1 Introduction

Cryptocurrency is at the nexus of illicit behaviour by transnational criminal networks involved in terrorism, drug trafficking, pornography, sanctions-evasion, and ransomware. But you would never know it when looking at cryptocurrency literature. By way of example, a recent book on sanctions makes barely two passing references to virtual currency.Footnote 1 The transboundary, un(der)regulated, and relatively new features of cryptocurrency are having a transformative impact on crime: in 2021 and 2022 a state-sponsored hacking group in North Korea procured billions in crypto coins through ransomware attacks to fund its nuclear arsenal.Footnote 2 In addition, North Korea reportedly stole $400 million in cryptocurrency in 2021 alone, which is since estimated to have grown to $1.7 billion, with crypto theft in 2022 estimated to total $3.8 billion.Footnote 3 Hacking has emerged as the crypto equivalent of a bank robbery, stealing vast sums from exchange websites: In August of 2016 Bitfinex, a top exchange program for cryptocurrency, was hacked and lost over half its digital assets. Assets valued at US$3.6 billion were traced to a couple who had enriched themselves and laundered proceeds of crime using different cryptocurrencies.Footnote 4 In other words, crypto crime is dynamic and changing; whereas virtual currencies had been primarily used to place and layer proceeds of precursor crime into the financial system, theft of actual virtual currency is a rapidly growing crime. Not every financial crime in cyberspace involves cryptocurrency; but the extent of crypto-enabled crimes in cyberspace is growing exponentially.Footnote 5 Yet, the current literature on crypto crime largely neglects the crime-crypto nexus as a subset of financial crimes related to Online Child Sexual Exploitation and Abuse (OCSEA), sanctions evasion and ransomware.

This chapter calls into question the prevalent monolithic approach to crypto crime to flag the associated inflexibility of current risk assessment frameworks for financial crime, notably as it pertains to the Financial Action Task Force (FATF), which is the dominant international organization offering guidelines on mitigating financial crimes. The chapter studies the way cryptocurrency is being leveraged to enable OCSEA, sanctions evasion and ransomware to make the case for a more nuanced approach to contain its proliferating use for criminal transactions. The sort of virtual currency in which a business deals, along with shifts in and out of one cryptocurrency or another, for instance, should affect risk scores for particularly businesses. But that is not how the system is set up. The FATF framework currently offers no flexibility for assessments and no real-time assessments. The FATF framework is allegedly over-designed for effect, rather than efficiency. What virtual currency is concerned, however, this chapter concludes that despite global Anti-Money Laundering Counter-Terrorist Financing (AMLCTF) compliance costs upwards of $270 billion a year, the current framework provides neither good traction, nor good results. That is, it is ineffective, in part because it is insufficiently nuanced to capture different types of criminogenic financial risks that emanate from the use of virtual currency. Part of the reason is inherent to the blockchain. While traditional AML is premised on precursor crime where the user is known but the transaction is hidden, virtual currency flips that problem: with Distributed Ledger Technology, the transaction history of the blockchain is transparent to all network nodes and non-repudiable, but the pseudonymity of individual participants is maintained, and the centralised institution replaced with the virtually currency protocol.Footnote 6

In 2022, crypto crime netted at least $20 billion.Footnote 7 Other estimates peg profits even higher.Footnote 8 This chapter compares three types of transnational crime that stand out for their profits and particularly heinous damage: Online Child Sexual Exploitation and Abuse (OCSEA), sanctions evasion and ransomware. The use cases in this chapter show that cryptocurrency is used differently for each. OCSEA uses cryptocurrency for transactional purposes, choosing coins for pseudonymity. As technology develops to track mainstream coins used in crime, such as Bitcoin, perpetrators are shifting to more anonymous and secure methods of transaction. That partially explains a recent shift in virtual currency out of Bitcoin. For example, Monero offers greater anonymity and security. But is Monero more popular in OCSEA transactions than Bitcoin? Sanctions evasion uses cryptocurrency to transfer value and for rent seeking, when an entity aims to gain wealth without engaging in productivity or reciprocal agreements. Cryptocurrency makes it possible to move large amounts of money without a traditional transactional component. Finally, cryptocurrency is the payment of choice for ransomware attacks because amounts are large. Payments use coins such as Bitcoin but often overlap with other types of coins and mixers because proceeds subsequently need to be laundered from the initial wallet.

The subfield of crypto crime is in its infancy. Researchers are only now starting to gauge the scale of crypto crime and regulatory options to quell it. The Internet Watch Foundation, Interpol, the United Nations Office on Drugs and Crime (UNODC) have all flagged the impact, scale and proliferation of cryptocurrency-based crime on illicit economies. Still, there is little scholarship on the nexus between cryptocurrency and crime.Footnote 9 Cryptocurrency regulations remain sector-agnostic with little attention paid to illicit economies. Guidelines lack specificity and largely ignore the way crypto intersects with illicit behaviour. Cryptocurrency is changing network dynamics, geopolitical ramifications, and the dynamic of multiple criminal marketplaces. The discourse on cryptocurrency-based crime remains fairly monolithic: Should it be regulated and if so, how? What is the scale of crypto crime? Has regulation of crypto been effective?Footnote 10 Instead of taking up these basic questions, this chapter compares patterns in OCSEA, sanctions evasion and ransomware in the context of cryptocurrency. In doing so, the chapter aims to demonstrate the value of cryptocurrency as an intervening variable in these respective crimes and pivoting mitigation efforts into cryptocurrency-based crimes.

