EU puts together package against money laundering: virtual currencies like Bitcoin also in its sights!
by Svenja Koch
The European Union is stepping up its fight against money laundering. The focus is also on cryptocurrencies such as Bitcoin and Ethereum.
For these reasons, the EU is tightening security measures
The European Union has recognised that in certain sectors it is possible to carry out transactions completely anonymously. Individual high-value transactions are a particular focus of attention. This concerns above all the so-called cryptocurrencies. These digital currencies have now become firmly established. The market has a value of several billion euros. This value is invested in various cryptocurrencies, of which Bitcoin is probably the best known.
Cryptocurrencies are based on the principle of direct trade. Two partners arrange a transaction and settle the payment via a cryptocurrency. The entire transaction takes place without a bank. The prerequisite is a trading platform that enables the exchange of the currency units. The possibility of carrying out transactions worldwide and without banks is touted as a major advantage of digital currencies.
There are now also numerous crypto service providers. These are providers that operate on the internet and provide users with so-called cryptowallets. With such a cryptocurrency wallet, anyone can exchange any real currency, such as the euro, for Bitcoin and other digital currencies. Likewise, these platforms offer the exchange of cryptocurrencies back into euros, dollars and other means of payment.
The current situation - how easy is money laundering?
The focus of the European Union is primarily on crypto service providers. Registration on these platforms is currently not subject to controls. Accordingly, it is often possible to register under a pseudonym or a false identity. Moreover, transactions on these platforms are not under any supervision, as there is no competent authority. The crypto platforms are neither banks nor financial service providers.
These framework conditions allow digital currencies to be used for illegal transactions. With these currencies, two people can exchange real money into a digital cryptocurrency, send it to each other and exchange it back into a real currency via a crypto service provider. For example, a German user can exchange 100 euros into Bitcoin and send it from his cryptowallet to a user in the Caribbean, who then exchanges the digital currency into his national currency via his crypto service provider. In this case, banks, authorities and official bodies cannot trace between which persons and for what purpose an exchange of money took place.
Criminals take advantage of this special property of cryptocurrencies. Bitcoin and similar digital currencies are the preferred choice for extortion in cyber attacks. If attackers succeed in overcoming IT security and encrypting the company's data, they usually send a ransom demand. The payment is demanded in the form of a cryptocurrency.
The investigators are powerless in this case if the company decides to give in to the demand after such an attack. The recipient is unknown, and it is likewise not possible to trace the transaction. Moreover, the criminal who receives the payment can be sitting in virtually any place in the world. Access to his account with the crypto service providers is possible from anywhere. The hacker then exchanges the extorted Bitcoins for real money via his crypto platform and transfers it to his own account. This transaction is completely inconspicuous because the background cannot be traced. Large sums can be disguised by transferring them in small tranches to different accounts. For these reasons, digital currencies have established themselves as a means of payment in cyber attacks with ransomware.
Cryptocurrencies are also used in other criminal activities. It is conceivable to conduct drug transactions in this way. Even enormous sums can be transferred unnoticed between different countries with uncontrolled digital currencies. Terrorist financing is another point that the EU Commission also mentions in its legislative proposals. Money can be moved in this way unnoticed and uncontrolled to regions where terrorism flourishes. The list of possible criminal transactions that can be financed in this way is very long. In addition to cyber attacks, criminals can use digital currencies, for example, to conduct illegal arms deals, child trafficking or the smuggling of a wide variety of goods.
In the past, there have also been repeated criminal acts on the part of the operators of such crypto service providers. These have even been directed against their own users. Since the operators work largely free of legal regulation, there have been several cases in the past where crypto platforms disappeared overnight. Users who stored their Bitcoin on such platforms lost their entire holdings. This shows that the lack of control is also a weakness for users. The platforms manage the users' Bitcoins and thus have direct access to the digital currency. Since it does not physically exist and is not bound to any owner, it is very easy to steal. It is important that users of digital currencies are also aware of this weakness in IT security.
What do cryptocurrencies have to do with cyber threats and IT security?
