May 22, 2024
19 min read

Crypto Fraud: “What The Fraud?” Podcast

Dive into the World of Fraud with the "What The Fraud?" Podcast! 🚀 Our guest today is Caroline Malcolm, the Vice President of Global Public Policy at Chainalysis. We will discuss fraud in crypto, including its involvement in money laundering schemes, money muling, and investment scams.

THOMAS TARANIUK: This is “What The Fraud?”, a podcast by Sumsub, where digital fraudsters meet their match. I’m Thomas Taraniuk, Head of Partnerships here at Sumsub, the global verification platform helping to verify users, businesses, and transactions.

The Securities and Exchange Commission, otherwise known as the SEC, sued cryptocurrency exchange Kraken in 2023, alleging it had violated investor protection laws. The SEC claims Kraken acted as a broker, dealer, exchange, and clearing agency without registering with the regulator. This is an extreme example of fraud in crypto, but is also a good indication of how seemingly legitimate businesses that engage in large amounts of business on a day to day basis can be secretly committing wide scale fraud.

In this episode, we’ll be exploring the issue of fraud in crypto and its involvement in money laundering schemes, money muling, and investment scams. We’ll look at the complex issues for those trying to find and prevent criminal activity in the sector and how AI and deepfakes are making things even trickier for investigators.

Today’s guest is Caroline Malcolm. Caroline is the Vice President of Global Public Policy at Chainalysis and has had a lengthy career working in global tax and finance institutions. In 2018, Caroline was the founding head of the OECD’s Global Blockchain Policy Centre. She led a team assessing the policy implications of distributed ledger technology, including topics as diverse as fintech, cyber security, data privacy, supply chain due diligence, digital skills and antitrust policy.

Caroline, thank you so much for joining us on “What the Fraud?”. 

CAROLINE MALCOLM: Tom, it’s really great to be here. Thanks for the invite. 

THOMAS TARANIUK: So let’s start with the broad strokes. Just last year, the US Department of Justice discovered 3. 6 billion US dollars worth of crypto, which had been stolen back in 2016. These are huge figures we’re dealing with, and they’re only going to get bigger.

Caroline, in broad terms, how has the landscape of fraud in the cryptocurrency industry evolved over the past year? 

CAROLINE MALCOLM: It’s a good question, Tom, because we’ve actually seen the landscape of illicit activity generally, but also that specific area of fraud change quite a lot, not just in the last year, but really since Chainalysis has been tracking the ecosystem and we’re celebrating our 10th anniversary this year.

So. Congratulations. Thank you. It’s, it’s been a while, you know, there’s a couple of different sort of trends I would highlight. Certainly, you know, when it comes to this area of fraud or what people, you know, might more commonly known as scams is that we actually see, you know, as the market goes up and down, which of course it does quite a lot when it comes to, to the world of crypto, we see the types of scams change.

So certainly in a rising bull market, like we have now, the level of investment scams, for example often starts to increase. What does tend to remain pretty constant and has actually increased significantly since, since really starting in 2020, but even just in the last 12 months alone is the area of romance scam.

So something which we might be very familiar with from the world of traditional finance. I think, you know, almost everyone’s got an email from a Nigerian prince sitting in their email inbox somewhere. 

THOMAS TARANIUK: Not myself so far, but… 

CAROLINE MALCOLM: I can send them your way. I can send them your way, but look, you know, that world has very much come to the world of crypto. And we sort of think of it as, as kind of financial grooming. It’s, it’s that idea that over time, it’s not just that one off, you know, that you tend to see perhaps in an investment scam, but it’s over time cultivating victims so that they send you more and more funds. 

THOMAS TARANIUK: Well, that’s really interesting to hear. And given the, let’s say, increase in sophistication of fraud techniques, what do you believe are the most powerful prevalent types of fraud currently affecting the crypto industry and besides romance scams, let’s say?

Main types of crypto fraud

CAROLINE MALCOLM: Yeah. So romance scam is definitely the big one. And when we look at the kind of, we tend to look at say average payment size and there’s no question romance scams sitting at about an average payment size of about four and a half thousand dollars per payment.

