Insights

Cryptoterror_SOCIAL

Cryptocurrencies and Risk Under the Antiterrorism Act

In Short

The Situation: Terrorists may be increasingly turning to cryptocurrencies to evade sanctions and finance terrorist acts, as recent prosecutions and reports suggest. Under the Antiterrorism Act ("ATA"), as amended by the Justice Against Sponsors of Terrorism Act ("JASTA"), companies working with cryptocurrencies may expose themselves to civil terrorism litigation or governmental investigations if they indirectly support operatives perpetrating terrorist acts—such as through the provision of banking services, or assistance transacting with, transferring, or "mixing" cryptocurrencies. 

The Result: Cryptocurrency companies may find themselves targeted in civil actions and criminal investigations as the use of cryptocurrencies by terrorists continues. Even when such claims rest on weak foundations, ATA cases may require costly investigations and litigation. 

Looking Ahead: Companies should review their due diligence practices with respect to existing customers and new business opportunities to account for sanctions compliance considerations and exposure under the ATA, particularly to the extent they or their suppliers or counterparties operate in regions where terrorism is prevalent. Companies should also prepare to retain seasoned ATA litigation counsel should they face allegations in connection with terrorism-related civil litigation and criminal investigations. 

Reported Terrorist Use of Cryptocurrencies

Since the late 2000s, cryptocurrencies have exploded in growth and popularity. Even accounting for recent turbulence in the sector, such currencies—including Bitcoin, Litecoin, and Ethereum—and organizations participating in that sector continue to proliferate. Most cryptocurrencies are not managed by central authorities or administrators. Instead, they rely on algorithms and distributed ledgers (sometimes referred to as "blockchains") for accounting, and on cryptography for security and transaction validation. Although cryptocurrencies can serve a variety of purposes, their decentralized nature and the potential anonymity of users make them especially attractive to criminals, including terrorists.

The U.S. government and the United Nations ("U.N.") have sounded the alarm about the potential malign uses of cryptocurrencies by criminal enterprises. The U.N. Security Council has expressed "grave concern" at the potential for financial technologies such as cryptocurrencies to be "misused, including for terrorist financing." The U.N. Counter-Terrorism Committee Executive Directorate estimates that the use of cryptocurrencies by terrorist organizations is growing—financing as many as 20% of terrorist attacks.

Because some features of cryptocurrencies make them attractive to malicious actors, companies operating in the cryptocurrency space—token manufacturers and "miners"; those enabling businesses to transact using cryptocurrencies; those "mixing" cryptocurrencies (a process enabling even greater anonymity); and others—may face heightened risks of being exploited by terrorists.

Among other things, cryptocurrency technologies "pose a more complex money trail for financial investigators to follow." Foreign states—including North Korea and Iran—have relied on that feature to circumvent U.S. sanctions. As documented by the Congressional Research Service, North Korea recently attempted to convert one cryptocurrency into another (a practice referred to as "chain-hopping") to launder stolen cryptocurrency and to evade sanctions.

Laying the foundations for future efforts, the U.S. Attorney General's Cyber-Digital Task Force described the increasing role of cryptocurrency technologies "in many of the most significant criminal and national security threats our nation faces." In 2020, following criminal investigations, the Department of Justice ("DOJ") employed civil forfeiture tools to try to disrupt Al-Qaeda's bitcoin money laundering network as well as a scheme by another terrorist organization to solicit bitcoin donations from its supporters on social media. (Following the first known use of a nonfungible token by a terrorist organization in September 2022, the DOJ may expand its disruption efforts to other digital instruments.) In 2021, the DOJ formed the National Cryptocurrency Enforcement Team to lead complex investigations and prosecutions of "criminal misuses of cryptocurrency."

In July 2022, President Biden issued Executive Order 14067, "Ensuring Responsible Development of Digital Assets." Warning of the role of digital assets such as cryptocurrencies in terrorist financing, the President directed a range of federal agencies—including the DOJ as well as the Departments of State, Defense, the Treasury, and Homeland Security—to, among other things, take steps to "mitigate the illicit finance and national security risks posed by misuse of digital assets."

Both before and after the issuance of E.O. 14067, cryptocurrencies have drawn scrutiny from officials at a range of other U.S. agencies. For example, shortly after the Order was issued, the Treasury's Office of Foreign Assets Control ("OFAC") sanctioned two "virtual currency mixer[s]," Blender.io and Tornado Cash, for their role in efforts to launder the proceeds of cybercrimes, particularly by a sanctioned North Korean state-sponsored hacking group. In October 2022, OFAC and the Financial Crimes Enforcement Network ("FinCEN") announced settlements with Bittrex, Inc., a Washington-based virtual currency exchange, following accusations that Bittrex willfully violated multiple sanctions programs as well as the Bank Secrecy Act's anti-money laundering and suspicious activity reporting requirements. Most recently, in April 2023, the Treasury published the 2023 DeFi Illicit Finance Risk Assessment, signaling the U.S. government's growing interest in decentralized finance ("DeFi") and the threats posed by illicit actors exploiting DeFi services. 

