AML Red Flags in Crypto Exchanges and Wallets


As the use of cryptocurrency grows, cryptocurrency service providers must deal with a growing number of threats from money launderers who take advantage of the speed and secrecy involved with trading virtual assets online.

Users must have access to online wallets and exchanges to buy and sell cryptocurrencies or virtual assets. These services make high-volume crypto transactions possible, allowing for the quick transfer of assets and payments around the world outside of traditional banking and finance systems. Because of the absence of regulatory oversight, money launderers want to shift illegal funds into cryptocurrencies to circumvent the AML checks imposed by traditional financial institutions. The issue is becoming more serious: according to research, about $1 billion was laundered in crypto exchanges in 2018, and around $2.8 billion in 2019.

FATF’s report on Virtual Assets Red Flags

The Financial Action Task Force (FATF) conducted research into the features of bitcoin money laundering in response to the risks posed by cryptocurrency. The study was based on prior FATF investigations into crimes employing virtual assets, as well as more than 100 case studies submitted by governments within the FATF Global Network since 2017.

The FATF published a report titled Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing in 2020, detailing its conclusions. The research outlined the following virtual asset red flag signs of money laundering behavior in order to assist both financial regulators and cryptocurrency wallet and exchange firms in developing and implementing their AML programs:

  • Transaction Type
  • Transaction Pattern
  • Anonymity
  • Senders and Recipients
  • Source of Funds
  • Geographical Risks

Transaction Types

Traditional criminal techniques remain important, even as bitcoins offer a new frontier in the money laundering scene.
The FATF discovered that the following forms of transactional behavior employing traditional payment methods frequently indicated an intent to launder money:

  • Structuring cryptocurrency transactions in small amounts to avoid reporting thresholds.
  • Performing a large number of high-value cryptocurrency transactions in a short period of time.
  • Transferring cryptocurrency deposits as soon as possible to a service provider in a low-regulatory jurisdiction.
  • Withdrawing cryptocurrency deposits without completing a transaction, or converting deposits to many types of cryptocurrency despite incurring fees.
  • Depositing funds that have been identified as stolen into cryptocurrency wallets.

FATF case study example: A securities firm discovered a foreign national making two separate transactions totaling $4.8 million between cryptocurrency accounts from a Cayman Islands-based wallet within six minutes of each other. The accounts were frozen after a suspicious transaction report was filed, and the funds were discovered to have been obtained illegally.


Anonymity

The technology that protects cryptocurrency wallets and exchanges from attacks also increases the anonymity of customers who use the services to trade, making it more difficult for authorities to track them. Money laundering that takes advantage of the anonymity of cryptocurrency services may display the following red flags:

  • Transactions involving many types of cryptocurrency, particularly those with high levels of anonymity, despite the extra fees incurred.
  • A customer transfers funds from a public blockchain to a centralized cryptocurrency exchange, where they are immediately exchanged for an anonymity-enhanced cryptocurrency (AEC) or privacy coin.
  • Customers who act as unlicensed service providers for other users on unlicensed P2P crypto exchange sites. These customers may handle large cryptocurrency transfers on behalf of their customers and charge higher fees than licensed exchanges for their own services.
  • An unusually high volume or frequency of transactional activity on P2P platforms or platforms that use mixing and tumbling services, with no logical business explanation.
  • Funds deposited into a cryptocurrency wallet from an untrustworthy source, such as darknet marketplaces, gambling sites, or other illegal websites.
  • Users entering a cryptocurrency exchange from IP addresses linked to suspicious sources or using encryption software to conduct transactions with partners.
  • Users who use proxies or domain name registrars (DNS) to hide their domain names when registering for a cryptocurrency exchange.
  • The use of unregistered cryptocurrencies that have been linked to Ponzi schemes and fraud.

