Illicit Crypto Ecosystem
A Comprehensive Guide to Illicit Finance Risks in Crypto
Confounding expectations, the collapse in cryptocurrency prices since 2021 had no meaningful impact on the dollar value of crypto-related crime in 2022. Indeed, TRM Labs data reveals at least USD 7.8 billion paid into Ponzi or pyramid schemes, USD 1.5 billion spent on darknet markets specializing in illegal drugs, and USD 3.7 billion stolen through hacks and exploits.
Among the possible reasons behind this resilience is crypto’s qualitative leap away from Bitcoin domination towards a new multi-chain reality that has given rise to novel threats.
For example, in 2022, approximately USD 2 billion was stolen through attacks on cross-chain bridges, which enable cryptocurrency to pass from one blockchain to another. Criminals also increasingly rely on chain-hopping, or moving funds through various blockchain networks, as part of their money laundering strategies to obscure the source and destination of ill-gotten gains.
The multi-chain era has had a sweeping impact on the distribution of illicit crypto volume as a whole: Bitcoin’s share plummeted from 97% in 2016 to 19% in 2022. In 2016, two thirds of crypto hack volume was on Bitcoin; in 2022, Bitcoin accounted for just under 3%, with Ethereum (68%) and Binance Smart Chain (19%) dominating the field. And while Bitcoin was the exclusive currency for terrorist financing in 2016, by 2022 it was all but replaced by assets on the TRON blockchain, which accounted for 92%.
Yet until now, there has been no systematic attempt to create a holistic overview of this new illicit crypto ecosystem. In the first guide of its kind, TRM Labs has identified, studied and classified over 40 types of criminal activity, from espionage to SIM swapping and pump and dump schemes.
This landmark report spans over 20 blockchains and covers all major known forms of crypto-mediated illicit finance, as well as the use of cryptocurrency to launder the proceeds of crime.
The first section maps out criminal activities that generate crypto proceeds of crime including illicit commerce, illicit payments, fraud, and theft. The second section catalogs the way the crypto ecosystem is used in laundering proceeds of crime, whether fiat or crypto.
Through original research, case studies and an analysis of specific risks, this report offers insights into the complex dynamics of the illicit crypto ecosystem and contributes to a better understanding of the challenges faced by regulators, law enforcement agencies and industry stakeholders.
Understanding these risks is crucial for law enforcement to combat wrongdoing, for financial institutions and businesses to ensure that their platforms are not used to launder illicit funds, and for policy makers and regulators to assess, respond to, mitigate and prevent the full gamut of blockchain-mediated illicit activity.
Illicit Crypto Ecosystem Report
This section presents an analysis of criminal activities that may generate cryptocurrency proceeds. While fiat currencies, particularly the US dollar, dominate illicit transactions, the utilization of crypto in illicit activity offers critical benefits in the fight against financial crime. The transparent and traceable nature of crypto transactions facilitates two unique benefits: (1) the systematic measurement of illicit activity, leading to insights into criminal networks and typologies, (2) an ability to "follow the money" in criminal investigations that is faster and more effective than following the money in cash. By leveraging the transparency and traceability of crypto transactions, we not only gain valuable tools for measuring illicit activity and understanding criminal networks but also contribute to the development of a more resilient and secure financial ecosystem.
1. Illicit Commerce
Illicit commerce involves the trade in illegal goods and services. While the vast majority of illicit commerce continues to use fiat currency such as the US dollar, cryptocurrency is the preferred medium of exchange on darknet marketplaces, cybercrime forums, and on CSAM sites. Darknet markets (DNMs), which specialize in selling drugs and also offer personally identifiable information (PII), are the biggest drivers of illicit commerce using cryptocurrency. A smaller and more elusive subset of illicit commerce concerns child sexual abuse materials (CSAM).
Illicit Drug Trafficking
The crypto-mediated illicit drugs trade mostly takes place on DNMs - multi-vendor online illicit global commerce platforms located on the “darknet”, an encrypted section of the internet neither accessible from standard internet browsers nor indexed by search engines.
An established form of transnational organized crime, DNMs combine anonymization networks and cryptocurrencies with encryption technologies. They are distinct from independent single-vendor shops that also sell illicit drugs, and from other types of fraud stores.
As much as USD 1.49 billion was spent on DNMs in 2022, according to TRM Labs research. Over 80% of this was spent on Russian-language DNMs. By contrast, the largest Western Bitcoin DNM currently in existence – ASAP Market – accounted for less than 10% of global DNM market share. Most Russian-language DNMs only support Bitcoin, with no privacy coin options available. This may reflect their lower perceived risk of being taken down by the authorities. By contrast, Western DNMs employ more on-chain operational security measures and either offer Monero only or Monero alongside Bitcoin.
Forms of illicit commerce described in section 1 are often facilitated by cybercrime forums. Also known as dark web or darknet forums, these are platforms where cybercriminals discuss, sell, and promote illicit activity anonymously. In doing so, these forums play a significant role in connecting and driving cybercrime. Cybercrime forums derive their income from registration fees, advertisements, escrow services and account status upgrades.
