Over the weekend, I listened to one of the latest episodes of Unchained, which is a podcast featuring interviews with some of the best minds in crypto. In the episode, titled “How Widespread Is Money Laundering in Crypto?” host Laura Shin talked with Tom Robinson, the Chief Data Officer & co-founder of Elliptic, and Yaya Fanusie, the director of analysis at the Center on Sanctions and Illicit Finance at the Foundation for Defense of Democracies.
The concept of money laundering through crypto isn’t shocking to anyone, but during the episode, Tom said something surprising: that “ShapeShift doesn’t do KYC. For that reason, the funds from the Wannacry ransom [that] were in Bitcoin were sent to ShapeShift and were then converted to Monero.”
Wait a minute. Ransom racketeers used ShapeShift? What’s going on here?
ShapeShift is a crypto exchange, headquartered in Switzerland, that is currently operating today. They don’t require users to give their personal information in order to clearly identify who is using the service? This is common practice for an exchange. It’s known as KYC, or Know Your Customer. This practice helps prevent bad actors from storing and moving money.
Traditionally, money laundering was a simple concept in theory, if difficult to pull off: run bad money through a shell business, so it looks like lawfully generated revenue. With cryptocurrency, this isn’t really an option, at least not yet, but bad actors have another simple solution to launder their coins: trade them for other coins.
Cryptocurrency has the advantage of being uniquely difficult to trace among currencies. Trading these coins is a faceless transaction with little more than an address to a digital wallet signifying ownership. A single criminal could generate thousands of these addresses to move funds around if they wanted to.
You can see the address, and how much Bitcoin is in that address, but the identity of the owner? Anonymous, though it turns out, only pseudo-anonymous. Criminals can make mistakes. Tracking IP addresses to identify the owners of particular Bitcoin addresses is possible, something that the founder of Silk Road, Ross Ulbricht, found out too late.
So if Bitcoin is only pseudo-anonymous, how can criminals better launder their cryptocurrency? Turns out, the answer remains simple. Monero is a privacy coin that blurs individual transactions in groups, making it impossible to see which individual addresses. If someone can transfer stolen Bitcoin into Monero, then they can get away scott free because after that point, there is no longer a trail that can be followed.
This is exactly what happened on ShapeShift. Almost one year ago, in August 2017, there were reports of the WannaCry Bitcoin funds moving through the crypto exchange ShapeShift. WannaCry was a ransomware virus that infected over 200,000 computers last year, locked up the systems, and demanded $300 in Bitcoin to unlock it. The hackers behind WannaCry then took just over $140,000 of ransomed Bitcoin and exchanged it on ShapeShift for Monero.
The movement was detected by a company called Elliptic, which works with government agencies and financial institutions and finds illegal activity in cryptocurrencies. Elliptic traced the Bitcoin stolen by WannaCry to ShapeShift, but once that Bitcoin was exchanged into Monero, they could no longer follow the trail.
In the aftermath, ShapeShift acknowledged the transaction, stating “the WannaCry attacker did breach its terms of service and utilized the services to move a portion of their proceeds of crime” and that they were working with law enforcement on the issue. However, this begs the question: how can ShapeShift possibly identify when someone breaches its terms of service when they do not identify their users in the first place? Similarly, what information can they then provide to law enforcement to help with the investigation?
“We have no idea who moved the money either, officer, but we’re here to help.”
On their website, ShapeShift states that “users do not have to create accounts, deposit funds, or provide private personal information. This keeps the users safe from identity or financial theft — a critical improvement in exchange technology.” Sure, protecting user identity is important, so there is an argument that this is an improvement, but at what cost? Who is really being protected?
Reading ShapeShift’s Terms of Service, which were updated in April 9, 2018, the company states that users are “prohibited from using or accessing ShapeShift to transmit or exchange digital assets that are the direct or indirect proceeds of any criminal or fraudulent activity…ShapeShift reserves the right to deny, delay, or cancel a transaction it perceives as a risk of criminal or fraudulent activity.”
How can ShapeShift simultaneously prohibit bad actors from accessing the platform while also maintaining a policy of anonymity? Hint: they can’t. The price of anonymity is that everyone is anonymous, including criminals. As long as the exchange is unregulated, everyone can participate, which can appear beautiful as an idea, but in reality and in execution, it becomes a ground upon which criminals thrive.
This points to why regulation is important and why any website that allows users to trade cryptocurrencies should become regulated and follow regulation. In the US, this would mean the website should be regulated by either the CFTC, SEC or the local regulator, and certainly follow FINCEN rules. Should a foreign regulated entity onboard U.S. citizens, then they need to find a U.S. regulated entity as a correspondent in the transaction to make sure it follows U.S. regulation.
ShapeShift is incorporated in Switzerland, the land of the free and secret banking system. However, being a foreign corporation does not absolve its requirements to follow U.S. regulation if they have at least one U.S. customer. Clearly, ShapeShift has US. customers. Not only is Erik Voorhees, the CEO of ShapeShift, American, but Erik admitted that ShapeShift operates in the United States in a conversation with Kraken’s Jesse Powell about New York’s BitLicense, which is difficult to obtain and one of the first regulatory measures taken in crypto.
How does Erik Voorhees get away with this? Digging into his background, I discovered that in 2014 Erik was sanctioned by the SEC for selling unregistered securities to investors without registering the offering with the SEC or seeking an exemption from registration. Because of the consent decree, Erik agreed to not violate the SEC rules. The strange thing is that ShapeShift is clearly not following the FINCEN rules and SEC regulations because the platform allows tokens that were issued in ICOs to be traded when these tokens are clearly viewed as securities by the SEC. Keep in mind that ShapeShift makes money by enabling anonymous transactions and as such is probably operating as an unregistered exchange.
The ShapeShift example illustrates why regulation matters. Those who feel regulation is the enemy of freedom and democracy should reconsider the principles the two are based on. Freedom and democracy are about equal rights, equal access, and equal opportunity. Creating a level playing field for everyone.
In many ways, cryptocurrencies are enabling these principles, but if they better enable criminals to take advantage of others too, then it undermines those original ideals. Perhaps, this type of unregulation can be considered true “freedom,” where anyone can do anything, but as a society, we have already collectively agreed on certain moral principles and laws. Everyone should not be able to do everything. There are crimes that we have decided as a society are wrong. Enabling crime is also wrong. In that sense, we have already let go of the libertarian’s freedom.
This is not to say that ShapeShift or any crypto exchange is directly facilitating criminal activity. I don’t believe Erik built ShapeShift with that intention, nor do I think that anyone would make (or win) an argument saying that exchanges today are comparable to the Silk Road, the most infamous online black market, for example.
However, the Silk Road was in many ways built on Bitcoin. There are inherent dangers to cryptocurrencies, and as a result, there needs to be regulations in place to protect the businesses and people using them. There needs to be accountability. Anonymity is not a step forward in this regard, but one backward.
StartEngine is a leading equity crowdfunding platform that has helped 250+ companies raise over $80M. We are also currently raising capital. Join the nearly 3,500 StartEngine Owners who have already invested in us. Invest in StartEngine here.
For more information, view our Offering Circular.