Global trading volumes in cryptocurrencies (e.g., Bitcoin, Ether and XRP) and other digital assets (e.g., stablecoins such as Tether and USD Coin) have been steadily increasing, as more traders and investors adopt these digital tokens as a means of investment, payment or value transfer.
The cryptocurrency and digital assets space is also attracting growing interest from hedge funds and other institutional investors, with some established financial institutions expanding their offerings to services such as crypto and digital asset custody and trade execution. In tandem with this rise in popularity, the cryptocurrency and digital assets space has attracted fraudulent activity.
Crypto and digital asset fraud in Asia-Pacific
The Asia-Pacific region is a hotbed for digital innovation, and has a significant cryptocurrency adoption rate among citizens. Cryptocurrency exchanges, which handle significant volumes of cryptocurrency, have been targets of fraud. As exchanges typically enter into possession of their users’ cryptocurrency, they present a centralized store of value for hackers to focus their attacks on. Exchanges in Japan, South Korea, Hong Kong and Singapore have been the targets of high-profile hacking attacks in recent times.
For owners of cryptocurrency or other digital assets, fraud risks are not limited to external risks such as hacking. They also include internal risks such as employees or other insiders exploiting flaws or gaps in internal security frameworks and controls to misappropriate cryptocurrency and digital assets. Such risks are more pronounced where access to private keys associated with these assets is entrusted to one or a few individuals.
Investors and crypto traders can also find themselves exposed to other types of fraud that are not unique to the cryptocurrency and digital asset space. In 2019, a purported South Korea-based crypto wallet and exchange solicited approximately US$2.9 billion worth of deposits in Bitcoin, Ether and other cryptocurrencies. This organization promised high rates of return (to be generated by exchange profit, mining income, and referral benefits), but was in fact a Ponzi scheme which resulted in the misappropriation of the deposited tokens. A comparable scam was perpetrated by a China-based organization, which resulted in the misappropriation of an estimated US$1 billion worth of cryptocurrency.
The manipulation of cryptocurrency prices is another category of fraud that affects the integrity of crypto markets. A concentrated campaign of manipulative trading activity conducted through a Hong Kong-headquartered exchange is alleged to have induced at least half of the increase in the price of Bitcoin and other major cryptocurrencies over the course of 2017. Another form of cryptocurrency price manipulation is “pump and dump”, whereby messaging apps are used to rally investors to acquire cryptocurrencies in large volumes and drive up their price. The instigators then effect a sudden sell-off of those cryptocurrencies (which usually results in a subsequent and sharp price drop).
Other examples of manipulative practices include “spoofing”, whereby orders for the sale or purchase of a cryptocurrency are placed but cancelled before they are executed, and “wash trading”, where a person exploits an opaque trading structure to engage in purchase and sale transactions with themselves, thus artificially increasing demand and value.
Overview of regulatory frameworks in certain Asia-Pacific jurisdictions
Regulators across the Asia-Pacific region have introduced, or are in the process of implementing and expanding, frameworks for the licensing and regulation of crypto and digital asset service providers. This includes crypto exchanges and wallet providers. These frameworks complement the longstanding securities regulatory regimes which may apply to some issuances of digital assets, for example those undertaken for fund-raising purposes, such as initial coin offerings or digital equity or debt issuances. These regulatory developments are generally intended to align with the guidance issued by the Financial Action Task Force in 2019 on anti-money-laundering and countering-the-financing-of-terrorism (AML/CFT) standards for virtual asset service providers.
These regulatory frameworks typically require service providers, such as exchanges and wallet providers, to implement technology risk management measures and cybersecurity safeguards against external intrusion and other forms of fraud. AML/CFT controls may also serve as an anti-fraud measure, as they enhance the transparency and traceability of cryptocurrency transactions – for example, by requiring service providers to carry out due diligence on users, and to apply the “travel rule”, which requires information to be exchanged with other service providers on transaction originators and beneficiaries. As these regulatory measures are applied more widely across jurisdictions, they will make it increasingly difficult for cryptocurrency and digital asset fraud to be perpetrated, as well as facilitate the investigation of such fraud.
In Singapore, the Payment Services Act 2019 regulates entities which operate exchange and dealing platforms for digital payment tokens (e.g., Bitcoin and Ether), by subjecting them to AML/CFT, technology risk, cybersecurity, compliance oversight and audit requirements.
A position paper published in November 2019 by Hong Kong’s Securities and Futures Commission similarly states that crypto exchanges eligible for licensing must comply with a range of requirements, including in relation to the protection of user assets, AML/CFT, accounting and audits. In Japan, very recent legislative amendments now cover crypto custodians and crypto derivatives businesses. These service providers are now regulated along with cryptocurrency exchanges in Japan, in areas such as cybersecurity, the protection of user assets and monies, and AML/CFT. In March 2020, South Korea enacted legislative amendments to regulate crypto service providers such as exchanges, by requiring service providers to partner with a single bank for deposits and withdrawals.
In certain Asia-Pacific jurisdictions, the legal position relating to the manipulation of cryptocurrency prices remains unsettled. However, regulatory expectations of risk management and maintenance of fair, orderly and transparent markets should compel crypto exchanges and other service providers to maintain control frameworks to mitigate market manipulation risks. The commission of crypto price manipulation may also, in certain cases, fall within the scope of more general fraud offenses under existing penal and criminal laws.
Potential mitigation measures
The practical safeguards that can potentially mitigate fraud risks relating to cryptocurrency and other digital assets will differ for service providers and the users of such services. The rapid pace of technological development that is driving the design of digital assets and the infrastructure within which they are held and transacted means that the attendant fraud risks, and the required risk-mitigation measures, need to evolve and adapt accordingly.
For a service provider such as a crypto exchange, a robust control and compliance framework designed to counter fraud risk should typically comprise the following elements:
- Arrangements for the protection of user assets and monies: These should ensure that user assets and monies can be recognised at all times (even if they are held on the service provider’s balance sheet, e.g., by way of trust), and are not commingled with assets or monies of the service provider. Arrangements for the storage of user assets should be sufficiently secure (e.g., physically air-gapped cold wallets should be preferred over internet-connected hot wallets where appropriate). The service provider should also consider whether insurance for the assets (if available) should be obtained, or a specialised third-party custodian should be appointed.
- Risk management and cybersecurity measures: These measures should ensure that administrative accounts maintained by the service provider, as well as user accounts, are secure and subject to multi-factor authentication; that IT security updates and patches are applied in a timely manner; that firewalls, anti-phishing and other measures are in place to prevent hacking and other forms of intrusion; and that regular penetration testing is conducted.
- Customer due diligence and monitoring: Customer due diligence and ongoing monitoring should take account of fraud and impersonation risks, particularly where users are serviced on a non-face-to-face basis.
- A robust governance framework: Measures to prevent fraud should be appropriately reflected in the service provider’s documented governance framework. The governance structure should take particular account of the management of private keys associated with cryptocurrencies and other digital assets. It should also ensure that authority to access and use these is not vested in an unduly small number or connected group of individuals. The service provider should maintain a sufficiently independent compliance function and audit arrangements, to ensure a second and third line of defense against fraud.
- Controls to detect and prevent price manipulation: These measures should include controls for the surveillance of user activities with a view to identifying any manipulative or abusive trading and suspending any user account from which such trading is conducted. Customer due diligence and monitoring should also be designed to address the risk of wash trading (e.g., by eliciting information on the ultimate beneficiary of trades).
Corporate users of cryptocurrency may consider applying a combination of the above-referenced cybersecurity and governance measures, to ensure that their assets are adequately protected from external fraud as well as potential insider fraud.
Investigating instances of crypto fraud
Where a corporation – whether a service provider or corporate user – suspects that it has been a victim of misappropriation of, or manipulation of the price of, cryptocurrency or other digital assets, a practical response will typically include investigating the factual circumstances of the suspected fraud and confirming the sequence of events which led to it.
Undertaking an internal investigation enables the corporation to make an informed decision about whether to disclose or report the incident to regulatory or law-enforcement authorities, and whether to pursue other potential remedies (as further outlined below).
Reconstructing the relevant timeline of events will typically require a careful consideration of available documentary and electronic evidence, as well as interviews with the relevant individuals. The conduct of the internal investigation must be balanced with any other relevant considerations, such as any regulatory requirement to make a suspicious transaction report to the relevant authorities, or the need to respond to information requests from relevant authorities or disclosure requests from other aggrieved parties (e.g., users). Where an insider is suspected to be involved, due care must be taken to ensure that the investigation does not result in the relevant individual being tipped off, having due regard to any risk that this individual may be colluding with other parties.
Tracing and identifying the electronic and digital data required to corroborate the fact pattern may require the assistance of a specialist forensics firm, under the supervision of appropriate legal counsel to preserve and maintain privilege. In connection with suspected crypto or digital asset fraud, relevant factors include:
- The features and typology of the cryptocurrency or digital asset: The manner in which transactions are executed and recorded varies across different classes of cryptocurrency and digital asset. While transactions in cryptocurrencies such as Bitcoin and Ether are recorded on their native blockchain, this is not the case for all types of digital asset. For example, stablecoins that are pegged to or denominated in fiat currency or a commodity are often subject to more centralized governance mechanisms, and records of transactions in these assets may be kept by the issuer. Similarly, transactions in digital securities such as tokenized equity or debt may be registered on a blockchain, but may also be recorded in, and reconciled against, a register kept by the issuer.
- The ecosystem for storing and transacting the cryptocurrency or digital asset: Forming a complete picture of the fraudulent activity will typically require an understanding of the parties which were involved in the transaction flow – such as any custodian, broker, exchange or other holder of a digital wallet. Information may need to be requested from such parties, and their involvement in the activity (even if passive) may offer clues as to the manner in which assets have been misappropriated, transferred or concealed by the fraudulent party. The nature of the relevant enquiries may, again, depend on the features of the relevant cryptocurrency or digital asset. For example, for stablecoins that are backed by a reserve, enquiries into the fraudulent activity may, in some cases, involve information requests to custodians or other functionaries involved in safekeeping or administering the reserve.
- The range of data trails that may have recorded the fraudulent behavior: In addition to entries in the underlying ledger on which transactions in the relevant cryptocurrency or other digital asset are recorded, other forms of data may assist in forming a picture of the fraudulent activity. For example, crypto exchanges will commonly maintain a surveillance system which aggregates and processes transactional data to allow the detection of trading or order patterns that may be indicative of manipulative behavior, such as “pump and dump” trading or spoofing. Electronic channels used for the discussion of manipulative schemes between colluding parties, such as messaging apps or other online forums, may also leave a data trail.
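To make the surveillance controls described above (in the mitigation list and in the data-trail discussion) concrete, the following is an added example, not code from the client alert or from any exchange: a minimal Python module that runs two of the pattern checks over a constructed order-event log and trade log. The spoofing check flags accounts whose large orders are predominantly cancelled within seconds without any fill; the wash-trading check flags trades where both sides map to the same beneficial owner, using a hypothetical mapping of the kind that customer due diligence on the ultimate beneficiary of trades would produce. All thresholds, account names and records are assumptions made for illustration.

```python
"""Toy trade-surveillance checks for spoofing and wash trading.

Added example; not the client alert's or any exchange's code.
All event data, account names and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class OrderEvent:
    ts: int         # seconds since start of the sample window
    account: str
    order_id: str
    event: str      # "new", "cancel" or "fill"
    side: str
    qty: float


@dataclass(frozen=True)
class Trade:
    ts: int
    buyer: str
    seller: str
    qty: float
    price: float


# Constructed order log: acc_A places four large orders and pulls each
# within seconds; acc_C's large orders fill; acc_D cancels slowly.
ORDER_EVENTS = [
    OrderEvent(0, "acc_A", "o1", "new", "buy", 50), OrderEvent(2, "acc_A", "o1", "cancel", "buy", 50),
    OrderEvent(10, "acc_A", "o2", "new", "buy", 50), OrderEvent(13, "acc_A", "o2", "cancel", "buy", 50),
    OrderEvent(20, "acc_A", "o3", "new", "buy", 50), OrderEvent(21, "acc_A", "o3", "cancel", "buy", 50),
    OrderEvent(30, "acc_A", "o4", "new", "buy", 50), OrderEvent(34, "acc_A", "o4", "cancel", "buy", 50),
    OrderEvent(35, "acc_A", "o5", "new", "sell", 1), OrderEvent(36, "acc_A", "o5", "fill", "sell", 1),
    OrderEvent(40, "acc_C", "o6", "new", "buy", 40), OrderEvent(41, "acc_C", "o6", "fill", "buy", 40),
    OrderEvent(50, "acc_C", "o7", "new", "buy", 40), OrderEvent(55, "acc_C", "o7", "fill", "buy", 40),
    OrderEvent(60, "acc_D", "o8", "new", "sell", 100), OrderEvent(130, "acc_D", "o8", "cancel", "sell", 100),
    OrderEvent(70, "acc_D", "o9", "new", "sell", 100), OrderEvent(71, "acc_D", "o9", "cancel", "sell", 100),
    OrderEvent(80, "acc_D", "o10", "new", "sell", 100), OrderEvent(200, "acc_D", "o10", "cancel", "sell", 100),
]

# Constructed trade log and a hypothetical account -> beneficial-owner map
# (the kind of information customer due diligence would elicit).
TRADES = [
    Trade(36, "acc_C", "acc_A", 1, 100.0),
    Trade(41, "acc_C", "acc_D", 40, 101.0),
    Trade(90, "acc_A", "acc_B", 25, 105.0),
    Trade(95, "acc_B", "acc_A", 25, 105.0),
]
BENEFICIAL_OWNER = {"acc_A": "owner_1", "acc_B": "owner_1", "acc_C": "owner_2", "acc_D": "owner_3"}


def spoofing_candidates(events, min_qty=10.0, max_cancel_secs=5, min_cancel_ratio=0.8, min_orders=3):
    """Return {account: quick-cancel ratio} for accounts whose large orders
    are mostly cancelled within max_cancel_secs without ever filling."""
    placed = {}                      # order_id -> originating "new" event
    filled = set()                   # order_ids that received a fill
    large_orders = defaultdict(int)  # account -> count of large orders placed
    quick_cancels = defaultdict(int) # account -> large orders pulled quickly, unfilled
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "new":
            placed[ev.order_id] = ev
            if ev.qty >= min_qty:
                large_orders[ev.account] += 1
        elif ev.event == "fill":
            filled.add(ev.order_id)
        elif ev.event == "cancel":
            origin = placed.get(ev.order_id)
            if (origin and origin.qty >= min_qty and ev.order_id not in filled
                    and ev.ts - origin.ts <= max_cancel_secs):
                quick_cancels[ev.account] += 1
    flagged = {}
    for account, n in large_orders.items():
        ratio = quick_cancels[account] / n
        if n >= min_orders and ratio >= min_cancel_ratio:
            flagged[account] = round(ratio, 2)
    return flagged


def wash_trade_candidates(trades, owners):
    """Return trades whose buyer and seller resolve to the same beneficial owner."""
    return [t for t in trades
            if owners.get(t.buyer) is not None and owners.get(t.buyer) == owners.get(t.seller)]


def wash_volume_share(trades, owners):
    """Fraction of total traded quantity that is self-dealing; 0.0 if no trades."""
    total = sum(t.qty for t in trades)
    if total == 0:
        return 0.0
    return sum(t.qty for t in wash_trade_candidates(trades, owners)) / total


if __name__ == "__main__":
    print("spoofing candidates:", spoofing_candidates(ORDER_EVENTS))
    for t in wash_trade_candidates(TRADES, BENEFICIAL_OWNER):
        print("wash trade:", t)
    print("wash share of volume:", round(wash_volume_share(TRADES, BENEFICIAL_OWNER), 3))
```

In production these checks would run continuously over the exchange's own order and trade feeds, with thresholds calibrated per market, and a flagged account would be routed to a compliance review (and, where warranted, suspended) rather than acted on automatically; the quick-cancel ratio alone is a screening signal, not proof of intent.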
It is generally good practice to document the findings of the investigation, to allow the investigating corporation to assert the confirmed fact pattern in any claims or complaints made by third parties, or to share the findings with any regulatory authority which may request them.
Client Alert 2020-343