When Criminals Abuse the Blockchain: Establishing Personal Jurisdiction in a Decentralised Environment

In August of 2022, the United States Department of Treasury sanctioned the virtual currency mixer Tornado Cash, an open-source and fully decentralised piece of software running on the Ethereum blockchain, subsequently leading to the arrest of one of its developers in the Netherlands. Not only was this the first time the Office of Foreign Assets Control (OFAC) extended its authority to sanction a foreign 'person' to software, but the decentralised nature of the software and global usage highlight the challenge of establishing jurisdiction over decentralised software and its global user base. The government claims jurisdiction over citizens, residents, and any assets that pass through the country's territory. As a global financial center with most large tech companies, this often facilitates the establishment of jurisdiction over global conduct that passes through US servers. However, decentralised programs on blockchains with nodes located around the world challenge this traditional approach as either nearly all countries can claim jurisdiction over users, subjecting users to criminal laws in countries with which they have no true interaction, or they limit jurisdiction, thereby risking abuse by bad actors. This article takes a comparative approach to examine the challenges to establishing criminal jurisdiction on cryptocurrency-related crimes.


Introduction
Cryptocurrency has exploded in popularity in recent years, with Bitcoin adopted as a national currency in two countries. The blockchain technology on which cryptocurrency is built is an important tool used not only to facilitate a medium of exchange but also in many industries, including healthcare and education. As with all technologies, blockchain is a tool and can be abused by malicious actors. However, the decentralised nature of the technology creates an obstacle to establishing jurisdiction in transnational crimes.
For Bitcoin and most cryptocurrencies, the association with cybercrime and fraud is not due to a lack of transparency but rather the ease of use in international transactions, something that increases the complexity of establishing jurisdiction. While Bitcoin and many cryptocurrencies are on public ledgers, transferring money between banks and across borders creates barriers to identifying the criminals, as it takes time for law enforcement to obtain information from each bank, which may require time-consuming processes in each country, and banks may even be owned by criminal actors (Levi 2002). If banks in any jurisdiction stop cooperating, the trail is lost (Hedayati 2012). In order to truly remain anonymous, cybercriminals could use stolen identities to transfer funds and eventually withdraw the cash, making them nearly untraceable. However, selecting a specific currency is inefficient for those engaging in cybercrime. Human time is valuable while running code is low cost. As such, cybercriminals play a numbers game allowing code to attack any computer with identified vulnerabilities or assume the identities of anyone whose information has become available, often through phishing attacks (Ghazi-Tehrani and Pontell 2021). Insisting on bank transfers in dollars would make sense in the US; however, if the victim's computer is located in Poland or China, a request to transfer dollars to a US bank account may pose a greater challenge and prevent the criminals from receiving some of the funds. As cryptocurrency is jurisdiction-non-specific, cybercriminals can establish a single demand message for a virus that can harm systems globally. Due to the global nature of cryptocurrency, which uses a distributed ledger system, the appropriate jurisdiction for those involved in crypto-related crime is not always clear.
This article explores the difficulties in ensuring that states can protect their citizens by prosecuting bad actors while simultaneously protecting individual rights and upholding the rule of law by following clear legal standards to establish jurisdiction. In doing so, it expands on the literature addressing jurisdiction over internet crimes by extending the discussion to those crimes involving decentralised blockchains. After addressing the methodology in Section 2, this article first provides a background section (Section 3) that explains how blockchain technology, and Bitcoin in particular, operates. The section addresses the role of nodes, types of consensus mechanisms, and how individuals interact with the blockchain. With this foundation, Section 4 introduces the types of crimes involving crypto assets with short case studies, including ICO scams, the FTX fraud, the Mt Gox hack, and allegations of money laundering with Tornado Cash. Through the lens of these types of crimes, Section 5 then addresses the approaches to establishing extra-territorial jurisdiction and argues that to protect the rights of individuals and rule of law, nonterritorial jurisdiction should only be extended in cases where the criminal act necessarily causes direct harm. This article then concludes in Section 6.

Methodology and Limitations
This research is primarily doctrinal (Pradeep 2019) in nature, using comparative (Farrar 2001) and normative analysis (Indriati and Nugroho 2022; Schauer 2021) to evaluate the current state of criminal personal jurisdiction regarding crimes involving the use of cryptocurrencies and addressing challenges posed by the existing legal landscape. To this end, this article seeks to answer the question of when jurisdictions can exercise personal jurisdiction over criminal defendants for alleged crimes involving decentralised digital assets (cryptocurrencies). This paper also addresses when countries should not exercise jurisdiction. Several small case studies are used to critically examine the impact and weaknesses of existing legal frameworks. As an emerging technology, there is limited literature addressing criminal jurisdiction and cryptocurrency (Lukings and Habibi Lashkari 2022). However, there is a large body of literature addressing civil jurisdiction (Yang 2022; Co 2021; Pecharsky and Yahya 2022) and the scope of regulatory authority (Caudevilla 2022), including whether digital assets are securities (Gonzalez 2022; Colesanti 2022). These were reviewed in addition to the literature on internet and cybercrime jurisdiction as they have important implications for cryptocurrencies. The relevant literature is addressed in its respective sections.
This article is limited to criminal jurisdiction and focuses on the use of cryptocurrency as a medium of exchange. It does not address civil jurisdiction or crimes that are specific to web3 (Wu et al. 2023), the use of governance tokens, or the possibility of criminal liability for decentralised autonomous organisations (DAOs) as legal persons (Kotlán et al. 2023), an important area for future study now that some jurisdictions are permitting the incorporation of DAOs (Moore 2021; Mondoh et al. 2022; Gurkov 2022). This article also does not address the use of governance structures or on-chain dispute resolution to resolve issues (Guillaume and Riva 2022).

Background: Cryptocurrency and Blockchain Technology
Bitcoin and other cryptocurrencies are a form of distributed ledger that uses blockchain to record transactions (Soltani et al. 2022; Pinto et al. 2022; Gorbunova et al. 2022). As a record of assets, ledgers are ordinarily kept by one centralised person or entity, requiring trust in that entity. For example, when someone opens a bank account, the bank does not store physical money for the customer but rather maintains a ledger tracking how much money the customer is entitled to. As a highly regulated sector, people trust that banks will maintain accurate ledgers instead of changing the amount in customer accounts (Cardona 2022). With cryptocurrencies, the ledger is stored across multiple nodes around the world and the blockchain functions to prevent improper changes to the record. The greater the number of nodes and the greater the decentralisation, the more secure a cryptocurrency is. Startup projects may be susceptible to attack. However, Bitcoin has never been successfully hacked and, with around 15,000 full nodes (Bailey and Warmke 2023), is a permissionless and trustless network. It is said to be permissionless in that anyone who holds Bitcoin can transfer it and create new wallets (like accounts) without the need for a bank or any other intermediary, and trustless in that the code is open source and the ledger is distributed so no one can make unauthorised changes to the ledger (Arote and Kuri 2022).
A new Bitcoin block is created approximately every 10 min, and the chain goes back to 2009, when Bitcoin was first created in response to irresponsible banking behavior causing the 2008 financial crisis (Aboura 2022). At the time of writing this article, there are 777,949 blocks on the Bitcoin blockchain (Blockchain.com 2023). Although Bitcoin is good for international transfers, it is not ideal for most retail purchases due to the 10 min delay. As such, a second layer has been added, known as the lightning network (Divakaruni and Zimmerman 2023; Liu and Au 2022; van Dam and Kadir 2022). The lightning network facilitates nearly instant Bitcoin transactions at a fraction of a cent (Dylan LeClair 2022). In El Salvador, where Bitcoin was adopted as an official currency (Taylor 2022), the lightning network was used by the government to transfer Bitcoin to its citizens.
Bitcoin uses a distributed consensus mechanism commonly referred to as "mining" to confirm transactions and update the blockchain. Encrypted numbers with 64 digits act as digital fingerprints, called hashes, which are used to secure the system (Allenotor and Oyemade 2021). Miners use the hash from the previous block and try to calculate the next hash. This connection of the hashes is what creates the chain between blocks, preventing someone from altering the ledger (Wezza et al. 2022). Proof of work, where miners use large amounts of computing power to secure the blockchain, is a useful tool for securing the blockchain and has been proposed for other things, including preventing denial of service attacks on email servers (Soria Ruiz-Ogarrio 2022). However, it has been criticised for its high degree of energy consumption (Wendl et al. 2023), largely within the context of ESG (Rudd 2023). As such, many other projects have opted for a consensus mechanism called proof of stake. In proof of stake, holders of a cryptocurrency can "stake" their currency to give a validator the authority to confirm transactions (Ibañez and Rua 2023). The theory is that those who own the currency have a stake in ensuring the security and accuracy of the system. In some cryptocurrencies, the stakers will lose their staked currency if the validator where they stake misbehaves.
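
The hash chaining and proof of work described above can be made concrete with a short sketch. This is an added example, not code from the article or from Bitcoin itself; the block layout, the `DIFFICULTY` value, the sample transactions and all function names are assumptions chosen for illustration (Bitcoin's real block header is a different binary format), while the double SHA-256 producing 64 hexadecimal digits matches what Bitcoin uses.

```python
import copy
import hashlib
import json

DIFFICULTY = 3           # assumed toy target: hash must start with 3 hex zeros
GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(block):
    """Double SHA-256 over the block contents; returns 64 hex digits."""
    fields = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    payload = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()

def mine(index, prev_hash, transactions):
    """Proof of work: try nonces until the hash meets the difficulty target."""
    block = {"index": index, "prev_hash": prev_hash,
             "transactions": transactions, "nonce": 0}
    while True:
        digest = block_hash(block)
        if digest.startswith("0" * DIFFICULTY):
            block["hash"] = digest
            return block
        block["nonce"] += 1

def build_chain(batches):
    """Mine one block per batch, linking each to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for index, transactions in enumerate(batches):
        block = mine(index, prev, transactions)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_invalid_block(chain):
    """Verify as a node would; return the index of the first bad block or None."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block)
        if (block["prev_hash"] != prev                      # link to parent broken
                or digest != block["hash"]                  # contents were altered
                or not digest.startswith("0" * DIFFICULTY)):  # no valid work
            return block["index"]
        prev = block["hash"]
    return None

def tamper(chain, index, transactions, redo_work=False):
    """Return a copy of the chain with one block's transactions rewritten.

    With redo_work=True the altered block is re-mined so that it is valid
    on its own, which changes its hash and orphans every later block.
    """
    forged = copy.deepcopy(chain)
    if redo_work:
        forged[index] = mine(index, forged[index]["prev_hash"], transactions)
    else:
        forged[index]["transactions"] = transactions
    return forged

# Constructed sample ledger entries (not real transactions).
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "dave", "amount": 1}],
]
FORGED_BATCH = [{"from": "bob", "to": "mallory", "amount": 2}]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("honest chain:", first_invalid_block(chain))
    print("edited block 1:", first_invalid_block(tamper(chain, 1, FORGED_BATCH)))
    print("edited and re-mined block 1:",
          first_invalid_block(tamper(chain, 1, FORGED_BATCH, redo_work=True)))
```

Editing an old block is detected at that block; re-mining it only moves the failure to the next block, so rewriting history means redoing the work for every block that follows.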
In order to transact on the blockchain, users have two items, a public key and a private key (Liu et al. 2017). The public key is like an email address on the blockchain, and others can use it to send cryptocurrency to that address. The private key is like a password and allows the user to send from any address to which they have the private key. Therefore, only the person with a private key can move funds on the blockchain. This both ensures the security of the blockchain and means that if a user loses their private key, they lose access to their cryptocurrency. To simplify the process, digital wallets are used to store the private key and streamline transactions (Suratkar et al. 2020). These wallets are said to "hold" the cryptocurrency, but they only display the user's account balance (which is public on the blockchain) and hold the private key. All cryptocurrency is on the decentralized blockchain, not on the wallet or any one device.
Aside from assets like Bitcoin that are meant as a permissionless and decentralised medium of exchange, digital assets can be divided into multiple asset classes, including:
1. Stable coins, which are pegged to the value of a specific asset, often the US dollar (Ante et al. 2023);
2. Governance tokens, which allow the holder to vote on decisions for a decentralised project (Fan et al. 2022; Makridis et al. 2023); and
3. Smart contract-capable digital assets, which are an important part of web3 and can be used for a variety of purposes including securing patient records in healthcare (Aloini et al. 2023; Ghosh et al. 2023; Kaur et al. 2023; Wenhua et al. 2023) and increasing efficiency in the energy sector (Mololoth et al. 2023; Zanghi et al. 2023; Khezami et al. 2022).
While these are important, this article focuses on the use of these digital assets as a currency.
Despite the many benefits of the technology, cryptocurrency has been criticised for energy usage (Truby 2018; Rudd 2023) and the perceived risk of money laundering (Mahalaxmi and Srinivas 2022; Sun et al. 2022; Anthony 2022b; Hossain 2023), fraud (Scharfman 2023b; Sanz-Bas et al. 2021), tax evasion (Mezquita et al. 2023; Noked 2018), and use in the drug trade (Mezquita et al. 2023). Some jurisdictions banned or heavily regulated cryptocurrencies while others have sought to embrace digital assets as a source of innovation (Novak 2020). At the time of writing this article, El Salvador (Alvarez et al. 2022; Analytica 2021; Kshetri 2022b; Sparkes 2022) and the Central African Republic (Katterbauer et al. 2022; Kshetri 2022a; Neti 2022) have even adopted Bitcoin as legal tender within the countries.
Decentralised digital assets lack a clear regulatory framework in most countries. To address this and in response to Executive Order 14067, the US Department of Justice (DOJ) issued a report on crimes related to digital assets (DOJ 2022). In this report, the DOJ expresses concerns over the use of cryptocurrency in crimes including sanctions evasions. The report calls for greater cooperation, both internationally and between government departments, and discusses the current state of the law, which lacks a comprehensive regulatory framework specific to decentralised digital assets, but where enforcement actions have nevertheless been taken. In spite of the fact that the US does not recognise cryptocurrency as legal tender, 18 U.S.C. § 1960, which prohibits "unlicensed money transmitting businesses", has been held to apply to cryptocurrency transmitting businesses.
On the regulatory front, the Financial Action Task Force (FATF), a 39-member body that establishes standards aimed at preventing money laundering, identifying funds related to the illicit drug trade, and terrorist financing, issued its recommendations on regulating digital assets (FATF 2021; de Koker et al. 2022). The FATF adopts the terms "virtual assets" (VAs) and "virtual asset service providers" (VASPs) in their recommendations. As a developing technology, whether something is considered a VASP under the recommendations may not always be clear. The focus of the recommendations is information collection and monitoring, with mandatory disclosure requirements, such as the 'travel rule', and information sharing central to these recommendations. Although the recommendations are not law, FATF recommendations set global standards that usually lead to broad adoption.

Crimes Involving Digital Assets
Many of the laws surrounding cryptocurrency are vague and require clarification (Náñez Alonso 2019). Cryptocurrency, like any other tool, can be used for positive or nefarious purposes. Most crimes where cryptocurrency is used involve fraud or theft, in the form of crypto wallets being hacked. In the early days of Bitcoin, it was associated with criminal activity, largely due to its use in the Silk Road, a dark web marketplace that facilitated trade in drugs and other illicit material. At the time, Bitcoin lacked wide-spread adoption and it was believed that it provided anonymity to users (Christin 2013; Phelps and Watt 2014). While cryptocurrency, as with any currency, can be used in transactions for illicit goods or money laundering, most of the crimes involving cryptocurrency today are fraud or hacks, often where a victim's lack of knowledge of the industry is exploited by criminals to steal cryptocurrency (Nickerson 2019). This section will provide four examples of crimes or alleged criminal activity involving cryptocurrency, including the jurisdictional challenges.

ICO Frauds
When companies need to raise funds, they can issue stock. When crypto projects sell tokens to raise money, this is known as an initial coin offering (ICO) (Tao et al. 2023). Not all projects have an ICO, but they are common for projects that will require a substantial amount of development over time. This makes the projects centralised in their reliance on the development team and in that a small group initially holds all the coins. Centralised projects are more likely to be considered securities and thus fall under the jurisdiction of securities regulators like the US Securities and Exchange Commission. Not all cryptocurrencies have used an ICO. For example, Bitcoin did not have an ICO and therefore began in a substantially decentralised manner.
Investors in coins being offered through ICOs pay a premium based on the belief that those offering the coins will continue to develop the project. Many fraudulent actors have taken advantage of this trust through what the industry terms a "rug pull" (Kerr et al. 2023; Wronka 2023). In this type of fraud, a group creates a basic crypto token and publishes a document known as a white paper that details the long-term development plans for the project based on that token. Once the money is received, the scammers cease development and move on with the money (Scharfman 2023a; Alshater et al. 2023; Cong et al. 2023). These scams were extremely common in 2017 when the cryptocurrency market capitalisation surged to what, at the time, were all-time highs. Fraudulent ICOs both harm investors and undercut legitimate projects' ability to raise capital.
In the case of OneCoin, the founders advertised and sold packages to assist investors in mining OneCoin tokens, a fake cryptocurrency that was never actually created (Scharfman 2023c). This resulted in victims being defrauded of over USD 4 billion, the conviction of an affiliated attorney for conspiracy to commit money laundering and bank fraud (DOJ 2019), and the indictment of OneCoin's Bulgarian founder, Ruja Ignatova, in the United States for conspiracy and securities fraud charges (United States v Ruja Ignatova 2018). This indictment, from the Southern District of New York, connects Ms. Ignatova to the jurisdiction by stating that she and her employees "caused to be made false statements and misrepresentations soliciting individuals throughout the world, including the Southern District of New York, to invest in 'OneCoin'". Whether prosecutors can assert jurisdiction over global activities or only those that specifically and intentionally targeted people in the United States remains to be seen as Ms. Ignatova disappeared with much of the stolen money in 2017, earning her a spot on the FBI's most wanted list. However, advertisements and something likened to rallies where potential investors were motivated to invest took place around the world, and the founders of OneCoin were physically present and proactively advertised in many jurisdictions, suggesting that the founders submitted to the personal jurisdiction in those locations.

FTX Fraud
The FTX fraud is not an example of a problem with cryptocurrency but with criminal activity at a centralised exchange (Chohan 2023; Kerr et al. 2023). The collapse of FTX caused users to lose billions of dollars, but anyone who had removed their assets to a private wallet was largely unaffected. Banks do not hold the assets of customers on their behalf like a storage company; rather, customers of banks are creditors, and banks are not required to keep enough money to pay all accounts on demand. Most crypto exchanges work the same way, but unlike banks, exchanges are not government-insured. If a customer transfers money onto an exchange and purchases a Bitcoin, the account may state that the customer holds a Bitcoin. However, the exchange may not have purchased sufficient Bitcoin to provide for all their customers. It is only once the customer transfers the Bitcoin off the exchange into their own non-custodial wallet that the Bitcoin is truly theirs. In the case of FTX, the exchange loaned substantial amounts of customer funds to an affiliated investment firm named Alameda Research. When the value of one of the assets FTX held dropped substantially, the exchange became insolvent and did not have sufficient funds to purchase the crypto owed to customers. The FTX fraud, namely taking customer funds and transferring them to a related company to make risky investments, is a crime involving cryptocurrency but is the failure of a centralised exchange.
Aside from the leadership of FTX and Alameda Research being US citizens, being regulated in a jurisdiction, as was the case with FTX US, may signify an intent to come within the jurisdiction's laws. FTX actively advertised to US customers, including naming a stadium and advertising during the Super Bowl. Although FTX was managed from the Bahamas, its management carried out business in the US and personal jurisdiction would be established by both objective and subjective personal jurisdiction. However, what about all the other countries where account holders are located? The extent of non-territorial personal jurisdiction will be discussed in the next section.

Hacking/Theft: Mt Gox
Perhaps the most significant hack to date is that of the Mt Gox cryptocurrency exchange in 2014. Mt Gox was based in Tokyo and began in 2007 as an online trading platform for the card game Magic the Gathering (Linton et al. 2017). The name itself means Magic the Gathering Online Exchange (Ma 2017). Over time, the exchange began trading Bitcoin until it was responsible for around seventy percent of Bitcoin's global trading volume. The exchange stopped trading in 2014, reporting that hackers stole approximately 850,000 Bitcoin from the exchange. At the time of writing, Bitcoin is trading at USD 23,200, meaning this Bitcoin would be worth USD 19.7 billion. The exchange filed for bankruptcy in the Tokyo District Court in 2014 and was ordered to liquidate that same year. The process, however, is still not complete, and creditors are waiting to receive some of the Bitcoin they are owed from the bankrupt exchange.
Hacking and the theft of cryptocurrency are closely related because hackers may target those with cryptocurrency in hopes of obtaining their private key. If a holder of cryptocurrency "stores" their currency in a digital wallet that is on a device connected to the Internet (hot wallet) then a hacker could steal the owner's cryptocurrency if that device is compromised by the hacker. Therefore, users are advised not to carry large amounts of cryptocurrency in a hot wallet, just as someone should not carry large amounts of cash. Similarly, users that save a copy of their private key in digital form risk it being found and used to steal funds. Hackers can create software that searches for private keys in compromised devices. Thus, users saving a private key to a digital device or in a cloud server place themselves at significant risk of losing their cryptocurrency.
While gaining unauthorised access to a computer system, commonly referred to as hacking, is covered by specific statutes, such as the Computer Fraud and Abuse Act, it is unclear whether using otherwise legally obtained private keys to steal cryptocurrency would constitute hacking (Thomas 2023). If not, it may limit the jurisdiction of courts. This is because the system is designed to be permissionless and facilitate anyone with the private key to make transactions. The user would be accessing the network as intended and not otherwise gaining access to another computer. However, in jurisdictions where cryptocurrency is recognised as property, this would constitute larceny. In establishing jurisdiction, the larceny would take place in the physical location of the bad actor. However, it is difficult to also apply the jurisdiction of the victim as the nodes are located globally and the individual committing larceny may not know the location of the victim.

Tornado Cash and Allegations of Money Laundering
The belief that most major cryptocurrencies, including Bitcoin, are anonymous is a common misconception. All transactions are permanently recorded on the blockchain and can be downloaded or viewed online using a blockchain explorer. The fact that anyone can create a crypto wallet, one of the benefits of cryptocurrency as it provides a secure means to store funds for many in developing countries that do not have access to bank accounts, has caused currencies like Bitcoin to be described as pseudo-anonymous (Kerr et al. 2023). This is because all transactions are recorded but the general public may not know who controls each wallet (Shovkhalov and Idrisov 2021). Nevertheless, there remain significant privacy concerns because once an individual is tied to a wallet, all past and future transactions are connected to the person. Most exchanges also require customers to provide identification in compliance with know your customer (KYC) laws (Brasse and Hyun 2023). This acts as a double-edged sword in that it allows governments to know who controls cryptocurrency wallets and thereby identify and arrest those engaged in illegal activity, but it also poses a risk of data leaks that would expose transaction histories of individuals using exchanges. For many transactions, such as buying food at the local store, this may not appear a concern, but there are many circumstances where privacy is important, including issues related to safety, medical conditions, and political affiliations. For example, a stigma remains for people with some medical conditions, such as HIV, and those with such conditions should be able to pay for treatment without the payments being viewed by others. Similarly, removing anonymity could put victims of abuse at risk as abusers could identify their location. In order to provide this privacy, programmers developed privacy tools, including one commonly referred to as a mixer (Nadler and Schär 2023).
Mixers allow individuals to "deposit" pre-defined units of cryptocurrency and then withdraw them later into a new wallet. Because deposits and withdrawals are restricted to specific denominations and many people interact with the mixer, it theoretically becomes impossible to determine which user is withdrawing funds. One of the most popular mixers, known as Tornado Cash, was placed on the sanctioned entities list by the US Department of Treasury (Anthony 2022a) as it is alleged that North Korean hackers used the mixer to launder hacked funds. There is still an important legal question on whether software can be sanctioned, as Tornado Cash is not an entity but rather open-source software. Shortly after this, one of the Ethereum founders, Vitalik Buterin, admitted to using Tornado Cash to donate anonymously to Ukraine in 2022. The mixture of bad actors and privacy-focused individuals has made mixers a controversial topic. In the wake of this, one of the developers of Tornado Cash, Alexey Pertsev, was arrested in the Netherlands where he is a resident (Schickler 2022a, 2022b). Although at the time of writing, the investigation by prosecutors is ongoing, it is reported that he is being held on allegations of facilitating money laundering and concealing criminal financial flows stemming from his role as a developer of Tornado Cash. Whether developers should be held accountable for the actions of others using their open-source software is beyond the scope of this article. However, if a crime were to be committed, the Netherlands would be an appropriate jurisdiction as it is the alleged place of the criminal act and the residence of the accused. Establishing extraterritorial jurisdiction in such cases would pose a problem as it could subject developers of decentralised applications to the laws in every country around the world. This is because nodes exist around the world and the software can be used by anyone. This creates a risk of developers needing to comply with inconsistent laws and would require knowledge of the laws in every jurisdiction.
As can be seen from these examples, crimes involving cryptocurrency commonly involve fraud and hacking. Although a much smaller portion of the criminal activity, they can also involve the use of cryptocurrency in illicit transactions and money laundering. The next section discusses the traditional approaches to extra-territorial jurisdiction and their application to cryptocurrency-related crimes. As there is limited jurisprudence or literature addressing personal jurisdiction for cross-border crimes involving cryptocurrency, this section looks to cybercrimes generally for guidance on how courts are likely to rule on jurisdictional issues.

The Extent of Extra-Territorial Jurisdiction
The two primary traditional bases for jurisdiction are territoriality and nationality (Zajac 2019), each of which can be divided into categories, with these also joined by universal jurisdiction.
The fundamental principle of criminal law that no crime can exist without law (nullum crimen sine lege) requires the ex ante establishment of standards of behavior. This stands in contrast to international law, which often exists as an ex post standard flowing from political realities that is used to justify state actors while also having an ex ante role of establishing customs for future interactions between states. Traditional concepts of jurisdiction were established as customs for relations between sovereigns without regard to individual rights and in an era where human rights were not recognised (Zajac 2019). Nevertheless, jurisdiction requires "a genuine link that comes either in the form of a geographic territory or citizenship" (Saghir and Kafteranis 2022). While this restriction stems from the need for countries to avoid interference in each other's sovereignty, it also can offer some protection to individuals by restricting the ability of countries to extend jurisdiction over individuals with whom the country has no connection.

Territorial Jurisdiction
The most obvious form of jurisdiction is territorial (Osmanollaj 2023). This stems both from the concept that states can regulate the behavior within their own territory and the reality that states cannot set a standard of behavior outside their territory without infringing on the sovereignty of other states. Territorial jurisdiction can be further divided into objective and subjective jurisdiction (Foysal 2023). Objective territorial jurisdiction is the exercising of jurisdiction over the defendant because they were present in the state at the time of the alleged crime. As their presence in the state is an objective fact, this is the simplest form of territorial jurisdiction to establish.
Subjective territorial jurisdiction is based on the subjective intent of the actor to direct their activity towards the foreign state, thereby subjecting themselves to the state's jurisdiction. The traditional law school example is the person standing on the border between two countries that then shoots someone on the other side of the border. The state where he is standing has objective territorial jurisdiction, but because he intended to harm someone that he knew was in the other state, his subjective intent to impact that state subjects him to its jurisdiction. For cryptocurrency-related crimes, cross-border fraud will often fit in this category as the perpetrator will know the location of the victims. However, theft of crypto assets can be more complicated because the assets sit on nodes around the world. As such, the subjective intent of a defendant to submit to the laws of a foreign jurisdiction is less clear than the shooting example. Certainly, the argument for extra-territorial jurisdiction is strengthened if the bad actor knew the location of the victim. However, this may be difficult to establish. When expanding jurisdiction to states that might be affected, it is important to place strict limitations as, without clear restraints, the approach may be the "beginning of the end to meaningful territorial limits on legislative jurisdiction" (Parrish 2008).

Nationality
Nationality-based jurisdiction asserts that states have jurisdiction over the actions of their nationals, even if that action takes place outside the state's territory (Gerber 1984).
States have gradually increased this power to cover not only citizens but residents. Nationality as a basis of jurisdiction has its basis in European history, where the sovereign was deemed to have divine authority over their subjects, irrespective of where these subjects may travel. The term "subject of the king" was used in England in reference to nationality and, at the time of US independence in 1776, the US was the only country to use the term citizen to reference something similar to a national (McGovney 1911). The top-down notion that the state, through divine authority, has global authority over its subjects is antithetical to the bottom-up Western democratic view that government authority flows from the people and that democracy allows laws to reflect local standards. Regardless, states continue to use nationality as a basis to extend jurisdiction beyond their borders. There is, however, a presumption that laws are limited to a state's territory unless explicitly stated otherwise by the legislature.
In addition to asserting extra-territorial jurisdiction over nationals, known as active jurisdiction, countries sometimes assert jurisdiction over crimes conducted abroad against their nationals. Known as passive-nationality jurisdiction, this form of jurisdiction is particularly controversial and often contested (Chehtman 2010). The primary purpose of criminal law is to protect members of society, both through creating clear standards of conduct and through removing particularly dangerous actors from society. In the case of passive nationality, these goals are not met, as the bad actor is a member of a different society. As such, for ordinary crimes, use of the passive nationality principle is largely limited to cases where the state is merely seeking retribution. However, in the case of cybercrimes, incentives change. Whereas a state is motivated to prevent violent crime and protect its citizens, a state may not be motivated to arrest those engaged in online fraud or hacking if the targets are in another jurisdiction. Indeed, the state may benefit from the proceeds of these crimes, increasing the wealth of the local population. As such, to the extent that a state can obtain custody of a criminal actor, passive nationality jurisdiction may have an important role in fighting cryptocurrency theft, fraud, and other related cybercrimes in jurisdictions where governments are unable or unwilling to stop bad actors.
The territorial and nationality approaches to establishing jurisdiction also protect the rights of defendants against improper extra-territorial expansion of power by requiring that defendants have sufficient "minimum contacts" with the state. Individuals are seen as either benefiting from the protection of the state or, if traveling into another state, having voluntarily submitted to that state's jurisdiction, thereby justifying the application of the foreign state's laws. Similarly, if a person intentionally directs an act at another jurisdiction, then they can be viewed as having voluntarily submitted to the laws of the place toward which the harm was aimed. In the case of cryptocurrency, this is complicated because the currency is simply a record on a digital ledger that is stored on computers around the world. Therefore, the assertion of jurisdiction based on the server being within a state's borders is no longer a reasonable approach, as it would grant every state jurisdiction over an individual's actions with decentralised digital assets. Not only would it be impossible for individuals to research laws in every jurisdiction, but laws in different countries could create inconsistent obligations. For example, one country may require disclosure of a counter party's information as part of anti-money laundering laws while another country may require that information to be kept confidential as part of privacy laws. Therefore, an individual attempting to comply with the laws in one jurisdiction may find themselves criminally charged in another. This complexity could also destroy the crypto industry and continued technological development as developers may be afraid to innovate, not knowing if they risk breaking a law in some foreign jurisdiction.

Universal Jurisdiction
Universal jurisdiction is the right to assert global jurisdiction in the absence of any ordinary links between the defendant and the state. This is done under the theory that "some crimes are so troublesome as to constitute a threat to international peace and security" (Ireland-Piper 2012). In principle, universal jurisdiction should be limited to crimes that are a global threat, such as piracy, genocide, and other war crimes. Universal jurisdiction comes largely out of necessity. Even egregious crimes, such as murder, can be dealt with within the jurisdiction of the act and, therefore, would not warrant universal jurisdiction. However, crimes such as genocide are conducted by people using either the power of the state or in a location where the state is too weak to prevent the crimes. These crimes constitute a threat to international peace and, therefore, out of necessity, other states are empowered to assert jurisdiction. Crimes that fit in this category are ordinarily viewed as crimes against humanity generally as opposed to any one individual and are, therefore, larger in scope. One of the dangers of universal jurisdiction is the tendency for courts to increase the scope of their authority over time. When faced with the choice between releasing a defendant the court believes committed a reprehensible act and extending the court's authority beyond its legal limits, courts are often tempted to extend their jurisdiction. In an individual circumstance, many people would view this as a moral approach. However, over time, jurisdiction can be improperly increased to the extent that it undermines the law by violating the rights of defendants and the principle that there is no crime without law, a principle that protects individuals by ensuring they are held to a specific legal standard and not to the laws of any court in the world that decides to assert jurisdiction.
The difficulty in establishing the location of a criminal carrying out a cybercrime is often cited as a hindrance to determining applicable law and jurisdiction (Saghir and Kafteranis 2022). The use of virtual private networks and other technologies may make a criminal's location difficult to determine. However, this issue applies primarily to the investigation stage and not the jurisdiction to prosecute. If authorities can determine who has committed a crime, then absent the rare case of the cybercriminal that was travelling across borders around the time of the criminal acts, the physical location of the defendant when committing the crime should be easy to identify. As identity theft is a common element in cybercrimes, the inability to identify the physical location of the criminal activity and connect it with the defendant will, in most cases, imply that authorities have insufficient proof to convict the defendant. As such, granting jurisdiction to any state where the defendant is not physically located, and potentially any state outside the defendant's domicile, creates a high risk of extradition and detainment of innocent parties. Jurisdiction may be difficult to determine at the beginning of an investigation. However, once law enforcement has sufficient evidence to charge a defendant, the location of the defendant's actions and, therefore, a territorial jurisdiction, should ordinarily be clear.

Establishing Inherent Harm as a Requirement for Extra-Territorial Jurisdiction
Crimes have historically been divided into two categories: inherently wrong actions and actions that are prohibited but not otherwise immoral (Velasco 2015). Inherently wrong actions include crimes such as murder, theft, and assault. Fraud, including that committed using cryptocurrency, would also fall into this category. Other actions, such as jaywalking or possessing marijuana, may have been banned by society but are not inherently wrong. Money laundering would also fall into this category (Young 2009; Dimock 2016), as the laundering itself does not create harm. One problem with this distinction is that moral standards vary across jurisdictions, and states have thus incorporated a degree of subjectivity into the analysis. For example, possession of cocaine or methamphetamine, because it does not pose a direct harm to others, may be viewed as merely prohibited in some jurisdictions but inherently wrong in others. Similarly, prostitution is viewed as a prohibited activity in some jurisdictions but viewed as immoral and, therefore, inherently wrong in others. Yet still, it is legal in some jurisdictions. In the international context, for the distinction to have significance, the test should be whether a particular crime necessarily creates a direct harm to an identifiable person or persons. The claim that something harms society generally is insufficient to meet this requirement as the standard is too subjective to account for differences in cultures and standards around the world. For example, it is impossible for a person to commit murder or fraud without harming someone. However, while the possession or sale of drugs may lead to harm, the harm is not certain.
To protect the rights of individuals while ensuring states can protect their citizens, this distinction could also be applied so that, aside from territorial-based jurisdiction, countries only extend extra-territorial jurisdiction where it is impossible to commit the crime without directly harming someone. To ensure respect for other countries and remove the risk of countries imposing their beliefs on other cultures, this test should have a further restriction that if an activity is legal in any country, then it is deemed as being only prohibited and not inherently immoral (harmful). Under this approach, individuals would still be subject to the laws where they are located but would not need to worry about running afoul of foreign laws, so long as their actions were not harmful.
The use of cryptocurrency in extortion or fraud is inherently wrong, and the defendant's state of nationality, the jurisdiction where the defendant was located at the time they committed the crime, and, if the harm was aimed at a specific state, the target state may all have jurisdiction over the crime. However, if the crime is failure to meet some reporting requirement, the defendant should only be liable within the territory where they are located.
One of the greatest risks in international criminal law is the erosion of individual rights against the goal of comity between states. When it comes to establishing jurisdiction, "[c]onsiderations of international human rights law are usually lost in the shuffle" (Drake 1992). In upholding the presumption of innocence, disruption to the defendant's life should be minimised prior to conviction. Arrest and extradition will have a detrimental physical, psychological, and economic impact on a defendant. In establishing jurisdictional rules, courts and legislatures must recognise that law enforcement will not accurately identify the criminal actor in every circumstance and therefore create systems that are minimally harmful and disruptive to the accused. Fortunately, the domicile of the defendant will often also be the location where most evidence is located, another important factor in determining where a trial should take place (Maillart 2019).
The more morally egregious a crime, the higher the risk of false conviction as society demands "justice" in the form of a conviction and punishment. For example, a combination of moral outrage and prejudice has historically resulted in some African Americans being falsely convicted of serious crimes. Further, statutes of limitations are often increased or removed for particularly egregious crimes, increasing the risk of false convictions as the falsely accused are unable to explain evidence that suggests their guilt or refute testimony as exculpatory evidence is lost and alibis are difficult to find years after an alleged crime takes place, especially for the falsely accused.
Another fundamental principle of the law states that if the law is ambiguous, it should be decided in favour of the accused (Lin and Watters 2018). In dubio pro reo, or 'in doubt for the accused', has been weakened over the years by court decisions and statutes stating that courts should apply the law as the legislature intended. Courts then apply statutes to prevent the perceived bad acts as opposed to applying the text and granting the defendant the benefit of the doubt. This trend undermines the rule of law and human rights and is paralleled by the extra-territorial extension of jurisdiction where defendants have not submitted to the jurisdiction and cannot reasonably be expected to comply with foreign law. The risk is compounded with increased international travel as countries around the world may have different cultures and customs and interpret law differently (Campanini and Arafa 2020; Bertotti et al. 2021; Arafa and Burns 2015). Additionally, decentralised technology like cryptocurrency does not fit well within the traditional framework for establishing extra-territorial jurisdiction. States claiming jurisdiction any time a node is within their territory will undermine the need for certainty and the rule of law. Absent an international convention that would provide certainty and establish clear jurisdictional standards, requiring a criminal act to necessarily create direct harm will protect the rights of individuals by reducing the risk of defendants being charged without knowingly engaging in behaviour that is harmful or that they know to be illegal, and will still facilitate prosecution of those involved in cross-border fraud or the theft of cryptocurrency.

Conclusions
Cryptocurrency and other blockchain-based digital assets are an important technology that is becoming increasingly popular, with Bitcoin adopted as an official currency in El Salvador and the Central African Republic. However, the decentralised nature of the technology makes it impossible to connect a coin to a specific location as the ledger is hosted on nodes around the world. This makes territorial jurisdiction difficult to establish in many crypto-related transnational crimes, including hacking and fraud. However, if those engaging in fraud or hacking only target people in foreign jurisdictions, the local government may not be motivated to expend the cost of investigating, prosecuting, and incarcerating those responsible. In fact, the local government may benefit from the additional resources brought into the local economy by the criminals. As such, a balance must be struck when a country applies nationality-based jurisdiction to protect its citizens to ensure the individual rights of defendants are protected. Not only is the protection of individual human rights and establishing clear legal standards essential to maintain the rule of law, but at least some of those suspected of engaging in illegal activity will be innocent. As one restriction to help strike this balance, this article suggests that non-territorial-based jurisdiction, including nationality-based jurisdiction, only be extended if a crime would necessarily create direct harm to a person or persons. This objective standard will facilitate establishing extra-territorial jurisdiction where bad actors engage in fraud or steal crypto assets, acts that the perpetrator will know are wrong. Simultaneously, it will protect anyone who unintentionally violates a foreign regulation, thereby reducing compliance costs and supporting the development of the industry.