There’s no disputing the transformational impact of Decentralized Finance (DeFi) not only on trading but also on digital transactions of all kinds. The ground-breaking speed and efficiency brought about by DeFi, however, has simultaneously introduced unprecedented risks — namely DeFi fraud, scams, deceptive practices, and significant institutional and personal investment losses — requiring unprecedented regulatory response.

DeFi is an umbrella term defining the use of blockchains to replace traditional financial intermediaries and trust mechanisms. As such, regulators are scrambling to understand this new realm to begin formulating guard rails to prevent DeFi scam artists and assorted bad actors from wreaking continued havoc on unsuspecting users. DeFi users and investors have seen more than $12 billion in losses due to theft and fraud, according to Elliptic. Through November of 2021, there was an estimated $10.5 billion worth of losses for the year, up from $1.5 billion in 2020. But the real amount of funds lost to DeFi scams and fraud could potentially be even greater: individual investor, or “retail” losses, do not include recent bankruptcies — which may have resulted from theft, fraud, or other illicit activities — potentially dwarfing these figures.

The damage is accelerating, with some $678 million lost in the DeFi ecosystem owing to bad actors in the second quarter of 2022, a 150 percent increase over the second quarter a year earlier. In just the closing days of June alone, the US Department of Justice had brought criminal charges against six defendants for alleged cryptocurrency-related fraud. With so many instances of DeFi fraud cropping up and affecting thousands of unsuspecting investors, there’s a degree of urgency for increased regulatory efforts to combat digital financial crimes.

Most recent, there is weekly news about the demise of crypto lenders, hedge funds, exchanges, and investment firms. One of crypto’s largest lenders, Celsius, in mid-July 2022 succumbed to the crisis enveloping them by freezing customer accounts – which has been coined the crypto sector’s “Lehman Brothers moment.” A bankruptcy filing in the coming weeks would not be surprising, according to those familiar with Celsius, which reportedly took on increasingly more risk as its financial circumstances worsened. In May, the $40 billion crypto firm, Terra, made headlines for its own financial crisis. In addition, Three Arrows Capital (3AC) – the crypto hedge fund based in Singapore – recently collapsed and filed for bankruptcy resulting in a “run” on crypto industry firms tied to loans to 3AC. Some have compared 3AC to the well-documented scandals and financial fraud at Archegos Capital and Long-Term Capital Management. Affected firms from 3AC’s collapse include trading platforms BlockFi and, Canadian crypto investor Voyager Digital (which has since gone under after lending more than $650 million to 3AC), and numerous ordinary investors who one would think should have known better. 3AC reportedly borrowed from some of the largest crypto lenders while revealing very little or inaccurate information about its finances – leading to rumors of fraud charges against its two founders, who fled Singapore reportedly to Dubai. In total, at least a dozen crypto hedge funds, lenders, and exchanges have collapsed in the last two months alone.

Altering the course toward safe reliance on DeFi will require a new echelon of resources, beginning at the federal level. Regulators must first assess the scale of the threat in its many permutations: Interviewed by Bloomberg TV on July 19, Galaxy Digital Holdings founder and CEO Mike Novogratz confessed that “very little self-regulation” coupled with “inane risk management where companies took massive leverage” led to bankruptcies and “a full-fledged credit crisis”; he added, “Greed, ignorance… [made] the whole industry look like a bunch of idiots.”

Growing Exploitation of DeFi

Among the virtues of DeFi is the fact that, rather than entrusting third-party service providers, users retain full control of their assets throughout the lifecycle of a transaction through so-called smart contract blockchains. Developers create decentralized applications (dApps), leveraging unique “tokens,” or units of value, on their network. However, this lack of third-party custody leaves DeFi open to criminal exploits.

More than $247 billion is now stored in DeFi protocols, representing a deep pool of liquidity that can be exploited. Wide access to templates means virtually anyone can create a token with relative ease. The result is that, while legitimate decentralized apps can be easily created, it’s equally easy for individuals to create malicious apps, such as those that employ Ponzi schemes.

While decentralized applications are designed to eliminate third-party control of users’ funds, use of these applications hinges on the presumption that the application itself is free of coding flaws that could lead to a loss of funds. The fact is, such flaws are commonplace. DeFi scams are widespread and distressingly easy to find.

