In the Midst of Yet Another Hot Month for Crypto Prosecutions, DOJ Recruits Private Sector Companies and Foreign Governments to Join in the Fight to Combat Cyber Threats
Speaking at the Munich Cyber Security Conference on February 17, 2022, Deputy Attorney General Lisa O. Monaco announced that the U.S. Department of Justice (“DOJ”) plans to prioritize “cyber disruption,” foster international partnerships, and increase its investigative and deterrent capabilities to bolster its crypto-enforcement arsenal and to combat cyber threats. DAG Monaco’s remarks came less than two weeks after the DOJ seized cryptocurrency linked to the 2016 hack of virtual currency exchange Bitfinex, valued at $3.6 billion — the DOJ’s largest financial seizure ever — and announced the arrest of two individuals for an alleged conspiracy to launder the stolen cryptocurrency.
Just weeks later, on February 25, a federal grand jury in San Diego indicted the founder of BitConnect for allegedly orchestrating a cryptocurrency scheme that defrauded investors of more than $2 billion. During this same period, Russia invaded Ukraine and threatened follow-on cyberattacks. Recent activity in this area signals that cryptocurrency enforcement and combatting cyber threats will continue to be top priorities for the Department, as well as its regulatory and enforcement partners in the U.S. and around the globe. The private sector should take note, as DAG Monaco’s remarks regarding “cyber disruption” suggest that private companies may soon be deputized to join in the fight.
Key Takeaways from DAG Monaco’s Speech
- Focusing on “Cyber Disruption”
Against this backdrop, DAG Monaco outlined three priorities for the DOJ in its ongoing effort to combat cyber threats and crypto abuses. One of the most notable takeaways from DAG Monaco’s speech is the DOJ’s prioritization of “cyber disruption.” Borrowing from an approach used by prosecutors in the counterterrorism context, the DOJ is shifting its focus to disrupting cyber threats before they materialize. Specifically, prosecutors will have to assess whether there are steps they can take to prevent or reduce the risk of a cyber threat, even if doing so might tip cybercriminals off and jeopardize the potential for charges and arrests. While the practical effects of “cyber disruption” remain to be seen, DAG Monaco suggested that prosecutors may share decryptor keys with hacked entities or seize servers used to further cyberattacks. DAG Monaco implored using “all available tools,” including disruptive capabilities, sanctions, export controls, and “those of our international and private sector partners.” DAG Monaco’s remarks indicate that the DOJ may soon effectively deputize private sector entities to “take their own actions against these threats.” Doing so will allow the long arm of the law to “stretch much farther into cyberspace.”
- Fostering International Partnerships
The DOJ is also shifting its focus outside the U.S. in an effort to facilitate more cross-border partnerships. Recognizing that it is “the rare cyber investigation that does not have an international dimension,” DAG Monaco stated that the DOJ is prioritizing cross-border partnerships in its fight to combat crypto abuses and other cyber threats. The newly created Cyber Operations International Liaison will work with DOJ’s European partners to “up the tempo of international operations against top-tier cyber actors.” In addition, the DOJ is launching the International Virtual Currency Initiative to combat the abuse of virtual currency. The Initiative will bring law enforcement agencies from around the world together to track money through the blockchain and promote responsible anti-money laundering requirements.
- Growing Crypto-Specific Investigative Capabilities
DAG Monaco also announced the formation of the Federal Bureau of Investigation’s Virtual Asset Exploitation Unit (“VAXU”) to “keep pace with the threat actors who exploit innovations as fast as the marketplace produces them.” DAG Monaco described VAXU as a “nerve center” of cryptocurrency experts tasked with providing equipment, blockchain analysis, virtual asset seizure, and training to the rest of the FBI. While not much else is known about VAXU at this time, based on DAG Monaco’s remarks, the fight against cyber ransomware will likely be a top priority for the unit. VAXU is expected to work closely with the DOJ’s National Cryptocurrency Enforcement Center (“NCET”), which was created to ensure the DOJ meets the challenges posed by the criminal misuse of cryptocurrencies and digital assets. The DOJ also announced on February 17, 2022 that NCET will be led by Eun Young Choi, a career federal prosecutor with extensive experience leading high-profile cyber cases. Taken together, this indicates that the FBI and DOJ are making a concerted effort to further specialize and develop their crypto expertise to meet head-on the challenges presented by ever-mounting cyber threats.
Why This Matters
Companies dealing in cryptocurrency and other digital assets should take note of the DOJ’s priorities. DAG Monaco called upon such companies to “root out cryptocurrency abuses” and cautioned that those who do not will be held accountable. At a minimum, companies can — and should — protect themselves by prioritizing strong know-your-customer (“KYC”) procedures and anti-money laundering (“AML”) programs, as well as staying apprised of the ever-changing regulatory and enforcement landscape. Companies should also anticipate receiving requests from the DOJ and its U.S. and international partners to assist in cyber disruption efforts. While the extent of the cooperation required by such requests remains to be seen, companies should take steps now to prepare where they can. In addition to shoring up their KYC and AML programs, companies should formulate a basic response plan that includes internal reporting mechanisms and bringing in outside counsel if need be. Public companies also must be prepared to meet the SEC’s enhanced cybersecurity disclosure obligations, should the proposed rule amendments announced on March 9, 2022 pass. If adopted, the proposed rules could have a meaningful impact on the current and periodic reporting process and compliance incident response by requiring companies to disclose (i) any material cybersecurity incidents on Form 8-K within four days after determining such a breach is material, (ii) its governance, risk management, and strategy with respect to cybersecurity policies and risks, and (iii) the board of directors’ cybersecurity expertise. As cyber disruption requests become more commonplace, it also may be prudent to provide training to IT personnel on responding to these requests and on collecting information about the scope and extent of a cybersecurity incident. Taking the time to consider these measures now means that companies will not be caught flat-footed if or when they receive a request from the DOJ in the future.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.