Introduction
Your author was recently invited to join the Bloomberg Asharq team to discuss the latest FBI (IC3) report examining trends in crypto-related fraud over the past few years, highlighted by the headline number of $5.6B of losses in 2023. It seems a timely opportunity to share our takes on this article and on crypto fraud in general, and to put that eye-popping number in a little more context.
This is admittedly quite a pivot from the direction of the last few posts (Ethereum economics and the resultant L2 models), but it is a topic that is vitally important for any investor in the space to understand, especially as the market looks to get back on track after the summer doldrums. By no means is this a blind defense of the industry; rather, it aims to be a neutral look at how big the problem is and what some of the underlying reasons for its pervasiveness are.
First Things First: Fraud in Crypto is a Real Issue
While to many this statement is akin to stating “water is wet”, it is important to be clear that fraud and scams in crypto are unfortunately quite common. Even the FBI’s reported numbers, which specifically look at complaints it received that have a ‘crypto nexus’, are most definitely an underestimate of the true size of the issue. Off the top, their 2022 number of ~$3.8B very likely does not account for the full impact of the $8.7B FTX fraud, which clearly had a “crypto nexus”. (Note: although all creditors of FTX will be repaid in full plus interest, this was not known in 2022 when the complaints were filed).
Importantly, the FBI also notes that although crypto-related fraud represented just 10% of total fraud claims in 2023, it amounted to just under 50% of losses suffered. A more comprehensive FBI report, of which this crypto-crime report is a carve-out, estimates $12.5B in total internet crime. This roughly tracks the FTC’s separate report of ~$10B in internet fraud losses in 2023. The $5.6B of losses where crypto is involved appears to represent an outsized share of the total losses due to internet crime.
Chainalysis, one of the top blockchain forensics companies in the world that counts the FBI as a partner, estimates “illicit” crypto activity to have been $39.6B in 2022 (inclusive of FTX fraud), and down to $24.2B in 2023. Chainalysis’ methodology is designed to capture global illicit onchain activity covering fraud and a wide range of other activities, such as malware/ransomware, cybercrime, darknet markets, terrorism financing, sanctioned entity activity and money laundering. As such, it is far more expansive than the subset of losses that the FBI’s US-focused report shows and provides a more robust view of the breadth of illegal activity taking place.
Source: Left chart - FBI’s 2023 Cryptocurrency Fraud Report; Right chart – Chainalysis’ 2024 Crime Report
Either way one cuts it - $5.6B or $24.2B – the magnitude of fraud and illicit activity using the technology is clearly significant. Directionally, however, there are differences in what the IC3 reports and what Chainalysis tracks in terms of how much the issue has grown (or not?) between 2022 and 2023. In this case, both are likely true, as we explore later.
Next Things Next: The Truth is Difficult to Find
Unfortunately, misinformation is frequent here as well. For example, an oft-cited study by Elliptic, another leading blockchain forensics company, highlighted potential Hamas donations via blockchain. Many, including the Wall Street Journal, U.S. Senator Warren and other US lawmakers, took a few pieces from that report and used them to buttress claims that Hamas is reliant on crypto for its fundraising, claiming they raised $130M in just a few years through crypto, and ultimately tying the group’s use of the technology to the October 7 attack on Israel.
Source: The Wall Street Journal
This claim has made headline news and been frequently used by members of Congress to underpin their stances against crypto. Unfortunately, it is largely inaccurate, and the very firm that published that report had to publicly denounce the misuse of its findings and documented attempts to contact e.g. The Wall Street Journal and Senator Warren to retract or correct their use of the report, to little success. Curious readers can dig in deeper here in a detailed analysis by another fund manager, Nic Carter.
Muddying the waters further, most often one will see the headline numbers - $130M, $5.6B, $24.2B – but without any additional context as to the size of the problem space beyond ‘crypto’. For example, $24.2B is undoubtedly a massive number, but how much money is laundered globally each year through traditional systems? (answer: potentially 5% of global GDP, or $2 trillion).
Without that context, it is simply impossible to understand whether crypto is exacerbating the issue, improving it, or simply maintaining the status quo. We’ll try to better contextualize this in the next section.
Crypto fraud and scams are a real issue, but the continued conflation of facts and politicization of the technology, of which these are simple illustrative examples, has somewhat blown the problem out of proportion relative to reality, especially for most casual observers.
So Then, What is Reality?
Let’s look at both the $5.6B fraud estimate and the broader $24.2B onchain crime estimate relative to ‘traditional’ (e.g. non-crypto) financial systems to get a sense of how big this problem actually is.
