skip to Main Content
CipherTrace is hiring! See our current job openings.

Virtual Asset Red Flag Indicators of Money Laundering and Terrorist Financing

Virtual assets can transfer value around the world faster and cheaper than traditional financial institutions. But the pseudo-anonymity associated with them also attracts criminals seeking to take advantage of these same benefits when laundering their funds.

On September 14, 2020, the Financial Action Task Force (FATF) released a report on Virtual Assets Red Flag Indicators to assist reporting entities, such as financial institutions (FIs), designated non-financial businesses and professions (DNFBPs), and VASPs detect whether virtual assets are being used for criminal activity. The FATF Report lists the virtual asset-related red flags for money laundering and terrorist financing in the following categories:

  • Red Flag Indicators Related to Transactions
    • Size and frequency of transactions
  • Red Flag Indicators Related to Transaction Patterns
    • Transactions concerning new users
    • Transactions concerning all users
  • Red Flag Indicators Related to Anonymity
  • Red Flag Indicators about Senders or Recipients
    • Irregularities observed during account creation
    • Irregularities observed during CDD process
    • Profile of potential money mule or scam victims
    • Other unusual behavior
  • Red Flag Indicators in the Source of Funds or Wealth
  • Red Flag Indicators Related to Geographical Risks

Virtual assets can transfer value around the world faster and cheaper than traditional financial institutions. But the pseudo-anonymity associated with them also attracts criminals seeking to take advantage of these same benefits when laundering their funds.

On September 14, 2020, the Financial Action Task Force (FATF) released a report on Virtual Assets Red Flag Indicators to assist reporting entities, such as financial institutions (FIs), designated non-financial businesses and professions (DNFBPs), and VASPs detect whether virtual assets are being used for criminal activity. The FATF Report lists the virtual asset-related red flags for money laundering and terrorist financing in the following categories:

Red Flag Indicators Related to Transactions

While Virtual Assets (VAs) are still not widely used by the public, their use has caught-on among criminals. The use of VAs for Money-Laundering purposes first emerged over a decade ago, but VAs are becoming increasingly mainstream for criminal activity more broadly. This set of indicators demonstrates how red flags traditionally associated with involving more conventional means of payment remain relevant to detecting potential illicit activity related to VAs.

Size and frequency of transactions

Structuring VA transactions in small amounts, or in amounts under record-keeping or reporting thresholds (similar to structuring cash transactions)

Solution: CipherTrace Sentry APIs return data that can be used to write rules to alert on transactions meeting specified conditions.

Solution: CipherTrace Inspector can be used to analyze an address that may be part of a series of transactions that are easily identifiable as a pattern of structuring (also referred to as “peel chaining” in crypto) when viewed in graph explorer.

Making multiple high-value transactions:

  • in short succession (like within 24 hours)
  • in a staggered and regular pattern, with no further transactions recorded during a long period afterwards, which is particularly common in ransomware-related cases
  • to a newly created or previously inactive account

Solution: CipherTrace Sentry APIs return data that can be used to write rules to alert on transactions recurring with the same deposit address and can be sorted by value.

Solution: CipherTrace Inspector can be used to easily review an address for transactional history, including periods of dormancy or a newly created address.

Transferring VAs immediately to multiple VASPs, especially to VASPs registered or operated in another jurisdiction where:

  • there is no relation to where the customer lives or conducts business
  • there is non-existent or weak AML/CFT regulation

Solution: CipherTrace Sentry APIs return data that can be used to write rules to alert on transactions that transfer crypto (VAs) immediately to multiple VASPs.

Solution: CipherTrace Armada VASP Risk Monitor can be used by compliance analysts to understand the operational (KYC) and transactional (AML) risk associated with VASPs. VASPs with higher KYC risk can often be found operating in jurisdictions with weak or non-existent AML/CFT regulation. Armada also includes information on a VASP’s domiciled jurisdiction.

