It should not be a crime to help victims of ransomware

A recent court filing suggests that selling a victim the bitcoins needed to pay a ransom may be seen as complicity in the attack. 

Ransomware is a detestable scourge on the internet, and it’s a shame that for many it is their first exposure to Bitcoin. As we have previously explained, Bitcoin is not the root cause of ransomware , yet its censorship resistance is exploited by criminals to facilitate the extortion of unsuspecting internet users. When a victim of ransomware reaches out because they’ve been hacked, you would hope that the response of the Bitcoin community, especially exchanges, would be to help them get out of a bad situation. A recent court filing, however, suggests that federal prosecutors view helping a victim exchange dollars for bitcoins to pay a ransom as complicity in unlawful activity.

In a superseding indictment filed in December 2016, prosecutors for the Southern District of New York charged the operator of Coin.mx with a violation of federal anti-money laundering law because, among other things, he “knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes.” This, according to the indictment, satisfies 18 U.S.C. 1960 ’s prohibition on the “transmission of funds that are known to the defendant to have been derived from a criminal offense or are intended to be used to promote or support unlawful activity[.]”

It’s important to note that the defendant in this case have pleaded guilty to several of the charges, and many of the allegations against him, if true, which is likely the case, are indefensible. That said, the charges against him related to helping victims pay ransoms with bitcoins could be just as easily be leveled against another person or exchange that exchanges dollars for bitcoins knowing that they will be used to pay a ransom, and that is preposterous. Helping a desperate victim acquire bitcoin is not clearly an act “intended to be used to promote or support unlawful activity.” In fact, the intent may often be to aid the victim, and regardless of intent the service helps victims.

Paying a ransom is never ideal since it encourages hackers, but sometimes victims are left with little choice and they are not unjustified in doing so. Police departments , hospitals , and schools have unfortunately had to pay ransoms. While these incidents are regrettable, it would be against good public policy to punish those businesses that helped these victims acquire bitcoins.

Indeed, the FBI’s guidance to citizens on ransomware states, “While the FBI does not advocate paying a ransom, there is an understanding that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” And the FBI has also previously advised the victims of ransomware to “just to pay the ransom.”

The indictment in the Coin.mx case highlights the fact that it profited from the exchanges of dollars for bitcoins when it knew these coins would be used by ransomware victims to pay ransom. Such profiting is obviously in poor taste, but it’s important to note that this fact has no bearing on the requirements of the law, which, again, prohibits the “transmission of funds that are known to the defendant to have been derived from a criminal offense or are intended to be used to promote or support unlawful activity.” It is the transmission of funds, whether it results in a profit or not, that triggers liability if we accept the contention that doing so to pay a ransom is supporting an unlawful activity.

We certainly hope the court in the Coin.mx case will understand the terrible precedent and bad incentives this argument, if accepted, would set for law-abiding actors in this nascent and innovative industry that has to date worked hard to aid both victims and law enforcement. We also hope that the approach taken in this case is not reflective of Department of Justice policy.