‘Clash of Clans,’ Other Mobile Games Being Used for Money Laundering (Report)

By Liz Lanier

A fun time-killer for some, popular mobile games like “Clash of Clans” are being used to launder stolen credit card money by tech-savvy thieves, according to a report from German cybersecurity company Kromtech.

In the report, initially noted on Gamasutra, it was found that over 20,000 stolen credit cards were used in games like “Clash of Clans,” “Clash Royale,” and “Marvel Contest of Champions.” The thieves can make purchases and then resell the accounts with the purchases to a third-party, wiping their hands of any connection to the stolen credit card information.

It’s a relatively easy process, as Apple IDs, which are required to make purchases on the App Store, only need a password, date of birth, some security questions, and then an email address, and a dummy email address is easy enough to make that it’s not really a hindrance, especially for the thieves, who were reportedly automating the account-making process, which in turn automated the money laundering process.

Kromtech traced the stolen data being used in “Clash of Clans” back to hacked MongoDB databases, one of which stored information of more than a hundred thousand credit cards.

“The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania,” the report states. “We do not know if this was simply because the tool and Facebook page is new and this is just due to initial users, or if operating through these countries provides some kind of additional benefit to the thieves.”

In the report, Kromtech is advising developers to secure the process by which users can make new accounts, to guard against those who might make an automated tool to generate mass accounts.

Automated money-laundering scheme found in free-to-play games

An unsecured MongoDB database has exposed what security researchers say is an automated money-laundering operation. The scam involves credit card thieves automatically creating fake Apple accounts and gaming profiles to profit from transactions on gaming sites.

On Monday, Kromtech’s Security Center explained that crooks are reaping profits from games that are free to play by reselling resources – for example, gems, gold, other virtual objects that give players extra abilities (known as power-ups), or games themselves.

It’s a rich vein to mine: according to one report, the gaming industry saw revenues of $108.4bn in 2017, with most of it – $82bn – coming from free-to-play titles.

Kromtech communications director Alexander Kernishniuk said in a post that money laundering in app stores is far from a new idea: in 2011, for example, Apple’s App Store was flooded with expensive, oddball apps that nobody was actually buying, the bulk of them from China.

Money laundering is one thing, but Kromtech wound up finding something Kernishniuk called “much more sophisticated.”

While conducting security audits of unsecured MongoDB databases, security researchers saw a newly created, “strange” database – open to the public, with no passwords or credentials required – that held a large number of credit card numbers and personal information. Given that the groups of records were in round numbers – 10K, 20K, 30K – the records were likely bought on the market for carders: i.e., those who buy stolen credit card numbers in large lots.

Kromtech researcher Bob Diachenko told Bleeping Computer that the group had it down to a science: they were using a special tool to create iOS accounts using valid email accounts, then they were adding a stolen payment card’s details to one of the new iOS accounts.

Then, they used another automated tool on jailbroken iOS devices to spread the workload, which consisted of installing games, creating in-game accounts, and buying game features or premiums that they later re-sold online for real money.

The database was only a few months old. The credit card thieves were using the records to target just three games: Clash of Clans and Clash Royale, both from game maker Supercell, and Marvel Contest of Champions, from Kabam. The three games – all together, the trio has 250 million users – have a very active third-party market for selling resources.

Kromtech said that the automated tool its researchers found, and its users, currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania. The database contained 150,833 unique card entries, each with full card number, expiration date, and CCVs. The cards belonged to 19 different banks.

Kromtech says that it’s easy to automatically create new accounts on a large scale because Apple only requires a valid email address, a password, a date of birth, and three security questions to create an Apple ID. Email accounts from various providers are also very easy to create en masse, with little verification required. Put the two together, and accounts could be churned out lickety-split, in great numbers.

But wait, there’s still more automation yet in this scheme: not only did the crooks automatically create accounts, they also automatically filled in credit card details until they hit on a valid one, then they automatically purchased games and resources, automatically posted games and resources for sale, used a digital wallet for order processing, and used multiple Apple devices to distribute the load.

Kromtech:

The end result, an automated money laundering tool for credit card thieves.

There are a few hurdles that should slow down this type of automated thievery. For one, email services could require phone verification, which some are, in fact, doing. VoIP burner numbers are still easy to get, but at least phone verification would make it tougher to get email accounts in bulk.