Source: FBI’s 2023 Cryptocurrency Fraud Report
According to the FBI, of that $5.6B in losses, roughly 71% was the result of investment-related fraud most commonly through confidence-building schemes, more colloquially known as pig-butchering. As the FBI describes it, “The schemes are socially engineered and trust-enabled, whereby criminals use dating applications (apps), social media platforms, professional networking sites, or encrypted messaging apps to establish relationships with their targets. Once trust is established, criminals introduce the topic of cryptocurrency investment”.
As a quick aside, this is just old-fashioned fraud, plain and simple. There is nothing unique about this that is only possible because of crypto. In fact, reading through the list of other types of crime presented, it is difficult to make the case that any of them exist because of crypto. Personal data breaches, employment fraud, phishing, real estate, extortion and tech support impersonation all exist separately.
Zooming out, if we take the $12.5B in total internet crime losses the FBI reports in 2023, investment fraud where crypto is used accounts for $3.96B of that, or roughly 32%. Undoubtedly a very high share, especially given the aggregate market cap of the industry is less than that of Apple. The below charts show the breakdown of total reported losses due to internet crime in 2023 next to the breakdown of only those with a crypto nexus. Shown categories account for over 90%, respectively. Although investment fraud was just 37% of total losses, the share of losses due to investment fraud where crypto was used nearly doubled to 71%. Other categories where losses associated with crypto use were highest include personal data breaches (9%), tech support schemes (8%) and exploitation through confidence/romance schemes (4%). The losses due to internet crime more broadly fall along a wider spectrum. The biggest deviation is in the form of losses due to business email compromise (BEC). 24%, or $2.95B was lost through this channel, with 99.84% going through traditional payment channels. Just $4.8M of these losses, 0.16%, touched crypto.
Source: FBI’s 2023 Internet Crime Report and 2023 Cryptocurrency Fraud Report
In terms of relative share across all categories, the FBI found that losses with a crypto nexus accounted for 45% of all losses reported. Excluding investment fraud, crypto-related losses fall to just 20.6% of all losses. Again, excluding investment fraud, there are just 4 categories where losses associated with crypto account for a higher share than through traditional rails (personal data breaches, SIM swaps, botnets and phishing/spoofing). For the other 21 tracked categories, traditional payment systems remain the primary channels.
Source: FBI’s 2023 Internet Crime Report and 2023 Cryptocurrency Fraud Report
So, what does this all mean? The relative amount of losses associated with investment fraud with ties to crypto is far, far higher than traditional investing markets – 87% of all losses, a tremendously skewed amount relative to the industry’s size. But outside of that, internet crime related to the use of crypto is just 20.6%, meaning that the majority of other types of fraud still occurs through the ‘traditional’ financial system.
Going Beyond Investment Fraud
Investment in crypto is a tiny subset of what the technology is used for, and investment fraud is a very narrow category tracked by the FBI. Looking at just about all of the other categories, fraud losses would come from money being paid to the criminals. This distinction is interesting because broadly speaking, cryptocurrencies are primarily value transfer platforms, e.g. internet native payment networks. Though the messaging and positioning of Bitcoin has morphed over the years, one needs not look any further than the title of the original whitepaper to understand the idea behind Bitcoin’s creation: “A Peer-to-Peer Electronic Cash System”.
The FBI report does not provide a more detailed breakdown of payment mechanisms, but the FTC provides a more holistic picture. In terms of the payment mechanism used in these fraud claims, the FTC finds the largest category of losses to be attributed to bank transfers or payments, and not cryptocurrencies. In fact, the nominal counts of reported fraud according to the FTC are substantially higher through traditional rails such as credit and debit cards, payment apps and bank transfers. The FTC finds that losses through bank transfers alone totaled $1.8B vs. just $1.4B in crypto. This largely tracks with the relative use of crypto across the various categories in the FBI’s report: traditional payment mechanisms are still used far more often. In fact, of the 18 distinct categories tracked by the FTC, traditional payment rails were used most in 16. Crypto was used most in investment fraud and ‘business and job opportunities’ related fraud. In terms of share, crypto was used as a payment mechanism in 28% of all losses, inclusive of investment fraud claims.
Source: FTC’s 2023 Consumer Sentinel Network Data
A key observation from all of this data so far is that while crypto definitely accounts for a disproportionately greater share of investment related fraud, it accounts for only a minority of payments-based fraud.
