The Financial Action Task Force (FATF) has identified a wide variety of cryptocurrency red flag indicators to help detect whether virtual assets are being used for criminal activity. Their list is based on case studies and research.
FATF explains that virtual assets (VAs) and related services have the potential to spur financial innovation and efficiency, but their distinct features also create new opportunities for money launderers, terrorist financiers, and other criminals to launder their proceeds or finance their illicit activities.
The ability to quickly and easily transact across borders allows criminals to acquire, move, and store assets digitally, often outside the regulated financial system. The same capability obscures the origin or destination of the funds, which makes it harder for financial institutions to identify suspicious activity and adds hurdles to the detection and investigation of criminal activity by national authorities.
FATF recently updated its standards to apply them to VA activities and Virtual Asset Service Providers (VASPs). This is to help jurisdictions mitigate the money laundering (ML) and terrorist financing (TF) risks associated with VA activities and protect the global financial system. The indicators summarised below are based on more than 100 case studies collected by members of the FATF Global Network; the full report is available from FATF.
Cryptocurrency Red Flag Indicators
The following sections contain a collection of red flag indicators of suspicious VA activities or possible attempts to evade law enforcement detection, as identified through more than one hundred case studies collected since 2017 from across the FATF Global Network, literature reviews, and open source research.
Keep in mind that the existence of a single indicator does not necessarily indicate criminal activity. But the presence of a number of indicators in a transaction should raise suspicion of possible criminal activity – especially if there is no logical business explanation.
FATF says the presence of indicators should encourage further monitoring, examination, and reporting where appropriate.
While VAs are still not widely used by the public, their use has caught on among criminals. The use of VAs for ML purposes first emerged over a decade ago, but VAs are becoming increasingly mainstream for criminal activity more broadly.
This set of indicators demonstrates how red flags traditionally associated with transactions involving more conventional means of payment remain relevant to detecting potential illicit activity related to VAs.
Size and Frequency of Transactions
- Structuring VA transactions (e.g. exchange or transfer) in small amounts, or in amounts under record-keeping or reporting thresholds, similar to structuring cash transactions.
- Making multiple high-value transactions in short succession, such as within a 24-hour period; in a staggered and regular pattern, with no further transactions recorded during a long period afterwards, which is particularly common in ransomware-related cases; or to a newly created or to a previously inactive account.
- Transferring VAs immediately to multiple VASPs, especially to VASPs registered or operated in another jurisdiction where there is no relation to where the customer lives or conducts business; or there is non-existent or weak AML/CFT regulation.
- Depositing VAs at an exchange and then, often immediately, withdrawing them without any exchange activity into other VAs, which is an unnecessary step that incurs transaction fees; converting the VAs into multiple types of VAs, again incurring additional transaction fees, with no logical business explanation; or withdrawing the VAs from a VASP immediately to a private wallet. This effectively turns the exchange/VASP into an ML mixer.
- Accepting funds suspected as stolen or fraudulent – depositing funds from VA addresses that have been identified as holding stolen funds, or VA addresses linked to the holders of stolen funds.
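The size-and-frequency indicators above are easy to state but only useful once they are encoded as rules over transaction records. The following Python is an added example (not code from FATF, the article, or any VASP) showing three of them as sliding-window and sequence checks: structuring just under a reporting threshold, a burst of high-value transactions inside 24 hours, and deposit-then-immediate-withdrawal pass-through. The ledger format, the threshold values, the rule parameters and the sample records are all constructed assumptions for illustration.

```python
"""Rule-based screening for three 'size and frequency' indicators.
Added example: ledger format, thresholds and sample rows are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000.0        # assumed fiat-equivalent reporting threshold
JUST_UNDER_BAND = 0.80             # deposits in [80%, 100%) of the threshold
STRUCTURING_COUNT = 3              # ...at least this many inside WINDOW
HIGH_VALUE = 25_000.0              # assumed "high-value" cut-off for the velocity rule
HIGH_VALUE_COUNT = 3
WINDOW = timedelta(hours=24)
PASS_THROUGH_MAX = timedelta(minutes=30)


def parse_ledger(lines):
    """Parse constructed 'timestamp,account,type,amount' rows, oldest first."""
    txs = []
    for line in lines:
        ts, account, kind, amount = line.strip().split(",")
        txs.append({"ts": datetime.fromisoformat(ts), "account": account,
                    "type": kind, "amount": float(amount)})
    return sorted(txs, key=lambda t: t["ts"])


def _n_within_window(txs, count, window):
    """True if any `count` consecutive (time-ordered) txs span <= window."""
    times = [t["ts"] for t in txs]
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def structuring(txs):
    """Repeated deposits just under the reporting threshold (cash-style structuring)."""
    just_under = [t for t in txs if t["type"] == "deposit"
                  and JUST_UNDER_BAND * REPORT_THRESHOLD <= t["amount"] < REPORT_THRESHOLD]
    return _n_within_window(just_under, STRUCTURING_COUNT, WINDOW)


def high_value_burst(txs):
    """Multiple high-value transactions in quick succession (e.g. within 24h)."""
    high = [t for t in txs if t["amount"] >= HIGH_VALUE]
    return _n_within_window(high, HIGH_VALUE_COUNT, WINDOW)


def pass_through(txs):
    """Deposit followed promptly by a withdrawal of (nearly) the same amount
    with no trade in between: the VASP is used as a relay, not an exchange."""
    for i, dep in enumerate(txs):
        if dep["type"] != "deposit":
            continue
        for later in txs[i + 1:]:
            if later["ts"] - dep["ts"] > PASS_THROUGH_MAX or later["type"] == "trade":
                break
            if later["type"] == "withdrawal" and later["amount"] >= 0.9 * dep["amount"]:
                return True
    return False


RULES = {"structuring": structuring, "high_value_burst": high_value_burst,
         "pass_through": pass_through}


def screen(ledger_lines):
    """Return {account: [names of rules that fired]} for every account seen."""
    by_account = defaultdict(list)
    for tx in parse_ledger(ledger_lines):
        by_account[tx["account"]].append(tx)
    return {acct: sorted(name for name, rule in RULES.items() if rule(txs))
            for acct, txs in by_account.items()}


# Constructed sample ledger (not real data): acct-A structures under the
# threshold, acct-B bursts, acct-C relays funds straight through, acct-D is clean.
SAMPLE_LEDGER = [
    "2024-03-01T09:00:00,acct-A,deposit,9500",
    "2024-03-01T14:00:00,acct-A,deposit,9800",
    "2024-03-01T21:00:00,acct-A,deposit,9200",
    "2024-03-02T10:00:00,acct-B,withdrawal,30000",
    "2024-03-02T11:30:00,acct-B,withdrawal,40000",
    "2024-03-02T13:00:00,acct-B,withdrawal,50000",
    "2024-03-03T10:00:00,acct-C,deposit,20000",
    "2024-03-03T10:12:00,acct-C,withdrawal,19900",
    "2024-03-04T10:00:00,acct-D,deposit,3000",
    "2024-03-04T10:05:00,acct-D,trade,3000",
    "2024-03-04T12:00:00,acct-D,withdrawal,2900",
]

if __name__ == "__main__":
    for acct, hits in screen(SAMPLE_LEDGER).items():
        print(acct, hits or "clean")
```

A hit from one rule is a prompt for review, not a conclusion: the same script should be run with the account's profile and expected activity in hand, and the thresholds tuned per jurisdiction rather than copied from this example.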
The red flags listed here illustrate how the misuse of VAs for ML/TF purposes could be identified through irregular, unusual, or uncommon patterns of transactions.
Transactions Concerning New Users
- Conducting a large initial deposit to open a new relationship with a VASP, while the amount funded is inconsistent with the customer profile.
- Conducting a large initial deposit to open a new relationship with a VASP, funding the entire deposit on the day the account is opened, and then trading the total amount or a large portion of it on the same day or the day after, or withdrawing the whole amount the day after. As most VASPs impose transactional limits on deposits, laundering in large amounts could also be done through over-the-counter trading.
- A new user attempts to trade the entire balance of VAs, or withdraws the VAs and attempts to send the entire balance off the platform.
Transactions Concerning All Users
- Transactions involving the use of multiple VAs, or multiple accounts, with no logical business explanation.
- Making frequent transfers in a certain period of time (e.g. a day, a week, a month, etc.) to the same VA account – by more than one person; from the same IP address by one or more persons; or concerning large amounts.
- Incoming transactions from many unrelated wallets in relatively small amounts (accumulation of funds) with subsequent transfer to another wallet or full exchange for fiat currency. Such transactions by a number of related accumulating accounts may initially use VAs instead of fiat currency.
- Conducting VA-fiat currency exchange at a potential loss (e.g. while the value of the VA is fluctuating, or despite abnormally high commission fees compared with industry standards), especially when the transactions have no logical business explanation.
- Converting a large amount of fiat currency into VAs, or a large amount of one type of VA into other types of VAs, with no logical business explanation.
This set of indicators draws from the characteristics and vulnerabilities associated with the underlying technology of VAs. The various technological features increase anonymity and add hurdles to the detection of criminal activity by law enforcement.
These factors make VAs attractive to criminals looking to disguise or store their funds. The mere presence of these features in an activity does not automatically suggest an illicit transaction, but their presence should be considered in the context of other characteristics of the customer and relationship, and of whether a logical business explanation exists.
- Transactions by a customer involving more than one type of VA, despite additional transaction fees, and especially those VAs that provide higher anonymity, such as anonymity-enhanced cryptocurrency or privacy coins.
- Moving a VA that operates on a public, transparent blockchain, such as Bitcoin, to a centralized exchange and then immediately trading it for an AEC or privacy coin.
- Customers that operate as an unregistered/unlicensed VASP on peer-to-peer (P2P) exchange websites, particularly when there are concerns that they handle large volumes of VA transfers on customers' behalf and charge higher fees than the transmission services offered by other exchanges; use of bank accounts to facilitate these P2P transactions.
- Abnormal transactional activity (level and volume) of VAs cashed out at exchanges from P2P platform-associated wallets with no logical business explanation.
- VAs transferred to or from wallets that show previous patterns of activity associated with the use of VASPs that operate mixing or tumbling services or P2P platforms.
- Transactions making use of mixing and tumbling services, suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces.
- Funds deposited or withdrawn from a VA address or wallet with direct and indirect exposure links to known suspicious sources, including darknet marketplaces, mixing/tumbling services, questionable gambling sites, illegal activities (e.g. ransomware) and/or theft reports.
- The use of decentralised/unhosted, hardware or paper wallets to transport VAs across borders.
- Users entering the VASP platform having registered their Internet domain names through proxies, or through registrars that suppress or redact the owners of the domains.
- Users entering the VASP platform from an IP address associated with a darknet (e.g. a Tor exit node) or with other anonymising tools, including VPNs and encrypted email services. Transactions between partners arranged over anonymous encrypted communication channels (e.g. forums, chats, mobile applications, online games, etc.) instead of through a VASP.
- A large number of seemingly unrelated VA wallets controlled from the same IP address (or MAC address), which may involve the use of shell wallets registered to different users to conceal their relation to each other.
- Use of VAs whose design is not adequately documented, or that are linked to possible fraud or other tools aimed at implementing fraudulent schemes, such as Ponzi schemes.
- Receiving funds from or sending funds to VASPs whose CDD or know-your-customer (KYC) processes are demonstrably weak or non-existent.
- Using VA ATMs/kiosks despite the higher transaction fees, including those commonly used by mules or scam victims, or machines in high-risk locations where increased criminal activity occurs. A single use of an ATM/kiosk is not enough in and of itself to constitute a red flag, but it would be if coupled with the machine being in a high-risk area, repeated small transactions, or other additional factors.
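Two of the indicators above call for more than a lookup: exposure to known suspicious sources can be direct (one hop) or indirect (funds routed through an intermediary such as a mixer), and many wallets controlled from one IP address only show up when sessions are grouped across accounts. The following Python is an added example (not FATF's, the article's, or any vendor's code) that implements both checks over a constructed transfer graph and session list. Every address, IP address and the "known bad" set are invented for illustration, and the hop limit is an assumed policy choice.

```python
"""Exposure screening and shared-IP clustering over a constructed transfer
graph. Added example: addresses, IPs and the flagged set are made up."""
from collections import defaultdict, deque


def build_in_edges(transfers):
    """transfers: iterable of (src, dst, amount). Map dst -> set of senders,
    i.e. the graph walked against the direction funds flowed."""
    in_edges = defaultdict(set)
    for src, dst, _amount in transfers:
        in_edges[dst].add(src)
    return in_edges


def exposure_hops(addr, bad, in_edges, max_hops=2):
    """Fewest hops from any flagged address in `bad` to `addr`, following
    funds forward (BFS backwards over in_edges). 0 = addr itself is flagged,
    1 = direct exposure, >=2 = indirect; None if nothing within max_hops."""
    if addr in bad:
        return 0
    seen = {addr}
    frontier = deque([(addr, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for sender in in_edges.get(node, ()):
            if sender in seen:
                continue
            if sender in bad:
                return depth + 1
            seen.add(sender)
            frontier.append((sender, depth + 1))
    return None


def classify(addr, bad, in_edges, max_hops=2):
    """Label an address by its exposure: flagged / direct / indirect / none."""
    hops = exposure_hops(addr, bad, in_edges, max_hops)
    if hops is None:
        return "none"
    return {0: "flagged", 1: "direct"}.get(hops, "indirect")


def shared_ip_clusters(sessions, min_accounts=3):
    """sessions: iterable of (account, ip). Return {ip: sorted accounts} for
    IPs that logged into at least min_accounts distinct accounts."""
    accounts_by_ip = defaultdict(set)
    for account, ip in sessions:
        accounts_by_ip[ip].add(account)
    return {ip: sorted(accts) for ip, accts in accounts_by_ip.items()
            if len(accts) >= min_accounts}


# Constructed data: 'dnm-1' stands in for a darknet-market address, 'mixer-1'
# for a mixing service, 'exch-1' for a VASP deposit address.
KNOWN_BAD = {"dnm-1"}
TRANSFERS = [
    ("dnm-1", "mixer-1", 4.0),
    ("mixer-1", "wallet-1", 3.9),
    ("dnm-1", "wallet-2", 1.2),
    ("wallet-1", "exch-1", 3.9),
    ("wallet-3", "exch-1", 0.5),
    ("wallet-5", "exch-1", 2.0),
]
SESSIONS = [
    ("user-1", "203.0.113.7"), ("user-2", "203.0.113.7"),
    ("user-3", "203.0.113.7"), ("user-1", "203.0.113.7"),
    ("user-4", "198.51.100.2"), ("user-5", "198.51.100.2"),
]

if __name__ == "__main__":
    graph = build_in_edges(TRANSFERS)
    for addr in ("wallet-2", "wallet-1", "wallet-3", "exch-1"):
        print(addr, classify(addr, KNOWN_BAD, graph),
              classify(addr, KNOWN_BAD, graph, max_hops=3))
    print(shared_ip_clusters(SESSIONS))
```

The hop limit is the key tuning knob: with `max_hops=2` the exchange address is not flagged even though tainted funds reach it via `wallet-1`, while `max_hops=3` catches it. Real screening also weights exposure by amount and by how recent the path is, which this example leaves out.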
Senders or Recipients
This set of indicators is relevant to the profile and unusual behavior of either the sender or the recipient of the illicit transactions.
Irregularities observed during account creation:
- Creating separate accounts under different names to circumvent restrictions on trading or withdrawal limits imposed by VASPs.
- Transactions initiated from non-trusted IP addresses, IP addresses from sanctioned jurisdictions, or IP addresses previously flagged as suspicious.
- Trying to open an account frequently within the same VASP from the same IP address.
- Regarding merchants/corporate users, their Internet domain registrations are in a different jurisdiction than their jurisdiction of establishment, or in a jurisdiction with a weak process for domain registration.
Irregularities observed during the CDD process:
- Incomplete or insufficient KYC information, or a customer declines requests for KYC documents or inquiries regarding source of funds.
- Sender/recipient lacking knowledge or providing inaccurate information about the transaction, the source of funds, or the relationship with the counterparty.
- Customer has provided forged documents or has edited photographs and/or identification documents as part of the on-boarding process.
- A customer provides identification or account credentials (e.g. a non-standard IP address, or flash cookies) shared by another account.
- Discrepancies arise between IP addresses associated with the customer’s profile and the IP addresses from which transactions are being initiated.
- A customer’s VA address appears on public forums associated with illegal activity.
- A customer is known via publicly available information to law enforcement due to previous criminal association.
Profile of potential money mule or scam victims
- Sender does not appear to be familiar with VA technology or online custodial wallet solutions. Such persons could be money mules recruited by professional money launderers, or scam victims turned mules who are deceived into transferring illicit proceeds without knowledge of their origins.
- A customer significantly older than the average age of platform users opens an account and engages in large numbers of transactions, suggesting their potential role as a VA money mule or a victim of elder financial exploitation.
- A customer who is a financially vulnerable person; such persons are often used by drug dealers to assist them in their trafficking business.
- Customer purchases large amounts of VA not substantiated by available wealth or consistent with his or her historical financial profile, which may indicate money laundering, a money mule, or a scam victim.
Source of Funds or Wealth
As demonstrated by cases submitted by jurisdictions, the misuse of VAs often relates to criminal activities, such as illicit trafficking in narcotics and psychotropic substances, fraud, theft and extortion (including cyber-enabled crimes).
Below are common red flags related to the source of funds or wealth linked to such criminal activities:
- Transacting with VA addresses or bank cards that are connected to known fraud, extortion, or ransomware schemes, sanctioned addresses, darknet marketplaces, or other illicit websites.
- VA transactions originating from or destined to online gambling services.
- The use of one or multiple credit and/or debit cards that are linked to a VA wallet to withdraw large amounts of fiat currency (crypto-to-plastic), or funds for purchasing VAs are sourced from cash deposits into credit cards.
- Deposits into an account or a VA address are significantly higher than ordinary with an unknown source of funds, followed by conversion to fiat currency, which may indicate theft of funds.
- Lack of transparency or insufficient information on the origin and owners of the funds, such as funds routed through shell companies, funds placed in an Initial Coin Offering (ICO) where personal data of investors may not be available, or incoming transactions from online payment systems via credit/pre-paid cards followed by instant withdrawal.
- A customer’s funds which are sourced directly from third-party mixing services or wallet tumblers.
- The bulk of a customer's source of wealth is derived from investments in VAs, ICOs, or fraudulent ICOs, etc.
- A customer’s source of wealth is disproportionately drawn from VAs originating from other VASPs that lack AML/CFT controls.
Detecting Cryptocurrency Red Flags
A risk-based approach implemented with a regular and dynamic two-way dialogue between the public and private sectors would no doubt enhance the effectiveness of the FATF report. Competent authorities are therefore encouraged to disseminate the information to reporting entities, and to conduct engagement and awareness-raising sessions with them to promote their understanding of this report.
While the indicators identified are constantly evolving, they are most effective when combined with other contextual information from domestic law enforcement and public sources. Competent authorities may also provide the private sector with the indicators and information most relevant to their jurisdiction.
Alessa recently integrated CipherTrace's crypto intelligence data into its core capabilities. The addition of CipherTrace's data will allow financial institutions to more effectively track the accounts associated with peer-to-peer crypto exchanges and smaller virtual currency kiosks. It will also allow banks to cross-reference the contact information of small virtual asset service providers (VASPs) with customer records to detect cryptocurrency red flags.