For another thing, Apple does try to validate the credit cards by charging, and then refunding, $1. But Kromtech isn’t impressed by the company’s verification processes, given that researchers spotted many transactions that went through using cards that had an incorrect name and address.

Perhaps verification is minimal due to the low dollar amount of the charge, but a stricter credit card verification would make it a bit more difficult for the carders.

Kromtech has notified the US Department of Justice about the operation. Ditto for Supercell and Apple. I’ve reached out to Apple for a comment and will update the story if I hear back.

While the focus here is on Apple, Google Play isn’t immune to this type of abuse either. Kromtech’s researchers said they saw instructions on how to rebind Google accounts, with payments, to user IDs in Supercell. Rebinding means that a player can log in on other devices, as long as they remember their binding details.

Don’t play into the scammers’ hands

Kromtech advised players not to fall for offers of cheaper gems/diamonds. They’re scams. Such third-party services request private login data such as Apple ID or your Google Play credentials to access your account, but they often hijack the account and sell it to other players. Also, once they have access to your credentials, scammers can jeopardize not only your gaming security but your financial security, as well.

If that’s not harsh enough, buying gems or diamonds from third-party vendors can lead to having your in-app currency revoked, or even get your account permanently banned.

Finally, here’s a rare thumbs-up for unsecured databases: Like we’ve said in the past, they’re still the low-hanging fruit of the internet.

MongoDB, a NoSQL database, turns up all too frequently in security-breach headlines, which is why we always urge people to make sure they read the security manual of whatever NoSQL database service they’re using, and that they implement all the available security controls.

However, fortunately for all of us law-abiding citizens, carders and other crooks are also mere humans, prone to the same poor database security that others grapple with. This money-laundering scheme came to light because of it – a rare instance of a silver lining on a security failure!

Peer-to-Peer Crypto-Exchanges: A Haven for Money Laundering

By Tara Seals

Buyers and sellers can exchange cash in person, transfer bank funds online or can exchange funds for prepaid cards, gift cards or other cryptocurrencies.

The need to launder money is omnipresent in the criminal world, and lately, a new way of doing it has come to the fore: peer-to-peer cryptocurrency exchanges.

These exchanges offer one-to-one relationships and transactions; buyers and sellers of virtual currency sign up with their location information, IP address and other data to verify their identity, link to their wallets, and from there can swap and cash out currencies with other people who decide to trust them. Parties sometimes take the relationship offline too, meeting face-to-face to close out deals. After striking a bargain, a buyer can exchange cash in person, transfer bank funds online or can exchange funds for prepaid cards, gift cards or other cryptocurrencies.

These platforms offer an alternative to the marketplace methods represented by big Bitcoin exchanges such as Coinbase, and many users feel they can get better deals and a better service experience by using them. There’s another difference though: Peer-to-peer exchanges are decentralized and often lack the accountability, security and transparency measures used by the larger players.

Coinbase for instance monitors for dark web activity and recently implemented the Know Your Customer identity verification service (not that it’s not in hot water in other ways), which in theory makes it harder for criminals to launder money or use the funds to buy items from the underground. So, peer-to-peer alternatives have started to be a go-to choice for criminals looking to take advantage of the anonymity of cryptocurrency.

“Although certain peer-to-peer cryptocurrency exchanges might willingly cooperate with law enforcement, there are readily available methods that threat actors utilize while laundering their illicitly gained funds to maintain anonymity,” said Flashpoint, which flagged the increasing criminal activity on the exchanges in a post Monday. Intelligence analyst Kathleen Weinberger told Threatpost that these include tried-and-true methods like using forged documents to sign up for the services.

“A lot of what’s going on here is just a criminal rather than a technical story,” she said in an interview. “It’s easy to look for a technical solution to prevent this – there certainly is one (or rather a thousand of them). But there’s pressure on services to try and make their service usable – they don’t want their average user having to struggle for days to have their identity verified. At the same time, they have to make sure that this isn’t getting in the way of things being safe and accountable.”

Being a relatively new arena, that’s a work in progress. So for now, “it’s law enforcement having to crack down on those buying and selling identities and fake documents to combat this,” she said.

Law enforcement has seen some successes despite the hurdles that the exchanges present; for instance, OxyMonster, a notorious dark web purveyor of drugs and other illicit goods, was nabbed in May after detectives made a connection between a Facebook page and his dark web site on the Dream marketplace. Even though he was using a peer-to-peer Bitcoin “tip jar” for transactions, they managed to track him down by other means, arresting him as he entered the country from France, on his way to a beard contest in Miami.