Depositing VAs at an exchange and then often immediately:

  • Withdrawing the VAs without additional exchange activity to other VAs, which is an unnecessary step and incurs transaction fees
  • Converting the VAs to multiple types of VAs, again incurring additional transaction fees, but without logical business explanation (e.g., portfolio diversification)
  • Withdrawing the VAs from a VASP immediately to a private wallet. This effectively turns the exchange/VASP into an ML mixer.

Solution: CipherTrace Sentry APIs return data that can be used to write rules to alert on transactions that withdraw crypto (VAs) immediately without additional exchange activity, or immediately withdrawing to a wallet with no discernable attribution which could be a private wallet.

Solution: Converting VAs to multiple types of VAs should be addressed by a VASP’s internal controls and/or core operating system. This cannot be done by an external system.

Accepting funds suspected as stolen or fraudulent:

  • Depositing funds from VA addresses that have been identified as holding stolen funds, or VA addresses linked to the holders of stolen funds.

Solution: CipherTrace Sentry APIs return high risk scores for incoming transactions from addresses identified holding stolen funds.

Solution: CipherTrace Armada VASP Risk Monitor can be used by compliance analysts to understand the operational (KYC) and transactional (AML) risk associated with VASPs that may be used more frequently to facilitate the transfer of stolen VAs because of weaker AML/CFT practices.

Red Flag Indicators Related to Transaction Patterns

Similar to the above section, the red flags below illustrate how the misuse of VAs for ML/TF purposes could be identified through irregular, unusual, or uncommon patterns of transactions.

Transactions concerning new users

Conducting a large initial deposit to open a new relationship with a VASP, while the amount funded is inconsistent with the customer profile.

Solution: The institution’s CDD and KYC controls should be used to identify funding inconsistent with the customer profile or expected behavior.

Solution: CipherTrace Inspector can be used for a deeper analysis of the source of the VAs used for funding to determine if the funds are consistent with the customer profile.

Conducting a large initial deposit to open a new relationship with a VASP and funding the entire deposit the first day it is opened, and that the customer starts to trade the total amount or a large portion of the amount on that same day or the day after, or if the customer withdraws the whole amount the day after. As most VAs have a transactional limit for deposits, laundering in large amounts could also be done through over-the-counter trading.

Solution: The institution’s CDD and KYC controls should be used to identify funding inconsistent with the customer profile or expected behavior.

Solution: CipherTrace Sentry APIs return data that can be used to write rules to alert on large initial deposits followed by trading or withdrawal of the same, or nearly the same, amount.

Solution: CipherTrace Inspector can be used for a deeper analysis of the source of the VAs used for funding to determine if the funds are consistent with the customer profile.

A new user attempts to trade the entire balance of VAs or withdraws the VAs and attempts to send the entire balance off the platform.

Solution: The institution’s core operating system should be able to flag a new user’s attempt to trade or transfer an entire balance.

Transactions concerning all users

Transactions involving the use of multiple VAs, or multiple accounts, with no logical business explanation.

Solution: The institution’s CDD and KYC controls should be used to identify funding inconsistent with the customer profile.

Solution: CipherTrace Inspector can be used for a deeper analysis of the source of the VAs used for funding to determine if the funds are consistent with the customer profile.

Making frequent transfers in a certain period of time (e.g., a day, a week, a month, etc.) to the same VA account:

  • by more than one person
  • from the same IP address by one or more persons
  • concerning large amounts

Solution: The institution’s core operating system can identify the timing and frequency of transactions, account logins from differing IP addresses, and alert to large amounts.

Solution: CipherTrace Inspector can be used for a deeper analysis of suspect VA addresses.

Incoming transactions from many unrelated wallets in relatively small amounts (accumulation of funds) with subsequent transfer to another wallet or full exchange for fiat currency. Such transactions by a number of related accumulating accounts may initially use VAs instead of fiat currency.

Solution: CipherTrace Sentry APIs return data that can be used to write rules to alert on a high number of deposits in a single address (accumulation).

Solution: CipherTrace Inspector allows for visualization of consolidating transactions (accumulation) through funnel accounts.

Solution: The institution’s core operating system can identify a full exchange for fiat currency.

