Module: 02h — Cryptocurrency and Blockchain Legal Frameworks for Security Researchers

Difficulty: Advanced


Questions

Q1. Under FinCEN's 2013 guidance, which of the following actors is classified as a money transmitter (MSB) required to register with FinCEN under 31 U.S.C. § 5330?

  • A) A user who mines Bitcoin for personal use and spends it to pay for goods and services
  • B) An exchanger who converts virtual currency into real currency for third parties for profit
  • C) An employee who receives wages partially in cryptocurrency from their employer
  • D) A researcher who receives a single bug bounty payment in ETH and holds it in a personal wallet

Correct answer: B

Explanation: FinCEN's 2013 guidance establishes that an exchanger — someone who converts virtual currency for real currency, other virtual currency, or funds as a business — is a money transmitter and must register as an MSB. A mere user who mines or buys crypto for personal use is not an MSB; nor is an employee receiving wages or a researcher receiving a one-time bounty held for personal use.


Q2. OFAC's designation of Tornado Cash on August 8, 2022, was partially overturned by which court decision, and what was the specific holding?

  • A) United States v. Roman Storm (S.D.N.Y. 2024) — the court held the founders could not be criminally charged for operating non-custodial software
  • B) Van Loon v. Department of Treasury (5th Cir. 2024) — the court held OFAC exceeded its authority by designating immutable smart contracts that no person can "own" or control, ruling they do not constitute "property" under IEEPA
  • C) SEC v. Ripple Labs (S.D.N.Y. 2023) — the court held that smart contract interactions are programmatic sales not subject to federal securities law
  • D) United States v. Roman Sterlingov (D.D.C. 2023) — the court held mixer operators cannot be held liable for transactions processed by immutable code

Correct answer: B

Explanation: In Van Loon v. Department of Treasury (5th Cir. 2024), the Fifth Circuit held that OFAC exceeded its statutory authority under IEEPA by designating Tornado Cash's immutable smart contracts, because immutable contracts that run autonomously and cannot be controlled by any person do not constitute "property" of a sanctionable person. The criminal prosecution of the founders (Roman Storm, Roman Semenov) was not affected by this ruling.


Q3. In SEC v. Ripple Labs, Inc. (S.D.N.Y. 2023), Judge Torres ruled that programmatic sales of XRP on secondary exchanges through blind bid-ask transactions were NOT securities transactions. What Howey prong did these sales fail to satisfy?

  • A) Investment of money — buyers did not pay value for the tokens
  • B) Common enterprise — secondary market trades are not linked to Ripple's enterprise
  • C) Efforts of others — buyers did not know they were purchasing from Ripple and had no basis to expect profits from Ripple's efforts specifically
  • D) Expectation of profits — exchange buyers were legally presumed to be purchasing for utility, not investment

Correct answer: C

Explanation: The Ripple court held that programmatic secondary-market buyers did not know they were buying from Ripple specifically and therefore had no basis to expect profits from Ripple's efforts — failing the "efforts of others" prong of the Howey test (SEC v. W.J. Howey Co., 328 U.S. 293 (1946)). Institutional direct sales to hedge funds with explicit return promises did satisfy all four prongs and were held to be unregistered securities.


Q4. Under 18 U.S.C. § 1960, the Samourai Wallet indictment (S.D.N.Y. 2024) alleged that coordinating CoinJoin transactions through the Whirlpool implementation constituted unlicensed money transmission, even though Samourai Wallet never held custody of the funds. What is the significance of this theory for open-source software developers?

  • A) The theory only applies to developers who advertise their mixing software to dark web markets
  • B) The theory is the most aggressive application of § 1960 to non-custodial software, and if upheld, would criminalize publishing open-source privacy software that facilitates mixing — even without custody of funds
  • C) The theory is limited by the Van Loon ruling, which immunizes non-custodial software from § 1960 prosecution
  • D) The theory requires proof that the developers personally profited from each individual CoinJoin transaction coordinated

Correct answer: B

Explanation: The Samourai Wallet indictment is the most aggressive application of § 1960 to non-custodial software. The government alleged that coordinating CoinJoin transactions — even without ever holding the funds — constitutes money transmission. If upheld at trial, this theory would criminalize the act of publishing open-source privacy software that facilitates mixing, creating a defining test of how far § 1960 can reach.


Q5. What does the Fifth Circuit's decision in United States v. Gratkowski, 964 F.3d 307 (5th Cir. 2020), establish regarding Fourth Amendment protections for Bitcoin transactions?

  • A) Bitcoin users have a reasonable expectation of privacy in their wallet balances but not in individual transaction amounts
  • B) Bitcoin users have no reasonable expectation of privacy in their publicly recorded blockchain transactions because the third-party doctrine applies to data voluntarily shared with the entire network
  • C) A warrant is required to access blockchain data held by a crypto exchange, but not for data on the public chain
  • D) The pseudonymous nature of Bitcoin addresses creates a constitutional privacy interest analogous to the content of encrypted communications

Correct answer: B

Explanation: In Gratkowski, the Fifth Circuit held that Bitcoin users have no reasonable expectation of privacy in their publicly recorded blockchain transactions, applying the third-party doctrine from Smith v. Maryland, 442 U.S. 735 (1979). When a transaction is broadcast to the Bitcoin network, it is voluntarily shared with the world. Pseudonymity is a practical investigative obstacle, not a constitutional protection.


