Mann arbeitet am Schreibtisch mit Tablet und Notebook

Cryptocurrency crime: A law enforcement officer explains

published on 19.05.2022

The hype around cryptocurrencies is not diminishing. In fact, blockchain money is also very popular among criminals. Senior Public Prosecutor Markus Hartmann, head of the Central Office and Contact Point for Cybercrime North Rhine-Westphalia (ZAC NRW), explains how crimes involving cryptocurrencies are carried out, what those affected can do, and why regulating bitcoin is not a priority for him.

expert talk with
Markus Hartmann, Leiter der Zentral- und Ansprechstelle Cybercrime Nordrhein-Westfalen (ZAC NRW)
Markus Hartmann
head of the Central Office and Contact Point for Cybercrime North Rhine-Westphalia (ZAC NRW)

Cryptocurrencies serve as a digital means to an end for criminals

Mr Hartmann, the market for cryptocurrencies grows larger every year. This is unfortunately accompanied by an increasing potential for crime. As the head of the Central Office and Contact Point for Cybercrime in North Rhine-Westphalia, I can imagine that you are anything but enthusiastic about the hype surrounding cryptocurrencies, would that be about right?

I wouldn’t say that, exactly. As a tech service, we certainly have an affinity for cryptocurrencies and the digital innovations associated with them. In fact, I don't even want to rule out the possibility of being able to pay for justice services in Bitcoin [Glossary] at some point. Cryptocurrencies themselves are not criminal, but a means to an end – similar to how someone might use a kitchen knife to commit murder, so to speak. They are not a criminal instrument per se, but they are attractive for criminal offences because of their specific use and characteristics. 

The ZAC NRW's tasks are many and varied, ranging from the investigation of classic hacker attacks to the fight against hate crime and child pornography. What is the status of crimes involving cryptocurrencies?

They currently constitute a large part of our work. But this is also partly due to the fact that we are working on two completely different fields in this topic. First and foremost, we deal with crimes where cryptocurrencies are not at the centre of the criminal activity at all, but rather "merely" serve as a means of transaction. In ransomware attacks, for example, the blackmail is actually always carried out via Bitcoin. Drug and arms dealers have now also switched to using digital money. To put it simply: the more illegal transactions take place online, the greater the significance of cryptocurrencies as a financial transaction tool. There is, however, another area that concerns us: cybertrading. This is where criminals set up fake virtual exchanges to fool investors into thinking they are trading digital money. And because the hype around Bitcoin and the like is so great, those afflicted sometimes invest quite large sums of money. It is not until they want their money back for the expected profits that they realise: everything went straight into the criminal’s pockets. 

Are cryptocurrency transactions more likely to involve criminal activity than those involving currencies issued by central banks?

This is difficult to say for us as law enforcement officers because we only ever see what we call the bright field. Almost all crypto transactions that cross our desk are criminal by nature. When measured against the total number of transactions, they probably represent only a modest fraction. We must also remember that we still have a lot of unresolved issues in the area of traditional currencies, for example in preventing money laundering. Assuming that traditional money has less potential for crime is, in my opinion, rather foolish. No doubt, cryptocrime creates difficulties in terms of traceability and forces us to keep finding new technical ways to address it. But the authorities also have difficulty tracking down the people behind highly professional money laundering.   

“Cryptocurrencies are not a criminal instrument per se, but they are attractive for criminal offences because of their specific use and characteristics.”

Who are the typical victims of cryptocrime?

Businesses are the main targets. This is true in the area of ransomware, as well as for data espionage and data sabotage. It simply has greater earning potential than when targeting individuals. And the more professional the perpetrators, the more careful their selection of victims. The aim is to be able to get a high return from a single act. Six or seven years ago, ransomware attacks flooded the internet like open fire. Now targeted crime dominates.

What about the public sector?

Attacks on state infrastructures are definitely on the rise. And this is precisely the problem we need to focus on. In recent years, hospitals have been affected, as well as institutions such as the Berlin Court of Appeal and entire districts such as Anhalt-Bitterfeld. We need to strengthen the resilience of our critical infrastructures, especially in light of the current global political situation.

The victims seem to be clearly visible. Is this also the case for the perpetrators?