Conducting VA-fiat currency exchange at a potential loss (e.g., when the value of VA is fluctuating, or regardless of abnormally high commission fees as compared to industry standards, and especially when the transactions have no logical business explanation).

Solution: The institution’s core operating system can identify cash-outs with potential losses.

Solution: CipherTrace Sentry APIs can be used to alert on a transaction for an address.

Converting a large amount of fiat currency into VAs, or a large amount of one type of VA into other types of VAs, with no logical business explanation.

Solution: CipherTrace Sentry APIs can be used to alert on a transaction for an address.

Solution: The compliance team’s core operating system can provide details on large transactions without a logical business explanation.

Red Flag Indicators Related to Anonymity

This set of indicators draws from the inherent characteristics and vulnerabilities associated with the underlying technology of VAs. The various technological features below increase anonymity and add hurdles to the detection of criminal activity by Law Enforcement Agencies (LEAs).

These factors make VAs attractive to criminals looking to disguise or store their funds. Nevertheless, the mere presence or these features in an activity does not automatically suggest an illicit transaction. For example, the use of a hardware or paper wallet may be legitimate as a way to secure VAs against thefts. Again, the presence of these indicators should be considered in the context of other characteristics about the customer and relationship, or a logical business explanation.

Transactions by a customer involving more than one type of VA, despite additional transaction fees, and especially those VAs that provide higher anonymity, such as anonymity-enhanced Virtual Asset (AEC), also known as privacy coins.
Solution: The institution’s core operating system should be able to provide a cross section of the client’s portfolio.
Moving a VA that operates on a public, transparent blockchain, such at Bitcoin, to a centralized exchange, and then immediately trading it for an AEC/privacy coin.

Solution: CipherTrace Sentry API information can be used to identify all centralized exchanges.Solution: CipherTrace Armada should be used to identify VASPs that support the use of AEC/privacy coins, which could be considered an indicator of risk.

Solution: The institution’s core operating system should be able to provide a cross section of the client’s portfolio.

Customers that operate as an unregistered/unlicensed VASP on peer-to-peer (P2P) exchange websites particularly when there are concerns that the customers handle huge amounts of VA transfers on its customer’s behalf and charge higher fees to its customer than transmission services offered by other exchanges and use bank accounts to facilitate these P2P transactions.

Solution: CipherTrace Sentry API information can be used to identify transactions coming from or going to P2P exchanges like LocalBitcoins, Paxful, and others.

Solution: CipherTrace Armada Virtual Asset Entity Feed (VAEF) data should be ingested by the bank’s AML platform to identify VASP activity in the bank’s network.

Solution: CipherTrace Armada P2P Exchanger data can be used to identify potentially illicit peer-to-peer activity using the bank’s network.

Solution: The institution’s (VASP’s) core operating system should be able to identify fiat transfers coming to and from various identified accounts.

Abnormal transactional activity (level and volume) of VAs cashed out at exchanges from P2P platform-associated wallets with no logical business explanation.

Solution: CipherTrace Sentry API information can be used to identify transactions coming from or going to P2P exchanges like LocalBitcoins, Paxful, and others.

Solution: CipherTrace Armada VASP Risk Monitor can be used by compliance analysts to better understand operational and transactional risk associated with exchanges used for cash out. High operational and/or transactional risk may be an indicator of high-risk exchange frequently used by bad actors to facilitate money laundering.

Solution: CipherTrace Inspector can be used to provide additional insight into the source of VAs for the customer.

VAs transferred to or from wallets that show previous patterns of activity associated with the use of VASPs that operate mixing or tumbling services or P2P platforms.

Solution: CipherTrace Sentry APIs identify transactions to or from mixing/tumbling services, as well as P2P platforms.

Solution: CipherTrace Inspector can be used to provide additional insight into the source or destination of VAs for the customer.

Transactions making use of mixing and tumbling services, suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces.

Solution: CipherTrace Sentry APIs identify transactions to or from mixing/tumbling services, as well as addresses associated with darknet marketplaces and vendors.

