Last month, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) levied sanctions against Russia-based cryptocurrency exchange Suex. This move represents the first time the U.S. has sanctioned a digital currency exchange, signaling a major shift for cryptocurrency exchanges and their potential exposure to liability.
The news gets even worse for Suex. Around the same time that OFAC announced the sanctions, cryptocurrency exchange Binance announced that its compliance program had identified issues with Suex, de-platformed the exchange, and shared information from its investigation with law enforcement. Binance’s success may set a new standard for digital asset compliance programs, but time will tell whether it has set a new gold standard or will become the bare minimum.
A Haven for Bad Actors
By way of background, Suex acts as an intermediary between users looking to convert cryptocurrency holdings into fiat cash and larger, more mainstream exchanges. To be clear, Suex does not directly custody its clients’ holdings; instead, it uses accounts with larger exchanges to transact on behalf of customers. While these larger exchanges have greater liquidity and can allow for greater cash-out payments, they are also held to higher standards for user identity verification. An exchange like Suex offers access to greater liquidity and more anonymity in any given transaction by using its own accounts to convert customers’ cryptocurrency holdings on the larger exchanges. While this service, known as a nested exchange, can be legitimate, investigation into Suex showed that over 40% of the exchange’s known transaction history was associated with illicit actors, such as ransomware operators and cyber hackers.
Without access to larger exchanges, platforms like Suex lose access to the liquidity necessary to convert large sums of cryptocurrency for their users. And absent a mechanism for fiat conversion like Suex, users sitting on large sums of cryptocurrency are severely limited in their ability to discreetly spend their holdings. Thus, by blacklisting exchanges like Suex, the U.S. Treasury may be able to stymie future ransomware attacks by limiting attackers’ ability to cash out illegally obtained cryptocurrency.
Notable Policy Shifts
Some of the large exchanges enabling platforms like Suex have already begun preparing for this policy shift. Following the news about the sanctions, Binance reported that it had already de-platformed Suex earlier this year. Binance, the world’s largest cryptocurrency exchange, cited internal investigation and safeguard mechanisms that resulted in deleting Suex’s accounts even before the OFAC blacklisting.
While Binance did not list any specific parameters used for its internal auditing process, it did offer a more in-depth look at money laundering safeguards on the platform earlier this year. In June, Binance reported taking down a $500 million ransomware ring called FANCYCAT. Binance credited its two-pronged approach with leading to the arrest of FANCYCAT members. First, Binance claimed that it implemented an “[Anti-Money Laundering] detection and analytics program” to identify and offboard suspicious accounts. In the case of FANCYCAT, according to a Binance blog post, the system reportedly detected suspicious behavior and the Binance security team “mapped out the complete suspect network.”
After identifying the suspect network, Binance reportedly worked with “private sector chain analytics companies TRM Labs and Crystal (BitFury) to analyze on-chain activity and gain a better understanding of this group and its attribution.” Binance then said it collaborated with law enforcement to take down the criminal group.
A New Industry Standard?
Binance’s proactive response to Suex’s potential use of the platform to facilitate criminal conduct will likely set the industry standard for compliance in this space. At the same time, the OFAC sanctions represent only the U.S. government’s most recent step in countering an increasing threat of ransomware and cyberattacks. The Treasury reported that in 2020, ransomware payments reached over $400 million, more than four times the reported level in 2019. And though the crypto industry continues to negotiate its standards for compliance and legal exposure, Treasury Secretary Janet L. Yellen made clear in a recent press release that Treasury intends to prevent any facilitation of malware attacks: “We will continue to crack down on malicious actors . . . we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”
This could especially spell trouble for Binance. Last year, Chainalysis (a blockchain analysis firm) published a report showing that 27.5% of the 2.8 billion worth of Bitcoin traced to criminal activity in 2019 ended up on Binance’s exchange, representing the single biggest recipient of illicit Bitcoin that year. Binance’s recent beefing up of its compliance program is no doubt in response to concerns that it may face liability for facilitating money laundering or sanctions avoidance.
Cryptocurrency Exchanges in Treasury’s Crosshairs
The current focus of the Treasury seems to be on exchanges that directly facilitate transactions involving funds acquired through cyberattacks and ransomware (essentially, money laundering), an admittedly small group. Chainalysis has reported that a group of only five exchanges received 82% of all ransomware funds in 2020. However, as the Treasury’s position continues to crystallize, the foresight of Binance and other exchanges that take action to prevent facilitating potential money laundering can only strengthen their position against the risk of liability.
Although Treasury’s official position, at least as of late, is to prohibit transacting with blacklisted exchanges like Suex, the nested exchange model makes it possible that larger exchanges could incur liability if they fail to properly monitor and ensure compliance not just internally but also among the nested services that use their platforms. Updated guidance makes clear that “OFAC may impose civil penalties for sanctions violations based on strict liability,” further clarifying the need for companies facilitating digital asset payments to have robust compliance programs in force.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.