Senior Associate Asim Arshad examines the FCA’s first criminal prosecution over the unlawful operation of crypto ATMs, and discusses the wider implication of this crackdown for both lawyers and crypto businesses in the UK.

Asim’s article was published in Law360, 11 October 2024, and can be found here.

On Sept. 10, the U.K.’s Financial Conduct Authority launched a criminal prosecution against Olumide Osunkoya, the first of an owner of a firm enabling crypto asset trading, who pled guilty to the charges. The regulator announced that it had secured its first conviction on Sept. 30 for two offenses relating to the unlawful operation of multiple crypto automated teller machines that were not registered with the FCA.[1]

This article will examine the wider implications for lawyers of that decision.

The FCA alleges that, between December 2021 and September 2023, machines operated by Osunkoya across multiple locations processed crypto transactions with a combined value of £2.6 million ($3.4 million).

It is clear that the regulator is starting to clamp down on crypto activities associated with money laundering.

The FCA confirmed that this is its first criminal prosecution relating to unregistered crypto asset activity under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

Over the past two years, the regulator has inspected dozens of locations suspected of hosting crypto ATMs, and last month stated that there are no legal crypto ATM operators in the U.K. Therese Chambers, the FCA’s joint executive director of enforcement and market oversight, said: “If you’re using a crypto ATM, you are handing your money directly to criminals.”[2]

Overly Aggressive

The FCA’s position is clear: Crypto ATMs are inherently problematic. As a result, legitimate operators who value regulatory compliance are being actively deterred from considering the U.K. as a potential jurisdiction in which to locate them.

The prosecution of Osunkoya demonstrates the FCA’s commitment to taking enforcement action against unregistered crypto asset businesses. It is an unambiguous signal to those operating within the sector that the regulator will actively pursue transgressors via criminal charges, civil proceedings, or both.

This is not unprecedented. Through previous enforcement action, the FCA has shown itself willing to act, not least because firms operating in this sector are perceived to be a greater risk in terms of money laundering and potential misuse by bad actors.

In its inaugural crypto-related enforcement action in July, the FCA imposed a £3.5 million fine on CB Payments Ltd., part of the Coinbase Group, for breaching requirements imposed under the Electronic Money Regulations 2011.[3]

Crypto ATMs

In their simplest form, crypto ATMs enable users to deposit cash that is converted into crypto-assets. The machine records the deposit, either generating a wallet for the user or requesting the user’s public wallet address to which the crypto can be sent. Operators typically earn fees from these transactions.

Crypto ATMs are often fitted with a camera that records the user making the deposit; some also require the user’s ID documents to be scanned, allowing their details to be recorded.

This functionality enables easy, almost immediate conversion of cash to crypto. Some ATMs offer bidirectional functionality, enabling both the purchase of crypto and the sale of crypto for cash. Some ATMs require little or no personal information, providing the user with the additional benefit of privacy, or even complete anonymity.

Although crypto ATMs are not inherently illegal, to operate one requires registration with the FCA. As noted, currently, there are no registered crypto ATM operators in the U.K.

It is important to note that the same requirements do not apply to crypto purchases made via more traditional methods, such as a centralized exchange.

Illicit Use of Crypto ATMs

The privacy afforded by crypto is attractive to criminals, particularly those who seek to launder illicit money and obfuscate any audit trail. Globally, authorities in multiple jurisdictions have moved to shut the machines down because they provide an ideal conduit for laundering money, with limited traceability on where funds originate and where they are sent.

Although this regulatory approach is becoming more common, it should not be automatically assumed that everyone who uses a crypto ATM is party to a criminal transaction.

Impediment to Thriving U.K. Crypto Industry

It can be argued that the FCA should narrow its focus toward enhanced monitoring and regulatory compliance. It may also be said that its objective should be to ensure that crypto ATMs and, therefore, those operating and profiting from them, require customer identification and appropriate know-your-customer steps before customers can transact.

Another means of regulating the marketplace would be to create a customized set of KYC rules for crypto ATMs that would potentially mitigate their use for criminal activity.

Technology might play a part in making this work. For example, fingerprint or facial recognition technology could be used to validate an individual’s identity and enhance KYC checks. This could be undertaken in conjunction with the scanning of a passport, where a live camera scans an individual’s face and matches it to the passport photo, while background checks are simultaneously undertaken on the passport itself.

Regulatory authorities in some other jurisdictions take a different view. Crypto ATMs can be found in multiple countries, with more than 1,000 located in various European Union member states, for example.

Worldwide, users seeking to access crypto and bypass the traditional banking system can access more than 37,500 crypto ATMs, according to data provider AltIndex.[4]

Therefore, those who do wish to use them have perfectly legal options in diverse global locations.

