Ubiquitous and Creative Fraud is Regular Feature of DeFi
Wednesday, April 27, 2022

If you read the hype, then you will have read that lack of regulation, speed of transactions, irreversibility of trades, and hidden identities are positive features of the crypto world. Crypto enthusiasts say that finance can only be improved by avoiding banks, regulators, and rules. But faster and looser isn’t always better when we are talking about your investments. In fact, it is a recipe for you to be defrauded out of your money.

Moving money quickly is the essence of crypto.  It is also the essence of any organized fraud scheme.  And once taken, cryptocurrency can be moved quickly and laundered to avoid detection.

CNBC reports that fraud and scams in crypto took $14 billion in 2021 “thanks in a large part to the rise of decentralized finance (DeFi) platforms.” This is separate from the $3.2 billion of cryptocurrency stolen in straight crypto theft hacking schemes.  “More than $2.8 billion of this [fraud] total came from a relatively new but very popular type of scheme known as a “rug pull,” in which developers build what appear to be legitimate cryptocurrency projects, before ultimately taking investors’ money and disappearing.” This “relatively new” scam sounds like one of the oldest frauds in the book – the fake investment scheme. CNBC also notes that many of the new DeFi protocols have code vulnerabilities that hackers are able to exploit.

Who is taking your cryptocurrency and what are they doing with it? North Korean hackers stole almost $400 million in cryptocurrency in 2021 alone from crypto exchanges and investment funds, according to the BBC. A United Nations panel that monitors sanctions on North Korea has accused Pyongyang of using stolen funds to support its nuclear and ballistic missile programs as a way to avoid international sanctions. The Secret Service has noted that Romanian crypto scams targeted nearly 1000 U.S. victims last year, taking crypto payments for non-existent luxury goods. NBC News reported that Russian cybercrime syndicates use crypto to launder their funds, transferring stolen Bitcoin to stablecoins to avoid volatility in their stolen prize. Fortune favors the brave.


Much of the crypto fraud is a classic old-school scam based on selling to investors’ “fear of missing out.” Like the Ormeus Coin company whose sibling executives were just slapped with criminal and civil charges by the Justice Department. The SEC said the Ormeus Coin execs raised $124 million from over 20,000 investors, lying about the source of Ormeus Coin’s value and spending the money on travel, real estate and personal expenses. The company CEO has been arrested and faces 65 years in prison. Like Stephen Curry, you don’t need to be an expert to invest. But it might help to avoid being scammed.

And some of these scams are creative.  For example, a DeFi cryptocurrency project called Beanstalk held hundreds of millions of dollars’ worth of stablecoins that were advertised as being worth $1 apiece. They aren’t worth anything now. Who would have expected an investment disaster from an enterprise whose business model is described in the press as an “honest Ponzi,” which relies on the promise of future investment to assure the claimed value of today’s coins? Disaster may have been predictable, but not the quite-possibly-legal scam that led to the losses.

DeFi and crypto enable a financial tool called flash loans: borrowing large sums to complete a purchase, then selling at a profit and paying the loan back very quickly. Flash loans can allow immediate access to large sums to take advantage of a short-lived investment opportunity. In this case, the loan was used to buy up at least a supermajority of the voting rights in the “decentralized autonomous organization” that controls Beanstalk. Once in control, the new controller of Beanstalk submitted a proposal for a vote, voted the controlling shares in favor of the proposal, and then when the proposal’s work was quickly completed, according to the Guardian “it sold the rights, returned the loan, and began the process of laundering the proceeds.” And what did the newly voted proposal do? On its face it seemed like the proposed program would simply donate $250,000 to Ukrainian relief, but once passed, the program quickly moved nearly all the Beanstalk investor funds, $180 million, into the personal account of the person who just bought the shares.

The shareholder took control of the company for a moment, successfully proposed and passed an action to pay himself all the money held to repay crypto investors, and then sold the shares and paid back the money borrowed to buy control of the enterprise. Nifty trick. This is effectively the same as buying a community bank for $5 million, removing $30 million in accountholder deposits to pay yourself, and then selling your shares in the bank once all its accounts were reduced to zero balance by you. This would be against banking rules because banks are highly regulated. But crypto is not, so maybe running this scam here won’t violate laws. That doesn’t make it OK.


On the day of the attack, the Beanstalk founders wrote, “Honestly not sure what to type. We are f-cked … It is highly unlikely there is any sort of bailout coming.”  The Guardian wrote, “By the rules of the real world, there is almost certainly a crime here, although it’s not easy to identify which one. Maybe fraud? Probably you cannot hand someone computer code that says in quite clear English that it is a proposal to donate $250,000 to Ukraine but which actually donates $180m to you, and then when they run it, say “haha suckers” and not get in some sort of legal trouble. But the deeper you get into the crypto sector, the less the rules of the real world apply. In the real world, you also cannot start a wildcat bank that mints its own currency to pay double digit interest rates out of customer funds.”

That is the core problem. Games without rules can work for you or against you. People looking to defraud others love a world like the crypto-verse because it moves fast and has fewer rules, just like people who want to cheat at basketball or soccer would prefer to play without referees. The fewer real authorities exist, the more you can get away with. But what happens when someone bigger, meaner, and more willing to cheat takes advantage of you?

If there is one thing we can count on in the world, it is that bad people will use an absence of rules or non-enforcement of norms to invade their neighbors, enrich themselves, and prey on others. Crypto investors may not set out to finance North Korea’s nuclear program or the Beanstalk bandits, but the scarcity of rules and enforcement allows this to happen, and makes a significant amount of fraud and theft predictable.

The Biden Administration has called for explicit regulations of cryptocurrencies and the blockchain-based economy. The EU has voted to remove anonymity from crypto transactions so that law enforcement has a better shot at following criminal and fraudulent transactions back to their source. There is reason to believe these policies will improve the crypto-sphere, rather than degrade it. A land without rules is a place ruled by the lawless, and that leaves less space for the rest of us.

 
