Cryptocurrency: DeFi Services - Govt Risk Assessment Report

grarpamp grarpamp at gmail.com
Fri Apr 14 17:52:30 PDT 2023


Government regulation cannot protect you
from your own ignorance and stupidity,
nor from being the object of criminals.
Learn about money and markets, teach others,
effect Personal Responsibility,
then tell the GovBankPols, their FUD,
and their Control and Power and Grift schemes
to go fuck their then thus unnecessary selves
back to zero.

"Open source code is cited as a security risk."

Long live crypto, defi, monetization, tokenization, p2p,
privacy, self-custody, distributed, unstoppable, cash.


https://home.treasury.gov/news/press-releases/jy1391

by DerpJungler "CryptoBro"

Why? I work as an AML/Fraud Officer in TradFi. I live to research this stuff.

The United States Department of the Treasury has released a
comprehensive risk assessment report on Decentralized Finance (DeFi)
services, which basically goes into how DeFi services are probably not
decentralized and how they are used by criminals for theft and money
laundering, among other crimes. I went through all of the report
multiple times and the goal of this post is to provide as much of a
simple summary as I can and discuss with you why this report is
important to know and what it might mean for the crypto ecosystem.

Before they open fire against the whole DeFi “industry”, they
acknowledge that most illicit financing activities occur outside the
virtual asset ecosystem, primarily in fiat currency. (Which is great
because their previous report claimed that DeFi is only used for ML
and no mention of traditional finance ML)

2. MARKET STRUCTURE

The second section (after the Introduction) is titled “Market
Structure” where the authors explain the definitions and scope of DeFi
services and emphasize how most DeFi services claim to be
decentralized, but they usually have a controlling organization
providing centralized administration or governance. They also claim
that the term “decentralization” is usually used more as a marketing-driven
technique than a reflection of reality. Then the report goes on to
explain how DeFi services must comply with AML/CFT Regulatory
Obligations and while the industry claims there is insufficient
regulatory clarity, the CFTC, FinCEN and SEC argue that adequate
clarity exists but is not implemented in DeFi. Then the DeFi industry is
explained in more detail (4 layers blah blah) and how users use it
for the same reasons as TradFi (lending & borrowing) but also for
mixers and cross-chain bridges, where the problem lies.

The report emphasizes how despite the importance of DeFi services in
the virtual asset ecosystem, they account for only a relatively small
portion of total activity in virtual asset markets. Sourcing
Coingecko, the 24-hour volume of total virtual asset activity in early
January 2023 was $29.7 billion, with DEXs accounting for only 3
percent of the volume.

In the last parts of the Market Structure section, the report focuses
on governance, validators, and custody. They explain how the
distribution and concentration of governance tokens also affects the
centralization and the decision-making process of DeFi protocols and
that some blockchains have a limited number of validators in their
consensus mechanism, which can lead to concentrated decision-making
and prioritization of certain transactions. Lastly, they claim that
custody is ambiguous in DeFi, and how it doesn’t really exist since
customers deposit and lock their assets in smart contracts and that
individual entities can gain control/change those smart contracts and
the users’ assets as a result. (They reference The DAO incident)

3. ILLICIT FINANCE THREATS

The third section of this report focuses on how illicit actors
(hackers and scammers) use DeFi to launder their stolen funds. This
section goes deeper into some money laundering cases, explaining how
hackers and fraudsters launder their funds (take notes folks), that
ransomware attacks are becoming matters of national security for the
U.S. Government and they close the section off by providing examples
of theft, drug trafficking and other ML/TF cases in the DeFi industry.

The Money Laundering section is straightforward: they explain how
illicit actors use mixers, cross-chain bridges, liquidity pools and
DEXs that bypass KYC to launder their funds. (I also made a post here
a few months ago about this)

Ransomware attacks have sharply increased in recent years and the
report dives deeper into how it is becoming a serious issue for the US
and how cybercriminals are now not only using malware, but also
selling it to others (Ransomware-as-a-service). Cybercriminals use
DeFi to launder their stolen funds.

The Theft section discusses how, in 2022, illicit actors stole
billions of dollars' worth of virtual assets from Virtual Asset
Service Providers (VASPs), including DeFi services. DeFi services have
been particularly attractive for cybercriminals, accounting for a
majority of stolen virtual assets in 2022. They give examples of
security breaches, “code exploits”, “flash loan attacks” and then
provide some examples, such as the Mango Markets and DFX Finance
cases.

