Key takeaways

• Unregistered VASPs pose significant illicit finance risks, often operating without required AML/CFT controls or oversight, making them attractive to threat actors.
• Blockchain intelligence tools can help regulators detect unregistered VASPs by analyzing location metadata, fiat currency support, and on-chain relationships with other entities.
• Nested VASPs, or parasite exchanges, may operate through compliant platforms without their knowledge. These entities are often 100x more exposed to illicit activity.
• Investigative techniques include identifying liquidity providers, third-party counterparties, and time-based transaction patterns, all of which help verify jurisdictional presence.
• TRM enables regulators to trace transaction flows, prioritize enforcement targets, and request KYC data from licensed counterparties, strengthening investigations against noncompliant actors.

{{premium-content_chapter-divider}}

Introduction

As digital asset anti-money laundering (AML) regimes proliferate, regulators are focusing more than ever on the risks posed by unregistered virtual asset service providers (VASPs). This practical guide outlines methods to detect and investigate these services using blockchain intelligence tools, ultimately supporting an enforcement action against the unregistered VASP and its responsible individuals.

Regulators are generally concerned with identifying VASPs that are operating without the required license or registration in their jurisdiction, in direct contravention of local requirements. Often, these VASPs, especially those who wilfully contravene requirements, are operating without any form of licensing or registration, meaning that they are subject to little or no oversight and AML/CFT requirements, heightening their illicit finance risks.

{{how-regulators-can-detect-and-investigate-unregistered-vasps-call-out-1}}

{{premium-content_chapter-divider}}

Defining unregistered VASPs

Unregistered VASPs generally fall into four categories:

• Unintentional: Ignorance, misunderstanding, or misinterpretation of the regulations by a business regarding regulated activities they are undertaking.
• Intentional: Wilful rejection of registration requirements as a unique selling point, for example offering “No KYC” services.
• Unsuccessful application: VASPs that applied and moved through a licensing process with a regulator, but were not successful.
• License revoked: VASPs that previously operated with a license but later had it revoked.

Unregistered VASPs may operate in the open in a seemingly compliant manner, or in hiding, potentially as so-called parasite exchanges, which use the architecture and liquidity of larger, compliant services without being transparent with the compliant service about the reasons for holding accounts.

{{premium-content_chapter-divider}}

Detecting unregistered VASPs using blockchain intelligence

Here are three key ways regulators can use blockchain intelligence tools to identify unregistered VASPs that are operating in their jurisdiction:

1. Review location data

Blockchain intelligence tools provide regulators with access to a vast database of on-chain entities, including VASPs. Many of these entity profiles are enriched with open source information, including location data, which allows regulators to identify VASPs that may be operating in their jurisdictions without the required registration.

TRM sources location data according to definitions provided in FATF guidance.

2. Review fiat currency data

Another helpful data point to consult is the fiat currencies supported by VASPs, which provides a useful indicator of the jurisdictions a VASP serves. In some jurisdictions, this information may allow authorities to open an investigation on that VASP.

3. Identify nested services

Nesting refers to the practice of relying on the liquidity and architecture of another larger exchange to provide digital assets trading services to end users. In some cases, this activity reflects an intentional, legitimate commercial arrangement between two services However, there is also a subset of nested services that operate as so-called parasite exchanges.

Parasite exchanges often operate without the knowledge or consent of the host exchange and can be up to 100 times more exposed to illicit funds, according to TRM research.

In this example, when we view the list of Risk Indicators for a large, regulated, multi-jurisdictional exchange, we see that one of the risks present is High-Risk Exchange, and that the risk type is Ownership. Ownership risk indicates that the entity has addresses belonging to it that are tagged with that particular type of risk. It is distinct from Counterparty Risk or Indirect Risk, which indicate that it has transacted with an address one or more hops away that are tagged with risk. The High-Risk Exchange category as presented as Ownership risk is a key indicator that a high-risk exchange may be nested within the parent exchange.

{{how-regulators-can-detect-and-investigate-unregistered-vasps-call-out-2}}

{{premium-content_chapter-divider}}

Investigating unregistered VASPs

Having identified an unregistered VASP, here are three methods for conducting further investigations using blockchain intelligence tools.

1. Identify liquidity providers

Many VASP business models such as exchanges, cash-to-crypto and P2P services source cryptocurrency liquidity from third parties. This allows them to offer services such as converting cryptocurrency to fiat, and vice versa.

