The exploding decentralized finance (DeFi) space is now firmly on the radar of regulators and concerns are growing that it could become a magnet for criminal or nefarious activity, according to blockchain analytics provider CipherTrace.
DeFi has grown from a science project into a $11 billion market, one in which there appears to be almost zero know-your-customer (KYC) provision and a considerable risk of potential manipulation.
DeFi is such a young space, it’s hard to tell whether the sort of money-laundering activities typically associated with cryptocurrency mixing services will migrate there. But preliminary findings after the recent KuCoin hack suggest this new generation of decentralized exchange (DEXs) could be added to crypto mixers as an attractive service for crooks, said CipherTrace CEO Dave Jevans.
“I think there's a lot of concern that these platforms can be used as effectively the next generation of money-laundering mixing services,” said Jevans. “If I can put my stuff into a DeFi contract, it gets mixed up with other people’s money when it comes back out. Because there’s no tracing and there’s no KYC, it effectively is operating as an old-school crypto money-laundering service.”
In the case of the KuCoin hack, the thieves used five DEXs – Uniswap, Kyber Network, DEX.AG, Tokenlon, and 1inch.exchange – and have so far sold over $17 million in tokens that could be frozen by the owners of their respective projects, according to analysis by crypto sleuthing service Elliptic.
But while these DeFi services are acting as a useful layer to exchange tokens, they are not actually covering the hacker’s tracks at this stage, said Elliptic co-founder Tom Robinson.
“The hacker isn’t using DEXs to hide their tracks, they’re doing it so they can sell their stolen tokens,” Robinson said via email. “The token issuers (Tether, Ocean Protocol, etc.) are freezing accounts or reversing transactions associated with the stolen funds in order to aid their recovery. So the hacker needs to convert them into something like ether, which is much less likely to be taken from them.”
Speaking hypothetically, there are some other interesting reasons why DeFi could benefit potential money launderers, said Jevans of CipherTrace. Ironically, interacting with a smart contract (computer programs that run on top of blockchains, and on which DeFi is based), could provide a layer of safety and security for the hacker, Jevans said.
“Because these are contracts, it’s much harder to get ripped off,” said Jevans. “Some of the mixing services, when they get sufficient volume, they pull an exit fraud and just basically stop working. That’s the way a bunch of these guys make money; they’ll charge low fees on mixing and wait until there are a few tens of millions in the hopper, then they just take off.”
Another risk for criminals using crypto mixers is the chance the service itself gets busted by law enforcement and the funds are seized.
“We’ve seen a number of seizures and arrests. Well, if your money was in there at the time, I assure you, you’re not getting it back,” Jevans said.
And despite the fact that gas fees on Ethereum-based DeFi apps are becoming ridiculously high, it’s still cheaper than using a mixer, Jevans added.
“Mixers are expensive,” he said. “DeFi platforms present less risk and the fees are less, too. In my view, a DeFi platform is also better because you’re mixing your bad funds with a lot of good funds,” Jevans said, adding:
DEXs are very different from mixers because the flow of funds through them is clear to see on the blockchain, said Robinson of Elliptic.
“Mixers are used to break the blockchain trail by making it difficult or impossible to link incoming funds to outgoing funds,” Robinson said. “In contrast, this is very easy to do with DEXs – the operation of the smart contract is auditable on the blockchain, so the incoming transaction in one asset and the outgoing transaction in another asset, are clear to see.”
DeFi platforms contribute a particular black spot on the overall crypto KYC landscape, the general topic of the report released Thursday by CipherTrace. But DeFi is undoubtedly on the regulatory radar, as evidenced by recent comments from U.S. Securities and Exchange Commission (SEC) crypto czar Valerie Szczepanik.
“We’ve seen [DeFi] projects that are subject to vulnerabilities, attacks, hacks, manipulation,” Szczepanik said at the Parallel Summit on Sept. 18, 2020. “We’ve seen structures that purport to enable users to lend money, earn interest, borrow money, exchange, take positions; these are all financial activities and they are likely subject to various laws already, including securities law, potentially banking and lending laws – definitely AML/CTF laws.”
So are DeFi platforms thinking about adding KYC at any point in time? Jevans doesn’t think so.
“From what we have experienced over the last couple of months is that they don’t want to have anything to do with KYC,” Jevans said. “They just say they are writing software and, while they get beneficial funds from it, they are not ‘operating’ it. But it’s interesting to see what the governance of the platforms is, which often happens to be from venture capital-backed companies.”
Indeed, the CipherTrace report suggests this could be an avenue a regulator like the SEC might pursue, especially when faced with a U.S.-domiciled firm like Uniswap inhabiting a kind of decentralized lacuna.
“While the operations of DeFi exchanges are decentralized, the scale of the governance decentralization varies greatly. For instance, Uniswap – located in San Francisco – has received venture investment capital from Andreessen Horowitz and Union Square Ventures,” states the CipherTrace report.
Andreessen Horowitz and Union Square Ventures did not return requests for comment by press time.
“So there is a place to go if you are a lawmaker or a regulator,” said CipherTrace’s Jevans. “At the end of the day, all of the governance is centralized by a for-profit company.”
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.