GDPR Will Weaken Cryptocurrency Crime Investigation Initiative

The new General Data Protection Regulation by the European Union, which took effect on 25th May 2018, will have a negative impact on the Internet security at large. It looks like cybercriminals will have insulation, as they will be protected by the critical ICANN WHOIS information. It seems like the new law will be on their side as it will hinder investigations of cybercrime, phishing, theft, malware, ransomware, fraud and crypto-jacking.

In the recent time, cybercriminals have focused on cryptocurrencies, while they also steal bitcoin, ethereum and ICO currencies. There are reports that around $700M of cryptocurrency has been stolen by the cybercriminals over the year. This figure excludes the million more of theft that goes unnoticed. According to the APWG (Anti Phishing Working Group), nearly $1 billion worth of cryptocurrency has been stolen since 2017.

WHOIS is a fundamental resource for law enforcement officials who are assigned to check and prevent theft. It comprises the details of the users from the name, address, email id, who will be the owner etc. So WHOIS act as a point where the investigator can get all the details of the stolen funds, know the people involved, and initiate the legal procedure and prosecute these criminals.

Even cybercriminals have managed to falsify WHOIS data. This was found when they detected a pattern of fake information across different domain name was used to correlate criminal activities. WHOIS contact data are also helpful for contacting the owner of the website and blogs, which are often hacked or used to distribute crypto mining malware.

However, GDPR will mean that most European domain data in WHOIS now will no longer be published publicly after May 25.  And, unfortunately, some domain name registrars and registry operators are over-interpreting GDPR to justify the reaction of all contact data, no matter what country the contact is in or if they are a “legal person” or business rather than a “natural person” as covered by GDPR.

GDPR was a kind of bridge that will balance the need for privacy and security. The GDPR drafted the code and conduct to allow legitimate users to access the required data and protect it. Ironically, not a single program has been in existence by the European Union or other member states. This led to the inception of CipherTrace, which founded the Cryptocurrency Anti Phishing working group. The law enforcement agencies and member companies together with Universities worked together to prevent cryptocurrency based crimes. The non-profit organization like Ciphertrace along with APWG started working on how to give acceptable and accreditation system to access WHOIS when GDPR is here.