[Note: the views expressed below are solely my own and do not necessarily represent the views of my employer or any organization I advise.]
I have spent the past few weeks in East Asia, primarily in China visiting friends and relatives. Because the connection to the outside world was limited, the upside was that the cacophonous noise of perma cryptocurrency pumpers was relatively muted. I have had a chance to reflect on a number of ideas that are currently being discussed at conferences and on social media.
The first idea is not new or even unique to this blog as other companies, organizations and individuals have proposed a type of digital signature analytics + KYC tracking process for cryptocurrencies. A type of Kimberley Process but for cryptocurrencies.1
For instance, the short lived startup CoinValidation comes to mind as having the first-to-market product but was notably skewered in the media. Yet its modus operandi continues on in about 10 other companies.2
A Formal Kimberley Process
For those unfamiliar with the actual Kimberley Process, it is a scheme enacted in 2003 to certify where diamonds originated from in order to help prevent conflict diamonds from entering into the broader mainstream diamond market.
The general idea behind proving the provenance of diamonds is that by removing “blood diamonds” from the market, it can cut off a source of funding of insurgencies and warlord activity.3
What does this have to do with cryptocurrencies? Isn’t their core competency allowing non-KYC’ed, pseudonymous participants to send bearer assets to one another without having to provide documentation or proof of where those assets came from? Why would anyone be interested in enabling this?
Some may not like it, but a de facto Kimberley Process is already in place.
For instance, in many countries, most of the on-ramps and off-ramps of venture-backed cryptocurrency exchanges are actively monitored by law enforcement, compliance teams and data analytic providers who in turn look at the provenance of these assets as they move across the globe.4
On the fiat side, while many jurisdictions in North America and Western Europe currently require domiciled cryptocurrency exchanges and wallets to enforce KYC and AML compliance requirements, several areas of Asia are less strict because the local governments have not defined or decided what buckets cryptocurrencies fall into.5
There are some other noticeable gaps in this system involving crypto-to-crypto exchanges. Irrespective of regions: implementing harmonized KYC/AML standards on the non-fiat side of exchanges appears to be missing altogether. That is to say that very few, if any, exchange does any kind of KYC/AML on crypto-to-crypto.6
What are some examples of why a Kimberley Process would be helpful to both consumers and compliance teams?
Below are three examples:
(1) During my multi-country travel I learned that there are several regional companies that sell debit cards with pre-loaded amounts of cryptocurrency on them. Allegedly two of of the popular use-cases for these cards is: bribery and money laundering. The example I was provided was that it is logistically easier to move $1 million via a thin stack of debit cards than it is to carry and disperse bags of cash with.7
Attaching uniform KYC and legal identities to each asset would aid compliance teams in monitoring where the flow of funds originated and terminated with cryptocurrencies. And it would help consumers shy away from assets that could be encumbered or were proceeds of crime.
(2) Affinity fraud, specifically housewives (家庭主妇), are common targets of predators. This has been the case for long before the existence of computers let alone cryptocurrencies, but it came up several times in conversations with friends. According to my sources, their acquaintances are repeatedly approached and some actually took part in Ponzi schemes that were presented as wealth management products.
The new twist and fuel to these schemes was that there is some kind of altcoin or even Bitcoin itself were used as payout and/or as rails between parties. We have already seen this with MMM Global — which is still an active user of East Asia’s virtual currency exchanges — but two questionable projects that I was specifically shown were OctaCoin and ShellCoin.8
Note: in January 2016 multiple Chinese governmental bodies issued warnings about MMM Global and other Ponzi schemes.
[Video of MMM Global operations in The Philippines. Is that really Manny Pacqiauo?]
Victims who were not tech savvy and lied to, have no recourse because there is no universal KYC / KYCC / AML process to identify the culprits in these regions. Similarly, when these illicit virtual assets are re-sold to exchanges, customers of those exchanges such as Alice and Bob, may receive potentially encumbered assets that are then resold to others who are unaware of the assets lineage (much like a stolen motorcycle being resold multiple times). This creates a massive lien problem.
