The Department of Justice (DOJ) announced last week and earlier this month civil forfeiture actions brought by the United States Attorney’s Office for the District of Columbia to seize stolen or laundered virtual currency from various terrorist organizations and North Korean actors. These combined actions represent the largest seizures of cryptocurrency by the United States government to date. “Terrorist networks have adapted to technology, conducting complex financial transactions in the digital world, including through cryptocurrencies,” said Treasury Secretary Steven Mnuchin. Other statements by federal officials announcing these actions highlighted the ability of investigators and prosecutors to trace and seize virtual currency related to illegal activity. These cases demonstrate that in its fight against money laundering and terrorist financing, U.S. law enforcement can identify and prosecute terrorist networks that use virtual currency in their attempts to finance their activities through anonymous donations.
In these actions, the government seems to have raised both its expectations and incentives for financial institutions to work with the government to disrupt cyber-enabled money laundering. In announcing the complaint against the North Korean actors, Assistant Attorney General John Demers said, “[A]ctions like those today send a powerful message to the private sector and foreign governments regarding the benefits of working with us to counter” threats from North Korea.” Financial institutions that transact in virtual currency, such as exchanges, should review their AML compliance programs to ensure that they can detect and prevent the types of illegal behavior identified in these complaints. Financial institutions should consider employing technology-based solutions as they monitor for suspicious activity involving virtual currency.
Forfeiture Action Targeting Assets Stolen by North Korean Actors
In a forfeiture complaint filed last week, the DOJ alleges that North Korean hackers stole millions of dollars from virtual currency accounts and then attempted to launder the stolen funds to make them untraceable. The action, United States v. 280 Virtual Currency Accounts, follows a related criminal complaint and civil actions brought earlier this year. Last week’s complaint details several sophisticated techniques these state-sponsored actors took to launder the stolen proceeds, including layering funds though voluminous transactions (up to 5,000 in one instance), transferring funds through multiple countries, and “chain hopping” (i.e., converting to multiple cryptocurrencies before exchanging the funds for fiat currency). According to the complaint, the North Korean hackers also falsified KYC data to successfully deposit other types of stolen cryptocurrency at an exchange. In one instance, the hackers converted stolen cryptocurrency to fiat using over-the-counter (OTC) traders in China that were operating in the United States as unregistered foreign-located money services businesses. The complaints also point to the exchanges’ role in uncovering these violations, stating that the exchanges’ controls resulted in the freezing of several accounts and helped prosecutors track the transactions.
Forfeiture Actions Targeting Terrorist Organization Funds
In the forfeiture actions brought earlier this month, the United States Attorney’s Office for the District of Columbia filed three separate civil complaints targeting assets associated with websites (including Facebook pages), as well as specified cryptocurrency accounts that solicited, sent or received funds to benefit Hamas, al-Qaeda and ISIS, organizations designated as terrorist organizations by the United States government (“designated terrorist organizations”). These seizures are the culmination of coordinated efforts of multiple government agencies, including the DOJ, the Department of Homeland Security and the Internal Revenue Service.
The three forfeiture complaints, identified as related cases by the DOJ, stem from three different funding schemes operated by various designated terrorist organizations:
- United States v. 155 Virtual Currency Assets – In April 2019, government investigators discovered a public Bitcoin key in a Telegram (a cloud-based messaging application) post soliciting donations for al-Qaeda. Investigators traced the balance of that al-Qaeda donation wallet to a cluster of other public keys, which belonged to a central terrorist financing hub. Investigators found that after receiving the donation, the central terrorist financing hub cluster engaged in several classic money laundering transactions (including purchasing gift cards with crypto through online gift card exchanges and layering). The cluster also redistributed Bitcoins to—and received funds from—other known terrorist financing organizations, some of which were intended to fund the purchase of weapons. The government seeks the forfeiture of the balance of 155 Bitcoin accounts.
- U.S. v. Facemaskcenter.com and Four Facebook Pages – The Face Mask Center website, created in February 2020, purported to sell COVID-19-related PPE, which had been designated by the United States government as scarce materials. (FinCEN previously has warned about COVID-19-related fraud and AML risks.) Facemaskcenter.com advertised near-unlimited availability of its PPE, including the sought-after N95 masks and ventilators. However, the action alleged, facemaskcenter.com neither had an unlimited supply nor offered government-approved PPE. The government discovered that a person known to the government as an ISIS facilitator had registered facemaskcenter.com’s Facebook page and advertised PPE for sale from that page as well as from two additional Facebook pages. Each of these three Facebook pages was linked to a fourth Facebook page registered in the facilitator’s own name. The government seeks the forfeiture of facemaskcenter.com and the four Facebook pages.
- United States v. Fifty-Three Virtual Currency Accounts – DOJ alleged that in early 2019, Hamas’s military wing, the al-Qassam Brigades, began soliciting Bitcoins to support a fundraising campaign via Twitter and its official websites. According to the DOJ, “The al-Qassam Brigades boasted that bitcoin donations were untraceable and would be used for violent causes.” Specifically, al-Qassam first requested that donations be sent to a single Bitcoin address on a U.S.-based virtual currency exchange and subsequently requested that donations be sent to a Bitcoin address locally controlled by al-Qassam. Eventually, al-Qassam began generating unique Bitcoin addresses for each donation solicited through its official websites. The forfeiture complaint alleges that two cryptocurrency accounts, operated by two Turkish nationals, received the equivalent of up to $80 million of these donations and engaged in a series of transactions consistent with money laundering. Government investigators also identified several bank accounts at an unidentified financial institution that were linked to the al-Qassam websites. The complaint seeks the forfeiture of all identified cryptocurrency wallets, the al-Qassam websites and the accounts held at the unidentified financial institution.
The government also unveiled a criminal complaint and supporting affidavit, charging the two Turkish nationals identified above with money laundering and operating an unregistered foreign money services business (“MSB”) that engaged in MSB activities in the United States. Holding foreign MSBs liable for failing to register is consistent with long-standing FinCEN guidance.
The Government’s Expectations of Financial Institutions
As law enforcement and regulators have noted, terrorists and other bad actors are using increasingly sophisticated methods, including cyber-enabled funding campaigns and use of cryptocurrencies, to conduct complex financial transactions. But, as illustrated in these cases, the U.S. government is capable of obtaining critical information about the true identity of illicit actors through subpoenas to cryptocurrency exchanges seeking details regarding those firms’ KYC data and internal controls, as well as through the use of forensic tools. The DOJ’s press releases acknowledge the importance of the assistance from the exchanges involved and from private cybercrime investigative firms’ forensic tools.
Law enforcement and regulators expect financial institutions to effectively adapt their anti-money laundering programs to address risks posed by evolving methods of money laundering and terrorist financing, including through the use of cryptocurrency. For example, in an Iran-related advisory, FinCEN has suggested that financial institutions employ cryptocurrency-specific technology in their controls and has specifically identified for financial institutions convertible virtual currency-related activities and transaction characteristics that it considers red flags for illicit activity. As FinCEN Director Kenneth Blanco said in a November 2019 speech, financial institutions should be prepared to explain how they “mitigate risks associated with [anonymity-enhanced cryptocurrencies], including how [they] identify potentially suspicious activity and comply with reporting and recordkeeping requirements—including the Funds Travel Rule.” Financial institutions should also consider employing cryptocurrency-specific technology—like blockchain explorers—to monitor transactions and to help identify potentially suspicious activity.