Understanding Parasite Exchanges: Backdoors of Illicit Finance in Crypto

TRM InsightsInsights
Understanding Parasite Exchanges: Backdoors of Illicit Finance in Crypto

TRM research shows that a majority of high-risk exchanges – those with weak or non-existent KYC and AML requirements – operate as “Parasite Exchanges.” Parasite exchanges rely on the architecture of a larger exchange to provide digital assets trading services to users, usually without the knowledge or consent of the host exchange.

TRM Labs also found that because almost two thirds are based in Russia and Iran, parasite exchanges are highly exposed to funds linked to sanctioned and other high-risk entities. This exposure partly explains why, although parasite exchanges facilitate just a fraction of the total volume of host exchanges, a much higher proportion of this volume is illicit compared to that of their mainstream hosts – about 100 times higher, TRM analysis shows.

Given the regulatory and reputational pitfalls of potentially facilitating illicit transactions, regulated host exchanges are highly susceptible to the risk posed by parasite exchanges. Yet, there are a number of ways digital asset service providers can identify and protect themselves against parasite exchanges that may be using their infrastructure.

How Parasite Exchanges Work

Parasite exchanges tap into the higher liquidity and lower transaction fees of the host exchange, while charging their users a marginally higher but still minimal fee. 

They are distinct from other nested crypto service providers and non-custodial exchanges, which establish official partnerships with well known globally recognized exchanges. Under these partnerships, when a user initiates a trade on their platform, the user’s request is routed to the most suitable exchange partner based on factors such as price, liquidity, and network fees. 

By contrast, parasite exchanges do not have contractual relationships with the host exchanges they exploit, instead operating without their host’s permission or knowledge. Multiple accounts, registered under fake or stolen identities or using shell companies, are often created using different credentials to make it harder for the host exchange to link them by effectively distributing the trading volume across multiple accounts.

How Exposure to Russia and Iran Elevates the Risk Profile of Parasite Exchanges

Nearly two-thirds of parasite exchanges appear to be based in Russia and Iran. This gives them significant exposure to sanctioned entities and other high-risk exchanges in these jurisdictions, to whom they often provide services, increasing their overall risk profile. As a result, the percentage of illicit volume processed by parasite exchanges is significantly – around 100 times – higher than that of their host exchanges. And yet parasite exchanges account for a negligible proportion of the overall volumes of their hosts, and represent only a thin slice of the total illicit volume on exchanges.

In Iran, the sanctions exposure of parasite exchanges stems from the fact that exchanges are subject to sanctions on account of their jurisdiction. 

Russia meanwhile is home to a number of high-risk exchanges, some of which have been sanctioned in recent years because of their illicit activities. A notable example was the Czechia-incorporated, Russia-based parasite exchange Suex, which was complicit in laundering millions of dollars for Russian ransomware groups. As TRM previously reported, in September 2021 Suex became the first cryptocurrency exchange to be sanctioned by OFAC. Other Russian high-risk exchanges Chatex and Garantex have since followed suit, becoming subject to OFAC sanctions on account of their involvement in money laundering in November 2021 and April 2022, respectively.

Other risks in Russia come from the role parasite exchanges play in the country’s darknet market (DNM) ecosystem, resulting in significant exposure to Hydra – the world’s largest DNM until it was sanctioned by OFAC in April 2022. 

How Parasite Exchanges Present Risks for Their Regulated Hosts  

Users may be drawn to parasite exchanges for a combination of reasons, including their instant and anonymous trading services, minimal fees and their tendency to support a wide range of cryptocurrencies and payment methods. 

Yet it is the regulated exchanges unwittingly sharing their infrastructure that bear the greatest risk burden from parasite exchanges. Hosting parasite exchanges and thereby potentially violating the terms of service and facilitating illicit transactions – including with sanctioned entities or jurisdictions – carries enormous regulatory, compliance and reputational risk.

The graph on the left shows an exchange that primarily hosts multi-use, high volume addresses, used by parasite exchanges to facilitate withdrawals, while the graph on the right shows an exchange that primarily hosts multiple single use, low volume deposit addresses, used by parasite exchanges to collect user deposits.

How Digital Asset Services Can Detect Parasite Exchanges

Digital asset services can detect parasite exchanges that may be operating on their infrastructure through a combination of the following methods and tools:

  • Transaction monitoring: Examining the movement of funds in and out of wallets on the platform enables host exchanges to spot patterns, such as high transaction volumes and repetitive deposit and withdrawals, which may signal the existence of a parasite exchange. 
  • Risk scoring: Host exchanges can assess user behavior through risk scoring systems. As our analysis shows, high risk scores resulting from large or frequent transactions with illicit counterparties can reveal the presence of a parasite exchange.
  • Compliance checks: Periodic audits of both business and personal accounts can allow host exchanges to identify users who appear to operate businesses via their personal accounts. Compliance teams can delve deeper into these accounts to ascertain whether a parasite exchange is involved.
  • Blockchain Intelligence: Sophisticated blockchain intelligence technology can help host exchanges identify nested services within their ecosystem. Proprietary features like TRM Ownership Analytics  examine on-chain transactions to detect patterns indicative of parasite exchanges, such as address collisions with exchanges that employ poor compliance standards, the reuse of wallets or the routing of funds through multiple wallets before reaching the host exchange. 
  • Information sharing: Collaborating with other exchanges and law enforcement agencies can yield valuable insights. In developing an understanding of parasite exchange activities, regulated exchanges can take appropriate measures by sharing data about suspicious accounts.

By employing the above strategies, regulated exchanges can uncover parasite exchanges and prevent them from abusing their platforms. This bolsters their security and reduces risks associated with money laundering and other illicit activities. 

TRM Labs’ risk management platform enables exchanges, custodians and other digital asset service providers to identify parasite exchanges within their infrastructure. Ownership Analytics – a feature of blockchain intelligence introduced by TRM Labs in 2020 – uniquely enables crypto businesses to detect parasite exchanges and other nested entities operating on their platforms.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Transaction Monitoring/Wallet Screening
Training Services
Training Services
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.