The U.S. Department of Justice (“DOJ”) announced on March 15, 2023 that in a coordinated effort between U.S. Federal Bureau of Investigations, Europol, and German police, the darknet cryptocurrency mixing service ChipMixer has been shut down.  The operation involved the U.S. government’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account.  In addition, German authorities seized $46 million in cryptocurrency, as well as ChipMixer’s back-end servers used to run the site. 

Further, the U.S. Attorney’s Office for the Eastern District of Pennsylvania filed a criminal complaint against ChipMixer’s suspected founder, Vietnamese national, Minh Quoc Nguyen (“Nguyen”), alleging that Nguyen openly flouted financial regulations and instructed users how to use ChipMixer to evade reporting requirements while obscuring his true name under a series of stolen and fictitious identities. The complaint also alleges that ChipMixer, described as a popular platform for laundering illicit funds gained from unlawful activities like drug trafficking, ransomware attacks (according to Europol, ransomware actors Zeppelin, SunCrypt, Mamba, Dharma, Lockbit have used ChipMixer), and payment card fraud, was used to launder more than $3 billion in cryptocurrency since 2017.  Nguyen has been charged with money laundering, operating an unlicensed money transmitting business, and identity theft in connection with the operation of ChipMixer. 

Continue Reading  Darkweb Cryptocurrency Mixer ChipMixer Shut Down for Allegedly Laundering $3 Billion Worth of Crypto

In Related Case, Federal Court Holds that Bitcoin-to-Bitcoin “Tumbler” Can Represent “Money Transmission”

On April 27, IRS CI and FBI Special Agents arrested Roman Sterlingov, a dual citizen of Russia and Sweden, for his alleged role as the founder and operator of Bitcoin Fog, a cryptocurrency “tumbler” or “mixer” aimed at concealing the source of funds. The criminal complaint and accompanying Statement of Facts, filed in the District of Columbia, alleges that over the course of 10 years, Bitcoin Fog moved more than 1.2 million bitcoin, valued (at the time of the transactions) at about $335 million. According to the government’s press release, “[t]he bulk of this cryptocurrency came from darknet marketplaces and was tied to illegal narcotics, computer fraud and abuse activities, and identity theft.”

Sterlingov allegedly founded the site while promoting it under the pseudonym Akemashite Omedetou, a Japanese phrase that means “Happy New Year.” In a post on an online Bitcoin forum, Omedetou advertised that Bitcoin Fog “[mixes] up your bitcoins in our own pool with other users,” and “can eliminate any chance of finding your payments and making it impossible to prove any connection between a deposit and a withdraw inside our service.”

Ironically, Sterlingov was identified by investigators using the very same sort of tracing that Bitcoin Fog was meant to forestall. The Statement of Facts outlines in extensive detail how Sterlingov allegedly paid for Bitcoin Fog’s domain using a now-defunct digital currency; it goes on to show a series of transactions recorded to the blockchain that identifies Sterlingov’s purchase of that currency with bitcoin. Based on tracing those financial transactions, investigators were able to identify Sterlingov’s home address and phone number, together with a Google account that hosts a document that describes how to obscure bitcoin payments – that document mirrors closely the methods Sterlingov allegedly employed to purchase the Bitcoin Fog domain.

In addition to thanking various domestic law enforcement agencies, the government’s press release highlights the international nature of the investigation by also thanking Europol and Swedish and Romanian law enforcement agencies. The criminal complaint against Sterlingov is therefore another example of IRC-CI pursuing its simultaneous goals of fighting crypto-related crime and collaborating with foreign law enforcement officials in order to do so.

Notably, this is the second case brought by the Department of Justice, Criminal Division’s Computer Crime and Intellectual Property Section, targeting virtual currency mixer operations. In United States v. Harmon, a case also being prosecuted in the District of Columbia, the defendant has similarly been charged for his alleged role in operating Helix, a bitcoin mixer that sent more than $300 million in bitcoin to designated recipients.
Continue Reading  DOJ Again Charges Crypto “Mixer” Under the BSA and District of Columbia’s Money Transmitters Act

On December 18, the Financial Crimes Enforcement Network (“FinCEN”) issued a proposal to impose on banks and money service businesses (“affected institutions”) a new set of rules for digital currency transactions involving “unhosted” digital asset wallets (i.e., wallets that are not provided by a financial institution or other service and reside instead on a user’s personal device or offline).  The proposed rule states that, for the purposes of these new requirements only, the definition of “monetary instruments” at 31 U.S.C. § 5312(a)(3) would be expanded to include convertible virtual currency and digital assets with legal tender status.  If adopted, the rule will create significant obligations for recordkeeping, reporting, and identity verification requirements.
Continue Reading  FinCEN Proposes New Rule for “Unhosted” Virtual Currency Wallets

First Post in a Two-Part Series

How do financial institutions get in trouble with their regulators? Recent AML enforcement actions suggest that the following two failures are at the heart of most of these actions: (1) inadequately identifying, monitoring and/or reporting suspicious activity; and (2) failing to implement adequate internal controls. And these same issues crop up year after year.