Because of this Wild West element, Flashpoint analysts have observed a growing number of underground discussions around using these exchanges for criminal means, including recommendations around certain peer-to-peer services that threat actors consider valuable or the safest. Some discussions include listings of established—also known as “aged”—local exchange accounts for sale, which are less likely to be flagged for fraud because they have the appearance of long-term use.

“Discussions among threat actors in these forums primarily are concerned with recruiting others to cash-out schemes,” explained Flashpoint. “They also spell out the prerequisites for others to join and the terms necessary to convert stolen funds to Bitcoin or Monero, even in large amounts.”

Some discussions around peer-to-peer exchanges date back at least four years, but the interest is growing and likely to continue as larger exchanges stiffen their security controls.

“We’ve seen threat actors on a daily or weekly basis looking for ways to clean Bitcoin or Monero – it’s not a huge secret,” Flashpoint intelligence analyst Carles Lopez-Penalver said in an interview. “It’s somewhat easy to commit tax fraud and money laundering in general, or to purchase drugs with these methods, so the government needs to crack down. I appreciate blockchain technology – but I think that there has to be a better understanding of what’s happening out there, and that people are doing very bad things with cryptocurrency.”

Former Rumrunners bouncer sentenced to 20 years for involvement in drug ring, money laundering crimes

By Beth Verge

ANCHORAGE (KTUU) – An Anchorage man was sentenced this past week to 20 years in prison followed by a 10-year term of supervised release for his role in a local drug ring.

Murville Lavelle Lampkin, 45, was sentenced July 10 following a conviction for conspiracy to distribute methamphetamine and heroin, possession with the intent to distribute methamphetamine, distribution of heroin, and money laundering, with some of the activity dating as early as January of 2015.

That month, law enforcement officials found about 400 grams of methamphetamine packaged into 15 individual Ziploc baggies inside a locked safe at the foot of Lampkin’s bed. They also discovered smaller baggies into which doses of drugs could be packaged and a digital scale used to measure drug quantities.

The final sentencing follows an eight-day trial in November of 2016, during which evidence presented showed Lampkin was a member of a conspiracy led by Toa Danh “Tony” Ly: Two years earlier, Ly and others had begun to distribute marijuana and methamphetamine in Anchorage, the Valley, and Kenai Peninsula, later adding heroin to the list. Money made from the drug sales was deposited into Wells Fargo bank accounts controlled by Ly, to which Lampkin contributed about $57,000.

According to the Dept. of Justice, Pao Lee, Rennie Davis, Robert Rast, Tracey Trujillo, Mark Hanes and Susan Bradshaw are also known to have sold drugs and made deposits of drug money for Ly.

As for Lampkin, this conviction is his third: In 2002, he pleaded guilty in federal court to distribution and possession of cocaine with the intent to distribute, and was sentenced to 10 years in prison. While in custody, he was then convicted – in Alaska state court – of promoting contraband in the first degree for possessing oxycodone and tetrahydrocannabinol.

In 2012, as a bouncer at Rumrunners Old Towne Bar & Grill, he was also convicted in state court of fourth-degree assault following a fight with a patron. He was sentenced in that case to two months in jail and two years of probation.


“Bitcoin Maven” Theresa Lynn Tetley Sentenced To 12 Months Jail For Money Laundering

By Yuri Besmanoff

Theresa Lynn Tetley, the so-called “Bitcoin Maven,” who admitted to running a Bitcoin-for-cash exchange business without a license, as well as laundering Bitcoin purchased from the proceeds of drug trafficking, was last week sentenced to 12 months and one day in federal prison and also fined $20,000.

The Downfall Of The Bitcoin Maven

She reveled in being known as the “Bitcoin Maven,” a moniker she gave herself because of her deep knowledge of cryptocurrency. That knowledge enabled her to make a substantial amount of money in a short space of time.

However, this week, Theresa Lynn Tetley, aged 50, of Southern California, who in a former, less complicated life had been a stockbroker and real estate investor, pleaded guilty to one count of money laundering and one count of operating a money transmitting business without a license, and was sentenced to 12 months in prison by US District Judge Manuel L. Real.