Suggested read: Detecting Romance Scams: A Guide for Dating Platforms and Their Users

Now, that’s not per victim because obviously most victims are going to be making multiple payments, but per payment that’s certainly the highest. The other one, which I think probably has a more technical aspect and we’ve also seen growing is what we call approval phishing scams. This is essentially where perhaps unwittingly or certainly unwittingly, as to the consequences, people are giving approval to fraudsters to actually access their wallets.

Now that of course can be quite common in the world of some particular applications, particularly in the DeFi space. But when that application is actually being, you know, fraudulently developed, you’re giving access to your wallet funds and the ability to make transactions on your own behalf by someone who’s really just there to steal your funds, not to put it to a legitimate purpose.

THOMAS TARANIUK: And it does show that the importance of sort of tracking these funds and stopping them when they are going to be converted, let’s say from crypto to fiat and then source is super important. From another angle as well, there’s a lot of coined terms around rug pulls, et cetera, where media stars and celebrities are actually taking advantage of their audience.

Is that something that we’re going to continue to see in the coming years? 

CAROLINE MALCOLM: Look, we do, we certainly see sort of the, the, the growth of sort of what we’ll call the rug pull industry. And I think perhaps that word and the fact that we have seen organized crime move much more into this space. It’s not sort of, you know, just, your kind of, your individual doing something bad.

This is big business. So if we think about illicit activity, generally we are looking at about $24 billion in in 2023. Wow. But the scam space alone is about a fifth of that, just over four and a half billion dollars that we’ve tracked so far. And we keep those numbers updated because remember, we’re receiving information all the time about, well, this is a scam address, or that’s a scam address.

And as we do that, and that’s often historical data. So as we do that, you’ll see those numbers increase over the next year. So if we look back in a year, you’ll go back to our 2023 numbers and see for scams, like for other illicit activity, that it’s actually higher than we’re reporting today. 

THOMAS TARANIUK: I would love to touch on sort of the regionality of this as well.

So given recent news stories about the fraud in crypto that we’re seeing and that we’re talking about now, it could be easy to assume that much of it is primarily based out of America or is an American issue. Could you talk to us about maybe the regional differences in crypto fraud? 

Regional differences in crypto fraud

CAROLINE MALCOLM: I think we, we certainly see different types of scams all over the world.

One of the things, and coming back to this issue about kind of the rise of organized crime in the scam space, is that we’re actually seeing and kind of coming to that fraud issue. We actually did a bit of a deep dive looking at what we, we sort of see as these, you know, financial grooming sort of compounds that get developed.

And we, we spotlighted one in Southeast Asia, which is really, it’s about that not only are these large groups of people actually running these operations to undertake fairly elaborate scams. And again, over time. It’s that financial grooming aspect, but also the people who are actually, you know, making those calls or sending those emails or however, sending those text messages, however they’re reaching out to you.

Often those people themselves are people who are victims of crime. They’re often being trafficked and themselves are, you know, being kept in these compounds with their families, being asked to pay ransoms to, to get them out of those, those compounds. So it’s a very complex network. And I think one of the things we’ve seen through the use of, of crypto, you know, we’ve certainly seen used in illicit activity, but it also gives a big advantage to to law enforcement.

And they’re able actually to trace these different activities and identify, you know, where you see are those payments being made that in fact, for example, to scams which might look unrelated, do actually, you know, come back to the same source and the same organized crime group. And I think that’s a big difference that we’ve been able to make in terms of being able to make sure that these networks are properly identified.

And I, you mentioned the US and I think obviously, you know, you mentioned a particular case there last year, there’s a very large sums of money involved in a, in a particular hack in that case. And the reality is, is that, you know, a lot depends on sort of the, the willingness and skillset of local law enforcement to actually drive forward progress in tracking these issues.

And then there’s also obviously things that, you know, victims themselves can do, as well as the platforms who might be intermediating some of these transactions.

THOMAS TARANIUK: Let’s dive into the specifics then, Caroline. At Sumsub, we understand that money mulling is a particular problem in the crypto exchange industry. Can you elaborate on the mechanics of the crypto money mulling scheme? 

