Worldwide trading volume in cryptocurrency (e.g., Bitcoin, Ethereum, Litecoin) and other digital assets (e.g. non-fungible tokens (NFTs) and stablecoins) have been gradually rising due to the increased adoption by investors and traders (both retail and institutional) of these digital assets for payment, investment, or value transfer. Consequently, with the rise in popularity of cryptocurrency and digital assets, activities relating to such assets have attracted fraudulent activity and financial crime.
This article will highlight some of the recent local and overseas cases involving illicit practices and crypto assets, and provide some practical tips in relation to risk management measures.
About a decade ago, barely anyone had heard of cryptocurrency and there was little mainstream interest in it. Then came Bitcoin, one of the first decentralised cryptocurrency and arguably the most famous crypto asset to-date. Bitcoin’s earliest users were online black markets, such as Silk Road. In addition, from a monetary perspective, what started out at a humble price of US$0.30 per Bitcoin has now exploded to a mind-blogging price of close to US$50,000 per Bitcoin. It is hence unsurprising that Bitcoin is now the preferred ‘currency’ for financially motivated hackers, where ransom is typically demanded in Bitcoin.
A unique characteristic of blockchain technology is that virtually anything of value can be tracked and traded on a blockchain network, with cryptocurrency perhaps being the most well-known fungible tokens of such purpose. In recent times, we have seen the rise of stablecoins, such as the Facebook-backed Diem which is yet to be launched, and NFTs which, unlike cryptocurrency where every token is considered alike, is regarded to represent a unique underlying asset (e.g. a video of LeBron James slam dunk or an artwork). It hence can be seen that crypto assets and their underlying blockchain technology continue to transform the composition of financial and capital systems. However, much recent news about crypto assets (especially cryptocurrency) has been negative, with the focus unfortunately on hacks on international crypto exchanges, global enforcement actions, and significant concerns raised by various regulatory authorities and market participants. Due to cryptocurrency’ instant transactions, portability and international reach, it has been the subject matter of cryptocurrency fraud and scams, as well as illicit activities. In the next section, we look at some recent incidents involving cryptocurrency exchanges and trading platforms.
News broke on 10 August 2021 that more than US$600 million in crypto assets had been stolen in a hack on Poly Network, a firm specialising in the transfer of cryptocurrency. This was one of the biggest ever cryptocurrency heists. As a (hitherto) lesser known name in the world of crypto, Poly Network is a decentralised finance (DeFi) platform which facilities peer-to-peer transactions with a focus on allowing users to transfer or swap crypto assets across different blockchains. Tokens are swapped between the blockchains using a smart contract which holds instruction on when to release the assets to the counterparties. One of the smart contracts that Poly Network used to transfer tokens between blockchains maintained large amounts of liquidity to allow users to efficiently swap tokens. Preliminary investigations carried out by Poly Network found that the hackers exploited a vulnerability in this smart contract; the hackers appeared to override the contract instruction for targeted blockchains and diverted the funds to wallet addresses specified by the hackers. Three days later, in an interesting sequence of events, the hacker had returned nearly all of the stolen assets. Despite the hackers claiming that it “always” planned to return the stolen assets, some crypto analysts suspected that the hackers might have realised the safest option was to return the stolen assets as it was simply too difficult to launder stolen crypto assets on such a colossal scale.
Just a week after the headline-grabbing incident involving Poly Network, the Japanese cryptocurrency exchange Liquid announced on 19 August 2021 that its digital wallets had been compromised by hackers, resulting in US$97 million worth of cryptocurrencies being stolen. This was apparently the second hack at Liquid in less than a year – in November 2020, the exchange admitted to a data leak of its customers. Liquid is presently among the top 20 cryptocurrency exchanges in the world in terms of trading numbers processing volumes of over US$133 million transactions in 24 hours. All deposits and withdrawals on the Liquid platform were suspended following the hacking incident, and only recently resumed on 30 August 2021.
In Singapore, numerous police reports were filed earlier this year by defrauded investors against Torque Trading Systems, a cryptocurrency trading platform incorporated in the BVI with management in Singapore and operations in Vietnam. In February 2021, retail investors were informed that one of Torque’s employees had apparently made unauthorised leveraged trading on the platform, hence leading to significant losses in retail investors’ trading accounts. Torque subsequently went into liquidation and more than a hundred police reports were filed against the company, with investors claiming millions lost in cryptocurrencies. The news of Torque came about the same time as warnings from a senior minister in the Singapore parliament (who is also chairman of the Monetary Authority of Singapore (“MAS”)) that cryptocurrencies are highly risky as investment products and certainly not suitable for retail investors.
