December 29, 2021
Today we're talking about what it takes to be a good actor in the crypto space and the surprising ways in which you can accidentally act poorly. In this episode, we’ll also be discussing what it takes to keep yourself safe and avoid harming the ecosystem.
Why? Because even though many crypto users know about risks like ransomware and exit scams, it’s often difficult to know how to preemptively identify these hidden dangers in the real world. Additionally, much of the crypto community is unaware of how certain benign on-chain actions can sometimes result in malign outcomes, and how well-intentioned market participants can actually end up harming the crypto ecosystems they are trying to support. In order to support the continued success of DeFi and other blockchain-enabled industries, it’s important to learn the ins and outs of the most common cybercrimes, as well as best practices for how to conduct yourself online.
Steve Ryan is the co-founder and COO of CipherTrace, a cryptocurrency intelligence and analytics company that was acquired by MasterCard. Ryan cut his teeth in the financial security and payments markets sectors, where spent nearly three decades prior to developing a curiosity in the cryptocurrency auditability and building out CipherTrace. Prior to these accomplishments, Ryan helped bring the mobile security company Marble to market and held several leadership positions at blue-chip financial institutions, including SVP of Visa USA.
Welcome to WTF, Crypto, where we peel back the layers of the onion of the crypto universe, to understand what's really going on, and how it affects you and your portfolio. I'm your host, Mark Lurie. And as a caveat, nothing in this podcast is legal or investing advice. Today, we're talking about being a good actor in the crypto world, the surprising ways in which you can accidentally act poorly, and how you can keep yourself safe and avoid harm. We welcome Steve Ryan as a guest today. Steve is COO of CipherTrace, which was recently acquired by MasterCard. Steve, thanks so much for joining us.
Hey, great to be here Mark. Looking forward to the conversation.
So Steve, it's my understanding that if you are, an individual in a institution. And let's say you're the subject of a ransomware attack, you actually have risk if you pay that ransom from a criminal perspective, is that right?
You do. If, if the person you're paying to, their cryptocurrency address, for example, is on a sanction list somewhere. That's against the law, based on everything that I understand. And we work with a lot of regulators, we work with law enforcement, but we also work with cryptocurrency exchanges and other trading firms as well as banks. So, pretty much the guidance right now is, don't pay a sanctioned address no matter, where you are in the world for any reason. It's really, you're not supposed to do that.
I mean, I can imagine that, could really back people into a corner because, let's say you're a hospital, and you're hit by a ransomware attack. So your data is encrypted and, the attacker asks you to send them Bitcoin, in order to decrypt your files. And that happens to be a sanctioned address, which is not out of the realm of the possibilities, because they're clearly, a ransomware attacker. That means you might not actually legally be allowed to do that. It could even compromise patient data. I mean, I'm not saying that would actually happen, but in theory, that's kind what this means, right?
It does. But in that scenario, mostly when we see ransomware, when CipherTrace see ransomware, they're net new paying addresses, they've not been used before. Now, there are edge cases where they do reuse addresses, and maybe indeed they are in sanction list. But most of them are pretty much virgin addresses. So you're not going to find them on a sanction list, but, what you really should do is you should contact a blockchain analytics company. If you are, the company that's helping you pay this ransom, should you choose to do that? We always recommend you don't. But if you so choose, that's a business decision, whether you're working with an insurance company or a consulting firm, make sure they're checking the address, and they could do that with any of the major blockchain analytic companies, such as CipherTrace. And we'll immediately tell you whether it's on a sanctioned list or not at that point in time. And then you've got an audit trail for that.
Interesting. I see. So, in practice, the sanctions concern in general is probably less likely, but there are a lot of concerning corners you can, get backed into and, accidentally act in contravention to guidelines and rules and get yourself in trouble.
Yeah. I mean, again, my, guideline would be, check before you send, because you don't want to be that edge case, and cause yourself more problems that... And especially if you're not working with law enforcement, side by side. And a lot of ransomware attack victims, for some reason, choose not to, right? They'll work with a consulting firm or insurance company, and they'll do it outside of law enforcement, which they don't have to, use law enforcement in there, but, you really should check before you send I guess, that's what I would say.
I see, it's interesting, because that goes well beyond ransomware, right? I mean, every day people send, cryptocurrency to addresses that they may not actually know that much about. And, it sounds like that can create lots of problems for users, even if what they think they're doing is just investing or using platforms or sending money to someone else, or doing some sort of escrow. They actually should be checking a lot of what they do, just even in everyday activities.