The FCA’s excessively antagonistic language may deter crypto users who do value regulatory compliance from considering the U.K. as a potential jurisdiction to be located. Manifestly, choosing the U.K. in the current climate would be an unlikely option for any crypto ATM operator.

As current regulations stand, crypto companies wanting to operate in the U.K. must first register with the FCA, which assesses them under anti-money laundering and other regulations.

In its latest annual report published in September, [5] the FCA noted that it had rejected 87% of the applications received from crypto-asset companies seeking clearance for their money laundering defenses.

The regulator also issued 450 consumer alerts against crypto-asset promoters — only three months after rules against misleading marketing were tightened.

The charges brought against Osunkoya highlight the importance of compliance in the crypto sector, serving as a stark reminder for crypto asset businesses about the risks of noncompliance.

Conclusion

Given that the FCA is monitoring the crypto ATM sector through active policing, enforcement and prosecution, organizations in the U.K. need to take a similarly proactive approach to KYC and related protocols through constant monitoring and adaption. This means complying with the spirit of what the FCA wants, rather than just the bare minimum.

Read more here. 

Matt Green explores the tracing and recovery of stolen cryptoassets in FTAdviser

Director and Head of Blockchain and Digital Assets and Technology Disputes, Matt Green, explores the challenges of tracing stolen crypto and discusses how the recovery of digital assets is a real, established and carefully considered process.

Matt’s article was published in FTAdviser, 27 August 2024, and can be found here.

Recently, an American law firm asked for strategic advice on a multi-million-dollar crypto recovery case. Their plan was to use securities laws which required the scammers’ genuine identities from the outset. The list of defendants was endless- bogus usernames, individuals across the globe using VPNs, spurious connections based on social media. It was clear- not everyone is familiar with the alternative method- follow the money and the ghosts materialise.

According to the Chainalyasis 2024 Crypto Crime Report[1], revenue from different species of crime, including romance/ pig-butchering scams jumped from $5.9billion 2022 to $6.5billion in 2023. Similarly, Immunefi’s Crypto Losses in Q2 2024 report[2] details a 112% rise in hacks and scams compared with the previous year. Although crypto-assets are at play in these cases, to quote Aidan Larkin of Asset Reality, Ari Redbord of TRM Labs, and Nick Furneaux of both, “there is no such thing as crypto crime”. Instead, if we treat it like any other crime, we remove the inertia, and can start the recovery process.

For many, the hope of recovery dies on the pretence the assets disappear into the ether, bad actors are sophisticated masked hackers in faraway lands, that processes for recovery lack maturity or that authorities have no appetite. In the clearest terms, recovery of crypto-assets, or their equivalent monetary (fiat) value is a very real, established and carefully considered process.

However, often with crypto-assets, hackers and fraudsters operate in increasingly sophisticated ways.

Examples Of Hacks And Scams

In 2019, a Canadian hospital was hit with a ransomware attack demanding $1,200,000 to recover the data- computer screens read: “No free decryption software is available on the web… You have to make the payment in Bitcoins”. Here, my task was to help trace the Bitcoin paid using blockchain analytics tools and prepare novel Court procedures to freeze funds. This now seminal case AA v Persons Unknown, set the precedent that “a crypto asset such as Bitcoin is property” – the genesis of all crypto-asset recovery cases.

Over the past few years, I have acted on matters involving a North-Korean sponsored $100million hack at a major crypto exchange, scams in which the perpetrators utilise dating apps  (which includes blackmail after sending explicit photos), as well as fake investment platforms promoted via forums like Reddit which promise lucrative returns, falling apart when the return of capital and profits are refused until further withholding taxes (not a real thing here) are paid, usually via bank transfer. A contact of mine once met with Disney executives to pitch a Web3 gaming product, only to immediately receive a convincing phishing email offering a contract, and which led to the complete drain of his crypto-wallet. Another attended a gaming event showcasing facial-recognition technology, which was later exploited to side-line iPhone biometrics safeguards leading to loss of significant crypto-assets. 

Most heartbreakingly, my client lost her husband following a heart attack and was manipulated by an individual in a Facebook group called “I Miss My Husband” into transferring over £500,000 worth of Tether (a stable coin designed to hold value to the US dollar) to a fraudster. Funds were traced to individuals in South East Asia, with certain physical addresses including a human organ harvesting facility in Myanmar, which resulted recovery of funds. This is not merely naivety – rather, these are highly sophisticated scams that prey on emotions, utilise data that is designed to instil trust, or by virtue of a small mistake, like phishing.

All too often, it seems there is no recourse for victims. However, it is not only possible but in fact a real and effective process.

