Fraudsters are beginning to find the cracks in the armor of blockchains and cryptocurrencies. Initial coin offerings, Simple Agreements for Future Tokens and fake currencies are vulnerable areas. Here’s practical information for warning your organizations and clients.
When email was first introduced to the world, most thought it would to be immune to fraud. Of course, that was only wishful thinking. Now we routinely deal with ransomware, business email compromises and hundreds of phishing attempts. Sometimes, new technologies can seem to be fraud-proof only because we don’t completely understand them. Or the security around the technology hasn’t matured enough so bad actors can exploit them for lucrative payoffs. The more popular and fashionable the supposedly immutable and tamper-proof “blockchain” becomes, the more fraudsters are comprehending it and taking advantage of its weaknesses.
Blockchains, which are shared digital ledgers where transactions (such as purchases made with bitcoin) are recorded, still don’t have a central regulator. Of course, lack of regulatory oversight “when no one’s watching” often can be a recipe for scams and fraud. For example, Bulgarians Konstantin Ignatov and his sister, Ruja Ignatova, created OneCoin in 2014 as a supposed cryptocurrency competitor to Bitcoin. They called it “Bitcoin Killer,” but it was allegedly a get-rich-quick scheme that defrauded more than three million investors worldwide of more than $4 billion. (See US fed prosecutor tells court OneCoin is a $4 billion Ponzi scheme, behind MLM, Jan. 23, 2019.)
Ruja Ignatova, the so-called “OneCoin Queen,” disappeared in 2017 from Sofia, Bulgaria. Police in Mumbai, India, charged her in July 2017 of running a Ponzi scheme. (See Indian Police Prepare Charges Against OneCoin Founder Ruja Ignatova, coindesk, July 12, 2017.) The U.S. Department of Justice charged her later with wire fraud, bank fraud and money-laundering offenses. (See Manhattan U.S. Attorney Announces Charges Against Leaders of ‘OneCoin’ … March 8, 2019.)
Her brother, Konstantin Ignatov, the leader of the international pyramid scheme, was arrested March 6, 2019, on a wire fraud conspiracy charge after his indictment by the Department of Justice U.S. Attorney’s Office of the Southern District of New York. He entered into a plea agreement on Sept. 27, 2019, and he pleaded guilty to the charges in November 2019. Ignatov, who could face up to 90 years in prison, has agreed to testify against his sister, Ruja, and others in the scheme. (See Details of Konstantin Ignatov’s OneCoin guilty plea, behind MLM, Nov. 15, 2019.)
OneCoin is a multilevel marketing network; it promised commissions to members for inviting potential investors to purchase cryptocurrency packages. “As alleged, these defendants created a multibillion-dollar ‘cryptocurrency’ company based completely on lies and deceit,” said Manhattan U.S. Attorney Geoffrey S. Berman. “They promised big returns and minimal risk, but, as alleged, this business was a pyramid scheme based on smoke and mirrors more than zeroes and ones.” Their activities are also under scrutiny in China and India.
OneCoin cryptocurrency allegedly only existed in the minds of its creators and co-conspirators. “Unlike authentic cryptocurrencies, which maintain records of their investors’ transaction history, OneCoin had no real value,” said FBI Assistant Director-in-Charge William Sweeney Jr. The investigation discovered that OneCoin, which still exists, lacks a public and verifiable blockchain.
Because of the underlying blockchain infrastructure, “Bitcoins can’t be faked, they can’t be hacked and can’t be double-spent,” wrote Jamie Bartlett in his article, Cryptoqueen: How this woman scammed the world, then vanished, BBC News, Nov. 24, 2019). Bartlett is the creator and host of the BBC’s The Missing Cryptoqueen podcast about Ignatova.
In a brazen attempt to scam investors, Ruja Ignatova didn’t bother to construct a blockchain that would underpin OneCoin. Knowledgeable CFEs would’ve recognized this obvious tipoff that this was a fake digital currency, and the promoters were con artists.
Regulators could’ve stopped OneCoin in its tracks if they’d required it to pass screening for blockchain and cryptocurrency legitimacy as the U.S. Securities and Exchange Commission (SEC) has recently done for several initial coin offerings (ICOs). [See Spotlight on Initial Coin Offerings (ICOs), SEC.]
