Security researchers warn that another large-scale ransomware campaign using the Locky malware is unfolding in the U.S. and Japan. Encrypting a victim’s hard drive and demanding money to decrypt it is clearly illegal in both countries. Unfortunately, ransomware criminals who demand payment in Bitcoins often manage to get away because they hide their identity, leaving the Bitcoin transaction in public view on the block chain, but leaving no way to figure out who received the coins. Although researchers at George Mason University and the University of California, San Diego, found ways to defeat the anonymity of Bitcoin transactions, these tools—while promising—are neither foolproof nor readily available. It is time to rethink what Bitcoin is and the legal remedies available to disrupt illegal transactions involving it.
Ransomware effectively constitutes two crimes: an illegal computer intrusion to encrypt files systems, followed by coercing the victim with a threat to not turn over the decryption key unless payment is made. The latter half qualifies as blackmail or larceny in most jurisdictions, a crime that covers situations where a criminal threatens to cause the victim some harm, and then demands money or property from the victim in return for not acting on the threat. Virtually everywhere, blackmail covers demands for money or for goods, and there is an important legal distinction between the two. The law “follows” stolen goods. Even if a stolen good is sold in good faith to a third party (multiple times), the original owner can reclaim the property upon identifying the stolen good. The current owner of the property—even if a completely honest, unwitting purchaser—loses it without any compensation from the state or from the original owner. (We periodically see this legal principle applied in cases involving personal property stolen by the Nazis.) Money, however, is fungible, which means that once the criminal uses the stolen cash in a transaction with an unwitting third party, the currency is “clean.” Even if a stolen bill is tracked by serial number, the original possessor cannot seize it from the current holder.
Law enforcement should treat Bitcoin as a commodity as well. In doing so, the victims of ransomware who pay would have recourse against all future owners of the ransomed Bitcoins to reclaim them.
There has been a lot of legal debate about whether Bitcoin is a currency, a security, or a commodity. That judgement will ultimately determine whether Bitcoins used to pay ransom are treated as stolen money (fungible) or stolen goods (reclaimable). The IRS recently announced that, for tax purposes, it is treating Bitcoin as a commodity. In line with that view, law enforcement should treat Bitcoin as a commodity as well. In doing so, the victims of ransomware who pay would have recourse against all future owners of the ransomed Bitcoins to reclaim them. That right could be facilitated by a clearinghouse of “bad” Bitcoins maintained by the Secret Service in the U.S. and Financial Services Agency in Japan.
Bitcoin exchanges licensed to operate in either country would be required to freeze the wallets holding these Bitcoins, if deposited. A criminal might be able to trade the Bitcoins to a third party via an overseas Bitcoin exchange, but if the list of “bad” Bitcoins is updated quickly, a purchaser would be able to see that the coin was “stolen” and that if she bought it, it would come with a “clouded title.” If undertaken comprehensively, blacklisting illegally obtained Bitcoins would disrupt their value as a currency of extortion.
Additionally, diplomatic pressure, combined with OFAC-style sanction lists, could be used to pressure overseas exchanges into choosing to operate on the fringes or to enjoy ready and legal access to U.S. and Japanese customers. The idea that Bitcoin operates outside the regulatory framework of civil society is already in tatters. Now is the time to look at how legal remedies can be brought to bear on criminals victimizing society with Bitcoin-funded ransomware.