Crypto ATM Payments Linked to Known Scam Addresses


Over $40 million USD was sent in 2022 to known scam addresses via cash-to-crypto services such as crypto ATMs, according to research by TRM Labs. 

While transfers to known scams made up only a small portion of the estimated $1 billion that flowed through the cash-to-crypto industry in 2022, this percentage is likely to be adjusted upward as new schemes become unmasked.

Crypto ATMs Can be Attractive Tools for Scammers

Crypto ATMs are the most common cash-to-crypto service. These terminals allow customers to insert banknotes, buy crypto and send it directly to a wallet without needing an exchange or even a bank account.  

Crypto ATMs are marketed as tools to help individuals convert their money into crypto with maximum privacy and ease, and less friction than at crypto exchanges. Crypto ATMs can be an attractive payment method for elderly people and others who might be otherwise unfamiliar with crypto. These characteristics also make them attractive vehicles for scammers. 

Cash-to-crypto services are not associated with any one particular type of scam. Instead they are used by perpetrators of romance scams, investment scams, impersonation scams and others as neutral platforms enabling payment by victims.

A scam warning on Coin Cloud

The range of scam warnings displayed prominently on most kiosks suggests that crypto ATM companies are aware of the potential risks of scams. Yet TRM Labs research shows that cash-to-crypto services remain susceptible to illicit activity. 

A Common Red Flag for Investigators

An analysis of crypto ATM transaction data from 300 different ATM companies across 56 countries, together with other proprietary sources, revealed a recurring pattern that could be used by authorities and compliance teams to identify suspicious activity: multiple payments sent from different ATM companies – often located in different countries – to a single address. 

One reason this activity raises a red flag is that most ATM companies ask the sender of the funds to be the owner of the destination wallet address. These rules are designed to reinforce the intended use of the machines for personal finance and prevent abuse by unidentified third parties. It is possible to see when these rules are being violated because, unlike with a web browser, the transaction location data of a crypto ATM cannot be spoofed by using a VPN.

Thus, if a device is based in a particular country, the transactions from that device can reliably be said to have occurred in that country. When a single address receives multiple deposits from different ATMs in various locations, often within moments of each other, it suggests that the user(s) are not complying with these rules. 

Research by TRM Labs also showed that addresses associated with such behavior are frequently linked to scams or other illicit activity.
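As an added illustration (not TRM Labs code or data), the red flag described above can be expressed as a screening rule that flags any destination address paid by several distinct ATM operators, in more than one country, inside a short time window. The record layout, the operator and address names, and the thresholds are assumptions chosen for the example; the article states no specific values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real data:
# (timestamp, ATM operator, kiosk country, destination address)
SAMPLE_TXS = [
    ("2022-06-01T14:00:05", "operator-a", "US", "addr-EXAMPLE-1"),
    ("2022-06-01T14:01:40", "operator-b", "CA", "addr-EXAMPLE-1"),
    ("2022-06-01T14:03:10", "operator-c", "US", "addr-EXAMPLE-1"),
    ("2022-06-01T09:00:00", "operator-a", "US", "addr-EXAMPLE-2"),
    ("2022-06-08T09:00:00", "operator-a", "US", "addr-EXAMPLE-2"),
    ("2022-06-01T10:00:00", "operator-a", "US", "addr-EXAMPLE-3"),
    ("2022-06-20T10:00:00", "operator-b", "MX", "addr-EXAMPLE-3"),
    ("2022-07-15T10:00:00", "operator-c", "CA", "addr-EXAMPLE-3"),
]


def flag_fan_in(txs, min_operators=3, min_countries=2,
                window=timedelta(minutes=10)):
    """Return {address: summary} for destination addresses paid by at least
    min_operators distinct ATM operators in at least min_countries countries
    within one sliding window. Thresholds are illustrative assumptions."""
    by_addr = defaultdict(list)
    for ts, operator, country, addr in txs:
        by_addr[addr].append((datetime.fromisoformat(ts), operator, country))

    flagged = {}
    for addr, events in by_addr.items():
        events.sort()  # chronological order
        start = 0
        for end in range(len(events)):
            # Drop events older than `window` relative to the newest one.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            operators = {op for _, op, _ in span}
            countries = {c for _, _, c in span}
            if len(operators) >= min_operators and len(countries) >= min_countries:
                flagged[addr] = {
                    "operators": sorted(operators),
                    "countries": sorted(countries),
                    "first": span[0][0].isoformat(),
                    "last": span[-1][0].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for addr, hit in flag_fan_in(SAMPLE_TXS).items():
        print(addr, hit)
```

Widening `window` trades precision for recall: with a 60-day window the slow multi-operator pattern on `addr-EXAMPLE-3` is also flagged, while the repeat customer on `addr-EXAMPLE-2`, who uses a single operator, never is.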

A single exchange address receiving funds from 40 different cash-to-crypto services

In a recent case shown above, a single exchange address received funds from the ATMs of 40 different cash-to-crypto services, located all over North America. The same address was reported in multiple public reports and investigations as being used by scammers as an aggregator and off-ramp for stolen funds. In this case, the significant number of transfers from multiple cash-to-crypto service locations to the same address served as the trigger for investigators to identify the suspicious destination address.

Fortunately, one of the strengths of cryptocurrency is the ability to follow the flow of funds on-chain and share information across networks – such as Chainabuse – in near real-time. TRM is also working to hinder the ability of scammers to launder and cash out the proceeds of these exploits by identifying patterns such as the above, and surfacing wallet addresses known to be associated with cash-to-crypto scams in our compliance and forensics tools. These tools are used by crypto platforms, financial institutions and law enforcement agencies to detect and investigate scams and other illicit activity including money laundering, hacks and sanctions evasion.