The Fraud and Scams section emphasizes the sharp increase in losses
of crypto as a result of frauds and scams. In 2021, the FBI Internet
Crime Complaint Center (IC3) reported a nearly 600% increase in loss
amounts reported in virtual asset-related complaints, from $246
million in 2020 to more than $1.6 billion in 2021. Here they explain
concepts such as “rug pulls” and “pig butchering”. They also provide
some examples here such as the “Baller Ape” NFT and the Frosties NFT
collection. (Honestly, there are countless examples that could be used
here)

The Drug Trafficking section highlights the growth of drug trafficking
organizations, darknet markets that use cryptocurrencies and how DeFi,
once again, helps to use and launder funds. They also report that
drug-focused darknet markets generated nearly $2 billion in virtual
assets in 2021 through sales, representing a steady increase in
revenue since 2018. (Business is boomin’)

The Proliferation Finance section focuses on the Democratic People's
Republic of Korea (DPRK) and that they resorted to illicit activities,
including cyber-enabled heists from VASPs and other financial
institutions, to generate revenue for its unlawful weapons of mass
destruction (WMD) and ballistic missile programs. Then they dive into
the “Lazarus Group” hacks and how Tornado Cash enabled cyber attacks
from the DPRK. *This is probably why they attacked the creator of
Tornado Cash a few months ago.

4. VULNERABILITIES

Section 4 discusses vulnerabilities in DeFi services, focusing on
non-compliant DeFi services in the United States, explaining that DeFi
services often do not implement AML/CFT controls or other processes to
identify customers, essentially making them a “Money Laundering
Heaven”. The main body of this section highlights two main areas: a)
how DeFi projects are against AML/CFT controls in the name of
decentralization and b) the difficulties that regulators face in
enforcing proper regulations in DeFi due to the lack of clear
organizational structure and limited resources (or maybe lack of
understanding?)

The vulnerability of disintermediation in DeFi services is discussed,
where virtual assets can be self-custodied and transferred without
intermediaries, possibly leading to gaps in suspicious activity
reporting (SAR) and limited information access for financial
investigations. These gaps are also created by the cross-border nature
of DeFi services, since most countries still lack adequate AML/CFT
frameworks for cryptocurrencies and DeFi services. Lastly,
cyber-related vulnerabilities are created due to aggregation of funds,
open-source code, and lack of cybersecurity requirements, resulting in
large-scale thefts in the DeFi industry.

5. MITIGATION MEASURES

This section discusses the applicability of existing regulatory
frameworks such as the Bank Secrecy Act (BSA) and general AML/CFT
requirements to the DeFi industry. However, the authors of the report
acknowledge that gaps in the scope of the BSA may also contribute to
the current weaknesses of the regulatory framework and perhaps is one
of the reasons that DeFi services are not complying.

The Treasury’s report concludes by proposing some actually good
solutions and actions for regulators and authorities to consider. They
propose the strengthening and enhancement of the US AML/CFT
supervision for the DeFi industry, continuing research of the DeFi
ecosystem and illicit activities, continuing to engage with foreign
partners in order for them to also assess illicit finance risks in
DeFi, explore and apply “Cyber Resilience” in VASPs and other crypto
services and to promote “Responsible Innovation of Mitigation
Measures”, encouraging regulators to engage with developers to promote
innovation that also mitigates illicit finance risks, fraud, theft and
money laundering activities.

However, the report acknowledges that illicit activity is just a
small portion of the overall DeFi activity, and DeFi remains a minor
part of the broader virtual asset ecosystem.

IMPLICATIONS FOR THE CRYPTOCURRENCY MARKET

Truth be told, the Treasury’s risk assessment report has been pretty
informative when it comes to DeFi and Money Laundering activities
within the industry. I believe the report managed to stay unbiased
towards DeFi and it highlighted the need for balance between
innovation and ensuring the safety of the industry.

For people who are already experienced with DeFi and crypto in
general, the report serves as a reminder that the industry still lacks
the decentralization that it preaches. We are still putting our trust
in centralized entities who issue governance tokens, or control the
smart contracts we are supposed to interact with. It also serves as a
reminder that the protocols we often interact with (bridges, DEXs,
liquidity pools, aggregators) are vulnerable to multiple threats.

What to expect? Of course, more regulatory scrutiny. Like it or not,
regulators such as the FATF, the SEC etc. are drooling over every
opportunity to impose stricter regulations in the space, especially
when they can just blame it on money laundering, ransomware attacks,
or weapons of mass destruction.

However, what we do to limit those threats is not only up to the
regulators. Education should be a priority for both users and
regulators. We need to know how DeFi works and how to interact with
these protocols safely, not only to protect our own funds and wealth,
but to also break the stereotype that crypto = scams and money
laundering.

Remember: The report still acknowledges that most illicit finance
activity is based on fiat currency, and this is unlikely to ever
change.

If you guys would like me to dive more in depth into the
scam/fraud/cyberattack world and explain terms such as “pig
butchering” in more detail, please let me know and I’ll be happy to do
so.