  • Last year, more than $600 million was stolen in what has since been regarded as one of the largest cryptocurrency thefts ever. Hackers exploited a vulnerability in Poly Network, a decentralized platform that connects multiple blockchains. In a surprise development, the hackers returned almost half of the stolen funds — a professed altruistic move by the hackers intended to expose vulnerabilities, but that also points to another argument for DeFi: laundering and liquidating stolen crypto assets remains extremely difficult due to the transparency of the blockchain and the use of blockchain analytics.
  • Though smaller in scale, another type of scam came to light last year when an individual investor lost $470,000 on a dog-inspired crypto project. The project, called AnubisDAO, raised $60 million with the sale of its token, ANKH. (A DAO is a decentralized autonomous organization that runs on blockchain technology.)
    • According to the victim, and others who said they invested in AnubisDAO, the entirety of the $60 million in funds was transferred and went missing. Some think it was a phishing attack, where attackers typically send emails with links prompting the entry of the holder’s private keys. Others believe it was a “rug pull,” a common type of crypto scam where developers abandon a project and leave with investors’ funds. A Vietnamese national caught up in the DoJ’s June crackdown faces up to 40 years imprisonment for alleged involvement in, and money laundering via, in the “Baller Ape Rug Pull” estimated to have cost investors $2.6 million.
  • Another criminal tactic targets those with little knowledge of DeFi, and slowly drains their funds through a technique that has been labeled “liquidity mining scams.” Users are being incentivized to provide liquidity (lend out their coins, essentially) by receiving a percentage of the trading fee associated with a specific DeFi protocol, among other things, but that often requires users to connect their crypto wallets with the DeFi protocol.
    • Scammers will create fake apps, protocols, or tokens and reach out to potential targets via social media using fake identities. Eventually, they persuade the victim to provide liquidity for a certain pair of cryptocurrencies that promise great returns. They’ll sometimes generate fake reports and will even allow withdrawals early on to establish trust and investor complacency. Scammers will urge the victim to keep investing, in order to earn greater returns; meanwhile, the target’s account is drained and the scammer vanishes.

A Regulatory Arms Race

The regulatory community is responding with a complex array of responses designed to mitigate and, where possible, thwart DeFi fraud schemes and activity. In the US, the Biden Administration has called for explicit regulations of cryptocurrencies and the blockchain-based economy in order to curb abuse and fraud related to digital assets. Among other approaches, two US senators introduced bipartisan legislation, the Responsible Financial Innovation Act, in June 2022 to create a regulatory framework for crypto markets that “encourages responsible financial innovation, flexibility, transparency and robust consumer protections while integrating digital assets into existing law.”

The bill has broad backing, including support from Coinbase, Kraken and the Crypto Council for Innovation. If passed, the legislation would classify most digital assets as commodities, which in turn would grant the Commodity Futures Trading Commission (CFTC) clear authority over virtual currency spot markets. The plan would be consistent with CFTC’s existing commodity markets oversight.

Meanwhile, the SEC’s Crypto Assets and Cyber Unit, established in 2017, has brought more than 80 proceedings against companies and individuals in relation to “fraudulent and unregistered crypto asset offerings and platforms,” according to an SEC press release. Due to the now-apparent high-risk and potentially illegal practices at various crypto firms (as outlined above), the SEC is grappling with how to best protect investors going forward. Experts agree that a regulatory crackdown on the crypto space is coming. SEC head, Gary Gensler, has been vocal about enhancing protections for ordinary investors, and has called for enhanced due diligence by sophisticated investors: Interviewed by Bloomberg TV on July 19, Gensler said the SEC is seeing “a lot of Crypto non-compliance,” and that “if the Crypto sector is going to persist, it’s only with trust … otherwise a lot of people will get hurt.” European Central Bank president Christine Lagarde has made comments recently to the effect that the EU should look to regulate “the activities of crypto-asset staking and lending.”

Ramped-up enforcement is just one example of how regulators and policymakers are trying to keep up with the growing problem of fraudsters and cybercriminals targeting cryptocurrency consumers.

European Union regulators, meanwhile, continue to weigh whether a key cryptocurrency law known as Markets in Crypto Assets (MiCA) should be broadened to reach beyond currencies such as Bitcoin to address other digital assets. In Germany, recent media coverage cited a senior German financial regulator who contends that the potential for DeFi fraud and related abuses calls for new regulations, though the matter remains under review. Across the board, regulators will play a key role in creating a more secure space within the realm of digital currency and assets, and more robust regulations will be needed to keep cybercriminals in check.

Responding to DeFi Threats

Innovative disruption introduced by DeFi has already reshaped the nature and function of various financial and digital transactions. Identifying, interrupting, and prosecuting fraud, scams, and deceptive practices must be addressed for crypto investment products to flourish in the future. Regulatory scrutiny was already on its way but has been accelerated due to the recent contagion affecting the DeFi space, in particular the financial losses for so many ordinary investors. Appropriate steps can and should be taken by all investors entering this nascent space, but especially by institutional investors. Enhanced due diligence on founders is a must:  once a relationship is established, there should be regular check-ins and monitoring of the company/founders’ activity. And the old adage certainly applies in today’s DeFi world of tokens and new products – “If it sounds too good to be true…”

For comprehensive, practical information on how to navigate the world of DeFi, get in touch with the experts at IntegrityRisk.