Yeah, they absolutely should. It's just always good to know, who your counterparty is, whether it's a place that you're receiving funds from, or you're a place that you're sending funds to, you would do that with your Fiat currency, one at your crypto. And one example. So we had a law firm contact us earlier this year and, they came to us and they said, "Hey, we've got this new client." I go, "Yeah." And they said, "They're a Bitcoin billionaire." And I went, "Okay, that's interesting." "But we're a high profile law firm. We need to kind of validate their source of funds." So they thought about this, check before you transact. And so I said, "Well, did they share any addresses with you?" And they said, "Well, yeah, they did. And by the way, here's a report from, one of your competitors." And they say, "They're clean."
He goes, "But, I don't know. I want a second source." It's sort of like having a doctor's appointment. I want that second opinion. So, we took the addresses and we looked him up. It doesn't take very long. In about 30 minutes I called him back and I said, "Well, I got some good news and some bad news." And he goes, "Well, please tell me the good news first." I said, "Well, the good news is you're, completely accurate. He's a Bitcoin billionaire, no question about it. A couple times." And then he goes, "Okay, now give me the bad news."
I said, "Well, the bad news is, he got all his Bitcoin out of a Ponzi scheme in 2015, called Hash Ocean. And, it's been sitting dormant for five and a half, six years. So some of the newer analytic tools don't have data going back quite so far. So they don't know about it. They've never seen this address transact. They didn't have historical information. So they come up clean." Well, our data goes back a bit further and we said, "Well, sorry, it's good news and bad news. He got all his funds from Hash Ocean, which was a Ponzi scheme, a well known exit scammed, Ponzi scheme."
Wow. That's an amazing story. So it, it seems like you really have a wealth of experience here. Could you give us some context for, your experience and background and, what your expertise on the subject before we dive deeper in, to the issue?
So my background, I was a co-founder of CipherTrace, with two other folks in 2015, but, my background is traditional digital banking and payments. Having worked for large banks, payment systems earlier in my career, we've always kind of looked at this whole auditability of cryptocurrency. And when we started CipherTrace, what we call attribution, which is basically telling you what we know about a particular address, does it belong to an exchange? Does it belong... Is it a paying address on the dark web? Is it part of a terrorist funding organization, stuff like that. We capture that type of information through a variety of methods, but we document how we capture that. And that's really important. So at CipherTrace, we call it creditable attribution, and it could be used not only for, intelligence, but evidence. Most of the other products out there, can only be used for intelligence because, when they created their attribution, they collected it.
While in many cases it's completely accurate. They can't tell you why they got it, when they got or how they got it. So, it's almost it's that black box. So you kind of question stuff like that, and you can have false positives through those methods. So, the one thing you don't want to do is rely on a bunch of open source websites to say, "Hey, this was a ransom address, or this was a dark web vendor. They may not get it right. And they may give you false data." So that's why, at CipherTrace, we focus in on that and, it really comes out of my DNA, coming out of banking and payments. If you decline a credit card transaction, you need to make sure you're accurate. Because what you don't want to do is, decline somebody falsely, and effectively lose the longtime value of that customer. So you don't want to do that. So we focus in on, auditable, creditable attribution that's accurate. So.
Makes sense. For context, you've also been, at the intersection of technology and finance for decades, from, first data to visa, to PayPal, to, a number of other really well known businesses. And so, you've really been around the block and know it from a lot of angles.
Yeah. And I've seen some of these business models emerge. I remember I tell this story sometimes that, back in 1999, when I was at Visa at the time, and we heard about this company in Palo Alto, that was, beaming money between PalmPilots. And, I guess that will date me. Some of the viewers here or listen, don't know what a PalmPilot is, they've never seen one. But it was a first generation kind of smart, sort of phone thing. Wasn't really a phone in the early days. And so we went down there and we looked at it and we said, "Well, they're beaming money. And they were actually... They were issuing credits, on credit cards where there was not a corresponding original purchase." And back then in the Visa and the Master Card rules that was called fraud. Because how can you initiate a credit, when there wasn't an originating purchase?
