The “Highlights” — To Russia, With Crypto

The Financial Crimes Enforcement Network (“FinCEN”) issued on November 1 a Financial Trend Analysis regarding ransomware-related Bank Secrecy Act (“BSA”) filings during the second half of 2021 (the “Report”).  This publication follows up on a similar ransomware trend analysis issued by FinCEN regarding the first half of 2021

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant

The Third Circuit recently issued an opinion upholding the federal cyber-stalking statute against a constitutional challenge in United States v. Ho Ka Yung. Yung was convicted of cyber-stalking after he instituted a campaign of harassment against a Georgetown Law alumnus interviewer and his family. Though he pled guilty, Yung preserved the right to appeal

On March 1, 2022, the U.S. Department of the Treasury (“Treasury”) published its National Risk Assessment for Money Laundering, Terrorist Financing, and Proliferation Financing (the “NMLRA”), identifying the national threats, vulnerabilities, and risks facing the U.S. financial system.  The NMLRA is 74 pages long and comprehensively covers many different perceived threats and vulnerabilities, including the misuse of legal entitiesvirtual assetsreal estateinvestment advisors, and casinos.  This post therefore selects three key issues for closer analyses.

First, cybercrime (a topic we cover frequently) in the form of ransomware received the dubious honor of representing “a larger and growing share of the overall money laundering threat in the United States.”  Second, professional money laundering organizations (“PMLOs”) continue to peddle their illicit services internationally to launder the proceeds of cybercrime, narcotics trafficking, and other schemes on behalf of organized criminal enterprises.  Third, merchants and professionals, such as lawyers, real estate professionals, and financial services employees, continue to perform – knowingly or unknowingly – critical functions in support of money laundering schemes and obfuscating the source of ill-gotten gains.


Partly due to the COVID-19 pandemic, cybercrime is on the rise.  Whereas the 2018 NMLRA reported that in 2016, the FBI received 298,728 internet-facilitated fraud complaints totaling over $1.3 billion in losses, in 2020, the FBI received 791,790 complaints totaling over $4.1 billion. As the NMLRA points out, those figures likely significantly underestimate the amount of loss, because only a fraction of cybercrime is reported to the FBI.

Ransomware, as current events suggest, sharply increased in the last year.  Suspicious Activity Report data analyzed by FinCEN revealed not only that the number of reported ransomware incidents increased 42% in the first half of 2021 compared to all of 2020, but that the median ransomware-related payout increased to $100,000.  Part of the surge in ransomware attacks could be attributable to the proliferation of “ransomware-as-a-service,” whereby ransomware developers market and sell their malware to bad actors without the technical know-how to perpetrate the attack themselves.  Additionally, municipalities, hospitals, and other critical infrastructure are now common ransomware targets.

In keeping with OFAC’s September 2021 advisory warning of potential sanctions for paying or facilitating ransomware payments to sanctioned entities (covered here), the NMLRA cautioned that “[t]he U.S. government continues to strongly discourage the payment of cyber ransom or extortion demands, which can be used to finance future attacks or other illicit activity,” and that “[r]ansomware payments may therefore not only fund activities that harm U.S. national security but also risk violating OFAC regulations.”

The NMLRA identified two additional cyber-threats: (1) business email compromise, in which bad actors pose as company officers via email and convince others in the company to transfer money to spoofed accounts; and (2) the compromise and sale of financial information, in which a bad actor harvests consumers’ personal information in large scale and sells it in online black markets to fraudsters.

Professional Money Laundering Organizations

The NMLRA pays special attention to PMLOs – groups that facilitate money laundering on behalf of other criminal enterprises continue to proliferate globally.  These entities, for a fee, transport money from illicit activities into the retail banking system or to other individuals or entities.  Two schemes highlight how PMLOs can both co-opt unsuspecting third parties into the money laundering process, and operate independently.

The first scheme is money-broker PMLOs, which purchase at a discount illicit proceeds from drug sales.  The money-broker PMLO then acts as an intermediary to exchange and transfer funds across international borders and obfuscate the funds’ sources.  In one example, the money-broker PMLO, in exchange for a commission, allegedly collected drug money in the United States and arranged for a corresponding amount of foreign currency to be transferred to the Drug Trafficking Organization (“DTO”).  As cover, the money-broker PMLO arranged for the delivery of electronics from the United States to Colombia.  This scheme avoided detection at customs because no physical money ever crossed the border.