In 2008, an anonymous person or persons, using the name, Satoshi Nakamoto, created blockchain technology that underlies and supports Bitcoin. Nakamoto designed blockchain to solve the “double-spending” problem (cybercurrencies can be easily replicated and therefore “spent” again and again), minimize the amount of required trust in the absence of a central authority and, most importantly, create a distributed ledger of transactions that’s cryptographically authenticated and allows for an immutable audit trail. (See Blockchain Basics and Hands-on Guidance: Taking the Next Step toward Implementation and Adoption, by Deniz Appelbaum, Ph.D., and Sean Stein Smith, DBA, CPA, The CA Journal, June 2018.)
A blockchain is a system in which digital ledgers — records of transactions made with Bitcoin or another cryptocurrency — are maintained across several computers that are linked in continually updated and synchronized peer-to-peer networks. “Block” and “chain,” in this context, refers to digital information (the block) stored in a public database (the chain). A network of tech-savvy “miners” (or “nodes”) independently maintain and verify their transactions. They’re independent computer experts not directly associated with the underlying Bitcoin.
Each block equals a cryptographic mathematical code with its own “hash” (a function that converts an input of letters and numbers into an encrypted output of a fixed length) that connects a block to the previous block, which adds further information. A series of connected blocks validated in this fashion constitutes a blockchain. Once a block is added to the blockchain it becomes immutable — difficult to edit and impossible to delete.
Beyond cryptocurrency, blockchains show great promise as digital ledgers for publicly and accurately documenting any rules and changes. Large enterprise technology companies, including IBM and Oracle, are actively designing blockchain products for shipping and contracts. (See Maersk and IBM to Form Joint Venture Applying Blockchain to Improve Global Trade and Digitize Supply Chains, IBM news release, Jan. 16, 2018, and Oracle is jumping on board the blockchain bus and could help drive it to the mainstream, by Becky Peterson, Business Insider, Oct. 2, 2017.)
In fact, as of fall of 2018, IBM had more than 1,500 employees working on more than 500 blockchain projects in industries, such as shipping, banking, health care and food safety. (See IBM is betting big on blockchain technology. Is it worth the risk? by Ahiza Garcia, CNN Business, Sept. 12, 2018.)
Blockchains make it easy to create unique digital tokens, or units of value, that companies sell to investors to raise money via ICOs or allow customers to use on their sites and services as a medium of exchange.
The many different types of blockchain tokens have varying characteristics and uses. Distributed applications, such as “app coins” (a cryptocurrency that enables users to make purchases with apps), use software that runs on multiple computers simultaneously within a network and represent the next phase of innovation in blockchain technology.
Such fintech innovation carries the potential for new types of business models that are decentralized but aren’t well-established nor associated with known brands, e.g. cloud computing without Amazon, social networks without Facebook or online marketplaces without eBay. (See A Securities Law Framework for Blockchain Tokens, from an initiative of Coinbase, Coin Center, Union Square Ventures and Consensys.) Blockchain is on the rise, and advocates say it’s safe and resistant to hackers. (See How secure is cryptocurrency and blockchain technology? Security benefits and issues of DLT, by Divya Joshi, Jan. 14, Business Insider.)
Bitcoin is still the most recognized cryptocurrency. A Bitcoin transaction consists of a transfer of funds between a sender’s and receiver’s Bitcoin “wallets.” Each wallet contains Bitcoin addresses, the public key — available to anyone to use to encrypt the data — and the private key — a confidential password known only by the owner. These keys provide mathematical proof for Bitcoin miners who verify that the owner of the wallet is the true owner.
Bitcoin relies on blockchain as its decentralized ledger. So, the transactions can’t be copied because the blockchains contain a complete record of all transactions. All nodes using a network are aware of all transactions, which enables a consensus algorithm — a process to achieve agreement on a single data value among distributed processes or systems.
All the transactions must await confirmation before they’re verified and added to a blockchain. However, each block contains its own time stamp — a record of event occurrence, sometimes accurate to a fraction of a second — as well as the time stamp of the previous block so miners can determine invalid transactions and remove them. The majority of the nodes in Bitcoin must agree on the first transaction that was received, given by the blockchains’ timestamps, which lead to a single, agreed-upon version of the truth. Although the value of a bitcoin exceeded $12,500 in July 2019, it was USD$6,549.91 at press time.
When a company seeks to raise capital by issuing blockchain-based tokens, including cryptocurrencies, it launches an ICO. Purchasers of tokens are entitled to shares with differing rights depending on the company. The ICO market raised approximately $8.7 billion as of February 2018. (See SEC Issues Subpoenas in Hunt for Fraudulent ICOs, by Matt Robinson, Bloomberg, Feb. 28, 2018.)