Well, what they did was they found out a different use case to use the payment rail. And so, this was how they were so sending funds around, they were just issuing credits. And it was pretty clever. So, at the time the company was called Confinity, it later rebranded itself as PayPal, and the rest is history. So I saw some early ideas, morph into other things. Clearly PayPal has gone well beyond, beaming money between PalmPilots, but, that's really where they started in their early days. And they were breaking glass. And much like we're doing today with crypto, there's a lot of glass, being broken in finance. I find it completely fascinating. A lot of times, maybe the glass should be broken because, just because we did something a certain way before doesn't mean we should keep doing it.
But at CipherTrace, what I try to think about every day is how do we make this ecosystem, safe and secure for everybody. And that's really, kind of our mantra. It's like, we're 110% bullish on crypto. I own crypto, full disclosure. So, I'm in it for the long haul, but it's, we got to keep the bad guys out, right? Just like the early days of the internet, there was a lot of bad guy use, on the internet in the early days and, look where it is today. All of that is dwarfed down to, minuscule amounts, and it's managed appropriately. So.
Makes sense. That's also quite a story and frankly, a good rebranding. PayPal's a much better name, I think.
Yeah. I thought it was pretty clever at the time. Yeah.
Okay. So, maybe let's start from the beginning, I agree that we need to figure out how to be good actors and, I'd like to be a good actor, but I don't really understand how the system works with respect to who is and who isn't a bad actor. So, can you help me understand at the beginning, like what is a sanctions person? How do you even define a bad actor that you might do business with?
Yeah, so there's different types. So, at CipherTrace, we score things. We have a few different criminal categories. So sanctioned is one. Sanctioned is like the worst of the worst. And we don't define what a sanction is, lawyers do. And so that's the other part about sanctions for an address or a person, or a company or anything. Because there's a lot of different things that can show up on a sanction list, not just crypto addresses. That's relatively new crypto addresses. But it has to go through a complete legal process. It has to stand the test of time, and then they determine that indeed it's a criminal. Maybe they've gone to a court of law. They prosecute them. It's taken a complete, path down this. And that's how it ends up on the sanction list. And those are clearly bad guys. The good news is, it's not a big list, but it's a really, really important list.
You don't want to send or receive to those crypto addresses. You just don't. And if you happen to know any of the people there, if you have a KYT process, you don't want to trade with the people or the companies either. So.
What is a KYT process is distinct from a KYC or know your customer process.
Yeah. Know your transaction.
So probably should have used the term KYC in that case. So KYC saying, know your customer, because a person can be at a sanction list. A company could be on a sanction list. And an address can be... A wallet address can be on a sanction list. So, KYC would catch the first two, KYT would catch that wallet address.
I see. Interesting. And so in the traditional financial system, you've had sanctioned individuals. Now, that's evolving and in the blockchain space, we start focusing more on, know your transaction because often you'll know more about the transaction than the individual.
That's right. And the blockchain, it's in the public domain, so everybody can see everything pretty much on every blockchain, supplement arrow, which we can see some on an arrow. So that's really important. But you can look at those addresses, and you can map them up against, what's on, for example, the OFAC, sanction for cryptocurrency addresses. And it's not just Bitcoin, there's some XRP on there, there's Ethereum, there's some light coin, but it's not a long list, but it's a really, really important list. If you're on the OFAC list, you've gotten in trouble. And you proven to be who you are or, that you're bad.
Office of Foreign Assets Control.
And just out of curiosity, I mean, what are the types of people that are on here, and what are the penalties for interacting with, a sanctioned address? Just so I have some context.
Yeah. Generally what I've seen is, it's a lot of nation state type crimes. It's drug cartels, it's terrorist organizations. It's, kind of the worst of the worst.
So that's really, I think what I've seen sort of come out of those, it's that level of stuff, you're not going to see people that get convicted of street crimes, on a OFAC list. I don't believe so anyways.
Got it. And so that's why the penalties are quite severe.
Yeah. And the penalties can be severe. And I think you could just Google it and find out, but they could be, in the tens or hundreds of million of dollars in some cases. So again, it's a list you don't ever want to trade with, whether it's a person or company or a cryptocurrency address, if it's all in one.
Makes sense. Okay. And you know, as I look into this, there's really only a handful of addresses on this list. That's not actually that many, it strikes me that there should be more.
And I think that's due to the legal process. That's behind all this. Those are, very well documented and verified that they should be there. And I think it does take a while for stuff to show up on a sanction list. It doesn't happen overnight, could take months, and it might even take a year or two in some cases. So they could be older addresses too.