Solution: CipherTrace Inspector can be used to provide additional insight into the source or destination of VAs passing thru mixing/tumbling services.

Funds deposited or withdrawn from a VA address or wallet with direct and indirect exposure links to known suspicious sources, including darknet marketplaces, mixing/tumbling services, questionable gambling sites, illegal activities (e.g. ransomware) and/or theft reports.

Solution: CipherTrace Sentry APIs identify transactions to or from high-risk sources, including dark markets, mixers/tumblers, ransomware, etc. If exposure is indirect, the intermediary address will be identified as high-risk.

Solution: CipherTrace Inspector can be used to provide additional insight into the source or destination of VAs passing thru subject address or wallet, including information on indirect exposure 2+ hops away.

The use of decentralized/un-hosted, hardware or paper wallets to transport VAs across borders.

Solution: This use-case requires direct access to the hardware or paper wallets.

Solution: CipherTrace Inspector can be used to trace hardware or paper wallet addresses that are used for transporting VAs across borders. This lookup can provide additional insight into the transactional history of the subject addresses.

Users entering the VASP platform having registered their Internet domain names through proxies or using domain name registrars (DNS) that suppress or redact the owners of the domain names.

Solution: The institution’s core operating system can identify suspicious login activity.

Users entering the VASP platform using an IP address associated with a darknet or other similar software that allows anonymous communication, including encrypted emails and VPNs. Transactions between partners using various anonymous encrypted communication means (e.g. forums, chats, mobile applications, online games, etc.) instead of a VASP.

Solution: The institution’s core operating system can identify suspicious login activity.

A large number of seemingly unrelated VA wallets controlled from the same IP address (or MAC address), which may involve the use of shell wallets registered to different users to conceal their relation to each other.

Solution: The institution’s core operating system can identify suspicious login activity.

Solution: CipherTrace Inspector can be checked for IP address activity across multiple BTC addresses.

Use of VAs whose design is not adequately documented, or that are linked to possible fraud or other tools aimed at implementing fraudulent schemes, such as Ponzi schemes.

Solution: VASP support of anonymity-enhanced Virtual Asset (AEC), also known as privacy coins, increases the risk for money laundering and terrorist financing activity. A VASP may wish to consider not supporting privacy coins.

Solution: CipherTrace Armada VASP Risk Monitor identifies VASPs that support privacy coins and provides additional risk intelligence that can be used to help profile customer activity.

Receiving funds from or sending funds to VASPs whose CDD or know-you-customer (KYC) processes are demonstrably weak or non-existent.

Solution: CipherTrace Sentry API identifies the VASP sending or receiving funds.

Solution: CipherTrace Armada VASP Risk Monitor identifies VASPs that demonstrate weak or non-existent KYC processes. Nearly 1,000 VASPs have been operationally (KYC) risk-rated (Red, Yellow, Green) and are periodically re-evaluated.

Using VA ATMs/Kiosks:

  • despite the higher transaction fees and including those commonly used by mules or scam victims; or
  • in high-risk locations where increased criminal activities occur (a single use of an ATM/kiosk is not enough in and of itself to constitute a red flag but would if it was coupled with the machine being in a high-risk area or was used for repeated small transactions or other factors).

Solution: CipherTrace Sentry APIs identify ATM operators.

Red Flag Indicators about Senders or Recipients

This set of indicators is relevant to the profile and unusual behavior of either the sender or the recipient of the illicit transactions.

Irregularities observed during account creation

Creating separate accounts under different names to circumvent restrictions on trading or withdrawal limits imposed by VASPs.

Solution: The institution’s existing KYC system should provide the necessary insight to determine if there is a relationship between multiple accounts.

Solution: CipherTrace Inspector can be used to further identify potential relationships by performing a trace analysis to spot the consolidation of funds as they move in and out of suspect accounts at the VASP and reconsolidate in another wallet.

Transactions initiated from non-trusted IP addresses, IP addresses from sanctioned jurisdictions, or IP addresses previously flagged as suspicious.