The U.S. Congress has likewise taken aim at the crypto industry. In December 2022, Senators Elizabeth Warren and Roger Marshall introduced the Digital Asset Anti-Money Laundering Act, aimed at bringing digital assets "into greater compliance" with existing anti-money laundering/countering the financing of terrorism ("AML/CFT") regulations. And, in March 2023, a bipartisan group of senators accused crypto exchange Binance of evading U.S. regulators and being "a hotbed of illegal activity."

The United States is not alone in its efforts to impede criminals' cryptocurrency initiatives. In 2021, for example, Israel began seizing cryptocurrency accounts used by the terrorist group Hamas to raise money for the group's military campaigns. (One cryptocurrency exchange estimated that, as of 2021, Hamas had raised almost $1 million in cryptocurrency—more than any other terrorist organization.) Foreign governments are also updating their laws: The European Union Parliament and Council recently agreed to new rules for tracking cryptocurrency transfers to prevent money laundering and terrorist financing, and the United Kingdom passed legislation making it easier for law enforcement agencies to seize cryptocurrencies linked to terrorist activities. 

These recent actions exemplify governments' increasing focus on cryptocurrencies and policing their use. 

The Legal Framework

Civil Liability. The ATA provides for a federal civil cause of action for U.S. nationals injured by acts of international terrorism. In 2016, Congress passed JASTA, which extended liability to anyone that aids and abets acts of international terrorism "by knowingly providing substantial assistance." 18 U.S.C. § 2333(d)(2). To bring a claim, plaintiffs must allege facts showing (i) an injury caused by an act of international terrorism; (ii) that the act was committed, planned, or authorized by a designated Foreign Terrorist Organization ("FTO"); and (iii) that the defendant aided and abetted the terrorism by knowingly providing substantial assistance. In analyzing the third element of aiding and abetting civil liability, courts consider (i) whether plaintiffs alleged the defendant was "generally aware" that it was playing a role in the FTO's unlawful activities from which the terrorist attacks were foreseeable; and (ii) whether the defendant provided knowing and substantial assistance. See, e.g., Kaplan v. Lebanese Canadian Bank, SAL, 999 F.3d 842, 856, 860 (2d Cir. 2021). The Supreme Court has recently held that for knowing and substantial assistance, a defendant must "consciously, voluntarily, and culpably participate in" the terrorist act that injured plaintiffs. Twitter, Inc. v. Taamneh, 143 S. Ct. 1206, 1223, 1230 (2023).

Prior to the Taamneh decision, recent decisions from appellate courts show that companies accused of aiding and abetting may face, at a minimum, years of costly civil discovery. In Kaplan, the U.S. Court of Appeals for the Second Circuit noted that a defendant's "general awareness" that it was assisting terrorism could be pled by, among other things, citing media reports suggesting a connection between its customers and a terrorist organization. 999 F.3d at 864. 

Likewise, the U.S. Court of Appeals for the District of Columbia Circuit allowed ATA claims against medical-supply and manufacturing companies to proceed in Atchley v. AstraZeneca UK Ltd., 22 F.4th 204, 220 (D.C. Cir. 2022). Plaintiffs alleged that the defendant companies entered into contracts with the Iraqi Ministry of Health, which the plaintiffs alleged was controlled by an organization that was intertwined with Hezbollah. According to the Atchley court, the "allegations support[ed] an inference that [the] defendants were generally aware they were engaged in illegal activity." Id. 

Together, Kaplan and Atchley show the risks of dealing with customers or contractual counterparties who may be alleged to be terrorists or intermediaries of terrorists. It remains to be seen whether Taamneh—in which the Court narrowed the scope of liability under the ATA—will prompt lower courts to more readily dismiss terrorism-based claims against companies accused of supporting acts of terrorism.

Criminal Liability. The ATA also criminalizes the provision of any "material support" to terrorists, 18 U.S.C. § 2339A(a), and FTOs, id. § 2339B(a) as well as "willfully provid[ing] or collect[ing] funds" to be used to carry out terrorism, id. § 2339C(a). It is, in turn, unlawful to launder funds in connection with any of those offenses. Id. § 1956(a). In addition, foreign governments may seek to investigate and police the use of crypto assets by terrorists.