Let’s double click on cryptocurrencies as payment mechanisms. While all cryptocurrencies can be used for payments, stablecoins (cryptocurrencies typically pegged 1:1 to the US dollar) are emerging as a predominant use case of blockchain technology, with $172B circulating as of writing. The top two, USDT and USDC, account for 90% of this total, or $156B. Over the past 365 days, they facilitated a combined $10.5 trillion in transactions. Visa, for reference, facilitated $12.3 trillion in payments volume in 2023, roughly comparable totals. In fact, stablecoins have grown to such a size that Visa itself now actively tracks onchain activity: they estimate stablecoin transaction volume to be closer to $21 trillion over the past year across the top 5 (of which USDC and USDT represent the vast majority).
Just to underscore this point: two stablecoins, USDT and USDC, now facilitate as much transaction volume as Visa.
Returning to the FBI report, any complaint that contains ‘cryptocurrency’ or ‘cryptocurrency wallet’ is classified as fraud with a crypto nexus. Definitionally, any use of these stablecoins would fit into that classification. Excluding investment fraud, the FBI reports $1.6B in losses associated with crypto. That is, of the $10T+ of payment activity, just $1.6B has been reported as fraudulent. Naturally, this is the low end of the estimate. If we include every single illicit transaction that Chainalysis traces online - $24.2B – we can get an upper limit of all illegal activity. Note, Chainalysis tracks all cryptocurrencies, not just stablecoins, so this count includes Bitcoin, Ethereum and any number of other currencies, but we’ll stick with just USDC and USDT for this comparison.
This gives us a range - $1.6B of fraudulent activity on the low end, up to $24.2B of total criminal activity on the high end through crypto transactions. At the same time, Visa reported blocking $40B in fraudulent activity throughout 2023. Relatively, this means that at least 0.33% of activity on Visa’s network is fraudulent, relative to a high estimate of 0.23% of stablecoin activity. This 0.33% of fraud on Visa’s network translates into major impact: 60% of US card holders have suffered from fraud, or 52 million consumers in the US alone.
A key difference: by their design, blockchains have no middlemen or intermediaries controlling the transactions, and transactions are essentially instant and irreversible. That is to say, when a fraudulent crypto payment is attempted, it is successful. Visa monitored and blocked $40B of attempted fraud on its network as the intermediary (not accounting for the fraud that was successful), while, with no ability to intervene in fraudulent payments, stablecoins saw anywhere from 40% to 96% less fraudulent activity in 2023. Again, this is accounting for the entirety of crypto related fraud relative to only USDC and USDT – a small subset of total crypto activity.
Source: Author’s calculations based on Visa, Defillama, and Chainalysis data
Interestingly, in Visa’s December 2023 Biannual Threats Report, it noted “a shift in threat actor focus veering away from cryptocurrency and towards authentication bypass; a focus that intensified in 2023.” That is, Visa is identifying a decreasing use of cryptocurrency relative to other technologies in payment fraud.
Zooming out even further, we can look at the amount of illicit activity taking place through traditional payment rails and compare that to how frequently crypto is used in relation. The UN estimates that roughly 2-5% of global GDP is laundered each year. Equivalently, that amounts to $800B-$2T annually. Using the high estimate of illicit crypto activity ($24B), 99% of global money laundering still occurs through traditional systems. In terms of share, 2-5% of global GDP represents a far higher prevalence of illicit activity relative to the 0.34% of total crypto activity that is estimated to be illegal, as estimated by Chainalysis.
Source: UN and Chainalysis
Illicit Activity Is Not New
One final point to serve as a grounding mechanism. Crypto seems to receive an outsized share of the spotlight relative to the size of the problem because it is the shiny new technology on the block. Many people – regulators and lawmakers included – are still unfamiliar with the technology, and with that naturally comes suspicion, a general lack of trust, and thus resistance. But crypto is neither unique nor creative when it comes to illicit activity. Unfortunately, financial fraud committed by the world’s most trusted institutions is egregiously common and largely overlooked by the public relative to the attention crypto receives. A few concrete examples that come to mind:
As the examples sadly go on and on, a summary might have to suffice: since 2000, banks have been fined nearly $400B for violations stemming from illicit or predatory activities. Shown below are just the penalties against the top 10:
Source: Top 10 offending banks since 2000 via goodjobsfirst.org
The point of bringing up illicit activity of banks is not to throw mud or obfuscate the issue. Rather, it is to simply point out that fraud and scams are inherently a part of human nature and have occurred throughout history, and no matter the guard rails, laws, regulations, or other protections in place, people will without fail find a way to use the latest technology to rip others off.
