Sen. Menendez Scrutinizes Bitcoin’s Role as Ransomware after Equifax Breach

WASHINGTON – U.S. Senator Bob Menendez (D-N.J.), senior member of the Senate Banking Committee, today sent a letter to the Acting Director of the Financial Crimes Enforcement Network (FinCEN) posing a series of questions around the Trump Administration’s efforts to prevent the use of cryptocurrency and digital payment systems such as Bitcoin for ransom in future cyber-attacks.

The Senator’s letter comes after cyber thieves demanded Equifax pay them 600 Bitcoin in exchange for deleting the stolen personal information of over half the U.S. population. The widespread cybersecurity breach exposed consumer’s birth dates, addresses, credit card information and Social Security numbers began in March and lasted through the end of July when it was discovered by the credit reporting agency. 

“Because of the anonymous nature of bitcoin transactions, the digital currency is an ideal choice for criminals,” wrote the senator, who has been a leading voice in Congress to protect consumers and hold bad actors accountable following the Equifax data breach. “The Internet presents a formidable obstacle to law enforcement, with new bad actors constantly replacing those who have been apprehended. Nonetheless, we have a responsibility to do everything within our power to remain vigilant and prevent harm wherever possible.”

Ransomware attacks, which lock a user’s computer to prevent them from accessing data until a Bitcoin ransom is paid, has become a multi-million dollar business for online criminals.  As a bureau within the U.S. Department of the Treasury, FinCEN is tasked with protecting the U.S. financial system from illicit use, combating money laundering and promoting national security. The Senator’s missive requests FinCen provide responses to the following requests and questions no later than November 30:

(1)  An update on what proactive steps FinCEN is taking to prevent criminals from gaining an advantage by using digital currency and digital currency exchanges;

(2)  Does FinCEN have both sufficient authority and resources to effectively track the illegal use of digital currency in ransomware attacks? Specifically, is the 2013 FinCEN guidance on virtual currency in need of an update?^[1]

(3)  In what capacity, if at all, is FinCEN engaged with the Board of Governors of the Federal Reserve System to ensure that use of digital currencies does not interfere or create a threat to the banking system, economic activity, and financial stability?

(4)  What steps can FinCEN take to ensure that hackers are not emboldened to steal consumer data knowing that digital ransom is easily paid?

A copy of the full letter can be found here and below.

October 31, 2017

The Honorable Jamal El-Hindi

Acting Director

Financial Crimes Enforcement Network

1500 Pennsylvania Avenue, NW

Washington, DC 20220

Dear Acting Director El-Hindi:

As you know, the recent Equifax data breach exposed the personally identifiable information of more than 143 million people. Shortly after news of the data breach broke, reports surfaced that the perpetrators were demanding 600 bitcoin in ransom.^[2] These reports raise serious concerns about the role of bitcoin in future breaches. As such, I write to request information on the Financial Crimes Enforcement Network’s (FinCEN) oversight and engagement on the use of digital currency in ransomware attacks.

According to research from New York University (“NYU”) and Google, “ransomware” is quickly becoming a multi-million dollar business.^[3] Ransomware is malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom, usually demanded in bitcoin. Ransomware is quickly becoming profitable criminal enterprise. Notably, the NYU and Google research team found a sharp increase in the number of cases in the second quarter of 2016.^[4] Where ransom was paid, 95 percent were paid through BTC-E, a Russian-operated bitcoin exchange platform.^[5] In sum, ransomware victims paid out more than $25 million during a two year period from 2015-2016.^[6] Just this past June, hackers withdrew $143,000 worth of bitcoin from an online wallet following the WannaCry ransomware attack that locked down files throughout the United Kingdom, including the National Health Service.^[7] These attacks have clear global repercussions for security and privacy.

Because of the anonymous nature of bitcoin transactions, the digital currency is an ideal choice for criminals.  Law enforcement is deliberately and steadily making strides in tracing the movement of online criminals. For example in 2013, the federal government arrested Ross Ulbricht, the founder of a major underground drug market, and seized more than $3.5 million worth of bitcoin.^[8]

The Internet presents a formidable obstacle to law enforcement, with new bad actors constantly replacing those who have been apprehended. Nonetheless, I have a responsibility to do everything within my power to remain vigilant and prevent harm wherever possible. I am aware FinCEN is already working to combat financial crimes that utilize currency exchanges.^[9] However, given the recent uptick in ransomware crimes, please provide responses to the following requests and questions no later than November 30:

(5)   An update on what proactive steps FinCEN is taking to prevent criminals from gaining an advantage by using digital currency and digital currency exchanges;

(6)   Does FinCEN have both sufficient authority and resources to effectively track the illegal use of digital currency in ransomware attacks? Specifically, is the 2013 FinCEN guidance on virtual currency in need of an update?^[10]

(7)   In what capacity, if at all, is FinCEN engaged with the Board of Governors of the Federal Reserve System to ensure that use of digital currencies does not interfere or create a threat to the banking system, economic activity, and financial stability?

(8)   What steps can FinCEN take to ensure that hackers are not emboldened to steal consumer data knowing that digital ransom is easily paid?

The severity of the damage inflicted by largescale data breaches demands our immediate attention.  Left ignored, this threat is likely to get worse before it gets better. 