Cryptocurrency is morphing how crimes turn a profit. It has been fuelling the exponential growth of OCSEA.Footnote 11 The Internet Watch Foundation reports that cryptocurrency payments for child sexual abuse have been doubling annually.Footnote 12 These transactions are peer-to-peer. Sanctions evasion using cryptocurrency has geopolitical implications and threatens regional stability and international security. Russian oligarchs use cryptocurrency to evade sanctions and fund conflict.Footnote 13 Ransomware attacks that extort payment using cryptocurrency disproportionately target public infrastructure, incur billions in losses from the public sector due to ransom payments and theft, shut down hospitals, and deprive municipalities of data that is essential to deliver public services.Footnote 14 Ransomware can also have geopolitical implications, insofar as it enables proliferation finance of corrupt authoritarian regimes.Footnote 15

The chapter postulates that the underappreciation of nuances in the use of cryptocurrency in crime is hampering efforts to mitigate the nefarious impacts of these crimes. In response, the chapter compares cryptocurrency patterns across these three types of crypto crime. The chapter concludes on ways to mitigate and deter the use of cryptocurrency for crime. The chapter is structured as follows. First, sections on materials and methods outline essential terms and background. Second, the chapter reviews three different crimes and their intersection with cryptocurrency: OCSEA, sanctions evasions, and ransomware attacks. Finally, it discusses the implications of a comparative approach to crypto crime for purposes of mitigation, investigation, and research with specific application to FATF.

2 Materials and Methods

2.1 Key Terms

This section operationalizes key concepts used in crypto laundering scholarship: decentralized coins, centralized coins, stablecoins, state backed coins, NFT’s, crypto mixers, cryptocurrency exchanges, and decentralized finance.

Decentralized coins enable peer-to-peer transactions to take place with limited oversight from a central authority.Footnote 16 Decentralized currencies aim to disperse financial power beyond reach of any central authority such as a bank or government. Many coins claim to be decentralized to cater to users who are nervous about government involvement and bank failure in traditional finance. Still, they tend to have a central authority.

Coins with oversight are centralized. These coins are owned or operated by a central authority: a government, company, individual or bank. Rather than being peer-to-peer, like a decentralized network, transactions go through and operate within a central exchange that is monitored by an authority of some capacity.Footnote 17

A stable coin can exist in a decentralized or centralized network. Its core characteristic is that its value is tied to a fiat currency such as the US dollar or to assets such as bonds. However, these coins often fall victim to volatility and fail. For example, the Terra stablecoin was marketed as a safe investment because it was tied to an algorithm. Yet, the coin crashed in May 2022.Footnote 18 That is an interesting case study in and of itself because it, along with the collapse of FTX that same year: this dynamic environment entails different liquidity requirements because bank runs that used to take days to pick up steam now happen almost instantaneously.

State-backed coins or central bank digital currencies (CBDC) are an official response to the growing popularity of digital assets: crypto coins that are held and privately issued by government. There are two types of CBDC’s, retail which are held and exchanged between individuals and the crypto business, and wholesale, which are run by financial institutions.Footnote 19 For example, Venezuela’s Petro or Petromoneda coin is issued by the government of Venezuela, backed by the country’s oil, gas, gold, and diamond supply.Footnote 20 Many crypto users take issue with state-backed coins because they are antithetical to the premise of crypto: to remove financial power from government. Concerns about state-backed currency include cyber security, susceptibility to phishing and ransomware attacks at executive levels of government, and an increase in state surveillance of the population.Footnote 21 Although state-backed coins are not always popular, they have been introduced in the Bahamas, China, Jamaica, the Caribbean, and Nigeria. Australia, Thailand, Brazil, India, South Korea, and Russia plan to or are piloting state-backed coins.Footnote 22

Non-fungible tokens, or NFTs, are an asset whose value and existence is tied to a blockchain. The NFT contains an identification code that makes it non-interchangeable. A value can be assigned to NFTs, which often popularizes them through images and artwork. NFTs are commonly tied to the Ethereum blockchain.Footnote 23

Crypto mixers are online platforms that are used to distort and redistribute funds to make them more difficult to trace across blockchains used by Bitcoin, Ethereum, and other public blockchains which do not offer criminals the transparency they are seeking.Footnote 24 According to Chainalysis, the 30-day moving average of cryptocurrencies sent through crypto mixers reached $US 51.8 million on April 19, 2022, which is twice the amount for the same period in 2021. Nearly 10% of all funds that originate with illicit addresses are sent to mixers—no other service type cracked a 0.3% mixer sending share.Footnote 25

Cryptocurrencies can be traded and sold through cryptocurrency exchanges. Exchanges can be centralized in structure and peer-to-peer, but the basic structure is that exchanges provide crypto users opportunities to trade their crypto for other types of cryptocurrencies or for fiat currencies such as the US dollar. Some exchanges specialize in moving crypto for illicit activity while others aim to provide infrastructure to exchange coins legally. Exchanges are susceptible to wash trading, with trading volume appearing higher than is representative of actual trade. In 2019, Bitwise Asset Management claimed that 95% of all reported bitcoin trading volume is faked by users to build the futures market.Footnote 26

Decentralized finance (DeFi) is a sector of the financial system that was built on principles of being open source, near anonymous, financially inclusive, and separate to central authority. DeFi takes place on blockchains, for example the Ethereum Blockchain. DeFi technology often does not require verification of identity; so, there is little to no traceability when crimes are committed that involve DeFi coins or exchanges.Footnote 27 Its focus on limiting transaction traceability and maintaining anonymity makes DeFi difficult to include in AML and CTF initiatives. This has opened an opportunity for criminals who wish to launder money using DeFi with little to no regulatory oversight. One study found that crypto money laundering schemes taking place on Web 3 commonly use DeFi platforms to launder money through token exchanges. Indeed, between 2021 and 2022 DeFi based money laundering is estimated to have increased by 1964 percent!Footnote 28

2.2 Literature

This chapter makes two contributions to the literature. First, it posits a systematic nexus between crime and cryptocurrency. Second, it contributes to literature on OCSEA, sanctions evasions, and ransomware attacks by identifying specific cryptocurrency trends. This chapter builds upon scholarly literature on crypto crime by engaging with the nuances of these crimes that use cryptocurrency and discerning differences between them. Specifically, the chapter finds that its anonymous, transnational and digital chapter makes cryptocurrency a particularly heinous enabler of OCSEA. In comparison, sanctions evasion requires perpetrators to circumvent regulations, and associated risks are geopolitical rather than local, such as proliferation finance and war.