Crypto money muling

CAROLINE MALCOLM: Yeah, so this is quite an interesting space because it, It touches that intersection of what we think of as off chain and on chain.

So obviously at Chainalysis, we focus very much on the on chain. And when we talk about the data we have about, say, the volume of scams, we’re very much focused on that on chain activity. But the reality is also crime or, you know, money mule activities which have an off chain element. So it might be that funds are being received by a person who’s acting as an agent in the money mule case, who are receiving those funds potentially in a fiat currency, or they may be receiving them directly in crypto.

And then they might, if they’re receiving them in fiat, they might bring them into the crypto ecosystem, but they’re not really doing that on their own account. They’re doing it on the account of somebody else. And again, we’ve seen that kind of money mural activity crypto. And the challenge I think, you know, for, for law enforcement there is making that transition from the off chain world to, to on chain world.

But it’s certainly, you know, the use of crypto for for money laundering as well as these other specific types of illicit activity is again something we’ve seen increase over time. 

Suggested read: What’s Money Muling? Understanding Red Flags and Why Businesses Should Be Concerned

THOMAS TARANIUK: Often money mules are individuals who are willing to sell their credentials to criminals so they become part of a criminal network but there are also victims who don’t fully understand what they’re signing up for and can be taken advantage of.

How do we educate users of crypto platforms to help them better understand how to not become victims of fraud networks? 

How to avoid falling victim to crypto scams

CAROLINE MALCOLM: Yeah, look, I think there’s a couple of things that can be done that sort of, you know, the traditional education, I think, which is not specific to crypto about, you know, making people really verify and think about, you know, just essentially sort of just stop and think, giving them awareness about the different types of scams that are out there.

And so if they receive, for example, a particular type of email or a particular text message, or, you know, particular wording that it uses, it should start to set off a few kind of warning bells. The other thing we can do is kind of leveraging the transparency of blockchains is that we’re able to identify, you know, particular wallets associated with, with illicit activity and you know, platforms work hard to flag to their customers, you know, you know, whether it be popup messages, be calls to clients, video calls to sort of say, you know, are you sure you wanna make this transaction? You know, and the struggle there is often is that, particularly in those financial grooming situations, this is like the heart of the manipulation is that people have been told, you know, that the platform’s going to ask you if you want to go ahead with the transaction. You know, they’ll tell you it’s a fraud, but it’s not, you know, you need to trust me. They’ve built up that trust over time. And so it’s, it can be a very tricky space that I think doesn’t have a single answer, but certainly sort of education about, you know, the types of wording, the types of approaches that you can receive, those, those messages that the platforms can can trigger to say, you know, to verify that you do in fact want to make this, this transaction to try and get you to think twice or three times about what you’re doing.

Suggested read: Crypto Hygiene: Tips and Best Practices for Clean Crypto

And then of course, you know, once the transaction’s been made, there are some various tools where there’s sort of, you know, tracing, you know, whether that tracing happens into, you know, a personal wallet or to another service or particularly depending on what type of assets happening. So we know, for example, stable coins have been an area where law enforcement have been effectively been able to kind of ask for the freezing of those coins because they have that, that kind of technical capability so that even if somebody has received those funds illicitly, they’re not able to do anything with them because they can’t move them anywhere from, from that wallet. 

THOMAS TARANIUK: Definitely. And given that, I mean, we are in a bull run now as they would coin it, right?

There’s going to be a lot of green faces entering the market and, don’t necessarily have all the information they need as a new investor or someone who’s interested in the DeFi space. Do you think if we took a snapshot of the crypto industry now, including exchanges, that they are doing enough, these businesses to educate all of these new newcomers basically into into this sphere?

CAROLINE MALCOLM: Yeah, no, it’s a good question. And look, I think even the awareness on the services, the exchanges side of things has increased over, over time. And so it’s almost, you know, part of their education that as you get more involved in this space and your obligations towards your consumers, you know, come alongside that.

That’s kind of license to operate in a sense, whether that be a social license or an actual license. And people really start to sort of see, okay, there’s much more awareness today than there is of those kind of social or legal obligations. And I think regulators also have gotten a lot more active in that space.

