With tensions rising between Washington and Tehran in the wake of the U.S. killing of Iranian general Qasim Soleimani earlier this month, U.S. officials should expect more Iranian responses, although not solely through military action. Iran for years has conducted sporadic information operations against the U.S. on social media. Such activity will most likely intensify, especially in an American election year, and cryptocurrencies are likely to play a role. The robust political influence campaigns Russia recently mounted against the U.S. show clearly how state actors may use cryptocurrencies to help facilitate these operations.
Because its military is far weaker than that of the U.S., Iran is likely to prefer tactics that need little firepower and materiel, require minimal personnel, and can be deployed easily through proxies to extend reach and preserve plausible deniability. Cyber activity fits this mold.
As far back as 2011, Iranian operatives started deploying fake Facebook, Twitter, and YouTube accounts against U.S. audiences, manipulating hundreds of thousands of people to follow bogus users and possibly share regime propaganda. These were rudimentary campaigns, but other U.S. adversaries took influence operations to another level.
When Russian military intelligence mounted a cyber operation to exploit political and social divisions in the U.S. in the runup to the 2016 presidential election, they secured an array of Internet infrastructure: website domains, virtual private networks (VPNs), and computer servers spread across multiple nations. Russia reportedly used about $95,000 worth of cryptocurrencies to acquire those resources. Using “crypto” helped to mask the identities of the operatives as they hacked computers, stole files, and published private email messages.
There are already signs that Tehran is ramping up a cyber offensive. A few days after the strike on Soleimani, the governor of Texas said that his state’s official IT systems were receiving 10,000 probes per minute from cyber actors emanating from Iran. Also, a group calling itself the Iran Cyber Security Group Hackers defaced a U.S. government library website with pro-Iranian, anti-U.S. messages, although it is unclear if the group actually is from Iran. U.S. military recruitment centers have received inquiries about scam text messages circulating telling civilians they are being drafted to fight against Iran, even though the U.S. no longer has a draft.
If these activities are directed by Tehran, they appear to be quick test runs, perhaps hinting at more sophisticated campaigns in the works. There are anecdotal reports that the Iranian regime has increased its social media propaganda since Soleimani’s death, especially on Twitter. And the regime certainly shows intentions for larger-scale disruption. The U.S. Department of Homeland Security recently re-released an advisory from June 2019 warning of a rise in Iranian regime actors and proxies trying to steal online login credentials at U.S. government agencies and commercial firms. Cybersecurity experts report that this activity is ongoing, with much of it targeted toward critical infrastructure such as electrical grids.
Most major U.S. industrial firms and large banks employ experienced cybersecurity officers who would be aware of these threats. But up-and-coming cryptocurrency exchanges, most of which are still essentially startups, may not be mindful of how Iranian cyber actors could exploit their businesses. While many exchanges watch out for state actors such as North Korea that frequently hack exchanges to steal cryptocurrencies, they may miss state actors posing as legitimate customers to fund cyber operations. Here are some ways to mitigate these risks:
To begin, cryptocurrency exchanges should employ strict Know-Your-Customer (KYC) measures to verify the identities of their users. They should have thresholds and limits to ensure that larger volumes of activity require higher levels of customer validation. There should be appropriate transaction monitoring to flag activity involving darknet websites and sanctioned or criminally linked addresses. They should assess patterns of behavior, especially in transfers involving external, unhosted wallets that have no KYC requirements. Exchanges must flag customer use of mixers that obfuscate the trails of digital tokens. These are basic procedures to counter all types of illicit exploitation of exchanges, whether by state or non-state actors.
Uncovering a state-run information operations campaign would require more sophisticated analysis, due diligence, and investigative work. Exchanges essentially need Financial Intelligence Units (FIUs), or at least some personnel who can go beyond basic monitoring and are trained in intelligence analysis or criminal investigations. Taking the 2016 Russia operation as a sample of state actors’ capabilities, FIUs should be aware of signs of activity that might be dual-use, that is, plausible for either benign or malicious purposes.
Exchanges should identify when customers are using cryptocurrencies to fund computer network services like website maintenance, server rentals, and VPNs. Payments to such services should not be viewed as illicit, but would simply deserve additional scrutiny to help compliance teams understand the financial flows involved with their platforms.
This is not an affront to privacy standards. In fact, most banks today categorize their customers’ credit card usage according to type of merchant or vendor. There is no reason why exchanges should not have similar awareness of the general nature of their customers’ transactions. In fact, it could be argued that having customers transacting largely with unknown services is a recipe for an eventual compliance disaster.
Just as terrorist financiers, drug cartels, and human traffickers want to conceal their true intentions when moving money through financial institutions, a hostile nation’s intelligence service wants to stay hidden. Information operations bring even trickier challenges because unlike terrorists, drug organizations, and traffickers, cyber influence hackers are most immediately interested in wreaking havoc in cyberspace rather than cashing out funds in the real world. Digital currencies can facilitate that havoc better than dollars, euros, or rials.
The Russian hackers used multiple European cryptocurrency exchanges for the 2016 operation. Back then, most jurisdictions had few regulations for the crypto industry. In 2020, countries around the world are supposed to implement new anti-money laundering and combating the financing of terrorism (AML/CFT) standards for cryptocurrency businesses. These standards should make it more difficult for illicit actors to operate on exchanges. A big complication, however, is that not all jurisdictions will move at the same pace to regulate their crypto industry. Some countries will be known for lax AML/CFT regulation on digital assets.
The Iranian regime is likely to know which countries have exchanges that make it easier to transact anonymously. Exchanges that want to keep the Iranian regime’s information operations off their platforms should be aware of customers transacting with other exchanges in poorly regulated jurisdictions. While such activity is not innately illicit, it can point to the types of illicit finance risks exchanges might be exposed to.
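The monitoring controls described above (tiered KYC limits, sanctioned-address and mixer screening, unhosted-wallet checks, tagging of payments to hosting and VPN vendors, and attention to exchanges in lax jurisdictions) can be expressed as a single rule-based screening function. The following is an added illustration, not code from any exchange or from the article's author; all addresses, merchant tags, tier limits and risk weights are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample reference data; none of these are real addresses.
SANCTIONED_ADDRESSES = {"bc1qsanctioned0000example"}
KNOWN_MIXERS = {"bc1qmixer0000example"}
# Hypothetical merchant tags for infrastructure vendors that accept crypto.
INFRA_SERVICES = {"bc1qhosting0000example": "server-rental",
                  "bc1qvpn0000example": "vpn"}
# Hypothetical deposit addresses of exchanges in lax AML/CFT jurisdictions.
HIGH_RISK_VASPS = {"bc1qlaxexchange0000example"}
# Assumed KYC tiers: max 30-day volume (USD) before more validation is required.
TIER_LIMITS = {0: 1_000, 1: 10_000, 2: 100_000}

@dataclass
class Customer:
    kyc_tier: int
    volume_30d_usd: float = 0.0

@dataclass
class Transfer:
    customer: Customer
    counterparty: str
    amount_usd: float
    counterparty_hosted: bool  # True when the counterparty is a custodial service

def screen(t: Transfer) -> dict:
    """Score an outbound transfer; return the decision and the reasons behind it."""
    flags, score = [], 0
    if t.counterparty in SANCTIONED_ADDRESSES:
        flags.append("sanctioned-counterparty")
        score += 100
    if t.counterparty in KNOWN_MIXERS:
        flags.append("mixer")
        score += 60
    if not t.counterparty_hosted:
        flags.append("unhosted-wallet")
        score += 15
    if t.counterparty in HIGH_RISK_VASPS:
        flags.append("exchange-in-lax-jurisdiction")
        score += 25
    if t.counterparty in INFRA_SERVICES:
        # Not illicit on its own; tagged so compliance can see the spending pattern.
        flags.append("infra:" + INFRA_SERVICES[t.counterparty])
        score += 20
    if t.customer.volume_30d_usd + t.amount_usd > TIER_LIMITS[t.customer.kyc_tier]:
        flags.append("exceeds-kyc-tier-limit")
        score += 40
    decision = "block" if score >= 100 else "review" if score >= 40 else "allow"
    return {"decision": decision, "score": score, "flags": flags}
```

Infrastructure payments are allowed but retained as flags, so an FIU analyst can later see a customer whose activity is mostly server rentals, VPNs and domains, which is the dual-use pattern the article describes.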
U.S. intelligence officials need to remain vigilant, realizing that the cryptocurrency-funded Russian operation provided lessons learned for other state actors. In 2016, Russian military intelligence used mostly Bitcoin, leaving a trail for investigators. But the cryptocurrency space has evolved. U.S. adversaries today are more likely to use less-traceable privacy coins already in circulation, or to experiment with the variety of anonymity-enhancing protocols that blockchain developers are engineering. The Iranian regime has stepped up its support for blockchain technology research, particularly after the U.S. reimposed sanctions on many Iranian banks when President Trump withdrew from the Iran nuclear deal in 2018.
Even if tensions subside between Tehran and Washington, it does not mean that Iranian information operations will cease. Keep in mind that Iran’s social media campaigns throughout the 2010s did not abate during negotiations over the Iran nuclear deal or after it was signed. And in a world where people are consuming more of their news and developing their opinions through social media, information warfare is probably the new normal. This warfare aims to influence government policymakers and civilians. The public and private sectors both need to work to counter it.