Treasury Department says DeFi rife with illicit activity

The Treasury Department, in its first-ever illicit finance risk assessment on the topic, said that the blockchain-powered world of decentralized finance, or DeFi, is rife with criminal activity, which current rules and regulations are only partially effective at blunting.

"The assessment finds that illicit actors, including ransomware cybercriminals, thieves, scammers, and Democratic People's Republic of Korea (DPRK) cyber actors, are using DeFi services in the process of transferring and laundering their illicit proceeds. To accomplish this, illicit actors are exploiting vulnerabilities in the U.S. and foreign [anti-money laundering and counter-terrorist financing] regulatory, supervisory, and enforcement regimes as well as the technology underpinning DeFi services. In particular, this assessment finds that the most significant current illicit finance risk in this domain is from DeFi services that are not compliant with existing AML/CFT obligations," said the report.

DeFi systems, unlike traditional finance, do not use intermediaries like banks but, rather, operate in a peer-to-peer fashion using smart contracts, which are self-executing lines of computer code that automatically enforce the rules and conditions of an agreement between two or more parties, stored on a blockchain, a type of public digital ledger. However, the Treasury report noted that there is vast variation within the realm of DeFi, and that there is little in the way of a consistent, universal definition that everyone can agree on.

The Treasury report noted that DeFi systems, despite their claims of being decentralized (the extent to which this is true varies from entity to entity), are still subject to anti-money laundering and counterterrorist financing rules. However, many entities fail to comply with these rules, which the report said is serving to increase vulnerabilities systemwide.

"In some cases, industry providers may purposefully seek to decentralize a virtual asset service in an attempt to avoid triggering AML/CFT obligations, without recognizing that the obligations still apply so long as the provider continues to offer covered services. At the same time, some DeFi services developed with opaque organization structure may present critical challenges to supervision and, for cases in which DeFi services are not complying with their AML/CFT obligations, enforcement of applicable statutory and regulatory obligations," said the report.

The report said that illicit actors can launder their money through the DeFi ecosystem in a number of ways, such as using cross-chain bridges to transfer cryptocurrency from one blockchain to another, asset mixers that commingle the proceeds of criminal activities with legitimate monies, or liquidity pools that provide fee income. The Treasury said that ransomware gangs in particular are fond of laundering their money through DeFi networks.

It also noted, however, that there is a lot of straight-up theft in the DeFi world. DeFi services have been particularly lucrative for cybercriminals, accounting for a majority of stolen virtual assets in 2022. Increasingly, this is done through exploiting the vulnerabilities in the smart contracts that govern the services.

The report said that at least some of these issues could be addressed by focusing on the service providers that give these networks access to fiat currency, as they represent a key chokepoint in the system. It noted that these services tend to have simpler internal structures than DeFi services, are always covered within the regulatory perimeter of the FATF standards, and are more likely to implement AML/CFT measures than DeFi services. This would be part of a larger effort to conduct additional outreach to industry to further explain how applicable regulations apply to DeFi services, in line with previously issued regulations and guidance.

Based on feedback from industry, regulators should also consider taking additional regulatory actions and issuing additional guidance to provide further clarity, as well as possible enhancements to existing regulations. It also recommended advocating for cyber resilience measures, testing of code, and threat information sharing to harden these entities against attacks and frauds, as well as promote responsible mitigation measures. The Treasury report recognized, though, that regulating DeFi is a moving target, and the necessary steps to do so effectively will likely change as the industry does.

"This assessment recognizes that the virtual asset ecosystem, including DeFi services, is changing rapidly. The U.S. government will continue to conduct research and engage with the private sector to support its understanding of developments in the DeFi ecosystem, and how such developments could affect the threats, vulnerabilities, and mitigation measures to address illicit finance risks," the report stated.
