Cryptocurrency has exploded in popularity, with Bitcoin adopted as a national currency in two countries. The blockchain technology on which cryptocurrency is built is an important tool used not only to facilitate a medium of exchange but also in many industries, including healthcare and education. As with all technologies, blockchain is a tool and can be abused by malicious actors. However, the decentralised nature of the technology creates an obstacle to establishing jurisdiction in transnational crimes.
1. Introduction
For Bitcoin and most cryptocurrencies, the association with cybercrime and fraud is not due to a lack of transparency but rather the ease of use in international transactions, something that increases the complexity of establishing jurisdiction. While Bitcoin and many cryptocurrencies are on public ledgers, transferring money between banks and across borders creates barriers to identifying the criminals, as it takes time for law enforcement to obtain information from each bank, which may require time-consuming processes in each country, and banks may even be owned by criminal actors (Levi 2002). If banks in any jurisdiction stop cooperating, the trail is lost (Hedayati 2012). In order to truly remain anonymous, cybercriminals could use stolen identities to transfer funds and eventually withdraw the cash, making them nearly untraceable. However, selecting a specific currency is inefficient for those engaging in cybercrime. Human time is valuable while running code is low cost. As such, cybercriminals play a numbers game allowing code to attack any computer with identified vulnerabilities or assume the identities of anyone whose information has become available, often through phishing attacks (Ghazi-Tehrani and Pontell 2021). Insisting on bank transfers in dollars would make sense in the US; however, if the victim’s computer is located in Poland or China, a request to transfer dollars to a US bank account may pose a greater challenge and prevent the criminals from receiving some of the funds. As cryptocurrency is jurisdiction-non-specific, cybercriminals can establish a single demand message for a virus that can harm systems globally. Due to the global nature of cryptocurrency, which uses a distributed ledger system, the appropriate jurisdiction for those involved in crypto-related crime is not always clear.
2. Background of Cryptocurrency and Blockchain Technology
Bitcoin and other cryptocurrencies are a form of distributed ledger that use blockchain to record transactions (
Soltani et al. 2022;
Pinto et al. 2022;
Gorbunova et al. 2022). As a record of assets, ledgers are ordinarily kept by one centralised person or entity, requiring trust in that entity. For example, when someone opens a bank account, the bank does not store physical money for the customer but rather maintains a ledger tracking how much money to which the customer is entitled. As a highly regulated sector, people trust that banks will maintain accurate ledgers instead of changing the amount in customer accounts (
Cardona 2022). With cryptocurrencies, the ledger is stored across multiple nodes around the world and the blockchain functions to prevent improper changes to the record. The greater number of nodes and the greater the decentralisation, the more secure a cryptocurrency is. Startup projects may be susceptible to attack. However, Bitcoin has never been successfully hacked and, with around 15,000 full nodes, (
Bailey and Warmke 2023) is a permissionless and trustless network. It is said to be permissionless in that anyone who holds Bitcoin can transfer it and create new wallets (like accounts) without the need for a bank or any other intermediary, and trustless in that the code is open source and the ledger is distributed so no one can make unauthorised changes to the ledger (
Arote and Kuri 2022).
A new Bitcoin block is created approximately every 10 min, and the chain goes back to 2009, when Bitcoin was first created in response to irresponsible banking behavior causing the 2008 financial crisis (
Aboura 2022). Although Bitcoin is good for international transfers, it is not ideal for most retail purchases due to the 10 min delay. As such, a second layer has been added, known as the lightning network (
Divakaruni and Zimmerman 2023;
Liu and Au 2022;
van Dam and Kadir 2022). The lightning network facilitates nearly instant Bitcoin transactions at a fraction of a cent (
Dylan LeClair 2022). In El Salvador, where Bitcoin was adopted as an official currency (
Taylor 2022), the lightning network was used by the government to transfer Bitcoin to its citizens.
Bitcoin uses a distributed consensus mechanism commonly referred to as “mining” to confirm transactions and update the blockchain. Encrypted numbers with 64 digits act as digital fingerprints, called hashes, which are used to secure the system (
Allenotor and Oyemade 2021). Miners use the hash from the previous block and try to calculate the next hash. This connection of the hashes is what creates the chain between blocks, preventing someone from altering the ledger (
Wezza et al. 2022). Proof of work, where miners use large amounts of computing power to secure the blockchain, is a useful tool for securing the blockchain and has been proposed for other things, including preventing denial of service attacks on email servers (
Soria Ruiz-Ogarrio 2022). However, it has been criticised for its high degree of energy consumption (
Wendl et al. 2023), largely within the context of ESG (
Rudd 2023). As such, many other projects have opted for a consensus mechanism called proof of stake. In proof of stake, holders of a cryptocurrency can “stake” their currency to give a validator the authority to confirm transactions (
Ibañez and Rua 2023). The theory is that those who own the currency have a stake in ensuring the security and accuracy of the system. In some cryptocurrencies, the stakers will lose their staked currency if the validator where they stake misbehaves.
In order to transact on the blockchain, users have two items, a public key and a private key (
Liu et al. 2017). The public key is like an email address on the blockchain, and others can use it to send cryptocurrency to that address. The private key is like a password and allows the user to send from any address to which they have the private key. Therefore, only the person with a private key can move funds on the blockchain. This both ensures the security of the blockchain and means that if a user loses their private key, they lose access to their cryptocurrency. To simplify the process, digital wallets are used to store the private key and streamline transactions (
Suratkar et al. 2020). These wallets are said to “hold” the cryptocurrency, but they only display the user’s account balance (which is public on the blockchain) and hold the private key. All cryptocurrency is on the decentralized blockchain, not on the wallet or any one device.
Aside from assets like Bitcoin that are meant as a permissionless and decentralised medium of exchange, digital assets can be divided into multiple asset classes, including:
1. Stable coins, which are pegged to the value of a specific asset, often the US dollar (
Ante et al. 2023);
Decentralised digital assets lack a clear regulatory framework in most countries. To address this and in response to Executive Order 14067, the US Department of Justice (DOJ) issued a report on crimes related to digital assets (
DOJ 2022). In this report, the DOJ expresses concerns over the use of cryptocurrency in crimes including sanctions evasions. The report calls for greater cooperation, both internationally and between government departments, and discusses the current state of the law, which lacks a comprehensive regulatory framework specific to decentralised digital assets, but where enforcement actions have nevertheless been taken. In spite of the fact that the US does not recognise cryptocurrency as legal tender, 18 U.S.C. § 1960, which prohibits “unlicensed money transmitting businesses” has been held to apply to cryptocurrency transmitting businesses.
On the regulatory front, the Financial Action Task Force (FATF), a 39-member body that establishes standards aimed at preventing money laundering, identifying funds related to the illicit drug trade, and terrorist financing, issued its recommendations on regulating digital assets (
FATF 2021;
de Koker et al. 2022). The FATF adopts the terms “virtual assets” (VAs) and “virtual asset service providers” (VASPs) in their recommendations. As a developing technology, whether something is considered a VASP under the recommendations may not always be clear. The focus of the recommendations is information collection and monitoring, with mandatory disclosure requirements, such as the ‘travel rule’ and information sharing central to these recommendations. Although the recommendations are not law, FATF recommendations set global standards that usually lead to broad adoption.