Seize and Desist podcast

S&D E3 - The truth about illicit activity and analytics in crypto (pt. 1 of 2)

Author
Lo Furneaux
Marketing - Associate

Build confidence in managing virtual assets

“Blockchain analytics firms only capture a floor of illicit activity, not the ceiling”

In this insightful episode of "Seize & Desist," Aidan Larkin hosts cybersecurity expert Carole House for a rich discussion on the complexities of digital assets, cryptocurrency, and the pressing issue of ransomware. As a veteran in the field, Carole shares her unique perspective on the growth of crypto-related crime and the importance of debunking myths surrounding illicit finance statistics.

Carole and Aidan navigate through the thorny subject of quantifying illicit activities within the blockchain, how misinformation about these metrics can undermine efforts in combating crime, and the role of regulatory institutions like FinCEN.

Stay tuned for Part 2, where the duo address the persistent underestimation of cyber threats posed by state-sponsored actors such as North Korea, and the challenges inherent in our existing countermeasures against the sophisticated use of cryptocurrency in ransomware-as-a-service models.


Timestamps

02:00 | Carole’s major role in public sector policy in crypto and background 

13:00 | Blockchain analytics firms only capture a floor of illicit activity, not the ceiling

20:00 | The effectiveness of regulations in combating crypto-related crimes 

26:00 | The ongoing debate of surveillance tools and a decentralised crypto society 

31:00 | Lack of regulation and industry responsibility internationally 

35:00 | Info sharing and other lessons from cybersecurity 

Resources Mentioned

About our Guest

Carole House is a cybersecurity and risk management specialist with a background in U.S. military intelligence.

Throughout her decorated career, she has held several senior positions in the government, including Senior Cyber and Emerging Tech Policy Officer at the US Treasury; Head of Virtual Assets at FinCen and Director of Cybersecurity and Secure Digital Innovation at the White House. In these roles, she spearheaded initiatives to strengthen digital infrastructure and counter cyber-enabled national security threats.

Carole currently serves as the Executive in Residence at Terranet Ventures, where she advises start-ups and non-profits on strategies to protect against emerging cyber threats.

Disclaimer

Our podcasts are for informational purposes only. They are not intended to provide legal, tax, financial, and/or investment advice. Listeners must consult their own advisors before making decisions on the topics discussed.

Asset Reality has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.

The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Asset Reality employees are those of the employees and do not necessarily reflect the views of the company. 

Asset Reality does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material. 

Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Asset Reality

Transcription

Speaker: Carole House 

Illicit use of crypto is often sort of the gateway drug to get policy professionals on other broader issues to care about crypto. It's an interesting policy arc of evolution guys are using it. It's cyber criminals' favorite way to launder. This is terrible. We need to do something about this. Maybe we should ban it. I don't know. 

Speaker: Aidan Larkin

Welcome to Seize and Desist. Today, I am joined by Carole House. I'm incredibly excited that we've got to record this. I always knew the minute that she said yes to the podcast, there would probably be two parts because there's just so much to get into. Carole is a globally recognized specialist in cybersecurity and emerging tech policy. She's held two small positions you may have heard of in, probably two of the most senior positions in cybersecurity in the world in FinCEN and in the White House. She was part of the team that developed the executive order for president Biden. She's also the executive in residence at Terranet Ventures, a senior fellow at the globally renowned think tank, the Atlantic Council, and also spent the earlier part of her career serving in Afghanistan in the infantry and holding various army intelligence positions. And today, we're really gonna deep dive into all things digital assets and sort of explore all of this wealth of Carole's background and experience like bringing things right up to date with their recent illicit finance, hearings that were held in the United States Congress. Her views on ransomware, the big cases that are currently affecting things right now in the blockchain analytics space like Bitcoin fog, North Korean state sponsored hacking, and then also navigating the sort of great debates around on-chain and off-chain activities. So whether you're new to this world of seized assets and crypto or asset recovery, this will be a very, very interesting to hear from clearly one of the leaders, in the field. So let's dive in. I'm Aidan Larkin and you're listening to Seize and Desist. Our podcasts are for informational purposes only. They are not intended to provide legal, tax, financial, and or investment advice. Listeners must consult their own advisors before making decisions on the topics discussed. Hello and welcome to Seize and Desist. I am joined by none other than the grand I was gonna say, well what is a suitably appropriate title to sort of describe you and your many achievements? I was just asking you off camera when are you going to be president of the United States. We'll get to that. I have an entire section dedicated to that. But, Carole House, thank you very much for joining us today. 

Speaker: Carole House

Thanks so much for letting me be here. I'm thrilled to talk certainly about the issues that you've been caring about and we've been talking about for years and to try to do some myth busting and debunking of, some of the noise that's out there. So I'm really thrilled to be here to chat with you. 

