From Crypto to Fiat: Sneaky Ways Cybercriminals Dodge KYC/AML
In the 1995 film “The Net,” Sandra Bullock’s character, Angela Bennett, orders a pizza online from pizza.net, the infamous “first thing sold online” service. Angela paid with cash upon delivery. A 2023 remake would likely update the technology and have Angela pay for the pizza with cryptocurrency.
Crypto does facilitate native purchasing of physical world goods and services, but the list is anything but expansive. Generally speaking, cryptocurrency (e.g., Bitcoin, Ethereum, Monero) must be converted into fiat currency (dollars, euros, yen, etc.) to enable larger purchases, particularly for homes, vehicles, and things of that nature. How does crypto become fiat? Exchanges.
After FTX’s recent implosion, crypto investors have been touting the benefits of decentralized finance (DeFi), which means storing and transacting cryptocurrency on a blockchain via peer-to-peer nodes instead of relying on centralized financial (CeFi) exchanges that act as a single point of failure. But when fiat currency is needed, an exchange is required to facilitate the transaction, even in a DeFi system.
However, several exchanges and mixing services have recently been the recipients of U.S. Treasury Office of Foreign Assets Control (OFAC) fines, settlements, and sanctions due to violations of anti-money laundering (AML) and sanctions regulations. Suex, Kraken, Blender.io, and Tornado Cash have all run afoul of the U.S. Treasury.
Banks are generally careful to avoid maintaining any relationship with sanctioned entities, lest they incur serious legal and compliance risk. The Financial Crimes Enforcement Network (FinCEN) provides guidance on suspicious activity reporting requirements for transactions involving crypto.
The big question is: how much transparency do banks require from an exchange before accepting fiat funds from an exchange account?
A recent Department of Justice investigation into Signature Bank is focused on crypto and money laundering:
US prosecutors were investigating Signature Bank’s work with crypto clients before regulators suddenly seized the lender this past weekend, according to people familiar with the matter.
Justice Department investigators in Washington and Manhattan were examining whether the New York bank took sufficient steps to detect potential money laundering by clients — such as scrutinizing people opening accounts and monitoring transactions for signs of criminality, the people said.
Are banks relying on crypto exchanges for U.S. Treasury OFAC controls compliance and FinCEN reporting? How are banks confirming crypto source attribution and provenance? The answers are likely varied.
As banking outsiders, we cannot tell whether small- and medium-sized banks, in particular, are actually applying “Geolocation Tools, Transaction Monitoring & Investigation, and Sanctions Screening” across the various blockchains.
These questions are particularly relevant in the face of large ransomware profits. Jared Der-Yeghiayan, Director of Recorded Future’s Advanced Cybercrime and Engagements (ACE) team, believes that ransomware operators have generated $6–7 billion in criminal revenue over the past five years. That number is based on the subset of victims identified, the evolution of average ransom demands over time, and Bitcoin (BTC) exchange rate fluctuations.
Much of those funds may never leave the blockchain. Rather, revenue is reinvested into growing a criminal enterprise by purchasing additional goods and services in the criminal economy. However, these threat actors still need to convert a percentage of their crypto to fiat to facilitate their lifestyles. And business is booming (see graph below).
So how does it work?
There are a variety of ways to “off-ramp” crypto into fiat; the common methods we’ve observed fall into two segments, small and large quantities.
Small Quantities of Crypto:
High-risk cashout methods: Although it is not a reliable method because it can involve gambling, some threat actors discuss using BTC ATMs and online casinos that accept crypto. Examples of online casinos (that we’ve seen mentioned by threat actors in digital markets) that accept crypto include Stake, K8 Casino, FortuneJack, Rocketpot, and Rollbit.
Virtual debit cards: Another off-ramp method discussed by cybercriminals is transferring sums of cryptocurrency to virtual debit cards issued by KYC-less exchanges, or linking such accounts to electronic payment services such as Apple Pay or Google Pay. Two services, Moon and CriptoDebit, have been discussed by threat actors looking for a method to monetize their cryptocurrency. These services work around KYC verification to load various cryptocurrencies onto a virtual debit card, as well as onto Apple Pay or Google Pay.
PayPal: Criminals allege it is possible to transfer cryptocurrency to a compromised PayPal account. Once the conversion to a fiat currency occurs, the funds can be spent from PayPal or withdrawn to a bank account. These bank accounts are usually either drop accounts with no link to the person attempting to withdraw the funds, or accounts held by money mules. Due to PayPal’s fraud controls, this method of conversion is unlikely to work consistently.
Large Quantities of Crypto:
Centralized exchanges via nested services: Surprisingly, centralized exchanges convert the most crypto to fiat (see chart below). One of the main reasons centralized exchanges can act as off-ramps is “nested services” in the form of “over-the-counter” (OTC) platforms. Nested OTC services function as intermediaries between the end user and a larger cryptocurrency exchange, enabling the conversion of crypto into fiat. By using nested services, cybercriminals can take advantage of the liquidity and infrastructure of larger exchanges while minimizing the risk of revealing their identity, because the larger exchange sees only the nested service as its customer. This is obviously an attractive option for those looking to convert large amounts of cryptocurrency into fiat discreetly.
This nested OTC off-ramp is by far the most effective, so let’s dive a bit deeper. Here's a step-by-step breakdown of the mechanics involved in this process:
Registration: A user wishing to convert crypto to fiat currency creates an account on a nested OTC platform. Since these platforms often have less stringent KYC and AML requirements, it is easier for cybercriminals to maintain anonymity.
Quote request: This user submits a request to the nested OTC platform, specifying the amount of cryptocurrency he wishes to convert into fiat. The platform, in turn, provides a quote based on the prevailing market rates, fees, and any additional charges.
Trade execution: Once the user agrees to the quote, the nested OTC platform initiates the trade. Nested platforms do this by leveraging their accounts with the larger exchange, which holds the necessary cash reserves and liquidity for the transaction. Depending on the size of the transaction, the OTC service may need to leverage multiple sellers to fulfill the request (for example, selling 500 BTC at once).
Settlement: After the trade is executed on the larger exchange, the nested OTC platform receives the corresponding fiat amount. It then transfers the funds to the user's designated bank account or provides other withdrawal options, such as wire transfer, PayPal, or even cash. According to interviews with federal law enforcement, this can involve meeting someone with a briefcase of cash in the lobby of a hotel (in Russia or China, for example).
Fees and commissions: The nested OTC platform earns revenue by charging fees and commissions on the trades it facilitates. These fees can vary depending on the platform's pricing model and the size of the transaction.
Not all actors immediately off-ramp into fiat. For example, actors in Eastern Europe are more likely to keep their profits within cryptocurrency. The major factors influencing this decision are the volatility of local currencies, such as the Russian ruble or Ukrainian hryvnia, as well as the continued global sanctions against Russia.
Even with law enforcement making progress in locking down and forfeiting illicit crypto, cybercriminals and nation-state actors with enough determination will always find a way to convert to fiat.
Thus, the question remains: will banks continue to rely on crypto exchanges for KYC/AML due diligence when accepting fiat funds transfers? Mixing and tumbling services intentionally obfuscate the ownership of the originating wallets, and cross-chain transactions (converting from Monero to Ethereum, for example) are popular because some blockchain analytics platforms have difficulty following the proverbial trail.
The question for financial services executives is then this: can you afford to transfer even partial KYC/AML obligations to an exchange or claim due diligence ends at an exchange? In the current regulatory environment, the answer may have profound business implications.