Scholarship on crypto crime has primarily focused on the regulation of the illicit uses of cryptocurrency,Footnote 29 to a lesser extent, theoryFootnote 30 and investigative techniques to address the illicit use of crypto.Footnote 31 As of late there has been a greater focus on the geopolitical risk that is enabled by cryptocurrency, and on transnational crime. The little research that has been done on OCSEA flags cryptocurrency payments in general and their use in paying for illicit materials, but without having collected data on cryptocurrency specifically.Footnote 32 The research that does exist suggests that enforcement data is quite limited.Footnote 33 Sanctions scholarship focuses on minimizing geopolitical risk and showing that cryptocurrency is used to evade sanctions.Footnote 34 Ransomware attacks have attracted the most scholarly attention.Footnote 35 This is in keeping with a bigger shift to geopolitical consideration in crypto scholarship.Footnote 36 Regardless, data on the use of cryptocurrency in OCSEA, sanctions, and ransomware remains quite limited, which makes the comparative approach in this chapter all the more useful in expanding the scope of available data.

This chapter builds on recent work on money and crypto laundering, especially its role in the Illicit International Political Economy. IIPE gauges political and economic variables of illicit transnational trade. As in the legal economy, there are distinct trends in the networks, geography, and flows of goods in IIPE, which focuses on globalization, financial flows, and the role of the state.Footnote 37 Past research on IIPE has focused on the role of digital currencyFootnote 38; the intersection between licit and illicit markets and policyFootnote 39; and cross-border cooperation.Footnote 40

2.3 Method

This research is based on data compiled from prosecutions of cases on transnational crypto laundering. Far from providing unfettered access to all nodes and edges, this approach has its limitations because investigators limit themselves to a certain subset of a criminal network, and prosecutors narrow the focus further in deciding who to charge and what charges to lay. That has a funnelling effect on the evidence that eventually becomes publicly available once a case has been prosecuted. However inchoate, our approach thus also draws on other legal documents, news sources, blogs, corporate reporting, and informal interviews to triangulate results and expand the number of data points. The coding instrument comprises variables such as country of origin, sector, type of coin, amount transferred, wallet number, etc. The chapter analyzes the observations in the context of the extant literature, synthesizes findings and identifies priority areas for future research and policy.

3 Online Child Sexual Abuse and Exploitation (OCSEA) and Cryptocurrency

Trigger Warning: This section includes references on how cryptocurrency has been used to pay for the sexual exploitation and abuse of minors.

3.1 Overview of OCSEA Using Cryptocurrency

There is no consensus definition for online child sexual exploitation and abuse. The United Nations Childrens Fund’s (UNICEF) includes concerns about child exploitation facilitated by technology: specifically, “technology-facilitated child sexual exploitation and abuse” that is partly or entirely facilitated by technology, either through the internet or other wireless communications channels.Footnote 41 OCSEA has been flagged as a rapidly growing crime, which makes it a priority to contain. There is a breadth of pre-existing literature in this area to inform and triangulate findings. Most sources are from cyber safety groups who connected the rise in OCSEA to cryptocurrency payments. Although some literature discusses OCSEA and cryptocurrency transactions, there is little scholarly and policy-based research on the way they are connected. OCSEA networks tend to involve many individuals purchasing content with smaller network nodes that exist within criminal sectors that exploit children for profit. The chapter’s findings are then linked to social (such as who is committing these crimes and how they are taking place) and technological attributes (such how the internet is used in investigations and how perpetrators use it to identify and lure victims).Footnote 42

The 2022 Interpol Crime Report ranked OCSEA as a high priority threat. Moreover, 62 percent of Interpol’s member states expect OCSEA either to ‘increase’ or ‘significantly’ increase over years to come.Footnote 43 Yet, top crypto crime analysis groups and scholarly publications do not include materials about OCSEA. That reflects a broader lack of research and reporting on children within the crypto community. Cryptocurrency and blockchain technology increase the risk of child pornography as imagery becomes more readily accessible.Footnote 44 The escalating number of websites offering OCSEA content for purchase using cryptocurrency is depicted in Table 1, which also shows the exponential growth in websites year-over-year. In 2022, crypto analysis lab TRM analyzed crypto addresses involved in OSCEA payments, within their sample over two thirds of payments were made to scammers, most of whom advertised their OCSEA ‘content’ on the dark web.Footnote 45 Better analysis of the blockchain and its links to OCSEA payments has potential to minimize this pervasive crime, stop scammers, and better protect childrenFootnote 46:

Table 1 OCSEA crypto crime reports per year, 2015–2022

In addition, the Internet Watch Foundation has collected raw data on the types of payment being used to pay for child abuse imagery in the UK. In 2022, the Internet Watch Foundation released data reporting that virtual currency was the top form of payment used in 2022 to purchase child sexual abuse imagery. Virtual currency was identified 1366 times in payments, the next highest payment method recorded was credit card purchase, showing up 492 times in total.Footnote 47

This data is representative of the concerns that organizations such as Interpol have put forward about increases in OCSEA and crypto as an accelerant.Footnote 48 The data put forward by these groups runs counter to other findings that found payment and remittance services are the most common.Footnote 49 This change in data points to a rise in crypto payments in 2021 and 2022.