Speaker: Aidan Larkin

You've hit the nail on the head, the sort of demystifying, debunking, all of those things. We keep going back to this theme that people are afraid to ask the sort of simple questions, and I do not envy the position of a first time prosecutor, first time investigator, someone trying to get into this world of sort of no asset recovery is a big and broad and bad enough sector in itself, but at least there's lots of examples. If you're seizing your first oligarch vessel, there is someone that's done it before. But what we're seeing is because the world of digital assets and crypto is changing so rapidly, we wanna sort of use this episode to sort of, you know, pretty much hone in on digital assets given your vast expertise in this. Before we sort of get into things to sort of set the scene, in case there is someone out there, shock horror, that doesn't know you, I first actually bumped into you. I believe you were given a keynote at Linx, one of the first Linx in New York at Chainalysis, many years ago. It was off the back of that. I normally ask people about, like, their favorite books and things like that. And, actually, how we got talking was you talked about a certain crypto book, which you, happen to like, which just so happened to be my cofounder's book, Nick Furneaux. So we'll get into, like, books, quotes, podcasts, and sort of resources for people to look up. Yeah. I'd sort of met you when you were in your White House role, and then everyone was waiting to see sort of what you did next. So why don't you give us a bit of an intro into the wonderful world of Carole House, sort of who you are and how you got here, how you have hit the career pinnacle of being guest number five of Seize and Desist podcast. It's all come to this. This is the culmination. 

Speaker: Carole House

Absolutely. This is my feature spot. I'm so excited to be here and also thrilled that Nick works with you, and I'm excited to talk about some of my favorite books, both of which are written by Brits, actually. Basically, my background, Aidan, I know you know, but for those listening, I've had an interesting patchwork quilt of different national security issues, and I'm sure other people in this space have found that their own career paths probably didn't take exactly the same trajectory that they had envisioned. So I started in the army, if you can believe it, not doing cyber. I was chemical, biological, radiological, and nuclear defense, which might sound really cool to the certain nerds out there, but it really means all the gas mask stuff that not everybody loves. I did think it was very cool, though. It was exciting, and then I did intelligence work as a collection manager, meaning that I managed all the assets that watch and listen to people and got to work with the operators to make sure that they were pointed in the direction that was most useful to helping our mission. After that and after grad school at Georgetown for security studies I got the presidential management fellowship, which brought me from on my first tour into the White House at the Office of Management and Budget, this little known part of the White House that does the president's budget that is kind of serves as a regulator for civilian agencies. We create policies and oversee federal civilian agencies on a variety of different fronts and in my office specifically for cybersecurity. We were standing up a cyber and national security unit, so I was running a couple of different programs to help stand up some of DHS's cyber capability and oversee its efficacy as well as federal civilian agencies' cyber risk profiles, making sure that they were aligning money, people, and stuff to fix their major points of cybersecurity risk. Then I went over to the Hill, and worked for the Senate Homeland Security and Governmental Affairs Committee. That was a wild experience. I did learn there that I think I'm executive branch through and through. The people on the Hill are made of sterner stuff than I. They have so much patience to just work so hard for it taking many, many years to get a bill through, but it was so interesting to get to see the way that those things worked. I worked on supply chain risk management, critical infrastructure, and cybersecurity issues there, including helping to create and stand up our cyber agency, the cybersecurity and infrastructure security agency, CISA, under DHS, and working on some of the legislation like for Huawei. That was part of what I worked on on the Hill. Then I, at the end of my tenure as a PMF, presidential management fellow, I went over to treasury. I heard that there was a bureau there that hunts down money launderers and terrorist financers. And I asked, like, do you have a cyber unit? And they're like, yes. And I went over there. And, you know, I've started out in the intel division there because, again, I was an intel officer, and I loved you know, I wanted to go hunt down cyber bad guys. And when you go to hunt down cyber criminals, you inherently get into crypto, especially at Treasury, since it is a cyber criminal's favorite way to launder and to, like, purchase all their exploit kits. But then I went over to policy division because we needed someone in policy to work on things like cyber, crypto, digital identity, and I got volunteer distribute because I was always the one arguing about definitions and authorities. So I got to do things like I was the lead for the FinCEN delegation to the FATF, the Financial Action Task Force, which is like the UN for anti money laundering. It's the international standards body for anti money laundering. And we created and adopted the first ever international standards for virtual assets. 

Speaker: Aidan Larkin

So we've just had David Lewis on the show. Yeah. So I again, I'd met David when he was in FATF and when I was involved in one of the first crypto seizures. So, yeah, we had a we you'll have to listen to that one. Now he's off the leash, and he's, he's in Kroll. Yeah. He was able to share some of his very sort of direct thoughts on what he thinks the sort of the world needs to do now. So for those listening, FATF is the watchdog that helps sort of implement those standards globally. One of the main reasons this show exists is because of FATF's new focus on asset recovery. So we are specifically going there's been a lot of tick boxes over the years by a lot of governments sort of making sure that they look good for FATF, Whereas now we're getting into the weeds of effectiveness. And effectiveness in asset recovery means seizing assets, taking it off bad guys, and actually putting that money to you. So we'll definitely wanna dig into that because of your unique insights. And where did that where did you end up next then after that? 

Speaker: Carole House

Yeah. And that's so great, David is brilliant. So I went from treasury to the National Security Council for my last tour in the White House, and that was my most recent position in government. 

Speaker: Aidan Larkin

What is that for the non-US folks? For the non-US folks, they won't know that. What's a sort of a European or British equivalent? How would you describe that? 

