Is there any way to get out?

Reupload from my Medium. This is an old article written before the Tornado Cash case.


Intro

Due to their digital nature and privacy features, cryptocurrencies have become criminals' preferred way, after cash, to wash money earned from illicit activities. Money laundering via centralized exchanges (CEXs) has become increasingly difficult due to compliance and oversight practices such as Know Your Customer (KYC) and Anti-Money Laundering (AML), as well as a surge in regulation from governments around the world. At the same time, decentralized exchanges (DEXs) have seen a surge in activity and liquidity. Together, these two trends have made DEXs more attractive to money launderers, who can wash large volumes of illicit funds through these vibrant and liquid platforms. How can DEXs and aggregators protect against money laundering? Should they do so in the first place, given that it could violate some of the core tenets of crypto, such as anonymity and permissionless access? Could users who share a liquidity pool with ‘dirty’ funds be considered responsible and, to a certain extent, ‘accomplices’? As crypto grows its user base and activity and becomes mainstream, analyzing whether and how DEXs should solve this problem will become increasingly important.

We have something like this, right?

The problem

One of the most common arguments that naysayers use to attack crypto is that it favors criminal activities such as money laundering, (cyber)terrorism, dark web purchases, and more. This is due to the permissionless, immutable, and digital nature of cryptocurrencies, which makes them easy to move around without government or bank oversight. One of the latest such accusations comes from a Reuters investigation, which found that Binance has served as a conduit for the laundering of at least $2.35 billion in illicit funds coming from hacks, investment frauds, and illegal drug sales. Binance officially rejected these figures. Whether or not they are accurate, the problem exists, and Binance, like many other crypto companies, kept surveillance and scrutiny at minimum levels at least until 2021, when crypto became more popular and businesses started requiring new and existing users to submit identification (KYC). Security and compliance crypto firm Chainalysis found that cybercriminals laundered $8.6 billion worth of cryptocurrency in 2021. In 2021, illicit money in crypto increased by 79% in absolute terms, while overall crypto adoption and usage increased by over 500%, which means that, relatively speaking, the share of crypto transactions related to illicit activities decreased over time, representing just 0.15% of cryptocurrency transaction volume in 2021.

For comparison, the UN Office of Drugs and Crime estimated that:

“between $800 billion and $2 trillion of fiat currency is laundered each year — as much as 5% of global GDP.”


Traceability, transparency, and anonymity

Cryptocurrencies are an interesting case because, while ensuring anonymity, complete permissionless access, and ease of movement, they also are one of the most transparent ledgers of transactions available. Unlike cash, which is nearly impossible to track, blockchain has proven to be one of the most powerful tools for law enforcement, as all transactions are openly available to anyone via block explorers such as Etherscan. This allows authorities to more easily track movements between wallets as criminals attempt to convert the funds into fiat. This is why, when analyzing numbers about illicit and criminal activities, Chainalysis clarifies that:

We also need to note that these numbers only account for funds derived from “cryptocurrency-native” crime. It’s more difficult to measure how much fiat currency derived from offline crime — traditional drug trafficking, for example — is converted into cryptocurrency to be laundered.

Despite a generally high level of transparency, the explosion in DeFi has also led to a corresponding ecosystem of tools that hide Ether transactions and ‘muddy the waters’, making it harder to trace funds back to the original wallet. Mixers, for example, are crypto services that protect privacy and hide transaction trails by pooling together funds deposited by several users, mixing them, and giving back each user a share of this obfuscated pool equivalent to what they put in. Mixers such as Tornado Cash and Blender.io are used both to add privacy to legal transactions and to hide the trails of illegal ones. In a recent report, Chainalysis found that illicit addresses account for 23% of funds sent to mixers so far in 2022, up from 12% in 2021, with funds from sanctioned countries and stolen funds representing the largest share. In the recent Ronin Bridge hack attributed to North Korea’s Lazarus Group, for example, the hackers made extensive use of Tornado Cash to launder some of the stolen crypto assets from the heist, which at the time of the theft totaled $540 million.

The June peak of $115 million deposited on Tornado Cash follows closely the $100 million Harmony Hack by North Korean hackers

Interestingly, some of these mixing services have started blocking transactions from flagged wallets, while security companies keep refining their ability to de-mix certain transactions and identify the original source of funds. Elliptic, for instance, has introduced Holistic Screening, a new risk analytics tool for bridges, which allows the tracking of cryptocurrencies moving from one blockchain to another.

Despite these attempts to come clean and reduce liabilities, the U.S. Treasury Department has recently put Tornado Cash on the Specially Designated Nationals list, de facto banning American citizens from using the tool or transacting with addresses involved with it. The measure would appear justified, except that it also affected donation addresses, among which one linked to Gitcoin, the public goods and open-source project funding platform. To show the limits and problems of such a new measure, an anonymous user started sending small amounts of ETH from the sanctioned contract to various celebrities and honest addresses. Since there is no way to stop other users from sending tokens to a public address, these recipients could not avoid receiving ETH and thereby ‘interacting’ with the sanctioned contract, which could potentially trigger the blocking of their own wallets in a cascade effect.
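The cascade effect above comes from screening rules that flag any address that has ever been a counterparty of a sanctioned one, including passive recipients of unsolicited transfers. The following added example (not from the original article; all addresses, transfers and the sanctioned list are constructed labels, and the one-hop taint rule is a simplification) contrasts such a naive rule with a direction-aware one that only flags addresses that chose to send funds to the sanctioned contract, and separates unsolicited inbound transfers out for manual review instead of automatic blocking:

```python
"""Address screening: naive counterparty rule vs. direction-aware rule (added example)."""
from dataclasses import dataclass

# Constructed sample data: short labels stand in for real addresses.
SANCTIONED = {"mixer_router"}


@dataclass(frozen=True)
class Tx:
    sender: str
    receiver: str
    value_eth: float


# Constructed transfer log, chronological.
TXS = [
    Tx("alice", "mixer_router", 1.0),   # alice deposits into the sanctioned contract
    Tx("mixer_router", "celeb1", 0.1),  # unsolicited dust sent to a public address
    Tx("mixer_router", "celeb2", 0.1),  # same, to another public address
    Tx("alice", "eve", 0.4),            # alice later pays eve
    Tx("celeb2", "bob", 0.5),           # celeb2 later pays bob
    Tx("carol", "dave", 2.0),           # unrelated activity
]


def naive_screen(txs, sanctioned):
    """Flag every counterparty of a sanctioned address, regardless of direction.
    This is the rule that produces the cascade effect: celeb1 and celeb2 never
    chose to interact with the sanctioned contract, yet they are flagged."""
    flagged = set()
    for tx in txs:
        if tx.sender in sanctioned:
            flagged.add(tx.receiver)
        if tx.receiver in sanctioned:
            flagged.add(tx.sender)
    return flagged


def direction_aware_screen(txs, sanctioned, hops=1):
    """Flag only addresses that SENT funds to a sanctioned address, then follow
    their later outbound transfers for `hops` hops (simplified taint tracking).
    Receiving from a sanctioned address does not, by itself, taint the recipient."""
    flagged = {tx.sender for tx in txs if tx.receiver in sanctioned}
    for _ in range(hops):
        flagged |= {tx.receiver for tx in txs
                    if tx.sender in flagged and tx.receiver not in sanctioned}
    return flagged


def unsolicited_inbound(txs, sanctioned):
    """Recipients of transfers initiated by a sanctioned address: surface these
    for analyst review or a user warning rather than an automatic block."""
    return {tx.receiver for tx in txs if tx.sender in sanctioned}
```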

Even funds and transactions that are not being washed through mixing services — crypto detractors claim — can be hard to trace due to the anonymity of wallet addresses. While this was true in the first years of cryptocurrencies, and especially Bitcoin, a few crypto security firms like Chainalysis, Elliptic, and CipherTrace have been building software and tools that can track transactions and help law enforcement identify illicit earnings. This task is made easier by the fact that the fiat on-ramp and cash-out still require centralized exchanges, which means there is usually a traceable link between anonymous decentralized wallets and identifiable centralized ones.


CEXs vs. DEXs: regulation and best practices

Centralized crypto exchanges effectively serve as the point of entry from fiat and of cashing out to fiat. Users generally buy crypto on a centralized exchange using a debit/credit card or a bank account, and use the same method to cash out their crypto to pay for everyday-life expenses. As evidence of the crucial role that CEXs play, crypto forensic firm Chainalysis shows that a large portion of illicit funds eventually gets transferred to centralized exchanges:

Because of this, CEXs can play a key role in identifying, blocking, or freezing stolen funds. For example, Binance managed to freeze $6 million worth of stolen funds associated with the Ronin bridge hack. CEXs are also the first targets of regulators and watchdogs around the world, as they can be clearly identified with traditional company frameworks, and need to obtain authorizations from governments and agencies.

DEXs typically have mirror-image advantages compared to CEXs: they bypass compliance controls (like KYC and AML), meaning they do not collect a user’s ID, address, or phone number, thereby ensuring a degree of anonymity for their users, and they lack a central administrator with active oversight of user accounts, records, identities, or activities. One limit to DEX anonymity and permissionless access comes from stablecoins. When depositing assets on DEXs, criminals very often convert to stablecoins, which, in the case of centralized issuers like Tether and Circle, can easily be frozen once flagged.

Despite being decentralized in name, many DEXs actually have a core team and sometimes even a legal entity running them, or exerting enough influence or control to be targeted for violations (if they lack KYC or AML procedures). Consequently, agencies in Europe and the United States have been trying to include DEXs in the list of regulated “brokers”, since they facilitate such trades regardless of whether the protocol is open source and decentralized. If this trend continues, DEXs will have to comply, for example by obtaining a license, verifying users’ identities, reporting suspicious transactions, and freezing illicit ones upon request from the authorities. Otherwise, DEXs may at a minimum be unable to operate due to a lack of interoperability with centralized exchanges.

Yes, regulations are coming, and the main reason why DEXs will struggle to survive the coming storm is their proclaimed inability to identify the users trading on and contributing to their liquidity pools.

Introducing KYC and AML to DEXs won’t be easy, and may be problematic from both a technical and an ethical point of view. Technically, it would entail embedding a KYC procedure into the smart contracts that power the DEX and letting it run automatically without human intervention. Alternatively, some DEXs are considering adding KYC at the front-end layer. Ethically, it would mean superseding the permissionless nature of crypto protocols, which goes against the core tenets of blockchain.

DEXs will need to work hard to accumulate expertise and analytical tools in order to properly defend against illicit transactions and freeze criminal activities before they manage to spread further in the ecosystem. Alternatively, they could consider partnerships and collaborations with centralized services, traditionally more accustomed to these practices.


How are different companies dealing with this?

In September last year, SushiSwap, one of Uniswap’s largest competitors, suffered a $3 million hack. To recoup the lost funds, SushiSwap asked crypto exchanges FTX and Binance to share the attacker’s KYC information and instructed its lawyer to file an IC3 complaint with the FBI. More recently, SushiSwap started taking measures to protect its business and its users from legal liability in case of illicit activities on the platform. After approving a proposal with 100% of the votes, SushiSwap set out to implement a legal structure aimed at mitigating risks for token holders and members of the Sushi protocol.

Another reason for DEXs to comply with KYC, AML, and other regulatory requirements is to appeal to and attract institutional investors. It’s now well known that banks and hedge funds have been slow to engage with decentralized finance because of their own regulatory hurdles and because decentralized solutions cannot ensure adequate protection. That is why 1inch plans to launch 1inch Pro, a separate, permissioned service that complies with U.S. regulations such as KYC and AML and sources liquidity from pools separate from those of 1inch’s traditional DEX; the product will mostly target banks and other institutional investors. It’s easy to imagine that many DEXs will start their transition to compliance by adding a separate, permissioned product alongside their main, decentralized one.

An interesting experiment comes from Solflare, one of the most popular Solana wallets. Solflare has launched a key integration with cryptocurrency exchanges FTX.com and FTX US, enabling investors to access centralized finance (CeFi) and DeFi apps from a single non-custodial, KYC-verified wallet. By connecting the user’s KYC-verified FTX account to Solflare’s non-custodial wallet, the Solana blockchain can verify that those wallets meet regulatory requirements and aren’t “shell” accounts for illicit activities. Such partnerships between DEXs and CEXs can be another viable way to build compliance in the decentralized world.

Timechain, a Canadian registered Money Services Business (MSB) operating through TimeSwap, is a decentralized exchange aggregator and permissionless lending and borrowing protocol actively regulated by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and the AMF. It has released the first compliant Automated Market Maker (AMM) liquidity pools, along with yield farming and staking functionality.

One more viable way is to leverage zero-knowledge technology, which would allow DEXs to verify users’ identity (Verifiable Credentials) and issue a cryptographic proof of their compliance without ever revealing or even storing users’ information, thus maintaining their decentralized ethos. Identification startup Burrata issues “digital identity tokens” to attach to cryptocurrency wallets. PureFi is a protocol that allows users to get KYCed without disclosing their identity, which means they can preserve anonymity and privacy while at the same time meeting compliance requirements. Finally, negative reputation, as discussed by Vitalik, could also be a valuable solution to the problem of verifying compliance while preserving users’ anonymity.


Wallets

Wallets are another key component in the blockchain ecosystem, as they serve as the gateway to decentralized applications. Decentralized wallets share similar challenges with decentralized exchanges, as they cannot easily block addresses that are proven or suspected to be connected with illicit funds and crimes. In the most recent crypto hack, thousands of Solana wallets were attacked, leading to the loss of at least $4 million worth of Solana and USDC. A few of the responsible or related accounts have been identified, but due to the permissionless nature of these infrastructures, it is hard to block them. As can be seen from this interface on Solscan, very often the only measures that can be taken to increase users’ safety are to warn users and emphasize the risks of interacting with these addresses:

As mentioned, it won’t be too hard for the owners of this and the other blacklisted addresses to move the illicit funds across wallets, DEXs, or other protocols, eventually land at a centralized exchange, and cash out. In the process, they will likely mix these illicit funds with legitimate ones, which in turn become ‘gray’ money, liable to penalties and sanctions.


NFT Marketplaces

DEXs and CEXs are not the only destinations for illicit or gray funds. Despite representing just a small percentage of the overall money laundering activities in cryptocurrency, NFT marketplaces also saw an impressive surge in illicit funds pouring in:

NFTs, like art, can be an ideal way for dishonest players to wash illicit money. Like art, NFTs are easy to buy and move around, their value is more subjective than that of coins because they are less liquid and a lot more volatile, and they are usually less subject to oversight by authorities and agencies (e.g. are NFTs securities?). These characteristics, together with some specific shady practices like wash trading, allow criminals to buy NFTs with illicit funds, exchange them multiple times among self-funded wallets in order to inflate their value and appeal (wash trading), and then sell them to unaware and honest users, who can then unwittingly become criminals themselves. As can be seen, NFT marketplaces and NFT trading add further obstacles to distinguishing purely legitimate funds from illicit ones, and purely honest players from dishonest ones.
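The wash-trading pattern described above leaves a detectable trace on-chain: a token that changes hands repeatedly between wallets funded from one source, at rising prices, before being sold to a wallet outside that cluster. The following added example (not from the original article; the sale log, the funding map and the thresholds are constructed) implements that heuristic over a small NFT sale history and reports the cluster, the number of intra-cluster trades, the markup and the buyers who bought from the cluster:

```python
"""Heuristic wash-trade detector over an NFT sale history (added example)."""
from collections import defaultdict

# Constructed funding map: which address first funded each wallet
# (in practice derived from each wallet's first inbound transfer).
FUNDED_BY = {"w1": "src", "w2": "src", "w3": "src",
             "buyer": "exchange", "w9": "other"}

# Constructed sale log: (token_id, seller, buyer, price_eth), chronological.
SALES = [
    ("nft-1", "w1", "w2", 1.0),
    ("nft-1", "w2", "w3", 3.0),
    ("nft-1", "w3", "w1", 9.0),        # token is back where it started, 9x the price
    ("nft-1", "w1", "buyer", 10.0),    # exit sale to an unrelated, honest buyer
    ("nft-2", "w9", "buyer", 2.0),     # ordinary sale, no shared funding source
]


def cluster_of(wallet, funded_by):
    """Funding source of a wallet, or None if unknown."""
    return funded_by.get(wallet)


def same_cluster(a, b, funded_by):
    ca, cb = cluster_of(a, funded_by), cluster_of(b, funded_by)
    return ca is not None and ca == cb


def detect_wash_trades(sales, funded_by, min_intra=2, min_markup=2.0):
    """Return {token_id: report} for tokens whose price was pumped by at least
    `min_intra` trades inside one funding cluster with an overall markup of at
    least `min_markup`. Thresholds are assumptions, not from the article."""
    by_token = defaultdict(list)
    for token, seller, buyer, price in sales:
        by_token[token].append((seller, buyer, price))

    reports = {}
    for token, trades in by_token.items():
        intra = [t for t in trades if same_cluster(t[0], t[1], funded_by)]
        if len(intra) < min_intra:
            continue
        first_price, last_price = intra[0][2], intra[-1][2]
        markup = last_price / first_price
        if markup < min_markup:
            continue
        cluster = cluster_of(intra[0][0], funded_by)
        # Sales that move the token out of the cluster: the potential victims.
        exits = [b for s, b, _ in trades
                 if cluster_of(s, funded_by) == cluster
                 and not same_cluster(s, b, funded_by)]
        reports[token] = {"cluster": cluster, "intra_cluster_trades": len(intra),
                          "markup": markup, "exit_buyers": exits}
    return reports
```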


Conclusion

Despite representing a small percentage of the total crypto in circulation, money laundering and illicit activities represent a considerable problem, growing year by year. This will attract increasing regulation, and while that may first target centralized projects, decentralized protocols won’t be exempted, especially as their trade volume and number of users increases, and as they seek help from centralized exchanges and authorities to recoup hacked funds, as SushiSwap did.

It’s ethically important that all players, including the most decentralized and permissionless ones, fight against illicit activities, as this can eventually benefit the whole industry:

Criminal abuse of cryptocurrency creates huge impediments for continued adoption, heightens the likelihood of restrictions being imposed by governments, and worst of all victimizes innocent people around the world.

CEXs and DEXs alike should join forces and adopt best practices to prevent illicit funds from getting mixed with legitimate ones, producing gray pools of assets that can negatively affect honest users, such as the Latvian generative artist Ilja Borisovs, aka Shvembldr, charged with alleged money laundering after receiving sale proceeds on his Coinbase account.

Crypto has a unique opportunity to prove its goodwill and solve these problems before it is too late. It also has the chance, and the most advanced tools, to surpass existing models by combining the accessibility and privacy of cash with the transparency and security of digital payment systems, and eventually to achieve the optimal balance between compliance and oversight on the one side, and permissionless access, open source, and ownership on the other.

Fin.

My Telegram: @Alpha_Omega_Cat
