The patchwork of the regulatory framework within the United States and the Securities and Exchange Commission’s (SEC) enforcement-first approach aims to protect consumers. However, this approach may lead to the creation of a large ecosystem of offshore crypto players that may not cooperate with law enforcement agencies and regulators alike.
The latest U.S. government press on the digital asset industry to have drawn scrutiny is the tax authority’s “broker” rule. The proposal, which maps out how crypto brokers and investors would report transactions to the Internal Revenue Service (IRS), was condemned this month by many in the industry as an existential threat to investor privacy and decentralized crypto projects — reinforcing the idea that the United States is chasing businesses abroad.
The complexity, gaps and overlaps in regulatory jurisdiction create loopholes for malicious actors and have also triggered an exodus, with crypto enterprises seeking favorable regulatory havens offshore.
Bad actors have been able to exploit gaps in murky U.S. regulatory policies through several tactics, and while regulatory bodies attempt to police crypto markets, their efforts often fall short in the face of a global, decentralized industry. A prime example of this occurred on Oct. 3, when U.S. District Judge Analisa Torres denied the U.S. SEC request to appeal a decision regarding Ripple Labs and its cryptocurrency, XRP. Torres ruled that XRP doesn’t constitute a security when sold to the general public, marking a significant setback for the SEC in its endeavor to establish regulatory oversight over the crypto sector.
Overseas, competitors are also taking advantage of the imbalance by allowing regions like Hong Kong to issue licenses for companies supporting retail crypto clients. Against the backdrop of lawsuits against top U.S. crypto enterprises, a Hong Kong legislator quipped, “I hereby offer an invitation to welcome all global virtual asset trading operators including @coinbase to come to HK.”
While competitors test the market opportunity created by the U.S. government, crypto criminals are also seizing the moment. It’s not rocket science. As CEO of a predictive risk platform, I get direct insight into how bad actors find policy loopholes. To build a more effective policy regime that fosters crypto innovation and encourages practical enforcement, it would also be critical to take a hard look at some of the unintended consequences of crypto regulation.
Lost in Translation: The Regulatory Vacuum in Crypto
Crypto has long been regarded as something of a Wild West — and that kind of no-holds-barred ethos still exists today in jurisdictions where it is unregulated. When their home market does not collaborate internationally with other authorities, criminals are still able to operate freely and with impunity.
This evasion is most evident among hacker groups, drug traffickers, ransomware groups and terrorist organizations which often operate in lawless or isolated countries. As unclear regulations drive U.S. crypto firms offshore, the ensuing ecosystem may prove less cooperative with law enforcement agencies. This is particularly concerning when authorities seek to freeze assets tied to illicit activities. In some cases, state-backed actors, such as the infamous Lazarus Group, which has been linked to numerous high-profile cyberattacks, commit acts of sabotage and financial crime for the benefit of their homelands. With government support, these criminals face no risk of prosecution in their home countries.
Even in the U.S., cloudy agency jurisdiction poses significant risks to customers and investors. No federal agency has regulatory authority over the trading of digital assets that are neither securities nor derivative instruments on commodities, including some cryptocurrencies. Some of the largest digital asset markets fall within this unregulated area, posing a substantial gap that leaves the market open to manipulation and other abusive trading practices. Additionally, this regulatory void extends to cybersecurity practices, thereby escalating the risk of hacks in the crypto market.
Coin Mixers and Border Crossing
While strict regulations may easily stop companies from conducting business in a particular jurisdiction, law enforcement agencies will have a harder time preventing users from utilizing services located offshore. Malicious actors leverage coin mixers to bypass compliance requirements and disguise their funds by obfuscating the transaction history of their assets.
One of the most notable coin mixers, Tornado Cash, was sanctioned by the U.S. government in August 2022 for allowing illicit actors to launder more than $7 billion since its creation in 2019. But sanctions only go so far. Although a country can ban coin mixers from operating within their borders, bad actors based there may still access coin mixers abroad through technologies like virtual private networks or Tor browsers.