Speaker: Carole House

Absolutely. So it's inside of the White House. So basically, it is the penultimate, like, national security policy wonks role that we all aspire to, and I was so lucky that I got to go there. So it's the policy shop for national security issues that serves inside of the administration. It’s this wonderful behemoth of the government. So many functional and regional issues on National Security and policy and I would specifically work for the deputy National Security Advisor Advisor Anne Neuberger, who covers cyber and emerging tech policy issues because ransomware was rising as a major issue. And I spoke with her, and we both really bonded over our concern about rising ransomware. 

Speaker: Aidan Larkin

And when was this just the date this for us? When, what year is this? 

Speaker: Carole House

It's 2021. So right as the Biden administration was coming in, I think we started talking in February, and then I came aboard in April of 2021. So right towards the beginning of the administration came in, this was a couple months before Colonial Pipeline happened. So I know it was an interesting trial by fire situation, but coming in to help stand up the US counter ransomware campaign, which I sort of find that illicit use of crypto is often sort of the gateway drug to get policy professionals on other broader issues to care about crypto. It's an interesting policy arc of evolution that I normally see starting from, like, who would care about crypto? Like, this isn't a dollar. It's funny money and pictures of gorillas to going, oh my god. Bad guys are using it. It's the cyber criminals' favorite way to launder. This is terrible. We need to do something about this. Maybe we should ban it. I don't know. And then going, oh, it publishes to a public ledger. That's kinda nice. You know, Swift and Fedwire and Chips don't do that. Cash transactions don't do that. And so far as I can see it on that public ledger and it can support investigations, maybe it's not so bad, and we can harness this as a tool. So it was interesting to start with the counter ransomware campaign, then getting that going, which had a whole prong on countering illicit use of crypto, moved into the executive order on ensuring responsible development of digital assets that president Biden ultimately issued. And then all the while, I also worked on digital identity policy. So it was so much fun. It was the most incredible job and rewarding experience of my life alongside my deployment to Afghanistan. They were the most rewarding experiences of my life professionally. And after that, I left government, and now I'm an executive in residence at Terranet Ventures, which is an interesting little research and advisory firm as well as investment firm. So we support security technologies. Basically, that support can be through operational support, direct incubation. Inside of Terranet, I've been kind of operating as a basically interim COO for, like, a fintech due diligence capability that we've been growing. And then we also do research advisory support as well as direct investment. I'm also a senior fellow at the Atlantic Council, which is a think tank in DC focused on a lot of interesting foreign policy issues, and I'm especially focused on things like cybersecurity and the future of money. There's a variety of other nonprofits and regulatory bodies that I'm on advisory boards and committees for also, but it's been a wild ride. It's fun being on the outside. It's interesting. I get to say more without accountability on the outside. That's fun. My CEO doesn't have a problem with that. He said I could say whatever I want to about crypto because we're very aligned on our feelings about the technology and the fact that tech can solve these policy problems, but that it has a lot of maturing 

Speaker: Aidan Larkin

Before I put my foot in it, what is the American, I’m saying this as if we have millions of listeners, we're very early in the arc but let's assume that we have a good spread of sort of UK, European, and US sort of, folks. What would you call, like, the store bought, like, equivalent of Coca Cola? Like, in the UK, it's like the Aldi or the Poundland equivalent. It's like the cheap version. There's a point to this, but just I wanna make sure I've got my terminologies right. Yeah. So what's the US version?

Speaker: Carole House

It'd be RC Cola. 

Speaker: Aidan Larkin

Yeah. Like, what's, like, the US analogy of, like, the cheap version of, like, the store brand version of, like, the big brand? 

Speaker: Carole House 

Yeah. Like, RC Cola would be that. Yeah. RC Cola. 

Speaker: Aidan Larkin

RC Cola is like the Coca Cola? Yeah. So I often look at your career, and I find that I'm, like, the RC Cola version of your career because, like, a lot of the things you mentioned, I have done, like, a quarter of a percent of that thing on a smaller level. But when you're actually dotted so, like, you did your note all the ransomware work. Only last year, I got to do my first hearing in the House of Commons in the UK on ransomware, but it took, like, three years after you. And we got to be involved at a super early stage, formally working in law enforcement, and then accidentally work getting involved in crypto and sort of seeing that arc. And then you're in Atlantic Council. I'm now in RUSI. But I'm always, like, a thousand steps behind you guys, which is infuriating but inspiring at the same time. So I'm a big fan of perspective. I love the perspective you bring to all of this because when I hear and think about sort of what you've been doing in terms of the sort of the intelligence work, the sort of right down to the chemical and the, sort of nuclear work. What that sounds like to me is that you've always had to be, like, a sensible voice in the room that takes all of these big polarizing topics like nuclear defense, national security, you know, intelligence, privacy. I can imagine there's a lot of people with canned peaches right now will hate a lot of the things that you've been involved in and will also hate crypto and will also love crypto and will unlock everybody up. I'm gonna so, again, you've made a bit of a career sort of out of this about trying to be that person that can wear all of those hats and that can sort of cut through a lot of the nonsense. And that's kind of exactly the purpose of this podcast. So I'm sort of thrilled that we can sort of start diving into a couple of things. And one of the things I actually wanted to start off is by asking you a question, and it's around with all of this context that you have and with all of these things that you've done and with all of these sort of projects you've been involved in, just people you've spoke to, all around the world. And I know we have a small circle of sort of friends and people that we all know around the world in the sector. What is one of, because I know there's gonna be more than one, that drives you in saying the most? Like, when you constantly hear, like, polarizing debates, well, what is that one thing that people cling on to or you just think, oh, for the love of God. Like I wish I either had a billboard or I could just announce en masse or I could put this to bed or I could tell people what to do next. I have my Room 101. What's yours? 