Tracing Shadows

The first step is to instruct investigators who utilise blockchain analytics software to trace the funds. Where a victim has paid a threat actor (the thief/ scammer) in cryptocurrency, there will be an immutable public record of the transaction including the blockchain address receiving the funds, and a transaction identifier. Some might point to issues in tracing, like mixing services which seek to obfuscate the movement of funds. The trend leans to shutting these down these facilities- consider the now sanctioned Tornado Cash. Also mixing software can largely be undone by unmixing software, subject to the obfuscation processes and technology available. However, in any event, it must be remembered that the focus here is not on the who, but on the assets themselves, their movement and their whereabouts.

Like those examples given above, organised criminal gangs (OCGs) use crypto-assets to extract funds from victims, then convert into fiat money as part of the laundering process. They utilise cryptocurrency exchanges, which convert those gains into local currencies, at the demand of their money mule customers. Investigators can see that the funds moved from the threat actor’s address to several other addresses and landed at an exchange. The exchange is then put on notice that it has the proceeds of crime, and requests are made about its customers’ identities, usually provided subject to a Court Order.

Helpful Ghosts

Importantly, substantive claims and injunctive relief (orders to freeze assets) can be obtained against a hypothetical category called Persons Unknown (PU). In doing so, we can use ghosts to our advantage. In this instance, there are usually two: PU who committed the act, being the threat actor (D1) and PU who received the proceeds of the misappropriated funds, being the customer of the exchange (D2). D2 is the target and exchanges can provide identifying data taken during the onboarding processes (anti-money laundering and counterterrorism financing checks) including passport information and email addresses. Even questionable information (I have seen 123[expletive]@protonmail.com), is useful. Vitally, this identifying data allows D2 to be served with the claim and kick starts the formal process.  

Role Of Crypto Exchanges

Despite mixed reputations, crypto-exchanges are often open to helping victims of fraud, namely because it builds sector confidence, improves their reputation and avoids time-consuming and costly legal proceedings. However, there are instances where exchanges are registered offshore, claim to be decentralised, or simply fail to reply to requests. Debate reigns on whether crypto exchanges owe a duty to consumers where they are on notice of fraud and allow a withdrawal, and a formal duty may mitigate risks in the future and compel exchanges to act. In any event, market pressures ensure customers, including OCGs, are attracted to the reliability, ease and stability of trusted exchanges.

Service and Recovery

Once the individual has been identified, they then must be served with legal documents and victims can rely on the crypto-exchange’s disclosure: email and physical addresses. However, in certain instances exchanges fail to onboard customers properly and no data is available. Here, parties can still be served documents via non-fungible tokens (NFTs), a process ratified by the Courts utilising blockchain technology. In addition, information gathered via intelligence agencies, as well as published data on the dark web following a hack, or proprietary software to identify individuals, can assist, starting with very few breadcrumbs. Investigators are also able to review open-source intelligence, social media sites, those behind websites, and gather clues via geolocation of account access.

In most cases, D1 and D2 do not respond, given bad actors’ resistance to open Court procedures. This usually results in an on-paper win for victims.  

Next is getting the funds back. In the instance there are funds at the exchange, Court sanctioned processes allow for the repatriation of those funds, whether in crypto or fiat currency. In the event exact funds are not in the account, victims are often entitled to compensation on a restitutionary basis. There is usually a clear link between D1 and D2, so any funds associated with either are fair play. Intelligence plays a key role in identifying potential assets- firms like GreyList utilise big data to determine whether email addresses are registered at banks or exchanges, so more funds can be located.

Centralised Token Issuers

Importantly, in instances where there is a centralised token issuer (Tether, for example), there are alternative processes. If the funds have not reached a crypto-exchange and are instead sitting in a private address, blacklisting the address with a token issuer’s assistance can freeze assets by preventing withdrawals.

For example, in November last year US authorities worked with Tether and exchange OKX resulting in a freeze of $225m, with assets linked to a human trafficking syndicate in South East Asia. Further, Grant Thornton’s Independent Audit Report[3] of Circle Internet Financial, Inc., the issuer of USD Coin (another stable coin) notes the “ability to blacklist addresses”, stopping private wallets from transacting altogether.

These processes are available via civil routes too, usually with help from law enforcement. Through these methods, including a token burn and remint, victims can be made whole again.

Moving Forward

Quiet stoicism keeps the industry at a plateau and all instances of fraud should be reported to law enforcement. Of course, more should be done to discourage bad actors and prevent frauds altogether, but by sharing stories we can educate other potential victims and break the fraud cycle. The Law Commission has also recommended that the direction of travel should be driven by case law, so the more trodden the path, the more precedents set for recovering crypto-assets.

While the recovery of crypto-assets can often feel like chasing ghosts, in many instances those ghosts are incredibly helpful – casting a wide net to allow exchanges and token issuers to be the force for good in helping recoveries.