Two prominent examples of such forums studied by TRM Labs are Exploit.in and Cracked.io. Exploit is a Russian cybercrime forum established in 2005. Discussions on the forum focus on sharing exploits and vulnerabilities of various computer systems. Exploit is also a marketplace for initial accesses, digital goods, malware and so-called zero-day vulnerabilities – security flaws in a software application or system that are unknown to the vendor or developer and for which no patch or fix has been released.
Cracked is a well-known English-language hacking forum, with more than 3.5 million users and 22.6 million posts on hacking, cracking, leaks and related topics. Cracked also includes a marketplace for illicit products. This platform periodically changes its cryptocurrency wallets.
Credit Card (CC) Checkers
Illicit Trafficking of Stolen Goods
Cryptocurrency has long been linked to the receipt and trafficking of stolen goods. The darkweb is replete with illicit marketplaces that accept cryptocurrency in exchange for stolen credit card details, personally identifiable information (PII), counterfeit goods and other products. There have also been reports of darknet-enabled illicit commerce involving antiquities and other significant cultural artifacts.
Carding and Personally Identifiable Information (PII)
Intellectual Property Crime
Human Trafficking and Migrant Smuggling
Despite claims that crypto is used as a means of payment for human trafficking, TRM research suggests that the most prominent nexus between crypto and human trafficking is the use of human trafficking to prop up cryptocurrency scams and frauds.
For example, human trafficking victims have been found to be working in illegal call centers run by Chinese criminal syndicates operating cryptocurrency pig butchering scams. These scams rely on psychological manipulation to wipe out victims’ life savings on the promise of making large returns on their investments. According to the FBI, people lured by false job advertisements offering lucrative pay later have their passports confiscated and are coerced into committing crypto fraud. More recently, authorities in the Philippines reportedly rescued victims who had allegedly been trafficked to work in a crypto scam call center based in Cambodia.
Child Sexual Abuse and Exploitation Material (CSAM)
CSAM includes imagery or videos that show a child engaged in or depicted as being engaged in explicit sexual activity.
TRM has analyzed over USD 3 million sent to cryptocurrency addresses involved in CSAM activities online in 2022. More than two thirds of those payments appear to have been made to CSAM scammers, who attempt to convince would-be buyers of CSAM images to pay for images or VIP access to galleries that turn out not to exist.
The disproportionate share of funds received by CSAM scammers, who advertise widely on the darknet and deal almost exclusively in cryptocurrency, can be explained at least in part by the fact that true CSAM vendors seldom publicly promote their activity and continue to favor traditional finance channels.
By studying the properties and behaviors of CSAM actors, blockchain intelligence can allow investigators to identify international CSAM networks, profile persistent CSAM customers, and expose vendors that impersonate scammers in order to evade law enforcement attention by hiding in plain sight.
Murder for Hire
The past few years have witnessed a rise in the attempted use of cryptocurrency to pay for contract killings. It should be noted that there have been no publicly documented examples of a completed murder-for-hire scheme paid for in cryptocurrency at the time of publication. However, there is evidence of demand for such services, as shown by the prosecution of several individuals who have attempted to pay for contract killings with cryptocurrency.
In 2022, a Los Angeles man pleaded guilty to a federal murder-for-hire charge after sending USD 13,000 worth of bitcoin to a darknet website to hire a hitman to kill a woman who had rebuffed his advances.
Other instances of people accused of using cryptocurrency to pay hitmen have been reported elsewhere. In 2022, a Mississippi resident received a 10-year prison sentence for attempting to have her husband killed for a USD 10,000 fee in bitcoin.
Such events have not been confined to the US. In 2021, Europol and the Italian police collaborated to arrest a man suspected of paying EUR 10,000 in bitcoin to hire an assassin to kill his ex-girlfriend. In that instance, the virtual asset service provider (VASP) involved in the transfer of the bitcoin to the would-be killer cooperated with authorities in providing details of the suspect.
2. Illicit Payments
Cryptocurrency has been used to evade capital controls and make illicit payments to terrorist groups, corrupt officials or sanctioned jurisdictions and individuals. “More crypto usage is empirically associated with higher perceived corruption and more intensive capital controls,” stated a 2022 working paper from the International Monetary Fund. It found that “countries with weaker control of corruption (more corruption) and lower degree of capital openness (more capital controls) tend to have a larger share of crypto adoption, suggesting that crypto assets may be used to transfer corruption proceeds or circumvent capital controls.”
Terrorist financing refers to the provision of financial support to terrorist organizations and individuals involved in terrorist activities. Cryptocurrency has been used for terrorist financing due in part to its perceived anonymity and ease of cross-border transfers.
Fundraising campaigns for ISIS families held in internment camps in northeastern Syria have been a significant driver of cryptocurrency usage among ISIS and its supporters. TRM Labs identified dozens of fundraising campaigns that accepted cryptocurrency in 2022, raising between a few dollars and tens of thousands.
