Cryptocurrency: DeFi Services - Govt Risk Assessment Report
Government regulation cannot protect you from your own ignorance and stupidity, nor from being the object of criminals. Learn about money and markets, teach others, effect Personal Responsibility, then tell the GovBankPols, their FUD, and their Control and Power and Grift schemes to go fuck their then thus unnecessary selves back to zero. "Open source code is cited as a security risk." Long live crypto, defi, monetization, tokenization, p2p, privacy, self-custody, distributed, unstoppable, cash. https://home.treasury.gov/news/press-releases/jy1391 by DerpJungler "CryptoBro" Why? I work as an AML/Fraud Officer in TradFi. I live to research this stuff. The United States Department of the Treasury has released a comprehensive risk assessment report on Decentralized Finance (DeFi) services, which basically goes into how DeFi services are probably not decentralized and how they are used by criminals for theft and money laundering, among other crimes. I went through all of the report multiple times and the goal of this post is to provide as much of a simple summary as I can and discuss with you why this report is important to know and what it might mean for the crypto ecosystem. Before they open fire against the whole DeFi “industry”, they acknowledge that most illicit financing activities occur outside the virtual asset ecosystem, primarily in fiat currency. (Which is great because their previous report claimed that DeFi is only used for ML and no mention of traditional finance ML) 2. MARKET STRUCTURE The second section (after the Introduction) is titled “Market Structure” where the authors explain the definitions and scope of DeFi services and emphasize on how most of DeFi services claim to be decentralized, but they usually have a controlling organization providing centralized administration or governance. They also claim that the term “decentralization” is usually used as a marketing-driven technique than a reflection of reality. Then the report goes on to explain how DeFi services must comply with AML/CFT Regulatory Obligations and while the industry claims there is insufficient regulatory clarity, the CFTC, FinCEN and SEC argue that adequate clarity exists but not implemented in DeFi. Then the DeFi industry is explained in more detailed (4 layers blah blah) and how users use it for the same reasons as TradFi (lending & borrowing) but also for mixers and cross-chain bridges, where the problem lies. The report emphasizes how despite the importance of DeFi services in the virtual asset ecosystem, they account for only a relatively small portion of total activity in virtual asset markets. Sourcing Coingecko, the 24-hour volume of total virtual asset activity in early January 2023 was $29.7 billion, with DEXs accounting for only 3 percent of the volume. In the last parts of the Market Structure section, the report focuses on governance, validators, and custody. They explain how the distribution and concentration of governance tokens also affects the centralization and the decision-making process of DeFi protocols and that some blockchains have a limited number of validators in their consensus mechanism, which can lead to concentrated decision-making and prioritization of certain transactions. Lastly, they claim that custody is ambiguous in DeFi, and how it doesn’t really exist since customers deposit and lock their assets in smart contracts and that individual entities can gain control/change those smart contracts and the users’ assets as a result. (They reference The DAO incident) 3. ILLICIT FINANCE THREATS The third section of this report focuses on how illicit actors (hackers and scammers) use DeFi to launder their stolen funds. This section goes deeper into some money laundering cases, explaining how hackers and fraudsters launder their funds (take notes folks), that ransomware attacks are becoming matters of national security for the U.S. Government and they close the section off by providing examples of theft, drug trafficking and other ML/TF cases in the DeFi industry. The Money Laundering section is straight forward, they explain how illicit actors use mixers, cross-chain bridges, liquidity pools and DEXs that bypass KYC to launder their funds. (I also made a post here a few months ago about this) Ransomware attacks have sharply increased in recent years and the report dives deeper into how it is becoming a serious issue for the US and how cybercriminals are now not only using malware, but also selling it to others (Ransomware-as-a-service). Cybercriminals use DeFi to launder their stolen funds. The Theft section discusses how, in 2022, illicit actors stole billions of dollars' worth of virtual assets from Virtual Asset Service Providers (VASPs), including DeFi services. DeFi services have been particularly attractive for cybercriminals, accounting for a majority of stolen virtual assets in 2022. They give examples of security breaches, “code exploits”, “flash loan attacks” and then provide some examples, such as the Mango Markets and DFX Finance cases. The Fraud and Scams section emphasizes on the sharp increase in losses of crypto as a result of frauds and scams. In 2021, the FBI Internet Crime Complaint Center (IC3) reported a nearly 600% increase in loss amounts reported in virtual asset-related complaints, from $246 million in 2020 to more than $1.6 billion in 2021. Here they explain concepts such as “rug