In early 2019, BitMEX reckoned that ICO funding reached $13 billion by calculating how much ICOs originally raised in 2017-2018 and then adjusting for how much prices have declined since then. BitMEX is a cryptocurrency exchange and derivative trading platform owned and operated by HDR Global Trading Limited. (See ICOs Printed $13 Billion Out of Thin Air: BitMEX, TokenAnalyst Research, by Colin Muller, nexo, Jan. 17, 2019.)
On Feb. 6, 2018, U.S. SEC Chairman Jay Clayton testified before the congressional Committee on Banking, Housing, and Urban Affairs on virtual currencies. (See his written testimony.) “From what I have seen, initial coin offerings are securities offerings,” Clayton said during the hearing. “They are interesting companies, much like stocks and bonds, under a new label. You can call it a coin, but if it functions as a security, it is a security.” (See SEC and CFTC Give Testimonies at Senate Hearing on Virtual Currencies, by Andrew Nelson, Bitcoin Magazine, Feb. 7, 2018.)
Going by SEC Chairman Jay Clayton’s cautionary remarks, many difficult and thorny legal questions surrounding blockchain tokens remain unsettled. For example, blockchain tokens, depending on their features, could be regarded as “digital assets or securities” that might be subject to U.S. federal and state securities laws. This would mean that it could be illegal to offer them for sale to U.S. residents except by registration or exemption. Similar rules could apply in many other countries. (See “1946 SEC v. Howey Co. might help define blockchain tokens as securities” at the end of this article.)
The SEC has viewed blockchain tokens as a blend between securities and currencies. They don’t readily fit into traditional legal frameworks, and there is no clear set of financial rules regarding their distribution. (See Framework for Securities Regulation of Cryptocurrencies, by Peter Van Valkenburgh, Coin Center Report, August 2018.) However, the SEC has become more proactive in monitoring digital assets for fraud. (See Oversight of the Securities Exchange Commission, Testimony of Jay Clayton, Dec. 10, 2019.)
Regardless of its touted immutability, predatory fraudsters — beyond offering Ponzi cryptocurrency schemes — are finding gaps in the armor. For example, consider Simple Agreements for Future Tokens (SAFTs). In a SAFT deal, venture capitalists invest money in a startup business in exchange for the firm’s promise in the future to give them an agreed-upon number of tokens it sells in an ICO. (See Venture capital has a new way of cashing in on blockchain bonanza — here’s what you need to know about SAFTs, by Becky Peterson, Business Insider, Nov. 19, 2017.)
Beyond cryptocurrency, blockchains show great promise as digital ledgers for publicly and accurately documenting any rules and changes.
Peterson writes that SAFTs are akin to “a mashup of buying a gift card for a store that hasn’t yet opened and purchasing shares in a private company.” The startups issue SAFTs so they can create their own cryptocurrencies and tokens. Typically, such an investment network automatically converts to a trading right in tokens once the network is complete, but investors are gambling that it will ever be ready to go live. (See Blockchain-based initial coin offerings chart uncertain legal terrain, by Jason Tashea, ABA Journal, March 1, 2018.) Unlike an IPO, or initial public offering, an ICO doesn’t confer equity in the company, according to the ABA Journal article.
It’s clear that the very existence of blockchain paints a tantalizing picture of oversized returns if an implied fintech venture succeeds. When investors get greedy, and the market becomes frothy, predatory fraudsters smell opportunity and get excited. The likelihood of securities fraud risk increases.
At its core, blockchain has securities-like features, but because it remains largely unregulated, promotors and buyers rationalize that it’s a legitimate trade. Hence, bad actors can and do exploit it. Unsuspecting investors could lose a lot of money.
“Fraud is not theft by force, but by deception,” according to the book, “A.B.C.’s of Behavioral Forensics: Applying Psychology to Financial Fraud Prevention and Detection,” by Sridhar Ramamoorti, David E. Morrison, Joseph W. Koletar and Kelly R. Pope. “The dance of fraud, therefore, is a dance of deception. As such it requires the cooperation of the victim.”
The role of customers’ human motivations and emotions has largely been neglected in discussions about blockchain and cryptocurrency sales. Fraudsters frequently resort to preying on victims’ emotions to distract, persuade and help them rationalize greed. For example, a seller of blockchain securities can point to supposed investors who turned $40 into $10,000.