But property theft is not a new or unknown problem, why is it worth highlighting for cryptocurrencies?
Many of the original victims in East Asia are not affluent, so these scams have a material impact on their well being. The average working adult in many provinces is still less than $500 per month. Thus not only do they lack a cushion from scams but any price volatility — such as the kind we continue to see in cryptocurrencies as a whole, can wipe out their savings.
(3) Due to continual usage of botnets and stolen electricity — which is still a problem in places like China — the lack of identification from coin generation onward results in a environment in which ‘virgin coins’ sell at a premium because many exchanges don’t investigate where machines are located, who owns them, who paid for the opex and capex of those operations (e.g., documentation of electric bills).9
Unfortunately, the solutions proposed by many cryptocurrency enthusiasts isn’t to create more transparency and identification standards enabling better optics on coin provenance but rather to make it even harder to track assets via proposals like Confidential Transactions.10
Heists, thefts and encumbered coins
I am frequently asked how is it possible to know who received potentially encumbered cryptocurrencies? For amateur sleuths, there is a long forum thread which lists out some of the major heists and thefts that occurred early on in Bitcoinland.
Above is a video recording of a specific coin lineage: transactions that came from the Bitcoinica Theft that ended up in the hands of Michael Marquardt (“theymos”) who is a moderator of /r/bitcoin and owner of Bitcoin Talk.11
Recall that in July 2012, approximately 40,000 bitcoins were stolen from the Bitcoinica exchange.12 Where did those end up? Perhaps we will never know, but several users sued Bitcoinica in August 2012 for compensation from the thefts and hacks.
How are consumer protections handled on public blockchains?
In short, they do not exist by design. Public blockchains intentionally lack any kind of native consumer protections because an overarching goal was to delink off-chain legal identities from the pseudonymous interactions taking place on the network.
Thus, stolen cryptocurrencies often recirculate, even without being mixed and laundered.13
Consequently a fundamental problem for all current cryptocurrencies is that they aren’t exempt from nemo dat and have no real fungibility because they purposefully were not designed to integrate with the legal system (such as UCC 8 and 9).14 Using mixers like SharedCoin and features like Confidential Transactions does not fundamentally solve that legal problem of who actually has legal title to those assets.1516
Why should this matter to the average cryptocurrency enthusiast?
If market prices are being partially driven by predators and Ponzi schemes, wouldn’t it be in the best interest of the community to identity and remove those?17
Perversely the short answer to that is no. If Bob owns a bunch of the a cryptocurrency that is benefiting from this price appreciation, then he may be less than willing to remove the culprits involved of driving the prices upward.
For example, one purported reason Trendon Shavers (“pirateat40”) was not immediately rooted out and was able to last as long as he did — over a year — is that his Ponzi activity (“Bitcoin Savings & Trust”) coincided with an upswing in market prices of bitcoin.18 Recall over time, BS&T raised more than 700,000 bitcoins. Why remove someone whose activity created new demand for bitcoins? 19
But this incentive is short-sighted.
If the end goal of market participants and enthusiasts is to enable a market where the average, non-savvy user can use and trust, then giving them tools for provenance could be empowering. Ironically however, by integrating KYC and provenance into a public blockchain, it removes the core — and very costly — characteristic of pseudonymous, censorship-resistant interaction.
Thus there will likely be push back for implementing a Kimberley Process: doxxing every step of provenance back to genesis (coin generation) with real world identities removes pseudonmity and consequently public blockchains would no longer be censorship-resistant. And if you end up gating all of the on-ramps and off-ramps to a public chain, you end up just creating an overpriced permissioned-on-permissionless platform.
Despite this, Michael Gronager, CEO of Chainalysis, notes that:
Public ledgers are probably here to stay – difficult KYC/AML processes or not. I probably see this as a Nash equilibrium – like in the ideal world all trees would be low and of equal height but there is no path to that otherwise optimal equilibrium. We believe that fighting crime on Blockchains will both build trust and increase their use and value.
One way some market participants are trying to help law enforcement fight crime is through self-regulating organizations (SRO).
