“A computer in every home” was how, in the early 1980s, Bill Gates described his vision for the future of personal computing. By 2020, it is estimated that the number of connected devices (as many as six per person) will be 50 billion globally.¹

Gates’ vision was prophetic, but no one could have imagined that close to 30 years later bitcoin would be invented. Like a cuckoo, bad actors nefariously “borrow” the computing power from these connected “nests” in what has been termed cryptojacking or malicious mining; this article will refer to it as cuckoo mining.

This article explains the concept of cuckoo mining and raises questions (including legal questions) about the resulting anti-money laundering (AML) considerations and the implications for those in the virtual currency community, specifically those in the compliance area. The authors are not lawyers, but many ACAMS’ members are, and it is hoped that this article will trigger legal debate, as well as answers to some of the questions posed.

Whether one is at home or work, on a laptop or desktop, using a smartphone or any connected device (connected to the Internet) that utilizes computing power, cuckoo miners may come to visit or may already be in residence.

Operating silently in the background (and while the user foots the bill), they surreptitiously hijack and effectively steal the processing power of a device to mine for cryptocurrencies. This type of cybercrime has seen a rise almost as meteoric as cryptocurrencies themselves, and has now overtaken ransomware as the number one threat for consumers and enterprises in the digital realm.²

Like other forms of cybercrime, the goal of the bad actor is often financial gain. But the characteristics of cuckoo mining are unique and require new thinking about how to tackle this crime from an AML perspective. Questions that come to mind include “How does it work?”; “Is it a crime at all?”; “Is organized crime ‘involved?”; and “How would this ever be detected?”

Digging for Gold

In the early days of bitcoin, users with personal computers could effortlessly acquire the currency through mining rewards.³ Similar to gold mining, bitcoins exist in the protocol's design (just as gold exists underground), but they have not been brought out into the light yet (just as the gold has not yet been dug up).⁴ Among other functions, miners—through the technology equivalent of immaculate conception—bring the coins out into the light. But mining is an increasingly competitive (and for successful miners, rewarding) enterprise; gone are the days of users being able to mine bitcoin simply using their home computer’s central processing unit (CPU).

As the competitiveness and difficulty of mining has increased, mining capabilities have developed in response. Some moved to graphics processing units (GPUs) as a superior form of processing power but this too became infeasible as the computing power required grew exponentially through the emergence of application-specific integrated circuits (ASICs) and collective mining pools.⁵ Other groups even learned they could deploy snippets of JavaScript code on websites that recruited their visitors’ CPU power (known as browser-based mining) often unknowingly to mine for them as part of a bigger mining network (i.e., a mining pool).

New Tricks for an Old Dog

Cuckoo mining came into the fray and everything changed. Despite the competitiveness that now comes with mining bitcoin, there are many other “alt-coins” that are up for grabs that do not utilize ASIC technology in the mining process, and are better suited to using the more “traditional” CPU/GPU-led approach. In the context of mining, these cryptocurrencies are often referred to as “ASIC-resistant” coins.

When cryptocurrencies like Monero emerged, the attention returned to browser-based mining. One of the earliest efforts was called Coinhive—a tool developed to allow websites to borrow visitor’s CPU processing power for the process of mining cryptocurrency.⁶ What started out as a well-intentioned alternative monetization method for websites quickly captured the attention of cybercriminals. Today, hackers will often join a mining pool, sometimes only needing to provide a valid email address in order to get up and running. Once they have injected some mining JavaScript code onto a website—like that used by Coinhive—the mining begins, with visitors unaware that any mining is taking place, and at the device owner’s expense.

This form of cryptojacking is one of two primary forms of attack. The other more nefarious form is in the shape of a traditional malware attack, where a victim may receive a legitimate-looking email, text or otherwise, that contains a link with mining code embedded in it. Once clicked, the cryptomining script is placed on the victim’s computer and the mining begins. Both methods represent a new form of malware, where theft in the traditional (and tangible) sense is not present—other than the theft of the user’s CPU-processing resources, an arguably intangible asset. Nonetheless, the victim has been an unwilling participant in mining activity, with the hacker likely having made a financial gain.

Giving Birth to the Proceeds of Crime

In theory, cryptocurrency generated through legitimate mining produces a coin that is clean and free from any previous “baggage,” just like mining a diamond harvests a stone that has no history other than the time spent in the ground, waiting to be mined.⁷ However, for both diamonds and cryptocurrency, this is not always the case. Cryptocurrency that has been mined through the process of cryptojacking is arguably tainted from the point of creation given the nature of its creation, similar to a diamond mined in an illegal mine or known conflict environment.

In order to realize a monetary gain, the criminal has to break the money trail and convert the mined cryptocurrency rewards to another form. There are several ways this can be completed. When a victim’s device has been cryptojacked by a cybercriminal, it is common for the processing power generated by the victim’s device to contribute to a mining “pool” of other infected users’ devices, all directing hashing power to the job of mining cryptocurrency.