                                                   Sincerely,

­­­­­­­­                                                              

                                                               Robert Menendez

                                                               United States Senator

Cc: The Department of Justice

WASHINGTON – U.S. Senator Bob Menendez (D-N.J.), senior member of the Senate Banking Committee, today sent a letter to the Acting Director of the Financial Crimes Enforcement Network (FinCEN) posing a series of questions around the Trump Administration’s efforts to prevent the use of cryptocurrency and digital payment systems such as Bitcoin for ransom in future cyber-attacks.

The Senator’s letter comes after cyber thieves demanded Equifax pay them 600 Bitcoin in exchange for deleting the stolen personal information of over half the U.S. population. The widespread cybersecurity breach exposed consumer’s birth dates, addresses, credit card information and Social Security numbers began in March and lasted through the end of July when it was discovered by the credit reporting agency. 

“Because of the anonymous nature of bitcoin transactions, the digital currency is an ideal choice for criminals,” wrote the senator, who has been a leading voice in Congress to protect consumers and hold bad actors accountable following the Equifax data breach. “The Internet presents a formidable obstacle to law enforcement, with new bad actors constantly replacing those who have been apprehended. Nonetheless, we have a responsibility to do everything within our power to remain vigilant and prevent harm wherever possible.”

Ransomware attacks, which lock a user’s computer to prevent them from accessing data until a Bitcoin ransom is paid, has become a multi-million dollar business for online criminals.  As a bureau within the U.S. Department of the Treasury, FinCEN is tasked with protecting the U.S. financial system from illicit use, combating money laundering and promoting national security. The Senator’s missive requests FinCen provide responses to the following requests and questions no later than November 30:

(1)  An update on what proactive steps FinCEN is taking to prevent criminals from gaining an advantage by using digital currency and digital currency exchanges;

(2)  Does FinCEN have both sufficient authority and resources to effectively track the illegal use of digital currency in ransomware attacks? Specifically, is the 2013 FinCEN guidance on virtual currency in need of an update?^[1]

(3)  In what capacity, if at all, is FinCEN engaged with the Board of Governors of the Federal Reserve System to ensure that use of digital currencies does not interfere or create a threat to the banking system, economic activity, and financial stability?

(4)  What steps can FinCEN take to ensure that hackers are not emboldened to steal consumer data knowing that digital ransom is easily paid?

A copy of the full letter can be found here and below.

October 31, 2017

The Honorable Jamal El-Hindi

Acting Director

Financial Crimes Enforcement Network

1500 Pennsylvania Avenue, NW

Washington, DC 20220

Dear Acting Director El-Hindi:

As you know, the recent Equifax data breach exposed the personally identifiable information of more than 143 million people. Shortly after news of the data breach broke, reports surfaced that the perpetrators were demanding 600 bitcoin in ransom.^[2] These reports raise serious concerns about the role of bitcoin in future breaches. As such, I write to request information on the Financial Crimes Enforcement Network’s (FinCEN) oversight and engagement on the use of digital currency in ransomware attacks.

According to research from New York University (“NYU”) and Google, “ransomware” is quickly becoming a multi-million dollar business.^[3] Ransomware is malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom, usually demanded in bitcoin. Ransomware is quickly becoming profitable criminal enterprise. Notably, the NYU and Google research team found a sharp increase in the number of cases in the second quarter of 2016.^[4] Where ransom was paid, 95 percent were paid through BTC-E, a Russian-operated bitcoin exchange platform.^[5] In sum, ransomware victims paid out more than $25 million during a two year period from 2015-2016.^[6] Just this past June, hackers withdrew $143,000 worth of bitcoin from an online wallet following the WannaCry ransomware attack that locked down files throughout the United Kingdom, including the National Health Service.^[7] These attacks have clear global repercussions for security and privacy.

Because of the anonymous nature of bitcoin transactions, the digital currency is an ideal choice for criminals.  Law enforcement is deliberately and steadily making strides in tracing the movement of online criminals. For example in 2013, the federal government arrested Ross Ulbricht, the founder of a major underground drug market, and seized more than $3.5 million worth of bitcoin.^[8]

The Internet presents a formidable obstacle to law enforcement, with new bad actors constantly replacing those who have been apprehended. Nonetheless, I have a responsibility to do everything within my power to remain vigilant and prevent harm wherever possible. I am aware FinCEN is already working to combat financial crimes that utilize currency exchanges.^[9] However, given the recent uptick in ransomware crimes, please provide responses to the following requests and questions no later than November 30:

(5)   An update on what proactive steps FinCEN is taking to prevent criminals from gaining an advantage by using digital currency and digital currency exchanges;

(6)   Does FinCEN have both sufficient authority and resources to effectively track the illegal use of digital currency in ransomware attacks? Specifically, is the 2013 FinCEN guidance on virtual currency in need of an update?^[10]

(7)   In what capacity, if at all, is FinCEN engaged with the Board of Governors of the Federal Reserve System to ensure that use of digital currencies does not interfere or create a threat to the banking system, economic activity, and financial stability?

(8)   What steps can FinCEN take to ensure that hackers are not emboldened to steal consumer data knowing that digital ransom is easily paid?

The severity of the damage inflicted by largescale data breaches demands our immediate attention.  Left ignored, this threat is likely to get worse before it gets better. 

                                                   Sincerely,

­­­­­­­­                                                              

                                                               Robert Menendez

                                                               United States Senator

Cc: The Department of Justice