Fraud & Crypto Asset: Recent News Update And Practical Considerations

Worldwide trading volume in cryptocurrency (e.g., Bitcoin, Ethereum, Litecoin) and other digital assets (e.g. non-fungible tokens (NFTs) and stablecoins) have been gradually rising due to the increased adoption by investors and traders (both retail and institutional) of these digital assets for payment, investment, or value transfer. Consequently, with the rise in popularity of cryptocurrency and digital assets, activities relating to such assets have attracted fraudulent activity and financial crime.

This article will highlight some of the recent local and overseas cases involving illicit practices and crypto assets, and provide some practical tips in relation to risk management measures.

Crypto assets – an ideal medium of exchange for fraud?

About a decade ago, barely anyone had heard of cryptocurrency and there was little mainstream interest in it. Then came Bitcoin, one of the first decentralised[1] cryptocurrency and arguably the most famous crypto asset to-date. Bitcoin’s earliest users were online black markets, such as Silk Road. In addition, from a monetary perspective, what started out at a humble price of US$0.30 per Bitcoin has now exploded to a mind-blogging price of close to US$50,000 per Bitcoin. It is hence unsurprising that Bitcoin is now the preferred ‘currency’ for financially motivated hackers, where ransom is typically demanded in Bitcoin.

A unique characteristic of blockchain technology is that virtually anything of value can be tracked and traded on a blockchain network, with cryptocurrency perhaps being the most well-known fungible[2] tokens of such purpose. In recent times, we have seen the rise of stablecoins, such as the Facebook-backed Diem which is yet to be launched, and NFTs which, unlike cryptocurrency where every token is considered alike, is regarded to represent a unique underlying asset (e.g. a video of LeBron James slam dunk[3] or an artwork[4]). It hence can be seen that crypto assets and their underlying blockchain[5] technology continue to transform the composition of financial and capital systems. However, much recent news about crypto assets (especially cryptocurrency) has been negative, with the focus unfortunately on hacks on international crypto exchanges, global enforcement actions, and significant concerns raised by various regulatory authorities and market participants. Due to cryptocurrency’ instant transactions, portability and international reach, it has been the subject matter of cryptocurrency fraud and scams, as well as illicit activities. In the next section, we look at some recent incidents involving cryptocurrency exchanges and trading platforms.         

Recent cryptocurrency-related incidents

Poly Network

News broke on 10 August 2021 that more than US$600 million in crypto assets had been stolen in a hack on Poly Network, a firm specialising in the transfer of cryptocurrency. This was one of the biggest ever cryptocurrency heists. As a (hitherto) lesser known name in the world of crypto, Poly Network is a decentralised finance (DeFi) platform which facilities peer-to-peer transactions with a focus on allowing users to transfer or swap crypto assets across different blockchains. Tokens are swapped between the blockchains using a smart contract[6] which holds instruction on when to release the assets to the counterparties. One of the smart contracts that Poly Network used to transfer tokens between blockchains maintained large amounts of liquidity to allow users to efficiently swap tokens.[7] Preliminary investigations carried out by Poly Network found that the hackers exploited a vulnerability in this smart contract; the hackers appeared to override the contract instruction for targeted blockchains and diverted the funds to wallet addresses specified by the hackers. Three days later, in an interesting sequence of events, the hacker had returned nearly all of the stolen assets. Despite the hackers claiming that it “always” planned to return the stolen assets, some crypto analysts suspected that the hackers might have realised the safest option was to return the stolen assets as it was simply too difficult to launder stolen crypto assets on such a colossal scale.

Liquid

Just a week after the headline-grabbing incident involving Poly Network, the Japanese cryptocurrency exchange Liquid announced on 19 August 2021 that its digital wallets had been compromised by hackers, resulting in US$97 million worth of cryptocurrencies being stolen. This was apparently the second hack at Liquid in less than a year – in November 2020, the exchange admitted to a data leak of its customers. Liquid is presently among the top 20 cryptocurrency exchanges in the world in terms of trading numbers processing volumes of over US$133 million transactions in 24 hours.[8] All deposits and withdrawals on the Liquid platform were suspended following the hacking incident, and only recently resumed on 30 August 2021.

Torque

In Singapore, numerous police reports were filed earlier this year by defrauded investors against Torque Trading Systems, a cryptocurrency trading platform incorporated in the BVI with management in Singapore and operations in Vietnam. In February 2021, retail investors were informed that one of Torque’s employees had apparently made unauthorised leveraged trading on the platform, hence leading to significant losses in retail investors’ trading accounts. Torque subsequently went into liquidation and more than a hundred police reports were filed against the company, with investors claiming millions lost in cryptocurrencies. The news of Torque came about the same time as warnings from a senior minister in the Singapore parliament (who is also chairman of the Monetary Authority of Singapore (“MAS”)) that cryptocurrencies are highly risky as investment products and certainly not suitable for retail investors.

