Criminals have always found efficient ways “to launder the proceeds of their crimes and avoid increasingly stringent anti-money laundering regulations,” according to an update from CertiK.
One such technique, uncovered by CertiK, poses “a direct threat to Web3 projects.”
Criminal organizations are using this scheme “to transform their illegal funds into seemingly-legitimate Web3 startups and reap high returns.”
CertiK’s former law enforcement investigators share their observations and “provide practical takeaways on how to maintain the financial integrity of Web3 ventures.”
Venture-Based Money Laundering (VBML) in Web3 is “the manipulation of the venture seed funding ecosystem to convert crime proceeds into legitimate businesses and revenue streams through seed investment in early-stage ventures.”
The investigation team at CertiK conducted “a study on 272 blockchain and Web3 startups and discovered the ways in which certain criminals use the VBML scheme to infiltrate the Web3 industry.”
When an individual or organization commits a crime and accumulates illicit profits, they need to “use a scheme to launder their funds in order to use the money freely without raising suspicions.”
VBML is one such scheme. Applied to the Web3 context, VBML consists of criminals seed-funding “a new crypto project with ‘dirty’ funds.”
This initial seed funding is used “to hire developers, invest in marketing, and launch the project.” The criminals spend the entirety of the illegal funds “on these expenses and in return, own or co-own a productive Web3 project.”
From here, they can obtain “clean money” that is easily justifiable because they “have a publicly known business to show as the origin of the funds.”
The “clean money” can be “extracted multiple times throughout the life cycle of the project, such as during following fundraising rounds, token or NFT sales, payments for salaries, expenses, dividends, and when the criminals sell their project ownership.”
This criminological study “on the risk of money laundering in Web3 ventures was conducted on a sample of 272 Web3 crypto projects launched in 2022, in order to help criminal investigators understand the money laundering tactics currently used by career criminals.”
The researchers specifically “focused on the risk of illegal proceeds being injected as initial equity in new crypto ventures.”
The “founding” or seed funding round is particularly “appealing to criminal operators” because it is generally considered “personal investment” and is “subject to less scrutiny, controls, and anti-money laundering (AML) regulations, making it less likely to be detected by law enforcement.”
Additionally, this round has “the potential for a very attractive return on investment.”
The research did “not evaluate the risk of illegal proceeds being injected in subsequent rounds of fundraising as these rounds are typically sourced from larger, specialized venture capital firms which are subject to more thorough due diligence, accountability, and controls and are less accessible to core criminal operators.”
In addition to the risk of external attacks, the Web3 industry also faces “the risk of scams by malicious project teams and legitimate projects being compromised by insider threats.”
To address this, CertiK created the KYC Badge program, which “focuses on verifying and vetting the teams behind projects.” Only project teams “that agree to undergo a thorough background investigation are granted the badge.” This distinguishes “the verified, transparent, and accountable teams from other projects.”
During the enhanced due diligence process and thorough audit of the team and project management, the investigators were able “to detect and identify certain projects with hidden issues pertaining to the origin of their seed-funding.”
This risk was repeatedly “detected through an analysis of discrepancies, a proprietary dataset of risk-signals, and a dataset of known malicious Web3 operators.”
CertiK’s investigators, “who have previous experience in large-scale money laundering investigations, further assessed these issues through direct conversations with the applicants identified as highly exposed to this risk.”
In some instances, the investigations “revealed that the real project founders and owners were using deceptive tactics to hide behind a front team and were directly linked to criminal activities such as previous exit scams, various crypto scams, and even international drug trafficking.”
Using a third party security auditor to conduct due diligence assessments and investigations can significantly “enhance the security and integrity of Web3 projects.”
Security experts with specialized training and experience in criminal and background investigations are “adept at detecting fraud and efficiently assessing criminal risk.”
The team of professional investigators at CertiK come “from diverse intelligence and law enforcement agencies and utilize a comprehensive background investigation and risk assessment process.”
They also have access “to a proprietary dataset of repeat Web3 fraudsters and tailored risk signals to aid in fraud detection.” Organizations seeking “to ensure the integrity of their blockchain ventures can contact CertiK’s Technology and Risk Advisory Team.”
Meanwhile, projects experiencing an immediate security incident can “reach out to the CertiK 24/7 Incident Response Team for consultation with their investigators.”