Seven Alarming Thank You Notes to Bitcoin
By John Reed Stark* (A shorter form of this article was published in the D&O Diary and in Law360)
Presenting for your perusal a collection of alarming 2019 year-end thank you notes to bitcoin -- a sort of holiday compendium of bitcoin love-letters, each followed by a brief discussion, with some final thoughts added at the end.
In the comment section below, please feel free to write your own (or perhaps someone else’s) thank you note to bitcoin. The bitcoin-glitterati will undoubtedly delight in the attention . . .
From Ransomware Attackers
The first instance of what we now know as ransomware was called the AIDS Trojan because of whom it targeted: delegates who had attended the World Health Organization AIDS conference in Stockholm in 1989. Now, thirty years later, WannaCry, NotPetya and CryptoLocker have become household names and corporate nightmares.
Indeed, the 2019 surge in ransomware attacks on cities, municipalities, schools and healthcare organizations in particular is just a foretaste of what is likely to come in 2020. A recent Lloyd's of London report boldly asserts that a large-scale ransomware attack could cost the global economy $193 billion and impact more than 600,000 businesses worldwide.
Meanwhile, ransomware variants have evolved considerably in 2019, from the early days of scareware and locker attacks to sophisticated social engineering schemes and full-on cyber warfare. The U.S. ransomware plague has gone from bad to worse, with no end in sight to the outbreak:
- Ransomware threat groups now routinely collaborate, creating a burgeoning ransomware industry. For instance, the creators of ransomware families such as Cerber lease their attack tooling to affiliates like franchises, in exchange for a percentage of the extortion proceeds;
- Ransomware attackers now share attack vectors. For instance, security firm SentinelOne recently reported that the operators of the TrickBot banking Trojan have begun selling access to networks they previously compromised to other threat groups, including those seeking to deploy ransomware;
- Ransomware attack vectors have become more effective, reaching the outer edges of IT infrastructure and backup systems (even supply chains), while also becoming more targeted and strategic. For example, according to Yahoo Finance, threat intelligence company Anomali has discovered a ransomware variant dubbed eCh0raix with enhanced scoping power. Unlike traditional ransomware, which targets users and their files, eCh0raix attacks NAS (network-attached storage) appliances, the scalable hardware with its own dedicated disks that (ironically) typically helps businesses protect corporate data, share files among employees and support remote connectivity, and that very often holds the backups a victim would otherwise restore from;
- No longer merely spray and pray, ransomware attacks have adopted a range of advanced persistent threat (APT) command-and-control tactics. For instance, ransomware gangs now gain a foothold in a network and, over time, slowly take command: installing backdoors, stealing the credentials of administrative accounts, and ultimately gaining control over domain controllers, from which the ransomware can be pushed to every machine in the domain; and
- Ransomware attacks have become more automated, requiring less attacker interaction. For instance, the ransomware variant called MegaCortex is now reportedly capable of executing from a single command, making post-exploitation deployment easier and requiring few, if any, other manual steps (earlier versions required the operator to supply a password to decrypt and load the final payload during a live infection).
Ransomware attacks now also accomplish far more than paralyzing corporate, healthcare and government computer systems: attackers use the same access to steal company data and threaten to release it publicly unless the company pays more. In other words, ransomware attacks have become data breaches. Krebs on Security reports:
“As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public website identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.”
How do most corporate victims of ransomware attacks pay the ransoms demanded? Bitcoin of course: it is fast, reliable, verifiable and lightly regulated, and while every transaction is recorded on a public ledger, the addresses are pseudonymous, so a payment is hard to tie to a real-world identity without cooperation from an exchange. That combination is ideal for ransomware extortion. Attackers can simply watch the public blockchain to know if and when a victim has paid. They can even issue a unique payment address to each victim and automate release of the decryption key once a transaction to that address has been confirmed.
Unlike a kidnapping, where the exchange of money arguably places the criminals in their most vulnerable position, ransomware attackers collect payment through a simple, global bitcoin transaction that is pseudonymous and typically settles within the hour. Hence, rarely is there even an arrest, let alone a successful prosecution, of a ransomware attacker. Law enforcement remains virtually powerless and has even fallen victim itself to ransomware extortion schemes.
From Terrorists
The same rationale of secrecy and pseudonymity unfortunately applies to terrorism financing. For instance, the Palestinian military-political group Hamas, which the U.S. government deems a terrorist organization, may be using the Coinbase cryptocurrency exchange for fundraising. Elliptic, a company that develops tools to track how cryptocurrencies are used in criminal activity, found that Hamas had adopted a method to make some of its donations harder to trace: generating a different bitcoin address for each visitor to its donation page, so that no single published address can be watched.
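The per-victim ransom address described in the ransomware section and the per-visitor donation address described here rely on the same mechanism, and both are exposed to the same analysis. The following is an added example, not code from this article or from any firm it mentions. It shows how a recipient (or an investigator) confirms a payment to a single-use address on the public ledger, and how the multi-input heuristic used in blockchain analysis links those single-use addresses back into one wallet once the recipient sweeps them together. The transactions are constructed sample data with made-up address labels rather than real chain data, and the six-confirmation threshold is an assumption.

```python
"""Single-use payment addresses on a public ledger: confirming a payment, and
linking single-use addresses back together with the multi-input heuristic.

Added example; all transactions are constructed sample data with made-up
address labels, not real bitcoin chain data. Amounts are in BTC."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed transactions: block height mined at, addresses spent from,
# and (address, amount) pairs paid to.
SAMPLE_TXS: List[dict] = [
    # Three payers each send to a different single-use address.
    {"txid": "t1", "height": 100, "inputs": ["payerA"], "outputs": [("single1", 1.0)]},
    {"txid": "t2", "height": 101, "inputs": ["payerB"], "outputs": [("single2", 1.5)]},
    {"txid": "t3", "height": 105, "inputs": ["payerC"], "outputs": [("single3", 2.0)]},
    # The recipient later sweeps two single-use addresses into one output.
    # Signing both inputs requires both private keys, which is why the
    # multi-input heuristic assumes a single owner.
    {"txid": "t4", "height": 103, "inputs": ["single1", "single2"], "outputs": [("cashout", 2.49)]},
    # Unrelated traffic.
    {"txid": "t5", "height": 104, "inputs": ["alice"], "outputs": [("bob", 0.3)]},
]

# Assumed confirmation depth before treating a payment as final.
MIN_CONFIRMATIONS = 6


def confirmed_payments(txs: List[dict], address: str, tip_height: int,
                       min_conf: int = MIN_CONFIRMATIONS) -> List[Tuple[str, float]]:
    """(txid, amount) for each payment to `address` buried at least `min_conf`
    blocks deep at chain tip `tip_height`. This is the check a recipient runs
    to decide that a victim has paid; it needs no identity information at all."""
    found = []
    for tx in txs:
        confirmations = tip_height - tx["height"] + 1
        if confirmations < min_conf:
            continue
        for out_addr, amount in tx["outputs"]:
            if out_addr == address:
                found.append((tx["txid"], amount))
    return found


def _find(parent: Dict[str, str], addr: str) -> str:
    """Union-find root lookup with path halving."""
    while parent[addr] != addr:
        parent[addr] = parent[parent[addr]]
        addr = parent[addr]
    return addr


def cluster_by_common_input(txs: List[dict]) -> Dict[str, FrozenSet[str]]:
    """Multi-input (common-input-ownership) heuristic: every input of a single
    transaction is assumed to be controlled by the same key holder, so all input
    addresses of a transaction are merged into one cluster. Returns a map from
    each spending address to its cluster. Addresses that have never spent are
    not clustered, because the heuristic has nothing to say about them yet."""
    parent: Dict[str, str] = {}
    for tx in txs:
        for addr in tx["inputs"]:
            parent.setdefault(addr, addr)
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            root_a, root_b = _find(parent, first), _find(parent, addr)
            if root_a != root_b:
                parent[root_b] = root_a
    groups: Dict[str, Set[str]] = defaultdict(set)
    for addr in parent:
        groups[_find(parent, addr)].add(addr)
    return {addr: frozenset(groups[_find(parent, addr)]) for addr in parent}


def payers_into_wallet(txs: List[dict], clusters: Dict[str, FrozenSet[str]],
                       address: str) -> Set[str]:
    """Every address that paid into any member of `address`'s cluster. For an
    investigator this is the list of payers (victims, donors) behind one wallet,
    even though each of them was handed a different address."""
    members = clusters.get(address, frozenset({address}))
    payers: Set[str] = set()
    for tx in txs:
        if any(out_addr in members for out_addr, _ in tx["outputs"]):
            payers.update(tx["inputs"])
    return payers


if __name__ == "__main__":
    tip = 105
    print("single1 paid:", confirmed_payments(SAMPLE_TXS, "single1", tip))
    print("single3 paid:", confirmed_payments(SAMPLE_TXS, "single3", tip))  # too recent
    clusters = cluster_by_common_input(SAMPLE_TXS)
    print("wallet behind single1:", sorted(clusters["single1"]))
    print("payers into that wallet:", sorted(payers_into_wallet(SAMPLE_TXS, clusters, "single1")))
    print("payers into single3 (not yet swept):", sorted(payers_into_wallet(SAMPLE_TXS, clusters, "single3")))
```

The single-use address defeats watching one published address, but it does not survive the recipient's own spending: as soon as two single-use addresses are spent in the same transaction, the heuristic ties them, and every payer who funded either one, together. That is the property tracing firms rely on, and it is also why coin-mixing transactions that deliberately combine inputs from unrelated parties exist: they are built to break exactly this assumption.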
Similarly, in December 2017, a woman was arrested in New York for allegedly obtaining $62,000 in bitcoin to send to Islamic State. Around the same time, an Islamic State-affiliated darknet site called Isdarat sought bitcoin contributions from supporters.
It is not surprising that a March 2019 report from the United Nations Security Council found that Kim Jong Un's North Korean regime has been exploiting vulnerabilities in bitcoin and other cryptocurrency exchanges to evade sanctions and fund its military ambitions. Between January 2017 and September 2018, state-sponsored hackers stole $571 million worth of cryptocurrency from exchanges across Asia, according to one estimate cited in the UN report.
In a July 2019 White House press briefing on regulatory issues associated with cryptocurrency, U.S. Treasury Secretary Steven Mnuchin was especially blunt about the administration's bitcoin-related terrorism concerns. Secretary Mnuchin stated:
"Cryptocurrencies, such as Bitcoin, have been exploited to support billions of dollars of illicit activity like cybercrime, tax evasion, extortion, ransomware, illicit drugs, human trafficking. Many players have attempted to use cryptocurrencies to fund their malign behavior. This is indeed a national security issue." (emphasis added)
State-sponsored hackers have even used bitcoin in an attempt to tamper with elections. In July 2018, special counsel Robert Mueller indicted twelve Russian military intelligence officers for allegedly attempting to influence the 2016 U.S. elections. The indictment notes that the conspirators used bitcoin to fund the purchase of servers, register domains, and make other payments “in furtherance of hacking activity.” According to the indictment, the “use of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.”
From Drug Dealers
According to a 2019 CipherTrace report, almost all drugs sold on darknet marketplaces are purchased with cryptocurrencies, largely bitcoin. Recently, members of a bitcoin-fueled drug ring that used the dark web to import crystal meth into the UK were sentenced to more than 30 years' imprisonment. Nestor Burgos, 32, of River Grove, Illinois, was recently sentenced to 15 years in federal prison for his role in transporting fentanyl and other drugs into the United States from China and selling them on the streets of Chicago. Burgos used bitcoin to pay his China-based trafficking accomplice.
Consider also bitcoin's role in the U.S. opioid epidemic, in which one person dies of an opioid overdose every 16 minutes. In 2019, the White House issued two bitcoin-related opioid advisories, one to financial institutions and the other to digital payment platforms. The two advisories warned that fentanyl and other synthetic opioids were being purchased using bitcoin and other cryptocurrencies, noting:
“Individuals located in the United States search for fentanyl and identify potential websites that may provide the opportunity to purchase illicit drugs online. Foreign representatives will instruct the U.S.-based individual to send payments through [cryptocurrency], such as bitcoin, bitcoin cash, ethereum, or monero.”
Per the White House Advisories, darknet marketplaces often have their own forums on which customers can read about different drugs, vendors’ reputations, products, or operational security and how to use certain virtual currencies to obfuscate their activities. Vendors advertise their products— including illicitly-produced synthetic opioids, counterfeit pharmaceutical opioids, and legitimate but diverted pharmaceutical opioids—with pictures and detailed descriptions of their products, often highlighting their operational security, commitment to customer service, and reliability in delivery.
Professor Talis Putnins, co-author of an influential University of Technology Sydney report on cryptocurrency and illegal drugs, told Cointelegraph that cryptocurrencies like bitcoin have had a big impact on the way drugs are purchased:
“Cryptocurrencies have fundamentally transformed the way illegal drugs are bought and sold, shifting much of the activity from a cash-based, physical ‘on the street’ market to an online marketplace. The online illegal drugs trade needed two fundamental things to take off. One is an anonymous communications platform, which was provided by the darknet and underpinned by TOR (an anonymous communications protocol). And the second important piece was an anonymous or private way of making digital payments that was difficult to trace by authorities. That is the role that cryptocurrencies have played. Thus, they are an integral part of the online drugs trade.”
From Child Pornographers
Bitcoin could soon become the currency of choice among pedophiles and child pornography rings. For example, in October 2019, Jong Woo Son, a 23-year-old South Korean, was indicted on charges of operating Welcome to Video, an online market for child sexual exploitation material that held 250,000 unique videos. The site took payment through more than one million bitcoin addresses, yet only 337 of its users were arrested. Notably, those arrests came largely from investigators tracing the site's bitcoin payments back through exchanges, a reminder that the public ledger cuts both ways.
In August 2019, Patrick Falte, 29, was one of four people federally charged with running and participating in a child sexual exploitation enterprise on the dark web called "The Giftbox Exchange." With over 72,000 registered users and 56,000 posts, "The Giftbox Exchange proved a haven for sophisticated predators to produce and spread deplorable depictions of child sexual abuse,” according to Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. Falte acted as the site's lead administrator and set rules that required users to upload and share images and videos depicting pre-teen children being sexually abused before they could access the site. Falte paid for the operation of the site using bitcoin.
The bitcoin blockchain itself has even been used to distribute child pornography, which means that anyone who stores a full copy of the chain, miners included, may have such material on their hard drives. German researchers found about 1,600 files of non-financial data embedded in the bitcoin blockchain, some of which link to or contain child pornography and other objectionable material. Similarly, according to the BBC, someone added images of child sexual abuse to the Bitcoin Satoshi Vision (BSV) ledger through the payment processing app Money Button.
From Retailers
In the history of financial innovation, modernization and invention, there has always existed one constant: whatever the product, criminals will attempt to exploit its application. Bitcoin dramatically illustrates this axiom. Yet despite the treacherous reality of bitcoin’s predominant use, retail, so desperate for marketshare, apparently wants in.
According to several news reports, some of the world's biggest retailers have begun accepting cryptocurrency payments in the form of bitcoin, ethereum, bitcoin cash and the Gemini dollar. Similarly, U.S.-based payments startup Flexa announced that it has enabled Amazon-owned Whole Foods, Nordstrom, Starbucks and dozens of other companies to take bitcoin payments.
Benevolently branded Starbucks seems one of the more incongruous of these purported crypto-friendly retailers. Loyal Starbucks customers laud the company’s commitment "to inspiring and investing in community action around the world. From alleviating hunger through their food donation program to making investments in local partnerships and coffee- and tea-origin communities, Starbucks has always strived to do more than sell coffee -- and to make a positive impact upon the world."
But by accepting cryptocurrency, Starbucks would be assisting in the growth of an increasingly sophisticated, dangerous and terrorist-minded gang of global criminals – which to me seems paradoxically at odds with the 286 "Stories of Social Impact" Starbucks proudly trumpets on its website.
It’s not just that bitcoin-friendly retailers have given little consideration to the myriad of victims of crypto-funded ransomware, terrorism, drug dealing and the like. Cryptocurrency’s liquidity risk; price volatility; cybersecurity vulnerabilities; commission fees; anti-money laundering (AML) implications; ethical dilemmas; tax burdens; entanglement mishaps and the rest, create a situation that could be unmanageable or even untenable for a retailer’s shareholders, partners, affiliates and other fiduciaries. Not to mention that for the most part, the entire cryptocurrency system resides amid an unregulated, mysterious and sinister environment – a patently poor choice of virtual venue.
Perhaps all of the above issues are why bitcoin-friendly retailers do not seem to advertise, publicize or otherwise promote their cryptocurrency policies -- opting instead to conduct their crypto-business on the q.t. and in the shadows (just like the criminals they now service).
From President Donald J. Trump
Given his anti-bitcoin position, President Trump is 100% aligned with an array of outspoken and active cryptocurrency critics and skeptics, who also happen to be some of the most virulent anti-Trump Democrats, including U.S. Congresswoman Maxine Waters (D-Cal.), U.S. Senator Elizabeth Warren (D-Mass.) and U.S. Congressman Brad Sherman (D-Cal.).
President Trump even went so far as to co-opt some of Congressman Sherman’s arguments. Congressman Sherman (who specifically introduced articles of impeachment against President Trump) recently stated:
“An awful lot of our international power comes from the fact that the U.S. dollar is the standard unit of international finance and transactions,” Sherman said at a meeting of the House Financial Services Committee last week . . . Clearing through the New York Fed is critical for major oil and other transactions. It is the announced purpose of the supporters of cryptocurrency to take that power away from us, to put us in a position where the most significant sanctions we have against Iran, for example, would become irrelevant.”
President Trump is also lining up against some of his own political appointees and advisors. Last year, Steve Bannon, then White House chief strategist, boasted that digital currencies “are the future.” The President’s acting White House Chief of Staff, Mick Mulvaney, has also been vocal about his support of cryptocurrency and the benefits of blockchain, stating back in 2014:
“My interest in [bitcoin] is to just try and make sure that government doesn’t act too soon in such a fashion that curbs the potential for bitcoin. Because I see potential for bitcoin as a medium of trade and as a transactional tool, and I’d hate to see the government make decisions early that sort of retard its growth.”
Similarly, Trump-appointed SEC Commissioner Hester Peirce would also likely disagree with the President. Dubbed “Crypto Mom” by crypto-fanatics, a nickname earned after her now famous dissent from an SEC decision to reject an exchange-traded fund (ETF) offering exposure to bitcoin, Commissioner Peirce has become something of a cryptocurrency advocate. Her dissent not only contested the disapproval of what would have been the first exchange-traded cryptocurrency vehicle, but also became a rallying cry for bitcoin believers who argue that it is not the role of regulators to tell investors where they can invest.
From Tulips
There have been quite a few economic bubbles and subsequent crashes over the years, such as the dot-com bubble, the stock-market bubble and the real-estate bubble, but the worst of them all was probably the tulip bulb market bubble of 17th-century Netherlands.
As word spread of the profits to be made by buying and selling bulbs, a bulb could change hands upwards of 10 times in one day, with prices rising 1,100% in a month. According to the BBC, in 1633 a single bulb of Semper Augustus was worth 5,500 guilders. Four years later, in 1637, the sum had nearly doubled to 10,000 guilders, roughly $600,000 in today's U.S. dollars (according to one historian, 100 guilders in the 1600s equals $6,000 today).
But as is often the case with economic bubbles, when the Tulip price rose to a point where it was obviously so incredibly inflated, some decided to sell. Next, a domino effect took place where more and more tried to sell at ever decreasing prices, causing widespread panic.
The Dutch government intervened to try to curb the fall, offering to honor contracts at 10% of the face value, however, this only worsened proceedings, as the price began to fall even farther until the bottom completely fell out. What came next was financial ruin for investors because tulip bulbs were suddenly worth next to nothing. Sound eerily familiar?
Warren Buffett, perhaps the most celebrated investor ever known, refers to bitcoin as “rat poison squared,” and, like famed Microsoft founder Bill Gates, has analogized bitcoin mania to the so-called greater fool theory of investments, whereby investors buy bitcoin not because of any intrinsic value but simply because they are betting that there will always be a “greater fool” in the cryptocurrency marketplace poised to pay an even higher price for an already overvalued asset. Gates told CNBC:
“As an asset class, you’re not producing anything and so you shouldn’t expect it to go up. It’s kind of a pure ‘greater fool theory’ type of investment.”
Along the same lines, legendary Vanguard founder Jack Bogle warned of the perils of bitcoin, stating more bluntly:
“Avoid bitcoin like the plague. Did I make myself clear? Bitcoin has no underlying rate of return. You know bonds have an interest coupon, stocks have earnings and dividends, gold has nothing. There is nothing to support bitcoin except the hope that you will sell it to someone for more than you paid for it.”
To make matters even worse, bitcoin and other cryptocurrency’s anarchistic valuations remain generally unregulated and without any meaningful oversight, leaving them easily susceptible to fraud and chicanery by insiders, management and better-informed traders and market participants.
Cryptocurrency exchanges, the often unregulated companies that allow customers to purchase and trade bitcoin, have become notorious for shady practices like insufficient vetting of listings, abusive trading activity and rampant conflicts of interest. Cryptocurrency exchanges are also ideal targets for cyberattacks, since they hold customer funds in online "hot" wallets whose keys, once stolen, allow irreversible transfers. In 2019 alone, cybercriminals siphoned away $4.26 billion from cryptocurrency users and exchanges, according to a recent CipherTrace report. Binance, one of the world's largest cryptocurrency exchanges, had $40 million of bitcoin stolen from its hot wallet in May 2019.
Indeed, "bitcoin manipulation" has become a redundancy. Per one recent study, a single large trader manipulated the price of bitcoin as it ran up to a peak of nearly $20,000 two years ago. The study reviewed the period between March 2017 and March 2018, when the price of bitcoin soared, and its total market value rose to $326 billion. About half of that increase was due to the influence of a manipulation scheme, according to the study.
Along the same lines, for a fee of about $15,000, a Moscow University student and modern-day Jordan Belfort will develop and execute an automated crypto-market manipulation scheme to pump up the price of any cryptocurrency, using a virtual boiler room of bots and algorithms instead of the now-antiquated Long Island boiler room of brokers and telephone lines.
Final Thoughts
Bitcoin barons argue that criminals can use cash and other financial systems just as easily as they can use bitcoin and other cryptocurrencies to commit crimes. After all, in comparison to bitcoin and other cryptocurrencies, isn’t cash similarly anonymous, untraceable and fungible? Isn't cash equally ubiquitous and available? The answer is no, which is precisely why bitcoin has evolved into the currency of choice for criminals.
First off, in the U.S., pursuant to the Bank Secrecy Act (BSA), transactions involving traditional financial firms, such as banks, brokers and dealers, and money service businesses (MSBs), are subject to strict federal and state anti-money laundering laws and regulations aimed at detecting and reporting suspicious activity, including money laundering and terrorist financing, as well as securities fraud and market manipulation.
AML programs typically include a system of internal controls to ensure ongoing compliance with the BSA; independent testing of BSA/AML compliance; a designated BSA compliance officer to oversee compliance efforts; training for appropriate personnel; and a customer identification program. Thus, to ensure AML compliance, financial firms start by obtaining clearly identifiable information about a prospective client and identifying any potential risks of association. This makes engaging in cash-related crimes challenging. Given in particular the tremendous technological innovation at financial institutions, moving or warehousing illicit cash is a good way to get caught and wake up one morning to find your financial accounts frozen.
In stark contrast, bitcoin and other cryptocurrency transactions can settle efficiently from anywhere on the globe, without much of a trace of the recipient's identity and whereabouts. There exists no central authority to handle disputes, manage complaints or freeze accounts -- and transfers are irreversible. One cryptocurrency can also be rapidly traded for another.
Of course, the libertarian and anarchistic utility of bitcoin may appeal to the disenfranchised and disenchanted, who loathe our current "rigged" and "corrupt" transparent financial system. But for the rest of us, bitcoin's growing popularity has terrifying implications, especially for law enforcement, who can no longer identify criminals like ransomware attackers, let alone capture and convict them.
Theoretically, anyone with an Internet connection and a digital wallet can be part of any cryptocurrency platform, initial coin offering or other cryptocurrency financing endeavor operating anywhere on the globe – which, of course, opens a worldwide 24-7 laundromat for those with criminal motives. It is not surprising that security company CipherTrace found that "nearly all dark market commerce is transacted in cryptocurrencies," while another recent study found that approximately one-quarter of bitcoin users and one-half of bitcoin transactions are associated with illicit activity.
Meanwhile, bitcoin-enabled crimes like ransomware attacks upon medical facilities, physician practice groups and municipalities prosper because of ransomware's dirty little secret: most corporations (understandably left with no choice) pay the ransom. Emsisoft studied 948 government, educational and healthcare entities hit by ransomware in 2019, and a whopping 759 paid the ransom. In the past year alone, one firm I know facilitated over $60 million in ransomware payments to offshore extortionists -- all in bitcoin. Yet, because of bitcoin's global, anarchistic pseudonymity, none of these criminals have been captured, despite an overwhelming corporate willingness to cooperate fully with the FBI and other law enforcement agencies.
Make no mistake, the innovative community of blockchain developers and entrepreneurs deserves congratulations, admiration and encouragement -- but their good work has been hijacked by a dangerous legion of criminals. And while there may very well be a place for the blockchain technology that bitcoin represents, there exists no responsible gatekeeper to keep the process and the players honest.
Sadly, too many of the shamelessly self-anointed FinTech attorneys, who practice within the crypto-space, are of little help and have at times actually exacerbated an already dire situation. Some not only blindly facilitate the criminal norms of the cryptocurrency marketplace, but their law firms also blithely encourage cryptocurrency transactions by accepting bitcoin as a form of payment for their legal services. It seems that some lawyers and their firms have become so desperate for fees that accepting bitcoin blood money seems somehow justifiable.
This last point about lawyers and cryptocurrency hits home and bothers me the most. Because when ransomware gets worse (which it will) and people die as a result (which they will), someone somewhere will undoubtedly ask: where were the lawyers?
First formulated by the legendary Stanley Sporkin about corporate misdeeds decades ago when he was head of the SEC Enforcement Division in the 1970s and then as U.S. federal district judge from the mid-80s onward, this damning question has been repeated in every major financial scandal since.
So thank you bitcoin, you have not only stained my profession, but you have once again proven true that ironic old adage: Those who do not learn from history are doomed to repeat it.
*John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook."
Manager at Mercedes-Benz USA
5 years ago: :O
Software Developer (C++/C, Python, Delphi) -Technical and Engineering- at Orca Software (Self Employed)
5 years ago: Ridiculously polarizing post. Somewhat like saying: "Women are evil, because they give birth to terrorists and scammers and drug dealers. Let's get rid of women". Noooo!