
Merchant Crypto Payments: A New National Security Frontier

Yaya J. Fanusie
Wednesday, March 24, 2021, 11:16 AM

A steady rush into retail crypto activity is occurring without a check of the regulatory blind spots. Many illicit actors will likely try to spend their ill-gotten crypto on goods and services online rather than cashing out into regular currency.

The Bitcoin logo on a mock coin. (Flickr; CC BY-ND 2.0)

Published by The Lawfare Institute
in Cooperation With

Last month, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the agency that enforces U.S. sanctions, announced it had reached a half-million-dollar settlement with cryptocurrency payment processor BitPay, a U.S. company. OFAC had been investigating BitPay for allegedly processing payments to merchants from customers in sanctioned jurisdictions. The announcement got scant public attention, even among cryptocurrency industry watchers, but it offers a glimpse of the thorny regulatory challenges ahead as large, mainstream corporations jump into the crypto space and push for more people to use digital assets in commerce. Much of this steady rush into retail crypto activity is occurring without a check of the regulatory blind spots ahead.

The BitPay settlement also points to how illicit actors might adjust their strategies to circumvent anti-money laundering and combating the financing of terrorism (AML/CFT) rules and sanctions compliance requirements. As people’s lives become more digital and businesses become more open to cryptocurrencies, U.S. law enforcement and national security personnel may find that illicit financial activity increasingly involves crypto payments.

The business model for cryptocurrency payment processors like BitPay is straightforward. These companies provide software allowing retail merchants to accept cryptocurrencies as payment online or in brick-and-mortar establishments. The merchants do not need to handle cryptocurrencies directly. The payment processor owns the software wallets with which customers pay using Bitcoin or some other cryptocurrency, and then the processor converts those funds into regular fiat currency. The processor company then sends those converted funds to the merchant, minus a commission. This financial activity makes the payment processor a money transmitter under U.S. law and obligates it to follow all AML/CFT and sanctions regulations.

According to OFAC, BitPay failed in sanctions compliance. While BitPay screened its merchant clients to ensure they were not on the U.S. sanctions list or operating in sanctioned countries, the company for five years did not prevent individuals in sanctioned locations such as Crimea, Cuba, Iran, North Korea, Sudan and Syria from purchasing from U.S. merchants via BitPay’s crypto payment platform. Thus, it enabled customers in these locations to evade sanctions and transact with U.S. businesses.

OFAC pursued a settlement instead of a civil prosecution for these violations, acknowledging that BitPay agreed to implement multiple measures to properly screen buyers before processing their crypto payments. The good regulatory news story here is that integrating sanctions compliance measures should not be technically difficult for cryptocurrency payment processors. Systems and processes to block IP addresses from sanctioned jurisdictions and verify customer identification have been standard in conventional payment processing for decades, and they are easily applicable to crypto processors.

But the bad news is that there are aspects of cryptocurrency technology that offer loopholes to these sanctions compliance systems, which illicit actors are likely to exploit. And there are certain types of online merchants that are increasingly likely to prefer crypto payments, which may exacerbate these loopholes.

If merchants use payment processors to accept cryptocurrency payments, they can depend on those third-party money transmitter businesses to validate customers. But if a merchant owns a self-custodied crypto wallet to accept payments, there would be no third party involved to screen customers. Self-custodied wallets can be downloaded, managed and operated without a regulated financial institution. However, they are less user friendly and more cumbersome, requiring users to secure an alphanumeric private key, which, if lost or stolen, could make the funds irretrievable. Most online merchants are not in the habit of verifying customer identification documents before making a sale. So, in a peer-to-peer digital payment method, the sanctions screening process is absent. While it is illegal for U.S. businesses to transact financially with someone on OFAC’s sanctions list, most retail businesses are not obligated to do any sort of sanctions compliance. That responsibility falls on the payment processor, whether it is a bank, a credit card company or a firm like BitPay. This means that merchants using self-custodied wallets to accept crypto from customers who also use self-custodied wallets operate within a regulatory loophole where sanctions evasion transactions could occur. There’s no intermediary to screen against the sanctions list.

Some regulatory safeguards exist to mitigate this loophole, but they are not airtight. When people purchase cryptocurrencies with fiat currency, they typically must go through a cryptocurrency exchange. In all jurisdictions, these exchanges are supposed to be regulated by financial authorities and exchanges must verify the identities of their users. Any exchanges that want access to U.S. financial institutions, U.S. customers or U.S. dollar transactions must also follow OFAC sanctions guidelines. And if an exchange that does not need direct access to the U.S. dollar wants a bank account, most non-U.S. banks will only service exchanges that comply with U.S. sanctions, given OFAC’s ability to apply secondary sanctions on non-U.S. banks that offer services to designated entities.

So, in theory, individuals in sanctioned jurisdictions are quite restricted in their ability to directly purchase crypto on foreign exchanges, unless those exchanges are in sanctioned countries that do not comply with U.S. sanctions. Alternatively, to get fresh crypto that could be moved to a self-custodied wallet, these individuals may trade through informal, peer-to-peer exchanges often using physical cash, or they may participate in cryptocurrency mining to earn digital tokens when they first come into circulation. This makes large-scale crypto acquisition difficult, which is why North Korea in recent years has tried to gain hundreds of millions of dollars worth of crypto by another, more intensive strategy: cyber-hacking exchanges to steal tokens.

The North Korean regime most likely wants to use these stolen cryptocurrencies to finance its operations. But with North Korea under U.S. and United Nations sanctions, cashing out to regular currency is difficult. Exchanges can identify stolen tokens through public blockchain analysis and flag them if a customer tries to trade them for cash. Thus far, North Korea-linked operatives have tried to overcome this hurdle by mounting intricate laundering operations to move hacked tokens with clean wallets and obfuscate the origin of their ill-gotten crypto funds. This is not always successful, so North Korea probably has not been able to use much of its hacked crypto.

It would not be surprising for North Korea to seek an alternate way to use stolen crypto to its advantage. Instead of trying to cash out, regime operatives could try to spend it directly on tools and services. Based on the Kim Jong Un regime’s growing ability with cryptocurrency technology, what follows is a hypothetical scenario they would likely try to employ.

A North Korean cyber operative located in a nonsanctioned country—probably in Southeast Asia, where cryptocurrency regulations are not very robust—could move stolen crypto into a self-custodied wallet. He or she would not have to provide any personal identification documents to use such a wallet. From there, the operative might establish a fake online persona, setting up a clean email to correspond with external businesses and individuals. The operative could identify online services needed for North Korean cyber operations such as virtual private networks, website domains and additional self-custodied software wallets to hold and launder additional cryptocurrencies.

The operative might then seek online merchants that accept cryptocurrencies for these services. These merchants would probably require only an email as contact information for sales. The operative might analyze the merchant’s cryptocurrency address to assess whether the merchant’s wallet is self-custodied or hosted by a regulated entity such as an exchange or cryptocurrency payment processor. If it’s a self-custodied wallet, the operative would purchase the needed cyber tools, with high confidence that the vendor would not inquire further about the operative’s identity and that no third-party financial institution would evaluate the transaction for any suspicious activity. And because the vendor is a retail merchant and not a regulated money transmitter, it would be under no clear legal obligation to check whether the cryptocurrency it accepts is from criminal sources or a sanctioned individual. This is analogous to how a corner grocery store is not obligated to assess whether the cash it accepts from a customer came from illicit activity or from someone on OFAC’s sanctions list. In this scenario, the North Korean operative would gain tangible value for the stolen cryptocurrencies for as long as the online vendors do no due diligence on their cryptocurrency-paying customers. This is a regulatory loophole.

There are other examples of how merchant crypto payments can enable illicit activity despite current financial regulations. For instance, the adult sex entertainment website Pornhub reportedly has been unsuccessful in permanently removing many videos of rape, child sexual exploitation and human trafficking victims from its platform. Because of this, PayPal in 2019 discontinued its payment processing for the site. Pornhub then began accepting the Tether cryptocurrency stablecoin to give customers more payment options. After the New York Times in December 2020 ran an in-depth article about the website benefiting from trafficking and child sexual exploitation, Visa and Mastercard severed their payment services to the site’s parent company. Pornhub then announced it would move to a cryptocurrency-only payment model for its premium services, accepting over a dozen different tokens. The conventional payments industry considers pornography businesses high risk for illegal activity and also sees such merchants as risky to the payment companies’ reputations. High-risk merchants often have difficulty finding and keeping payment services. Thus, high-risk merchants that operate online are probably more likely to accept cryptocurrencies than most other businesses.

If sex entertainment sites that host illegal activity use crypto wallets from exchanges or crypto payment processors, the payment providers would be susceptible to public or regulatory pressure to discontinue payment services. But if the sites use self-custodied wallets to accept funds, there would be no easy way to block payments, especially when the customers also pay from self-custodied wallets. Self-custodied wallets do offer a way to protect freedom of speech and creative content that might be controversial, but they undeniably offer a loophole for transactions to enrich online criminals trafficking in significant human exploitation. This is a tension that businesses, regulators and society in general are going to have to reconcile. The illicit finance risks from self-custodied wallets are unlikely to lessen in the near future.

Online sexual exploitation appears likely to rise in the wake of the coronavirus pandemic, with people spending increased time on social media. The FBI warned in March 2020 that school closings brought greater risks of children being lured by sexual predators on the internet. Behavioral research published in November 2020 found an increased consumption of pornography websites due to the isolating conditions of lockdowns and social distancing. And in general, more commerce today is occurring remotely and digitally. While most online transactions use conventional banking platforms and not crypto wallets, some traditional payment companies like PayPal and Mastercard plan to make it easier for their customers to purchase cryptocurrencies. The writing on the wall is that more people will soon have greater access to cryptocurrencies. As that happens, many online retail vendors will be more likely to accept cryptocurrency payments. This already has been happening quietly. Two National Basketball Association franchises have accepted Bitcoin for game tickets and team merchandise for the past few years. And earlier this month, BitPay announced a deal to process customer crypto payments for a U.S. luxury hotel brand.

Because merchants taking crypto payments have been the exception rather than the rule, there has been little public discussion about how, or whether, such transactions should be regulated differently from physical cash sales or conventional online payments. Cryptocurrency payments are the only digital payments that can be almost as anonymous as cash. But their virtual nature allows for remote sales that are impossible in cash transactions. Theoretically, in a fully crypto-accepting retail world, a person using a self-custodied wallet could purchase millions of dollars worth of online services without exposing their true identity to merchants, regulators or law enforcement. But there are ways to balance the profound privacy benefits of merchant crypto wallets against the significant money laundering and national security risks. Businesses, financial authorities and the general public should consider the following measures.

Regulators should require merchants to place transaction-volume limits on payments received from self-custodied wallets. An argument could be made to set the highest limit at $10,000, which is the threshold at which financial institutions under U.S. jurisdiction must record customer deposits or withdrawals of large cash amounts. But the virtual nature of crypto payments probably calls for something much lower, such as $3,000. OFAC was satisfied with BitPay’s plans to verify customer identities for transactions of $3,000 or above as part of its compliance improvement plan. However, separately, U.S. regulators in recent months have proposed requiring more customer identification recording for international banking transactions as low as $250, due to the prevalence of terrorist financing transfers of just hundreds of dollars.

While transaction limits on self-custodied wallets might seem burdensome, their impact may be limited because such wallets are less user-friendly than those hosted by exchanges. Self-custodied wallet users have more privacy, but they must manage their own private keys, which requires greater security awareness and vigilance. It can be assumed that if many more people do start paying in crypto, most will use hosted wallets where a regulated institution manages their keys and verifies their identity. On the merchant side, most vendors are likely to prefer crypto payment processors over self-custodied wallets given their ease of use. So, self-custodied wallets will probably be used by only a small percentage of customers and merchants. If regulators place transaction restrictions on self-custodied wallets in merchant retail, that should mitigate some of the illicit finance risks while keeping these wallets available for those who want independent control of their digital wealth. The one wrinkle in transaction limits is that some actors will try to circumvent the restrictions by using multiple self-custodied wallets. This may call for merchants to use additional software to identify such behavior, but it may be impossible to close every technical loophole exploitable through cryptocurrency technology.
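To make the proposed control concrete, here is an added illustration (not code from the article, BitPay or any regulator) of a merchant-side screener that enforces a cumulative $3,000 limit on self-custodied payments per customer account and escalates accounts that spread purchases across many self-custodied wallets. The wallet classification, the per-account wallet cap of three, the customer identifiers and the payment amounts are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical merchant-side control; thresholds below are assumptions.
SELF_CUSTODY_LIMIT_USD = 3_000.0  # the $3,000 verification threshold discussed above
MAX_SELF_CUSTODY_WALLETS = 3      # constructed: distinct wallets per account before review

@dataclass(frozen=True)
class Payment:
    customer_id: str      # merchant account identifier, e.g. the checkout email
    from_address: str     # on-chain address the funds arrived from
    self_custodied: bool  # assumed to come from a blockchain-analytics lookup
    amount_usd: float

@dataclass(frozen=True)
class Decision:
    action: str  # "accept" | "require_id" | "review"
    reason: str

class MerchantScreener:
    """Tracks accepted self-custody volume and wallet count per customer account."""

    def __init__(self, limit_usd=SELF_CUSTODY_LIMIT_USD, max_wallets=MAX_SELF_CUSTODY_WALLETS):
        self.limit_usd = limit_usd
        self.max_wallets = max_wallets
        self.volume = defaultdict(float)  # accepted self-custody USD per customer
        self.wallets = defaultdict(set)   # self-custodied addresses seen per customer

    def screen(self, p: Payment) -> Decision:
        if not p.self_custodied:
            # A hosted wallet means an exchange or processor already performed KYC
            # and sanctions screening on the payer; the merchant relies on that.
            return Decision("accept", "hosted wallet: intermediary screened the payer")
        self.wallets[p.customer_id].add(p.from_address)
        projected = self.volume[p.customer_id] + p.amount_usd
        if projected >= self.limit_usd:
            # Hold the sale until identity is verified; the amount is not added to
            # accepted volume because the payment has not been processed.
            return Decision("require_id", f"self-custody volume would reach ${projected:,.2f}")
        if len(self.wallets[p.customer_id]) > self.max_wallets:
            # Many distinct self-custodied wallets under one account is the
            # multiple-wallet circumvention pattern; escalate for manual review.
            # An actor who also rotates account emails is not caught by this check.
            n = len(self.wallets[p.customer_id])
            return Decision("review", f"{n} self-custodied wallets on one account")
        self.volume[p.customer_id] = projected
        return Decision("accept", f"self-custody volume now ${projected:,.2f}")

def run_demo() -> list:
    """Constructed payments exercising each outcome; returns the list of actions."""
    s = MerchantScreener()
    payments = [
        Payment("buyer@example.invalid", "wallet-a", True, 1200.00),  # accept
        Payment("buyer@example.invalid", "wallet-b", True, 1500.00),  # accept (2,700 total)
        Payment("buyer@example.invalid", "wallet-c", True, 500.00),   # require_id (3,200)
        Payment("vip@example.invalid", "wallet-h", False, 9000.00),   # accept: hosted wallet
        Payment("split@example.invalid", "wallet-1", True, 100.00),
        Payment("split@example.invalid", "wallet-2", True, 100.00),
        Payment("split@example.invalid", "wallet-3", True, 100.00),
        Payment("split@example.invalid", "wallet-4", True, 100.00),   # review: 4th wallet
    ]
    return [s.screen(p).action for p in payments]
```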

Regulators and the private sector should also keep in mind that there may be other policies to counter online illicit activity outside of the payment sphere. For example, the problem of minors, trafficked persons and acts of rape appearing on pornography websites is exacerbated when sites allow video downloads. By the time sites remove illegal content, the videos may have been downloaded to be uploaded again on the same site or elsewhere. Pornhub in December 2020 decided to significantly restrict video downloading and to allow users to upload videos only if they first verify their identities. This probably should be an industry standard. In fact, some members of U.S. Congress have proposed that the adult sex website industry adopt it wholesale.

The emerging risks around self-custodied wallets and merchant payments also demonstrate the need for the public and private sectors to collaborate further on digital identity solutions. For years, technologists, privacy advocates and regulators have been warning about the problems of fraud and identity theft in the growth of online transactions. In March 2020, the Financial Action Task Force, the intergovernmental body that sets anti-money laundering regulatory standards, published guidance for countries to follow in developing systems to authenticate people’s identification during online transactions. But digital identity problems are hard to solve. There’s no one-size-fits-all technical solution, with societies varying in their legal and cultural perspectives on personal data collection and storage.

In the United States, where standards for privacy, cybersecurity and national security are all extremely high, the holy grail solution may be digital identity that relies on private-sector technology to authenticate identity data without warehousing personal information. This is more important now as many nations are considering developing national digital currencies. In June 2020, Canada’s central bank published a note exploring strategies to preserve privacy in a central bank digital currency (CBDC). In February 2021, Canadian researchers at the University of Toronto and York University produced a paper proposing that CBDC architects could create a system giving all users a private digital identity that could be revealed to authorities only under a court order or a specific anti-money laundering requirement. Another set of researchers at McGill University proposed that a state digital currency could employ cryptographic methods known as zero-knowledge proofs to protect users’ privacy while giving authorities some measures to verify identities for regulatory compliance. All jurisdictions are going to have to tackle this challenge of ensuring identity verification while preserving privacy as retail digital transactions expand, whether in CBDCs or cryptocurrencies.

More merchants accepting crypto payments is on the horizon. It would be a small technological shift with major repercussions. Illicit actors always exploit financial innovations and seek out the spaces of regulatory loopholes. U.S. national security and law enforcement personnel must prepare for illicit actors’ adaptive behavior, think through the potential illicit scenarios and close the loopholes.

Yaya J. Fanusie is a former CIA analyst and is the Director of Policy for AML & Cyber Risk at the Crypto Council for Innovation. He also is an adjunct senior fellow at the Center for a New American Security.