So even things like, you know, we see in some countries like Singapore, for example, customer suitability requirements, you really have to screen what type of customers that you allow on your platforms. They have to have a certain level of awareness about what they’re actually getting involved in. And do they understand, you know, some basic details about how the, you know, digital asset ecosystem works, or, you know, in other jurisdictions, they’re looking at levels of wealth to sort of say, look, we consider this a particularly high risk area and you can see that in their financial promotion rules, for example. And so if you want to get into this space, the, both the services have a high threshold to, to reach, but also consumers might have to be a particular type of consumer qualified investor, for example.

THOMAS TARANIUK: We’ve now touched on perhaps the money muling side, but there is a whole other sort of element of fraud here around account takeover. So I mean, account takeovers is a real problem. It’s a problem that obviously lots of businesses are trying to solve outside of the crypto space. But take the CEO of Ripple, whose account was actually stolen.

And this is a was a big news article. How can individuals as well as the businesses actually protect themselves from these account takeovers? 

Protecting against account takeovers

CAROLINE MALCOLM: Yeah. So those account, I mean, account takeovers can happen in, you know, a variety of different ways, sort of whether it be sort of social media based phishing attempts or more, more direct avenues, technical avenues to actually, you know, infiltrate somebody’s account.

And there, as I said, there’s, again, it’s probably not one solution, but like a significant amount of vigilance, uh, on the individual side in terms of, you know, how they keep their private keys, for example, you know, very, very basic things we’ve seen. We continue to see some sort of fairly kind of low technical level attacks on the ecosystem where, you know, even through things like, you know, having, you know, two factor authentication, for example, like what we would, you know, what many people certainly in the cyber security area would consider sort of be sort of table stakes. We still haven’t fully adapted to that. to the risks that exist in the online world in general.

And that’s true in crypto with account takeovers, as it is in other parts of sort of the digital realm. 

Suggested read: How to Prevent Account Takeover Fraud: Use Cases

THOMAS TARANIUK: A hundred percent. And there’s always more at stake when money’s involved, of course, as well. But there’s also been a concerning rise in, and you mentioned romance scams earlier, but in financial grooming, where innocent victims are actually befriended by the so called fraudster.

And are then, let’s say, conned into investing into a crypto scheme. So I maybe touched on this maybe with the overall influencer market, where they’re creating these rug pulls, they’re creating interest and generating this false marketing to drive customers towards investing and pumping up a market price, but then withdrawing everything.

Once the innocent party decides to withdraw their investments, they’re usually left out in the cold in these instances, with some losing their life savings or a lot of money. So from the criminals getting more sophisticated at these investment scams, let’s say, what do you think the individual can do to actually spot them?

CAROLINE MALCOLM: Again, there’s a lot of information which is available online, you know, sort of encouraging people to always seek another sort of verification point, just another test point, you know, and I’m not talking about staying within the same discord channel and asking others what they think of this, but really kind of going outside that environment.

There are a lot of websites which will identify, you know, This has been identified as a scam address, for example, and really actually kind of go and verify if it’s something new, if it’s something you haven’t heard about, it’s the classic, you know, if it sounds too good to be true, it probably is. 

THOMAS TARANIUK: So with everything that we’ve spoken about so far, Caroline, it seems there’s a real issue with identity verification. So from your perspective, what kinds of security processes do crypto exchanges currently have in place to stop fraudulent activity from happening? 

Security processes for crypto exchanges

CAROLINE MALCOLM: Yes, look at the state of the kind of the obligations that exchanges are under. The world of identity verification, which is part of that broader world of sort of anti money laundering rules, has definitely progressed and that really began, you know, even earlier, sort of going back to 2013 in the US when the first rules were sort of developed. We have the international standard developed in 2019. And so there’s a couple of things that the exchanges are required to do in most countries of the world today, certainly identity verification when it comes to their customers and sort of enhanced customer due diligence where that’s required.