Solution: The institution’s core operating system can identify suspicious login activity.

Solution: CipherTrace Inspector can be used to further investigate IP address activity (caveat: a large percentage of crypto transaction activity is channeled thru TOR and/or VPNs).

Trying to open an account frequently within the same VASP from the same IP address.

Solution: The institution’s core operating system can identify suspicious login activity.

Solution: CipherTrace Inspector can be used to further investigate IP address activity (caveat: a large percentage of crypto transaction activity is channeled thru TOR and/or VPNs).

Regarding merchants/corporate users, their internet domain registrations are in a different jurisdiction than their jurisdiction of establishment or in a jurisdiction with a weak process for domain registration.

Solution: The institution’s core operating system can identify suspicious login activity.

Irregularities observed during CDD process

Incomplete or insufficient KYC information, or a customer declines requests for KYC documents or inquiries regarding source of funds.

Solution: The institution’s KYC system should provide the necessary insight to determine if the accounts have similarities.

Solution: CipherTrace Inspector can be used to perform additional due diligence on Virtual Asset addresses furnished by the customer. Trace analysis may reveal further risk related to source of VAs.

Solution: CipherTrace Armada VASP Risk Monitor data can be used to further profile operational (KYC) and transactional (AML) risk associated with a VASP opening an account.

Sender/recipient lacking knowledge or providing inaccurate information about the transaction, the source of funds, or the relationship with the counterparty.

Solution: The institution’s core operating system may provide additional insight to suspicious sender/recipient activity.

Solution: CipherTrace Inspector can be used to perform additional due diligence on Virtual Asset addresses furnished by the customer. Trace analysis may reveal further risk related to source of VAs.

Customer has provided forged documents or has edited photographs and/or identification documents as part of the on-boarding process.

Solution: The institution’s KYC system should provide the necessary insight to determine customer due diligence (CDD) irregularities.

Customer Profiles

A customer provides identification or account credentials (e.g., a non-standard IP address, or flash cookies) shared by another account.

Solution: The institution’s core operating system can cross reference shared credentials.

Solution: CipherTrace Inspector can be used to check IP address information (as available) for pattern use of TOR or a VPN.

Discrepancies arise between IP addresses associated with the customer’s profile and the IP addresses from which transactions are being initiated.

Solution: The institution’s core operating system can identify suspicious login activity.

Solution: CipherTrace Inspector can be used to check IP address information (as available) for pattern use of TOR or a VPN.

A customer’s VA address appears on public forums associated with illegal activity.

Solution: CipherTrace Sentry APIs identifies addresses associated with illegal activity. CipherTrace collects millions of pieces of attribution each month, including OSINT, darknet and public forum postings.

Solution: CipherTrace Inspector identifies addresses associated with illegal activity. CipherTrace collects millions of pieces of attribution each month, including OSINT, darknet and public forum postings.

A customer is known via publicly available information to law enforcement due to previous criminal association.

Solution: The institution’s CDD and KYC controls should flag the customer.

Solution: CipherTrace Sentry APIs identifies addresses associated with criminal activity. CipherTrace collects millions of pieces of attribution each month, including sanction list data.

Solution: CipherTrace Inspector identifies addresses associated with criminal activity. CipherTrace collects millions of pieces of attribution each month, including sanction list data.

Sender does not appear to be familiar with VA technology or online custodial wallet solutions. Such persons could be money mules recruited by professional money launderers, or scam victims turned mules who are deceived into transferring illicit proceeds without knowledge or their origins.

Solution: compliance team’s core operating and KYC systems may flag the unusual customer activity.

Solution: CipherTrace Inspector can be used to trace source of VA for illicit activity.

Profile of potential money mule or scam victims

A customer significantly older than the average age of platform users opens an account and engages in large numbers of transactions, suggesting their potential role as a VA money mule or victim of elder financial exploitation.

Solution: The institution’s core operating and KYC systems may flag the unusual customer activity.

Solution: CipherTrace Inspector can be used to trace source or destination of VA for illicit activity.