The official charge was conducting an illegal business and engaging in unlawful monetary transactions involving Bitcoins. Tetley was also ordered to forfeit some 40 Bitcoin, worth around $250,000, to forfeit $292,264.00 in cash, as well as 25 assorted gold bars (worth around $12,500) that were deemed to be the proceeds of her illegal activities.

Between $6-$9.5 Million In Illegal Transactions

The court heard how Tetley ran a Bitcoin-for-cash exchange platform without first registering with the Financial Crimes Enforcement Network (FinCEN). She had also failed to implement anti-money-laundering mechanisms such as customer due diligence, and had failed to report certain transactions required for these types of businesses.

Tetley advertised on the website LocalBitcoins.com, and took part in illegal transactions that totaled between $6-$9.5 million. Her customers were almost all from the United States. Ironically, clients that used her exchange received no special favors, as Tetley actually charged higher rates for Bitcoin transactions than legal exchange platforms do.

Laundered Drug Money Earned On The Dark Web

The most serious offence – at least in the eyes of the public – was that Tetley knowingly laundered funds from an individual suspected of receiving Bitcoin as payment for selling drugs on the “Dark Web.” During the investigation, an undercover agent representing himself as a drug trafficker successfully swapped Bitcoin for cash using Tetley’s exchange platform.

According to sentencing documents, the prosecution had successfully argued that:

“In light of the growth of the dark web and the use of digital currency, unlicensed exchangers provide an avenue of laundering for those who use digital currency for illicit purposes. Tetley’s business fueled a black-market financial system that purposely and deliberately existed outside of the regulated bank industry.”

The case against Tetley was the first of its kind in the annals of the Central District of California.

Tether Hires Anti-Money Laundering Specialist as Chief Compliance Officer

By Peter Genoff

Tether Ltd. recruited former anti-money laundering quality control manager Leonardo Real as Chief Compliance Officer (CCO). Real, whose previous position was at Bank of Montreal, will be responsible for managing regulatory compliance issues within the organization. The company behind the USDT cryptocurrency announced its new appointment in a press release this Thursday.

“We are all very excited to introduce Leonardo as Chief Compliance Officer at Tether, as he joins us on what has already been a remarkable journey to date disrupting the legacy financial system,” said Jean-Louis van der Velde, CEO of Tether Ltd., in the announcement.

Tether (USDT) is one of the few alt-coins claiming to be backed by fiat money. The company behind the currency claims that it holds $1 for every USDT in circulation. However, this claim has been challenged by other crypto experts, including cybersecurity expert Tony Arcieri, who published a detailed report in January.

Much of the controversy surrounding the cryptocurrency revolves around its association with the crypto exchange Kraken, and claims that Tether was used to manipulate Bitcoin’s prices to create the Bitcoin spike in December of 2017.

Tether’s new appointment comes after the company has repeatedly denied such claims in the past half year. Leonardo Real’s previous experience includes positions within the finance and funds compliance industries. According to the press release, at Bank of Montreal, Real was in charge of establishing policies and procedures “in line with regulatory requirements”. More importantly, he was also responsible for the quality control of anti-money laundering investigations.

“Joining Tether as CCO is an incredibly exciting move for me personally, and I am particularly impressed by the motivation, dedication, and talent of the Tether team. I look forward to helping showcase Tether’s commitment to transparency and regulatory compliance within the blockchain and cryptocurrency space,” said Tether’s new Chief Compliance Officer.


‘Bitcoin Maven’ Jailed for Multi-Million Dollar Bitcoin-for-Cash Money Laundering Operation

By AJ Dellinger

Bitcoin has lost most of its (likely inflated) value in the last few months, but it still has plenty of value for law enforcement agencies looking for financial crimes to punish. The latest cryptocurrency criminal to get the book thrown at them is “Bitcoin Maven,” a 50-year-old woman who ran a bitcoin-for-cash exchange operation.

The Department of Justice announced Theresa Lynn Tetley, a former stockbroker and real estate investor, was sentenced to 12 months and one day in federal prison this week for operating an unlicensed money transmitting business and money laundering. She was also ordered to forfeit 40 Bitcoin (valued at about $250,000), $292,264 in cash, and 25 gold bars acquired through her illegal business.

Tetley’s scheme, highlighted by Ars Technica, involved offering people Bitcoin in exchange for cash, which on its face probably doesn’t sound like much of a crime. But Tetley did everything off the books. She failed to register her operation as a money services business and didn’t offer any sort of “anti-money-laundering mechanisms,” per the Justice Department.