I mean, it seems tough that law... If due process takes that long, it seems tough, and given that you can create, in five minutes, you can create 10, 50 addresses, seems like,, the process could never keep up with the reality of the technology and how it's used by bad actors.
I think they'll get much better, obviously with some of the technology that's out there, and some of the clustering capabilities. So some of the things we've seen is, okay, here's this address that belongs to this bad guy that was involved in this bad thing. Well, if you use some of the modern blockchain analytic companies, we could cluster those together, into a broader wallet. And then we could say, "Okay, you caught one address, but guess what? There's 150 actually in that wallet. That same entity controls the other 149 too." So it's always been my belief, those should be on the OFAC list too, or I'm just picking on OFAC, there's other lists around the world. Because they're controlled by the same individual or organization. So most likely they're doing the same thing, but again, I'm not a lawyer, that I think gets into a conversation of, well if we didn't see it happen with that address, can it be on the list versus, it's just part of his same sort of wallet structure. Right?
Makes sense. Okay. And so, sounds like OFAC is working on this problem and will, come out with an improved approach and they're good, hardworking people. So, I think I'm optimistic, but until then, what are the other places that, I might want to go to, make sure that I'm working with a legitimate person? I mean, OFAC's only a handful, presumably there's a lot of other sources.
Yeah. There's, UN, Euro Pool, there's other places around the world that have similar lists. I think crypto's mostly on the US OFAC list. I haven't seen it. I don't think on these other international lists, but it's just a matter of time, right? These organizations, Euro Pool's, a world class organization. Does a lot of good work around crypto investigations, trying to find really bad guys and stuff. So, I'm sure those lists will evolve over time. And it's not that anybody's against crypto, right? That's not the message here. It's like, they're against the bad things that could be done with crypto. So, nobody wants to see human traffickers, drug cartels, selling fentanyl. People selling credit card dumps on the dark web. Those are all really bad things.
If we could just leave crypto to all the good stuff, like the investors and remittances, you can move money anywhere in the world in 10 minutes, across borders, you could send money back home. You could be sheltered from hyperinflation, like what's going on in some of the Latin American countries. So, there's so many positive uses for crypto. We just got to, just make sure it gets used for that.
Well, I mean, the interesting thing is we're having conversation about sanctions and various lists and, KYT and all of this, is based on a, set of lists and systems, that emerged because, this problem existed in the banking system, right? I mean-
It's all excited.
... for the banking system. So, the idea that we have to do this for crypto, it's hard to say that means there's something wrong with crypto. I mean, this has to be done in the traditional financial system too. They've just had a little longer to figure it out. And, aside from whether they're actually successful at it.
I think it goes back to the stone age when people traded corn and stuff, there was probably fraudulent corn or bad corn and, it's whatever. But, it's, anywhere where there's a monetary instrument, you're going to have some of this, whether it's Fiat based or crypto, it's not a problem, with the payment instrument. It's just, I think it's a bit of human nature that there's going to be some bad people out there, and we need to sort of manage around that.
Yeah. Well, so how do the most sophisticated people out there, manage this problem? Because, I may worry about it as an individual, but, presumably a Coinbase or a, big exchange is trying to deal with this at scale. And they must have some pretty sophisticated approaches.
They do. And many of these, especially the more regulated exchanges will all have KYT processes, and in some cases, multiple. So, they'll license tools like CipherTrace and others, and they'll check a particular address that they receive or send to, across one, two or three tools, to make sure they get a common feedback loop of, double up, thumbs up, that's good, or thumbs down. You get three thumbs down. Okay, you want to really think about, what do you do that, what those coins you just received, or that address you just sent to.
It's interesting you say that because, if you have to check three different tools that observe the blockchain and provide analytics to ascertain, the history of an address. And, you told us the other anecdote earlier about a law firm who talked to, asked you for a second opinion. And your second opinion was different. I mean, if professional analytics firms like that can differ on, the insight they have in an address. To me, that kind of says that, it's actually, not a solved problem. It's really tricky. I mean, if it were solved, they'd come back with similar answers, right?
It's complex though. It depends on, the attribution collection methods, the capabilities of the firm, how long it's been around. So, it's one of those your mileage may vary. And so, if you're in a really important business, at least in today's world, none of the analytic firms are perfect. They're just not. I don't think any of them ever will be perfect. There'll be some that are much better than others.