3.2 Case Study: Welcome to Video

In 2019, the US Department of Justice (DOJ) took down the darknet website “Welcome to Video.” It specialized in trading content of children being sexually assaulted or exploited.Footnote 50 Users purchased content of children as young as 6 months old, with many of the child victims being subjected to ongoing exploitation over many years. The unsealed indictment included a banner warning: “do not upload adult porn”, and offered users points and website “perks” for paying in Bitcoin or uploading their own videos.Footnote 51 The website used Bitcoin in addition to fiat currency. South Korean Jong Woo Son was eventually arrested as the mastermind behind “Welcome to Video”. Authorities were able to trace transactions on the blockchain and use technology linking payments to him.Footnote 52 The arrest of Son spawned hundreds of additional arrests based on millions of downloads and the ongoing abuse of at least 23 children located throughout the US, Spain, and the United Kingdom. At least 337 people from over 18 countries have been arrested and charged after inter-agency collaboration among South Korea, the USA, the UK, and Germany. They partnered with agencies in Australia, Brazil, Canada, Czechia, Finland, France, Hungary, Ireland, Italy, Poland, Saudi Arabia, Spain, Sweden, and the United Arab Emirates to apprehend contributors.Footnote 53

At least 7300 transactions reaped over $370,000 worth of Bitcoin between 2015 and 2018.Footnote 54 Upon receipt of Bitcoin payments in his wallet, Son would move funds to a Bitcoin account in his own name. Son’s approach was unsophisticated. He transferred money to his own personal account from a Bitcoin wallet explicitly tied to a child pornography website. The account to which he transferred funds was linked to him, registered to his name, phone number and email, and his IP address was unblocked.Footnote 55 Despite the seemingly obvious financial connection between Son and the illicit website, the website and Bitcoins wallets remained active between 2016 and 2019 and were closed only once Son was indicted in 2019.

Bitcoin was built into the use of the website. “In order to download videos from Welcome to Video, customers redeemed “points.” Points could be obtained by: (1) uploading videos depicting child pornography; (2) referring new customers to Welcome To Video; (3) paying 0.03 BTC (approximately $352.59 as of March 5, 2018) for a “VIP” account, which lasted for 6 months and purportedly allowed unlimited downloads; and/or (4) paying for points incrementally (i.e., 0.02 bitcoin for 230 points).”Footnote 56 Welcome to Video encouraged customers to make payments through different Bitcoin exchanges registered worldwide; there were over 1.3 million Bitcoin wallets set up through the Welcome to Video platform. In this way, the darknet website was not just moving illicit transactions but also brought in revenue and customers to Bitcoin (Kennedy 2019). The scale of involvement raises concerns about know-your-customer (KYC) requirements for Bitcoin and other cryptocurrencies. A wallet overtly tied to child pornography should have been shut down by administrators.

Investigators were able to secure an indictment and prosecution using a combination of public blockchain information and by tracking the IP address of the website’s owner. These tactics were unsophisticated. With software from companies such as Chainalysis and BIG, companies and investigators can track Blockchain transactions and connect contributors to crime.Footnote 57 Still, KYC protocols went unheeded for years in this case. These observations suggest that law enforcement and crypto coins that are centralized, such Bitcoin, are ineffective in identifying and addressing crimes like OCSEA.

Son did not use advanced technology, complex money laundering techniques, and did not attempt to hide his location online. Yet for 4 years he ran the world’s largest child pornography website, profited from it, and was able to keep and spend much of that money through transfers over a public blockchain. Because it is public, the blockchain holds out tremendous opportunity in principle to identify and mitigate cases in this area; prevention of OCSEA is thus inextricably tied to cryptocurrency.

4 Sanctions Evasion and Cryptocurrency

4.1 Overview

The introduction of cryptocurrency to the global financial system has altered global sanctions regimes. Cryptocurrency has allowed sanctioned entities to evade detection and continue trade that undermines the efficacy of geopolitical aims an economic stability. Sanctions have grown more popular as an instrument of international politics. In recent years crypto wallets, coin companies, and mixers have been sanctioned by agencies such as the U.S. Treasury Department’s Office of Foreign Assets Control.Footnote 58 Under international law sanctions are: “Coercive measures taken [in response to a violation of international law] in execution of a decision of a competent social organ, i.e., an organ legally empowered to act in the name of the society or community that is governed by the legal system.”Footnote 59

The logic that informs sanctions evasion payments uses cryptocurrency by means of combination of rent seeking behaviour, moving money and then laundering it, or in political circumstances, for proliferation finance. Sanctions can be implemented at multiple levels and across different trade sectors including oil, food, medicine, and defence. This section focuses on economic sanctions: when a state actor leverages economic instruments to control or enforce behaviour by one actor against another. Any entity can impose sanctions on another. However, the power an actor exerts over the international community determines the impact sanctions are likely to have. For purposes of legitimacy or having an economy too small to make an impact unilaterally, many actors choose to enforce sanctions through the United Nations (UN) or through multilateral channels, such as the European Union (EU).