The cybercriminal might be a member of a popular and legitimate mining pool website such as Slush Pool or Mining Pool Hub where, once a coin has been generated, it is deposited into the cybercriminal’s crypto wallet at the mining pool. The criminal has several options. Many mining pool sites offer functionality such as “auto exchange,” whereby once a certain amount of currency is built up in the individual’s wallet, it can be sent to an address at an exchange for auto-conversion into an alternative cryptocurrency of the individual’s choice.

Alternatively, the cybercriminal could elect to send their crypto-jacked coins, along with other coins, through increasingly popular mixer/tumbler services, serving to further obfuscate the true origin of the coins, and through to an exchange ready for withdrawal. It is important to note that, unless converted to fiat currency, it is entirely possible for a criminal to undertake these processes having only provided as little as an email address to any of the platforms described in the above scenarios.

The reality is that exchanges and other such platforms with the liquidity and infrastructure to support the processing of such coins may be a primary target for bad actors looking to move their illicit crypto gains through the system. To the casual observer, or the exchange facilitating the trade, the freshly mined coin may not look any more suspicious than another coin mined through legitimate means. Neither will have transaction histories, both appearing “untouched.”

To further complicate matters, it may be rare that a newly-mined coin was created solely using hijacked computing power. Arguably more likely (and an analogy to the traditional concept of co-mingling), particularly in a pooled-mining operation, the majority of the computing power resulting in the mining reward may have been from legitimate contributors to the pool. A coin may be tainted, but by how much, and is such a coin the proceeds of crime?

Forget Tradition

Traditionally money laundering is viewed as a three-stage model: placement, layering and integration. Recently, ACAMS members Joseph Mari and Peter Warrack⁸ have spoken and published on the four-stage model: predicate offense, placement, layering and integration.⁹

The theory behind the four-stage model is that the three stages cannot exist and are dependent upon the existence of a predicate offense that gives rise to the proceeds of the crime; in the context of cuckoo mining, this begs the question, “The crime of what?”

The Financial Action Task Force (FATF) Recommendation 1 provides guidance as to what constitutes a predicate offense, but this is open to jurisdictional interpretation and translation into actual law. The FATF guidance suggests that all serious offenses should be predicate offenses to money laundering and that serious offenses may be defined as those carrying minimum sentences of six months in prison.¹⁰

Perhaps the best example of what may be considered a predicate offense in the context of cuckoo mining is the U.S. 1986 Computer Fraud and Abuse Act (CFAA).¹¹ The act is all-encompassing and addresses computer hacking, accessing a computer to defraud and obtain anything of value (qualified as in excess of $5,000 in a one-year period) among other subjects; it also makes the distinction between intent to defraud or cause harm and computer trespassing (a misdemeanor and arguably not a predicate offense). In addition, it begs the question of how the value of “borrowing” a user’s computer power is measured and how the borrowed usage contributed to the successful mining of a coin as a percentage of the total hashing power that was required.

Hacking is clearly an offense for which the perpetrator could be charged, at least in the U.S. However, it is still unclear that hacking is a predicate offense to money laundering, and whether coins obtained in whole or in part from cuckoo mining are the proceeds of crime in the traditional and reportable (i.e., by suspicious activity report [SAR] filing requirements) sense.

Further, cuckoo mining is a power-intensive business. The computing power required drives up hydro costs of the unknowing user, and arguably, the shelf life of infected computers is reduced due to the tangible and intangible wear and tear; again, the user foots the bill. Traditionally the theft of hydro (theft of a utility service) is considered in the context of bypassing a meter or hooking up to a grid without permission. It is unclear if a law exists that covers the cuckoo mining situation, and how the cost would be calculated.

Making an Assumption

Assuming cuckoo mining is a criminal (and predicate) offense that gives rise to the proceeds of crime by extension means that the coins are tainted. In the context of the traditional money laundering model, the coins have not been “placed” into the financial system, but they already exist. Therefore, arguably thereafter, further movement (e.g., sale to an exchange for fiat or conversion into another virtual currency) constitutes the layering stage of money laundering, and is reportable by SAR—not necessarily….

Again, more questions than answers. Is virtual currency part of the financial system, or depending on the jurisdiction, a currency at all? Maybe in Japan where virtual currency is legal tender.

The fiat on/off ramps are easier to understand; for example, an exchange knowingly (or even suspecting based on the threshold of reasonable suspicion) receiving bitcoins generated from cuckoo mining and paying the miner in fiat in return may be at risk of being accused of money laundering, and in most jurisdictions would be required to file a SAR. How an exchange or anyone else would be able to identify such activity would be difficult to say the least.

So, what should be considered by those dealing in virtual currencies when attempting to apply a risk-based approach in identifying this risk in their business? Here are some thoughts:

1. Coin Characteristics

Understand the characteristics of different coins, particularly through what mining technique has the coin come to be. As mentioned, a natural target for cuckoo miners are ASIC-resistant coins, which can be mined using basic CPU-processing power. Added to this, many of these coins have a high level of “fungibility,” i.e., the ability for the currency to be interchangeable and untraceable at the same time. Coins like Monero openly describe this as an advantage over other cryptocurrencies and include privacy built in to their blockchain. These are a natural target for cuckoo miners.