Gullible victims also rationalize away the obvious fact that something sounds “too good to be true” by marshalling emotional defenses such as “social proof” — that is, others are similarly invested or they’ve been rarely fooled. (See Harnessing the science of persuasion, Robert B. Cialdini, Harvard Business Review, October 2001.) Fraudsters often also use multi-level marketing of the type used in the OneCoin scam to swindle large groups of unsuspecting investors globally.
The promoters of a fintech venture involving cryptocurrencies and blockchain, or their emissaries, might paint a rosy picture of investment returns. And they might tell would-be victims that they have to immediately seize the opportunity the promoters have worked so hard to create for them. Then the investors can finally be special people who’ll belong to an elite club (akin to Bernie Madoff’s strategy of emphasizing exclusivity). The head promoter might also try to shame hesitant investors into investing and “honoring the commitment” to a stellar board of directors, for example, because they don’t want to disappoint associated luminaries and those they respect who might have celebrity status.
Because questionable entrepreneurs are raising billions of dollars in short periods of time, the SEC and the U.S. Federal Trade Commission (FTC) would do well to monitor these developments, and where they can, require registration of blockchain as securities related to the purchase and sale of digital assets.
Hopefully, continued and effective regulatory intervention will put unscrupulous actors on notice. Beyond the SEC and the FTC, U.S. regulators and agencies are continuing to increase their monitoring of cryptocurrency transactions, including the Internal Revenue Service, the Financial Crimes Enforcement Network and the Commodity Futures Trading Commission. Other countries around the world have also ramped up regulations. (See Cryptocurrency Regulations Around the World, Comply Advantage.)
According to Shamoil T. Shipchandler, director of the SEC’s Fort Worth Regional Office, “Attempting to conceal what we allege to be fraudulent securities offerings under the veneer of technological terms like ‘ICO’ or ‘cryptocurrency’ will not escape the Commission’s oversight or its efforts to protect investors.” (See SEC Halts Alleged Initial Coin Offering Scam, Jan. 30, 2018.)
Shipchandler made his comments after the SEC in January 2018 had obtained a court order halting an allegedly fraudulent ICO that targeted retail investors to fund what it claimed to be “a first-of-its-kind decentralized bank offering a variety of consumer-facing banking products and services using more than 700 different virtual currencies.” The AriseBank case is a bellwether in the ICO space scrutinized by regularity agencies.
According to the SEC, Dallas-based AriseBank used “social media, a celebrity endorsement, and other wide dissemination tactics to raise what it claims to be $600 million of its $1 billion goal in just two months.” AriseBank and its cofounders, according to the SEC, allegedly offered and sold unregistered investments in their purported “AriseCoin” cryptocurrency.
“AriseBank’s sales pitch claimed that it developed an algorithmic trading application that automatically traded in various cryptocurrencies,” according to the SEC. (See SEC Halts Alleged Initial Coin Offering Scam, Jan. 30, 2018, and SEC Halts AriseBank ICO, Calling It ‘an Outright Scam, by Shawn Gordon, Bitcoin Magazine, Jan. 31, 2018.) More recently, the Telegram Group Inc. raised $1.7 billion before the SEC obtained an emergency order to prevent Telegram from selling digital tokens that were unregistered. (See SEC Halts Alleged $1.7 Billion Unregistered Digital Token Offering, U.S. Securities and Exchange Commission Press Release, Oct. 11, 2019.)
Cases like this have increased the pressure on the SEC to provide resources to warn would-be investors so they’ll know the risks beyond those contained in companies’ required “risk disclosures” that are as part of any ICO prospectus or offering document. (For example, Mass Coin listed these risks in its 2016 prospectus: loss of value, regulatory risks and risk of weaknesses in coin transport software.)
Sophisticated institutional investors probably will be knowledgeable about the risks and hazards of investments. They know that when risks are high, returns can also be high. Most importantly, when a sophisticated investor loses money on a bet, they can’t claim ignorance. But an ordinary, naïve investor can easily say shady operators have deceived them.
In the OneCoin case discussed earlier, multi-level marketing efforts targeted unsophisticated investors through social media and celebrity endorsements. We suspect that others using blockchain might similarly exploit gullible and unsophisticated investors into purchasing fool’s gold. So, perhaps the governmental focus should be on providing resources and expertise for unsophisticated investors. The SEC’s Office of Investor Education and Advocacy furnishes investors with numerous services and tools. “We cannot tell you what investments to make, but we can help you to invest wisely and avoid fraud,” the website states.
Bartlett probably best summarized in his BBC article why cryptocurrency fraudsters are able to scam naïve investors. OneCoin “represents the dark side of rapid technological change — the way that every new technology creates amazing new opportunities and possibilities for people who understand it, but also the chance to exploit the people who don’t,” Bartlett says.