Today, countries that are sanctioned include Russia, Cuba, Iran, Venezuela, and North Korea.Footnote 60 Cryptocurrency makes it possible for actors that are subject to sanctions to develop virtual currencies to avoid having to interact with currencies with which they are sanctioned from transacting. In 2022 ten cryptocurrency entities and 400 addresses were sanctioned.Footnote 61

This numbers reflect growing concern about cryptocurrency being used to evade sanctions. The increase in sanctioned addresses and entities corresponds with an increase in sanctions evasions payments using virtual assets. Both 2021 and 2022 saw increases in sanctioned crypto entities, with numbers reaching a record high in 2022. There were nine entities sanctioned in 2021 and ten entities sanctioned in 2022, in addition the wallets sanctioned included 100 addresses in 2021 and 350 addresses in 2022.Footnote 62

The issue became more acute following Russia’s invasion of Ukraine in 2022. Russia has been subject to an array of sanctions ever since, notably by the United States and allies. Not only would cryptocurrency enable crime, now it was being used to fund a war. Bitcoin and Ethereum were demonstrably used at greater scale following the period in 2022 of the invasion and subsequent sanctions. Cryptocurrency has made it easier to avoid sanctions imposed by OFAC by moving money without interacting with the US dollar while avoiding Western jurisdictions where wallets may be subject to seizure. Because the world’s financial systems are interdependent, and the United States’ Office of Foreign Assets Control (OFAC) has been able to police bad actors that avail themselves of the U.S. financial system.Footnote 63 Global financial flows pass disproportionately through New York for instance. However, with the emergence of cryptocurrency to advance geopolitical agendas, it is now possible to transact without using US territory or the US dollar, which had historically been a comparative strategic advantage for the US.

Transboundary payments, the pseudonymous nature of crypto, and prevalence of technology like mixers and tumblers mean that sanctioned entities can evade sanctions and profit with minimal oversight from traditional regulations. Cryptocurrency is a game changer insofar as it makes it relatively easy to evade sanctions to evade OFAC and its regulations. In many countries, cryptocurrency is not included in sanctions regulations, which making it difficult to prevent the use of cryptocurrency to evade sanctions. OFAC has worked to address the regulatory gap that cryptocurrency has created, imposing economic sanctions on numerous Bitcoin wallet addresses, companies, and individuals, such as the Russian “BitRiver.”

Meanwhile, the US DOJ has been bringing criminal charges (United States Department of Justice 2022a). In in response to OFAC sanctioning of numerous crypto entities, in May 2022 Magistrate judge Zia Faruqui approved the first cryptocurrency sanctions complaint. Japan is also reviewing its laws on cryptocurrency to impede Russia from evading sanctions. And the EU has banned high value cryptocurrencies from servicing Russian individuals and entities. Yet, the scale of the impact of virtual currency sanctions evasion remains unclear.

4.2 Case Study: The Lazarus Group

Lazarus is a ransomware attack group affiliated with North Korea’s Reconnaissance General Bureau that has been evading sanctions against North Korea, using ransomware to encrypt files and hold them ‘hostage.’ In 2020, OFAC designated it a “state sponsored malicious cyber group.”Footnote 64 Lazarus effectively enables proliferation finance by enabling the North Korean regime.Footnote 65 Since they are located in North Korea, they do not run the risk of US domestic prosecution. Lazarus thus remains prolific. Victims include healthcare, entertainment, and cryptocurrency, among other sectors. Lazarus uses many different entities to move money, including crypto mixer Tornado Cash.Footnote 66 Lazarus can count on support outside of North Korea. In April 2022, a US citizen was indicted for travelling to North Korea to speak at a cryptocurrency conference where he gave advice on blockchain technology and negotiations with the US on nuclear weapons, thereby effectively enabling North Korean proliferation finance.Footnote 67 His intentions were to move money from North Korea to South Korea without being detected by sanctions programs imposed by the USA and South Korea. A year earlier the US Justice Department had named Ghaleb Alaumary, a 36-year-old man from Ontario, and described him as a “prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes.” He was promptly sentenced to 11 years in jail (US Department of Justice 2021).

In 2018 the Lazarus Group hacked into a virtual currency exchange and stole $ USD 250 million in cryptocurrency and laundered the proceeds through multiple wallets and mixers, many through automated accounts. There were 113 cryptocurrency accounts tied to the group. Money came from YouBit, UpBit, and Bithumb, in South Korea. Fake photographs and falsified documentation were used to circumvent KYC requirements.Footnote 68

Online laundering transactions used decentralized currencies including Bitcoin, Ethereum, Dogecoin, Litecoin, Zcash, Ripple and Ethereum Classic, many of which are alt coins of varying value.Footnote 69 However, funds also travelled through the traditional financial system. China-based banks were used to launder funds after exchanging crypto for fiat currency. Chian Guangfa, the Agricultural Bank of China, and China Everbright Bank sent $455 million stolen by Lazarus through mixers such as Tornado Cash, which operates on the Ethereum blockchain. It allows users to distort the provenance of funds by putting them through complicated and seemingly random transactions. That makes transactions difficult for law enforcement to track, which makes mixers very popular for sanctions evasion.Footnote 70 Tornado Cash has since been sanctioned by the US government for this and numerous other crypto heists.

This case demonstrates complexity of sanctions evasion schemes, especially ones that enjoy the support of a sanctioned government. The Lazarus group partnered with other groups engaged in criminal activity, including mixers and governments. This makes it difficult to shut down and mitigate. In other words, cryptocurrency raises geopolitical risk by opening sanctions gaps that are a function of failure to regulate. Fuelled by cyber profits, in 2022 North Korea’s regime tested a record number of nuclear weapons.

4.3 Ransomware

4.3.1 Overview

Virtual currency has enabled new crimes, such as crypto theft, to morph. A devastating example of a morphing crime is ransomware: a type of malware designed to encrypt files and make essential information or services (for example healthcare data) inaccessible to the owners. In most cases, the owner must pay a sizeable ransom to have encrypted files unlocked.