Most of Tetley’s transactions were completed in person, with cash being provided for the virtual currency. She advertised her service through localbitcoins.com, a site that facilitates such exchanges, where she posted under the name “Bitcoin Maven.” She lived up to it, too: according to the DOJ, she exchanged between $6 and $9.5 million over the course of several years.

Her undoing came when she unwittingly started doing business with an undercover agent from the Drug Enforcement Administration. The agency started closing in on her in 2016, and dragged her along for nearly a year as they built a case against her.

The plan to bring Tetley down included introducing a second agent, posing as the first agent’s boyfriend, to conduct a number of large transactions with the Bitcoin Maven. According to Ars Technica, at one point the fake boyfriend informed Tetley that he possessed a large supply of “coke, meth, and weed” that had been “stolen” and was selling that stash for the bitcoin he was trading with her. Tetley moved forward with the transactions anyway, at one point showing up with $300,000 in two Trader Joe’s grocery bags to make a trade with the undercover agent.

“Providing cash in envelopes (and in the significant amounts she did), in coffee shops and restaurants, is no way to conduct legitimate business, certainly when that volume exceeds the millions,” prosecutors wrote in a sentencing memorandum, per Ars Technica. “Someone such as defendant—a former stockbroker and real estate investor—was certainly aware of that.”

Not helping her case was the fact that Tetley was also doing business with William James Farber, a man believed to be at the head of one of the largest drug rings on the now-shuttered dark web marketplace Alphabay. Ars Technica noted Farber was arrested last year and charged with conspiracy to possess and distribute controlled substances.

For her run as the Bitcoin Maven, Tetley will spend 366 days behind bars in a federal prison. Her stash of bitcoin collected from the business, which now belongs to the government, is worth about $250,000 as of Wednesday evening—but it’ll likely be worth $400,000, then $75,000, then $250,000 again by the end of the week.

‘Bitcoin Maven’ sentenced to a year in prison for money laundering

By James Koren

Bitcoin and other cryptocurrencies have for years been a preferred payment method on the so-called dark web — anything-goes corners of the internet where you can find drugs and other illegal products and services.

But once a drug dealer accepts cryptocurrency, how do they turn that money into real currency? The case of Theresa Tetley is instructive.

The Marina del Rey woman exchanged millions of dollars in cash for bitcoin, including for a suspected online drug dealer. She was sentenced Monday to a year in federal prison after pleading guilty to money laundering.

Tetley, a former stockbroker turned bitcoin enthusiast who called herself “Bitcoin Maven,” will also pay a $20,000 fine and give up nearly $300,000 in cash, 25 gold bars and 40 bitcoin — worth about $270,000 as of Monday afternoon — that federal authorities seized last year.

From 2014 to last year, Tetley exchanged as much as $9.5 million in cash for bitcoin, meeting clients at restaurants, coffee shops and other public places to hand over envelopes of cash in exchange for the virtual currency, the Justice Department said in court filings.

She was arrested in March 2017 after a sting operation orchestrated by the U.S. Drug Enforcement Administration. She offered to exchange $300,000 in cash — carried in two Trader Joe’s paper grocery bags — for bitcoin held by an undercover DEA agent posing as a drug dealer, prosecutors said.

The Justice Department also alleged that Tetley made $6 million worth of bitcoin-for-cash exchanges with William James Farber, a Los Angeles man charged last summer with running an Altadena drug ring that sold cannabis on dark-web marketplaces Silk Road and AlphaBay.

Tetley was charged with money laundering and operating an unlicensed money-transmitting business and pleaded guilty to both charges in January.

It’s not illegal to exchange bitcoin or other digital currencies for cash, but Tetley did so without obeying federal rules that require banks and other financial firms to report suspicious activity and large cash transactions — measures that aim to curb money laundering by drug traffickers or other illegal businesses.

Bitcoin and other virtual currencies, which are not issued by governments and can be directly exchanged from person to person without going through banks or other regulated institutions, are a preferred payment method for dark-web transactions.

But those who accept virtual currency payments for illicit transactions may have a difficult time exchanging those holdings for real currency — unless they find someone like Tetley who would not report suspicious activity to federal regulators.

Brian Klein, one of Tetley’s attorneys, called the 12-month sentence a victory, noting that it is substantially shorter than the 30-month sentence sought by federal prosecutors. In a sentencing document submitted to the court, her attorneys argued that Tetley, though guilty, “did not set out to engage in a broad-ranging criminal enterprise.”