Yeah. I see. So there's kind of two aspects to this. One is, have you done the minimum to cover your ass, and hedge yourself against negligence. And the other is you really want to stop, fraudulent people or bad actors. And those are two very different thresholds for risk and diligence, it sounds like, yeah.
Yeah. When we look at, in CipherTrace, we look at about 1100 exchanges around the world and every country imaginable. About 50% of them today, still don't have KYT programs.
So it's the wild west. Yeah. So when you think about, Coinbase and Gemini and, all these cracking, these are all kind of the gold standards, right? For cryptocurrency exchanges. There's a lot of exchanges, because they're in countries that have no regulation, and therefore they don't have to, nobody's telling them to. And they marketed their platform to a particular type of customer that, doesn't want them to know who they are. And so, they just, they cater to a different clientele. So, a few years ago that number was probably 70%. So it's clearly going up, there's more regulation, more exchanges are doing it, because it's the right thing to do too. And as a eco system, I mean, we should just do that to make sure that we're getting good clean crypto everywhere, and to try and, minimize any of the bad stuff.
Now we're talking about all this negative stuff, but, our belief is, better than 99% of all crypto is completely healthy, low risk, not related to criminal activity, 99% plus. So we're really talking about that 1% or less problem. It's mostly all good. And this is mostly all good on, as a ecosystem across the world. Now you'll have pockets where you'll have particular exchanges that might, cater to ransomware actors, and things like that. And generally those things, they end up getting shut down over time, so-
Because become targets for law enforcement and so forth. But most crypto is completely clean. And that's frankly, why you see, a lot of banks getting into it now, doing crypto custody, right? Because they actually, see it as fee income, new fee income. It's another payment rail, right? So you have wires, you have ACH, you have cards.
Well now you have crypto, and a lot of consumers want to buy and hold crypto or transact with it. And so, you'll see more and more banks get involved, in a variety of strategies around crypto currency. I think, if you fast forward 10 years from now, every bank in the world, and there's about 20,000, will have a crypto currency strategy. Most will do custody somehow, either through a service provider or they'll roll their own platform and have it in their own data centers and stuff. But it's just, it's changing finance. So it's just another payment rail.
Makes sense. I read somewhere, I believe it was a UN report that something between two to 5% of GDP, each year is laundered or at least is criminal in nature, through the traditional financial system, which sounds like it's actually several times more than the less than 1% number you quoted, with respect to cryptocurrency.
Yeah. I haven't seen that study and, I wouldn't claim to be an AML expert. That's not my thing. I'm more of, a technology guide with a lot of entrepreneurial spirit. So, I don't know. That sounds like it could be right. I don't know. That'd be an interesting statistic. What we do know is in crypto, what we see is the data that we see and collect with our attribution. We think it's 1% or less. And then, it varies depending on whether or not you're looking at transactions or value. If you actually go to value, it gets way under 1%. If you just go to transactions, it's up around 1%
Interesting. A lot of petty crime. So, the average transaction value is actually low when it does happen.
Yeah. And we've published reports on this. We do quarterly AML reports. It's all on our website at ciphertrace.com. Anybody can go there and look at it. We've got some really good stats there for anybody who wants to kind of look at some of those trends.
Interesting. So presumably the people who have the highest motivation to, figure out what's going on with the given transaction is law enforcement, because they're presumably... They've already decided after the fact, something's happened here and they're kind of collecting evidence. And it sounds like they're often engaged with you. So you've worked a lot with them. I mean, how does that work? Who tends to go after these transactions in the government and, how sophisticated are they?
Oh, wow. That's a broad question. So, it's another one of these. Your mileage may vary. It just depends. It depends on where it is in the world, the type of law enforcement agency. I'll tell you from my view, federal level law enforcement agencies, most all of them are really good at it today. They've been doing it for a while. They get involved in the larger crimes. I'll call it the more important crimes. But I think it goes all the way down to street level crime in some cases. So I think that's very possible. And I think, if you start looking at city and state type law enforcement agencies, I think, they do need to come up the knowledge curve of, what's going on. They run into the street crime of the fentanyl sales of the human traffickers, the illegal gun sales, and sometimes the payment for those services and products is crypto.