Ransomware attacks have been incurring sizeable losses for governments, businesses, and individuals that rise year over year. Ransomware is a form of malware that can encrypt files and hold them as ‘hostage’. Criminals require victims to pay a ransom in exchange for a decryption key. Victims include hospital data and healthcare more broadly. In 2022 ransomware attacks ranked as a top crime involving cryptocurrency against federal agencies, at 11.9% of all crimes involving virtual currency.Footnote 71 At the state and local level this number is similar with 11.3% of crimes identified as ransomware attacks.Footnote 72 Ransomware attacks typically have three stages. The first stage is infection, in this stage a computer receives the malware. The second stage is encryption, in this stage the files, data, or personal information is encrypted, that is, the content is no longer available to the owner. The third stage is demand, when the attacker requests a ransom fee to decrypt infected files. If the ransom is paid, the attacker needs to launder the proceeds, and the files will either be restored or destroyed.

Ransomware technology is a form of malware. Malware is: “hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose”.Footnote 73 These programs are covertly integrated into an operating system to violate a computer’s security. While there are many ways to introduce malware to a computer, criminals have several popular techniques including: phishing emails with malware attachments; social engineering; and removable USB devices.Footnote 74 The subject matter targeted by ransomware attackers includes threats to financial data, sensitive information, and data necessary to public functionality and wellbeing. The malware attack takes place on a victim’s computer as the result of a virus or other code-based entity.Footnote 75 After peaking in 2021, the profitability of ransomware attacks declined slightly the following year. There is a notable technological variable in this decline: the average lifespan of ransomware strains has been steadily and rapidly in decline. In 2012 the average lifespan of a strain was 3907 h, and now in 2022 the average lifespan was down to only 70 h.Footnote 76 This decline corresponds with more effective, targeted, and aggressive forms of malware.

For the purposes of this chapter, we distinguish between socio-political and financial attributes of ransomware. Socio-political attributes play an important role in varying ransomware attacks, such as state-tolerated bad actors in Russia that combine rent-seeking behaviour with grey-zone adversarial objectives, such as sewing mistrust in public and critical infrastructure. Attacks have increased steadily over the past 20 years. However, this increase stalled in 2022 despite continued advances in the technology. In 2021 ransomware attackers made US$ 765.6 million in profits, but by 2022 that number had dropped to US$ 456.8 million. This steep decline has been attributed to several changes, including a change in law enforcement policy which recommends that victims of attacks not pay up: 59% of individuals did not pay their ransom, the highest number to date.Footnote 77 Combined with greater technological resilience, data protections strategies and improved cyber response, these developments are credited for the decline in ransomware profitability.Footnote 78

On the financial side, the publicity of the blockchain has allowed for a trove of data. Recent trends track the movement of funds between the wallet receiving the ransom and its secondary destination: Often funds are initially sent to central exchanges (for example Binance), then on to high-risk exchanges, illicit platforms, and mixers, which are commonly used as secondary points from wallets. Although ransomware attacks use cryptocurrencies to engage in rent-seeking behaviour, ransomware attacks often rely on laundering the proceeds of their illicit gains in combination with the traditional financial system. The scale or ransomware funds tends to necessitate more complex, mixed method laundering techniques, but these often involve Western jurisdictions since that is where targeted entities tend to be located. That gives criminal intelligence a leg up. At the same time, reliance on cryptocurrency to receive ransom payments means that crypto is inextricably linked to ransomware crimes.

The potential risks of ransomware attacks are vast, with the geopolitical implications for proliferation financing being particularly clear. For example, FATF postulates that North Korea’s state sponsored ransomware attacks have enabled an “unprecedented number of recent launches of ballistic missiles.” These launches have been funded, in large part, by virtual currencies stolen from decentralized exchanges adding up to approximately USD 1.2 billion since 2017 alone.Footnote 79 Non-state actors are profiting as well. Illicit groups of many kinds have exploited ransomware attacks and cryptocurrencies to move illicit money. Ransomware attacks can bring billions in profits to nefarious state actors, criminal organizations, and terrorist groups. It is essential to better understand how these different actors occupy ransomware attack spaces within the global economy.

4.3.2 Case Study: The LockBit Gang

In 2022 LockBit, was among the most prolific and profitable criminal ransomware gangs. Their network is global, decentralized, and multinational. Since inception Lockbit has received USD $100 million in payments. In 2022 Lockbit brought in USD $44 million alone.Footnote 80 The Canadian Centre for Cyber Security estimated that the LockBit Gang was “responsible for 22 percent of ransomware incidents” in Canada and approximately 44% of global incidents.Footnote 81 Mikhail Vasiliev, a Russian-Canadian based in Bradford, Ontario, was charged in the District of New Jersey with “intentionally causing damage to a protected computer” and “knowingly extorting money in relation to damage to a protected computer” between September 2019 and October 2022.Footnote 82 The charges were the result of a RCMP investigation lead by the National Cybercrime Coordination Centre (NC3). The investigation uncovered Vasiliev’s ownership and stewardship of the LockBit ransomware strain that emerged in January 2020. LockBit is a malware that deploys (hard or soft) ware that can be purchased and deployed to lodge demands for payment. The company is responsible for making over $100 million in ransom demands with tens of millions of these demands resulting in a ransom being paid.Footnote 83

Vasiliev had been coordinating with the rest of the LockBit gang and extorting victims in the USA, Germany, France, and China in 2019.Footnote 84 They encrypted companies’ entire networks, then reached out to negotiate ransom payments. Upon receiving payment, they provided the decryption key to victims to re-access their files. They requested between one and three Bitcoin as payment and provided the wallet addresses, equivalent to $7000 to $11,000 each, but up to $30,000 USD was paid out in ransom. In 2022 ransom demands increased to multimillion dollar figures.Footnote 85 A sample ransom note read as follow (DiMaggio):


There is only one way to get your files back:

  1. 1.