Speaker: Carole House

In this particular space, there are a few. You're right. One of them is citing the figures on illicit activity that come from the blockchain analytics firms about how much illicit activity is happening as if that is gospel and that that is the stealing on illicit activity and not the floor, which is actually what it is. 

Speaker: Aidan Larkin

So explain this for people that don't know. So and also just to separate the two things. We talk about asset recovery underperforming and only one percent of assets being recovered. Park that. Completely separate issue is you have a transparent blockchain that allows you to track and monitor things and within that then you could say “Oh, Aidan has just sent some assets to Carole, but we know Carole is a darknet criminal. Therefore, Aidan's transaction to Carole is illicit. If we track all of the Aidan's in the world, then therefore we can work out what percentage of the total volume of transactions are at a minimum illicit as you've rightly said because the world is sort of looking at that as a fine act. Oh, this company said it's one. This company said it's four. This company said it's five. But I'm writing saying the vocabulary around it is still that's it. Like, that's the amount of it. And you were involved in some interesting conversations at the illicit finance hearings about, you know, on-chain and off-chain. So for those that don't know, can you just explain that concept and unpack that a little bit? 

Speaker: Carole House

Yeah. Absolutely. So first, exactly like you said, there's these metrics that the analytics firms, which are absolutely critical evolutions that we needed in this ecosystem. Right? And the crypto space is made very well to enable RegTech grow, like public ledgers, public records. There's tons of information out there. It's been ripe for RegTech to grow, and there's still lots of evolutions that I think will continue to evolve and make even better RegTech in this space. So they're able to see a lot of illicit activity. They can detect it through their own understanding of what money laundering looks like in these spaces. They de- and and understand based on tips and other, publicly available information when scams have been reported on social media or other indicators on the dark net that, okay. This looks us. So they can mark that as illicit. And then they come up with metrics based on the entire market cap of crypto activity, and they say, okay, well, under one percent of crypto activity is illicit. And they compare that to, like, the UN metrics and that have been cited and maybe the IMF metrics also that point to, like, three to five percent of global GDP is seen as associated with illicit activity. Those are rough estimates that are really very hard to actually capture. And this is a problem because those metrics that the analytics firms are projecting are based on what they know for sure is illicit. Like, that is a very high confidence level score based on the information that they have available. They don't see any of the activity that, like you mentioned, is happening off chain. Even activity that's happening on-chain that they don't recognize is illicit is not going to be captured in that. Like, there's always going to be information that law enforcement and other authorities have about what's illicit that industry isn’t going to necessarily see and have access to. On the off-chain vs on-chain picture, there isn’t a lot of activity that happens on-chain and certainly transactions may end up getting settled on-chain eventually. But there's a lot of activity that happens outside of the view of that public ledger, whether it's activity that's happening inside of exchanges within their own transaction accounts and as well as what's happening on layer two solutions, basically things that are built on top of that first layer one blockchain that everyone can see, things like lightning network. Like, there's lots of activity that happens. There can also be individual transfers that are happening off-chain and exchanges of private keys. These are all just examples illustrative of the fact that off-chain activity does happen. And at the illicit finance hearing, I know there were some people that felt that, well, that's not crypto. I don't agree. I don't feel that way. Like, that may not be

Speaker: Aidan Larkin

It’s the ecosystem. 

Speaker: Carole House

Yeah. Exactly. It's all part of the ecosystem, and there's a reason why crypto is currently attractive to illicit users, and we can get into all of those reasons why it's not inevitable to stay that way, but why it absolutely remains a favored tool for for money laundering and increasingly being used by other types of transnational crime. But it's just the reality that there is a lot of activity that those analytics firms would not see. Again, RegTech is critical as a component in this ecosystem, but they're not going to see everything. So they need to capture this as a floor and not a ceiling. FinCEN, for example, in 2019 oh, no. I'm sorry. It was 2020 rulemaking, and they cited the metric from 2019 highlighting that what they saw was actually twelve percent of the market cap was reported in suspicious activity to FinCEN. Now we know that suspicious does not equal illicit. Right? So that does not mean that twelve percent of crypto activity is illicit. But I will say that twelve percent like, that was only the compliant reporting US regulated institutions compared to the global market cap. So there was a lot of other suspicious activity. 