Right? It's pretty easy to do it, with a QR code between phones. But yeah, so I think there's a lot of room for growth, and knowledge and kind of the city and state level. Most of the federal guys, not only US, but Canada, Europe, UK, Australia, other places, they're getting pretty good and they've been doing it for a few years and most of them have a number of tools that they use, probably can't get into it much more than that because that's how they do their work. And it's kind of not something we could probably share on this. So.
Makes sense. I guess you don't want to expose all the techniques. People will just find the loopholes.
Yeah. They're pretty good at it, but, they're chasing the bad guys that, if we don't do that, it's going to force undo regulation on us. Right? So you kind of need some of that stuff to dissipate, so that people don't think, crypto's a bad thing. Right? Because it's.... People need to look at the facts too. A lot of people think all these bad things happen in crypto, without actually having any knowledge or facts. And that's where we try at CipherTrace, is sort of state the facts. It's a 1% or less problem. And it depends on whether you looking at transactions or value. If you're looking at value it's well, under 1%, at least based on the, studies we've done in the past.
One thing I feel like I've observed is I see headlines about crypto attacks and illicit activity, it's often followed up with and the money was recovered or, and the money was frozen. I'm unclear whether to think of that as a negative or positive for crypto as, a toolless activity or as a crime fighting tool because, if it were really problematic, they wouldn't be getting caught. If they're getting caught, then it actually seems like maybe it's working quite well. And, there's plenty of ways to track people down. And, the colonial pipeline, I think is a great example of that, right? I mean was a pretty high profile ransomware attack that, meaningfully disrupted gas distribution in the US. But some assets were recovered.
They were, and many times they are. Sometimes not, because sometimes they'll just go and sit and, sort of like the Hash Ocean example I gave you, sat for six years before the guy moved it. So, some people can become very patient, but then, it depends if it's an individual or organization and some time they get greedy and they're looking at all that and they're going, "Wow, I could get that nice Porsche if I just cashed in some of that stuff."
There's always the allure of the Lambo.
Yeah. And that's usually what gets people caught, but, crypto is completely traceable. CipherTrace has proved that as well as many other blockchain analytics companies. We even do it with Manero. But we do it for, looking for the bad guys so that we can help grow this ecosystem. We want to grow the ecosystem. We want it to become bigger, broader, more innovative products, like Dexis, like DeFi. Some of the new lending stuff that's going on, a lot of this stuff is breaking glass, but it's, back to kind of that earlier example. They were doing credits when there wasn't an originating purchase. Well that broke the rules at that point in time. But it's a pretty good transaction. It's not fraudulent. And the payment rails were still getting basis points off of every one of those.
And there was nothing wrong with it. It was just a different use case, for a legacy payment rail. So, I think we're going to find all kinds of innovative stuff. And, my hope is we don't get too much regulation. We probably need a little, sure, to put the bumper rails on the bull and alley. But hopefully it won't be overreaching too far that it stifles innovation. Because I think this can solve a lot of issues that the world is tried to figure out over the years, including the underbanked and the unbanked. It's a new way to reach those people, give them access to assets that, really don't have bank accounts or they have limited bank accounts, or they're in a market where there's hyperinflation.
They go to bed and they wake up in the morning and whatever funds they have is worth 20% less, when they wake up in the morning. It's like, put your money in a stable coin. It's going to be pegged to the US dollar. It'll be at least at a US dollar level, whatever our inflation is. But that's better than let's say the Argentine peso or something else. So it could do a lot of good.
So there's a lot that we've talked through here and it's quite complex. And it seems like the spectrum of sophistication varies a lot. Whether your federal law enforcement, an exchange or an individual. As individuals, what is the practical advice I should follow just to avoid doing something problematic. I mean, I can't engage five different tools. What should I do, day to day?
So, I think, best practices are use products that have, have KYT built into them, right? Just know your transaction, know your counterparty, whether it's somebody you're receiving from or sending to. Do your best possible effort, and then just go enjoy crypto and whatever you're going to do with it. Hopefully, all good stuff. But look at your counterparties, try to find a way to kind of do that if you can. Many of the exchanges will do that for you, at least 50% up or more in the world, and those are all available to you. So if you go to the exchange and they say, "Hey, all you need is an email address and you're up and running." You may want to think about it, but if they ask to KYC you, and it's a centralized exchange, they're going to be running KYT under the covers, they'll check those transactions for you.
The way they treat you is indicative of the way they handle the rest of their business most likely.