Ruja identified and exploited society’s weak spots, Bartlett says. Her targets were those who either sufficiently desperate, greedy or confused to take the bet, she says. The line between truth and lies is becoming fuzzier, and law enforcement and the media are struggling to understand. “And, most frustratingly of all,” Barlett says, “she correctly guessed that by the time we realised [the fraud], she’d be gone, along with the money.”
The issuance of blockchain tokens as SAFTs and ICOs appears to be a dangerous trend because the purchase and sale of digital assets under these terms seems to constitute a sale of securities, but it isn’t advertised as such. Regulatory agencies such as the SEC and the FTC would do well monitor this evolving space and take preemptive actions to protect unsuspecting and gullible investors.
The SEC appears to be quite concerned about possibly fraudulent businesses raising funds using cryptocurrencies and violating securities laws. The agency has issued dozens of subpoenas and information requests to technology companies and advisers about structures for sales and pre-sales of ICOs because they probably don’t adhere to the same rigorous rules that govern public offerings. (See SEC issues subpoena to cryptocurrency company Riot Blockchain, CNBC, April 18, 2018, and Cryptocurrency Firms Targeted in SEC Probe, by Jean Eaglesham and Paul Vigna, The Wall Street Journal, Feb. 28, 2018.) The SEC, after reviewing the information on the ICO offering of Enigma MPC, issued a cease-and-desist settlement order to register its securities, allow for claims to be paid out to purchasers of its ICO and pay a civil fine of $500,000.
The real danger of SAFTs and ICOs involving cryptocurrencies and blockchain is that most of these so-called agreements are largely unregulated. Certified Fraud Examiners need to understand that blockchain could lead to rampant fraud. A “tactic known is a tactic blown.” So, well-informed CFEs will recognize suspicious activities they encounter in the fintech space and warn would-be investors.
Sri Ramamoorti, Ph.D., CFE, CPA, CIA, is an associate professor of accounting at the University of Dayton. Contact him at sri.ramamoorti@udayton.edu.
Sarah J. Webber, J.D., CPA, is an associate professor of accounting at the University of Dayton. Contact her at swebber1@udayton.edu.
Mira Khalil, a former graduate accounting student at the University of Dayton, is now a member of EY’s Financial Services Office (FSO) Assurance Staff in Chicago. Contact her at mira.khalil@ey.com.
A 1946 ruling, SEC v. Howey Co., provides guidance to the Securities and Exchange Commission in regulating blockchain tokens.
In 1946, the Howey Company, a large citrus farm in Florida, wanted to lease half of its acreage to finance more development. They sold hundreds of acres of land to non-farmer businessmen investors who effectively became speculators. The land was the vehicle for investment.
Howey Co. broke federal law by not registering these transactions to the SEC per the 1933 Securities Act. The SEC filed an injunction that was blocked by an appeal from U.S. District Court for the Southern District of Florida. The Fifth Court of Appeals affirmed the decision, which removed the injunction.
However, the U.S. Supreme Court upheld the SEC’s order by ruling that Howey’s contracts were investment contracts and must be regulated as such. The ruling birthed the Howey test, a simple criterion to determine the purview of SEC jurisdiction over securities.
Under the test, a transaction is an investment contract if the transaction:
SEC v. Howey Co. guides the SEC’s framework to regulate securities to this day. As such, “If that test be satisfied,” wrote Justice Frank Murphy in 1946, “it is immaterial whether the enterprise is speculative or non-speculative, or whether there is a sale of property with or without intrinsic value.” What matters is whether “the scheme involves an investment of money in a common enterprise with profits to come solely from the efforts of others.” A security has been sold, in other words, when the value of one’s transaction hinges on another’s work. Therefore, the Howey test could help determine the future of blockchain tokens.
(See Passing the Howey Test: How to Regulate Blockchain Tokens, by BitTrust on Medium, March 4, 2017, and SEC v. Howey Co.)
Unlock full access to Fraud Magazine and explore in-depth articles on the latest trends in fraud prevention and detection.
Read Time: 5 mins
Written By:
Roger Seifert, CPA, ABV, CFF
Jamal Ahmad, J.D., CFE, CPA/CFF
Read Time: 7 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Read Time: 7 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Read Time: 5 mins
Written By:
Roger Seifert, CPA, ABV, CFF
Jamal Ahmad, J.D., CFE, CPA/CFF
Read Time: 7 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Read Time: 7 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