Speaker: Aidan Larkin

Yes. So so so just to be clear, that was twelve percent within a regulatory mature compliance framework that there was suspicion around those transactions. So you can kind of imagine what is happening in the other jurisdictions where there is it's like that, you know, the Internet meme of the guy sitting behind the metal fence that's only two meters wide and it's a giant, like, football field. And it's like, you know, regulating sort of crypto sometimes is like and I think that was the big theme in the illicit finance hearings. What can we do about these other countries? Well, not a lot really until they actually regulate. You can ask and you can provide help and support and training. But I do you think that people still don't get it? I mean, I've seen in the UK the new powers that have been passed and there's some wonderful, wonderful powers, but it still links back to those with a UK nexus or, I think it's called the connection to the UK is how they how they frame. So they've given investigators wonderful powers, but there's a lot of conditions attached to it. And one of the conditions is this connection to the UK. And you're saying, but the worst criminals in the worst cases, they're not gonna use a UK registered entity or a UK company's house entry. But I think that the victim being in the UK is a way that you could sort of look at that case, but it's still a reaction after the event. Do you think that this combination of these sort of statistics and the lack of it's an over there problem, it's not our problem is causing because it's all starting to seem a bit circular. It seems like every time there's a crypto rally, we all have this conversation. Now everyone gets to know really sort of uppity about, you know, ransomware, and there's lots of concentrated efforts. And, like, I've just literally today, they published the government response to the the hearings that we were part of on ransomware, and we were sort of talking about the fact that no ransomware and I know you've got strong points on this, but no ransomware can't exist without with a crypto assets at scale, as it currently does. And you're going, it's enabled by it. But the government response was just like, yeah. We're on it. That was it. And it's like, this is not going to change anytime soon. Is it things like Operation Shamrock and Erin West? Like, what do you think are the changes that we'll need that your Room 101 about the statistic and the reporting? Like, how do we change that? I know education and awareness is a big thing, but do you think it needs more than that? 

Speaker: Carole House

So on the metrics piece, the biggest thing is definitely awareness. And even RegTech companies that don't like to include the phrase at least or, like, at a minimum at the beginning of their statement, they should. And, honestly, even when regulators and enforcement authorities rely on these companies and have great relationships with them, they should absolutely feel empowered to call them out when they're being disingenuous with that kind of messaging. 

Speaker: Aidan Larkin

Why do you think they don't? Now that you're out and you're off the leash, why is it? Is this a conflict of interest? Is this a case of they don't wanna sort of talk badly about the sector they're involved in? Like, why aren't they going, oh my god. It's one percent at the very least that it could be so much more. Like, what have they got to lose by saying it can be terrible? 

Speaker: Carole House

Absolutely. And I'd say, like, this isn't representative of all the RegTech companies or of everyone in front of even the ones that I think are the most likely to message things this way. But, basically, yes. It's because there are people there that are absolutely deeply embedded in the crypto space that have a great level of belief in cryptocurrency as the future of money. So it's both like a tie into a true belief in the space, also because they are trying to navigate a really tough position to be in where they are literally the antithesis to some of the ethos of the creation of this space. They are the surveillance tools that are being used. 

Speaker: Aidan Larkin

For the asset that's not meant to be surveilled. 

Speaker: Carole House

Exactly. So for some of the more libertarian views or, like, cryptoarian, seismics call them to shorten crypto and libertarian views, that the people that feel very much more like that this was meant to be, an asset to take them out of the regulated financial system and out of surveillance of government or other authorities. The idea of the RegTech companies is horrifying to them. And then even with the more centralized entities that understand that compliance is going to be a requirement, whether they liked it or not, depending on which ones that we're talking about, there are relationships, including as customers for these reg tech companies and potentially other strategic partnerships that I could imagine that might end up creating some tough incentives. So I understand that some of the RegTech firms can be in a tougher position where they don't wanna come out slamming the space. Sometimes they'll try to default to be, like, the point of truth telling and just state facts and not advocate one side or the other on particular issues. It's just problematic to me when they then characterize their own findings without the right caveats that need to come before them. 

Speaker: Aidan Larkin

Yeah. Because we all know how the sound bites are gonna be interpreted. And in fairness, a lot of the analytic companies, when you actually read the reports, the reports are pretty clear, but they know what people are gonna grab in the first paragraph. They know what the journalist is gonna grab it and sort of run with. And I think, like, I do share your frustration with it because I see it on the ground. I've worked with countries directly that literally you have investigators trying to, you know, help the victims of, you know, these horrible scams or victims of trafficking they're trying to disrupt. And ironically, a lot of the analytic companies, I talk to, I'll say, look, you're actually hurting yourself here. Now I know you might be, you know, maybe the bigger compliance client is more important, but if you're thinking of this from a law enforcement from a mission sort of statement I mean, I'm sitting with a financial investigator that needs the tools and wants to buy the tools from the analytic companies. And, actually, the people that are holding the pen on the budget are going, why? It's just not a big deal. Apparently, in our country, it's only, you know, half a percent and there's not a lot of adoption here. And why would we need that? That's a problem over there. And it's so ironically, I'm seeing the statistic used the other way that it's actually underplaying the scale of the problem. And previously, sir, of our paths crossed in person as well at at the FT crypto event last year, which is actually which is coming up this year by myself, Jared Koopman, Amanda Wick, we have a whole sort of crime sort of session coming up, actually at the the next event next month. But, we were talking about the FT sort of had asked me for a quote on the famous sort of illicit finance example. And sort of off the cuff, it's not a great example, but my dad gets it and that's always my benchmark, was like saying that if everybody who reported a burglary, if we accept it, there's a lot of people don't report it after the event. But if you take the burglary statistics and you're a Metropolitan Police officer and you say, oh, there was fifteen reported burglaries last night. You wouldn't say there's only fifteen burglaries happening in central London right now. Very confident about that because that's what people told us. And you're right. I think it's that sort of that zooming out piece. And there is then a bit of the double standard sort of sets in because, like, as you mentioned, we have the Bitcoin fog. And there was a good example where you've got the crypto sector, you know, screaming for I've seen it with Ross Ulbricht as well that how dare you, you know, convict and lock up these people who are involved in these types of cases. And I sometimes I don't get it. I don't get the double standard where everyone wants to combat financial crime better. No one wants ransomware. But then it's like crypto wants its own lane sometimes where it's like we we can't say, No HSBC, Goldman Sachs, you're all getting your sort of criminal charges against you for money laundering, but then these crypto companies and exchanges that wanna become billion dollar companies wanna benefit from that and wanna be, you know, big successful sort of corporate shiny towers, but then they don't want to be falling into the purview of regular AML and KYC. What are your thoughts on those? Are they double standards? What are you seeing in the general temperature check when you see the likes of the sort of Roman starting off case, the the likes of those that I know divide a lot of opinion, the Ross Ulbrichts of the world. I'd love to hear your perspective. 