Cryptocurrencies indirectly contribute to the current situation of high levels of cyber threats. They give criminals a way to receive large sums of money through extortion in cyber attacks without fear of prosecution. In the current situation, the anonymity on crypto exchanges is the main contributor to cyber threats. If this gap is closed, it will become significantly more difficult for hackers to gain financial benefits from their cyber attacks. Many cyber attacks, especially Advanced Persistent Threats, aim to extort money from victims.
In the current situation, IT security is the only tool available to companies to defend themselves against cyber threats. It is virtually impossible for investigating authorities to track payments via Bitcoin and other digital currencies and locate the recipients, especially since they are often located abroad. In addition, the threats from cyber attacks continue to increase due to the current situation. Hackers now offer their ransomware as a service, similar to the Software as a Service concept. For hackers and criminals alike, extortion with ransomware and settlement via Bitcoin are currently a kind of Eldorado. As soon as the IT security of a target is overcome and the servers are encrypted, the attackers make exorbitant ransom demands to release the data again. This increases the pressure on the IT security of companies within the EU, as they are constantly targeted by hackers.
These are the goals of the European Union
The EU Commission proposes a whole range of measures as part of the draft legislation to improve the fight against money laundering and terrorist financing. For example, the EU Commission wants to create a new European authority for combating money laundering called AMLA. This authority will have central supervision of money laundering and terrorist financing and, according to the Commission's wishes, will coordinate cooperation with the national authorities as well as the FIU, the EU's money laundering reporting office.
One of the EU Commission's goals is to improve the security, especially IT security, of citizens within the European Union. Above all, the EU wants to curb organised crime. The latter has discovered cryptocurrencies and the trading platforms for these digital currencies as a helpful tool for carrying out illegal transactions. The steadily increasing number of cyber attacks makes it clear that this threat is real. The IT security of companies and also of private individuals struggles to keep up with this development. Hackers and even criminals with little IT experience have discovered cyber attacks as an easy method for successful extortion. With the means of IT security, it is often not possible to identify those behind such cyber attacks. Nor do the investigating authorities have any options to track down the blackmailers, as they currently do not have access to the transaction data.
The EU also wants to implement uniform rules for combating money laundering within the bloc. Within this framework, the EU wants to link national bank account registers and thus allow central agencies easy access. In this way, the EU wants to facilitate and accelerate criminal prosecution. Furthermore, the EU Commission demands in its legislative proposal that a cash payment ceiling be introduced. The ceiling is to apply throughout the European Union, and the Commission plans to set it at 10,000 euros. Corresponding legal regulations already exist in many EU countries, including Germany. Exceptions apply to transactions between two private individuals.
In addition, the proposal provides for the revision of the Money Transfer Regulation from 2015. The focus here is on the tracing of crypto transfers. This point is closely related to the payment mechanisms that hackers exploit in cyber attacks. Accordingly, the draft law calls for anonymous cryptowallets to be banned altogether. In addition, the EU wants to oblige crypto exchange operators to verify the identity of registered users as well as to store information on transactions in a database. This includes a listing of both parties exchanging cryptocurrency. The EU authorities then want to have access to this data. Furthermore, it should be mandatory for these providers to report suspicious transactions to the EU authorities.
The EU draft also stipulates that operators of crypto exchanges based outside the European Union are obliged to set up a contact point for service by the authorities. Since 2015, this has already applied to e-money merchants and payment service providers.
With the proposed changes, the EU Commission wants to close gaps in existing laws and improve citizens' IT security. Current legislation no longer fits the digital reality. Anonymous accounts on crypto exchanges not only facilitate money laundering, they also provide hackers with an ideal environment for processing extortion payments as part of cyber attacks.
With the legislative changes, crypto exchange operators will be subject to regulations similar to those for banks and other financial service providers. The EU wants to ensure transparency in transactions with Bitcoin and other cryptocurrencies. If criminals are deprived of the platform for processing illegal payments, this will also have a positive impact on the cyber threats posed by these groups. Cyber attacks with a financial background, such as extortion through ransomware, will then no longer be feasible on this scale, and the IT security of companies will feel the relief in incident response to successful extortion attempts in the future.