“We are pleased the judge made such a dramatic departure,” Klein said.

The U.S. attorney’s office argued in court filings that Tetley should have received a longer sentence because her conduct showed she knew or should have known some of her clients were engaging in illegal activity.

“Providing cash in envelopes (and in the significant amounts she did), in coffee shops and restaurants, is no way to conduct legitimate business, certainly when that volume exceeds the millions,” government attorneys said in court filings. “Her decision to continue to proceed in this manner highlights the seriousness of the offense.”

Businessman pleads not guilty to drug conspiracy, money laundering

By Lorenzo Zazueta

McALLEN — The owner of a Houston-based Chicago-style pizzeria may have played a role in drug trafficking and money laundering, according to an indictment unsealed last month.

During a brief arraignment hearing, a Houston man pleaded not guilty to charges related to an alleged drug trafficking ring going back more than six years.

DeAllen Jerome Nettles stood before U.S. Magistrate Judge Peter E. Ormsby Thursday afternoon after his attorney’s written waiver for the arraignment was not accepted by the court, obligating Nettles to appear before Ormsby.

Nettles also waived the reading of the indictment during the hearing, and pleaded not guilty to all three counts he’s facing — one count of conspiracy to distribute more than five kilos of cocaine, and two counts of money laundering.

The indictment alleges in part that the 30-year-old man and more than 20 others — the majority of whom have their names redacted in the court record partially unsealed June 13 — conspired to distribute more than 5 kilos of cocaine for more than six years, beginning in May 2012 to the date of the filing this June.

A Chicago native, Nettles made his initial appearance in a Houston federal courtroom June 13 and was released the next day on a $10,000 bond. His social media profiles state he is the owner of a Houston-based business called ChItalian Pizzeria.

Nettles is also accused of two money laundering charges; one alleged incident occurred in November 2012, the other on Dec. 29, 2015, the court documents state.

The second money laundering charge gives more detail, showing Nettles allegedly moved more than $300,000 to Mexico from Chicago “with the intent to promote the carrying on of specified unlawful activity that is the distribution of a controlled substance,” according to court documents.

In total, the feds are looking to seize more than $150,000 in property, and more than $7 million in U.S. currency as part of the case against the multiple defendants, court records show.

Nettles remains free on the $10,000 bond. Nettles’ attorney, Houston-based Cornel A. Williams, declined comment based on his policy not to comment on pending litigation.

Jury selection is set for Aug. 7, with the trial beginning shortly after, court records show.

Crypto Thefts Triple, Driving Growth in Coin Money-Laundering

By Olga Kharif

Criminals are stealing more cryptocurrency from exchanges, and that’s driving growth in a cottage industry of services that allows for money laundering of coins, according to a new report.

In the first half of the year, more than $760 million in cryptocurrency was stolen from exchanges — nearly three times more than in all of 2017, CipherTrace said in its initial quarterly report on the subject. CipherTrace is a Menlo Park, California-based blockchain security firm that works with more than 40 companies and governments to trace crypto transactions.

The current market value of the top 100 cryptocurrencies is around $270 billion, according to CoinMarketCap.com. Services that clean dirty funds are widely available, CipherTrace said, and some have even advertised through Google AdWords.

“There are so many cryptocurrencies now, and they are worth so much money, and there are so many exchanges globally where you can cash out, that we’ve seen not just traditional cyber gangs but we’ve seen a new set of criminals enter this space,” Chief Executive Officer David Jevans said in a phone interview. “This overall market expansion has created a whole new generation of cyber criminals that didn’t exist 15 months ago.”

Crypto coins number more than 1,600, and tracking them all is increasingly difficult — which gives criminals an opening. Regulators have said that many exchanges and startups issuing new coins still don’t do enough to check customer identities and verify that users aren’t laundering stolen funds. Users buying and selling coins are typically represented by anonymous addresses.

Meanwhile, many exchanges — and new ones are opening all the time — have security vulnerabilities. And cryptocurrencies, once stolen, often can’t be returned or even traced to the thieves.

“It’s a lot easier than robbing banks,” Jevans said.

Regulators globally are likely to crack down on crypto money-laundering, Jevans said. While that’s probably good for investors, some coins could suffer.

“There are going to be small coins kicked off exchanges because it’s going to be difficult to track transactions,” he said.