Q3 2019 Cryptocurrency Anti-Money Laundering Report

Executive Summary
Q3 Highlights
Major Trends and Developments
CipherTrace Research: Two-thirds of the 120 Most Popular Crypto Have Porous or Weak KYC
The FATF and FinCEN Bring a Harsh New Reality to the Crypto Space—Funds “Travel Rules”
Travel Rule Reality Has Arrived – Nine Months Left for Nations to Pass Laws and for VASPs to Comply
The BSA Travel Rule – FinCEN Says It Has Been an Obligation for Crypto Asset Businesses Since 2011
How New FATF Rule Compares with Existing BSA Rule for US Banks
Will the Travel Rules Comprise a Needed Catalyst to Mature the Crypto Asset Sector?
FATF and FinCEN on Anonymizing Services and Anonymity-Enhanced Products
Recent Reports of the Death of Privacy Coins have been Greatly Exaggerated
Can Exchanges List Privacy Coins and Still Comply with the Travel Rules?
FATF Guidance May Have Caused Privacy Coin Valuations to Take a Major Hit
Will Privacy Coins Have a Place in a Post Travel Rule World?
Not All Exchanges Are Jettisoning Privacy Coins
65% of Exchanges that Trade Privacy Coins Have Weak or Porous KYC
Lowest Quarterly Thefts and Scams in Two Years
Trends Involving Virtual Assets by Terrorists and Rogue Nations
OFAC Sanctions Crypto Addresses
Terrorist Use of Cryptocurrencies
Non-Compliant Networks Won’t Survive the War on Terror
Crypto Crime Trends
Researchers Warn of Extremely Dangerous Bitcoin QR Code Scams
New Malware Swaps Out Crypto Wallet Addresses as You Type Them
Ryuk Ransomware Targeting Cities Globally
Legal Actions
Crypto Capital Arrest
Bitcoin ATM Operator May Face Life in Federal Prison for Operating an Illegal Money Transmitter
SEC Halts Telegram’s $1.7 Billion Unregistered Digital Token Offering to Pay $24M Penalty for Unregistered ICO
The SEC Order Disapproves Rules Change Proposed by NYSE Arca
Kik Sold to Media Lab
Two Suspects in EtherDelta Hack Indicted by U.S. Authorities
SEC Sues Cryptocurrency Startup ICOBox for Selling $14.6M Worth of Unregistered Tokens
Principal of Cryptocurrency Escrow Company Volantis Indicted For $7 Million Fraudulent Scheme
Thefts, Scams, and Frauds
Fusion Network Hacked for $6.4 million
ETH Smart Contract FairWin Loses $8M
Nigeria-Based Satowallet Disappears with $1M of User Funds
PayFair Cold Wallet Hacked
Changes in the Regulatory Environment
Japan—Crypto Donations in Elections Are Legal
UK—FCA Provides Clarity on Current Cryptoassets Regulation
South Korea—Court Orders Exchange to Cover User’s Stolen Cryptocurrency
Sanctioned Countries
Venezuela Wants Central Bank to Hold BTC and ETH in Reserves, Considers Moving its Bitcoin and Ethereum Holdings
Maduro: Citizens Can Soon Use Cryptocurrencies as a “Method for Free National and International Payments”
North Korea
New UN Report: North Korea Hacked $2 Billion from Banks and Cryptocurrency Exchanges to Fund WMD Production
UN Accuses North Korea of Laundering Money Through Blockchain Firm
Crypto Mining Now Legal, Trading—Illegal
Iran Crypto Developers Launch Platform to Bypass Sanctions for Flood Victim Aid
Will Privacy Coins Have a Place in a Post Travel Rule World?
Privacy Coins Have Well Developed Plans for Travel Rule Compliance
The Privacy Coin Compliance Debate

Executive Summary

Several major trends in Q3 2019 impacted the crypto asset community and financial institutions that deal in virtual assets. CipherTrace research also revealed important trends and issues around the status of anti-money laundering (AML) and counter terrorism funding (CTF) regulation and compliance.

First, the third quarter saw growing awareness of perhaps the biggest clampdown on virtual asset transactions to ever impact crypto exchanges as well as banks and other financial institutions. After months to absorb its implications, these businesses are coming to grips with the fact that in just seven months they will need to comply with the so-called FATF funds Travel Rule. In a major challenge to business models and user privacy, among other changes this rule requires virtual asset service providers (VASPs) to securely transmit (and store) sender and receiver information whenever cryptocurrency moves. At the same time, US regulators emphasized that a similar Travel Rule, which has long applied to fiat funds transfers, also applies to cryptocurrency transactions. This has left firms struggling to find a technical solution in time to avoid potentially severe penalties or blacklisting. It will no doubt have implications as regulators seek to have KYC information shared globally.

“(The Travel Rule) is the most commonly cited violation with regard to money service businesses engaged in virtual currencies.”

Kenneth Blanco, FinCEN Director

Next, CipherTrace researchers found that two-thirds of the 120 most popular cryptocurrency exchanges have weak or porous know your customer (KYC) practices. The results of this large-scale study constitute the first-ever comprehensive data on KYC policies at cryptocurrency exchanges around the globe.

CipherTrace research further found that 63% of exchanges that trade privacy coins have weak or porous KYC. This suggests privacy coins will find it harder to survive in a post FATF Travel Rule world if exchanges do not develop the proper KYC procedures necessary to mitigate the AML/CTF compliance risks that come with their anonymity-enhancing features.

Speculation has also abounded that new crypto AML regulations such as those from the FATF would spell the end of privacy coins. Although the FATF announcement in June initially caused a drop in the market value of privacy coins, many major privacy coin developers have well developed plans for compliance using various techniques. Nonetheless, most crypto exchanges do not yet have a technical solution for complying with the FATF guidance. This is why CipherTrace developed an off-chain solution, and has given it to the community as open source.

Also, after two years of large, high-profile exchange hacks and exit scams, Q3 2019 witnessed a significant reduction in total cryptocurrency crimes from previous quarters. In fact, Q3 witnessed the lowest quarterly thefts and scams in two years. This sharp drop owes in part to the outsize influence of two enormous and still mysterious exit scams—QuadrigaCX (US$192 million) and PlusToken (US$2.9 billion). So far this year, the total of cryptocurrency-related frauds and thefts stands at US$4.4 billion.

Another disturbing trend is that while the use of cryptocurrency by terrorists is not new, they are developing new, more sophisticated ways to obfuscate the flow of funds.

Q3 Highlights

  • Research: Vast majority of popular exchanges have poor or porous KYC.
  • Research: 32% of popular exchanges trade privacy coins.
  • VASPs and financial institutions need immediate technical solution for complying with the FATF and BSA funds Travel Rules to avoid major penalties.
  • FinCEN director says Travel Rule is most often cited violation and banks and MSBs must comply with their obligations under the BSA.
  • SoCal man faces potential life in prison for operating bitcoin ATM without adequate AML/CTF/KYC and for money laundering.
  • FinCEN director says crypto related companies can help in the war on opioids by alerting of suspicious crypto transactions.
  • While thefts and frauds fell in Q3, annual total so far in 2019 stands at US$4 billion.
  • OFAC sanctions web addresses of three Chinese nationals involved in drug trafficking.
  • New UN report says North Korea hacked $2 billion from banks and cryptocurrency exchanges to fund WMD production.

Crypto Crime Trends

Researchers Warn of Extremely Dangerous Bitcoin QR Code Scams

Cryptocurrency users face a new and pervasive danger of fraud related to QR codes. Researchers from cryptocurrency wallet provider ZenGo have found that four of the first five Google search results for “bitcoin QR generator” led to scam websites. When an unsuspecting crypto user tries to create a QR code for their own bitcoin address, the bogus site will instead create a QR code for the scammer’s wallet.

According to Forbes, ZenGo’s co-founder, Tal Be’ery, wrote in a blog post, “Scammers do not even bother with generating their fake QR themselves, instead they shamelessly call a blockchain explorer API to generate the QR for their address.”

ZenGo’s researchers calculate that some $20,000 has recently been lost to QR code scams, calling their findings “just the tip of the iceberg,” as thieves likely regularly change their bitcoin and crypto addresses to avoid detection and blacklisting.

New Malware Swaps Out Crypto Wallet Addresses as You Type Them

Masad Stealer, a new strain of malware, has the ability to replace wallet addresses as users type them into an infected web browser. In addition to wallet addresses, the malicious code can also steal credit card numbers and user information such as passwords and files, and can even take a screenshot of the victim’s desktop.

From there, the sensitive stolen data is stored in the malware command and control—a Telegram account. It is important to note that the malware can change Monero, Litecoin, Zcash, Dash and Ethereum addresses automatically. It can also intercept legitimate crypto transactions once the address swap is complete.

Bad actors can purchase Masad Stealer for $40 on the dark web and custom-configure it. This malware is believed to be an active and ongoing threat.
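
A defensive check for the two address-substitution cases above (a QR generator that encodes someone else's address, and malware that rewrites an address as it is entered), as an added example that is not from the CipherTrace report: it decodes the destination and compares it in full with the address you intended. It assumes a scanner has already decoded the QR image to text, handles only legacy Base58Check Bitcoin addresses and BIP 21 `bitcoin:` URIs, and uses constructed sample addresses; all function names are illustrative.

```python
"""Verify that a payment destination is the address you intended (added example)."""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of SHA-256(SHA-256(data)).
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, body: bytes) -> str:
    """Encode version + body; used here only to build constructed samples."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * zeros + out


def b58check_decode(addr: str) -> bytes:
    """Return version byte + body, or raise ValueError if malformed."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not Base58")
        n = n * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("Base58Check checksum mismatch")
    return raw[:-4]


def address_from_payload(payload: str) -> str:
    """Extract the address from a bare address or a BIP 21 'bitcoin:' URI."""
    text = payload.strip()
    if text.lower().startswith("bitcoin:"):
        # Drop the scheme and any '?amount=...&label=...' parameters.
        text = text[len("bitcoin:"):].split("?", 1)[0]
    return text


def check_destination(expected: str, payload: str) -> str:
    """Compare a decoded QR payload or pasted string with the intended address.

    Returns 'match', 'substituted' (a valid address, but not the expected one)
    or 'invalid' (not a well-formed Base58Check address).
    """
    want = b58check_decode(expected)  # a bad reference address is a caller error
    try:
        got = b58check_decode(address_from_payload(payload))
    except ValueError:
        return "invalid"
    # Compare the full decoded bytes, never just the first or last characters.
    return "match" if got == want else "substituted"


# Constructed sample data: built from fixed byte patterns, not from any wallet.
OWN = b58check_encode(0x00, bytes(range(1, 21)))
OTHER = b58check_encode(0x00, bytes([0xAA]) * 20)
DAMAGED = OWN[:-1] + ("2" if OWN[-1] != "2" else "3")

SAMPLES = [
    ("QR that encodes the intended address", f"bitcoin:{OWN}?amount=0.01"),
    ("QR that encodes a different address", f"bitcoin:{OTHER}?amount=0.01"),
    ("pasted text after an address swap", OTHER),
    ("mistyped address", DAMAGED),
]

if __name__ == "__main__":
    for label, payload in SAMPLES:
        print(f"{check_destination(OWN, payload):12} {label}")
```

The reference address passed as `expected` should come from the wallet itself, read on a device other than the one that generated the QR code or handled the paste.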

Ryuk Ransomware Targeting Cities Globally

On October 2, the FBI issued a new “high-impact” warning regarding ransomware attacks—which lock access to computers and networks until victims pay a ransom—claiming they are an ongoing cyber threat facing U.S. businesses and organizations. These attacks often ask victims to pay the ransom in cryptocurrency.

According to the alert, these attacks are becoming more targeted, sophisticated, and costly, and are more frequently targeting health care organizations, industrial companies, and the transportation sector.

One ransomware in particular is especially prevalent—Ryuk. On October 1st, the day before the FBI’s release, three hospitals owned by Alabama-based DCH Health Systems were struck by the Ryuk ransomware, infecting all 1,500 of the hospitals’ computers. As a result, the facilities were forced to turn away nonemergency patients as they were locked out of their systems. In order to regain control, the hospitals chose to pay the bitcoin ransom demands despite the FBI warning that paying the ransom only encourages more attacks and attackers don’t always deliver decryption keys.

Ransomware like Ryuk is frequently used to target organizations such as hospitals, public utilities, and municipal governments because they require quick access to their networks, making them more likely to pay the ransom. In June 2019 alone, the hackers using the Ryuk ransomware collected over $1M from Florida municipalities. Lake City, Florida, authorized its insurer to send hackers 42 BTC—worth roughly $500,000—after Ryuk disabled city servers, phones, and email. A few weeks earlier, the Riviera Beach City Council authorized its insurer to pay a 65 BTC ransom—worth about $600,000 at the time—after the Ryuk ransomware encryption took most of the city’s IT systems offline.

But Ryuk is not just impacting organizations in the US. On June 22, 2019, the UK’s National Cyber Security Centre (NCSC) released a detailed security advisory on the threat and how the ransomware is targeting organizations globally. To defend against or mitigate the damage done by Ryuk, the NCSC recommends:

  • Keeping backups of important files
  • Protecting devices and networks by keeping software up to date
  • Whitelisting applications
  • Installing antivirus software
  • Using URI reputation services
  • Employing multi-factor authentication to reduce the impact of password compromises

Thefts, Scams and Fraud

Fusion Network Hacked for $6.4 million

On September 28, Fusion Network announced that one of its wallets containing 10 million native FSN tokens and 3.5 million ERC-20 FSN tokens had been emptied, resulting in the loss of US$6.4 million. They traced the cause of the compromise to the theft of the wallet’s private key and suggested an insider may have been behind the theft. To close the hacker’s potential off-ramps, exchanges OKEX, Huobi, Bitmax, Citex, and Hotbit have since suspended deposit and withdrawal of FSN tokens and all remaining funds have been transferred to a cold wallet.

Since the hack occurred, of the 13.5 million tokens stolen, 7.52 million were sent to exchanges and 5.98 million remain in the criminal’s accounts according to the October 3rd “Fusion Foundation Wallet Theft Update.” Since November 12, 2019, the theft has been officially classified as a crime in China. The company plans to issue a new ERC20 FSN smart contract address as a way of removing the ERC20 FSN tokens still in the hacker(s)’ possession.

ETH Smart Contract FairWin Loses $8M

On October 1, someone emptied the smart contract for the Ethereum-based gambling platform FairWin, which was recently accused of being the fastest-growing Ponzi scheme on Ethereum. This occurred only a few days after smart contract researcher Philippe Castonguayit and his team publicly disclosed the presence of vulnerabilities in the smart contract that could allow the admins to steal all users’ deposits. At the time of the disclosure, the contract held roughly 50,000 ETH (US$8M). Four days later, it held zero ETH.

The team found that the Ethereum contract was filled with typos and bugs and the website contained red flags such as the use of famous artists and Instagram stars’ photos to represent their executive team. A look at the website (Figure 9) now shows that these have been replaced with cartoons.

Figure 9.

At the time of this report, FairWin’s balance remains at zero ETH, and there is no news on what has happened to the management team responsible for the loss. While the website is still up, the company has not responded to inquiries regarding the incident or accusations of foul play. Castonguayit’s team has found no concrete evidence to suggest that the contract vulnerability was exploited.

Nigeria-Based Satowallet Disappears with $1M of User Funds

In September, Satowallet, a Nigerian crypto wallet, allegedly pulled off an exit scam, disappearing with an estimated US$1 million worth of users’ funds. In a since-removed Medium post, the CEO described how purported server issues took down its site and app. Ben claimed that after restoring the server data he “noticed that the coins were no longer there from the backups and private keys.” He accused Satowallet’s hosting provider, OVH, of fraud and trying to steal its users’ funds from its wallet servers.

Affected users have been quick to point out the flaws in Ben’s story on Twitter, as the hosting providers shouldn’t have access to the private keys, meaning the cryptocurrency should be recoverable if Satowallet was a legitimate operation. Satowallet’s Twitter account has since been suspended and their website still appears to be offline.

PayFair Cold Wallet Hacked

Figure 10.
Figure 11.

On October 2, PayFair—a decentralized escrow and P2P exchange—closed its website because one of its main cold wallets was emptied, leading many to speculate about a possible exit scam. On September 29, PayFair disclosed on its Telegram channel that the private key to one of its cold wallets was compromised, which led to a hack. Their team says it is still unsure of how the private key was compromised but is conducting an internal investigation into the matter. While user funds have since been transferred to backup wallets, part of the ETH that was stolen has not been recovered. Despite announcing that the platform would only be down “until the end of the week,” the website still appears to be down and they have not updated their social media since July 29.

Changes in the Global Regulatory Environment


Japan—Crypto Donations in Elections Are Legal

On October 5, the Internal Affairs and Communications Minister of Japan, Sanae Takaichi, clarified the legality of cryptocurrency donations, especially in regard to election laws. According to Takaichi, because virtual currency is not legally equivalent to money in Japan, crypto contributions do not face the same restrictions as fiat contributions under the Political Funds Control Act (PFCA). Under the PFCA, it is prohibited to make anonymous contributions in connection with elections or other political activities and there are limits to the amount any one person or entity can contribute per year. This loophole, however, allows individuals to make crypto donations to political parties without having to adhere to any of these regulations. The use of privacy coins would completely obfuscate from whom or how much a politician is receiving in campaign funds.

UK—FCA Provides Clarity on Current Crypto-assets Regulation

On July 31, the UK’s Financial Conduct Authority (FCA) published its Final Guidance (PS19/22) which sets out the specific crypto-asset activities it regulates. Similar to FinCEN’s May 9 guidance, this guidance will help firms understand whether their crypto-asset activities fall under FCA regulation or not. This guidance will help firms have a better understanding of what they need to do to ensure they are compliant.

The Final Guidance sets out instances where tokens are likely to be:

  • Specified investments under the Regulated Activities Order
  • Considered E-Money under the E-Money Regulations
  • Captured under the Payment Services Regulations
  • Outside of regulation

South Korea—Court Orders Exchange to Cover User’s Stolen Cryptocurrency

On September 25, a South Korean court ruled that cryptocurrency exchange CoinOne must reimburse 25 million won ($20,800 USD) to a user after he was hacked. While the thief used the victim’s personal login credentials to steal 45 million won ($37,600 USD), a daily withdrawal limit of 20 million won was supposed to be in place and could have prevented the full amount from being taken. The victim also argued that the exchange should have blocked the foreign IP address the hacker was using to access his account because it was different than his normal access point. However, the judge in the case found that the exchange was not liable for this type of safeguard—just for the failure of the withdrawal limit.

CoinOne is therefore responsible for covering the additional losses over the 20-million-won limit.

Sanctioned Countries


Venezuela Wants Central Bank to Hold BTC and ETH in Reserves, Considers Moving its Bitcoin and Ethereum Holdings

Despite having its own national cryptocurrency, it is very likely that Venezuela is also using Bitcoin and Ether to evade international sanctions. According to Bloomberg, tipsters say the country’s central bank is testing the possibility of holding cryptocurrencies in an effort to help the state-controlled oil company Petroleos de Venezuela SA (PDVSA). The oil firm supposedly has troves of Bitcoin and Ether, resulting from its attempt to bypass economic sanctions that are designed to limit international trade with the company. However, without the help of the central bank, converting its reserves to fiat to pay its suppliers may prove to be difficult. The central bank is also incentivized to start counting the cryptocurrencies towards its international reserves as what it currently holds has plummeted in recent years due to economic sanctions.

Reports indicate that Venezuelan central banking officials are in the process of running internal tests regarding the potential to incorporate Bitcoin and Ethereum into national banking operations. PDVSA is the state-owned oil and natural gas company, whose operations include conducting international trade in Venezuelan oil.

As for PDVSA, its request to the Venezuelan central bank to integrate cryptocurrency is likely far more pragmatic: a cooperative central bank means not having to communicate financial records to third party exchanges.

Maduro: Citizens Can Soon Use Cryptocurrencies as a “Method for Free National and International Payments”

Due to the hyperinflation of the bolivar, Venezuela’s national currency, Venezuelans are no strangers to cryptocurrencies—and this was true before the country developed its homegrown cryptocurrency, the Petro. It’s not uncommon for citizens to use virtual assets such as bitcoin to protect their wealth or build their savings. However, to use these funds Venezuelans must often look to peer-to-peer exchanges that facilitate trades between buyers and sellers, such as LocalBitcoins, or even Telegram groups.

Maduro tried to minimize the effects of sanctions with the Petro—a state-issued cryptocurrency pegged 1:1 against barrels of Venezuelan oil—believing it would flow independently across borders like other blockchain protocols. However, the Petro’s lack of success as a means of cross-border payment has led the country to explore other solutions. One of them is globally used, decentralized cryptocurrencies such as Bitcoin. In an October 10 press conference, Maduro stated that “within a short time” everyone in the country, including the public and private sectors, will be able to use cryptocurrencies as a method of “free national and international payments.”

North Korea

New U.N. Report: North Korea Hacked $2 Billion from Banks and Cryptocurrency Exchanges to Fund WMD Production

A new confidential UN report is said to reveal that the Democratic People’s Republic of Korea (DPRK) has generated an estimated $2 billion for its weapons of mass destruction (WMD) programs by hacking banks and cryptocurrency exchanges. UN experts said North Korea “used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income.” The report also said the Pyongyang regime used cyberspace to launder the stolen money.

According to Reuters, which claims to have seen the report, the U.N. experts said North Korea’s attacks against cryptocurrency exchanges allowed it “to generate income in ways that are harder to trace and subject to less government oversight and regulation than the traditional banking sector.” There were at least 35 cases of North Korean state actors executing cyberattacks on financial institutions and cryptocurrency exchanges. Crypto mining has also been used to earn foreign currency to finance the DPRK’s WMD and ballistic missile programs.

U.N. Accuses North Korea of Laundering Money Through Blockchain Firm

An August 30 report by the United Nations Security Council’s Sanctions Committee on North Korea accused the country of using a Hong Kong-based blockchain firm as a front to launder money. The Sanctions Committee conducted an investigation into North Korea’s various strategies to evade sanctions through the use of cryptocurrencies and found that “Marine China platform Limited”—a Hong Kong based, blockchain-focused shipping and logistics firm—was created by North Korean state actors to use as a shell company for money laundering efforts. The report indicates that the shell company’s start-up funds likely came from online extortion campaigns that required payment in cybercurrencies.

The UN report also alleges that North Korean intelligence services groom cyber agents from “a very young age” for future careers as hackers skilled at stealing cryptocurrency and targeting financial institutions.

To obfuscate its cryptocurrency money laundering activities, North Korean attackers use a digital version of layering that creates thousands of transactions through one-time-use cryptocurrency wallets. According to the report, “stolen funds following one attack in 2018 were transferred through at least 5,000 separate transactions and further routed to multiple countries before eventual conversion to fiat currency, making it highly difficult to track the funds.”

Regarding cryptocurrencies, the UN’s Sanctions Committee panel recommends that member states ensure:

  • Regulation of cryptocurrency exchanges
  • Financial institutions—including cryptocurrency exchanges—take independent steps to protect against North Korean cyber activities
  • Cryptocurrency exchanges share the same AML obligations as banks, such as monitoring suspicious transactions, providing governments with information on accounts after attacks, freezing assets of sanctioned entities under their control and blocking malicious transactions


Crypto Mining Now Legal, But Trading—Illegal

Long gone are the days when crypto miners could use Iran’s highly subsidized energy to their advantage. After Iran’s power grid was hit by a massive, crypto-mining-induced power surge in June, the Iran Ministry of Energy declared that the power that once fed the country’s cryptocurrency miners would be cut off.

While it appeared Iran was planning to ban crypto mining in the country, Iran officially recognized cryptocurrency mining as a legal industry on July 21. Officials are currently working on a new pricing arrangement for miners that had previously taken advantage of the country’s energy prices, which are among the world’s lowest. In addition to new energy pricing, the most recent draft of the bill calls for all miners to register with the government to receive an annual mining license. To receive a license, miners will be required to disclose their business practices, the value of their investments and assets, their employment status, the lease for their mining space, and the length of the mining project.

However, crypto holders in Iran may find it difficult to trade their bitcoin for fiat. In July, Nasser Hakimi, a technology official for Iran’s central bank, announced that trading Bitcoin in Iran is illegal. This was shortly before Iranian authorities confiscated one thousand mining rigs from Iranian mining farms. To read more on this, check out CipherTrace’s Q2 2019 Cryptocurrency AML Report.

Recent reporting by Chainbulletin claims that the government has already confiscated about 80,000 devices over the last quarter.

Iran Crypto Developers Launch Platform to Bypass Sanctions for Flood Victim Aid

Volunteer cryptocurrency developers in Iran have created the blockchain platform IranRescueBit, on which people can make charitable donations to flood victims using a variety of cryptocurrencies, including:

Bitcoin (BTC), Bitcoin Cash (BCH), Bitcoin SV, Ether (ETH), Litecoin (LTC), Zcoin, Verge, and Tron.

The government is reportedly not involved in this project.

By using cryptocurrencies, donors from anywhere in the world are able to circumvent US sanctions that have thus far prohibited international donations to the Iranian Red Crescent Society (IRCS)—a humanitarian NGO in Iran. According to the IRCS, US sanctions had been impeding relief efforts such as receiving foreign financial aid, preventing them from helping flood victims.

IranRescueBit executive director Hamed Salehi told news organization Al Jazeera that once the platform’s campaign is finished, crypto donations will be converted to fiat using local exchanges. The fiat would then be sent to a local IRCS bank account.

According to their public transaction history, the organization has raised over $3000 so far, with over half of the donations coming from Bitcoin users. A CipherTrace analysis of the bitcoin address (35wGf6WkJVdhGzRr3WPzedFybaV9uziocr) reveals that at one hop away most of the donations received are from personal wallets, with only one donation coming directly from an exchange. Of the 29 bitcoin transactions received, nine are from addresses CipherTrace has deemed high risk based on their transaction histories. A deeper look into these transactions reveals that the funds from these high-risk wallets all originate from one of the largest Chinese mining pools—Antpool. In April it was reported that Chinese miners were exploiting Iran’s low energy prices for mining after a proposed mining ban in China. In July, Iran’s Information and Communication Technology Minister Mohammad Javad Azari Jahromi told Islamic Republic News Agency that they “do not have any evidence of Chinese activities in Iran” but have heard about the issue.

Figure 12.

Appendix A

Privacy Coins Have Well-Developed Plans for Travel Rule Compliance

The Travel Rule requirements to transmit originator and beneficiary information with cryptocurrency transactions obviously defeat the purpose of privacy coins. Nonetheless, many of the top coin developers have already released statements on how they could comply.


According to a September 19 Bloomberg interview, developer teams behind Monero claim they can be in full compliance with the FATF Travel Rule. While it was never explained what compliance would look like for Monero, it was hinted that the “view keys” feature, which lets coin owners monitor transactions, could play a role.

However, this open source cryptocurrency uses an obfuscated public ledger, which means wallet addresses don’t appear on the blockchain. Although anyone can broadcast or send transactions, outside observers cannot discern the source, amount or destination of transactions. Additionally, Monero has many privacy features such as always-on privacy; ring signatures that produce multiple signatures for any one given transaction to obscure the true sender; stealth addresses that hide the receiver; and ring confidential transactions that hide the amounts being sent. Unless changed, these characteristics could prevent Monero from demonstrating compliance in order to remain on exchanges.


Although Zcash has the option of transacting in a “transparent” or “shielded” pool, both pools use protocols developed specifically to comply with the FATF Travel Rule through encrypted memos attached to transactions. Unlike Monero’s enforced privacy features, Zcash allows for “selective disclosure”—i.e., private users can choose whether to comply with AML regulations or not. However, as UpBit’s recent delisting has shown, some exchanges are not willing to accept the risks associated with any privacy coins, even if privacy is a choice and not a mandatory feature.

According to an April 2019 Zcash Regulatory and Compliance Brief, “The fact that a VASP supports Zcash or that a customer intends to trade Zcash does not impact the VASP’s ability to carry out CDD checks… Zcash was designed to be compliant with the Travel Rule. The required originator and beneficiary information can be attached directly to a shielded transaction using the encrypted memo field. As the name implies, the contents of this field are encrypted when the transaction is added to the blockchain, thus preventing inappropriate or unauthorized disclosure of personal information.” Furthermore, the Zcash protocol was also designed to support the disclosure of shielded transaction information to third parties, if necessary.


Dash was created from a fork in the Bitcoin Protocol. Formerly known as Xcoin and Darkcoin, it was rebranded as Dash in 2015 after Darkcoin became known for its popularity as a payment rail in dark marketplaces. Dash gives users the option to make either normal or “untraceable” transactions. Normal transactions can be sent through InstantSend, which bypasses mining and requires a consensus of masternodes to validate a transaction. This approach increases transaction speed. PrivateSend, on the other hand, makes transactions “untraceable” by mixing participating users’ unspent Dash before executing a transaction.

During the Cryptocurrency Compliance Conference in San Francisco in November 2019, Ryan Taylor, chief executive officer at DASH Core Group Inc., explained, “Dash is identical to Bitcoin and is 100% capable of meeting the requirements [of FATF’s Travel Rule].” While this is true for the coin’s InstantSend transactions, using the privacy enhancing PrivateSend feature may make it tougher for DASH transactions to be processed by exchanges. However, ultimately PrivateSend transactions are no different than bitcoin transactions using privacy enhanced overlays such as coinjoin or zerolink. Exchanges may take the same approach to Dash’s opt-in privacy features that they do with the privacy enhanced features available to bitcoin when attempting to mitigate the risk from bad actors.

While it may seem natural for privacy coins to be the go-to for criminal activity, CipherTrace research has found that despite privacy coins like DASH, Zcash and Monero being offered as alternatives to bitcoin on darknet marketplaces, bitcoin is still king. In other words, the hard data suggests the perceived dangers of these coins outweigh the reality. To counter this perception, Taylor added, “we tend to treat cryptocurrencies very binary… they’re either privacy coins or they’re not. What does that actually mean? In the case of Dash, we were the first to implement a feature that was proposed by Bitcoin at the time called CoinJoin. It’s a wallet level technique that allows any transparent blockchain to enhance the user privacy. Since Dash did it in 2014, Bitcoin did it in 2015. Then they added off-chain transactions with Lightning. Does that now make bitcoin a privacy coin? It should if Dash is one.

“I think we need to go beyond this binary treatment, look at the actual technology, how can we adapt to it, are there ways to deal with it. The answer to Dash is… if you can do it with bitcoin you can do it with Dash. It’s a fully transparent blockchain. Every single transaction reveals the inputs, the outputs, the amounts; it’s all there.”
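Because a CoinJoin-style mix on a transparent chain still exposes inputs, outputs and amounts, an exchange can screen deposits for mixing a few hops back. The following is an added example, not CipherTrace's or Dash's code; the transaction layout, the sample data and the thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample transactions (not real chain data). Amounts are in the
# chain's smallest unit; each input is (address, id of the funding transaction).
TXS = {
    "fund_a": {"inputs": [], "outputs": [("A", 250_000_000)]},
    "fund_b": {"inputs": [], "outputs": [("B", 130_000_000)]},
    "fund_c": {"inputs": [], "outputs": [("C", 110_000_000)]},
    "fund_d": {"inputs": [], "outputs": [("D", 250_000_000)]},
    "mix1": {
        "inputs": [("A", "fund_a"), ("B", "fund_b"), ("C", "fund_c")],
        "outputs": [("X1", 100_000_000), ("X2", 100_000_000), ("X3", 100_000_000),
                    ("A2", 149_990_000), ("B2", 29_990_000), ("C2", 9_990_000)],
    },
    "hop1": {"inputs": [("X2", "mix1")], "outputs": [("Y", 99_990_000)]},
    "deposit_mixed": {"inputs": [("Y", "hop1")], "outputs": [("EXCHANGE", 99_980_000)]},
    "deposit_plain": {"inputs": [("D", "fund_d")], "outputs": [("EXCHANGE", 249_990_000)]},
}

def looks_like_coinjoin(tx, min_participants=3):
    """Heuristic: several distinct input addresses and at least as many
    equal-valued outputs. It can also match ordinary batched payments."""
    senders = {addr for addr, _ in tx["inputs"]}
    if len(senders) < min_participants:
        return False
    counts = Counter(value for _, value in tx["outputs"])
    return max(counts.values(), default=0) >= min_participants

def hops_to_mix(txid, txs, max_hops=3):
    """Walk back through funding transactions, breadth first. Returns the hop
    count to the nearest CoinJoin-like ancestor, or None within max_hops."""
    frontier, seen = [txid], {txid}
    for hops in range(max_hops + 1):
        parents = []
        for current in frontier:
            if looks_like_coinjoin(txs[current]):
                return hops
            for _, prev in txs[current]["inputs"]:
                if prev in txs and prev not in seen:
                    seen.add(prev)
                    parents.append(prev)
        frontier = parents
    return None

if __name__ == "__main__":
    for deposit in ("deposit_mixed", "deposit_plain"):
        print(deposit, hops_to_mix(deposit, TXS))
```

The hop limit is the risk-based knob: a deposit two hops from a mix is flagged with the default limit but passes when `max_hops=1`.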


According to an August 28 Decred blog post, the company has developed new privacy features for its DCR token, implementing a variant of CoinShuffle++ in its wallet. This method is prunable, meaning historical transactions can be dropped from the blockchain’s full nodes.

Despite Decred’s claim that community voting is a key feature of its governance model, the new privacy feature was not put to the community but was instead secretly funded by Decred Project Lead Jake Yocom-Piatt. Although, on the surface, funding privacy features in this way may appear to conflict with the governance espoused by the project, investors close to the project were not surprised and felt privacy was a feature they expected to be added to Decred.

It is still unclear how this decision will affect DCR in the future.

The Privacy Coin Compliance Debate

Two fundamental questions exist in the privacy coin compliance debate: can exchanges trading privacy coins comply with data travel, and can exchanges demonstrate the privacy coins are not from an illegal source?

Although FATF and FinCEN have both taken stances on privacy coins, the FATF’s recent (June) guidance is less explicit about privacy coins than FinCEN’s. According to the FATF, features that increase anonymity and obfuscation of transaction flows make those transactions “more susceptible to abuse by criminals, money launderers, terrorist financiers, and other illicit actors.” These situations should be deemed high-risk for an exchange, and therefore require enhanced monitoring that extends “beyond the immediate transaction between the VASP or its customer or counterparty.” A broad interpretation of this statement suggests the FATF is not advocating all exchanges should delist privacy coins, but is recommending that exchanges offering privacy coins should have the capability to monitor these transactions beyond existing due diligence. However, the level of scrutiny needs to be based on a specific exchange’s institutional risk assessment and individual customer risk profiles.

Privacy Coin Compliance Strategy
Privacy coin market capitalization and compliance


About CipherTrace
CipherTrace develops cryptocurrency Anti-Money Laundering, bitcoin forensics, and blockchain threat intelligence solutions. Leading exchanges, banks, investigators, regulators and digital asset businesses use CipherTrace to trace transaction flows and comply with regulatory anti-money laundering requirements, fostering trust in the crypto economy. Its quarterly CipherTrace Cryptocurrency Anti-Money Laundering Report has become an authoritative industry data source. CipherTrace was founded in 2015 by experienced Silicon Valley entrepreneurs with deep expertise in cybersecurity, eCrime, payments, banking, encryption, and virtual currencies. US Department of Homeland Security Science and Technology (S&T) and DARPA initially funded CipherTrace, and it is backed by leading venture capital investors. For more information visit or follow us on Twitter @ciphertrace.