    Contact with us

  2. 2.

    Send us 1 any encrypted your file and your personal key

  3. 3.

    We will decrypt 1 file for test (maximum file size 1 MB), its guarantee what we can decrypt your files

  4. 4.


  5. 5.

    We send for you decryptor software

    We accept Bitcoin.


    Do not rename encrypted files.

    Do not try to encrypt using third party software, it may cause permanent data loss.

    Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to ours)

By way of example, LockBit targeted St. Mary’s, a small town of 7700 residents in Ontario, Canada with limited cybersecurity capacity. It encrypted 67 gigabytes of data; the data belonged to the city and comprised confidential data on citizens and internal financial documents. The group engaged in a double extortion: it demanded a ransom and threatened to release the town’s data online if the town did not pay up.Footnote 86 In response, the town solicited help from the Canadian Centre for Cyber Security (CCCS), Stratford police, a legal team, and the town council. The CCCS recommended that town council not pay up.Footnote 87 CCCS tried to determine the culprit, and whether they could back up the data before deciding on the ransom payment. Whether St Mary’s paid up to have its files returned is unclear. The town shut down its servers to prevent exfiltration of data, but that left many of their computer systems unusable. Under similar circumstances Stratford, Ontario paid $75,000 in Bitcoin, while Frederick, Colorado faced a US$200,000 ransom demand for the return of their files.

In addition to the financial losses from ransom payments, ransomware attacks can cause long term damage to digital infrastructure. Regulation and investigations have a hard time keeping up. Victims rely on investigators to track addresses and uncover attackers to recovering funds and data. Failure to reacquire files can damage the public good so hospitals, municipalities, and food providers that have been attacked can resume functioning: they are preferred targets that are vulnerable yet more likely to pay up because they can ill afford lengthy disruptions to their operations.

5 Implications and Recommendations

The aim of this chapter has been to make the case for nuanced policy responses to different types of cryptocurrency-based crime, to which the current FATF framework is ill adapted. This section outlines implications and recommendations for crypto crime covered in this chapter: OCSEA, sanctions evasion, and ransomware attacks.


To address the rise in OCSEA Interpol has suggested to build out capacity to detect online child luring technology. In addition, Interpol is proposing greater cooperation among investigating agencies to address the transboundary nature of OCSEA, in support of its broader effort to crack down on crimes that operate on the internet.Footnote 88 However, criminal intelligence and other stakeholders could do (much) better at leveraging transparency from blockchains to gauge potential child pornography risks.Footnote 89 Wallets are forensic artefacts; their discovery and linking them to a real person can be used as evidence in criminal investigations.Footnote 90 As this chapter shows, crypto wallets can indeed provide strong evidence in investigations and prosecutions. In other words, shift strategy to focus more on virtual currency that enables OCSEA, notably privacy-enhancing alt coins such as Monera.

5.2 Sanctions

Not all regulation is created equal. Many countries have partial regulation for coins. For example, Canada has an incomplete regulatory framework in development that does not cover all virtual assets. However, crypto laundering is regulated under Canada’s anti money laundering and countering terrorism financing legislation after virtual assets were added to Canada’s Proceeds of Crime, Money Laundering and Terrorist Financing Act (PCMLTFA) (Government of Canada 2000). In contrast, the Bahamas have a full regulatory framework, anti-money laundering procedures, rules on travel, and allowance for stable coin payments in addition to the launch of the Bahamas’ own CBDC: The Sand Dollar. FATF enforcing standardized regulation and consensus on a gold standard for crypto regulation would go some way to avoid criminogenic asymmetry whereby criminal exploit crypto exchanges registered in different jurisdictions.

5.3 Ransomware

Ransomware is a leading cybersecurity concern for companies, the public sector, and private citizens (Veeam 2022). Ransomware is highly profitable and technology to encrypt or hack files keeps adapting. Cryptocurrency is the payment mechanism of choice for ransomware, with Bitcoin featuring foremost among related financial transactions. Centralized finance is the most common secondary send for ransomware attackers. Preferred targets are smaller entities with large budgets—because they tend to be more vulnerable yet able and willing to pay. With the propensity to pay out ransoms on the wane, ransomware attacks have recently started to decline. A more resilient cybersecurity posture, multisector collaboration, and more research on the nuances of ransomware and cryptocurrency should offer better insights into the way cryptocurrency is used to launder money. While Bitcoin and Ethereum feature prominently, the role of less mainstream coins such as Monero and ZCash are poorly understood.Footnote 91 We also have a poor understanding of the size of ransomware groups and the composition of their networks, which makes it difficult for investigators to “follow the money”.

5.4 FATF Cryptocurrency Guidelines

Arm’s length from the Organization for Economic Cooperation and Development (OECD), FATF is mandated to set standards for financial crime prevention and assess jurisdictions. At the time of writing FATF’s inclusion of virtual currencies within its recommendations are limited and have been active only since 2015.Footnote 92 The current standards clarify that entities that offer virtual payment services must be licensed and should comply with pre-existing regulations for money laundering, customer due diligence, record keeping, and must report suspicious transactions. However, this information is vague and does not offer a targeted approach to crypto or specific crypto crimes. Instead, it places virtual assets under a broad category with vague responsibilities. In their 2023 report FATF found that 75 percent of jurisdictions assessed were not or only partially compliant with virtual asset standards.Footnote 93 These requirements include FATF’s recent update is the so called ‘Travel Rule’ which applies wire transfer requirements to hold information on both the originators and beneficiaries to virtual assets. This is meant to improve traceability and law enforcement’s ability to identify and freeze assets.Footnote 94 Failure to implement basic record keeping combined with poor implementation from jurisdictions have made FATF standards for cryptocurrency largely ineffective.