And that might include things relating to safe source of funds. So where is this money that they’re looking to invest actually coming from? Is it coming from illicit or illicit sources and it can it be justified, but then also counterparty due diligence so if I’m the exchange and I’m sending on behalf of a customer money to another exchange. I have to verify that that exchange is in fact who they say they are, but also they have the proper controls in place or it might be that in the case that I have an accountant in exchange and I want to send those funds to either my own personal wallet or somebody else’s personal wallet. If we look at the European rules, for example, under the transfer of funds requirements, then actually verifying that person. You know, either if it’s my own wallet that I have control of it, control verification. And if it’s not my own wallet, that I’m at least collecting some basic details about, you know, name, you know, first name, last name, kind of address something to be able to identify those people that, you know, are touching a, you know, intermediated service in some way.

Crypto Travel Rule

THOMAS TARANIUK: The Travel Rule implemented in the 1st of September 2023, it requires UK based crypto asset businesses to collect, verify and share specific transaction information relating to the transfers of crypto assets at VASPs or virtual asset service providers as well. So how are regulatory requirements, such as the Travel Rule, shaping the efforts of crypto companies to combat fraud within this industry?

CAROLINE MALCOLM: Yeah. So look, they’re pretty fundamental. I think the, the, the financial action task force has highlighted in a report they brought out about a month ago and sort of said, you know, we brought this standard out on things like the Travel Rule in 20, end of 2018 for sort of five, six years down the track.

And they sort of said, you know, we haven’t made as much progress as we’d like. And that’s certainly true. And that’s been slow in terms of individual countries. So the UK, you know, you gave that example. We have a standard pushed out in 2018. Now it’s just coming into force in the UK in 20, you know, 2023.

So it’s never as quick as anybody would like. And I think people see this as frustration or, you know, perhaps that the crypto ecosystem is moving slowly. I do like to bring people back to kind of, you know, ground them, I guess, in other similar scenarios. And certainly when the similar rules got brought in traditional financial institution, it was about 10 years for implementation to actually take place.

So not to excuse the sort of slowness, but there are, you know, regulatory requirements. There’s a lack of a common what we call a sunrise date, a lack of a common start date between countries. So I might have an exchange here in the UK that’s required to meet the Travel Rule. But if I’m transacting with an exchange in another country, which hasn’t yet implemented, the Travel Rule.

Suggested read: What is the FATF Travel Rule? The Ultimate Guide to Compliance (2024)

That exchange may not have all those details that I’m required to, to receive from them. And so like, just some of the very practical, very boring things that can actually, you know, slow down that, that process. Look, I think we’re getting there and we’re on the right path and the technology is developing as well.

And I guess we, you know, we have seen a lot of progress is the reality. 

THOMAS TARANIUK: Definitely. It sounds like it has taken a long time to come to fruition, right? But now that it is here. And that we’re hopefully going to be benefiting from it. How do you think the Travel Rule has impacted, let’s say, the level of trust and transparency within the industry, particularly around the issues of money laundering or terrorism financing?

The impact of the Travel Rule on trust and transparency in the crypto industry

CAROLINE MALCOLM: Look, I think it’s given a lot of comfort to people who may not You know, there may not have been the early adopters of crypto, I mean, they may not be kind of your, your Bitcoin maximalists, for example, but over the years they’ve sort of taken an interest in the space for, for various reasons. And, but they might’ve been hesitant to get involved, but seeing that there are some of those safeguards in place, I think give people a degree of comfort.

You know, the reality is most people don’t want to find out that, say, North Korea is on the other side of a transaction that they’re making. And so it kind of gives that level of comfort that there is these sort of regulatory safeguards in place. And I often say to policymakers, decision makers who are considering making these rules that, you know, people often say, well, you know, If we pass these rules and we’re sort of agreeing with crypto and it’s not really a question of, you know, liking crypto, not liking crypto.

It’s really a question of whether you, you know, people are already in this space, you know. 

THOMAS TARANIUK: It’s not going to go away. 

CAROLINE MALCOLM: It’s not, it’s clearly not going away. And, you know, given that, you know, Given that fact, you’re better off to kind of be very practically minded and put in place some of those safeguards so that we have more transparent markets, we have more consumer protection, and some of those very foundational things like sanctions or money laundering, terrorist financing, those are actually protected against by having, having those rules.

Web3 and compliance in crypto

THOMAS TARANIUK: What changes and challenges will Web3 bring in terms of compliance in crypto? 

