June 5, 2020

Cryptocurrencies are increasingly becoming part of modern-day society. However, the characteristics of cryptocurrencies offer a level of anonymity that makes them particularly attractive to criminals. Sanctioned actors are known to be using crypto-assets to evade and bypass sanctions.

As yet, there are not many ways of spending crypto-assets, so criminals are most likely to want to exchange them back into regular currencies. Financial institutions are integral to the cash-out process. Many banks are unknowingly and unwittingly facilitating money laundering using cryptocurrencies. To prevent this, banks need to implement processes to detect their exposure to crypto exchanges and crypto assets and to assess the risk that this poses.

Estimates suggest that there is already some $200 billion of bitcoin being moved through exchanges today

By the end of 2017, enterprises had raised billions of dollars in cryptocurrencies through token sales (ICOs). According to crypto experts, the “market capitalisation of cryptocurrencies could explode”, rising to $5-10 trillion by the end of 2023.

However, the very nature of cryptocurrencies makes them susceptible to being used by criminals to launder money.

Cryptocurrencies have become a key tool used to monetise cybercriminal activities

Sanctioned actors are using crypto-assets in combination with the traditional financial system to evade sanctions.

There are a number of characteristics of cryptocurrencies that make them attractive to criminals. They’re easy to conceal and transfer across boundaries. They’re anonymous – you don’t need to disclose your identity to use cryptocurrencies, which makes them harder to trace and to seize. They’re hard to block, as there’s no central authority that can freeze transactions. And although regulators around the world are working hard to enact legislation to control the risk associated with cryptocurrency businesses, there are still crypto exchanges that are unregulated.

Although the majority of over-the-counter brokers are operating legally, there are some that have lower KYC requirements. Many take advantage of unregulated exchanges to help launderers move the cash. Unregulated exchanges are not obliged to help foreign authorities with investigations into illicit money movements. Even if they do have a KYC process in place, they’re not required to share data with governments.

It’s estimated that $2-3bn of bitcoin being moved through exchanges is associated with illicit money movements, having been acquired by criminals through dark markets (51%), scams and Ponzi schemes (36%), credit card vendors (9%) and theft (4%).

The former head of Europol, Rob Wainwright, said that 3-4% of Europe’s annual criminal takings ($4.2bn-5.6bn) are crypto-laundered.

Top cyber-threat groups associated with governments and their intelligence units

Some of the most active cyber-threat groups across the globe today are actually known to be associated with governments and their intelligence agencies. One of the most advanced and effective cyber-threat groups is the Lazarus Group, which is strongly suspected to be a wing of a government intelligence agency.

The UN estimates that Lazarus Group has raised over $2bn for one sovereign state. US law enforcement traced the WannaCry ransomware attack of 2017, which hit hundreds of thousands of computer systems around the world, back to Lazarus Group. Lazarus Group is also believed to have raised funds by stealing cryptocurrencies from crypto exchanges. In the period from 2017-18 around $880m was stolen from crypto exchanges around the world. The UN believes that Lazarus Group is responsible for stealing over $570m of this.

The need to launder the illicit funds is common to all types of crypto crimes

Crypto crimes follow the traditional steps for money laundering: placement, layering, integration. Traditional banks are key to this process.

The inherent transparency of bitcoin can help us understand some of these money movements. With blockchain, every transaction is recorded and is publicly visible to everybody. No actual identities are recorded; however, you can see the movement of funds between addresses, and specialist companies can link these addresses to real-world identities.

However, bitcoin is generally only traceable as far as the crypto exchange. If bitcoin funds are transferred to a non-compliant exchange, this can be a bit of a dead end for tracing. Regulation isn’t completely widespread so there is still an opportunity for criminals to use those unregulated services to hide their trails.

To really understand how crypto-assets can be misused to launder funds, it’s helpful to consider a real-life example of how $100m of crypto-assets were stolen and laundered, allegedly by members of the Lazarus Group.

$100m heist from Hong Kong-based crypto exchange bears the hallmarks of the Lazarus Group

In 2018, $100m of funds were stolen from a Hong Kong-based crypto exchange. It is believed that this was the work of the Lazarus Group. Reportedly, at the end of 2018, a member of the Lazarus Group posed as a customer and targeted an employee within the exchange, starting to build a relationship, using a fake persona and fabricated social media profile. It is thought that having gained trust with the target individual, the ‘customer’ started sending emails with attachments containing malware. This malware quickly infected the computer systems at the exchange and made it easy for the perpetrators to then steal money from the exchange.

Placement: The stolen crypto-assets are transferred to professional launderers

The stolen cryptocurrency needed to be transferred across to someone who could then launder the funds.

Using sophisticated blockchain analytics software, we can see that the funds were sent to hundreds of ‘single use’ wallets, before being sent on to another currency exchange. The $100m was split up into multiple smaller transactions in order to hide the source of funds and reduce the likelihood of raising suspicion.

Two Chinese individuals, thought to be professional money launderers, held accounts at the second exchange. These individuals didn’t use their real identities when setting up accounts for this exchange, but instead faked identity documents to get through the exchange’s KYC process.

Layering: The stolen crypto-assets are transferred between numerous wallets

The stolen funds left the second exchange and were sent through a large number of complex transactions and many intermediary wallets before being sent to wallets controlled by one of the two professional money launderers.

Integration: The stolen crypto-assets are cashed out through multiple banks

This is where the launderers transferred from the crypto economy back to the traditional financial system. The bank account held at the crypto exchange was used to transfer the proceeds of crime to numerous other banks where the two individuals held accounts.

In this way, traditional banks were facilitating sanctions evasion through cryptocurrency, although they were probably completely unaware. This will be a growing trend that banks need to be cognisant of.

How can banks prevent the laundering of crypto-assets through their operations?

Banks need to have a number of checks in place to ensure that they’re not unknowingly facilitating crypto crime. These checks include:

1. Identifying whether their customers are receiving funds from cryptocurrency exchanges.

This can be done through keyword searches in transaction data, including terms like bitcoin that are related to crypto-assets. Other more specific keywords and identifiers may include bank account numbers associated with crypto exchanges, legal entity names and so on.

2. Once a bank has identified that one of its customers has received funds from a cryptocurrency exchange, the next step is to assess the risk posed by that specific exchange.

There are hundreds of exchanges all around the world and some present a far higher risk than others.

Indicators of a low risk crypto exchange might include:

  • An exchange which is regulated in its home jurisdiction;
  • An exchange known to have strong AML, sanctions and KYC policies in place, which are actually being implemented;
  • The banking partner can say something about how risky the exchange is. Banks often do their own due diligence on the cryptocurrency exchanges they work with;
  • Using blockchain analytics to see whether a given exchange has been transacting with high-risk entities, such as sanctioned entities, dark markets and so on.

On the other hand, indicators of a high risk exchange might include:

  • No local regulatory requirement for crypto businesses;
  • Little or no KYC required to sign up for a crypto exchange (some exchanges only require an email address);
  • Whether the exchange supports privacy coins such as Monero, which are much less transparent and far harder to trace (and seem to be more highly linked to illicit activity, with 1 in 3 dark listings accepting Monero as payment).

Financial institutions should identify effective systems to enable them to carry out a risk based approach for digital currencies as well as fiat currencies. They also need to make sure that they’re closely monitoring transactions and are keeping an audit trail in the event that they’re required to produce evidence to support an investigation by a regulator or enforcement agency.
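
The two checks above can be combined in a single screening step. The following is an added example, not code from the original article or from any vendor product: it matches inbound payments against exchange bank accounts, legal entity names and crypto keywords, then applies the high-risk indicators listed above. The watchlist entries, field names and rating labels are hypothetical assumptions.

```python
import re
from dataclasses import dataclass

# Constructed watchlist: names, account numbers and attributes are hypothetical
# sample data, not real exchanges and not any vendor's dataset.
@dataclass(frozen=True)
class Exchange:
    name: str
    accounts: frozenset    # bank accounts the exchange is known to pay out from
    regulated: bool        # regulated in its home jurisdiction
    strong_kyc: bool       # more than an email address needed to sign up
    privacy_coins: bool    # supports privacy coins such as Monero
    high_risk_flows: bool  # blockchain analytics links it to high-risk entities

WATCHLIST = [
    Exchange("Example Coin Exchange Ltd", frozenset({"GB00EXMP0000000001"}), True, True, False, False),
    Exchange("Sample Swap OU", frozenset({"EE00SMPL0000000002"}), False, False, True, True),
]
KEYWORDS = re.compile(r"\b(bitcoin|btc|crypto\w*)\b", re.IGNORECASE)
# Constructed inbound payments used to exercise the screen (not real data).
SAMPLE = [
    {"payer_name": "SAMPLE-SWAP OU", "payer_account": "EE00OTHER", "reference": "withdrawal 8841"},
    {"payer_name": "J Smith", "payer_account": "GB00PRIV0000000009", "reference": "Bitcoin sale"},
    {"payer_name": "Acme Payroll", "payer_account": "GB00ACME0000000003", "reference": "salary May"},
]

def normalise(text):
    """Upper-case and strip punctuation/spaces so name variants still match."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())

def risk_flags(ex):
    """Return the high-risk indicators from the article that apply to ex."""
    checks = [(not ex.regulated, "unregulated"), (not ex.strong_kyc, "weak KYC"),
              (ex.privacy_coins, "privacy coins"), (ex.high_risk_flows, "high-risk counterparties")]
    return [label for hit, label in checks if hit]

def screen(txn):
    """Check 1: did the funds come from a crypto exchange? Check 2: how risky is it?"""
    text = txn["payer_name"] + " " + txn["reference"]
    for ex in WATCHLIST:
        by_account = txn["payer_account"] in ex.accounts
        if by_account or normalise(ex.name) in normalise(text):
            flags = risk_flags(ex)
            return {"exchange": ex.name, "matched_on": "account" if by_account else "entity name",
                    "flags": flags, "rating": "high" if flags else "low"}
    # Keyword only: crypto-related, but no known exchange was identified.
    if KEYWORDS.search(text):
        return {"exchange": None, "matched_on": "keyword", "flags": [], "rating": "review"}
    return {"exchange": None, "matched_on": None, "flags": [], "rating": "none"}
```

Storing each returned record alongside the transaction gives the audit trail mentioned above: which identifier matched and which indicators drove the rating.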

How is regulation supporting banks in preventing crypto crime?

Crypto-asset transactions are instant, non-face-to-face and cross-jurisdictional. They’re also largely anonymous, so it’s imperative that they are brought within the scope of regulation.

The Financial Action Task Force (FATF), the international body that sets standards for AML and CFT, says there is an urgent need for all countries to take coordinated action to prevent the use of cryptocurrencies, which it refers to as virtual assets, for the purposes of crime.

Ultimate responsibility on how the FATF guidance is implemented lies with national regulators, who have the right to interpret this in whatever way they want. This inevitably leads to differences in approach, but at least it means that the majority of countries will be taking action.

There is certainly greater awareness of crypto crime now and there are visible changes taking place: Austria has introduced an on-site inspection plan as part of its AML supervision. We’ve seen an exchange being ordered to freeze bitcoin in order to identify suspected hackers. We’ve seen international Financial Intelligence Units meeting together to discuss virtual assets and what action needs to be taken to prevent them being misused. We’ve seen the first enforcement action against a crypto exchange.

The US Department of Justice charged the two Chinese money launderers involved in the suspected Lazarus Group case.

All of these are small steps in themselves but are, nonetheless, very important in determining how the regulators and financial institutions can work together to prevent sanctioned actors from taking advantage of virtual assets moving forward.


Elliptic offers solutions to help financial institutions manage the risks posed by cryptoassets. Elliptic Discovery provides keywords and other identifiers to help banks to identify which of their customers are interacting with cryptocurrencies. It also provides risk profiles on over 200 global crypto businesses, enabling financial institutions to assess the risk posed by their customers’ crypto activity. The tools are already helping a number of global financial institutions to identify and manage their exposure to cryptoasset risk. Learn more at www.elliptic.co