FATF case study example: AlphaBay, a darknet peer-to-peer marketplace, was used to acquire and sell a wide variety of illegal items, including drugs, fraudulent documents, and guns. Between 2015 and 2017, around 200,000 customers and 40,000 suppliers transacted over $1 billion in cryptocurrency before the US government shut down the AlphaBay servers.

Senders and Recipients

Account creation: Users who use multiple accounts under different names to circumvent the exchange’s trading and withdrawal limits, or who attempt to open accounts using the same IP address. Transactions that originate from untrustworthy or suspicious IP addresses or high-risk jurisdictions. Businesses with internet domain registrations in different jurisdictions than their country of establishment.

CDD irregularities: Senders and recipients that lack knowledge of the source of their transactions or the relationship with their counter-parties are at risk of fraud, according to the Bank of England. Customers who have insufficient KYC information may also be at risk if they refuse requests for this information or forge their identification materials.

Customer profiles: Users who make significant profits or losses by transacting with the same subset of individuals. Customers using identification credentials shared by another account or associated with illegal activity. Discrepancies between customer account IP addresses and IP addresses of initiated transactions. The same customer attempting to access a cryptocurrency platform using different IP addresses in a single day.

Money mule behaviors: Elderly or financially vulnerable customers engaging in high-volume cryptocurrency transactions and those who buy large amounts of the virtual currency in a manner inconsistent with their financial profile could be at risk. Senders that are unfamiliar with cryptocurrency technology could also pose a risk to their accounts.

FATF case study example: A bank acquired cryptocurrency assets from a local company, which were placed by both natural and legal persons, but it was unable to gather information on the funds’ origin. After further investigation, the bank discovered that the bitcoin funds were tied to organized crime.

Source of Funds

Cryptocurrency accounts with known links to illegal activities, such as fraud, extortion, ransomware or darknet marketplaces, or transactions to or from online gambling sites. Funds sourced from investments in cryptocurrency assets or initial coin offerings (ICOs), from platforms with insufficient AML/CFT controls or from third-party mixing or tumbling services.

FATF case study example: The owners of the DeepDotWeb website were discovered to be getting crypto kickbacks for sending visitors to illicit darknet marketplaces in 2019. The kickbacks, totaling more than $15 million, were moved by DeepDotWeb’s proprietors through a succession of Bitcoin wallets in an attempt to obscure their source.

Geographical Risks

Criminals who transport unlawful funds throughout the world sometimes seek out areas with cryptocurrency regulatory gaps or shortcomings. Money laundering red flag signs by location are as follows:

  • Cryptocurrency funds that originate in or are remitted to an exchange that is registered in a nation other than the customer’s or the exchange’s home country.
  • Customers who use crypto exchanges or service providers that are based in high-risk areas or are known to have insufficient anti-money laundering and counter-terrorism procedures.
  • Customers who open physical offices in jurisdictions where cryptocurrency rules are known to be insufficient or non-existent, while having no logical business need to do so.

FATF case study example: After using a US-based exchange to handle crypto sales for over $800,000 in premiums, an illegal Bitcoin dealer was shut down by US authorities in 2019. The dealer then shifted his operations to an Asian exchange, buying $3.29 million in Bitcoin between 2015 and 2017 and remitting his proceeds in modest sums back to the United States to circumvent reporting requirements.

What Should You Do If You See AML Red Flags in Crypto?

Crypto exchange AML systems should adopt a risk-based model that matches their threat landscape and regulatory context, according to FATF advice and local legislation. In practice, this involves putting in place safeguards to combat traditional money laundering methods in conjunction with, where applicable, the FATF’s specific virtual asset red flag indicators. As a result, a cryptocurrency anti-money laundering program should include:

  • Proper customer due diligence (CDD) techniques to identify customers and flag higher-risk customers for enhanced due diligence (EDD).
  • Measures for detecting questionable cryptocurrency transactions and reporting them to financial authorities on time.
  • Checks of customers and their crypto addresses against relevant international sanctions lists and for politically exposed person (PEP) status.
