Cryptocurrency has long been pitched as a revolutionary financial tool — but as the shocking kidnapping of NBC's TODAY co-host Savannah Guthrie’s 84-year-old mother, Nancy Guthrie, underscores, it’s also become part of how modern criminals try to operate. Multiple ransom notes demanding payment in bitcoin — including a reported demand for around $6 million and, later, one bitcoin for information on the alleged kidnappers — have been sent to media outlets as part of the ongoing investigation into her abduction from her Arizona home. Authorities and experts continue to investigate whether the notes are credible — and whether the kidnappers are using cryptocurrency to try to obscure their identities and leverage the lack of transparency in digital payments.
To help make sense of what bitcoin is and why it’s increasingly entwined with criminal schemes (from ransomware to ransom notes), we spoke with Woodrow Hartzog, the Andrew R. Randall Professor of Law at Boston University School of Law, whose research focuses on privacy, technology, and the regulation of digital systems. (And who's testified in front of Congress about data protection and AI oversight.) Here, he explains why bitcoin’s design makes it attractive to criminals — and what that means for the rest of us.
For the uninitiated, what is bitcoin, and how does it work?
Hartzog: Bitcoin is the most popular form of what has been called cryptocurrency, which describes a system that allows people to communally share a ledger that keeps debits and credits of a particular unit of transaction, all wrapped up in encryption. That’s where the “crypto” comes from in cryptocurrency. Bitcoin is one of many cryptocurrencies, but it’s the most well known. Depending on who you talk to, bitcoin has been pitched as a currency, a store of value, an investment, or a kind of gambling operation — sometimes all three at once. That uncertainty makes it easier for people to exploit it — and to exploit others using it.
What makes cryptocurrency so ripe for use by criminals and other shady figures?
Cryptocurrency has really profited criminals and fraudsters for several reasons. First, if you can convince people that a cryptocurrency is valuable, there’s enormous incentive to accumulate as much of it as possible — often with little accountability.
Also, transactions are largely de-identified, meaning anyone can see transactions happening, but their identities aren’t necessarily clear. That allows people across borders to exchange value outside traditional systems like credit cards or banks. Those traditional systems have fraud detection and consumer protections built in. Cryptocurrency has virtually none.
That’s helped fuel the rise of ransomware. Hospitals and other institutions have been debilitated by ransomware attacks because cryptocurrency allows criminals to demand payment in a way that’s harder to trace. It’s also attractive for money laundering and pump-and-dump schemes because there’s limited transparency. The incentives are there to exploit bitcoin for harmful ends.
So in the past, governments and authorities could track financial crimes by "following the money" — but with no traceability, there’s fundamentally no way for these transactions to be traced, correct?
Because you don’t know who’s behind the bitcoin transactions, accountability is much harder. Traditional payment systems have guardrails to protect against insider trading and financial exploitation. Those protections don’t broadly exist in cryptocurrency. That’s what makes it dangerous.
Your focus is privacy law: Couldn’t someone argue that, in the interest of individual privacy, having transactions be untraceable is a good thing?
We’ve had a relatively privacy-friendly currency for a long time. It’s called cash.
Cash has built-in protections. You have to physically possess it to use it, and it has physical weight. You can’t lose it by someone hacking your account. We built systems around cash flowing freely, but there was accountability, because you often had to be present to use it — that isn’t true with bitcoin.
When I first taught a payment-systems class in 2011, I asked students whether private cryptocurrency transactions were great. They said "Yeah!" Then I asked, “What about if you’re an arms dealer or a drug dealer?” Suddenly the answer felt different.
The promise of bitcoin doesn’t match the reality. As a currency, it’s expensive in energy and efficiency terms. It’s also cumbersome unless you use intermediaries, which creates new problems. And it’s volatile: No one wants to accept something that might be worth $1,000 one day and 30 cents the next.
As an investment, it’s also problematic. It relies on the “greater fool theory” — it has value only if someone else is willing to pay more for it later. It’s not like investing in something that creates goods or services. It’s closer to a casino. But casinos have rules to prevent powerful players from exploiting everyone else. In cryptocurrency, those protections are minimal. Unless you’re manipulating the system, you risk being the greater fool.
When you look 20 or 30 years ahead — especially with AI voice cloning or AI-generated identities — what do you see as the next phase of criminality?
It depends on whether lawmakers step in with meaningful rules around cryptocurrency and AI. With the current push for deregulation, the problems could worsen.
If lawmakers do nothing, you’ll see deepfakes proliferate. You’ll see more fake calls from “sons” to elderly parents asking for money. Consumer protection challenges will intensify as it becomes harder to separate truth from fiction. That’s a dangerous world.
The only meaningful way to address it is to establish strong rules — and in some cases prohibit certain technologies or practices outright.
What kinds of laws do you think need to be passed?
We need clarity about what cryptocurrency is, and how it should be regulated. Targeting exchanges — where cryptocurrency is converted into real money — is one possible focus. Comprehensive AI regulation is another. The prevailing narrative in Washington is that AI shouldn’t be regulated because we have to “win the race.” That mindset exacerbates harm. Deepfakes need to be taken seriously, and consumer protections need strengthening.
Institutional capacity matters, too. Agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission were designed to protect Americans from financial exploitation. When those agencies are defunded or weakened, accountability suffers.
Ultimately, enforcing existing laws and supporting enforcement agencies would make a significant difference. This is as much a political problem as a legal one.
These issues around cryptocurrency are an extension of the ransomware crises we’ve already seen. When you make it easy for criminals to profit, they will. There’s ongoing debate about how anonymous bitcoin users truly are — in some cases identities can be uncovered — but the broader issue is the structure of the system itself. We need to start with being more critically reflective about the industry as a whole.