CAROLINE MALCOLM: Yes, it’s a really interesting space because when we think a lot about kind of crypto people think of them as say either financial or quasi financial assets. Now you get into the world of Web3 and I, it’s a very blurry world I think where we have assets which aren’t necessarily sort of financial in nature but they have the fungibility, they have the portability and they have some sort of value in a marketplace that we come to think of as financial assets, but they might be, you know, they might be particular attributes in a game, for example. And so I think one of the questions which is still, you know, yet to be answered is we’ve applied particular types of regulation to the financial space and we’ve applied different types of regulation, or if we think about the internet, very little regulation to other parts of the space.

Suggested read: Web 3.0: The Future of Identity

If you have a spectrum, which on one end is the financial asset, on the other end is your data asset. And in the between you have all sorts of different things. They might be, you know, you know, music files, which get tokenized. For example, it might be tokens that you use in games, for example, NFTs, exactly.

So if you think about these things, where do they sit? Are they more like a financial asset or more like a data asset? Because historically, we’ve treated financial assets and data assets very, very differently. And so I think it’s going to be interesting to see, and I think we’re not quite there, that that part of the ecosystem sort of hasn’t reached maturity, although in some parts of the world, you know, Philippines, Thailand, Vietnam, huge levels of adoption.

And then we really see like big growth in the Web3 space there. But sort of as that happens and these new business models can arrive where, you know, we don’t, it’s not even about sort of paying one penny for something, it’s like 0.0001 micropayment space. As that opens up, I think it’s going to be some very interesting question.

Do I apply the same know your customer rules to a video game where I might be trading in these things? Because we haven’t done that historically if we think about sort of multiplayer online games, we haven’t done that level of KYC before for those. 

Top 3 tips for crypto companies to protect their assets

THOMAS TARANIUK: So Caroline, what are your top three tips for crypto companies to protect their assets and their customers from fraudsters?

CAROLINE MALCOLM: Yeah, good question.

  1. Number one is user education. And certainly, you know, some of that sits on the user themselves, but also there’s a huge opportunity that these platforms have to, to kind of run in education campaigns generally about the types of frauds.
  2. Secondly, is the alerting. So, you know, the tooling is there to be able to tell your customers in specific instances where when they’re about to make a transaction, which goes to a wallet, which has been identified as involved in illicit activity.
  3. And the third thing is the follow up and you kind of alluded to this a little bit before in terms of not just in the moment, but continuous sort of verification, because again, this is one of the advantages. So no, maybe this is a customer who, when they made the first transfer out of your ecosystem, didn’t transfer it to illicit activity. But we can now see that if you run those transactions again, a couple of months later, for example, that maybe, you know, that money ultimately made it into a darknet marketplace, for example, you know, and that should raise some flags, you know, how did we get there? What, what actually occurred in that chain?

And I think, you know, using those, those tools available, sort of the compliance approach, not just to alert, but also then to actually do those deeper dives is kind of fundamental. So it’s user education, using the technology to deliver like real time alerts and thirdly is the sort of compliance follow up, the investigation side.

THOMAS TARANIUK: I think it’s a fantastic sum up. Thank you for joining us on “What The Fraud?”. It’s been great having you. 

CAROLINE MALCOLM: Tom, really appreciate it. The work you’re doing here is really important to bring awareness to everyone. Thanks a lot. 

THOMAS TARANIUK: Thanks for joining us once again. The next edition of “What The Fraud?” will be the final episode of the series, and we’ll be looking into the psychology of a fraudster, and how ego, the economy, and addiction can all play a part in turning someone to a life of financial crime.

We’ll explore the differences fraudster. and how understanding a fraudster’s thought processes can better help us protect ourselves against fraud.

What an episode this has been. I’ve learnt so much, and I think it will be incredibly valuable for companies and customers when protecting themselves against fraudsters and criminals. And, as always, Please like comment, follow, and subscribe wherever you’re listening to us. Now, any feedback you can give us is incredibly helpful and also makes it easier for other people to find us.

And if you want to hear more about what we do at some sub and how your business can benefit from our verification services, definitely check out our website at and subscribe to our socials.

CryptoFraud Prevention