A customer being a financially vulnerable person, who is often used by drug dealers to assist them in their trafficking business.

Solution: The institution’s core operating and KYC systems may flag the unusual customer activity.

Solution: CipherTrace Inspector can be used to trace source or destination of VAs for illicit activity.

Customer purchases large amounts of VA not substantiated by available wealth or consistent with his or her historical financial profile, which may indicate money laundering, a money mule, or a scam victim.

Solution: The institution’s core operating and KYC systems may flag the unusual customer activity.

Solution: CipherTrace Inspector can be used to trace source or destination of VAs to provide further insight if the funds are consistent with the customer profile/behavior.

Other unusual behavior

A customer frequently changes his or her identification information, including email addresses, IP addresses, or financial information, which may also indicate account takeover against a customer.

Solution: The institution’s core operating and KYC systems should provide the necessary insight to flag the unusual customer account activity.

Solution: CipherTrace Inspector can be used to trace source or destination of VAs to provide further insight if the funds are consistent with the customer profile/behavior.

A customer tries to enter into one or more VASPs from different IP addresses frequently over the course of a day.

Solution: The institution’s core operating system can identify suspicious login activity.

Use of language in VA message fields indicative of the transactions being conducted in support of illicit activity or in the purchase of illicit goods, such as drugs or stolen credit card information.

Solution: The institution’s core operating system to read messages like Op_Returns, etc.

Solution: CipherTrace Sentry APIs identifies transaction addresses associated with illicit activity, including dark markets where illicit goods including drugs and stolen credit cards can be bought and sold.

Solution: CipherTrace Inspector identifies transaction addresses associated with illicit activity, including dark markets where illicit goods including drugs and stolen credit cards can be bought and sold.

A customer repeatedly conducts transactions with a subset of individuals at significant profit or loss. This could indicate potential account takeover and attempted extraction of victim balances via trade, or ML scheme to obfuscate funds flow with a VASP infrastructure.

Solution: The institution’s core operating and KYC systems should provide the necessary insight to flag the unusual customer account activity.

Solution: CipherTrace Inspector can be used to trace source or destination of VAs to provide further insight if the funds are consistent with the customer profile/behavior.

Red Flag Indicators in the Source of Funds or Wealth

As demonstrated by cases submitted by jurisdictions, the misuse of VAs often relates to criminal activities, such as illicit trafficking in narcotics and psychotropic substances, fraud, theft and extortion (including cyber-enabled crimes). Below are common red flags related to the source of funds or wealth linked to such criminal activities:

Transacting with VA addresses or bank cards that are connected to known fraud, extortion, or ransomware schemes, sanctioned addresses, darknet marketplaces, or other illicit websites.

Solution: CipherTrace Sentry APIs identifies transaction addresses associated with the aforementioned activities.

Solution: CipherTrace Inspector allows compliance analysts to perform further analysis on transactions that involve the aforementioned activities. CipherTrace collects millions of pieces of attribution each month related to these illicit activities.

VA transactions originating from or destined to online gambling services.

Solution: CipherTrace Sentry APIs identifies online gambling services sending or receiving VA transactions.

The use of one or multiple credit and/or debit cards that are linked to a VA wallet to withdraw large amounts of fiat currency (crypto-to-plastic), or funds for purchasing VAs are sourced from cash deposits into credit cards.

Solution: The institution’s core operating system should provide the necessary insight to flag the withdrawal of large amounts of fiat to purchase VAs.

Deposits into an account or a VA address are significantly higher than ordinary with an unknown source of funds, followed by a conversion to fiat currency, which may indicate theft of funds.

Solution: The institution’s core operating and KYC systems should provide the necessary insight to determine if the login and account activity and funds are consistent with the customer profile/behavior.

Solution: CipherTrace Inspector allows compliance analysts to perform further analysis on the destination of the funds if not immediately converted to fiat or sent to another exchange to convert to fiat.