Regulators can use blockchain intelligence to investigate where their target VASP sources its liquidity. Blockchain intelligence offers a detailed visual picture of the on-chain relationships between the VASP and third-party entities, including transaction values, frequency, and the assets being transacted.

Case study‍

A regulator identifies a cryptocurrency address suspected of belonging to an unregistered VASP in their jurisdiction. Using blockchain intelligence, the investigator identifies two licensed VASPs transacting with the address. Further analysis of transaction flows indicate potential liquidity provider relationships. This enables the regulator to request KYC information from the two VASPs, which are required to collect such due diligence as a condition of their licenses.

2. Third-party counterparty analysis

Customers using an unregistered VASP may use other licensed services within the same jurisdiction. Cross-referencing addresses that transact with an unregistered VASP to see if the same addresses are transacting with licensed VASPs can provide an indication of whether an unregistered VASP is servicing customers in one’s jurisdiction.

Case study

‍A regulator assessing a potential unregistered VASP (Target VASP, below) identifies multiple addresses that also transact with a licensed VASP operating solely within the same jurisdiction. This may help reveal where the target VASP conducts its activities.

3. Time-based transaction analysis

Time-based analysis of transactions can also help to determine whether a VASP actually operates where it claims to, particularly when it comes to over-the-counter brokers, P2P traders or cash-to-crypto services.

Case study

A regulator operating in a jurisdiction the Coordinated Universal Time (UTC-5) timezone is engaging with a VASP, who they understand to be undertaking unregistered activity in their jurisdiction. This VASP informs the regulator that they are, in fact, operating in a different jurisdiction altogether, within the UTC+7 timezone. The regulator conducts a review of the VASP’s addresses and identifies that most transaction activity took place during regular business hours in the UTC-5 timezone. As that would be night-time in the VASP’s reported jurisdiction.

Whilst there may be legitimate reasons for the activity taking place during irregular hours, regulators can take this analysis to develop their investigation.

Depending on the case specifics, blockchain intelligence can be used in numerous other ways to investigate unregistered VASPs. Contact the TRM team to learn how we can support your unregistered VASP investigations.

{{premium-content_chapter-divider}}

Frequently asked questions (FAQs)

1. What is an unregistered VASP?

An unregistered VASP is a virtual asset service provider operating without the required licensing or registration in a specific jurisdiction, often violating AML/CFT laws.

2. Why are unregistered VASPs a concern for regulators?

They are more vulnerable to abuse by illicit actors, lack transparency, and undermine national and international AML enforcement efforts.

3. How can regulators detect unregistered VASPs using blockchain intelligence?

They can analyze entity location data, fiat currency usage, and connections to larger exchanges to spot unlicensed operations.

4. What is a parasite exchange?

A parasite exchange is a type of nested service that leverages another exchange's infrastructure without disclosure or authorization, often increasing exposure to illicit flows.

5. How does TRM help regulators investigate VASPs?

TRM tools help regulators identify wallet owners, assess risk exposure, map transactional relationships, and generate evidence for enforcement.

6. What is third-party counterparty analysis in crypto investigations?

It involves cross-referencing wallet addresses across multiple platforms to assess whether an unregistered VASP is serving users in a given jurisdiction.

7. How does transaction timing help identify jurisdiction?

Time-based analysis can reveal operational hours that contradict a VASP’s claimed location — a red flag for local activity under false pretenses.

8. What role do liquidity providers play in tracing unregistered VASPs?

By tracking the crypto sources and destinations of a VASP’s funds, regulators can identify relationships with regulated liquidity providers and request KYC data.

9. Can blockchain intelligence distinguish between direct and indirect exposure to risk?

Yes. Ownership risk shows the VASP controls risky addresses, while counterparty or indirect risk reflects transactional proximity to flagged entities.

10. What should regulators prioritize when reviewing potential cases?

Focus on VASPs with weak KYC, high transaction volume, or exposure to high-risk entities. TRM’s tools support this prioritization with layered risk indicators.

{{premium-content_chapter-divider}}

About TRM Labs

TRM Labs provides blockchain analytics solutions to help law enforcement and national security agencies, financial institutions, and cryptocurrency businesses detect, investigate, and disrupt crypto-related fraud and financial crime. TRM’s blockchain intelligence platform includes solutions to trace the source and destination of funds, identify illicit activity, build cases, and construct an operating picture of threats. TRM is trusted by leading agencies and businesses worldwide who rely on TRM to enable a safer, more secure crypto ecosystem.

TRM is based in San Francisco, CA, and is hiring across engineering, product, sales, and data science. To learn more, visit www.trmlabs.com.