Yeah. Look, things will still slip through because nothing's perfect. But at least you're trying to do the right thing, which is keep the ecosystem sort of clean, and just utilize crypto in a good way.
This raises a philosophical question, which is, what is the difference between best efforts, good faith and, checking the for plausible deniability. I mean, what actually is the difference there?
So, that's a great question. So, again, I'm not a lawyer. So this is not legal advice.
Yeah. And, put aside the legal advice, I'm just more philosophically, how do you think about that?
So, I spoke to an exchange a couple years ago when regulation was really just kind of emerging. And they said, "Hey, we use a competitor of yours for KYT. So we don't even need to look at you." And I went, "Oh, okay." I said, "I want to see if our data's better. We can get you better results. Maybe we can save you a little bit of money. They said, "No, we've got it under control. And we don't even use them, unless the transaction's above $25,000." So if I do a transaction on your platform and it's $24,000, you don't call that, that KYT provider to validate the source of the coins or the destination. They said, "Absolutely not." I said, "Why do you do that?" They go, "To save money, and our regulator is not forcing us to do it."
So, that's an example of... That's really, that's a gray area, that I don't think that's appropriate. Right? Either do it on everything, with the product that you have, or you do it on nothing. The fact that it... Because it's almost like a white lie. Yeah we do KYT. Does somebody have to ask you, do you do it on all transactions? And in their case they don't. And then, the third question is, if you do KYT and you get a negative, high risk score back on that address, do you do anything about it? Or just keep going? And there's some exchanges that'll do that. Just to check the box, they'll call a KYT, a blockchain analytics company. And it doesn't matter what it comes back with. They're still going to process the transaction. It doesn't matter. So, if somebody found that out and something bad happened, some illegal drugs being sold or being sent to, somebody that was doing human trafficking or something, you could argue that was pretty negligent, I guess. But again, I'm not a lawyer, I don't know, but that's for people to decide. Right? So.
What do you find, separates the people who are really trying from the people or organizations who, take that approach of doing just the minimum. Do you think it is different people, just make kind of different decisions for themselves? Or do you think it's a function of, the jurisdiction they're in and the society that they operate in? How much of is internal versus external influences in their decision making?
I think it's a little bit of both. So they don't... Obviously in some of those markets, they don't have the regulator push. It's a little immature than other countries. Maybe it just hasn't gotten to where it needs to be. And then some of it is really, they're just, it's a little bit of greed, right? So, they're not looking at the ecosystem as a whole. They're looking at just their little fraction of it. And they're only looking out for themselves. They're trying to maximize the fee income that they can generate today on their platform and not saying, "Well, what am I doing to the broader ecosystem, because I'm operating this way?" We should all find clever ways to build products, new innovative products, and find clever ways to attract new people, to use our innovative products.
I don't think we should try and skirt the system on some of these other things. To me, it doesn't make sense. I think it falls apart in a long haul and it just doesn't do the ecosystem. At the end of the day, we're trying to grow this thing. And if we grow it appropriately, all boats will float, and they'll float higher. And so, that way everybody gets the benefit of whatever their core features and innovation is. So.
My one concern with that is, if everyone is exerting a high degree of diligence, is there a risk that innocent people could get, caught up in the noise? I mean, what due process, do I have if my transactions, are accidentally, or incorrectly tagged?
Yeah. That's a great question. So here's one of the things that goes on, in sort of the analytics world. There's some companies that's say, they'll go into whatever organization, whoever they're selling in to, law enforcement and exchange or a bank, and they'll say, "I can trace an address, 20 hops, 50 hops, a hundred hops." And I'll tell you if it ever was associated with anything and then I'll risk score it appropriately. I don't think that does anybody any favors? I think it's confusing people. I personally believe direct association. So if a particular address was the paying address for a terrorist funding round, boom, that's it. A paying address on the dark web that is known to sell fentanyl? That address is bad. But, at least the way I think about it and maybe it's one hop away or two hops away, but, you start getting more than two hops away.
I think you get into the scenario you're talking about, with this degrees of separation, how I've explained it sometimes is, it's one thing if I did something bad, you know I'm the bad guy, but my brother, okay. If he's bad, if he's known to be bad, and I hang out with him, am I bad? What if I hang out with him every day, or I hang out with him, I only see him once every three years. Is that the same level of risk? I mean, he's just my brother. And then what about your cousin? You go to a family reunion every 10 years and he/she's really bad. Does that make me bad? Right?
