Massive exit scams have dominated cryptocurrency crimes in the last two years. In 2019, the Ponzi scheme PlusToken netted $2.9 billion with its exit scam— 64% of the year’s major crime volume. 2020 saw WoToken, a similar scheme operated by some of the same people as PlusToken, defraud investors out of $1.1 billion in its exit scam—58% of 2020’s major crime volume. While major fraud volume saw a significant decrease, it still made up 73% of 2020’s crime total.

While 2019 and 2020 saw a similar number of thefts, hacks, and fraud, the average value[1] taken by criminal actors in 2019 was 160% higher than in 2020, indicating maturity in the crypto space as entities continue to harden systems and take precautions against inside and outside threats. While 2020 did see a large $281 million hack of cryptocurrency exchange KuCoin, the exchange claims to have already recovered 84% of the stolen funds—something almost unheard of in previous years.

Another factor contributing to this discrepancy is that 2020 was overrun by dozens of DeFi related hacks and scams, which were much smaller in size. Half of all 2020 crypto hacks were of DeFi protocols—a pattern that was virtually negligible in all prior years—and nearly 99% of major fraud volume in the second half of 2020 stemmed from DeFi protocols performing “rug pulls” and other exit scams in a pattern eerily reminiscent of the

2017 ICO craze. In a rug pull, which is similar to a pump and dump, some investors will liquidate the entire DeFi pool, leaving the remaining token holders with no liquidity and unable to trade, wiping out the remaining value.

On the regulatory front, the cryptosphere has been inundated with new legal attention as regulatory and policy making bodies weigh in on how the space should operate. In the US, FinCEN has proposed two major rule changes to the regulatory obligations banks and virtual asset service providers (VASPs) face when conducting certain virtual currency transactions.

One notice of proposed rulemaking (NPRM) issued in October sought to amend the recordkeeping and Travel Rule regulations to collect, retain, and transmit transfer information on international payments at a much lower threshold. As it stands, financial institutions currently transmit records for any transfers in excess of $3000. The new rule would see much smaller transfers—anything over $250—come under the same requirements if the transmittal of funds begins or ends outside the United States. The rule specifically includes cryptocurrency transfers as a class of transactions to which the proposal would apply.

Another NPRM issued in December would require banks and VASPs to verify the identity of their customers, keep records of virtual currency transactions greater than $3,000, and submit CTR-like reports for virtual currency transactions over $10,000, if the counterparty in the transaction uses an unhosted (noncustodial) or “otherwise covered” wallet. The NPRM defines “otherwise covered” wallets as wallets held at a financial institution that is not subject to the BSA and is located in a foreign jurisdiction identified by FinCEN as being of primary money laundering concern, such as Burma, Iran, and North Korea.

Upon taking office in January 2021, the Biden administration has declared a freeze on all agency rule-making, pending a review by a department or agency head appointed or designated by the President. While the Trump administration had already extended the unhosted wallet NPRM for 15 days regarding the $10,000 threshold and 45 days regarding the remaining rules, FinCEN has since extended and consolidated both deadlines to 60 days. There has yet to be an indication that the “Travel Rule” NPRM will get a similar reopening and extension.

It is likely that these rules—or something close to them—will take effect in the first half of 2021, creating significant new crypto compliance requirements and dramatically increasing the sense of urgency felt by banks and VASPs to file crypto CTRs and SARs.

Globally, FATF released their 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers in June. In it, FATF decided not to revise previous recommendations related to virtual assets or VASPs but has documented the need for future continued direction.  Reassessment of progress towards a Travel Rule solution and further guidance is slated for June 2021, at the next 12-month review.