The concept of the ‘metaverse’, a virtual world, isn’t new.

The 1992 science fiction novel, Snow Crash, by Neal Stephenson introduced the term “metaverse” and those who remember the 1982 movie Tron will recall the concept of a metaverse in film.

Today, the popularity of NFTs (Non-Fungible Tokens) and Facebook’s name change to Meta (with its pivot towards bringing “the metaverse to life and help people connect, find communities and grow businesses”) has helped propel all things metaverse-related.

But Meta is just one of many online worlds today, others include Decentraland, The Sandbox, and Roblox – to name but a few. A recent report by Citigroup, which described what it calls the ‘Open Metaverse’ (the next iteration of the internet or Web3), estimates the market value of the metaverse could be worth between $8 trillion – $30 trillion by 2030.

In anti-money laundering (AML) and law enforcement circles they say, “follow the money”, so if there is money being invested or spent in the metaverse, illicit funds are most likely to follow.

A unique insight

Today, the world is filled with many dedicated people trying to tackle financial crime, but over 10 years ago it was much less so, with even fewer focussing on financial crime in the virtual world.

I count myself amongst the few that were looking into risks and financial crime in the virtual world over 15 years ago – in my case, specifically in one called Second Life.

Many of the aspirations of today’s metaverses have previously been played out in Second Life – making millionaires of people, users earning a living in the metaverse, gambling, virtual land sales, and even ‘virtual’ currency (not to be confused with cryptocurrency) and much more.

So I decided to compare what I saw back then, to what I am seeing now. It may provide an idea of existing and emerging risks in the metaverse of today, that many are putting themselves and their money into, and how to manage potential risk.

Gambling in a virtual world

Second Life had its own virtual currency called Linden Dollars (L$), which was not a cryptocurrency, and was traded on its exchange known as the LindeX.

One of the first issues I came across at the time was the legality of gambling in Second Life – users could trade US dollars for Linden Dollars and then gamble in virtual casinos.

Although the overall amount of funds passing through Second Life casinos at the time would have been smaller than online casinos today, it raised questions on the legality of such operations and potential for illicit funds to pass through, “Is it legal to gamble in the virtual world?”, “How do I know where the user’s money has come from?” and “Who is monitoring the gambling activity? (If anybody)”. 

Before Linden Lab (the creators of Second Life) banned gambling on its platform, these were questions being asked not only by me, but by legal professionals and likely the FBI (Federal Bureau of Investigations), which visited Second Life’s virtual casinos at the invitation of Linden Lab.

Fast forward to today

Decentraland’s ICE Poker virtual casino is understood to host over one third of Decentraland’s users and the casino was said to have never been busier than in the three months to February 2022, generating over $7.5million in revenue.

Because Decentraland doesn’t hold a gambling license its Terms of Use state, “If you reside in a jurisdiction where online gambling is banned (such as the United States of America, China, and South Korea) you must refrain from accessing content which includes online gambling”.  This seems to be because players need to buy an NFT of virtual ‘wearable’ clothing that unlocks tokens to take part, in a play-to-earn fashion. As the popularity of the metaverse increases, so might the focus on gambling regulations.

Gambling in the metaverse may not only pose regulatory risks but also the risk of fraud. Recently, the US states of Alabama, New Jersey, Texas, Kentucky, and Wisconsin issued emergency Cease and Desist Orders against a metaverse casino called Flamingo Casino Club. It was alleged to fraudulently claim to be associated with the legitimate Flamingo Las Vegas Hotel and Casino, when in reality it had no affiliation or association whatsoever.

The metaverse casino was alleged to have had ties to Russia and the Orders meant the casino had to stop the sale of securitised NFTs, which the Orders called “simply a high-tech scam”. The operators took steps to conceal ties to Russia and the securitised NFTs were claimed by the operators to give investors part ownership and part profits in the virtual casino, that was set to be built in the virtual world known as The Sandbox.

Fraud – as in physical, so in digital

Although I didn’t see it first-hand all those years ago in Second Life, I did come across reports of fraud.

One was where fraudsters would get users to test virtual slot machines, only once the user put money in the slot machine the fraudster made off with the funds.  In Second Life, ‘terminals’ allowed users to deposit funds into their online accounts, so fraudsters would place fake terminals over real ones (similar to how criminals do this in the real world with ATMs). Unsuspecting users would use the fake element of the terminals, which allowed the fraudster to collect the deposits. This was not dissimilar to phishing attacks and the use of social engineering today, fraudsters were said to have used these techniques many years ago to steal Second Life avatars, along with user funds from accounts.

One of the most interesting cases I came across, was the case of an unregulated virtual bank in Second Life called Ginko Financial. In an interview conducted online with Reuters through instant messages, when asked how the bank works and if it is lending out money and charging interest rates to their loan customers, Ginko Financial’s CEO Nicholas Portocarrero (probably not his real name) replied “No, the bank is essentially loaning the money to itself right now”. When Reuters put it to Portocarrero that his bank had been accused of being a pyramid scheme (for which a clear rebuttal was never given) this lack of response, raised my suspicions that all wasn’t quite right with this virtual bank.

My initial doubts about Ginko Financial were later confirmed when it collapsed, taking with it investor funds, and many labelling it a Ponzi scheme.  Following the clamp down on gambling, Second Life went on to ban virtual banks as well. With the evident risks of scams, investor protection concerns, and lack of regulation, it was the correct call.

Child safety and human trafficking

One of the areas I focussed heavily on in my days of looking into Second Life was child safety.

Although Second Life was not generally aimed at children, there was nothing stopping them accessing it. At the time, there were reports of adult users creating avatars of children in order for other users to have sex with them, in what was termed ‘Age Play’, something that was criticised as encouraging players posing as children to make money this way. One report I came across stated German law enforcement were investigating users involved in such activity – worryingly this also included offering child sexual abuse material (CSAM) for sale.

In a recent investigation by the BBC, a researcher posed as a 13-year old girl and using an Oculus Quest VR (Virtual Reality) headset, “witnessed grooming, sexual material, racist insults and a rape threat”. Furthermore, the introduction of ‘haptic gloves’, which create a real sensation for the wearer when interacting with other users in the metaverse, may be an element that can add a new and disturbing dimension to harassment and abuse.

Risks in the metaverse can transpose into the real world. This was specifically the case when a 13-year-old girl was returned home safely after being convinced by a man she met on Roblox to meet up. The 33-year-old man in question was charged with sex trafficking, kidnapping, and rape. In another incident, described as the first such case involving the Oculus headset technology, a man was arrested for kidnapping a girl after she was found to have been communicating with him using the Oculus headset.

By providing criminals yet another way to communicate with and control their victims through the virtual world, it exposes children and adults alike to real harm and opens up the risk of human trafficking.

A look into the future

Drug lords and organised crime groups (OCGs) may not be rushing to the metaverse to launder millions or billions in illicit funds just yet. But there are plenty of other criminals looking to obtain, retain, and spend their funds if a new avenue for them to do so opens itself up via the metaverse – such as cybercriminals, terrorists, and sanctioned state actors, to name a few.

Unlike previously, there are now more users, more money, and more attention, mixed up with blockchain technology interacting with the metaverse – all bringing with them risks.

When it comes to financial crime, if we are not careful in the new metaverses, we will repeat the mistakes I saw many years ago and even go on to make new and bigger ones.

Rather than waiting for risks to materialise before taking action, a better course would be to understand them in the first instance and then put in place the controls to mitigate and manage them before they become a problem.