the CryptoRuble, that could potentially evade sanctions, another example of the growing interplay between state-sponsored financial crime and digital assets can be seen in Russia’s alleged meddling in the 2016 US election. Last month, as part of the ongoing Special Investigation led by Robert Mueller into Russian active measures to influence the outcome of the election, 12 Russian nationals were indicted for hacking email accounts affiliated with Hillary Clinton, using cryptocurrencies in an attempt to cover their tracks.
The perceived anonymity of cryptocurrencies made them the means of choice for facilitating this cross-border criminality. However, in this case, they were in fact the means by which the criminals were identified. In the indictment, conspirators were identified using the same pool of bitcoin funds to purchase infrastructure that was used for the hacking, such as a virtual private network (VPN). They also raised funds through bitcoin mining.
It also detailed how they obscured the origin of bitcoin they received:
‘this included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.’
As the indictment shows, attention to the mechanisms of virtual currency trading is increasingly relevant to the crime itself. They laundered ‘the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies’. The growing awareness and recognition of the intricacies of the cryptomarket by authorities, means the same will be expected of financial institutions. It was noted the 12 Russians used a mix of currencies including US dollars so the border between fiat and cryptocurrencies needs to be understood as an institution that believes itself to deal only in one or the other, is likely exposed to both.
Practical Steps for FinTechs
With over 1500 cryptocurrencies currently in circulation, a first step for a FinTech engaging with cryptocurrencies is to be aware of the relative risk of different cryptocurrencies, with the highest risk being private coins and of course coins created by sanctioned entities, such as Petro coin by Venezuela.
Weak KYC and verification processes on signing up for an account with a crypto-exchange is an important factor. Weak KYC can be deliberately aimed at encouraging wider adoption, with minimal identification required, often with an ideological basis of preserving the anonymised freedom of the virtual realm.
Geography is central to assessing financial crime risk. While the majority of exchanges have some restrictions in place for the jurisdictions they serve, usually in line with international sanctions, others such as Russian crypto-exchange Simex will allow a North Korean citizen to sign up for an account.
Regulatory status of a crypto-exchange is a particularly fast evolving risk factor. There is a global move towards both self-regulatory organisations and the establishment of regulatory authorities. However it is evident that exchanges with lower levels of regulation often have more users and more coins on offer. A lack of oversight that makes these platforms more vulnerable to financial crimes like money laundering, terrorist financing and yes, sanctions evasion.
While cryptocurrency trading continues to shift and adapt to geopolitical trends, FinTechs are excellently placed to respond to changes as they emerge. A comprehensive understanding of the unique financial crime risks surrounding cryptocurrencies and how this is situated in its political landscape will allow firms to assess both the individual customer and their virtual funds in their full context. Cryptocurrency trading is one weapon in the cyber arsenal of hostile states such as North Korea and this dimension of risk from sanctioned entities should be included by any FinTech looking to deal with crypto funds. As seen in the case of Russian active measures, proper controls can go far in tracing criminal use of cryptocurrencies, and - with the accuracy and permanence of digital transaction data - perhaps even more so than traditional currencies.