In the first part of this article, we saw how crypto-currencies, originally designed to foster financial independence, have been massively hijacked by cybercriminals: ransomware, money laundering, large-scale scams… The pseudonymous and decentralized nature of crypto-assets makes them a tool of choice for those seeking to cover their tracks.
But traceability exists, tools are being perfected and national and international legal frameworks are being strengthened… Today, we take a look at the practical means available to companies and institutions to respond to the threats posed by crypto-currencies.
Yes, they can indeed be traced, but not always easily. Contrary to popular belief, the blockchain is a huge public database. Every transaction is recorded, immutable and visible… but you still need to know how to read it.
In recent years, specialized companies have developed very powerful analysis tools for visualizing and reconstructing financial flows on blockchains. Among the best-known:
These platforms cross-reference blockchain data with databases derived from judicial seizures, darknet analyses, KYC reports and behavioral algorithms. As a result, they are able to attribute addresses to known entities (platforms, hacker groups, wallets used for laundering, etc.), and detect suspicious behavior.
These tools are now used extensively by the authorities (FBI, Europol, French Gendarmerie, etc.) and by some major cybersecurity companies like ours, as part of their incident response.
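To make the principle concrete, here is an added example (not code from any of these platforms) that follows funds forward through a small ledger and stops each branch at the first address found in an attribution table. The ledger, the address names and the labels are all constructed placeholders, and real tools work on full chain data with address clustering.

```python
from collections import deque

# Constructed ledger: (sender, receiver, amount in BTC). Addresses are placeholders.
TRANSFERS = [
    ("ransom_addr", "hop_A", 1.2),
    ("ransom_addr", "hop_B", 0.8),
    ("hop_A", "hop_C", 1.2),
    ("hop_C", "exch_deposit_1", 1.1),
    ("hop_B", "mixer_in", 0.8),
    ("unrelated", "exch_deposit_1", 5.0),
]
# Constructed attribution table, standing in for seizure- and KYC-derived databases.
LABELS = {"exch_deposit_1": "Exchange X (KYC)", "mixer_in": "Mixing service"}


def trace_forward(start, transfers, labels, max_hops=5):
    """Follow funds out of `start`; stop each branch at the first labelled address."""
    outgoing = {}
    for src, dst, amt in transfers:
        outgoing.setdefault(src, []).append((dst, amt))
    hits, seen = [], {start}
    queue = deque([(start, [start])])
    while queue:
        addr, path = queue.popleft()
        if len(path) - 1 >= max_hops:   # hop budget used up on this branch
            continue
        for dst, amt in outgoing.get(addr, []):
            new_path = path + [dst]
            if dst in labels:           # attributed entity: record it and stop here
                hits.append({"entity": labels[dst], "path": new_path,
                             "last_amount": amt})
            elif dst not in seen:       # unknown address: keep following
                seen.add(dst)
                queue.append((dst, new_path))
    return hits


if __name__ == "__main__":
    for hit in trace_forward("ransom_addr", TRANSFERS, LABELS):
        print(hit["entity"], "via", " -> ".join(hit["path"]), hit["last_amount"])
```

A hit on a KYC-bound exchange deposit address is the kind of result that gives investigators an entity to contact.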
No company is completely immune. But a quick and structured response can make all the difference. Here are the key steps to follow if you are faced with an attack involving a demand for payment in cryptocurrency:
1. Never pay in a panic
Even if the pressure is immense, paying a ransom offers no guarantees. Your data may never be returned, or worse: your company may be targeted again, as you will be identified as a “payer.”
From a legal standpoint, payment may also expose you to prosecution if your attacker is later sanctioned (OFAC, EU, etc.). In the United States, for example, the US Treasury has explicitly warned against paying ransoms to entities subject to international sanctions.
2. Set up a crisis response team
As soon as the attack is identified, set up an incident response team with the following participants:
Internal IT team and/or cybersecurity service provider
The objective: assess the extent of the attack, secure the remaining systems, identify the source, and limit the spread.
3. Trace the receiving addresses
If you are provided with a crypto address (often in the ransom note), it is essential to forward it immediately to the experts. They will be able to:
In some cases, this allows the address to be reported to exchange platforms and the funds to be blocked before they are laundered.
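Before forwarding an address, it helps to extract it from the note mechanically and confirm it was not mangled in transcription. The following added example (not part of the original article) pulls legacy Bitcoin addresses out of a note and verifies their Base58Check checksum; it assumes Base58 addresses starting with 1 or 3 only, and the sample note is constructed, using the publicly known Bitcoin genesis-block address as a stand-in.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin addresses: start with 1 or 3, 26 to 35 Base58 characters in total.
CANDIDATE = re.compile(r"\b[13][%s]{25,34}\b" % B58)

# Constructed sample note. The first address is the well-known genesis-block
# address used as a stand-in; the second is the same string with one typo.
SAMPLE_NOTE = """Payment address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Alternate address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"""


def base58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes ending in the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))    # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:                         # version + 20-byte hash + checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(note: str) -> dict:
    """Split de-duplicated candidates into checksum-valid and rejected."""
    found = {"valid": [], "rejected": []}
    for cand in dict.fromkeys(CANDIDATE.findall(note)):
        found["valid" if base58check_ok(cand) else "rejected"].append(cand)
    return found


if __name__ == "__main__":
    print(extract_addresses(SAMPLE_NOTE))
```

Rejected candidates are worth keeping in the incident record alongside the original note, since a failed checksum usually points to a copy error rather than a different address.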
4. Notify authorities and regulators
Depending on your jurisdiction and the type of data compromised, you will be required to notify the relevant authorities within 72 hours:
Failure to notify may result in penalties that are more severe than the attack itself.
Long lagging behind, cryptocurrency regulation is now gathering pace. But on a global scale, approaches remain fragmented, sometimes contradictory, and often ill-suited to the speed of cyber threats. Between attempts at harmonization, regulatory influence wars, and geopolitical pressures, companies are navigating a shifting legislative jungle.
With the adoption of the MiCA (Markets in Crypto-Assets) regulation, the European Union has clearly demonstrated its desire to become a regulatory leader in the crypto sector. This text, which came into full effect at the end of 2024, goes far beyond simply regulating platforms: it lays the foundations for a regulated internal market for crypto-assets, with requirements for transparency, traceability (travel rule), and governance.
But this shift is also a direct response to the rise of crypto-based money laundering and cyberattacks involving anonymous payments. The gradual ban on unverified wallets, the monitoring of stablecoins, and reporting requirements for crypto service providers are all responses to a growing demand for digital security at the European level.
The paradox is that this regulatory tightening could ultimately shift criminal flows to non-cooperative areas where anonymity remains the norm. Hence the challenge for European companies to also monitor entry and exit points outside the EU.
On the US side, the situation is more complex. Players in the crypto sector operate in a fragmented ecosystem, where several agencies are vying for leadership:
But no unified regulatory framework has yet emerged. This uncertainty fuels tensions between innovation and protection.
The CCPA (California Consumer Privacy Act), often compared to the GDPR, is one of the few US laws to set rules for notification in the event of a cyberattack. But it remains confined to a single state. The adoption of a federal law on cybersecurity and crypto assets, promised for years, still seems a long way off.
As a result, for companies operating in the United States, managing a crypto incident requires active legal monitoring and close coordination with authorities, whose jurisdictions overlap.
In Canada, PIPEDA (Personal Information Protection and Electronic Documents Act) governs the management of personal data, including in the event of a security breach. Although not specifically designed for digital assets, this law requires companies to notify significant privacy breaches, including those related to crypto ransom demands.
But Ottawa is preparing for a paradigm shift. The CPPA (Consumer Privacy Protection Act) bill aims to modernize Canadian law in the era of AI, blockchain, and mass breaches. It would strengthen penalties, the powers of the Office of the Privacy Commissioner, and introduce a new dedicated tribunal.
For Canadian companies, this will mean:
Canada, often seen as a bridge between European and American models, could thus play a strategic role in the international standardization of crypto rules.
The legal framework is not just a matter for lawyers. It has very real consequences for CISOs, CFOs, CIOs, and compliance officers:
More broadly, the rise of regulations requires companies to proactively manage crypto risks, even if they do not directly deal with digital currencies.
Should crypto assets be banned? No. That would mean missing out on their immense potential: seamless cross-border payments, decentralized contract management systems, secure micropayments, etc.
But we must stop viewing them as “outside the system” tools. In a modern enterprise architecture, cryptocurrencies must:
At the same time, training for IT, legal, and management teams is essential to anticipate crypto-centric cyberattacks, including in sectors that do not expect them (industry, healthcare, construction, etc.).
Join us in July for our new theme, on the influence of AI on the internet business model. In the meantime, if you have a movie, TV series, software, or e-book that you want to protect, don’t hesitate to contact one of our account managers for assistance. PDN has been a pioneer in cybersecurity and anti-piracy for over ten years, and we are sure to have a solution that can help you. Enjoy reading, and see you soon!
© 2023 PDN Cyber Security Consultant. All rights reserved.