Cryptocurrency Exchanges AML Red Flags

Customer provides a government-issued ID that fails automated verification checks, with the photo showing signs of AI-generated manipulation or deepfake alteration.

Customer passes initial KYC with a real SSN but fabricated supporting documents, creating a synthetic identity that only fails when cross-referenced with credit bureau or tax records.

Customer’s account is accessed after credential stuffing attack, with login from a new device and immediate withdrawal of all funds to an external wallet not previously associated with the account.

Customer deposits virtual currency and immediately sends it to a mixing service, tumbler, or privacy-enhancing wallet that obscures the transaction trail on the blockchain.

Customer repeatedly conducts transactions just below the exchange’s reporting or recordkeeping thresholds, suggesting intentional structuring to avoid compliance detection.

Customer deposits virtual currency traced to a known darknet marketplace, ransomware wallet, or sanctioned address, and attempts to trade or withdraw the funds immediately.

Customer uses a privacy coin (e.g., Monero, Zcash) to convert from a transparent blockchain to an obfuscated one, with the original funds traceable to a sanctioned jurisdiction or SDN-listed entity.

Business customer routes cross-border payments through multiple cryptocurrency exchanges in different jurisdictions to avoid sanctions screening and regulatory reporting in their home country.

Exchange customer sends funds to a smart contract address linked to a decentralized mixer or cross-chain bridge known to be used by sanctioned entities to obfuscate transaction origins.

Customer’s account receives a large deposit of virtual currency shortly after a known exchange hack, with the incoming funds traceable to the hacker’s wallet address published in breach disclosures.

Business customer receives virtual currency from a ransomware payment wallet and immediately converts it to fiat, with no prior history of providing cybersecurity or incident response services.

Customer’s 2FA is bypassed through SIM swap or phishing, resulting in unauthorized withdrawal of all virtual currency holdings to an external wallet with no transaction history.

Multiple individuals receive cryptocurrency payments from the same wallet associated with an online escort platform or adult content site, with payments occurring at regular intervals inconsistent with independent work.

Charity or nonprofit customer receives cryptocurrency donations and immediately forwards them to wallets linked to designated terrorist organizations or individuals on the OFAC SDN list.

Customer uses a chain-hopping technique, moving funds across multiple blockchains (e.g., Bitcoin to Ethereum to Solana) through decentralized bridges to obscure the audit trail before cashing out.

PEP uses an exchange to acquire large amounts of stablecoins funded by wires from a government-owned bank, with no verifiable connection to salary, business income, or documented gifts.

Customer uses a deepfake-generated video call to bypass the exchange’s enhanced due diligence process for high-value withdrawals, with the synthetic persona cloned from social media content.

Multiple exchange accounts are opened using the same device fingerprint, IP address, or email domain with slight name variations to evade duplicate detection systems.

Corporate customer onboarding documents show a registered address that is a virtual office or mailbox service, with no verifiable physical presence or employees at the location.

Foreign national customer provides a passport from a jurisdiction with weak identity verification infrastructure and no supporting U.S. visa, residency permit, or tax identification.

Customer receives virtual currency from multiple unrelated wallets and immediately consolidates and forwards the funds to a single external address with no apparent trading or investment rationale.

Business customer’s account shows rapid inflows and outflows of stablecoins with no corresponding commercial activity, invoice documentation, or verifiable business purpose.

Customer engages in frequent peer-to-peer trades off the exchange platform, settling via external wallets, to avoid the exchange’s transaction monitoring and KYC requirements.

Decentralized finance (DeFi) protocol interaction shows a user receiving governance tokens and immediately dumping them for stablecoins, with no participation in protocol governance.

Customer uses automated trading bots or smart contracts to execute thousands of small transactions to artificially inflate trading volume and manipulate token prices.

Customer receives virtual currency from a wallet associated with a sanctioned individual and immediately converts it to fiat through an offshore exchange with weak AML controls.

Foreign national from a comprehensively sanctioned country uses a VPN and synthetic identity to open a U.S.-based exchange account and access the U.S. financial system via cryptocurrency.

Customer participates in an initial coin offering (ICO) or token sale where the project team disappears after raising funds, and the customer attempts to launder the worthless tokens through the exchange.

Customer deposits funds into a smart contract that executes an arbitrage trade exploiting a protocol vulnerability, draining liquidity from other users, and then withdraws the proceeds to a new wallet.

Elderly customer’s exchange account shows sudden large purchases of volatile cryptocurrencies after interacting with a “investment advisor” on social media who provided no licensed credentials.

DAO or blockchain-based organization raises funds through a token sale but conceals the identity of the core developers and beneficial owners behind pseudonymous wallet addresses.

Corporate customer operating a cryptocurrency fund refuses to disclose the beneficial owners of the underlying limited partners, many of whom are foreign nationals from high-risk jurisdictions.

Customer accesses the exchange exclusively through IP addresses associated with high-risk jurisdictions or known Tor exit nodes, with no legitimate reason for the obfuscated connection.

Customer rushes to complete high-value trades or withdrawals when notified of an upcoming account review, KYC update, or compliance verification request.

Business customer claims to be a commodities trader but the blockchain shows the “trade” involves NFTs or tokenized assets with pricing completely disconnected from underlying commodity markets.

Customer deposits funds from a non-custodial wallet into the exchange, trades through multiple altcoin pairs with no apparent investment strategy, and withdraws to a different wallet in a different jurisdiction.

OTC desk customer requests execution of a large block trade with explicit instructions to break the order into smaller pieces across multiple time windows to avoid price impact and detection.

Elderly customer withdraws retirement savings and deposits the full amount into a cryptocurrency exchange at the direction of a newly acquainted “financial guru” promising guaranteed returns.

Customer registers with an address in a low-risk country but all blockchain transactions originate from or interact with wallets in a jurisdiction under FATF enhanced monitoring.

Customer repeatedly asks customer support about the exchange’s AML policies, SAR filing thresholds, or how to avoid triggering transaction monitoring alerts.

Cross-border stablecoin transfers are justified by invoices for goods that do not match the customer’s business profile, with no corresponding shipping or customs documentation.