As criminals target crypto wallets with malware, a record $100 million fine by the SEC against BlockFi may signal regulators taking cryptocurrency more seriously. Pictured: Pedestrians walk past a display of cryptocurrency Bitcoin on Feb. 15, 2022, in Hong Kong. (Photo by Anthony Kwan/Getty Images)

Crimes involving cryptocurrency nearly doubled last year to roughly $14 billion in transactions globally, up from $7.8 billion in 2020, according to Chainalysis, a crypto investigations firm.

While this leap in crypto-crime represents only 0.15% of all cryptocurrency transactions, it still amounts to a 79% growth in fraud in this nascent market, even as cryptocurrency transactions overall have more than quintupled (567% growth) in the past year to $15.8 trillion in 2021, according to a Chainalysis report. Aside from outright fraud, cryptocurrencies have also come under the U.S. regulatory gaze, as they have been at the center of various scams and money laundering schemes. Case in point: The Office of Foreign Assets Control (OFAC) sanctioned two Russian crypto services, Suex and Chatex, that were found to be very involved in laundering funds.

And it’s not just the cryptocurrency schemes themselves that are falling prey to bad actors. According to reports, more and more cybercriminals are targeting crypto-wallets directly. A recent report from BlackBerry Research describes at least one new malware variant, BHunt Scavenger, that actually “harvests” the crypto-wallets of basic users.

“BHunt scavenges systems for access to a victim’s cryptocurrency, while trying to hide its activities on the system and to slow analysis in a variety of ways,” according to the BlackBerry blog, adding that BHunt’s primary goal is to harvest the victim’s crypto wallets. “It also attempts to steal browser passwords in the process, which is likely intended to help it find login credentials stored there for online crypto accounts, along with online banking or social media accounts that could be used for financial gains.”

BlockFi fined $100 million by SEC

As cryptocurrencies become increasingly "legitimate," they are also being held to a higher standard by regulators, which demand the same compliance from these alternative payment schemes as they would from more conventional financial and payments companies. Just look at the recent case of crypto startup BlockFi Lending LLC, which agreed to pay $100 million in federal and state penalties and fines for failing to properly register the offers and sales of its lending product to consumers, in a precedent-setting action that could herald more crypto-concerns falling in line with conventional financial rules.

The Securities and Exchange Commission announced earlier this month that BlockFi would pay a $50 million penalty to the federal regulator for “violating the registration provisions of the Investment Company Act of 1940,” and agreed it would stop making such “unregistered offers and sales of the lending product, BlockFi Interest Accounts (BIAs),” according to the SEC release. In addition, the popular crypto lending platform will pay an additional $50 million in fines to 32 states that had levied similar allegations about BlockFi’s practices.

Industry experts did not find the settlement itself surprising, but Arvind Nimbalker, head of product at Tribal Credit, which develops corporate card programs for startups, pointed out that “most people probably didn't anticipate the size of the settlement figure, nor the fact that the SEC found that BlockFi made a false and misleading statement for more than two years on its website.” About 600,000 investors had held BIA accounts valued at $10.4 billion, according to the SEC filing.

The penalties and fines were assessed based on the SEC order, which found that from March 2019 forward, investors had lent crypto assets to BlockFi for its BIA product in trade for a promise of variable monthly interest payments. That made these interest accounts securities under the law, required to be registered or to receive an exemption from the SEC, according to the release. BlockFi was also found to have been operating for more than 18 months as an “unregistered investment company because it issued securities and also held more than 40 percent of its total assets...in investment securities, including loans of crypto assets to institutional borrowers.”

In perhaps an even more telling long-term result of the settlement, for BlockFi and the wider crypto market, the crypto lending startup agreed that it would “attempt to bring its business into compliance with the Investment Company Act of 1940 within 60 days... and register [its] parent company under the Securities Act of 1933,” signaling a significant movement by crypto to fall in line with conventional financial compliance and practices. As part of the SEC settlement, BlockFi also agreed to cease offering or selling BIAs in the United States.

“This is the first case of its kind with respect to crypto lending platforms,” SEC Chair Gary Gensler said in a prepared release Monday. “Today’s settlement makes clear that crypto markets must comply with time-tested securities laws... It further demonstrates the Commission’s willingness to work with crypto platforms to determine how they can come into compliance with those laws.”

Crypto accountability recognizes legitimacy

Aaron Rose, a security architect in the office of the chief technology officer at CheckPoint, said the latest settlement and subsequent moves from BlockFi make him “hopeful.” 

“Until now, the crypto space has been operating in a world of ambiguity,” Rose said, “but this [settlement] gives direction for crypto-platforms to operate with regulatory certainty in the United States.”

Nimbalker noted that “considering that the SEC has previously announced that it was shifting away from the ‘neither admit nor deny approach’ [in its enforcement actions], the fact that BlockFi was able to do [this] is interesting.”

Rose believed that this may answer the need of many blockchain and crypto companies that have been hoping for progress.

“Although this ruling might appear to be a blow to cryptocurrencies, it’s actually the complete opposite,” he said, adding that these settlements help clear up years of U.S. regulatory “ambiguity around the use of cryptocurrencies in the United States.”

By holding crypto platforms accountable to laws established to regulate existing economy and trading platforms, the SEC has “recognized the legitimate use of such currencies and that it is willing to work with the platforms to form a precedent on how they can act within established regulations,” Rose said.

However, for the crypto-businesses that do not want to meet more conventional compliance, there could be a rocky regulatory road ahead.

“Crypto-focused startups that are not handling their business in a compliant manner will continue to see enforcement actions brought against them, just as any other business that's operating in a non-compliant manner,” Nimbalker said, adding that the result of these enforcement actions will be “key.”

“We still do not have any federal laws specifically addressing the crypto industry, nor do we have dispositive court rulings,” he said. “Settlements provide, at best, guidance. However, it’s the best information that we currently have available.”