Speaker: Carole House

I do. I'd say that this so, again, the ethos of a lot of the, like, original players in this space and a lot of the early adopters are people that were very much of this anti establishment, like Bitcoin even in the white paper and in the Genesis block, that they included a title to an article that was about the failures of the major banks and financial institutions

Speaker: Aidan Larkin

To the financial crisis? Yeah. The collapse. 

Speaker: Carole House

Exactly. Because it was in 2009 and was the genesis block after the white paper was released towards the end of 2008, I believe. And it'll help people understand, like, where crypto came from, how it was originally envisioned. I do believe that lots of other ethoses have come into the ecosystem, including a lot of mine that do care about things like compliance, while maybe not liking the costs associated with it. But the original viewpoints there like, I think that if you understand that that's why crypto was created and the people that originally found it really attractive, this, this peer to peer, in their mind originally, anonymous, you know, payment system, this was completely attractive to people that wanted to take things outside of the financial ecosystem, why it was also attractive to illicit users and I think the people that feel this way and want to defend those who provide anonymity services and enabling, like, darknet marketplaces for people to be able to conduct this commerce that in their mind isn't dark, like, illicit commerce or it's just dark and that it's outside of of the the reach and surveillance of the of the government, so they think until they get caught and prosecuted. 

Speaker: Aidan Larkin

They realise they've been using the most traceable ledger in the world. 

Speaker: Carole House

Exactly. Even though it takes years later for our enforcement to come, which is a whole other separate issue. But at least, you know, there is enforcement and, again, using it on a public ledger. Like, I don't know why criminals are all using these public ledgers to conduct their transactions on, but, god, I hope we can get to the point where we could dare criminals to launder on a public ledger. I guess that gets into some of the evolutions that you mentioned that we need, some of the changes that we need in the space. The fact that criminals now a decade and a half into this ecosystem existing can still successfully so well-launder on a public ledger is kind of horrifying. 

Speaker: Aidan Larkin

I agree with you. That is our failing as a global community. I was trying to give someone an example the other day saying you've got the most traceable ledger in the world, but why do people still use it? And it's like, well, if I said to you, would you smuggle narcotics through a busy airport if you were a wannabe criminal? And you said, absolutely not. I would never do that. I know what the offenses are. I know I'll get locked up forever, and I'm bound to get caught. But if I said, ah, but this country has a port that has no customs controls, no sniffer dogs, and you can easily go it borderless and get into other countries, pretty much there is no chance you'll get caught because nobody has the tools or technology to trace it so even though there’s breadcrumbs no one knows how to find the breadcrumbs or even connect you to the breadcrumbs. That’s this sort of regulatory arbitrage we always talk about and as you say it’s a sad indictment on like the global amount of funding that is not being invested into tackling this that as you say it's a good benchmark that it's almost like a sign of the times that if people still use Bitcoin to launder, it shows just how far we have to go because it should be the one area. It's kind of like the advent of sort of DNA or our forensics and cyber forensics. Everybody knows now you know if you're a murder suspect and you've got an Apple Watch, I mean the average criminal on the street knows that they're gonna ping and they're gonna find out that your Apple Watch was in the area. Like there's just an awareness of like your cyber and your digital footprint nowadays, but I think criminals are still aware but they're happy that the the odds of detection, and we see this in the pig butchering case, is that you know instead of going after one person for millions go after thousands of people for thousands of dollars and even if they tell the police it's kind of like getting mugged in Times Square. You know they grab your purse they run away they jump the desk and tell the police you're like, go report it. Like, I know as the criminal, they're not coming after me with sirens and helicopters and thermal imaging because it's just not big enough. Like, what do you think needs to change? Is it the old sort of cliche of just more resources, more training? Or is there something more fundamental than that? 

Speaker: Carole House 

So definitely internationally, more resources and training for jurisdictions. Most countries have still not taken any steps five years into us adopting the FATF standards, which means that best practices had existed previously because best practices feed into creating standards. 

Speaker: Aidan Larkin

We have seen those examples, though. We've seen those like IRS-CI, like thirteen, fourteen billion dollars worth of seizures. We've seen some incredible DEA and FBI early seizures. But, again, we're not really seeing it state and local. We're not seeing but we're not seeing at scale sort of seizures right now. 