A global standard for crypto regulation by parties to the United Nations and the Financial Action Task Force (FATF) would have a levelling effect. If degrees of regulation vary across countries, implications for cryptocurrency buyers, sellers, or users will differ. Absent an international standard for crypto crime compliance, the global regulatory space is highly diverse and inconsistent, not just in regulation but also in its implementation. While countries such as the Bahamas, France, and Japan have implemented regulations, others have outright banned the development of cryptocurrencies, for example China, Qatar, and Saudi Arabia.Footnote 95 Yet, even bans differ. For example, China banned crypto exchanges, initial coin offering’s (ICO’s), and blocked financial institutions from engaging in cryptocurrency trade. In contrast, Canadian provinces such as Alberta have encouraged ICO’s and Canada has a CBDC ready to launch, if necessary.Footnote 96 As countries develop cryptocurrencies and cryptocurrency regulation, collective action holds out promise for setting standards for regulations and opportunities for greater inter-agency collaboration. The criminogenic asymmetry of crypto crime means global standards and cooperation are indispensable to contain crypto crime. Yet, the FATF’s framework is not well adapted to addressing trends in the abovementioned spaces, for example peer-to-peer transfers that take place without oversight from central authority.Footnote 97 Recommendations to improve FATF’s standards have thus far been limited. De Koker et al. recommend that virtual asset service providers be supervised or monitored by a competent authority. Additionally, they recommend that these authorities should take on regulatory measures such as managing and preventing criminal access to virtual assets.Footnote 98

FATF requirements should be updated. However, member states also have a responsibility to ensure that appropriate domestic standards are in place. While FATF is well positioned to take the lead on setting crypto crime standards, FATF cannot do it alone, or without more work. FATF is reliant on its members to implement, regulate, and enforce guidelines, and as of present virtual currency guidelines are simply not being met by member states.Footnote 99 FATF is lagging on virtual currencies in general, and on emerging crypto crimes in particular.

6 Conclusion

This chapter compared different types of crypto crime, to make the case for a more nuanced approach to OCSEA, sanctions evasion, and ransomware. The chapter expands the literature by discussing these crimes in the context of cryptocurrency and identifying trends that make the case for more effective mitigation techniques, beyond what is currently on offer by FATF and in many jurisdictions.

The proposition in this chapter, particularly on OCSEA, stands to benefit from more robust data to bridge gaps between literature and criminal intelligence observations on criminogenic trends in virtual currency. OCSEA is quite understudied, and that cryptocurrency is funding this crime on a level disproportionate to the little scholarly and institutional attention it is receiving. For instance, better KYC requirements for crypto are indispensable to contain OCSEA.

The chapter’s observations on sanctions evasions suggest that rent seeking and money laundering processes are intertwined. Further work on this section could develop data and aim to understand how different types of sanctioned entities operate to evade sanctions. To be sure, the crypto economy is too small for an economy as large as Russia to evade sanctions effectively, that is, US dollar liquidity is insufficient to turn billions of dollars in crypto tokens into market value at scale, let alone move it through the crypto exchange system unnoticed. U.S. enforcement agencies have stepped up their game, and cryptocurrency is now mentioned in sanctions packages.Footnote 100 The absence of commercial banks and their vulnerability to theft, and the anonymity of non-custodial wallets makes them attractive to evade sanctions: Russians and Russia are using cryptocurrency to evade sanctions, but their modus operandi is different from the North Korean regime: Russia, and Iran, have been using cryptocurrency to pay for imports by avoiding commercial payment systems, whereas North Korea just wants to make up for lost revenue. FATF’s cryptocurrency recommendations need to reflect a better and more nuanced understanding of sanctioning crypto wallets and entities to match this growing form of evasion. The current literature on the effectiveness of sanctions would benefit from including crypto sanctions evasion. Sanctions evasion has geopolitical implications, from the potential to fund wars of aggression, to their role in proliferation finance.

This chapter expands the literature on ransomware attacks by discussing how money is laundered and crypto payments are used: Ransomware attackers launder funds at scale because of the amounts involved and extensive attention from law enforcement. Akin to sanctions evasion, ransomware has geopolitical and social implications. If attackers can profit from their crimes, public data will be at risk. Illicit actors have been bankrolling aggressive authoritarian regimes at minimal overhead costs.

The crime-crypto nexus is much more nuanced than commonly presumed, and FATF is inflexibly postured to address it. Investigators can enhance capabilities to keep up with criminal adaptation. Blockchain-based investigations, continuous content monitoring, and other methods allow for the analysis of wallets as forensic evidence. Stringent regulations on enablers of dangerous content and greater penalties for companies that are complicit in the sale of illicit content such as child pornography or ransomware soft- and hardware could help draw red lines. Criminals are rent seekers; cryptocurrency has made crime more profitable and easier to perpetrate. Technology, its adoption by enforcement and a better understanding of the human and socio-economic drivers of crypto crime highlight the risks of untethered crypto as geopolitical actors and nefarious actors look to exploit cryptocurrency for illicit gain. FATF’s failure to provide jurisdictions with timely, nuanced information on alternative financial ecosystems such as cryptocurrency poses vast financial, social, and political risk. As this chapter has shown, even with limited open-source information it is possible to make the case for the nuanced characteristics of crypto-enabled crime and cryptocurrency as an accelerant.