“Even $1 of funding to Hamas is too much,” I was told, in a private meeting with a good friend, to explain the antipathy of some US politicians towards crypto.
This was after my previous tweet taking apart the Treasury request for additional authority, and was in the context of trying to understand why I opposed the majority of those proposals and, it was implied, stopping terrorism financing. When I explained that I opposed the majority of the Treasury proposal because my goal was stopping terrorism financing, they got very, very confused, as this was not the rejoinder they expected.
Using that as a starting point, I wanted to take the time to post a detailed explanation of why I believe public blockchains are a better, not worse, method of detecting illicit finance. To cover that, we need to plant a few seeds first.
One, what is the substantive transaction, with no specification of the rails?
In this case, we are going to start with American A, who is an otherwise law-abiding citizen who is going to send a transaction that ultimately reaches Hamas. This happens because American A sends money to Relative R, in another jurisdiction. Relative R then sends their money to Business B, either in a valid-appearing transaction that is “overpriced”, or simply in a fake transaction where no value is actually exchanged. Unfortunately, to make this somewhat more complicated, Business B is the sort of hard-to-detect hybrid business that does have legitimate business operations, just not all legitimate business, so it’s a mix of bad stuff and legitimate stuff; maybe it’s a charity, maybe it’s a dog-walking service, maybe it’s an FX broker, maybe they make furniture. Sometimes they do sell you a chair! But sometimes they just launder money. Sometimes they sell you a chair but at a huge markup. Problematic to untangle from the outside. Lastly, Business B pays a dividend out to Owner O, who is actually a member of Hamas, and Owner O sends the money to Hamas.
Therefore, our total chain is A -> R -> B -> O -> H, meaning that the money went through five entities and passed through a combination of legal, semi-legal, and definitely not legal steps in order to reach the final resting point.
Two, what is our goal?
This one is important, because mis-definition of goals is part of how we got here. Importantly, is our goal to interdict as much terrorism financing to Hamas as possible, or is our goal to shut down all of the platforms where we can easily detect terrorism financing, so we just don't see it, even if lots of it happens?
The former is likely to materially improve the situation, if done properly. Legislation that would facilitate effective enforcement, monitoring, and interdiction of bad actors while preserving privacy for the majority of law-abiding folks is absolutely key. However, the latter option is likely to do a lot of collateral damage without improving anything (unless all avenues were easy to detect), as all you are doing there is forcing the activity out of the light. This is a bit like the Streetlight Effect problem, where we are searching for something not where the problem occurred, but rather where the light is, because it’s easier.
In short, we need to focus on actual security, not security theater.
TradFi
Now, having laid all of this out, let’s talk about how the transaction we designed above moves through the snake in the traditional financial system.
Step one would be the transaction to the relative. This could be done via a bank transfer (wire, ACH, etc.), this could be done via cash, check, or via a payment app (PayPal/Venmo, etc.). Regardless of which one of these is done, here is what happens: the company, if any, processing the payment knows about it, and the two people know they transferred money between each other. It could be companies in the case of an international bank transfer, as this probably moves through correspondent banks, and they would all know American A and Relative R, in theory. It could be a payment company to a bank if Relative R receives the money via PayPal and transfers locally.
Step two is the transaction between the relative and the business. What is this in? Cash, credit card or bank payment, or a payment app. Roughly the same stack of possible ways to send money. Here is what is interesting, though: does the originating company for American A know about this step? Probably not, unless it’s the same institution. If, for example, American A banked at Citi but the money ended up at HSBC (to pick two large international banks) then Citi won’t know about the next step, where money goes from HSBC to a local bank when a payment is made to Business B. Potentially nobody will really be connecting the dots if it was cash. If it’s a card payment, then the card networks might see something between these two, but unclear if they saw the first step. Here’s the point: we’re only on the second hop, and it’s already incredibly fragmented and we have no way to assume the institution involved in step 1 knows what is going on here, much less American A.
Step three, which is the business to the owner, often is going to be completely impenetrable to outside persons. Why? Because often they bank at the same institution and it’s an internal transfer. Literally only one company knows about it, and the question about if this is understood or reported outwardly is going to be a very difficult one to answer. Depending on the jurisdiction, the rules may vary, and certainly, no external entity will know about this happening. If they bank at different banks, then at least those two banks know about it, but again, what do they see about the rest of the chain of events? Also, if this was a cash transfer, even more difficult. Again, we have a break in the chain of events. It’s quite possible the sender in the previous transaction is in the dark here, much less the long chain back to the originator, American A. Even more interesting is the fact that we are dealing with a partially legitimate business. Those are usually the hardest to trace for the financial entities. Even if Relative R is knowingly giving money to terrorism finance, would any of the entities in this chain understand that without a complete picture of the books on all sides?
Step four, finally, is Owner O sending money to Hamas. This part is definitely bad! However, depending on the method used, unless it’s all going through the same bank, here’s the interesting part: none of the previous entities really understand this happened. If a well-known US bank like Citibank or Bank of America was the sender in the first case, do they know anything about what is happening this far down the chain? Almost certainly no (otherwise they would not have sent the first payment and would have been filing SARs about it). Instead, we are three levels down through multiple layers of other entities, and there’s just not much to be done here. Especially if funds moved through cash or local banks that don’t follow sanctions regimes.
This reveals the problem with the traditional financial system: it is fragmented, it is opaque, and it’s not particularly good at knowing what the other parts are doing. The majority of the activity is only in silos, the interior of which is dark to outsiders, and they can only see one door of many doors.
Put differently, let me ask a question that tradfi folks will find truly wild: After a dollar was first deposited for the first time at a bank, can you tell me every single transaction involving that dollar from that point forward? Go ask someone at a bank that. They will tell you to stop being stupid. Guess what?
You can do that with a blockchain.
Blockchain
Let's shift to a blockchain.
Now, American A sends money to Relative R. These are two wallet addresses. The world as a whole may not know who owns the wallets, but obviously they know each other. Importantly, everyone can see this (and all subsequent) transfers.
The next step is the same: Relative R sends money to Business B. However, because it’s on a blockchain, this is still visible to everyone. Again, publicly, we do not know who R is and we do not know who B is (unless the wallets have been doxxed), but we can see the time, amount, and wallets involved in the transfer. In this case, very much unlike the Tradfi system, American A can see their money passed through R and to B.
After that, B sends their money to O. Again, we’re still using a blockchain. Same rules apply to yet another on-chain transfer. Therefore, again, nobody knows the exact owners, but we can see the addresses that were involved.
The final step remains that O sends the money to Hamas. Once again, the path is clear. If, at the time, we don’t know that wallet belonged to Hamas, then it does become clear when and if we find out who it was. Public blockchains are public records!
In this case, using public blockchains, we have strictly more information than the previous case. If they wanted to, American A could figure out where the money went. Proving intent or knowledge at each step is harder, but unlike in the first case, they can see their money eventually went to the final wallet.
Second, once we know the bad wallet, it’s easy to map the ecosystem around it. Here, the pathway of the money starts to become much more clear once these elements are known.
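The backward trace described above, as an added example that is not part of the original post: it walks a constructed ledger back from the flagged wallet and matches what it finds against constructed KYC records. The wallet names, the extra parties C, L and S, and both function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample ledger, not real chain data: (time, sender, receiver, amount).
# Wallet names are placeholders for addresses, following the post's A -> R -> B -> O -> H chain.
LEDGER = [
    (1, "wallet_A", "wallet_R", 500),
    (2, "wallet_R", "wallet_B", 450),
    (3, "wallet_C", "wallet_B", 900),  # ordinary customer: B really did sell a chair
    (4, "wallet_B", "wallet_O", 400),  # "dividend" to the owner
    (5, "wallet_B", "wallet_S", 700),  # B paying a supplier
    (6, "wallet_O", "wallet_H", 400),
    (7, "wallet_L", "wallet_B", 300),  # arrives after the dividend left B
]

# Constructed KYC records, as an on-ramp in a cooperating jurisdiction might hold them.
KYC = {"wallet_A": "American A", "wallet_C": "Customer C", "wallet_L": "Late customer L"}


def trace_upstream(ledger, flagged, max_hops=6):
    """Walk the public ledger backwards from a flagged wallet.

    Returns {wallet: path}, where path lists the wallets from that source to
    the flagged wallet. A transfer into a wallet only counts if it happened
    before the outgoing transfer already on the path, so money that arrived
    too late to have been passed on is excluded.
    """
    incoming = defaultdict(list)
    for when, src, dst, _amount in ledger:
        incoming[dst].append((when, src))

    paths = {}
    best_cutoff = {flagged: float("inf")}
    queue = deque([(flagged, float("inf"), [flagged])])
    while queue:
        wallet, cutoff, path = queue.popleft()
        if len(path) > max_hops:
            continue
        for when, src in incoming[wallet]:
            if when >= cutoff or src in path:
                continue  # too late to be upstream, or a cycle
            if when <= best_cutoff.get(src, -1):
                continue  # src already explored with an equal or looser cutoff
            best_cutoff[src] = when
            paths.setdefault(src, [src] + path)
            queue.append((src, when, [src] + path))
    return paths


def kyc_leads(paths, kyc):
    """Match traced wallets to KYC records: name -> hops from the flagged wallet.
    These are investigative leads, not proof of intent or knowledge."""
    return {kyc[w]: len(p) - 1 for w, p in paths.items() if w in kyc}


if __name__ == "__main__":
    for name, hops in kyc_leads(trace_upstream(LEDGER, "wallet_H"), KYC).items():
        print(f"{name}: {hops} hops upstream of wallet_H")
```

Customer C shows up as a lead despite only buying a chair, which is the intent problem the post raises for hybrid businesses. L and S do not appear, because their transfers could not have fed the payment to H.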
Interdiction
Now, let’s go back to the original point of this post. I said that I was pro-blockchain because I was anti-terrorism financing. To really have that be a credible stance, I need to believe two things based on the cases that we’ve laid out above:
1: just because blockchains are transparent doesn’t mean the wallets are, so can we identify the wallets?
2: just because we have identified the wallets doesn’t mean we can stop the funds, so can we stop the funds?
If we can do those things, then I think it becomes trivial to see that blockchains are likely to be more effective than traditional finance at stopping illicit activity (in addition to just detecting it).
Can we?
Identifying Wallets
I have good news on this front: it’s shockingly easy.
By requiring KYC at the point of initial introduction of funds (e.g. where dollars turn into crypto), you can have a good idea of the starting point of most transactions. In our terms, this means we can know who American A is, and who their first bank-equivalent entity is (usually an exchange, currently) in each case. This also becomes true for every other user who exists in a cooperating jurisdiction, meaning that in this case, we probably also knew Relative R and maybe even Business B from a surveillance standpoint. Did we know Hamas? Probably not initially, but it’s pretty quick to find them when you can triangulate funds being sent from all over and you know some of the network.
Why else? Well, people are really stupid. And by really stupid, I mean they publicly post their wallet addresses all the time, or people adjacent to them do it. There are very few wallets out there which are completely unknown, and you are not solely reliant on blockchain analytics to find them. There are many other tools. Suffice to say, we know a shocking number of wallets associated with Hamas, or sanctioned Iranians, or Russians, or North Korea, etc. Combining listening operations of various sorts with the KYC data above, you can find almost all the wallets with enough effort.
Are you a crypto skeptic at a regulator, in law enforcement, or with a financial institution and you don’t believe me? Go talk to my friends at Inca Digital. No, seriously, go do this. You’ll be shocked.
Confiscating Funds
Here, the picture is a bit more convoluted. In traditional finance, to seize funds, you usually need to know where the holding entity of those funds is, and then give them a judicial order and have them be in a jurisdiction where they will cooperate with you (e.g. you can probably get BofA to do that in the US, but you can’t easily get an Iranian bank to do that if you are the US). This works in crypto as well: if you are dealing with an exchange or custodian in a jurisdiction that cooperates, you can usually get the funds just like in TradFi.
However, the real magic bullet in TradFi would be if you could identify the funds and then, if they were in dollars, just magically teleport them back out of the account of the bad guy and confiscate them. This isn’t how that system works (and the fear of this kind of behavior is one of the things often raised with CBDCs). Obviously, if that was going to be allowed, there would also need to be some incredibly strong legal and judicial guard rails around the process or it’s going to be abused, as has recently happened in Canada in their banking space, for instance.
So what if I told you that’s possible in crypto?
It’s not for the crypto-native tokens that power blockchains (unless you controlled the entire blockchain, which is a discussion beyond the scope of this post). For BTC? For ETH? This capability does not exist.
However, for a significant subset of token standards, there exists a capability called freeze and seize. This allows the issuer of a token to, without the private key of the wallet holding the tokens, freeze the tokens in a wallet so they cannot be transferred or, more interestingly, remove them entirely (and possibly burn them). The main tokens that have this capability? Fiat-backed stablecoins. Tether can do this. PayPal can do this. Circle can do this.
So going back to our transaction from above, at that final step, where Hamas has the funds: if they are in dollars or other currency at an institution that won’t comply with our sanctions regime, we can’t do much. If they are in BTC and in a Hamas wallet or at an exchange that is non-compliant, we can’t do much. But if they are in a fiat-backed stablecoin that complies with the US sanctions regime?
Yoink!
Building A Better System
Once you understand these tools, if your goal is the effective interdiction of illicit finance without massively compromising privacy, here is what you would actually want as a US legislator, regulator, or prosecutor:
As many regulated crypto companies doing business in the United States or a friendly jurisdiction as humanly possible. The more people who are onshore or in cooperating jurisdictions, the more KYC information we have to know the chain of transactions and persons sending money to bad wallets, and the more opportunity we will have to seize tokens at exchanges, custodians, and so on.
As many people using properly designed dollar-backed stablecoins as humanly possible in friendly jurisdictions. As I said, these things have a superpower: freeze and seize. If the standard currency of blockchains is a dollar with these features, it becomes increasingly easy to choke out bad actors as you identify them, because the money itself can be taken from them.
Effective ecosystem monitoring, with information sharing agreements, so that firms doing intelligence operations on-chain can quickly identify the wallets of bad actors and then pass this information along so they can be interdicted.
Importantly, if you are going to do this, you also need a strong civil rights regime backing to these operations, where they can only be used against people who are actually engaged in suitably illicit activities and there is due process around them that will necessarily have to be transparent and public in the end (if not at the beginning, to avoid compromising an investigation). Why do I say this? Because if you want people to use money with these properties and you just randomly take it from people and don’t explain why (which is what this will look like if you don’t explain), they won’t trust it and won’t use it. And nor should they, I would add. You’ll shoot yourself in the foot before you start if the bar for using freeze and seize is not much higher than the current bar we use for things like civil asset forfeiture in the United States. People have to be able to trust that if they are not literally terrorists or murderers, you won’t just steal their shit because they said mean things about you or something. Rule of law matters.
This also does reveal the objection to Tornado Cash as being at least partially legitimate; tools that obscure the transaction chain, primarily being used by illicit actors? That's a problem. I am for privacy and I am for stopping crime. We have to have a careful discussion about a fair balance.
How Close Are We?
Right now? I give it a solid D-. We are often doing the exact opposite of what we should, though to our credit, we haven’t been good enough at doing that to really break things completely.
First, we have refused to license stablecoins at the federal level, and they are largely moving offshore as a result. This is definitely bad, given the framework I laid out for success. We want those here! There’s a lot more on how to do stablecoins well that is beyond the scope of this post, but as a starting point, it doesn’t matter how well one is done if it’s also done out of Russia and won’t comply with our legal system for the purposes of this exercise.
Second, we are driving exchanges offshore as well. The SEC in particular has been a huge driver here, and ironically, they are probably a major contributor to the ability of the North Koreans, Hamas, etc. to make money in crypto, because there are major exchanges outside the US that will tolerate their presence. Ooops!
Third, we don’t have a good conduit for our regulators and law enforcement to work with the best blockchain intel folks, and to be honest, the government has done a very poor job of execution here. The DoJ, Treasury, etc. need to do better, more than they need new powers. This is an area where the chickens are coming home to roost for not investing more heavily in technological transformation in the United States, especially in the government arena and at various regulatory agencies. A heavy lift, but one we have to get right if we want to do better.
Fourth, we’re doing a really bad job of understanding the problem. Right now, because crime can be observed in crypto, we assume it is bad. However, something like 1% of Hamas’ total funding comes from crypto, which as both a professor and math major I can tell you means that something like 99% of it comes from the traditional system. This means there are 99 times the problems in the traditional system than in crypto, but because we can’t easily see them, we freak out about crypto. This is the classic fallacy of only caring about crime under streetlamps at night (because you can see it there); that’s not where most of the crime is! We have to stop mistaking visibility for severity. After all, how much of Hamas’ funding could we detect if we could force all banks, FX brokers, and hawaladars to use public blockchains for their activities, instead of their fragmented private systems? Probably close to 100%.
Why Has This Been Hard?
I’ll end with a final note on why we’ve been stumbling so hard on this:
Banks hate it. It will force them to expose how much bad activity there is and how ineffective their controls are. Plus they have to upgrade their tech stack to use blockchains.
Regulators hate it. It forces them to actually grapple with new ideas instead of falling back on the old methods, and it will also expose how wildly ineffective some of the current regimes are by bringing information into the light. Plus, being blunt, there is a significant technophobia problem at many US regulators.
Crypto hates it. Why? A lot of hardcore libertarians in that space think such a system will inevitably be used for extreme control and evil (ignoring that the current system often already is), and nobody wants to add cost and effort to do these things.
Everyone will agree with the thrust of the goals, but the reality is local short-term concerns that damage long-term aggregate better outcomes dominate right now. It is, in short, the Prisoner’s Dilemma writ large. Which is why, ironically, we need Congress to act more than ever. You unlock a lot of game theoretical problems with collective action and rules changes, not individual movement. We can, and should, do better.
TL;DR
Crypto reveals far more bad actors than the traditional system. If we truly want to stop terrorism finance, corruption, and more, we should not ban public blockchains. Instead we should force banks to use them!