Technology is neutral. It is neither inherently good nor bad; it simply provides the ability for people to do things in a new, hopefully better way. How that is ultimately implemented comes down to human nature, which all too often skews negative, especially in the earliest days of a new technology. It likely comes as no surprise that Visa is already highlighting the increased use of AI in payment fraud. Still early in its development, AI is already giving criminals new methods through which they can facilitate illicit activity, such as deepfakes, voice clones, avatars, bots and automated agents, and any range of scams that have yet to be invented.
Often, critics of blockchain technology point to use of it by criminals and discount the entire industry as a criminal hotbed. But as we’ve explored, this is an overstatement of the issue and fails to appreciate the power of blockchain tech to create internet native payment platforms and everything those will ultimately enable.
Crypto for Investment Fraud, but not for Payment Fraud?
But why are criminals even turning to crypto as the option in the first place? The FBI notes that while crypto-related fraud only accounts for 10% of claims, it amounts to almost 50% of fraud losses – the vast majority of which is due to investment fraud. Obviously, this is highly disproportionate and points to a real issue. But as we found earlier, though crypto sees higher involvement in investment related fraud, it seemingly sees a lower share of payment related fraud. Why is this the case?
Pop quiz: what asset over the past 15 years frequently sees annual returns of 100%+, over 1000% on a few occasions, and returned an incredible 5481% in 2013 alone? Though Nvidia and AI are making a run in 2024, the fact of the matter is Bitcoin and crypto have provided astronomical returns that are borderline detached from traditional investing reality. We have covered digital assets as an investment class in other posts, but raise this point as a likely explanation as to why investment fraud is higher in crypto. It is largely a confluence of three main factors:
Each of these factors contributes to the relatively high share of investment fraud that takes place in digital assets relative to traditional securities, especially in developed markets. There are major efforts underway in the industry to build up protections and better abstract the user experience to reduce risks. But that is a multi-year problem to solve and until that time, any investor new to the space must be very cautious if they are looking to participate directly.
As a shameless plug, this is why getting exposure through liquid funds such as Triton is one of the best ways to gain exposure to the space. Deep experience in digital assets and robust custody, security and trading infrastructure are all necessary to safely navigate investing in the industry. Though the returns can be substantial, building exposure beyond Bitcoin and Ethereum opens investors up to many of the risks that come with the technology.
There are unique aspects of crypto that, much like cash, undoubtedly present it as a viable vehicle for crime: anonymity, peer-to-peer, instant, and irreversible. After all, cryptocurrencies are simply distributed ledger technology that enables internet-native value transfer. This leads to a higher share of investment fraud but works to reduce its use in payment-related fraud.
Crypto is an Awful Way to Conduct Payment-Based Illicit Activity
The earliest days of Bitcoin are often associated with the Silk Road, a Tor-based marketplace famous for its drug listings. In just over 2 years, Silk Road facilitated $183M in Bitcoin-denominated sales. At the time, Bitcoin was still an under-the-radar cryptocurrency with almost no infrastructure built up around it. That meant that Bitcoin was very much seen as a way to transact online anonymously. The perceived nature of cryptocurrency in the early days lent itself to this use: all of the anonymity and privacy of cash, but transactable at the speed and reach of the internet.
That association has very much stayed with Bitcoin and crypto in general, despite the opposite largely being true in 2024. While all of the benefits of crypto remain, such as being peer-to-peer, permissionless, instant, irreversible and accessible around the world, the other aspects that were previously exploited, such as anonymity and difficulty tracking, are no longer there. Firms such as Chainalysis and Elliptic, and a whole host of other service providers and infrastructure exist that make it amazingly easy to track onchain transaction activity. Further, stablecoins such as USDT and USDC have freeze functions embedded in their smart contracts, so, if for example Circle sees a new address added to OFAC’s sanction list or receives a valid court order, it immediately freezes the address, prohibiting any funds from being moved.
For example, Bloomberg recently reported that a group behind a cyberattack against drug company Cencora received $75M in extortion payments following a data breach in February. Chainalysis, and another security firm Zscaler, had previously identified the attack and payments in July, before the company itself made the numbers public. A private individual, well known for his ability to trace onchain activity, easily identified all of the Bitcoin addresses involved, and exactly how much was sent between each and when. This is a level of transparency and openness that does not exist in the traditional system: imagine a random stranger being able to track your Bank of America or HSBC payment activity and account balances. This is true for almost any asset on public blockchains such as Bitcoin, Ethereum or Solana. It is trivially easy to trace transactions, even for the public. For those curious, the entirety of USDC’s transaction activity on Base can be watched in real time here.
