On January 17th, with cryptocurrency prices being widely routed by risk aversion, Crypto.com flagged a “security incident” that caused the operation to freeze withdrawals.
Days later, the Singapore-based exchange announced that hackers had stolen at least $15 million worth of Ethereum (ETH) tokens — and potentially as much as $33 million, according to independent estimates — but pledged to reimburse those affected. Crypto.com attributed the breach to a lack of 2-factor authentication on some accounts, but didn’t provide many other details.
However, information security specialists and amateur blockchain sleuths on Twitter were already tracing the hacked funds, with almost half pointing to a non-custodial Decentralized Finance (DeFi) mixing service called Tornado Cash. That’s where the trail goes cold.
Tornado Cash (TORN), itself a smart contract token, is one of a few legal cryptocurrency mixing (or “tumbling”) protocols that can be used to obfuscate transaction history.
It can also wash crypto proceeds in ways that are raising alarm among investors and law enforcement — already grappling with a rise in the sector’s illicit activity amid a sharpening debate over how to provide regulatory oversight to the booming digital coin movement.
Experts say blockchain mixing services aren’t necessarily illicit, even though hackers use them. While part of the growing crypto ecosystem, mixers offer a handy way for criminals to launder funds without the activity being explicitly classified as money laundering.
Still, in December, hackers used Tornado Cash to wash $196 million of crypto stolen from Bitmart, a crypto exchange. According to Victor Fang, CEO and Founder of blockchain analytics firm Anchain.AI, Tornado Cash uses zero-knowledge proofs.
“This is advanced cryptography, Turing-awarded work from MIT, the highest award in computer science,” explained Fang, who chuckled in awe of the technology underpinning the protocol.
Over the past year, Tornado Cash serviced over $10 billion worth of crypto transactions, according to Anchain, with a rising number of criminal cases being managed by Fang’s firm involving the protocol.
“Privacy is not criminal but criminals are seeking these privacy solutions. This is the tip of the iceberg, the beginning of the future we’re going to see play out,” he added.
Money laundering, especially the digital coin variety, is notoriously difficult to track. The United Nations estimates that around 2-5% of global growth (roughly $2 trillion) gets laundered in fiat currencies each year, but the figure is not regularly updated.
Currently, crypto’s market capitalization tops $1.7 trillion, and experts insist crime is a shrinking margin of those flows. However, there’s still $8.6 billion in blockchain-based loot getting laundered, according to a report released Wednesday by blockchain analytics company Chainalysis.
The firm previously found that crypto-based crime hit a historical high at $14 billion, but at 0.15% of all sector transactions, that figure is relatively low. Chainalysis tracked crypto money laundering over the past year, but did not count funds coming from mixing services as illicit, according to Chainalysis’ director of research Kim Grauer.
Yet billions in laundered funds were up 30% in 2021 compared to the prior year, and represent the amount of money sent from a crypto wallet that the firm marked as illicit. Those funds then went to another platform for trading, gambling, DeFi, mixing, or other purposes.
And according to Grauer, tracking illicit flows comes only from “multi-decade-long and hard-won investigations” into specific financial firms. The rising use of digital ledgers, however, could make it easier, some say.
“We can’t say cryptocurrency is better for fighting crime but there’s no equivalent data set for measuring criminal activity in fiat currencies,” Grauer said.
Mixing services still represent a slim margin for the destination of illicit crypto funds, according to Chainalysis data. Yet based on conversations with compliance officers, Grauer said that customer funds sent from a mixing service can be a “red flag,” with firms receiving a significant amount of funds from mixers.
While algorithmic tools offer precise data, curbing crypto laundering relies on coordination between law enforcement and private companies, which in the eyes of regulators needs improvement.
The DeFi boom has also fed money laundering, with illicit wallet use up from 2% in 2020 to 17% over the past year, reflecting the sector’s high rate of theft. Still, crypto exchanges remain the primary method for thieves to wash hot money, with those receiving 47% of total illicit funds tracked over the last year, largely because of scams.
One way to halt illicit crypto flows hinges on blocking, or at least monitoring, the exit points out of the cryptocurrency economy: the on- and off-ramps that give criminals a chance to convert their loot into less traceable cash. Increasingly, regulators want to shore up their surveillance and reach at these critical junctures.
Congress is debating a measure that grants the U.S. Treasury broad authority to prohibit or freeze certain digital assets, particularly if they relate to foreign banking institutions, transactions or if “1 or more types of accounts is of primary money laundering concern.”
Amid a broad debate about crypto regulation, some market players see the provision as a “blank check” for regulators to muzzle crypto’s privacy and commerce benefits. Two of the largest cryptocurrency exchanges, FTX and Binance, both qualify as foreign banking institutions though they both have U.S. subsidiaries. In theory, they could run afoul of Treasury’s interpretation of that statute, some argue.
If cryptocurrency is ever going to get “traction, there has got to be more regulatory constructs around it,” according to David Cass, a former crypto and stablecoin researcher at the Federal Reserve who’s now a partner with Law and Forensics, a legal and investigations firm.
The marketing of Tornado Cash and other crypto mixers may affect how regulators “facilitate cooperation with those services,” Daniel Garrie, Law and Forensics’ co-founder, said.
“They can say if you are found to interact or engage with this, you’re not allowed to participate in the U.S. banking system, something like that but there are a lot of caveats,” Garrie said.