Will new EU crypto rules change the way ransomware is played?

Cryptocurrency has always been the preferred payment method for bad guys. Getting hit by an enterprise ransomware attack and planning to pay? You need cryptocurrency. The main reason cyber thieves love cryptocurrency so much is that it is much more difficult to track payments.

That is why an effort by the European Union has so much potential. The EU — in a move likely to be mimicked by many other regional regulators, including in the United States — is setting tracking requirements for all cryptocurrency.

If successful, and the EU has an excellent track record with exactly these kinds of changes, cryptocurrency could quickly fade as the thief’s favorite payment.

What does that mean for enterprise IT and security? It is very likely that the ransomware battles you will have in 2023 and 2024 will not necessarily require crypto. The bad guys can figure out ways to use Visa, wire transfers or ACH payments more securely. (Do you know how much easier it is to pay a ransom if you can top up a PayPal account or use Zelle or Venmo?)

A big part of the nightmare of paying ransomware is the difficulty of quickly acquiring a large amount of cryptocurrency. The company cannot hold it for the future, given its extremely volatile value. You think you’re putting away $5 million worth of crypto, only to find it’s worth $42,000 when you try to use it.

So what exactly has the EU done? The Council of the European Union said the bloc has reached a “tentative agreement” on a new groundbreaking regulatory framework for cryptocurrencies. The text of the agreement is not final, so it is not clear what it will ultimately contain. An EU official told me that “the text will be ready in time for confirmation of the provisional agreement by EU member states’ ambassadors at one of the Coreper meetings, not before September.”

“Not before September”? As deadlines go, that’s relatively pointless. But given that it’s been announced, the change seems more likely than not to happen.

From the EU statement: “The purpose of this reshuffle is to introduce an obligation for crypto-asset service providers to collect and access certain information about the originator and beneficiary of the transfers of crypto-assets they operate. This is what payment service providers currently do for wire transfers. This will ensure the traceability of crypto asset transfers to better identify and block possible suspicious transactions.”

The statement also promised: “The new agreement requires the full set of sender information to accompany the transfer of crypto assets, regardless of the amount of crypto assets being traded. There will be specific requirements for the transfer of crypto assets between crypto asset service providers and non-hosted wallets.”

By the way, the EU also listed “non-cooperative jurisdictions for tax purposes” in this document, including American Samoa, Fiji, Guam, Palau, Panama, Samoa, Trinidad and Tobago, U.S. Virgin Islands, and Vanuatu.

Another interesting detail is what the EU has promised consumers, although it is less clear how well one can deliver when it comes to consumer protection. The new agreement “protects consumers from some of the risks associated with investing in crypto assets and helps them avoid fraudulent schemes. Currently, consumers have very limited rights to protection or redress, especially if the transactions take place outside the EU. With the new rules, crypto asset service providers will have to comply with strict requirements to protect consumers’ wallets and be held liable in the event that they lose investors’ crypto assets. (The Agreement) will also cover any type of market abuse related to any type of transaction or service, in particular for market manipulation and insider trading.”

Those are nice goals, but let’s not forget that they impose rules on criminals who more or less earn their living by ignoring laws and other restrictions. The penalties for these offenses will likely be no more deterrent than being caught and charged with extortion, theft, fraud, and perhaps espionage. Against that background, some EU sanctions do not raise much fear.

That said, cryptocurrency exchanges are more or less legal operations. If new rules can make operations less hospitable to the thieves, that’s good. Will it be enough to push them into the arms of PayPal and their counterparts? That will be very interesting to watch.

Copyright © 2022 IDG Communications, Inc.