Lack of transparency or insufficient information on the origin and owners of the funds, such as those involving the use of shell companies or those funds placed in an Initial Coin Offering (ICO) where personal data of investors may not be available or incoming transactions from online payments system through credit/pre-paid cards followed by instant withdrawal.

Solution: The institution’s core operating and KYC systems should provide the necessary insight to determine if the account activity and funds are consistent with the customer profile/behavior and provident of credit or pre-paid cards.

Solution: CipherTrace Inspector allows compliance analysts to perform further analysis on the source of funds used for the initial deposit to determine if the funds are consistent with the customer profile and/or business.

A customer’s funds which are sourced directly from third-party mixing services or wallet tumblers.

Solution: CipherTrace Sentry APIs return data that identify incoming and outgoing transaction data from third-party mixing services or wallet tumblers.

Solution: CipherTrace Inspector allows for deeper analysis of the source of customer funds.

Bulk of a customer’s source of wealth is derived from investments in VAs, ICOs, or fraudulent ICOs, etc.

Solution: CipherTrace Inspector allows for deeper analysis of the source of customer funds used for the initial deposit to determine if the funds are consistent with the customer profile and/or business.

Solution: CipherTrace Quarterly AML reports and other customer communications regularly profile fraudulent ICO activity.

Solution: OSINT, SEC and other publicly data available sources.

A customer’s source of wealth is disproportionately drawn from VAs originating from other VASPs that lack AML/CFT controls.

Solution: CipherTrace Sentry APIs return data that identifies the sending or receiving VASP, including the identification of a High Risk VASP.

Solution: CipherTrace Armada VASP Risk Monitor provides compliance analysts with risk data on operational (KYC) and transactional (AML) practices for each VASP. VASPs that lack AML/CFT controls quickly stand out.

Red Flag Indicators Related to Geographical Risks

This set of indicators emphasizes how criminals, when moving their illicit funds, have taken advantage of the varying stages of implementation by jurisdictions on the revised FATF Standards on VAs and VASPs. Based on cases reported by jurisdictions, criminals have exploited the gaps in AML/CFT regulations on VAs and VASPs. These jurisdictions may not have a registration or licensing regime or have not extended STR requirements to cover VAs and VASPs or may not have otherwise introduced the full spectrum of preventive measures as required by the FATF Standards.

These risks are associated with source, destination, and transit jurisdictions of a transaction. They are also relevant to risks associated with the originator of a transaction and the beneficiary of funds that may be linked to a high-risk jurisdiction. In addition, they may be applicable to the customer’s nationality, residence, or place of business.

Customer’s funds original from, or are sent to, an exchange that is not registered in the jurisdiction where either the customer or exchange is located.

Solution: CipherTrace Sentry APIs return data that identifies the VASP sending or receiving VAs.

Solution: CipherTrace Armada VASP Risk Monitor provides compliance analysts with jurisdiction information for each VASP.

Solution: CipherTrace Inspector provides compliance analysts with jurisdiction information for each VASP.

Customer utilizes a VA exchange or foreign-located MVTS in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for VA entities, including inadequate CDD or KYC measures.

Solution: CipherTrace Sentry APIs return data that identifies the VASP sending or receiving VAs.

Solution: CipherTrace Armada VASP Risk Monitor provides compliance analysts with operational (KYC) and transactional (AML) risk, along with the jurisdiction information, for each VASP.

Customer sends funds to VASPs operating in jurisdictions that have no VA regulation, or have not implemented AML/CFT controls.

Solution: CipherTrace Sentry APIs return data that identifies the VASP sending or receiving VAs.

Solution: CipherTrace Armada VASP Risk Monitor provides compliance analysts with operational (KYC) and transactional (AML) risk, along with the jurisdiction information, for each VASP.

Customer sends funds to VASPs operating in jurisdictions that have no VA regulation, or have not implemented AML/CFT controls.

Solution: CipherTrace Sentry APIs return data that identifies the VASP sending or receiving VAs.

Solution: CipherTrace Armada VASP Risk Monitor provides compliance analysts with operational (KYC) and transactional (AML) risk, along with the jurisdiction information, for each VASP.