We are seeing two major factions. The first is the monetarily motivated perpetrators who are responsible for the majority of cryptocrimes. They operate a business model that relies increasingly on the division of labour. In the past, crimes were mostly planned by a single person. Now groups are targeting individual business areas. For example, with ransomware: one group specialises in finding security holes and sells its knowledge to another group, which then commits the crime. Then there is often a third group that supplies the transaction capabilities via cryptocurrencies. This division of labour results in a very high degree of professionalisation.

Who is the second faction of perpetrators?

Here we should be careful in our wording. I would call them state-motivated, state-induced and state-sponsored groups. I am so cautious about this because it is very difficult to identify the perpetrators and their geo-location using the standards of criminal procedure. With the help of a few framework parameters, however, we have determines that the findings of the security service providers and other agencies are quite plausible. In any case, the sophistication of the attacks is high, which is why they can be described as state-directed or state-supported.

What should those who have been affected do?

In the case of cybertrading, criminal charges are practically mandatory. There are now very successful investigations into this, including those by our colleagues from the public prosecutor's office in Cologne and Bavaria, in which the officials expose those behind the crime and confiscate funds. The probability of identifying suspects is considerable. But we also advise that people to report ransomware attacks. The problem is that companies still decide against it all too often because their main concern is to keep the business running and they fear disruption from the investigations. And that is doubly problematic, especially if a ransom is actually paid. Firstly, the victims are supporting the business model of the perpetrators, and secondly, they sometimes run the risk of making themselves liable to prosecution – for supporting a criminal organisation. That is why I recommend that victims contact the law enforcement authorities and file a criminal report.

Even when the prospect of success is slim?

Success is relative in this context. For example, we almost always succeed in determining how the crime happened. I can't recall a recent case where the investigating authorities were unable to determine how the attacker got into the system, which attack mode was chosen, and which vulnerability was exploited. And valuable lessons can also be learned from this - enabling them and others to close their security gaps as quickly as possible. Victims often ask us why they should report attacks if the perpetrators are difficult to track down. Our answer: the first victim can help to spare others from a similar fate. And you might benefit from it later, especially if someone else has spoken out about a new kind of attack. 

In recent years, not only has the number of transactions involving cryptocurrencies risen sharply, but so has the number of currencies themselves. Bitcoin is still quite dominant, but there are quite a number of alternatives. Does that make your work even more difficult?

It goes without saying that we need to keep ourselves up-to-date, but the number of different cryptocurrencies alone does not pose an additional obstacle from our point of view. I am more concerned about those trying to introduce new currencies with more "privacy". Bitcoin technology is transparent – and transactions are easily traceable. Our problem is perhaps more one of big data, and we face challenges that stem from the highly global nature of Bitcoin. If new currencies with even stronger secrecy mechanisms come onto the market, this could increase the risk of cover-ups.  

If new currencies with even stronger secrecy mechanisms come onto the market, this would increase the risk of cover-ups.

Can cryptocurrencies be regulated?

The current proposals from the European Parliament aim to redesign Bitcoin so that it is only a form of digital transaction. Then every hosted wallet and every transaction made from it would be identifiable. This would of course be good for the investigating authorities, but the currency could then lose some of its appeal. Which in turn raises the question of migration tendencies: will criminals then switch to new, unregulated currencies? I don't think that regulating bitcoin alone would solve the problem. I believe we need to invest in the technical capabilities of the law enforcement agencies.

ZAC NRW is also the central office for the recovery of cryptocurrencies in North Rhine-Westphalia. How does this recovery work?

We are very successful in depriving criminals of their earnings. Some teams in police agencies are specially trained to look for clues on wallets during searches so that we can siphon off criminally acquired assets. The confiscated cryptocurrencies are collected at ZAC NRW and are then sold. We have several mechanisms for doing this. If a court has ruled that cryptocurrencies be permanently confiscated, we auction them off via the Judicial Auction platform. We are currently in the process of evaluating how sustainable this concept is. In pre-trial proceedings, however, the responsible public prosecutors often arrange for emergency sales. In NRW, they can now also do this through us. Cryptocurrencies are very volatile. If the investigation process is lengthy, we cannot afford to accept the risk of a fall in the exchange rate and will therefore exchange it for real money. This means that we are actually moving freely in the market.