The sanctions by the Office of Foreign Assets Control (OFAC) led to a sharp drop in Tornado Cash’s usage. However, this dip also highlighted an uptick in illicit usage. Although the total transaction volume plummeted, the ratio of known illicit activities to the service’s volume increased significantly. We have noticed a significant uptick in the usage of Tornado Cash in hacks this year, as illustrated by Zunami Hack, Arcadia Finance Hack and CivFund Hack, among others. But in the background, a ripple effect is also starting to take shape: Illicit actors are adapting their practices and moving toward smart contract-driven laundering through swaps, cross-chain bridges and decentralized protocols. A prominent illustration of this trend is the recent AlphaPo hack, wherein the perpetrators employed multiple bridges and swap transactions to launder the stolen funds and obscure their trail.
Flimsy Know Your Customer (KYC) Processes
Most legitimate crypto businesses have robust processes in place for KYC. A common loophole in these systems is that they often rely on the customer providing a set of documents and may skip cross-referencing those documents with the person providing them. This security oversight allows criminals to submit stolen — but legitimately approved — accounts, wallets and profiles for illicit purposes.
Several crypto exchanges have been criticized for deficient KYC practices, and although some have responded with tighter requirements, many lack effective safeguards against fraud, money laundering and terrorist financing. One way criminals can maintain anonymity with little to no KYC checks and speedy trading is through nested exchanges. Customers of these exchanges often consist of scammers, fraudsters, oblivious users and even some terrorist organizations.
Money mules are another way laundering transactions are going undetected. These domestic criminals work on behalf of their foreign co-conspirators to deposit and transfer scam victims’ money into cryptocurrency. One such operation caught last year by Texas law enforcement targeted thousands of victims and funneled more than $300 million in annual money laundering transactions.
Unregulated DeFi Liquidity Pools and Tokens
Liquidity Provider (LP) tokens are granted to individuals who contribute their cryptocurrency to liquidity pools, but hackers often craft unauthorized or counterfeit LPs to artificially sway the valuation of assets within liquidity pools. This manipulation grants hackers the power to dupe decentralized finance (DeFi) platforms and entities, capitalizing on automated processes and smart contracts to unlawfully amass funds and assets. The absence of a regulatory framework to monitor and authenticate LP token issuance exacerbates this issue, highlighting the need for improved regulatory measures in the crypto space.
Similarly, shā zhū pán (pig butchering) scams are on the rise, operating using romance-based social engineering to lure victims and their funds to join fake liquidity pools. At a chosen time, the scammers empty the entire pool for themselves. Last month, Sophos’ investigation of a major pig butchering operation revealed $1 million stolen utilizing fake liquidity pools.
Over-enforcement Sends Funds Offshore
Unlike the European Union, which has taken a proactive approach with its Markets in Crypto-Assets Regulation (MiCA) framework, the U.S. has been slow to offer clarity on crypto regulation. Despite the Biden administration’s executive order calling for coordination, regulators have made little progress toward establishing clear guidelines, opting instead for aggressive enforcement.
This approach has pushed money out of the U.S. to other jurisdictions that offer greater regulatory clarity. From Q1 2022 to Q1 2023, the share of venture capital flow into European-based crypto projects increased from 5.9% to 7.6%, suggesting a shift out of the U.S.
In the wake of SEC lawsuits against three major crypto exchanges this year, billions of dollars of trading volumes have migrated to Asia — and Hong Kong legislator Johnny Ng openly courted more.
Regulators should adopt clear and robust policies, built with the flexibility to adapt to emerging realities and evolving crime. Hacks will continue to escalate if we fail to strengthen frail cybersecurity best practices, implement smarter regulations and fairly enforce compliance.
Regulators in the U.S. can’t afford to ignore the jurisdiction dynamics and regulatory loopholes that fail to stop manipulative practices and encourage migration.
Mriganka Pattnaik is the CEO of Merkle Science, a predictive Web3 risk and intelligence platform.
(Opinions expressed in this article are the author’s own.)