2. Source

A number of software services such as Chainalysis, Elliptic, Blockchain Intelligence, Scorechain and CipherTrace provide the ability (to a degree) to look back on the transaction history of an address and understand where a coin has been in its life. These tools can be useful in profiling different factors about a particular crypto transaction or set of transactions that may be considered high risk or suspicious, such as association with other known high-risk addresses, even other stolen coins to the extent they are known.

There is also an increasing amount of information available on popular mining pool sites used in the process of cryptojacking. Being aware of these sources is one important step in identifying potentially “tainted” coins.

3. Distribution

A coin can enter the market for distribution through a number of avenues. The most popular is through cryptocurrency exchanges. Today, while many exchanges work to design and implement robust anti-money laundering/counter-terrorist financing compliance programs in their business, for some, know-your-customer (KYC) controls only kick in at certain thresholds, which differ across exchanges and between exchange types. For a cuckoo miner looking to cash out their coins, these exchanges with limited controls represent a big opportunity.

4. Behavioral Indicators and Other Considerations

What do crypto users do with their coins once they are on exchange? Are they regularly and quickly converting consistent amounts of one coin into other alt-coins or privacy-based coins, which may obscure the transaction history of that address? Alternatively, are they traders for whom this type of activity may make sense?

What about the wallet addresses themselves? Are new addresses continually used to send and receive cryptocurrency; is this a function of the wallet type or an illicit intent? What about other indicators, such as use of proxy servers or IP masks by customers?

What constitutes suspicious activity in the crypto sense is still being learned, but groups in the industry are starting to come together on this. As AML professionals, it is important to continue to build our knowledge of this technology and keep abreast of trends and emerging cryptocurrencies that exhibit the characteristics described in the article, The Blocktrain has Left the Station.¹² Like other crimes, cuckoo mining activity will follow the path of least resistance and target what is “hot” in the world of crypto at any point in time.

Is a cuckoo in residence?

Without getting too technical, a simple way to tell when a website is mining cryptocurrency is to keep an eye on your computer’s CPU usage. While this varies between computer types, a normal percentage for casual usage (e.g., browsing the web, taking notes) is generally 20 percent or less.

In Windows, right click the task bar and select Task Manager. Open the Performance Tab.

In MacOS, open Activity Monitor by searching for it with Spotlight (pressing Command + space bar) or by going to Applications > Utilities > Activity Monitor. Once open, click the CPU tab. Total CPU usage in MacOS is the sum of system and user usages.

Summary

Malicious mining is another example of a technology being exploited by the few at the expense of the many. Like the cryptocurrency world itself, it is unique and thus brings unique challenges for the AML community. While progress is being made, as people become more connected through devices, the world moves closer to something akin to Gates’ original vision discussed at the beginning of this article with one addition—a computer in every home may also mean a miner in every home…whether it is known or not.

Giles Dixon, CBP, BA, senior associate, Financial Services Advisory, Grant Thornton LLP, Toronto, Ontario, Canada, giles.dixon@ca.gt.com

Peter Warrack, CAMS, CBP, CFE, chief compliance officer, Bitfinex, peter.warrack@bitfinex.com

Adnan Tahir, CBP, AML investigator, Bitfinex

1. “Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions),” statista, https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
2. Paolo Passeri, “Step Aside Ransomware…Cryptojacking Is The New Kid On The Block!,” Information Security Buzz, May 14, 2018, https://www.informationsecuritybuzz.com/articles/step-aside-ransomwarecryptojacking-is-the-new-kid-on-the-block/
3. Shayan Eskandari et. al, “A first look at browser-based cryptojacking,” Cornell University Library, March 7, 2018, https://arxiv.org/abs/1803.02887
4. Noelle Acheson, “How Bitcoin Mining Works,” CoinDesk, January 29, 2018, https://www.coindesk.com/information/how-bitcoin-mining-works/
5. A. Narayanan, J. Bonneau, E. Felten, A. Miller, and S. Goldfeder, “Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction,” Princeton University Press, 2016.
6. Shayan Eskandari et. al, “A first look at browser-based cryptojacking,” Cornell University Library, March 7, 2018, https://arxiv.org/abs/1803.02887
7. Noelle Acheson, “How Bitcoin Mining Works,” CoinDesk, January 29, 2018, https://www.coindesk.com/information/how-bitcoin-mining-works/
8. Peter Warrack, “Money Laundering and Blockchain,” JEBcl, September 30, 2016, jebcl.com/symposium/wp-content/uploads/2016/09/Warrack.pptx
9. Joseph Mari and Peter Warrack, “Blockchains and Money Laundering,” Bank of Montreal, June 2016, http://docplayer.net/41556396-Blockchains-and-money-laundering.html
10. “FATF Recommendation 1: Scope of the criminal offence of money laundering,” United Nations, 2016, https://www.un.org/sc/ctc/wp-content/uploads/2016/03/fatf-rec01.pdf
11. “Prosecuting Computer Crimes,” Department of Justice, 2015, https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
12. Leonardo Real and Joseph Mari, “The Blocktrain Has Left the Station,” ACAMS Today, June 9, 2017 https://www.acamstoday.org/the-blocktrain-has-left-the-station