We are pleased to welcome Jarod Koopman, Director, IRS – Criminal Investigations (CI), for this Q&A session, the second in a two-part interview. You can read the first part here.
Q: What are the top challenges/obstacles that you face in detecting, investigating and preventing fraud and cybercrime?
A: By its inherent nature, cryptocurrency is pseudo-anonymous and certainly provides additional challenges when trying to make attribution. For most of my career, we knew the criminal and looked to prove the crime and now, we know the crime and are trying to prove the criminal. The speed at which transactions occur and the anonymity provided by the dark web and encrypted communication require coordinated efforts globally and further engagement with industry. The financial sector has had a hundred-plus years to grow and develop, whereas exchanges are trying to replicate that in less than five.
IRS-CI, like most other agencies, rely heavily on third-party companies that provide tools for blockchain analytics and related data. They have platforms that assist in the tracing of crypto transactions. Others provide an aggregated platform for open-source intelligence (OSINT) or scraped publicly available social media information.
These companies are also embedded within the ecosystem and have close relationships with the exchange community, tech companies, academia and other bodies. These tracing tools allow us to follow the crypto trail through many levels and identify potential markets or known wallets for related interaction. These tools, however, are just that – tools. They serve as intelligence and information for use by our investigators; they are not evidence and do not provide such. We still need to go through traditional means to acquire evidence (exchange data, assets, bank info, etc.).
Crypto: Newfangled Tech for Old-Fashioned Fincrime
This area changes so much, and it’s hard to look past one to two years. I would assume in the near future we’ll be dealing with quantum computing issues, additional and advanced AI/machine-learning components. We continue to see the same types of schemes, which represent the underreporting of cryptocurrency tax, illicit exchanges, unlicensed MSBs, initial coin offerings (ICOs), dark web marketplaces and vendors.
IRS-CI is taking innovative approaches to address privacy/anonymity-enhanced coins (AEC), such as Monero and Layer 2 coins. I appreciate the aspect of privacy these coins provide. But when they’re used for crimes – tax evasion, terrorism financing, child exploitation and others, there must be a way to trace or determine attribution of the users. We are constantly working to solve this problem and determine how to gain some visibility into these transactions. It’s a fine balance between privacy and proper controls to prevent criminal activities.
Increased obfuscation techniques such as decentralized finance, mixers, cross-chain transactions (Coinjoin/Coinswap) and wallets with these built-in features continue to present significant challenges. Additionally, off-chain transactions provide no financial trail. This is nothing new. This is how hand-to-hand cash transactions have been done for many years.
Unlicensed MSBs and peer-to-peer transacting will continue – it’s the nature of value transfer. We will be required to look at other data points or use other law enforcement methods and means to identify criminals and make attribution. For example, indirect methods of proof – all of a sudden, when this person that reports $50,000 a year is living far beyond their means and spending/converting millions of dollars, there’s a discrepancy and we can prove unreported income and ultimately tax evasion, if done willfully.
Also, new regulations by FinCEN now afford statutory abilities for CI to go after these unlicensed MSBs transacting in P2P exchanging worldwide. There still needs to be additional regulation implemented to provide global standards for reporting and AML/KYC practices – U.S. law enforcement and regulatory agencies have a good handle on the U.S.-based exchanges/virtual asset service providers; however, that disappears depending on the country we’re dealing with.
Q: Looking ahead, what type of new and innovative solutions can financial institutions leverage to help the IRS-CI in the fight against cyber- and financial crime?
A: I believe artificial intelligence and machine learning components will be important in the near future as more and more criminals institute sophisticated bots and automated attacks. That being said, it will remain extremely critical to have a human in the loop (HITL) to provide necessary context and intuition. Also, financial institutions will need to adopt these new ways of transacting and understand the landscape in which they occur.
The ecosystem continues to grow, and realizing where potential threats or vulnerabilities exist will be important. Lastly, increased security authentication will be needed. I foresee new and creative two-factor authentication, identity verification and other compliance measures being introduced. Again, this will be met with mixed support as we sacrifice privacy for capability.