Source: ZachXBT via X.com
As the FBI itself notes in its report, “[c]ryptocurrency transactions are permanently recorded on publicly available distributed ledgers called blockchains. As a result, law enforcement can trace cryptocurrency transactions to follow money in ways not possible with other financial systems”. Remember that Elliptic report we mentioned earlier that was held up as proof that crypto is key to terrorist financing? Well, the opposite is actually true. As TRM Labs points out in a report here, “As a result of the repeated and successful targeting of Hamas’ cryptocurrency infrastructure by Israel and the United States, the group announced a halt in crypto fundraising in April 2023”. It turns out, crypto was actually a bad way to raise funds.
So, if this is the case, why is there still illicit activity happening? Ironically, a significant reason why public blockchains are still used at all for this is a result of a lack of coordination and alignment between regulatory and law enforcement bodies around the world. As the FBI goes on to explain, “since cryptocurrency also allows transfers of funds to exchanges overseas, US law enforcement may encounter significant challenges when following cryptocurrency that enters other jurisdictions, especially those with lax anti-money laundering laws or regulations.”
In June 2022, the US Attorney General’s Office published a report highlighting many of these issues and proposing ways to improve. Of the main challenges arising, only one section has to do with the technology itself (namely, speed and cross-border nature, which are also fundamental improvements in payment technology) and the other three have to do with regulation and law enforcement cooperation.
The AG notes that “[blockchain technology] has the potential to enhance law enforcement’s ability to detect suspicious criminal activity, generate leads to further investigations, and provide a permanent record for use in an eventual prosecution.” The report goes on to detail challenges that arise. Most frequently, it highlights issues interacting with Virtual Asset Service Providers (VASPs) and other centralized entities in other jurisdictions as the main restricting factor in investigating and prosecuting illicit activity with cryptocurrencies. Jurisdictional issues and lack of cooperation from service providers are not issues created by, nor uniquely attributable to, blockchain technology.
Source: The 2022 US Attorney General’s Office report detailing “Challenges Arising in the International Investigation of Crimes Related to Digital Assets”
Ironically, as the FBI explains in the section on why “criminals exploit cryptocurrency”, they also underscore some of the reasons why the technology is so powerful. Though specifically talking about criminal use in terms of money laundering, the explanation is eye-opening as to what crypto enables: “actors connected to the Internet from anywhere in the world can also exploit these characteristics to facilitate large-scale, nearly instantaneous cross-border transactions without traditional financial intermediaries that employ anti-money laundering programs”. Though highlighting a criminal use case, the flip side is very true too for above-board, regulatorily compliant actors. It is possible today for institutions to send $100M to any country in the world instantly for less than 1 cent. That presents multiple step-changes in improvement over traditional rails.
This lack of regulatory clarity around the world has been a headwind to the industry. This post has made it clear that fraud and scams are highly present in digital assets and in no way attempts to deny that. However, this regulatory issue exacerbates that reality. For example, in the US it is still unclear whether the SEC or CFTC is the main regulator for the industry, or even whether Ethereum and Solana are securities. Staking (e.g. earning rewards from participating in network security) and airdrops (e.g. earning rewards from helping teams test new protocols and products) have been effectively outlawed in the US, and enforcement actions against the largest crypto companies are common despite frequent attempts to gain clarity.
As a result of this regulatory uncertainty, a lot of development is being pushed offshore to other countries: in 2024, 74% of developers now live outside the US, a significant rise from the 60% share in 2018. Rather than increase regulatory oversight, this has pushed the locus of development out from under better-regulated markets to those with weaker financial protections in place.
Source: Electric Capital’s Developer Report
Conclusion
It is clear that investment fraud related to cryptocurrencies is a significant issue, skewed far beyond its relative size and adoption to date. However, its use in payment-related fraud and scams, relative to other traditional rails, is far less prominent. Many of the characteristics that make it a preferred choice for investment schemes also make it a comparatively poor choice for payments-based schemes. The industry is still very young, but the abilities of the technology have thus far outpaced regulators’ and law enforcement’s ability to react. As such, the requisite infrastructure around compliance and law enforcement, though improving, remains lacking.
While the industry acts to improve (and it must), the onus is also on authorities to develop adequate frameworks and agreements to effectively cooperate and provide a fair, consistent lattice for the industry to build against. Jurisdictional and other legal issues that have long existed are only exposed by the introduction of digital assets, not created because of them. There are undoubtedly growing pains as the technology matures, but as the industry develops and regulation adapts, the long-run benefits of blockchain technology will only become more evident as it is further embedded in the global financial system.