Cryptocurrency: Risks and red flags
Written by Jon Prentice on Tuesday May 2, 2023
Last year saw multiple crypto firms collapse, investors suffer large losses and the number of overall cryptocurrency transactions fall; at the same time, illicit use of cryptocurrencies hit a record high with an estimated $20.1 billion worth of transactions. Behind the increase was a rise in illicit transactions involving companies targeted by US sanctions. Moreover, transactions associated with sanctioned entities increased more than 100,000-fold in 2022 and made up 44% of illicit activity that year. 
In light of these figures, it is imperative that compliance professionals are able to identify red flags that might highlight potential crypto money laundering risks. While these risks share many features with traditional money laundering red flags, compliance professionals must understand the red flags specific to cryptocurrencies.
Risks and red-flag indicators
In September 2020, the Financial Action Task Force (FATF) released a report highlighting red flag indicators of money laundering and terrorist financing specifically aimed at virtual assets. 
These indicators are grouped into six categories:
- transactions
- transaction patterns
- anonymity
- senders or recipients
- source of funds or wealth, and
- geographical risks.
Let’s take a look at each of these red flag indicators in more detail, focusing on what they include and the standout contributors for each.
Although cryptocurrencies are very different in nature from traditional fiat currency, the strategies employed by fraudulent users to launder money often resemble traditional methods. FATF highlighted several types of cryptocurrency transaction that could indicate money laundering may be taking place.
- Structuring transactions in small amounts or in amounts just under reporting thresholds.
- Making high-value transactions in a short period, or in staggered or regular patterns.
- Depositing funds suspected as stolen or fraudulent into crypto wallets.
- Transferring virtual assets to jurisdictions that have non-existent or weak AML/CFT regulation, or a jurisdiction that has no plausible relation to where the customer lives or conducts business.
- Withdrawing virtual funds without any in-between transactions, especially if the withdrawals incur fees, or converting the assets into multiple different assets that incur fees, especially if there is no logical business explanation.
Money laundering through virtual assets can often be identified through irregular, unusual, or uncommon transaction patterns, such as:
- new accounts opened with large initial deposits that are traded away shortly afterwards
- new accounts funded with amounts that do not appear consistent with the user’s profile
- transactions involving multiple assets or accounts with no logical business explanation
- a number of crypto transactions which result in a loss of money due to account fees
- repeated exchanges of fiat money to cryptocurrency without logical business explanation, and
- small amounts from numerous virtual wallets that are instantly relocated or removed.
These red flag indicators draw from the vulnerabilities of the underlying technology surrounding virtual assets, more specifically the anonymous exchanges that occur between cryptocurrency consumers.
Money laundering behaviour that takes advantage of the anonymous nature of cryptocurrencies may show the following characteristics.
- Moving assets from a public, transparent blockchain, such as Bitcoin, to a centralised cryptocurrency exchange and then on to a private or anonymous coin.
- Transactions by customers that involve multiple cryptocurrency types, in particular those that involve highly anonymous currencies that incur additional, unjustifiable fees.
- A significant volume of peer-to-peer transactions that involve mixing services without justification.
- Customers that operate as unregistered or unlicensed service providers for other users on peer-to-peer cryptocurrency sites, who may charge higher fees to their customers than traditional, licensed exchanges.
- The use of decentralised exchanges to transfer assets across borders.
- Funds entering cryptocurrency wallets from IP addresses associated with darknet or similar software that allows for anonymity and encryption.
- Multiple, unrelated virtual wallets controlled from the same IP address.
- Sending funds to or receiving funds from service providers with weak or non-existent CDD/KYC processes.
- The use of virtual currency ATMs/kiosks in high-risk locations where increased criminal activity frequently takes place.
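As an added illustration (not part of the original article or the FATF report), three of the indicators above can be expressed as monitoring rules in Python: structuring just under a reporting threshold, deposits withdrawn almost immediately with no activity in between, and several customers' wallets operated from one IP address. The record layout, the threshold and every other parameter are assumptions chosen for the example, and the transactions are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for illustration; the article states no thresholds.
THRESHOLD = 10_000            # hypothetical reporting threshold
MARGIN = 0.10                 # "just under" = within 10% below it
WINDOW = timedelta(hours=24)  # look-back window for structuring
MIN_HITS = 3                  # near-threshold deposits needed to flag
MIN_WALLETS = 3               # wallets sharing one IP needed to flag
T0, H = datetime(2023, 1, 10, 9, 0), timedelta(hours=1)
# Constructed records: (time, customer, wallet, ip, kind, amount)
TXS = [
    (T0,          "c1", "w1", "198.51.100.7", "deposit",  9_500),
    (T0 + 3 * H,  "c1", "w1", "198.51.100.7", "deposit",  9_800),
    (T0 + 6 * H,  "c1", "w1", "198.51.100.7", "deposit",  9_900),
    (T0,          "c2", "w2", "203.0.113.5",  "deposit",  50_000),
    (T0 + H / 3,  "c2", "w2", "203.0.113.5",  "withdraw", 49_500),
    (T0 + H,      "c3", "w3", "203.0.113.5",  "deposit",  1_200),
    (T0 + 2 * H,  "c4", "w4", "203.0.113.5",  "deposit",  800),
    (T0,          "c5", "w5", "192.0.2.9",    "deposit",  9_700),
    (T0 + H,      "c5", "w5", "192.0.2.9",    "trade",    9_000),
    (T0 + 48 * H, "c5", "w5", "192.0.2.9",    "withdraw", 9_600),
]

def structuring(txs):
    """Customers with MIN_HITS deposits just under THRESHOLD inside WINDOW."""
    near = defaultdict(list)
    for t, cust, _w, _ip, kind, amt in txs:
        if kind == "deposit" and THRESHOLD * (1 - MARGIN) <= amt < THRESHOLD:
            near[cust].append(t)
    return {c for c, ts in near.items() for i in range(len(ts) - MIN_HITS + 1)
            if sorted(ts)[i + MIN_HITS - 1] - sorted(ts)[i] <= WINDOW}

def pass_through(txs, max_gap=H, ratio=0.9):
    """Wallets where a deposit is withdrawn almost in full, nothing in between."""
    by_wallet = defaultdict(list)
    for t, _c, w, _ip, kind, amt in sorted(txs):
        by_wallet[w].append((t, kind, amt))
    return {w for w, ev in by_wallet.items() for a, b in zip(ev, ev[1:])
            if a[1] == "deposit" and b[1] == "withdraw"
            and b[0] - a[0] <= max_gap and b[2] >= ratio * a[2]}

def shared_ip(txs):
    """IPs operating MIN_WALLETS or more wallets held by different customers."""
    seen = defaultdict(set)
    for _t, cust, w, ip, _k, _a in txs:
        seen[ip].add((cust, w))
    return {ip for ip, s in seen.items()
            if len({w for _, w in s}) >= MIN_WALLETS and len({c for c, _ in s}) > 1}
```

Customer c5 is the negative case: a single near-threshold deposit, a trade, and a withdrawal two days later trip none of the three rules.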
Senders or recipients
These red flag indicators focus on the behaviours from either the sender or recipient of illicit transactions. The indicators can be further categorised as outlined below.
During account creation
- Creating multiple accounts under different names to circumvent restrictions.
- Transactions from non-trusted IP addresses, or IP addresses from sanctioned jurisdictions.
- Users whose internet domain registrations are in different jurisdictions to the one in which they reside, or a jurisdiction with weak controls.
During customer due diligence
- Incomplete or insufficient KYC information, or the customer declines to provide documents upon request or information regarding the source of funds.
- Customers supplying forged documents as part of the onboarding process.
- The sender/recipient lacking knowledge about the transaction, source of funds or client relationship.
- Customer credentials are shared by another account.
- Discrepancies between the customer’s IP address and the IP from which transactions are initiated.
- Customer’s details appear on public forums associated with illegal activity.
- A customer is known via public information to law enforcement for criminal activity.
Potential money mules or scam victims
- Senders seem unfamiliar with crypto technology.
- A customer is significantly older than the average user and is engaging in a large number of transactions.
- Potentially vulnerable customers dealing in high-risk transactions.
- A customer purchasing a large amount of assets which is inconsistent with their financial profile.
Other unusual behaviour
- A customer regularly changes their personal details.
- A customer tries to enter a platform from multiple different IP addresses in a short period of time.
- The language used in transaction message fields indicates illicit activity could be present.
- A customer repeatedly conducts transactions with certain individuals at a significant profit or loss.
Source of funds or wealth
These are red flags that relate to the source of funds or wealth potentially being linked to criminal activity.
- Transactions originating from or sent to online gambling services.
- Transactions with accounts known to be linked to fraud, extortion, ransomware schemes, darknet marketplaces, illicit websites or sanctioned addresses.
- Significant deposits that are out of profile with an unknown source of funds.
- Large deposits into virtual wallets that are immediately withdrawn as fiat currency.
- A virtual wallet linked to multiple credit/debit cards that are known to frequently withdraw large amounts of fiat currency.
- The majority of a customer’s wealth derived from crypto investments or initial coin offerings (legitimate or fraudulent).
- Funds received directly from mixing services or wallet tumblers.
Criminals will often move funds across borders, typically to jurisdictions with weak or no AML/CFT regimes or cryptocurrency guidelines. Red flag indicators related to this activity include:
- customer funds deriving from or that are sent to a different jurisdiction to the one in which the user is located
- customers using cryptocurrency services located in high-risk jurisdictions with limited or no AML regulations in place, and
- a customer relocating their workplace to a high-risk jurisdiction with limited or no AML regulations in place.
The cryptocurrency landscape is unpredictable, and the red flag indicators identified by FATF are constantly evolving. It is vital that compliance professionals consider the recommendations, indicators, information, advisories or circulars from local regulatory bodies or law enforcement, and always bear in mind the following.
- A risk assessment should be conducted to establish a firm’s needs and threats.
- A robust CDD process should be in place to verify a customer’s identity and any potential risks associated with that customer.
- Customers should be screened against sanctions lists.
- Ongoing monitoring is vital for ensuring a customer’s risk profile has not changed.
- Individuals and firms should regularly review guidance and updates surrounding the red flags associated with cryptocurrencies.
Chainalysis, The 2023 Crypto Crime Report, February 2023: https://go.chainalysis.com/rs/503-FAP-074/images/Crypto_Crime_Report_2023.pdf – accessed April 2023
Financial Action Task Force, ‘Virtual Asset Red Flag Indicators of Money Laundering and Terrorist Financing’, September 2020: https://www.fatf-gafi.org/en/publications/Methodsandtrends/Virtual-assets-red-flag-indicators.html – accessed April 2023