In this post, we’ll discuss these failures and their root causes and provide practical tips for ensuring that your AML program will withstand the scrutiny of regulators. In our next post, we will discuss how these practical tips apply in a specific AML enforcement action: the recent consent order between the New York Department of Financial Services and Mashreqbank.  Further, we look forward to discussing all of these issues in an upcoming podcast in Ballard Spahr’s Consumer Financial Monitor Podcast series.  So please stay tuned.

The U.S. financial institutions that recently found themselves in the government’s crosshairs allegedly engaged in the following behavior:

  • Failing to investigate alerts on high-risk accounts where those accounts had been investigated previously, even when the new suspicious activity to which the bank had been alerted differed from the activity that it previously had investigated.
  • Having a policy of not investigating or filing SARs on cash withdrawals from branches near the Mexican border if the customer said they were withdrawing cash in the U.S., rather than carrying cash into the U.S. from Mexico, in order to avoid having to file a Report of International Transportation of Currency or Monetary Instruments (CMIR).
  • Capping the number of alerts from its transaction monitoring systems based on the number of staff available to review the alerts rather than on the risks posed by the transactions (and lying to regulators about it).
  • Failing to report the suspicious activities of a longtime customer despite having been warned that the customer was laundering the proceeds of an illegal and fraudulent scheme through accounts at the bank.
  • Failing to conduct necessary due diligence on foreign correspondent accounts.
  • A brokerage company failing to file SARs on transactions that showed signs of market manipulation.
  • A MSB’s failing to implement proper controls and discipline crooked agents because those agents were so profitable for the MSB, thereby enabling illegal schemes such as money laundering.

Although the behavior of these financial institutions may differ, the root causes of their failures do not. They include the following:

  • An inadequate, ineffective or non-existent risk assessment.
  • Elevating the business line over the compliance function.
  • Offering products or using new technologies without adequate controls in place.
  • Compliance programs that are not commensurate with the risks, often due to under investment in AML technology or other resources and/or lack of awareness of AML risks or controls.
  • Corporate silos, both human and technological, that prevent or hinder information sharing.
  • Insufficient screening of parties and relationships and lack of effective processes and controls around EDD.

So how can you ensure that your AML program is adequate? Here are some practical tips.
Continue Reading  Practical Tips for Ensuring Your AML Program Withstands the Scrutiny of Regulators

The Conference of State Bank Supervisors (CSBS) announced last week that seven states have agreed to a multi-state compact that, according to the CSBS, “standardizes key elements of the licensing process for money services businesses (MSB).”

The seven states consist of Georgia, Illinois, Kansas, Massachusetts, Tennessee, Texas and Washington.  The CSBS expects other states to

As the value of bitcoin continues to soar (USD:BTC this past weekend exceeded $19,000.00:1), we thought that now would be a good time to emphasize the need to ensure regulatory compliance with the many federal and state AML rules and regulations, in addition to those segmented across various countries. A caveat: This post is far from exhaustive, and before undertaking any investment in cryptocurrency, it would be wise to consult with an attorney familiar with the rules applicable to the cryptocurrency sector.  Due to the nascency of the sector, the practical application of previously existing laws and regulations is rapidly evolving.

To begin, the notion that bitcoin and other digital tokens represent a currency only for criminals has been dispelled. Indeed, there is no question that investment in cryptocurrencies is inherently lawful and increasingly commonplace.  In 2017 alone, investment in initial coin offerings, or token sales, has exceeded $1.5 billion; in a similar vein, the value of certain cryptocurrencies now exceeds a number of Fortune 50 companies.  Most recently, CBOE and CME, the world’s largest futures exchange, launched bitcoin futures contracts.

With this in mind, and as we have written on this blog before (see herehere, here, here, here, here, here, here, and here), it is clear that regulators are moving aggressively to bring the cryptocurrency sector into the fold of existing rules and regulations. To be sure, applying these rules to the burgeoning sector has been like fitting a square peg in a round hole; a bedrock of the initial cryptocurrency boom was the promise of anonymity for its users. Conversely, identity verification is a bedrock of AML compliance.
Continue Reading  Beyond Best Practices: Regulatory Compliance Now a Necessity in the Cryptocurrency Sector

It is a potential crime to conduct a business that exchanges virtual currency and fail to register with the Financial Crimes Enforcement Network (“FinCEN“), even if the State in which one operates does not impose a similar licensing requirement. A federal district court in Louisiana has reaffirmed this principle in United States v. Lord, in which the defendants unsuccessfully sought to withdraw their pleas of guilty to offenses based on a failure to register with FinCEN.

Law and Justice

The defendants are father and son. According to the court opinion, in 2013, they began to operate a bitcoin business through a website called localbitcoins.com, which advertised the services of other bitcoin exchangers. The defendants’ clients provided cash, credit card payments and wire transfers to the defendants to purchase bitcoins from a third-party online bitcoin broker on their client’s behalf, in exchange for commissions charged by the defendants. In the Spring of 2014, the third-party bitcoin broker warned the defendants that they were required to register with FinCEN because they were acting as virtual currency exchangers. Although the defendants allegedly misrepresented to the third-party online broker that they already had registered with FinCEN, the defendants did not actually register until November 2014. By that time, however, they already had exchanged more than $2.5 million worth of virtual currency. This registration delay was the basis of the charges relating to the defendants’ virtual currency business.
Continue Reading  Failure to Register with FINCEN Sustains Guilty Pleas by Virtual Currency Exchangers