About 2,000 years ago during its Han dynasty, China made peace with some of the nomadic people of Central Asia who continuously ransacked Silk Road traders for an easy payday. It did so in order to fully establish the Silk Road trade route, which stretched from China to Europe, and to secure a great source of wealth from trading in luxury goods.

Now, as trade increasingly has shifted to the digital realm during the global COVID-19 pandemic, cyberattackers are taking advantage of organizations’ lax cybersecurity measures. They are using ransomware to lock these organizations’ data with encryption until a ransom payment in cryptocurrency is made. Back in 2019, 98% of ransomware payments were made in Bitcoin (BTC).

Related: Not like before: Digital currencies debut amid COVID-19

Anne Neuberger, United States deputy national security adviser for cyber and emerging technology, explained:

“The number and size of ransomware incidents have increased significantly. […] The U.S. government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility.”

The administration of President Joe Biden is moving to treat cyberattacks — which are estimated to cost $1 trillion a year and often take the form of ransomware — as a national security threat. Intelligence agencies have concluded that they pose an elevated threat to the country, with gasoline, food supplies and hospital systems at risk.

Recently, the U.S. Department of Justice seized 63.7 BTC (worth approximately $2.3 million at the time) representing the proceeds of a ransom payment made by Colonial Pipeline to the group known as “DarkSide.” It did so via a coordinated effort with the DoJ’s Ransomware and Digital Extortion Task Force, which collaborates with domestic and foreign government agencies in addition to private-sector partners to combat this significant criminal threat.

Related: Cybercrime task force monitoring the global digital financial system

Lisa Monaco, the DoJ’s deputy attorney general, noted: “Following the money remains one of the most basic, yet powerful tools we have.” She continued:

“Ransom payments are the fuel that propels the digital extortion engine, and [..] the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”

Paul Abbate, deputy director of the Federal Bureau of Investigation, added:

“We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”

U.S. tax implications of ransom payments in cryptocurrencies

One question is whether ransomware payments can be considered an “ordinary and necessary” cost of doing business and be deducted from taxable income as a theft loss under Sections 162(a) and 165(a) of the Internal Revenue Code, which provides the authority to deduct any losses that were not covered by insurance or some other means. There are several judicial and administrative definitions of theft, and the Internal Revenue Service’s definition seems broad enough to encompass a cyberattack and allow for ransomware payments made in cryptocurrency to be deducted as a business expense for federal tax purposes.

However, under Section 162(c), if the ransom payment in cryptocurrency constitutes an illegal bribe, illegal kickback, blackmail payment or other illegal payment — such as one made to a group classified as a terror organization under any U.S. law — it would not be tax-deductible. Thus, a taxpayer should distinguish illicit payments from ransomware cryptocurrency payments by highlighting the theft of property. Questions of illegality may arise when paying a ransomware demand in cryptocurrency to a cybercriminal with a known connection to a sanctioned or boycotted foreign government.

Related: Sanctions compliance for transactions in fiat and cryptocurrencies are the same: Expert take

Here is an example, provided by Elliptic co-founder and chief scientist Tom Robinson: “Elliptic was first to identify the Bitcoin wallet used by the DarkSide ransomware group to receive a 75 Bitcoin ransom payment from Colonial Pipeline. […] DarkSide [which is believed to be based in Eastern Europe] is an example of ‘Ransomware as a Service’ (RaaS). In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organisation. This new business model has revolutionised ransomware, opening it up to those who do not have the technical capability to create malware, but are willing and able to infiltrate a target organisation.”

Ransomware attackers may even offer a victim company a discount if it transmits the infection to other companies. These ransom payments in BTC are then laundered on dark web markets, according to a report issued by Flashpoint and Chainalysis.

Any ransom payment made in cryptocurrency is taxed as property rather than currency. Therefore, taxpayers are expected to keep detailed records of these ransom payment cryptocurrency transactions, report any gains and report the fair market value of any mined cryptocurrency on their tax returns as well.

Additionally, the Financial Crimes Enforcement Network, or FinCEN, also regulates cryptocurrency-related transactions pursuant to the Bank Secrecy Act (BSA) by stating that “An administrator or exchanger that (1) accepts and transmits a convertible virtual currency or (2) buys or sells convertible virtual currency for any reason is a money transmitter.”

Thus, under the BSA, a cryptocurrency transmitter is required to complete a risk assessment, develop a written program to avoid money laundering, designate an individual compliance officer and complete other action items.

Related: The United States updates its crypto AML/CFT laws

It should be noted that other profiting and culpable participants in a Bitcoin ransom payment scheme might find themselves facing criminal and tax fraud/evasion penalties. For example, John McAfee, founder of the antivirus company bearing his name, had recently been charged with various tax crimes in the U.S. relating to nominee-held cryptocurrency transactions and was facing many years in prison if convicted. This may have been a factor in his decision to commit suicide in a Spanish jail after the court ruled he could be extradited to the United States.

Related: John McAfee’s suicide reports raise disbelief, spark conspiracy theories


In remarks to the U.S. Senate Appropriations Committee, FBI Director Christopher Wray advised ransomware victims to not pay a ransom to retrieve hijacked data or regain network access. He said that “In general, we would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back,” adding: “We have to make it harder and more painful for hackers and criminals to do what they are doing.” And he continued:

“We took upwards of 1,100 actions against cyber adversaries last year, including arrests, criminal charges, convictions, dismantlements, and disruptions, and enabled many more actions through our dedicated partnerships with the private sector, foreign partners, and at the federal, state, and local entities.”

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Selva Ozelli, Esq., CPA, is an international tax attorney and certified public accountant who frequently writes about tax, legal and accounting issues for Tax Notes, Bloomberg BNA, other publications and the OECD.