Speaker: Carole House

Absolutely. Like, in the US, you're right. State and local is especially where capacity isn't enough, and we still need more capacity at the federal level. Good gosh. If you look at many of our cases, even, like, some of the largest seizures that have ever happened in the US government that have been crypto, it was only the largest seizure because it took six years to seize it, and the price of Bitcoin had skyrocketed since it was originally stolen. So it's like I take some of those numbers. The absence of our ability to scale enforcement is a real problem. Resources and prioritization is a major issue with training as well, but also absence of regulation internationally, like you mentioned, regulatory arbitrage, but then also industry. Industry is claimed to be operating compliantly and responsibly for many years. That definitely looks different across jurisdictions, I would say. Like, I do credit the US for having the earliest and most comprehensive anti money laundering framework in the world, actually, for for crypto, thanks to some brilliant people that worked there long before I did that saw Bitcoin coming and ensured that our rulemaking in twenty eleven for money transmission covered value substituting for currency. And only because of that, we had a huge head start on other jurisdictions to have the authorities, the expertise to actually be looking at this space. And that meant that the US sector, I at least felt, had been the most compliant on the AML front. But it took many, many years. I mean, our enforcement cases were many years in between and, again, like, often would take a long time in order to come to fruition. Honestly, the sector still hasn't complied with the travel rule at scale, which is a major issue. But the biggest issue that the industry can solve besides just following compliance practices is setting up incident response capabilities. Like, I don't understand why the institutions are not availing themselves of the government has given not only as much information as they can consistently, whether through publishing information about illicit crypto activity on the OFAC sanctions list and publishing crypto addresses or designating certain institutions and entities and also giving liability protections for sharing cyber threat indicators and illicit finance indicators in the US. We have two different liability protections. And since so much of crypto crime is cyber enabled, in my view, they are doubly indemnified in different ways. 

Speaker: Aidan Larkin

The table is set to allow them to sort of share information and be more proactive. 

Speaker: Carole House

Exactly. Like, in the cybersecurity world, there's a standards body called OASIS, and it has come up with standards that entities use internationally, called STIx and Taxii. That's basically, like, the language and the way that you transmit machine readable, real time info sharing on cyber indicators of compromise. I don't know why illicit finance and crypto indicators haven't been adapted like this. Like, crypto information that is highly, highly structured in most instances.

Speaker: Aidan Larkin

It should be right for AI. But if this separate, for those who don’t know, this is completely separate from the likes of the suspicious activity reports and STR reporting. Which are already going into the likes of FinCEN in the US where someone in exchange sees something suspicious and they notify. This is a different level of customer's told us something's wrong or we've seen or we've spotted something proactively. You're talking about getting that information out the door quickly as well to law enforcement? 

Speaker: Carole House

Exactly. It follows more of a model of something that in the US since then worked with law enforcement and with international partners via the Egmont Group of Financial Intelligence Units as well as international law enforcement to stand up the financial fraud kill chain that the FBI, drives and then the rapid response program at FinCEN, which right now is only scoped for recovering cyber enabled fraud proceeds. But it started with BEC because we recognized that if you didn't get the assets within the first seventy two hours, that possibility for recovery would get almost to nil. So basically, we stood up with the rapid response program where you realize you get defrauded, you tell law enforcement, they shine the bat signal and alert financial fraud kill chain and the rapid response program. And then based on that, if it moves domestically, the financial fraud kill chain especially tended to work and then internationally, financial fraud kill chain and law enforcement would work through the MLAT process. But the FIU, information sharing channels, through Egmont would typically be a lot faster than the MLAT process. So FinCEN would work with many financial intelligence units through Egmont to share information saying, hey. This wire is suss. Is it still there? Please don't let those funds move anywhere. Okay. It did move. Great. Where did it go? Alright. Go to the next going jurisdiction by jurisdiction. 

Speaker: Aidan Larkin

It's that combination of the sort of the slower moving formal court ordered networks versus those informal networks like Egmont. And, obviously, you've got the asset recovery equivalent of that, the CARIN network, where before you put in your regular court order to seize a boat or a car or crypto assets at an exchange, you'll use your CARIN contact point to say, hey. I've got a request coming into you. You know, it's about that account. Here's the account. And maybe they could say, yeah. Hurry up. We need that. Or, oh, look at this. But with that in mind, we're saying this is about business email compromise. What are your thoughts then on having that within the industry and that killed Shane? So from a layman's point of view, that means that it's like a lost child, and all of a sudden you've told all the airports and everybody's on alert. 

Speaker: Carole House

Yeah. 

Speaker: Aidan Larkin

Surely that's easier with crypto Yeah. Because of the movement of information, transparent ledgers. If everyone in the industry all just signs up to some sort of code, then you could effectively have, I'm a victim of crypto crime. Here's the addresses. Here's the analytics. Like, surely within very, very quickly, you could build up a gray list of those bad addresses. And I know that the industry is doing this. I've seen examples of this with things like chain abuse. I know that, you know, the government has IC3, but it's clearly not enough because there is no compulsion for anyone to do unless someone voluntarily signs up. Is there something the government can do in terms of making those things mandatory? But I also know that takes time? Are you expecting that the industry needs to kinda do this? Like, the UK had GEMLIT for banking, take a proactive task force. And I know that Global Coalition, again, the fight against financial crime, which I'm happy to be part of, is trying to do things like that within the sector and be proactive with Interpol and FATF's involvement, but it always still seems like it's just it's not enough. There needs to be bigger. You need these billion dollar exchanges to be really driving and putting resources behind this. 

