By Robert Sanchez, ACSS Reporter
February 12, 2022
The international regulatory community has taken considerable steps to improve oversight of cryptocurrency transactions. Since the advent of blockchain technology, regulators have struggled to keep up with it and the evolving applications that innovate decentralized finance (DeFi).
The primary tool of regulators for navigating this space is known as blockchain analytics. This is the practice of modeling and visualizing transactions that take place on a blockchain ledger.
Often, blockchain users manage their cryptocurrency funds with a cryptocurrency wallet. Wallets host funds digitally and interact with blockchains by their coded wallet address.
The wallet address is the unique identifier that can attribute a user to a transaction. The analytics may display the cryptocurrency wallet address of the end-users, the amount of value transferred, and possibly the country of the device.
In other words, blockchain analytics is a method of reading the open and distributed ledger that makes up a blockchain. When personally identifiable information can be attributed to a wallet, financial activity on a blockchain can be identified as the actions of a user.
Blockchain analysis offers regulators insightful information about users for investigations. Sites like blockchain.com and etherscan.io are resources available to compliance officers to easily access transaction histories of various cryptocurrency wallets and addresses. These include transactions on the prominent Bitcoin and Ethereum blockchains. Both are public, so their respective coins and transactions can be openly traced when the necessary wallet or transaction information is available.
Transactions can be traced from one of the following data points:
- The wallet address of a user, such as that of a sender or receiver.
- The transaction’s unique identification, known as a transaction ID.
For example, when the US Treasury added individuals to OFAC’s Specially Designated Nationals And Blocked Persons List (SDN) in November based on a case against ransomware operators, it listed the multiple cryptocurrency wallet addresses associated with the case. The blockchain analytics on one of these wallet addresses, 158treVZBGMBThoaympxccPdZPtqUfYrT9, can be found here.
Blockchain data platforms such as Chainalysis and CipherTrace offer investigation and visualization tools that assist compliance professionals in developing criminal cases related to decentralized finance. For example, the following image displays Chainalysis’s Reactor tool and illustrates how software can visualize the flow of funds between cryptocurrency wallets of individuals and businesses.
Virtual Asset Service Providers
Regulators can employ blockchain analytics to detect illicit cryptocurrency transactions converted back into fiat currency and see to whom the funds are really going. This can be done by identifying either the account that the end-user has made with a virtual asset service provider (VASP) or the bank account associated with the digital assets.
A VASP enables one to buy, sell, and trade cryptocurrency and other blockchain-enabled assets. It often hosts wallets for customers and allows conversion services for fiat currency transactions, which are linked with the user’s bank account.
Many VASPs employ Know Your Customer (KYC) protocols. When users start a wallet with a VASP, they are required to provide personally identifiable information, such as full names, addresses, photos of government IDs, and banking information. Investigators can inquire with VASPs about the activities and identities of users, likely by a subpoena or another official process. Some VASPs proactively cooperate with authorities on reporting suspicious activity, but this is not commonplace.
Tracking these transactions is far from uniform or infallible, but it is a significant start. This is as far as blockchain analytics goes in tracing assets. The regulatory community is still a long way from being able to monitor cryptocurrency transactions universally to the same extent as fiat currency.
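The tracing described above, as an added example that is not from the original article or from any vendor's tool: transfers on an open ledger are modeled as a graph and followed from a flagged wallet address (or from a transaction ID) until funds reach an address hosted by a VASP, the point at which an investigator can request KYC records. All addresses, transaction IDs and VASP names below are constructed, and the `max_hops` limit is an assumption of this sketch.

```python
from collections import deque

# Constructed sample ledger rows: (tx_id, sender, receiver, amount). Not real chain data.
TRANSFERS = [
    ("tx01", "addr_flagged", "addr_a", 5.0),
    ("tx02", "addr_a", "addr_b", 4.9),
    ("tx03", "addr_b", "addr_vasp_deposit_1", 4.8),
    ("tx04", "addr_a", "addr_c", 0.1),
    ("tx05", "addr_x", "addr_vasp_deposit_2", 2.0),   # unrelated activity
    ("tx06", "addr_c", "addr_d", 0.1),
    ("tx07", "addr_d", "addr_e", 0.1),
    ("tx08", "addr_e", "addr_vasp_deposit_2", 0.1),
]
# Hypothetical attribution data: addresses known to be hosted by a VASP.
VASP_ADDRESSES = {"addr_vasp_deposit_1": "ExampleExchange",
                  "addr_vasp_deposit_2": "OtherExchange"}

def receiver_of(transfers, tx_id):
    """Resolve a transaction ID to the receiving address, so a trace can start from either data point."""
    for tid, _sender, receiver, _amount in transfers:
        if tid == tx_id:
            return receiver
    raise KeyError(tx_id)

def trace_to_vasps(transfers, start, vasp_addresses, max_hops=4):
    """Breadth-first walk of outgoing transfers from `start`.
    Returns {vasp_address: [tx_id, ...]}: the shortest chain of transactions to each VASP reached."""
    outgoing = {}
    for tx_id, sender, receiver, _amount in transfers:
        outgoing.setdefault(sender, []).append((tx_id, receiver))
    hits = {}
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        addr, path = queue.popleft()
        if addr in vasp_addresses:
            hits[addr] = path      # funds entered custody: the on-chain trail ends here
            continue
        if len(path) >= max_hops:  # stop following chains longer than the hop limit
            continue
        for tx_id, receiver in outgoing.get(addr, []):
            if receiver not in seen:
                seen.add(receiver)
                queue.append((receiver, path + [tx_id]))
    return hits
```

With the default limit only the three-transaction path to `addr_vasp_deposit_1` is reported; the longer chain through `addr_c` appears only when `max_hops` is raised to 5, which shows how extra intermediate wallets push a trail past a fixed search depth.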
A Gap in Oversight – Privacy Coins
Certain methods of blockchain-enabled finance create a problematic blind spot for regulators. The main challenge stems from privacy coins and their considerable lack of KYC protocols.
Privacy coins are cryptocurrencies that allow users to conduct transactions while purposefully encrypting the flow of funds, muddling the trail for regulators.
Some of these financial services market themselves as privacy-based, meaning their priority is ensuring that activity is private and inaccessible to authorities. Privacy coins such as Monero, ZCash and many others encrypt the identities of the individual users. The details of the transactions are also encrypted and are not openly readable like BTC (Bitcoin) and ETH (Ethereum) transactions.
For example, a person can download the free Monero protocol onto their computer and send the virtual currency to others peer-to-peer. No information, including the transaction, the amount sent, the identities of the parties, or the locations of the parties, can be discovered.
Blockchain analytics is mostly possible only when blockchains are “open”, that is, when they do not encrypt transactions to the point where even the end address and transaction amount are hidden. Privacy coins, on the other hand, operate on their own privacy-focused blockchain or that of third parties.
The Financial Action Task Force (FATF), active in maintaining compliance in the global financial system, has expressed the concern of regulators toward privacy coins. In its report, Second 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers, it says: “Sophisticated illicit activity by state actors using virtual assets for sanctions evasion has been observed. [T]he last year has seen a significant increase in the use of privacy wallet transfers where multiple people’s transactions are combined into a single transfer. Overall, the use of anonymity enhancements remains a key area of ML/TF concern.”
Prominent Privacy Coin
Monero (XMR) is a prominent privacy coin – a cryptocurrency where every user is anonymous by default. The sender, receiver, and amount of all transactions are hidden through encryption and obscuration. Methods include:
- employing a crypto wallet address unique to a single transaction every time Monero is used, creating a “stealth address.”
- employing “ring signatures,” a type of encryption that displays a transaction’s history as multiple different possibilities, making it impossible to determine the true nature of the transaction when analyzing the Monero protocol’s code.
- employing “ring confidential transactions”, which add a layer of encryption to hide the amount of cryptocurrency exchanged in transactions.
Another characteristic is “fungibility” – the ability for a currency to be ‘comparable and exchangeable’ for another. Monero and several other privacy coins rely on their fungibility to distance themselves from information leading to the identification of users.
Monero employs these methods to support its overall ethos of unwavering privacy. It states on its website: “Monero needs to be able to protect users in a court of law and, in extreme cases, from the death penalty. This level of privacy must be completely accessible to all users, whether they are technologically competent or have no idea how Monero works. A user needs to confidently trust Monero in a way that this person does not feel pressured into changing their spending habits for risk of others finding out.”
Privacy coins create blind spots for regulators because they obscure the paper trails of fiat currency and use automated market-makers (AMMs).
Fiat to Privacy Coin to Fiat
First, privacy coins can facilitate transactions that obscure significant details. A privacy coin could be used to move funds to another user with this method.
- Attach a bank account to a VASP and create a digital asset wallet (wallet 1).
- Use a fiat currency to purchase a cryptocurrency that is exchangeable for a privacy coin.
- Swap the cryptocurrency for a privacy coin.
- Make a wallet on the privacy coin’s protocol specifically designed for that privacy coin (wallet 2).
- Send that privacy coin from wallet 1 to wallet 2.
- Now that the privacy coin is in its privacy-enabled wallet, the user can send it to another actor also using that brand of privacy coin wallet.
- The receiving user can send the privacy coin back to a VASP connected to their bank, from which they can withdraw funds.
Privacy coins cannot always be bought with fiat currency from a bank account linked with a VASP and may require another layer of transactions.
It is not uncommon for privacy coins to be purchased with other cryptocurrencies. Eventually, users will convert their privacy coins back into a fiat currency.
Transactions can also be obscured with AMMs, pools of cryptocurrency that many exchanges rely on for liquidity. The public has the opportunity to lend their cryptocurrency as liquidity to the pool in return for a steady aggregation of free coins.
AMMs are common in exchanging privacy coins, where funds are not directly transferred between parties but are redeemed through the liquidity pool. A privacy coin protocol employing an AMM could process a transaction by having the sending party’s funds placed into the liquidity pool and the receiving party withdrawing the funds, thus thwarting the discoverability of the parties’ relationship by blockchain analysis.
Like any banking service, VASPs should conduct KYC protocols to ensure compliance with regulatory requirements and assist with investigations. Many VASPs do require users to enter personally identifiable information. This is why a second layer of transactions is common practice for privacy coin users.
Often, to use privacy coin protocols, you need not enter any personally identifiable information or complete any KYC protocols. On some services, like Oasis, you can create a wallet in a matter of minutes and receive and send funds anonymously without providing any personal or financial information.
Not all users of privacy coins participate in illegal financial activity. Privacy is a draw for many users of the growing side of DeFi. From the standpoint of avoiding sanctions and money laundering, however, privacy coins are a useful tool.
Australia and South Korea have barred VASPs from listing privacy coins, and Japan has banned privacy coins. US regulatory bodies have encouraged the private sector to develop tools to trace privacy coins such as Monero and others, and some entities are making good progress.
In 2020, Chainalysis and Integra FEC were awarded contracts by the US Internal Revenue Service to develop tools for blockchain analytics of Monero. In 2021, CipherTrace reported the release of visualization tools enabling the tracking and analyzing of Monero funds offered to government and financial institutions.
The regulatory community must understand that blockchain analytics can only go so far and that privacy coins and protocols are constantly being created. Regulators have a big battle on their hands with countless updates of protocols and plenty of products on the horizon. Following developments will be essential to try to curb illicit activity.