For instance, because we have seen time and time again that the market is not removing these bad actors from the market, several companies have created SROs to help stem the tide. However, as of right now, efforts like the US-based “Blockchain Alliance” — a gimmicky name for a group of venture-backed Bitcoin companies — has limited capabilities.20 They have monthly calls to discuss education with one another in the West (e.g., what is coin mixing and how does it work?) but currently lack the teeth to plug the KYC/AML gaps in Asia. Perhaps that will change over time.
And as one source explained: consider this, has any Bitcoin thief been caught? Even when there is decent evidence, we are not aware of a Bitcoin thief that was actually found guilt of stealing bitcoin, yet.21 Thus an open to question to people who argue that cryptocurrencies are great because of transparency: a lot of bitcoin has been stolen, and no one has been found guilty for that crime. Why not?
Process of elimination
Over the past six weeks, there has been very little deep research on why market prices have risen and fallen. Usually it is the same unfounded narratives: emerging market adoption; hedge against inflation; hedge against collapse of country X, Y or Z; hedge against Brexit; etc. But no one provides any actual data, least of all the investors financing the startups that make the claims.
Perhaps the research that has been done on the matter was from Fran Strajnar’s team at BNC. For instance, on June 1st they noted that:
I reached out to Fran and according to him, in early June, “Somebody dropped many many millions ($) across 4 different Chinese Exchanges in a 2 hour period, without moving price – 4 days before the price rise started last week. Because it was over multiple exchanges and these trades were filled, we are digging into it further.”
If there was a standardized Kimberley Process used by all of these exchanges, it would be much easier to tell who is involved in this process and if those funds were based on proceeds of illicit activity.
Furthermore, barring such a Process, we can only speculate why journalists haven’t looked into this story:
(1) many of them do not have reliable contacts in East Asia
(2) those that do have contacts with exchange operators may not be getting the full story due to exchanges lacking KYC / KYCC / AML standards themselves
(3) some reporters and exchange operators own a bunch of cryptocurrencies and thus do not want to draw any negative attention that could diminish their net worth
Third parties such as Wedbush Securities and Needham have also published reports on price action, but these are relatively superficial in their analysis as they lack robust stats needed to fully quantify and explain the behavior we have seen.
Strangely enough, for all the pronouncements at conferences about how public blockchains can be useful for data analysis, very few organizations, trade media or analysts are publishing bonafide stats.
After all, who are the customers of these virtual currency exchanges? Because of reporting requirement we know who uses Nasdaq and ICE, why don’t we know who uses virtual currency exchanges still?
Two months ago I had a chance to speak with Marcus Swanepoel, CEO of BitX, about his experiences in Africa. BitX coordinates with a variety of compliance teams to help block transactions tied to scams and Ponzi schemes. In the past, BitX has managed to help kill off two ponzi schemes and has tried to block MMM Global which has spread to Africa.
Earlier this spring, some MMM users that were blocked by BitX just moved to another competing local exchange that didn’t block such transactions. As a result, over the course of 8 weeks this exchange did more than 3x volume than BitX during same time frame.22 BitX has subsequently regained part of this market share partly due to MMM fading in popularity.
Why is MMM so successful? Users are asked to upload videos onto Youtube of why MMM Global is great and why you should join and are then paid by MMM as a reward. This becomes self-reinforcing in large part because of the unsavvy victims who are targeted.
But MMM isn’t to blame for everything.
For instance, in China there have been a variety of get-rich-quick Ponzi schemes that rose and blew up, such as an ant farm scheme in 2007. And earlier this year, Ezubao, the largest P2P lending platform in China fell apart as a $7.6 billion Ponzi scam.23 No cryptocurrency was involved in either case.
In fact, one allegation over the past couple weeks is that The DAO attacker placed a short of 3,000 bitcoin on Bitfinex prior to attacking The DAO (which was denominated in ether).24 If there was a Kimberley Process in which all traders on all exchanges had to comply with a universal KYC / KYCC / AML standard, it would be much easier to identify the attackers as well as compensate the victims.