pulls” and “pig butchering”. They also provide some examples here such as the “Baller Ape” NFT and the Frosties NFT collection. (Honesty, there are countless examples that could be used here) The Drug Trafficking section highlights the growth of drug trafficking organizations, darknet markets that use cryptocurrencies and how DeFi, once again, helps to use and launder funds. They also report that drug-focused darknet markets generated nearly $2 billion in virtual assets in 2021 through sales, representing a steady increase in revenue since 2018. (Business is boomin’) The Proliferation Finance section focuses on the Democratic People's Republic of Korea (DPRK) and that they resorted to illicit activities, including cyber-enabled heists from VASPs and other financial institutions, to generate revenue for its unlawful weapons of mass destruction (WMD) and ballistic missile programs. Then they dive into the “Lazarus Group” hacks and how Tornado Cash enabled cyber attacks from the DPRK. *This is probably why they attacked the creator of Tornado Cash a few months ago. 4. VULNERABILITIES Section 4 discusses vulnerabilities in DeFi services, focusing on non-compliant DeFi services in the United States, explaining that DeFi services often do not implement AML/CFT controls or other processes to identify customers, essentially making them a “Money Laundering Heaven”. The main body of this section highlights two main areas: a) how DeFi projects are against AML/CFT controls in the name of decentralization and b) the difficulties that regulators face in enforcing proper regulations in DeFi due to the lack of clear organizational structure and limited resources (or maybe lack of understanding?) The vulnerability of disintermediation in DeFi services is discussed, where virtual assets can be self-custodied and transferred without intermediaries, possibly leading to gaps in suspicious activity reporting (SAR) and limited information access for financial investigations. These gaps are also created by the cross-border nature of DeFi services, since most countries still lack adequate AML/CFT frameworks for cryptocurrencies and DeFi services. Lastly, cyber-related vulnerabilities are created due to aggregation of funds, open-source code, and lack of cybersecurity requirements, resulting in large-scale thefts in the DeFi industry. 5. MITIGATION MEASURES This section discusses the applicability of existing regulatory frameworks such as the Bank Secrecy Act (BSA) and general AML/CFT requirements to the DeFi industry. However, the authors of the report acknowledge that gaps in the scope of the BSA may also contribute to the current weaknesses of the regulatory framework and perhaps is one of the reasons that DeFi services are not complying. The Treasury’s report concludes by proposing some actually good solutions and actions for regulators and authorities to consider. They propose the strengthening and enhancement of the US AML/CFT supervision for the DeFi industry, continuing research of the DeFi ecosystem and illicit activities, continuing to engage with foreign partners in order for them to also assess illicit finance risks in DeFi, explore and apply “Cyber Resilience” in VASPs and other crypto services and to promote “Responsible Innovation of Mitigation Measures”, encouraging regulators to engage with developers to promote innovation that also mitigates illicit finance risks, fraud, theft and money laundering activities. However, that the report acknowledges that illicit activity is just a small portion of the overall DeFi activity, and DeFi remains a minor part of the broader virtual asset ecosystem. IMPLICATIONS FOR THE CRYPTOCURRENCY MARKET Truth be told, the Treasury’s risk assessment report has been pretty informative when it comes to DeFi and Money Laundering activities within the industry. I believe the report managed to stay unbiased towards DeFi and it highlighted the need for balance between innovation and ensuring the safety of the industry. For people who are already experienced with DeFi and crypto in general, the report serves as a reminder that the industry still lacks the decentralization that it preaches. We are still putting our trust in centralized entities who issue governance tokens, or control the smart contracts we are supposed to interact with. It also serves as a reminder that the protocols we often interact with (bridges, DEXs, liquidity pools, aggregators) are vulnerable to multiple threats. What to expect? Of course, more regulatory scrutiny. Like it or not, regulators such as the FATF, the SEC etc. are drooling over every opportunity to impose stricter regulators in the space, especially when they can just blame it on money laundering, ransomware attacks, or weapons of mass destruction. However, what we do to limit those threats is not only up to the regulators. Education should be a priority for both users and regulators. We need to know how DeFi works and how to interact with these protocols safely, not only to protect our own funds and wealth, but to also break the stereotype that crypto = scams and money laundering. Remember: The report still acknowledges that most illicit finance activity is based on fiat currency, and this is unlikely to ever change. If you guys would like me to dive more in depth into the scam/fraud/cyberattack world and explain terms such as “pig butchering” in more detail, please let me know and I’ll be happy to do so.
participants (1)
-
grarpamp