The recent so-called “WannaCry” ransomware cyber-extortion attack has thrust bitcoin as a means of payment back into the debate surrounding illegal online activity. Much in the way that the internet, in its early days, was seen as a tool useful only for crime, pornography, and other socially unacceptable activities, so too are bitcoin and other cryptocurrencies seen by some as only useful for bad actors. This of course ignores the substantial investment in bitcoin and other cryptocurrencies by legitimate and well-known businesses, financial institutions, and even governments all around the world. Still, in some corners the stereotype persists. But much in the way that the internet continued to grow and evolve, so too will the bitcoin and cryptocurrency ecosystem grow and evolve, and its use by bad actors will continue to diminish.
Why would a ransomware operator request bitcoin?
Bad actors are drawn to bitcoin for the same reason that thousands of businesses and millions of individuals are drawn to bitcoin for legitimate commercial reasons—it is fast, easy, and convenient.
First, bitcoin transactions are fast. The WannaCry ransomware, like many similar ransomware attacks, displays a timer and indicates that the “ransom” to be paid will go up the longer the victim waits to pay the ransom. This bit of “countdown clock” behavioral prompting drives more and quicker payments from victims. Bitcoin transactions, which are functionally instantaneous, work well with this technique, especially as compared to bank transfers, which can take days to settle, especially if sent internationally.
Second, bitcoin transactions are easy because the bitcoin system is built on open source code that places a premium on interoperability. As a result, bitcoin can be seamlessly transacted between otherwise unrelated parties, such as the victim and the perpetrator of a ransomware attack, much in the same way that any two parties in the world can send an email to each other.
Third, bitcoin is convenient because its wide adoption makes it a liquid resource that can be readily converted into real, fiat currencies. With more and more lawful exchanges operating around the world and more and more businesses accepting bitcoin for electronic payments and other commercial uses, it is increasingly easy for people to use bitcoin in their everyday lives.
What can be done to prevent the abuse of bitcoin?
There are a number of ways to reduce the attraction of bitcoin as a payments method for ransomware attacks.
Enforcement agencies can improve their capacity for investigating criminals that use bitcoin. Every bitcoin transaction creates an immutable, perpetual record on the bitcoin blockchain, which is visible to everyone. There are a number of private sector vendors that have developed tools that allow people to trace bitcoin transactions through the blockchain and identify end wallets, and regulators’ in-house capabilities improve with every year. Enforcement agencies must invest in either external or in-house solutions if they hope to effectively police this space. And while the bitcoin blockchain offers some level of pseudonymity, this problem is less pronounced than the anonymity provided by the traditional financial system, which allows sophisticated actors to open bank accounts across jurisdictions in the names of shell or fictitious entities. Further, the blockchain is open, allowing easier access for enforcement agencies than is true for the traditional financial system, where financial institutions maintain closed, proprietary transaction ledgers that often are protected by bank secrecy laws. In other cases—notably, the Silk Road investigation—enforcement agencies were able to leverage blockchain records to identify perpetrators; there is no reason to think that they would be unable to do so in the case of a ransomware attack as long as they bring the appropriate level of resources to bear on the problem.
Regulators can revise their regulatory regimes to explicitly incorporate bitcoin and cryptocurrency exchanges and payments platforms. While regulators are increasingly doing so, there is still a good deal of ambiguity and lack of clarity in jurisdictions all around the world. Bitcoin and cryptocurrency businesses want to be good corporate citizens, and many affirmatively engage with regulators or voluntarily adopt regulatory requirements that do not explicitly apply to them. Regulators should establish clear rules of the road so that companies and consumers all know what they can and cannot do.
Cryptocurrency companies can adopt anti-money laundering (AML) policies and procedures that comply with best practices for traditional financial institutions. Enforcement agencies have and will continue to go after companies that facilitate illegal activity, and regulators are increasingly defining the scope of regulated behavior to encompass bitcoin and other cryptocurrency transactions. As a result, companies operating in this space should engage counsel to determine if they are at risk of regulatory sanctions and/or criminal prosecution.