Similarly, because ransomware remains a “killer app” of cryptocurrencies such that companies, police stations, hospitals, elementary schools and even universities are now setting up Coinbase accounts and stockpiling cryptocurrencies to pay off hackers. What is the aggregate demand of all of this activity? If it is large, does it impact the market price? And how would a Kimberley Process help provide restitution to the victims of this ransom activity?
A strawman Kimberley Process
How can you or your organization get involved in creating a Kimberley Process for cryptocurrencies?
Right now there is no global, industry standard for “best practices” in mutualizing, implementing, or carrying out KYC / AML provisions for cryptocurrencies.25
In writing this post, several sources suggested the following process to kick-start an effort:
(1) organize an industry-level event(s) which brings together:
(a) AML analytics companies
(b) representatives from regulatory bodies and law enforcement (e.g., FATF, FinCEN)
(c) KYC/AML practitioners
(d) existing market structures and utilities such as SIFMA, ROC, Swift (e.g., KYC registry, LEI)
(e) compliance teams from cryptocurrency exchanges and wallets
(2) at the event(s) propose a list of baseline standards that exchanges and wallets can try to implement and harmonize:
(a) what documentation is required for KYC / KYCC / AML
(b) other financial controls and accountability standards that can assist exchange operators (e.g., remove the ability for an operator to naked short against its own customer base)
(3) tying these standards together with a uniform digital identity management system could be the next step in this process.
On that last point, Fabio Federici, CEO of Skry (formerly Coinalytics), explained:
In general I believe the biggest unsolved problem is still identity and information sharing. Obviously you don’t want all your PII and transaction meta data on a public blockchain, as this information could not only be leveraged by profit seeking organizations, but also malicious actors. So the question becomes what’s the right framework for sharing the right amount of information with only the people that need access to it (maybe even only temporarily).
PII stands for personal identifying information. In theory, Zcash (or something like it) has the potential to solve some of Fabio’s concerns: relevant info can be encoded in the transaction, and only the relevant parties can read it. But this delves into “regulated data” which is a topic for another post.26
Similarly, Ryan Straus, an attorney at Riddell Williams and adjunct professor at Seattle University School of Law explained that:
Identity is central to the legal concept of property. Property systems are information systems: they associate identified entities with identified rights. With the sole exception of real currency, possession or control is not conclusive indicia of ownership.
Factual fungibility simply makes it harder to prove that you have a better claim to a specific thing than the person who now possesses or controls it. The hard part about what you have written about is that it is difficult to avoid conflating KYC (which involves identity of people) and the Kimberley Process (which involves identifying things).
In order to enable participants to share information without being unduly hounded by social media, it was also suggested that the presence of: investors, cryptocurrency press and cryptocurrency lobbying groups should kept to a minimum for the initial phase.
In addition to implementing additional financial controls and external audits, cryptocurrency exchanges and wallets adopting a Kimberley Process would help provide transparency for all market participants.
While it is probably impossible to remove all the bad actors from any system, reducing the amount of shadows they have to hide could provide assurances and reduce risks to market participants of all shapes and sizes.
However, the trade-off of implementing such a Process is that it negates the core utility that public blockchains provide, turning them into expensive permissioned gateways. And if you are permissioning activity from the get-go, you might as well use a permissioned blockchain which are cheaper to manage and operate and also natively bake-in the KYC, KYCC and AML requirements. But that is a topic for another post as well.
