Poor cybersecurity practices within the decentralized finance (DeFi) industry present a threat to crypto, consumers, and national security, according to a new report from the United States Treasury Department.
The first-of-its-kind document argues that DeFi’s peer-to-peer nature presents new illicit finance risks that require extra legal supervision to address.
The Risks of DeFi
Released on Thursday, the 2023 DeFi Illicit Finance Risk Assessment details how cybercriminals, scammers, and other illicit actors are abusing the DeFi ecosystem to launder money through systems that fail to implement proper sanctions and anti-money laundering controls.
“There have been several instances of actors, including ransomware actors, thieves, scammers, and drug traffickers, using DeFi services to transfer and launder their illicit proceeds,” the report claimed.
The department noted a variety of techniques for accomplishing this, including swapping funds into less traceable cryptos, moving between blockchains, and sending assets through cryptocurrency mixers. Laundered funds are then cashed out into fiat currency using Virtual Asset Service Providers.
Last August, the Treasury added the cryptocurrency mixer Tornado Cash to its list of sanctioned entities, due to its popularity with Korean cybercriminals.
Ransomware is another high-profile issue noted by the department, which is recognized as a “national security priority.” Since transactions on crypto networks like Bitcoin are both pseudonymous and irreversible, they make for an ideal payment rail through which criminals can extort payments from victims.
The department referenced a 2022 study from blockchain analytics firm Elliptic, which found that 13 ransomware strains laundered their money through a single cross-chain bridge, totaling $50 million in the first half of 2022.
Finally, the Treasury acknowledged the prevalence of “fraud and scams” plaguing the crypto industry, with at least $1.6 billion stolen through crypto-related scams in 2021, according to the FBI. Such scams range from classic “rug pull” thefts to more personal “pig butchering” scams, after which funds are laundered and obfuscated using many of the aforementioned methods.
DeFi’s Weakness: Centralization
Contrary to its name, the Treasury noted that much of the DeFi space is rife with centralized points of failure.
“In practice, many DeFi services continue to feature governance structures (e.g., management functions, fixing problems with the code, or altering the functionality of the smart contracts to some degree),” the report stated.
Alternatively, DeFi protocols which are managed by decentralized autonomous organizations (DAOs) and their governance token holders may be centralized in the hands of early DAO investors. “Developers and early investors in a DeFi service may keep control of the service by allocating significant shares of governance tokens to themselves or otherwise maintaining de facto control,” said the Treasury.
Despite the risks posed by DeFi, the report acknowledges that cash is still king when it comes to financial crime. “Money laundering, proliferation financing, and terrorist financing most commonly occur using fiat currency or other traditional assets as opposed to virtual assets,” it stated.