The metaverse is expanding at a rapid rate, bringing with it new types of fraud, money laundering, and other financial crime risks that must be countered, writes Andrew Pimlott.
The internet-enabled virtual world of the metaverse is capturing the imagination of so many people that by the end of the decade five billion could be using it, according to a forecast by Citi. The metaverse is also becoming a massive money-making machine, with the bank’s Metaverse and money report predicting it could be a $13 trillion market by 2030.
There are undoubtedly many benefits emerging from this latest version of the internet. But there are also many risks. With all those people and all that money, there are countless new opportunities for criminals, and they are already committing fraud, money laundering offenses, and other crimes.
Although these illegal activities take place in the virtual world, they have real-world consequences for victims. That is why financial institutions, regulators, law enforcement agencies, and governments globally are worried and are taking action to manage the threats. Interpol, the International Criminal Police Organization, has been quick to mobilize its forces.
“For many, the metaverse seems to herald an abstract future, but the issues it raises are those that have always motivated Interpol – supporting our member countries to fight crime and making the world, virtual or not, safer for those who inhabit it,” said Interpol Secretary General Jürgen Stock at its annual general assembly in New Delhi last October.
At its meeting, the organization announced the creation of an expert group on the metaverse to gather the views of police officers globally, and to ensure “this new virtual world is secure by design.” In a surprise session, Interpol also unveiled its own fully operational metaverse to be used by police forces worldwide. It allows police officers fitted with virtual reality (VR) headsets to tour a virtual version of Interpol’s headquarters in Lyon, France, interact with other officers via their avatars, and take training courses in forensic investigations and other policing capabilities.
The Metaverse Explained
So what is the metaverse? It is a virtual world that exists on the internet and is accessed from computers, mobile phones, tablets, and – in 3D – augmented reality (AR) and virtual reality (VR) headsets. The term was coined by author Neal Stephenson in the 1992 science fiction novel Snow Crash, which envisaged a virtual world separate from reality. It is a portmanteau of the prefix meta, meaning “transcending”, and universe, meaning “all existing matter and space.” What started as fiction is now fact.
The metaverse is built on Web 3.0, the latest version of the world wide web based on blockchain technologies, decentralized controls and data, and cryptoassets. The other four technologies involved are artificial intelligence, extended reality (XR, combining AR and VR), the internet of things (IoT), and edge computing.
What is the point of the metaverse and what is it used for? I put that question to ChatGPT, the AI-enabled chatbot launched by OpenAI in November. This was its reply: “The metaverse is used for social interaction, entertainment, education, and commerce. It allows users to interact with each other and digital objects in a shared, immersive environment. It can also be used for remote work, remote learning, virtual events, and as a platform for creating and experiencing digital content.”
All is well and good. But does the metaverse also provide rich pickings for criminals? “Yes,” was its honest answer. “The metaverse can provide opportunities for criminals to engage in activities such as fraud, hacking, and identity theft.”
The Financial Crime Risks in the Metaverse
Now that ChatGPT has confirmed what we already knew – that criminal activity does take place in the metaverse – I, as a human, will elaborate on what other people are saying about the problem. Fighting financial crime in the metaverse was one of the overarching themes of a conference organized by ACAMS – the Association of Certified Anti-Money Laundering Specialists – in Las Vegas last October.
“Technology advancements are a great thing, but the metaverse combined with Web 3.0 allows people to be more anonymous than ever,” Jim Lee, Chief of the Internal Revenue Service Criminal Investigations unit, told delegates. “As a result, we all know that the criminal element is going to come out somewhere, somehow.” The consensus among the audience was that anticipating how criminals could exploit the metaverse is the key to preventing it.
The European Parliament in a recent briefing paper entitled Metaverse: Opportunities, risks and policy implications said that “the sheer volumes of data circulating in the metaverse…constitute a growing risk for users.” It said that current cybersecurity challenges such as phishing, malware, and hacking will persist “and extend to devices enabling a metaverse experience and to avatars.”
Elliptic, a provider of cryptoasset risk management services to crypto businesses and financial institutions worldwide, has analyzed the problem in great detail. Its report The future of financial crime in the metaverse lists a number of “potential metaverse financial crime typologies.”
“Wherever there are concentrations of value, there will be crime – and the metaverse is no exception,” it says. “From analysis of Elliptic’s data set, we can already see that there is illicit activity linked to the metaverse-related assets MANA [Decentraland’s cryptocurrency] and SAND [Sandbox’s cryptocurrency]. Of this illicit activity, 99.5% is linked to cryptoasset thefts.”
It goes on to say that this mirrors wider criminal activity across NFTs (non-fungible tokens) where social engineering, fake giveaways, and MetaMask browser wallet attacks can create a dangerous environment for people buying, selling, and transferring NFTs.
Other financial crimes carried out in the metaverse according to Elliptic include:
- Money laundering, where criminals exchange their ill-gotten gains for metaverse-based assets such as land, wearables, or cryptoassets.
- Wash trading, where someone sells an item to himself or a collaborator with the intention of artificially pushing up the price.
- Scams, which are frauds such as “rug pulls” where someone raises capital for a project and then disappears without doing any work, and investment scams where the capital invested is never returned.
- Sanctions evasion, whereby entities use metaverse assets to evade sanctions, although this risk seems low at the moment.
- Code exploits, where criminals exploit poorly constructed smart contracts – self-executing code on a blockchain – in order to steal funds.
Detection and Prevention
It is therefore incumbent on businesses and financial institutions active in the metaverse to take steps to protect themselves and their customers. First, they should properly screen all metaverse transactions for illicit connections, followed, if necessary, by further investigations, blocking withdrawals, and alerting the authorities. Second, they should conduct full customer due diligence on trading counterparties. Third, they should use the latest and best technology to monitor transactions.
The World Economic Forum (WEF) has set up a Defining and Building the Metaverse initiative bringing together businesses, governments, civil society, and academia. Its objective is to “create a metaverse that is economically viable, interoperable, safe, equitable, and inclusive.” This January it produced a briefing paper, Interoperability in the metaverse, which among other things noted that “as in Web 2.0, users will experience harms, such as identity fraud, transaction fraud, and other social harms,” and that everything must be done to “create safe digital spaces.”
The European Commission and the other main EU institutions are working on new anti-money laundering (AML) measures which will be extended to the entire crypto sector. The measures will oblige “all crypto-asset service providers (CASPs) to conduct due diligence on their customers,” said the Council of the EU in a statement in December. The regulation on transfers of funds is also being changed to make transfers of cryptoassets more transparent and fully traceable.
An article in the International Financial Law Review entitled “The metaverse needs to police financial crime,” noted that criminals who “cheat, lie and steal in the real world will do the same in the metaverse” and carry out identity theft, money laundering, and fraud. Financial regulators therefore “need to think and plan ahead for the crimes that could potentially take place in the metaverse, before they spin out of control.” At the same time, financial institutions must conduct comprehensive know-your-customer and transaction checks.
Time to Act
Even if Citi’s predictions in its Metaverse and money report – that more than half the world’s population will be using it in a market worth as much as $13 trillion – are only half realized, the potential for crime will still be huge. Although these crimes will be committed in cyberspace, they will have real-life consequences.
That is why bankers, regulators, law enforcers, and politicians need to look closely at the risks. They need to ensure that existing laws, regulations, standards, investigatory powers, and crime prevention techniques are applied to the metaverse. They must add new ones where necessary. Above all, they must remain vigilant.
Andrew Pimlott is Senior Managing Director, Financial Services, Data and Technology, EMEIA, Ankura Consulting.