The second scheme, dubbed Chinese Money Laundering Organizations (“CMLOs”), is a growing, if perhaps idiosyncratic, method by which wealthy Chinese nationals circumvent China’s capital flight restrictions and simultaneously facilitate money laundering on behalf of drug trafficking organizations in Mexico or elsewhere.  For example, a Mexican DTO in the United States will sell dirty dollars to the CMLO, which pays the DTO in pesos.  The CMLO then advertises the dirty money for sale to Chinese nationals via internet bulletin boards or private WeChat forums.  The Chinese nationals buying the dollars circumvent China’s strict limits on exporting capital, and use the dollars to fund their lifestyles in the United States, purchase real estate or pay school tuition.

The NMLRA describes these PMLOs as purely criminal organizations – they exist solely to provide and launder illicit cash to those that are cash-starved.  Further, the new PMLO trend is the co-opting of an array of third-party professionals.  These professionals’ roles are discussed below.

Complicit Merchants and Professionals

The NMLRA identifies four types of professionals posing a money laundering risk: (1) merchants; (2) attorneys; (3) real estate professionals; and (4) financial services professionals.  We repeatedly have blogged on money laundering concerns regarding third-party professionals, including herehere and here.

Unlike PMLOs, which the NMLRA considers a “threat,” these professionals represent vulnerabilities to the security of the financial system because they, wittingly or unwittingly, may become “complicit” and “help effectuate . . . money laundering schemes.”  This language is perhaps understated—the NMLRA provides a litany of examples of professionals’ alleged knowing and active engagement in a money laundering scheme.  For example, perfume store owners in Texas purportedly accepted loose bulk cash that was described to them as “narco dinero,” and for which the owners did not file the required Form 8300 to the Internal Revenue Service.  In another example, a real estate broker allegedly purchased residences for overseas buyers, knowing that the homes would be used to illegally grow cannabis and taking steps to disguise the source of the funds.

While these cases are clear examples of professionals abusing their positions, the NMLRA’s discussion of an attorney’s “representation” of a narcotics trafficking organization may be the strongest example of a professional service allegedly transforming into criminal assistance.  According to the superseding indictment filed in Baltimore, an attorney received drug proceeds from his client and the client’s associates, then used that money to promote the client’s unlawful business, pay for legal representation for his client’s co-conspirators, and pay himself commission for the laundering activities.

However, the NMLRA’s list regarding a few outlier prosecutions of knowingly complicit professionals does not address a much more difficult issue, which is the degree of due diligence that an average professional should conduct when onboarding a new client (and thereafter).  The vast majority of fact patterns confronting professionals are much less clear and dramatic than the examples set forth in the NMLRA – and what type of KYC steps professionals not directly regulated by the Bank Secrecy Act should take in a given case is often a challenging question.

Continue Reading  U.S. Treasury Identifies Ongoing and Emergent Money Laundering Risks and Vulnerabilities

OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay Ransomware

First Post in a Two-Part Series on Recent OFAC Designations

On September 21, 2021 OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange, SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for

In a long awaited opinion, the Supreme Court recently resolved a circuit split regarding the proper interpretation of a statute implicated in many post-employment disputes. Since its enactment, federal courts of appeal have been divided over the proper interpretation of the phrase “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”), a primarily criminal statute that also includes a civil cause of action where an individual accesses a protected computer without authorization or exceeds authorized access. Some courts have held that the “exceeds authorized access” requirement only applies where the individual was authorized to access the computer itself but not the particular files or information that are the subject of the dispute.
Continue Reading  Supreme Court Limits the Scope of Computer Fraud and Abuse Act

On May 12, 2021, President Joe Biden issued an Executive Order to implement new policies aimed at strengthening the nation’s cybersecurity. The Executive Order was issued in response to the recent SolarWinds, Microsoft Exchange, and Colonial Pipeline cybersecurity incidents, which were, according to the White House, “a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.”
Continue Reading  President Biden’s Cybersecurity Executive Order Has Implications for the Private Sector

As people across the country and world try to figure out how to protect themselves against the spread of coronavirus, hackers are working hard to spread their own viruses.  Indeed, various cybersecurity firms have reported that the amount of malicious emails containing the word “coronavirus” has significantly increased since the end of January.

Many of

On November 13, 2018, Ballard Spahr lawyers presented a webinar on the SEC’s recent “Report of Investigation” into “business email compromises” affecting public companies.

As noted in our prior blog post, the Report was prompted by the SEC’s investigation into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities and Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” (See our prior alert and blog post regarding the Interpretive Guidance).
Continue Reading  Listen to Our Webinar on “The SEC’s Special Report on Business Email Compromises: What It Means and What You Should Do”

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.
Continue Reading  The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)