So you get in to these degrees of separation. So, I think we have to be careful. I think there's a strong argument to say, beyond two hops, it kind of doesn't matter, or it should be significantly discounted. The data should be used in a different way. The other thing that people out there say, and some of these analytic schools don't understand it. We do. But, if an address goes into an exchange, you can't trace it out the backside, not in exchange because basically what it does, it's sort of like, walking up to a bank and putting in $10 as a branch deposit, then you walk down to the next branch and you would all $10. You're not getting the same $10, right? It just goes into this pool.
It breaks the chain, breaks the breadcrumbs.
So you can't trace through centralized exchanges. You can show that, a bad address went into an exchange and then you ask the question, "Well, did you guys identify it? Did you freeze it? What'd you do it about it? Did you file a SAR?" But you really can't trace it out the back door.
Well, it also begs the question, who should be making those judgment calls. I mean, should it be the government, should it be the private enterprise themselves? That's a tough question.
Yeah. Well, that's where we get back to this whole creditable attribution, that we strive a lot for at CipherTrace. So, we're trying to make sure that what we have is factual and actionable. So, our data, could be used both for intelligence and evidence. So imagine somebody says, this is a bad address. The last mile in a bad scenario is a court of law. And then you get into a court of law and then, some smart defense attorney who's read a couple crypto books comes in there and says, "Well, how did you find out that address was that? When did you find that out? And by the way, why did you find that out?" Can you explain that to, to the jury and the judge today? And, this is where, if we're targeted that question, CipherTrace, we'll go, "We're happy to answer all three questions for you. And here's the answers." Say A, B and C.
But other blockchain analytics companies can't do it. And then you wonder, is there data really creditable? And are they doing anybody a service? They still could have accurate data, but they really need to do it justice, to verify and make auditable, their data and, take this serious, because you're affecting transactions. You're affecting people's lives when you negatively, rate or rank something.
Makes sense. Super interesting. There's one more thing I'd love to touch on. And that's the really, the fundamental difference here, between, this problem in crypto and this problem and the traditional financial system. And it seems to me that there's a trade off. In crypto, transactions are perhaps more anonymous than in traditional finance, but, there's one database of all transactions, which means, you can see the flows and investigate what's happened, pretty easily. Whereas in the traditional financial system, the actors are often known, but each bank has their own database, and it's impossible to really link things together, unless you have reactionary subpoena power, or I guess you're at FinCEN and you look into all the SARS reports, but that's a small team. And that seems to be the really the fundamental difference. And I'm trying to think about like in the long run, which is actually better. And I think maybe your answer is, well betters the wrong frame. They're both payment rails. They both have trade offs and, they both have benefits and they both have drawbacks.
That is the right answer. Now, with crypto because, they are public blockchains for the most part, everything is a auditable, right? It's a ledger in the sky. You can't find that in ACH and wires or even card. Right? And, in the banking world, when you let's say, you're looking at wire transfers, we had this thing called correspondent bank. So if you're a small community bank or one of your customers wants to wire something overseas, that community bank won't actually have the capability to do that. They'll send it to a bank that has a correspondent banking function and they'll actually, you'll send it to them. They'll send it somewhere else. It may go two or three hops, which is sort of like crypto, right? So that's the, when I talk about hops, those are almost like correspondent banking stops, but the difference is in crypto, you could see them all, unless they've actually gone into an exchange and then you really just need to cut it off at that point.
Because anything that's coming out is not the same thing that went in. But, there's a lot of same analogies and there's no perfect payment system. What's good about crypto is, it's auditable, it's viewable, it's efficient in most cases, unless you're paying these high gas fees that we all have lately. But then I guess that depends on the size of the transaction, whether it's efficient. But, I just like it. I think it's the greatest remittance instrument of all time. I think it's better than the legacy stuff. I think it's more cost effective. I think it powers the underbanked and the unbanked, in ways that we've not seen before. And I just think there's massive amounts of innovation that we'll see over the next few years. So it's just a new... It won't be perfect, but none of the payment systems are.
That is a great summary. And, I suppose we each have a responsibility to do our best, to encourage good activity and prevent bad activity. Really appreciate you joining us. Thank you so much, Steve.
Thanks Mark. It was great to chat. See you next time.