Europol Embraces Bitcoin and Urges Cryptocurrency Training

The police agency of the European Union, Europol, released their annual Internet Organised Crime Threat Assessment (IOCTA) report for 2015 yesterday. In the report the agency’s European Cybercrime Centre dissects the future risks and emerging threats of cybercrime, and provides recommendations to prevent and fight it. This 76-page annual report offers an eye-opening view from a law enforcement perspective, based on contributions by EU Member States and Europol staff experts, with further input from private industry, the financial sector and academia.

“Cryptocurrencies are slowly gaining acceptance at government level, with a number of EU jurisdictions either proposing regulation of cryptocurrencies or already recognising them under existing legislation. It is inevitable that more jurisdictions will follow suit although it would appear that there is currently a lack of harmonisation in approaches.”
— – IOCTA, Europol’s European Cybercrime Centre

In recognizing that bitcoin and other cryptocurrencies are increasingly being accepted at the government level as well as at businesses, the agency also cited that its’ popularity has grown among cyber criminals. However, as the report points out, cyber criminals will use whatever is convenient and serves their purpose at the time, whether it is digital currency or not.

“It is clear that cybercriminals will continue to use whichever payment mechanism is convenient, familiar or perceived to be safe, including those that are already regulated and maintain anti-money laundering controls.”
— – IOCTA

According to the report, although bitcoin currently accounts for approximately 40% of all identified criminal-to-criminal payments of the EU law enforcement investigations, it is far from being the only currency used.

“PayPal is another notable payment system used for transactions of this nature, accounting for almost one quarter of identified payments. To a lesser extent paysafecard, Ukash, Webmoney and Western Union were also used.”
— – IOCTA

For comparison, when cybercriminals need to pay for legitimate services such as hosting or travel, the IOCTA observed that over 60% of transactions were done using traditional financial instruments such as credit cards or bank transfers. Of course, whether these cards or accounts were legitimate or fraudulently obtained is unknown.

The agency also mentioned that it has observed “a continuation of migration from traditional payment mechanisms to those offering a greater degree of anonymity, particularly pseudonymous payment systems.”

The IOCTA further revealed that even though there are currently over 650 cryptocurrencies recorded, with more being created almost daily, it named only bitcoin as being widely used: “Bitcoin is establishing itself as a single common currency for cybercriminals within the EU. Bitcoin is no longer used preferentially within Darknet marketplaces but is increasingly being adopted for other types of cybercrime as well.”

In the previous year’s IOCTA report, more niche, privately-controlled currencies had been anticipated, but this prediction has not materialized. Since bitcoin offers many benefits including privacy, it has been widely used by many people including cybercriminals.

“Bitcoin features as a common payment mechanism across almost all payment scenarios, a trend which can only be expected to increase.”
— – IOCTA

Since cryptocurrencies are inevitably going to be used, the agency strongly recommended that law enforcement focus on learning about the technology in order to fight cybercrime: “Investigators must familiarise themselves with the diverse range of account and payment references and file formats of digital wallets used by the different payment mechanisms in order to recognise these in both standard and forensic investigations.”

The agency also argues that it is not efficient to regulate cryptocurrencies, because those who are not breaking the law will comply and be at a disadvantage. Those breaking the law will continue to use it illegally: “Any regulation of cryptocurrencies would likely only be applicable and enforceable when applied to identifiable users such as those providing exchange services.”

“The inability to attribute transactions to end users makes it difficult to imagine how any regulation could be enforced for everyday users.”
— – IOCTA

Since regulations would likely not be very useful at preventing and stopping cybercrime, the IOCTA advised that laws will not be conducive to maintaining a good relationship with the public: “While there may always be a need for laws which compel private industry to cooperate with law enforcement, there is greater benefit in establishing and building working relationships in order to stimulate the voluntary and proactive engagement of the private sector.”

Cybercrime remains a growth industry, as well as becoming more aggressive and confrontational. Cybercriminals will work harder to to come up with new technologies to get ahead of law enforcement to make catching them harder, no matter what kind of payment systems or technologies are present.

In a rare admission of responsibility by a police agency, the IOCTA surprisingly admitted, “a key driver of innovation within cybercrime may be law enforcement itself.”

“Every law enforcement success provides impetus for criminals to innovate and target harden with the aim of preventing or mitigating further detection and disruption of their activities.”
— – IOCTA

After recognizing that cyber criminals will always find a way to stay ahead of law enforcement technologically, the IOCTA pointed out that cybersecurity tactics need a lot of improvement: “Many of the so-called smart devices are actually quite dumb when it comes to their security posture, being unaware of the fact that they are part of a botnet or being used for criminal attacks.”

An example of devices that are prone to attack is the Simple Service Discovery Protocol (SSDP), which is enabled by default on millions of Internet devices using the Universal Plug and Play (UpnP) protocol, including routers, webcams, smart TVs and printers. They became the leading DDoS amplification attack vector in the first quarter of 2015, according to the IOCTA.

In dealing with smart devices and the Cloud, law enforcement faces many challenges, including access to data, training, education, and digital forensics.

“Law enforcement must continue and expand successful initiatives to share knowledge, expertise and best practice on dealing with Bitcoin and other emerging/niche digital currencies in cyber investigations.”
— – IOCTA

The need for people to be connected and use smart devices opens up many scenarios for attacks. The IOCTA gave a range of examples from hacked smart cars to hacked medical devices, to even hacked weaponized drones.

“The rising adoption of the IoT and the Cloud continues to create new attack vectors and increases the attack surface for cybercrime… Common-mode failures or failures that result from a single fault in software or hardware components used in smart devices will continue to present a major cybersecurity risk to the IoT.”
— – IOCTA

Recent statistics show that the global number of cybersecurity incidents has been steadily rising. In 2014, companies detected and reported 42.8 million IT security breaches.

With better technology, the number of cybercrimes is rising but the report’s author feels that law enforcement has also been doing a good job in keeping up with the technology to prevent cybercrime.

“The last 12 months have shown some remarkable successes by EU law enforcement in the fight against cybercrime.”
— – Rob Wainwright, Director of Europol

Throughout the report, there were mentions of other complementary technologies and programs commonly used with bitcoin as well, including BitTorrent, a few encryption suites, and up-and-coming programs like OpenBazaar. Overall, the report made for an interesting read, and it leaves its’ audience with a clear impression that Europol’s European Crime Center has been doing their homework and is keeping an eye on the greater bitcoin community, with an interest to learn as much as they can to combat crime within it.