Q6. The Bitfinex hack proceeds laundering case (United States v. Ilya Lichtenstein and Heather Morgan) resulted in what was at the time the largest financial seizure in DOJ history. How did the government recover the private keys to the wallets holding the 119,754 BTC?

  • A) The FBI exploited a vulnerability in the Ledger hardware wallet firmware used by the defendants
  • B) The government obtained the private keys by executing search warrants on cloud storage accounts containing encrypted backup files, then cracking the passwords through password recovery techniques
  • C) Lichtenstein voluntarily provided the private keys as part of a cooperation agreement before his arrest
  • D) The FBI traced funds through Chainalysis Reactor to an exchange that held the keys in custody on behalf of the defendants

Correct answer: B

Explanation: When the government arrested Lichtenstein and Morgan, it executed search warrants on cloud storage accounts and found encrypted files containing private keys. The keys were recovered by cracking the password on the encrypted backup files through password recovery techniques, resulting in the $3.6 billion seizure — the largest financial seizure in DOJ history at the time.


Q7. OFAC's enforcement framework for ransomware payments establishes strict liability for payments to SDN-designated actors. Which ransomware group creates the "alias problem" — where multiple rebranded variants are covered by a single designation — requiring OFAC screening of variant indicators before paying?

  • A) REvil / Sodinokibi
  • B) Evil Corp (the Maksim Yakubets group), whose variants include WastedLocker, Hades, Phoenix, and PayloadBIN
  • C) LockBit 3.0 and its BlackMatter predecessor
  • D) Lazarus Group operating under the Bluenoroff and APT38 aliases

Correct answer: B

Explanation: Evil Corp (the Maksim Yakubets group) is sanctioned, and OFAC issued guidance that payments to rebranded variants — WastedLocker, Hades, Phoenix, PayloadBIN — potentially expose payers to civil sanctions liability. A company facing any of these ransomware variants must run the indicators through OFAC's published lists and blockchain analytics before deciding to pay, creating the "alias problem."


Q8. A security researcher receives a bug bounty payment in BTC from a DeFi protocol. Under IRS Notice 2014-21 and Rev. Rul. 2023-14, what are the immediate and subsequent tax treatment steps?

  • A) The BTC is not taxable until converted to USD; capital gains tax applies at conversion
  • B) The fair market value of the BTC at the time of receipt is ordinary income; subsequent appreciation or depreciation when the BTC is sold or exchanged is a capital gain or loss
  • C) Crypto bug bounties are treated as gifts and are not taxable income unless the annual gift exclusion is exceeded
  • D) The researcher pays self-employment tax on the BTC only if they receive more than $600 worth in a single calendar year from a single payor

Correct answer: B

Explanation: IRS Notice 2014-21 and Rev. Rul. 2023-14 establish that all virtual currency is property. Receiving a bug bounty in BTC is a taxable income event: the fair market value at receipt is ordinary income. Any subsequent appreciation or depreciation from that basis is a capital gain or loss when the BTC is later sold or exchanged.


  • A) The money laundering statute (18 U.S.C. § 1956) requires only that the funds were moved, not permanently retained, so returning them is still a completed offense
  • B) The CFAA violation, wire fraud, and money laundering offenses were completed at the moment of exploit and transmission of funds; returning funds is a significant mitigating factor in prosecutorial discretion but is not a legal defense to the underlying completed crimes
  • C) The Computer Fraud and Abuse Act (18 U.S.C. § 1030) creates a statutory safe harbor for any attacker who returns 100% of stolen funds within 72 hours
  • D) Federal forfeiture law requires that the government prove ongoing possession of the funds, so returning funds before arrest defeats the forfeiture basis and therefore defeats the prosecution

Correct answer: B

Explanation: As illustrated by Poly Network and Euler Finance, returning funds does not erase the crime. The CFAA violation (§ 1030(a)(4)), wire fraud (§ 1343), and money laundering (§ 1956) occurred at the moment of exploit and transmission. Whether DOJ charges depends on identity, scale of harm, recovery of funds, and prosecutorial discretion — returning funds is mitigating but not a defense to the completed offenses.


Q10. The Liberty Reserve prosecution (2013) and the BTC-e / Alexander Vinnik indictment (2017) were landmark cases under 18 U.S.C. § 1960. What maximum sentence does § 1960 carry per count, and what was Arthur Budovsky's actual sentence in Liberty Reserve?

  • A) § 1960 carries up to 10 years per count; Budovsky was sentenced to 10 years
  • B) § 1960 carries up to 5 years per count; Budovsky pled guilty and was sentenced to 20 years (with counts running consecutively or through additional charges)
  • C) § 1960 carries up to 20 years per count; Budovsky was sentenced to 20 years on the § 1960 count alone
  • D) § 1960 carries up to 5 years per count; Budovsky received a 5-year sentence as the statutory maximum for a single count

Correct answer: B

Explanation: 18 U.S.C. § 1960 carries a maximum of 5 years' imprisonment per count. Arthur Budovsky pled guilty in Liberty Reserve and was sentenced to 20 years — reflecting a combination of counts and sentencing factors that produced a sentence well beyond the per-count maximum. The case established Liberty Reserve as the first major global § 1960 prosecution of a virtual currency MSB.