Customer sets up offices in or moves offices to jurisdictions that have no regulation or have not implemented regulations governing VAs or sets up new offices in jurisdictions where there is not clear business rational to do so.

Solution: CipherTrace Sentry APIs return data that identifies the VASP sending or receiving VAs.

Solution: CipherTrace Armada VASP Risk Monitor provides compliance analysts with operational (KYC) and transactional (AML) risk, along with the jurisdiction information, for each VASP.

FinCEN’s Virtual Asset Red Flag Indicators of Money Laundering and Terrorist Financing

Darknet Marketplaces

  • A customer conducts transactions with CVC addresses that have been linked to darknet marketplaces or other illicit activity.
  • A customer’s CVC address appears on public forums associated with illegal activity.
  • A customer’s transactions are initiated from IP addresses associated with TOR.
  • Blockchain analytics indicate that the wallet transferring CVC to the exchange has suspicious source or sources of funds, such as a darknet marketplace.
  • A transaction makes use of mixing and tumbling services, suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces.

Unregistered or Illicitly Operating P2P Exchangers

  • Transfers or receives funds, including through traditional banking systems, to or from an unregistered foreign CVC exchange or other MSB with no relation to where the customer lives or conducts business.
  • Utilizes a CVC exchanger or foreign-located MSB in a high-risk jurisdiction lacking, or know to have inadequate AM/CFT regulations for CVC entities, including inadequate KYC or customer due diligence measures.
  • A customer directs large numbers of CVC transactions to CVC entities in jurisdictions with reputations for being tax havens.
  • A customer that has not identified itself to the exchange, or registered with FinCEN, as a money transmitter appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions.

Unregistered Foreign MSBs

  • Receives multiple cash deposits or wires from disparate jurisdictions, branches of a financial institution, or persons and shortly thereafter uses such funds to acquire virtual currency.
  • Receives a series of deposits from disparate sources that, in aggregate, amount to nearly identical aggregate funds transfers to a known virtual currency exchange platform within a short period of time.
  • Customer’s phone number or email address is connected to a known CVC P2P exchange platform advertising exchange services.
  • Transfers or receives funds, including through traditional banking systems, to or from
  • Transfers or receives funds, including through traditional banking systems, to or from an unregistered foreign CVC exchange or other MSB with no relation to where the customer lives or conducts business.
  • Utilizes a CVC exchanger or foreign-located MSB in a high-risk jurisdiction lacking, or know to have inadequate AM/CFT regulations for CVC entities, including inadequate KYC or customer due diligence measures.
  • A customer directs large numbers of CVC transactions to CVC entities in jurisdictions with reputations for being tax havens.
  • A customer that has not identified itself to the exchange, or registered with FinCEN, as a money transmitter appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions.

Unregistered or Illicitly Operating CVC Kiosks

  • A customer operates multiple CVC kiosks in locations that have a relatively high incidence of criminal activity.
  • Large numbers of transactions from different customers sent to and from the same CVC wallet addresses but not operating as a known CVC exchange.

Illicit Activity Leveraging CVC Kiosks

  • Structuring of transactions just beneath the CTR threshold or the CVC kiosk daily limit to the same wallet address either by using multiple machines or tied to the same phone number.

Conclusion

The red flag indicators included in this report are neither exhaustive nor applicable in every situation. These indicators are often just one of many elements contributing to a bigger overall picture of potential ML or TF risk.

Indicators of ML or TF are constantly evolving, especially in the virtual asset sector. Over $1.3 trillion was transacted in virtual currency last year, and this will double year-on-year. Over $1 billion of this was criminal and laundered through banks.

In order for banks to comply with any of the virtual asset red flags for ML or TF, it is necessary for them to be able to accurately identify and monitor all virtual asset-related transactions flowing through their institutions. CipherTrace enables your financial institution to detect virtual asset-related activity on your credit cards, wire transfers and ACH transactions, and giving your institution the intelligence needed to file Suspicious Activity Reports related to these transactions.

Back To Top