Cryptocurrencies: regulatory and enforcement trends in the United States
Fraud schemes have grown increasingly sophisticated and complex in our ever-changing economic, commercial, technological and regulatory landscape. It is essential for investigations practitioners to remain abreast of these evolving trends and understand how to apply investigative techniques and technology solutions when issues arise.
In this extract of a chapter for GIR Americas Investigations Review 2025, FRA experts explore cryptocurrencies in the context of fraud and compliance investigations. Beginning with an overview of pertinent aspects of the evolving regulatory framework in the Americas, the authors then discuss specific nuances, considerations and investigative tools that practitioners should consider, including examples of how they have been applied in recent investigations.
Cryptocurrencies and fraud
Cryptocurrencies are starting to be accepted as more mainstream forms of investment and financial instruments and are therefore attracting more attention from regulatory and law enforcement agencies. These digital assets allow for faster fund transfers across the globe and provide increased transaction transparency.
Expanding growth in the use of cryptocurrencies has even led several countries, such as El Salvador and the Central African Republic, to formally accept bitcoin as legal tender.[1] There’s also been a push worldwide to regulate stablecoins, which are cryptocurrencies backed by fiat currency that maintain a stable value, and central bank digital currencies (CBDCs), which are stablecoins issued and controlled by central banks or governments.[2] As of November 2023, approximately 130 countries are exploring a CBDC, and 64 countries are in the advanced stages of exploration (launch, pilot or development).[3]
However, price volatilities and nascent regulatory oversight have allowed bad actors to take advantage of the investing public by leveraging cryptocurrencies as conduits for fraudulent activities. We are now seeing a wide range of schemes perpetrated through cryptocurrencies, including traditional fraud such as investment scams and newer types of cryptocurrency-specific fraud such as smart contract exploits[4] and address poisoning attacks.[5] According to the Chainalysis 2024 Crypto Crime Report, funds sent to illicit addresses reached US$24.2 billion in 2023.[6]
Regulatory guidance and enforcement trends in cryptocurrencies
Due to the decentralised nature and complexity of cryptocurrencies, regulatory agencies in the United States have been slow to provide guidance and enact specific frameworks for regulation. Other jurisdictions across the globe, such as the European Union and Dubai, have already passed or debated cryptocurrency-specific legislation. The United States has not, and instead leverages its existing legal framework to regulate the cryptocurrency industry. This has led to the phrase ‘regulation by enforcement’ and outcry from the industry for regulatory guidance that identifies the major cryptocurrencies that qualify as securities (falling under the jurisdiction of the SEC) and those that qualify as commodities (falling under the jurisdiction of the CFTC).
SEC Chairman Gary Gensler has expressed his view that most cryptocurrencies, except for bitcoin, meet the criteria of an ‘investment contract’ and are thus securities.[7] As a result, the SEC has been aggressive in bringing actions against cryptocurrency exchanges and decentralised finance (DeFi) protocols allegedly operating as unlicensed securities exchanges. The CFTC has also become increasingly aggressive in bringing enforcement actions, particularly against DeFi protocols for offering illegal digital asset derivatives trading.[8]
In addition to the SEC and CFTC, US regulatory agencies such as the DOJ, OFAC and the Financial Crimes Enforcement Network (FinCEN) are now actively focused on cryptocurrencies and are taking the global lead on investigations and enforcement. We highlight below recent guidance from these regulators most pertinent for investigative professionals to consider in investigations.
DOJ
In February 2022, the DOJ expanded its cryptocurrency resources by creating the National Cryptocurrency Enforcement Team (NCET), with the mission of tackling complex investigations and prosecuting criminal misuses of cryptocurrency.[9] Following the collapse of FTX in November 2022, there has been an increased sense of urgency to root out bad actors within the digital assets industry. In fact, in July 2023, the DOJ announced that it would double the number of prosecutors available to work on the team’s growing cryptocurrency-focused case load.[10]
As a result, the DOJ has unveiled numerous cryptocurrency-related charges and seizures in the past year, which largely fall under the following three themes.
- Companies that do not adequately mitigate financial crime risks
In November 2023, the DOJ announced that it had reached a US$4 billion settlement with Binance for violations of the Bank Secrecy Act (BSA), acting as an unregistered money transmitting business, and sanctions violations. Binance’s guilty plea was part of a coordinated resolution with FinCEN, OFAC and the CFTC. The guilty plea also required Binance to appoint an independent compliance monitor.[11] Additionally, Binance’s ex-CEO, Changpeng Zhao, was sentenced to four months in prison for failing to maintain an effective anti-money laundering (AML) programme.[12]
Relatedly, in March 2024, the DOJ charged the cryptocurrency exchange KuCoin and two of its founders for conspiring to operate an unlicensed money service business and violating the BSA by failing to maintain an adequate AML programme. Similar to the charges against Binance, the charges against KuCoin allege that KuCoin failed to register with FinCEN as a money transmitting business and failed to file any suspicious activity reports (SARs).[13]
- Companies or entities that enable financial crime
Cryptocurrency mixers – services that enable money laundering by blending pools of cryptocurrency – continue to be a target of the DOJ as they enable nefarious entities to obfuscate the source and destination of their funds. In April 2024, the DOJ arrested two individuals for operating the Samourai Wallet, a cryptocurrency mixer that allegedly executed over US$2 billion in unlawful transactions and facilitated more than US$100 million in money laundering transactions from illegal darknet marketplaces.[14]
Additionally, the trial of Roman Sterlingov, the creator of the notorious Bitcoin Fog cryptocurrency mixer, concluded in March 2024 with Sterlingov’s conviction by a federal jury for money laundering. Bitcoin Fog was the longest running cryptocurrency mixer, laundering approximately US$400 million during its operation.[15] Prior to that, in August 2023, the DOJ charged Roman Storm and Roman Semenov for operating the Tornado Cash cryptocurrency mixer, where they laundered more than US$1 billion[16] and which OFAC also sanctioned.[17]
- Entities that use cryptocurrency to defraud
Finally, the DOJ has been increasingly aggressive against groups that enable or participate in cryptocurrency investment schemes that have resulted in an astounding amount of victim loss. According to the Federal Bureau of Investigation’s (FBI) 2023 Internet Crime Report, reported losses due to cryptocurrency investment scams totalled approximately US$3.96 billion in 2023, representing a 53 per cent increase from 2022.[18] This is primarily due to the increased prevalence of ‘pig butchering’ scams, in which people are duped into investing in fraudulent cryptocurrency investment platforms.[19] In May 2024, the DOJ charged two Chinese nationals for the roles they allegedly played in laundering US$73 million in proceeds derived from pig butchering scams.[20] The DOJ has also targeted infrastructure related to these scams. For example, in May 2024, the DOJ announced that the US Secret Service seized a web domain used to host a fraudulent cryptocurrency investment platform in furtherance of a pig butchering scheme.[21]
SEC
In the past year, SEC Chairman Gary Gensler has been active in bringing enforcement actions in the crypto space, filing 19 separate lawsuits since August 2023, including lawsuits against the exchanges Kraken and ShapeShift.[22] This is in addition to its unsettled lawsuits against Binance and Coinbase for purportedly operating unregulated securities exchanges. However, the SEC’s enforcement actions thus far have been received with mixed reactions by the cryptocurrency industry and US lawmakers due to the lack of regulatory guidance currently in place to define the agency’s jurisdiction over digital assets and whether crypto assets qualify as investment contracts.
In that vein, the SEC has also brought enforcement actions against other cryptocurrency exchanges and DeFi protocols it believes to be operating unlicensed security exchanges. In April 2024, the SEC served a Wells Notice to Uniswap Labs, one of the largest decentralised cryptocurrency exchanges. The Wells Notice claims that Uniswap acts as an unregistered securities exchange and an unregistered securities broker.[23] In May, Uniswap submitted a formal response to the Wells Notice,[24] stating that it does not meet the definition of an exchange and is thus not subject to regulation by the SEC. The response further states that Uniswap’s interface and wallet service do not meet the definition of a broker,[25] pointing to a recent ruling from a federal judge dismissing the SEC’s claims that wallet services provided by the cryptocurrency exchange Coinbase qualified it as an unregistered securities broker.[26]
OFAC
OFAC actively uses its authority in the cryptocurrency space, sanctioning both wallets and cryptocurrency mixers used for nefarious activity as well as the cryptocurrency wallet addresses of individuals and entities sanctioned for non-crypto specific crimes. This is especially true with the increased attention on North Korea’s and Russia’s use of cryptocurrency to evade sanctions.
In November 2023, OFAC sanctioned Sinbad.io, a cryptocurrency mixer that was prolifically used by the Lazarus Group, the North Korean state-sponsored cyber hacking group that famously hacked Sony Pictures Entertainment in 2014. According to OFAC, Sinbad.io processed millions of dollars of cryptocurrency that the Lazarus Group had stolen or that was linked to other illicit activities like drug trafficking.[27] This follows the sanctions OFAC levied in April 2023 against three individuals operating in China who assisted North Korean actors in laundering stolen cryptocurrency.[28]
Additionally, in March 2024 OFAC sanctioned the Russian nationals Ilya Andreevich Gambashidze and Nikolai Aleksandrovich Tupikin and their respective companies for assisting the Russian government’s disinformation campaign against the United States. The sanctions included two cryptocurrency wallet addresses utilised by the sanctioned individuals.[29]
Cryptocurrency investigation considerations
Given the increasing scrutiny from regulatory agencies, we now explore nuances that practitioners should consider when conducting cryptocurrency investigations and the power of utilising blockchain analysis tools in concert with traditional investigative techniques.
Planning for the investigation
There are several considerations that investigative teams should evaluate carefully during the planning and scoping phases of a cryptocurrency investigation. Investigative teams need to consider the varying levels of regulations, across jurisdictions, that may be applicable. For example, if investigating suspicious transactions that have occurred within a virtual asset service provider (VASP) as defined within US regulations, the practitioner should consult the BSA as the updated guidance indicates that VASPs are considered money transmitters and are, therefore, subject to AML requirements under the BSA. To that end, determining what fiat currencies were involved in an investigation can also help investigators determine what regulations may apply.
As cryptocurrency investigations involve analysing the flow of funds on one or multiple blockchains, the investigation team should determine any required involvement of subject matter experts. These investigations should be staffed with experts who are well versed in the elements that make up a cryptocurrency transaction, including cryptocurrency addresses, wallets, exchanges and analysing data on the blockchain.
Investigative teams also need to determine what kinds of virtual assets are involved in the investigation. There are significant differences in the way one follows the flow of funds in an unspent transaction output-based blockchain, such as bitcoin, versus an account-based blockchain such as ethereum (ETH). While having investigators trained in bitcoin asset tracing is a good baseline, cryptocurrency investigations increasingly involve ETH, ERC-20 tokens[30] and ERC-721 tokens[31] (non-fungible tokens (NFTs)). If these types of tokens are involved, investigative teams should employ individuals trained in tracing these types of assets.
Identifying information relevant to the investigation
Data collection and analysis will be a major component of the overall investigative procedures in a cryptocurrency investigation. Although anyone can trace specific transactions on the blockchain, additional data is required to identify the details of real-world actors associated with cryptocurrency addresses identified on the blockchain. Information such as emails, text messages and other structured or unstructured data stored on devices could potentially help identify the owners of cryptocurrency wallet addresses or provide information on wallet private keys or passwords associated with the addresses.
There are also identity and access management data points to consider, such as knowledge of private keys, code update permissions or access to company-controlled cryptocurrency accounts. These are key facts for investigators to consider if a party claims that they could not have authorised a transfer of funds or if an account with elevated privileges was accessed without authorisation.
Investigative procedures
Cryptocurrency investigations often involve tracing assets to identify the ultimate source or destination of funds and what parties were involved. Instead of traditionally tracing funds through the general ledger and corresponding bank statements to investigate a crime committed using fiat currency, practitioners will investigate the flow of funds by analysing activity recorded on the blockchain.
Complications can arise when cryptocurrencies maintained on different blockchains are used to facilitate the illicit activity. If multiple cryptocurrencies were used at any point in the payment process, it will likely be necessary to perform tracing across blockchains. To this end, investigators need to be aware of cryptocurrency-swapping services and cross-chain bridges. While these services are not nefarious themselves, actors seeking to obfuscate the true source or destination of their funds can utilise these swapping services for illicit purposes.
In these complex situations, blockchain analytics tools streamline the review as they collate copious amounts of blockchain data across multiple blockchains, and provide innovative data visualisations that allow for methodical asset tracing and effective reporting of findings. These tools also layer in proprietary attribution information, allowing investigators to identify when assets have been sent to or from a cryptocurrency exchange. By utilising blockchain analytics tools in tandem with the information collected in the data collection phase to identify owners of cryptocurrency addresses, practitioners will more readily be able to capture and analyse blockchain and cross-chain cryptocurrency transactions.
Case studies
While cryptocurrency schemes are typically complex, we present below two simplified case studies featuring fictitious companies to demonstrate how practitioners could combine cryptocurrency tracing with traditional investigative techniques to create a statement of facts from multiple datasets.
- Ransomware and sanctions due diligence
Company ABC was hit by ransomware, resulting in the encryption of its entire network. The ransomware actors have provided ABC with a bitcoin wallet to send US$1 million to receive the decryption keys. After consultation with in-house counsel, ABC is considering paying the ransom.
Open-source lookups of the ransomware variant revealed that the variant potentially has ties to the DPRK. Given the OFAC prohibition of making ransom payments to sanctioned entities, ABC wants to conduct due diligence to ensure it is not paying a sanctioned wallet address.
ABC first compares the wallet address provided by the ransomware actors with the bitcoin wallet addresses in OFAC’s specially designated nationals and blocked persons (SDN) list and does not find a match. Knowing that it is trivial for a ransomware actor to generate a new wallet address, ABC conducts blockchain analysis to determine whether the wallet address the ransomware actors provided has direct or indirect sending or receiving exposure to any cryptocurrency wallet addresses on the SDN list. By analysing the blockchain, ABC determines that the wallet address provided by the ransomware actors was part of a common spending transaction[32] with a wallet address on the SDN list, and thus that it is reasonably likely that the wallet address is controlled by a sanctioned entity.
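The two checks in this case study, sketched as an added example that is not part of the original chapter: a direct comparison against SDN-listed addresses, then a search for co-spend links. It assumes that a 'common spending transaction' means the addresses funded inputs of the same transaction, follows such links transitively (one step beyond the single shared transaction in the case study), and uses constructed placeholder addresses and transactions throughout.

```python
from collections import defaultdict, deque

# Constructed sample data: placeholder labels stand in for real bitcoin
# addresses and SDN entries; none of these values come from the article.
SDN_ADDRESSES = {"SDN_ADDR_1", "SDN_ADDR_2"}
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["RANSOM_ADDR", "HOP_A"], "outputs": ["EXCH_1"]},
    {"txid": "tx2", "inputs": ["HOP_A", "SDN_ADDR_1"], "outputs": ["HOP_B"]},
    {"txid": "tx3", "inputs": ["CLEAN_1"], "outputs": ["CLEAN_2"]},
    {"txid": "tx4", "inputs": ["CLEAN_2", "CLEAN_3"], "outputs": ["EXCH_1"]},
]


def cospend_graph(transactions):
    """Link every pair of addresses that fund inputs of the same transaction.

    Outputs are deliberately ignored: receiving funds from, or paying to,
    an address is exposure, not evidence of common control.
    """
    graph = defaultdict(set)  # address -> {(co-spending address, txid)}
    for tx in transactions:
        inputs = set(tx["inputs"])
        for a in inputs:
            for b in inputs - {a}:
                graph[a].add((b, tx["txid"]))
    return graph


def screen_address(address, sdn_addresses, transactions):
    """Screen one address: direct SDN match first, then co-spend links.

    Returns a dict with 'direct_match' and 'chain'. 'chain' is the shortest
    list of (txid, address) hops to an SDN-listed address, or None if the
    address shares no co-spend cluster with one.
    """
    if address in sdn_addresses:
        return {"direct_match": True, "chain": []}
    graph = cospend_graph(transactions)
    queue = deque([(address, [])])
    seen = {address}
    while queue:  # breadth-first search, so the first hit is the shortest
        current, chain = queue.popleft()
        for neighbour, txid in sorted(graph[current]):
            if neighbour in seen:
                continue
            seen.add(neighbour)
            step = chain + [(txid, neighbour)]
            if neighbour in sdn_addresses:
                return {"direct_match": False, "chain": step}
            queue.append((neighbour, step))
    return {"direct_match": False, "chain": None}


if __name__ == "__main__":
    for addr in ("RANSOM_ADDR", "CLEAN_2", "SDN_ADDR_2"):
        print(addr, screen_address(addr, SDN_ADDRESSES, TRANSACTIONS))
```

The returned chain is the evidence trail an analyst would document. Collaborative transactions such as CoinJoin combine inputs from unrelated parties, so a co-spend link is an indicator to corroborate, not proof of common control.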
- Embezzlement allegations
Law firm XYZ is investigating allegations that the CEO of BadCryptoExchange embezzled customer deposits. In the data-gathering phase of the investigation, XYZ examines the contents of the CEO’s email account and learns that the CEO has an account at a US-based cryptocurrency exchange. XYZ also gathers identifiers for the BadCryptoExchange’s hot and cold wallets.
XYZ, through the legal authority of a subpoena, acquires records for the CEO’s account at the cryptocurrency exchange. Analysis of those records reveals identifiers for the CEO’s personal cryptocurrency wallet addresses as well as their fiat currency bank account.
XYZ then uses blockchain analysis tools to analyse the outbound transactions from BadCryptoExchange’s hot and cold wallets and identifies that funds from a BadCryptoExchange hot wallet were sent to several intermediary wallets and then deposited into one of the CEO’s personal cryptocurrency wallet addresses. XYZ then goes back to the subpoena results from the US-based crypto-exchange and identifies the inbound transaction from the intermediary wallet address to the CEO’s wallet address. By using blockchain analysis, XYZ has now established that customer deposits from BadCryptoExchange were transferred to the CEO’s personal cryptocurrency wallet.
Further examination of the subpoena results from the US-based cryptocurrency exchange revealed that shortly after the CEO received the cryptocurrency from the intermediary wallet, the CEO then sold or cashed out their cryptocurrency and transferred the resulting US dollars to their fiat currency bank account. XYZ then serves a subpoena to the CEO’s bank to continue following the flow of funds.
Analysis of the CEO’s bank records reveals a deposit of US dollars from the US-based cryptocurrency exchange. Furthermore, shortly after the deposit, the bank records show purchases for luxury goods and services. As a result, XYZ has identified a flow of funds from the BadCryptoExchange hot wallets to the CEO’s personal bank account and personal usage.
The above extract is from FRA’s chapter on US regulatory and enforcement trends, published on Global Investigations Review in August 2024.