Speaker: Carole House

Yeah. Totally agree. And this is where there's lessons to learn from the cybersecurity ecosystem because there's these things in cyber called information sharing and analysis centers, which include not just US institutions, but also many multinational corporations and others that operate internationally. And honestly, most of them only have a liability protection in the US, but they still share info because they recognize that a cyber threat that's pwning one is likely to pwn another. Like, it took time, but the sector recognized and evolved from that. And illicit finance, it's just not happening at scale. And you're right. The major exchanges internationally need to be playing and investing proactively in this. The hardest thing for info sharing is that it's very hard to mandate those kinds of points of information sharing given things like customer privacy and just the level of burden that we're willing to put on institutions to mandate that they work together in this certain network. Most of the time, that's meant to be voluntary, and it's supposed to be incentivized through, like, and we will consider that and your level of cooperation. 

Speaker: Aidan Larkin

You're talking years. Yeah. To get something like that embedded and done and sorted. And I guess is that sort of what part of the frustration is is that we kind of know the blueprint or the playbook as to how you could mitigate against these things. But if everyone digs in and hides if I hear one more sort of exchange talk about, well, I know our customer terms and conditions don't allow us to do that, We'll change the terms and conditions. 

Speaker: Carole House

Exactly. Like, there's nothing that prevent them from from doing this other than their own choice to not be a part of fighting illicit finance and not being a part of the intent in the US and congress's intent for giving authorities like the three fourteen b information sharing protection, but that's the illicit finance info sharing liability protection. 

Speaker: Aidan Larkin

That's the government doing its bit sort of going, like, if you're worried about sharing information, we'll give you some top cover. 

Speaker: Carole House

Exactly. And the latest iteration of the international counter ransomware initiative, part of the major of the huge counter ransomware campaign that we were driving at the White House, and that has, I think, around sixty jurisdictions that are a part of it now if you count all the different EU members since the European Commission is a, is a member. But many countries are a part of this initiative that has five prongs, one of which is countering illicit financing crypto. One of the initiatives that they announced at the end of last year was that they are creating a list of ransomware associated crypto wallets, and that's a good thing. And I'm sure that that'll be shared by authorities. 

Speaker: Aidan Larkin

So this is kind of like the OFAC sanctions list that a regular company can screen against. The idea is we just start to share more and more data. But is that gonna be locked up behind a paywall? Is that an analytic company is gonna sell that as a tool, or is that gonna be an open list? 

Speaker: Carole House

So that's a good question. It could be government only. I hope that the government would consider publishing that kind of list. 

Speaker: Aidan Larkin

And allow those companies to enhance the data around because that's where there is the value. It's when you have those companies that do have access to nodes, do have access to data, do have access to OSINT and IP information. That's where, as an investigator, that's where the magic can happen if you could actually take all of that together 

Speaker: Carole House

Absolutely. 

Speaker: Aidan Larkin

You can actually see some positive results. 

Speaker: Carole House

Yeah. I think that those kinds of things can be shared. There's some interesting questions about there's a level of due process certainly that occurs before the government can do things like publish crypto addresses on the sanctions list, figuring out the right authority for publishing this kind of a list, whether it's for ransomware or for other types of illicit activity. But there are authorities where the government can do that and ensure those kinds of indicators. So I hope that they will consider making that kind of information available to industry. But also, like, industry could share that easier and faster, and they need to step up because, like, there's nothing that stopped them. They've just not taken the action to put us in a position where we could dare criminals to launder in this ecosystem. So I'm hoping that as the industry recognize certainly as international regulation comes into force and they recognize their need to be compliant because hopefully we'll have enforcement actions faster than six years after the fact. But with that and with the recognition that the only way to get at scale adoption that they want and to gain the kind of consumer trust that they want means ensuring that there are mechanisms for victim recourse. And given that I think that the future of this ecosystem is only with privacy enhancing technology, I don’t think that people are going to want to publish their financial information on a public unobscured ledger ten to twenty years from now given the current rate of AI, of democratized access to, like, very highly sophisticated AI capabilities. I think that the privacy enhancements and obfuscation is the only future for crypto. 

Speaker: Aidan Larkin

Thank you for listening to Seize and Desist. Don't go anywhere. We will be continuing with part two and continuing our conversation with Carole House as we dive into information sharing, state sponsored hacking, what she would like to change in the digital asset ecosystem, and how that'll affect asset recovery overall. If you enjoyed today's discussion, please like and subscribe. And share your thoughts on the discussion that Carole and I had, and I would love to hear your suggestions for future episodes, future topics you wanna explore, or future guests. Just leave a comment or connect with us on the usual social media channels. As we said at the outset, this is sort of the very, very beginnings of our exploration into the world of seized assets and asset recovery and unpacking the key topics. Hugely grateful to Carolel for navigating us through this world of digital assets. And I think the more we can speak to sensible people and objective people in this space, we can continue to have an educated discussion around it. So huge thank you to Carole. The views expressed by guests are their own, and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by asset reality employees are those of the employees and do not necessarily reflect the views of the company. 

Want to learn more?

GET STARTED