Cryptocurrency has always been the payment method of choice for bad guys. Get hit with an enterprise ransomware attack and plan to pay? You’ll need crypto. The key reason cyberthieves love cryptocurrency so much is that it is far harder to trace payments.
That is why a move being attempted by the European Union has so much potential. The EU — in a move that will likely be mimicked by many other regional regulatory forces, including in the United States — is putting in place tracking requirements for all cryptocurrency.
If it is successful, and the EU has an excellent track record on precisely these kinds of changes, cryptocurrency may quickly fade as the thief’s payment of choice.
What does that mean for enterprise IT and security? It's entirely plausible that the ransomware fights you’ll have in 2023 and 2024 may not necessarily require crypto. The bad guys might come up with ways to more safely use Visa, wire tranfers or ACH payments. (Do you know how much easier paying ransom becomes if you can charge a PayPal account or use Zelle or Venmo?)
One big slice of the nightmare of paying ransomware is the difficulty in quickly obtaining a large amount of cryptocurrency. The enterprise can’t hold it for the future, given how extremely volatile its value is. You think you are tucking away $5 million worth of crypto, only to discover that it’s worth $42,000 when you try and use it.
So what exactly has the EU done? The Council of the European Union said the bloc has reached a “provisional agreement” on a new landmark regulatory framework for cryptocurrencies. The agreement’s text is not final, so it’s not clear what will ultimately be included. An EU official told me “the text will be ready in time for the confirmation of the provisional agreement by ambassadors of EU member states at one of the Coreper meetings, not before September.”
“Not before September”? As deadlines go, that's relatively meaningless. But given that it's been announced, the change seems more likely than not to happen.
From the EU statement: “The aim of this recast is to introduce an obligation for crypto asset service providers to collect and make accessible certain information about the originator and the beneficiary of the transfers of crypto assets they operate. This is what payment service providers currently do for wire transfers. This will ensure traceability of crypto-asset transfers in order to be able to better identify possible suspicious transactions and block them.”
The statement also promised “the new agreement requires that the full set of originator information travel with the crypto-asset transfer, regardless of the amount of crypto assets being transacted. There will be specific requirements for crypto-asset transfers between crypto-asset service providers and un-hosted wallets.”
By the way, the EU in this document also listed “non-cooperative jurisdictions for tax purposes,” which include American Samoa, Fiji Guam, Palau, Panama, Samoa, Trinidad, Tobago, the U.S. Virgin Islands, and Vanuatu.
Another interesting detail is what the EU promised consumers, though it is less clear how well anyone can deliver when it comes to consumer protections. The new agreement “will protect consumers against some of the risks associated with the investment in crypto-assets, and help them avoid fraudulent schemes. Currently, consumers have very limited rights to protection or redress, especially if the transactions take place outside the EU. With the new rules, crypto-asset service providers will have to respect strong requirements to protect consumers wallets and become liable in case they lose investors’ crypto-assets. (The agreement) will also cover any type of market abuse related to any type of transaction or service, notably for market manipulation and insider dealing.”
Those are fine goals, but let’s not forget that they are imposing rules on criminals who pretty much earn their living by ignoring laws and other restrictions. The penalties for these violations is unlikely to be more of a deterrent than getting caught and charged with extortion, theft, fraud, and perhaps espionage. Against that backdrop, some EU penalties don’t deliver much of a fear factor.
That all said, cryptocurrency exchanges are, sort of, mostly legal operations. If new rules can make those operations less hospitable to the thieves, that’s good. WIll it be enough to push them into the arms of PayPal and their counterparts? That will be very interesting to watch.