The DOJ's recent prosecution of Lafarge S.A. signals the U.S. government's growing interest in enforcing the ATA against corporations. Lafarge, a French cement maker, and its Syrian subsidiary pleaded guilty to providing material support and resources to the Islamic State of Iraq and al-Sham and the Al-Nusra Front. Following its plea, Lafarge, which reportedly reaped $70 million in total sales revenue from the scheme, was ordered to pay fines totaling $777.78 million in addition to being placed on probation. Following the guilty plea, in March 2023, the DOJ announced an increase in the number of prosecutors focused on counterintelligence and exports controls. If the Lafarge plea agreement and the DOJ's staffing announcement foreshadow future prosecutions, companies should anticipate greater government scrutiny and the potential for costly investigations.

Risks to Companies Working With Cryptocurrencies

Parties that engage with cryptocurrency—whether to issue tokens, process or validate transactions, maintain accounts on behalf of customers, or trade—should be sensitive to this shifting legal landscape. In particular, given the growing use of cryptocurrencies to evade U.S. sanctions and fund acts of terrorism and the increasing U.S. government enforcement efforts in the industry, such parties should take steps to mitigate their risks.

A customer's use of cryptocurrency to evade sanctions or support terrorist attacks may be the basis for future ATA/JASTA civil claims or criminal prosecutions. As a result, legitimate businesses may find themselves in the crosshairs of governmental investigations and civil litigation. Even apart from any ultimate civil liability, companies working with cryptocurrencies may find themselves forced to engage in extensive civil discovery. While acknowledging that such discovery could be "intrusive," the Atchley court permitted claims against the defendants to proceed because of the "challenges of establishing a defendant's state of mind without the benefit of discovery." 22 F.4th at 220. Moreover, the risks of investigations by U.S. government agencies are increasing. On the heels of its major win securing the Lafarge plea agreement, the DOJ may be eager to bring additional criminal prosecutions under the ATA. Such criminal investigations will no doubt overlap with civil investigations by the other federal agencies taking interest in cryptocurrencies—including OFAC, FinCEN, the U.S. Securities and Exchange Commission, and the Commodity Futures Trading Commission. As with civil discovery, such investigations will be time-consuming and costly. 

Reducing the Risks

Companies working with cryptocurrencies should take steps to limit their exposure to legal, financial, and reputational harms. First, companies should consider conducting risk assessments to understand how, if at all, their services may be exploited by bad actors and how to minimize that risk. Such assessments may be conducted on a confidential and privileged basis with the assistance of outside counsel. Companies should also consider reviewing their policies, procedures, and practices to ensure compliance with relevant laws and regulations. Moreover, if a company receives an allegation of misconduct involving cryptocurrencies or uncovers any concerning conduct by its employees, agents, or customers, the company should engage qualified legal counsel to determine next steps, including whether an internal investigation is called for and whether modification of corporate practices, enhancement of employee training, or other remediation is necessary.

Second, cryptocurrency companies should consider implementing due diligence procedures to mitigate against future litigation exposure under the ATA, in addition to those already in place to address sanctions and AML compliance considerations. For banks and other financial institutions, such procedures should meet or exceed ordinary "Know Your Customers" industry standards. Companies should monitor OFAC's list of sanctioned individuals and entities before engaging new customers and consider whether to screen existing customers on a regular basis. 

Third, cryptocurrency companies should familiarize themselves with the red flags indicative of terrorist funding. In addition to U.S. government guidance, such as OFAC's Sanctions Compliance Guidance for the Virtual Currency Industry, the international Financial Action Task Force's Terrorist Financing Risk Assessment Guidance outlines some of the strategies companies can take to identify and prevent abuse of those companies' services. 

Finally, given the evolving landscape of virtual currencies generally, and cryptocurrencies in particular, companies should keep apprised of changes in the law that are relevant to their business models and geographic and industry profiles. 

Four Key Takeaways

  1. Cryptocurrencies are an expanding source of funding for terrorist groups around the world. 
  2. Under the ATA, companies that are generally aware they are indirectly supporting terrorist acts may be secondarily liable. Recent decisions by courts of appeals have relaxed the standard for alleging such general awareness, and ATA secondary-liability cases are surviving motions to dismiss. It remains to be seen whether recent Supreme Court precedent narrowing the standard will prompt lower courts to more readily grant motions to dismiss.
  3. The ATA also criminalizes support for terrorism. As indicated by the recent Lafarge plea agreement, the risks of investigations by the DOJ and other U.S. government agencies are multiplying.
  4. Companies working with cryptocurrencies should take steps to anticipate and mitigate against legal risks under the ATA, including conducting risk assessments and implementing due diligence procedures.
Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.