- One reviewer argued that analytics may be superior to KYC. In the event of a compromised account — so goes the argument — analytics can help provide linkage between the flow of funds whereas KYC of compromised accounts would be “illusory.” [↩]
- This includes but is not limited to: Chainalysis, Blockseer, Skry, Elliptic, Netki and ScoreChain. [↩]
- Incidentally there is a UK-based startup called Everledger which works with insurance companies and tracks a catalogue of diamonds vis-à-vis a blockchain. [↩]
- See: Flow of Funds; KYSF; KYSF part 2; and bitcoin movements. To actively monitoring transactions at these entry and exit points, based on anecdotes, up to 20% of all nodes on the Bitcoin network may be managed and operated by these same set of participants as well. [↩]
- Note: it bears mentioning that as of this writing, no country has recognized cryptocurrencies as actual legal tender and consequently cryptocurrencies are not exempt from nemo dat. This is important as it means the provenance of the cryptocurrencies actually does matter because those assets could be encumbered. [↩]
- I asked around and my sources do not know of a single exchange that does KYC/AML on cryptocurrencies that are directly exchanged for other cryptocurrencies (e.g., Shapeshift). Furthermore, as highlighted in the past, there are gaps in compliance when it comes to certain fiat-to-cryptocurrency exchanges such as BTC-e and LocalBitcoins. [↩]
- This is in USD equivalence, usually not in USD itself. [↩]
- OctaCoin is interesting in that the operators behind it claim that it is financed from revenue streams of 3 online casinos who purportedly payout users on a regular basis. Note: gambling in China is a bit like golf in China: it’s illegal but everywhere. It is only legal in a few internal jurisdictions such as Hainan and Macau and elsewhere on the mainland only a couple of state-run lotteries are given legal status. [↩]
- Note: stealing electricity to mine bitcoins has occurred in other areas of the world too, including in The Netherlands. [↩]
- The official motivation for developing Confidential Transactions is to enable more user privacy which then leads to more fungibility. As one source pointed out: “At the end of the day it’s a balance between privacy and security. Basically the story goes ‘just because I don’t what anyone to know what I’m buying, doesn’t mean I’m a drug dealer.'” [↩]
- Marquardt also allegedly co-owns both Bitcoin.org and Blockexplorer.com, and co-manages the Bitcoin Wiki. [↩]
- Here’s another video showing some of those transactions. [↩]
- The Craig Wright / Satoshi saga is interesting because in a recent interview Craig admittedly used Liberty Reserve which was an illicit exchange based in Costa Rica shut down by the US government. According to the interview he also had ties to Ross Ulbricht, the convicted operator of Silk Road. [↩]
- See The Law of Bitcoin, Section 1.5 in the United States chapter from Ryan Straus. There are exceptions, see UCC Article 2 – sale of goods. [↩]
- See also: Learning from the past to build an improved future of fintech [↩]
- Interestingly, SharedCoin.com (sometimes referred to as Shared Send) used to be a mixer run by Blockchain.info, a venture-backed startup. It was recently shutdown without any notice and the domain now redirects to the CoinJoin wiki entry. They also pulled the SharedCoin github repo and any material that links it back to Blockchain.info. [↩]
- One reviewer mentioned that: “Ponzi schemes will always exist and should probably be fought not just in the crypto space but where in other industries too; requiring continuous education. It would be way simpler and more effective to shut down domains owned by MMM than it would to be to do anything else, but here you actually meet the pseudonymity feature of the Internet. Try to do that internationally – it is not easy!” [↩]
- From between September 2011 to September 2012 market prices more than doubled. See SEC vs. Trendon Shavers [↩]
- Note: this is a similar argument that Rick Falkvinge made three years ago. [↩]
- There are probably several dozen advocacy groups and non-profit working groups scattered across the world. Each has different goals. For instance, ACCESS in Singapore works with some regulators in SEA. While others are merely trying to create technical standards. [↩]
- Most of the criminals that are convicted are found guilty of money laundering and interaction with illicit trade, not theft of bitcoins themselves. [↩]
- Two months ago, the Financial Times briefly covered this story and Marcus wrote about some of it in March as well. [↩]
- There were some early warning signs for that industry. For instance, according to a Bloomberg story in February 2015: “The value of China’s peer-to-peer lending transactions surged almost 13-fold since 2012 to $41 billion last year, according to Yingcan Group, which tracks the data,” notes Bloomberg. However, 275 of the more than 1,500 lending went bankrupt or had trouble repaying money in 2014, an increase from 76 just a year earlier, according to Yingcan. [↩]
- No one has proven this allegation. Furthermore, there are multiple exchanges to short cryptocurrencies. [↩]
- Much of the technology needed to implement these type of processes, such as PKI anchored by certificate authorities. [↩]
- For example, see HIPAA and EU-US Privacy Shield [↩]