Regulators’ approach toward crypto assets in Singapore

Insofar as crypto assets are regulated in Singapore, the regulatory approach is one that is activity-based and risk-proportionate. The policy objectives behind regulating any type of crypto-related activity is primarily to combat money laundering and terrorism financing (“AML/TF”). Crypto assets ecosystem, by its very nature and design, allows crypto assets-holders to bypass institutional intermediaries which traditionally are required to function as important gatekeepers in the global AML/TF regime and in the broader financial markets. Further, the risk of untested business models and the lack of a clear and shared understanding of blockchain technology and how crypto assets are sold and traded over bring about uncertainty over a still-evolving regulatory environment and the very real potential for abuse and fraud. 

In Singapore, the MAS, which is the main regulatory authority with oversight over crypto assets within the country, has taken steps to address the money laundering and terrorism financing risks associated with crypto assets:

First, digital payment token service providers, which are entities involved in providing cryptocurrency related services, need be licensed by the MAS. For instance, exchanges offering the trading of cryptocurrencies are regulated as digital payment token service providers under the Payment Services Act. In terms of AML/TF requirements, digital payment token service providers must comply with these requirements, such as obligations to perform customer due diligence and transaction monitoring. Additionally, these entities are required to file suspicious transactions reports with the Commercial Affairs Department.

Second, the MAS has stepped up surveillance of the cryptocurrency sector, to identify suspicious networks and higher risk activities for further supervisory scrutiny. The crypto assets space is constantly evolving and in light that fraud is an ongoing concern in this industry, the MAS has stated it would continue to adapt its rules as needed, to ensure that its regulation and surveillance efforts remain effective and commensurate with the risk posed.

Third, the MAS continues to raise awareness among members of the public on the risks of investing in crypto assets, through its advisories and public education efforts. These are to provide consumers with information on how to avoid being cheated or inadvertently used as mules to carry out money laundering activities.

Possible risk management measures

 As a general point, the mitigating measures to minimise fraudulent activities or financial crimes relating to crypto assets will vary from service providers and their users. A service provider should seek to understand its exposure to technology risks and put in place a robust risk management framework to ensure cyber resilience. Further, it should be aware that the techniques used by threat actors are becoming increasingly sophisticated; weak links in the interconnected IT ecosystem can be compromised to perform fraudulent financial transactions, exfiltrate sensitive data (e.g. customer data or financial data etc.) or cripple IT infrastructures.  

A robust framework to counter fraud risks should typically consists of the following non-exhaustive aspects:

1. Customer due diligence and identity verification. It is now increasingly prevalent for most service providers to establish business relationships by way of electronic means, including online channel and mobile channel. The digitalisation of identification and verification processes is an important enabler to boost convenience and reach, as well as push down service costs. However, if not effectively managed, the customer due diligence and identity verification process can undermine the integrity of the transactions. Service providers should thus establish stringent measures, to ensure uncompromising accuracy in customer identification and verification, along with an ongoing assessment of the robustness of the entire KYC process.   

2. Cybersecurity measures.  Even though digital transformation brings tremendous benefits to the crypto asset ecosystem, it also naturally increases service providers’ (and their customers’) exposure to a range of technology risks, including cyber risk. A service provider should establish policies and procedures on regular vulnerability assessment and penetration testing (VA/PT) on their IT system, to identify security vulnerabilities and to obtain an in-depth evaluation of its cybersecurity defences. In addition, multi-factor authentication and end-to-end encryptions should be implemented to safeguard the confidentiality of customer data and financial transactions.

3. Fraud monitoring. Service providers should implement real-time fraud monitoring procedures to identify and stop suspicious or fraudulent transactions. Customers ought to be notified of suspicious activities or transfer of funds which are above a well-defined threshold, and a process should be established by the service provider to investigate suspicious transactions or payments and to ensure issues are adequately and promptly addressed. Insider threat, which include sabotage of IT systems and fraud by employees, contractors and service providers, is also a pertinent risk; background checks on personnel who has access to the customer data, IT infrastructure and/or financial transactions should be carried out to minimise this risk.  

Clyde & Co is a leading global law firm with over 50 offices and associated offices worldwide, 440 partners, 1,800 lawyers, 2,500 legal professionals and 4,000 total staff. The Singapore office of Clyde & Co has advised a range of companies in size and scope (from start-ups to incumbent financial service companies) on contentious and non-contentious crypto asset matters, including crypto assets fraud and disputes. Should you have any queries on crypto assets fraud investigations and regulatory matters, our team would be happy to assist. Please do not hesitate to contact Junxiang Koh or Zhen Guang Lam.