skip to Main Content

GDPR Threatens to Impair Cryptocurrency Crime Investigations

CipherTrace Cryptocurrency Threat Bulletin

The European Union’s new General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, will negatively impact the overall security of the Internet and will also inadvertently aid cybercriminals. By restricting access to critical ICANN WHOIS information, the new law will significantly hinder investigations into cybercrime, cryptocurrency theft, phishing, ransomware, malware, fraud, and crypto-jacking.

Cybercriminals have increasingly focused their attention on stealing cryptocurrencies including Bitcoin, Ethereum, NEM and ICO currencies. Over $700M of cryptocurrency has been reported as stolen by cybercriminals in the last year, and hundreds of millions more of thefts go unreported by investors, consumers, and cryptocurrency exchanges. The Anti-Phishing Working Group (APWG) estimates that criminals have stolen over $1 Billion of cryptocurrency since the start of 2017.

Internet WHOIS data is a fundamental resource for investigators and law enforcement officials who work to prevent these thefts. It comprises the Internet’s database of record, containing the names, addresses and email addresses of those who register domain names for websites on the Internet. Access to WHOIS data is crucial in performing investigations that allow for the recovery of these stolen funds, identifying the persons involved, and providing vital information for law enforcement to arrest and prosecute these criminals.


Even if WHOIS data is falsified by criminals, detecting patterns of their fake information across different domain names is useful in correlating criminal activity for investigations. WHOIS contact data is also valuable for contacting the owners of small websites and blogs that are often hacked and used to launch criminal attacks and distribute crypto mining malware.

However, GDPR will mean that most European domain data in WHOIS now will no longer be published publicly after May 25.  And, unfortunately, some domain name registrars and registry operators are over-interpreting GDPR to justify the redaction of all contact data, no matter what country the contact is in or if they are a “legal person” or business rather than a “natural person” as covered by GDPR.

GDPR was intended to allow balancing the needs for privacy and security. Sections of GDPR describe the creation of codes of conduct and accreditation programs to allow legitimate users to access this kind of data and require them to properly protect it.  But thus far, no such program exists or has been deemed adequate by the European Union or any of its member state Data Protection Agencies.

CipherTrace CEO Dave Jevans has founded the Cryptocurrency Anti Phishing Working Group. Its member companies, law enforcement agencies, and universities work to prevent cryptocurrency-based crimes. CipherTrace is working with the and to explore how these non-profit organizations can provide adequate and legally acceptable accreditation systems for security practitioners to access WHOIS data in the age of GDPR.

To learn more about the work of CipherTrace in preventing and investigating cryptocurrency crimes, visit

You can learn more about the Cryptocurrency Anti Phishing Working Group here:

You can find details about the WHOIS GDPR proposal here:

You can track the developments at ICANN here:



Back To Top