Alternative payment systems, or "virtual currencies" as the Financial Action Task Force (FATF) has dubbed them, have fueled the exchange of illegal goods and services on the Dark Web. Under the shield of anonymity, these currencies have let criminals engage in a growing breadth of illicit activities.
The use of cyberspace for financial activity has expanded opportunities for attackers, writes Tom Kellerman in a new report, "Follow the Money: Civilizing the Darkweb Economy," an initiative for The Wilson Center's Digital Futures Project, where he is a global fellow.
The World Economic Forum estimates cybercrime costs the global economy about $445 billion per year, the report states, citing a stat from the McKinsey Global Institute. It's time for payment systems to be held accountable, according to the report. Many implement Anti-Money Laundering (AML) and Know Your Customer (KYC) protocols, but criminals continue to find workarounds.
"We, as an industry, continue to talk about the symptoms of cybercrime without appreciating the fact that hacking tools and services are all commodities that are facilitated by an economy of scale," Kellerman explains. "The Dark Web has become a full economy of scale by definition."
Indeed, the Dark Web has enabled the sale not only of hacking tools but also of all types of personally identifiable information and of content promotion services to spread disinformation online. While hacking tools can be expensive, data is not: Identity "packages" can cost as little as 25 cents. Criminal markets include weapon and drug sales, child pornography, and hackers for hire.
Bitcoin is among the most well-known virtual currencies but far from the only one; in fact, most cybercrime proceeds are not laundered through Bitcoin, says Kellerman. Internet-based virtual currencies also include the more anonymous Monero, Dash, and Zcash, as well as China's AliPay, Russia's WebMoney, and Kenya's M-Pesa. While these are commonly used for legitimate purposes, they are also "ripe for abuse," the report says.
"The more anonymous they are, the more likely they are to be used on the Dark Web," says Scott Dueweke, president at the Identity and Payments Association, who provided insight for the report. Anonymity fuels cybercrime and the movement of currencies across systems.
Kellerman says financial institutions, including alternate payment providers, should be able to prove who their customers are and freeze funds used for crime and conspiracies if needed by law enforcement. "The best way to destabilize the capability of cybercriminals to flourish is to put pressure on their capacity to deliver goods and services," he explains.
Since 50% of all crimes now have a cyber component, the report states, it's time to "follow the money" and create an e-forfeiture fund to benefit public and private organizations around the world. The idea is that financial institutions can track funds used for illegal purposes, seize them, and reinvest the money in protecting the infrastructure of the global financial system.
As cybercrime is a global problem, it demands an international solution among public and private organizations, says Dueweke. A public-private partnership could build a de facto or industry-led standard for converting money into alternate payment systems.
"This could create a baseline of respectability and standard of trust that doesn't exist now," Dueweke explains. There is no standard for companies to prove which customers are using virtual currencies for legitimate purposes, and which are using them for crime.
The global initiative would involve the Bank for International Settlements, which is owned by 60 member central banks around the world, the report explains. Because global cybercrime is enabled by cryptocurrencies, all nations should join to regulate and supervise them.
"The fund would represent a global public/private partnership to combat money laundering using these alternative payment systems," the report states. Virtual currencies which refuse to identify their customers or freeze accounts could potentially be linked to criminal activity.
"The only way to get a global standard like that is to have a public/private partnership," Dueweke says.