Insofar as crypto assets are regulated in Singapore, the regulatory approach is one that is activity-based and risk-proportionate. The policy objectives behind regulating any type of crypto-related activity is primarily to combat money laundering and terrorism financing (“AML/TF”). Crypto assets ecosystem, by its very nature and design, allows crypto assets-holders to bypass institutional intermediaries which traditionally are required to function as important gatekeepers in the global AML/TF regime and in the broader financial markets. Further, the risk of untested business models and the lack of a clear and shared understanding of blockchain technology and how crypto assets are sold and traded over bring about uncertainty over a still-evolving regulatory environment and the very real potential for abuse and fraud.
In Singapore, the MAS, which is the main regulatory authority with oversight over crypto assets within the country, has taken steps to address the money laundering and terrorism financing risks associated with crypto assets:
First, digital payment token service providers, which are entities involved in providing cryptocurrency related services, need be licensed by the MAS. For instance, exchanges offering the trading of cryptocurrencies are regulated as digital payment token service providers under the Payment Services Act. In terms of AML/TF requirements, digital payment token service providers must comply with these requirements, such as obligations to perform customer due diligence and transaction monitoring. Additionally, these entities are required to file suspicious transactions reports with the Commercial Affairs Department.
Second, the MAS has stepped up surveillance of the cryptocurrency sector, to identify suspicious networks and higher risk activities for further supervisory scrutiny. The crypto assets space is constantly evolving and in light that fraud is an ongoing concern in this industry, the MAS has stated it would continue to adapt its rules as needed, to ensure that its regulation and surveillance efforts remain effective and commensurate with the risk posed.
Third, the MAS continues to raise awareness among members of the public on the risks of investing in crypto assets, through its advisories and public education efforts. These are to provide consumers with information on how to avoid being cheated or inadvertently used as mules to carry out money laundering activities.
As a general point, the mitigating measures to minimise fraudulent activities or financial crimes relating to crypto assets will vary from service providers and their users. A service provider should seek to understand its exposure to technology risks and put in place a robust risk management framework to ensure cyber resilience. Further, it should be aware that the techniques used by threat actors are becoming increasingly sophisticated; weak links in the interconnected IT ecosystem can be compromised to perform fraudulent financial transactions, exfiltrate sensitive data (e.g. customer data or financial data etc.) or cripple IT infrastructures.
A robust framework to counter fraud risks should typically consists of the following non-exhaustive aspects:
Clyde & Co is a leading global law firm with over 50 offices and associated offices worldwide, 440 partners, 1,800 lawyers, 2,500 legal professionals and 4,000 total staff. The Singapore office of Clyde & Co has advised a range of companies in size and scope (from start-ups to incumbent financial service companies) on contentious and non-contentious crypto asset matters, including crypto assets fraud and disputes. Should you have any queries on crypto assets fraud investigations and regulatory matters, our team would be happy to assist. Please do not hesitate to contact Junxiang Koh or Zhen Guang Lam.
 ‘Decentralised’ refers to the transfer of control and decision-making from a centralised entity (individual, organisation or group of individuals and/or organisations) to a distributed network. The decentralised nature of Bitcoin means that it is resistant to censorship and manipulation by any single entity.
 To briefly explain the meaning of ‘fungible’, it means easy to exchange or trade for something else of the same type and value (Cambridge Dictionary (last accessed at https://dictionary.cambridge.org/dictionary/english/fungible on 25 August 2021)).
 Reuters, “How a 10-second video clip sold for $6.6 million” (last accessed at https://www.reuters.com/article/us-retail-trading-nfts-insight-idUSKCN2AT1HG on 25 August 2021).
 The Straits Times, “Mystery Singapore buyer of $93m digital work at Christie's auction revealed” (last accessed at: https://www.straitstimes.com/life/mystery-singapore-buyer-of-93m-digital-work-at-christies-auction-revealed on 25 August 2021)
 ‘Blockchain’ is a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network.
 A ‘smart contract’ is a program stored on a blockchain that runs when predetermined terms are met. They are commonly used to automate the execution of a contract so that all parties may immediately be notified of the outcome, without any time loss or intermediary’s involvement.
 Reuters, “Explainer: How hackers stole and returned $600 mln in tokens from Poly Network” (last accessed at: https://www.reuters.com/technology/how-hackers-stole-613-million-crypto-tokens-poly-network-2021-08-12/ on 15 August 2021).
 Per information from CoinMarketCap, a price-tracking website for crypto assets.