TRM Labs also identified multiple pro-ISIS groups in Pakistan and Tajikistan raising tens of thousands of dollars in cryptocurrency to spread propaganda and recruit fighters. Over the course of 2022, TRM Labs has observed a significant increase in the use of the TRON blockchain among terrorist groups and associated fundraising campaigns, with some using it exclusively. The overwhelming majority of those actors collected donations in the stablecoin Tether (USDT). Among the terror financing entities tracked by TRM Labs in 2022, there was a 240% year-on-year increase in the use of Tether - against a mere 78% rise in Bitcoin use.
In 2022, multiple terror financing entities, including Syria-based cryptocurrency exchanges involved in terror financing campaigns, began experimenting with decentralized exchanges. Decentralized exchanges (DEXs) are peer-to-peer marketplaces where individuals can trade cryptocurrencies in a non-custodial manner.
Bribery and Corruption
There have been several high-profile cases of proven or alleged bribery involving crypto. In 2021, FTX founder Sam Bankman-Fried allegedly gave a USD 40 million cryptocurrency bribe to Chinese officials in exchange for unfreezing company accounts containing over USD 1 billion worth of cryptocurrency.
In 2022, the US Department of Justice accused two Chinese intelligence officers of allegedly attempting to bribe a US government employee with USD 61,000 in bitcoin to steal documents related to an investigation into Chinese tech giant Huawei.
Cryptocurrencies can also be used to influence voters during election campaigns. In 2019, a gubernatorial candidate in St Petersburg, Russia, handed out crypto tokens to voters on the campaign trail.
Espionage activities can involve the covert transfer of funds to support intelligence gathering or other covert operations. Cryptocurrencies can provide a discreet and secure means of transferring funds, making them an attractive option for state or non-state actors engaged in espionage.
In November 2022, US nuclear engineer Jonathan Toebbe and his wife Diana were sentenced to 18 and 21 years in prison respectively for attempting to pass secret nuclear propulsion technology to a third country. In their exchanges with FBI agents posing as foreign officials, the couple requested payment in the Monero privacy coin.
The use of privacy-focused cryptocurrencies or mixing services can further enhance the anonymity of transactions, making it more difficult for authorities to trace the source or destination of the funds. In December 2022, Iran executed four alleged Israeli spies who were accused of receiving payment in cryptocurrency. That same year, South Korea arrested two of its nationals for allegedly accepting cryptocurrency to spy on behalf of North Korea.
Export Control Evasion
Export control evasion involves using cryptocurrencies to bypass state capital controls and restrictions on the export of certain goods or technology. Individuals can use digital assets to facilitate payments for prohibited items, circumventing traditional financial systems that might flag or block such transactions.
A 2019 study by researchers at the Chinese University of Hong Kong, Deakin University and the University of Technology Sydney found that cryptocurrency was being widely used by traders in China to circumvent capital controls.
US officials have long warned that North Korea, Iran and Russia could use cryptocurrency to evade sanctions. The European Union has also taken steps to prevent crypto from being used by Russia to evade international sanctions imposed after its invasion of Ukraine in 2022.
On-chain analysis has yet to show this happening to a significant degree today. Experts believe this is likely to be due to crypto’s current lack of liquidity relative to a country’s economy.
Nevertheless, Russia, Iran and North Korea have been observed using crypto to offset the impact of international sanctions by conducting cyberattacks and mining bitcoin: both practices generate revenues that help make up for lost trade and investment. In 2022, the US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned a Russian cryptocurrency mining company in order to prevent mining from becoming a “mechanism for the Putin regime to offset the impact of sanctions”.
OFAC has also sanctioned cryptocurrency addresses related to facilitators of North Korean weapons proliferation and Russian paramilitary groups. Additionally, the US Treasury has used sanctions to target money laundering linked to sanctions evasion. For example, in 2022, OFAC sanctioned Ethereum-based mixing service Tornado Cash for its involvement in laundering hacked and stolen funds by North Korea.
Proliferation financing involves the use of cryptocurrencies to fund the development or acquisition of weapons of mass destruction (WMD) or related materials. By using digital assets, parties involved in proliferation activities can avoid the scrutiny of traditional financial systems and evade international non-proliferation regimes.
In April 2023, the US, Japan and South Korea accused Pyongyang of funding its WMD programme using stolen cryptocurrency.
3. Fraud and Scams
Cryptocurrency fraud and scams include investment fraud such as pyramid schemes, insider trading, phishing attacks geared towards stealing private keys and exchange credentials, pig butchering and impersonation-based scams such as business email compromise (BEC). Scammers also resort to attempts at blackmail, in which they claim to possess sensitive or damaging information and demand cryptocurrency payment for its return or suppression.
Although “fraud” and “scam” are often used interchangeably, the cryptocurrency community typically refers to “scams.” Generally, the concept refers to people being deceived into sending cryptocurrency and other digital assets (or clicking on something that enables the transfer) to a destination they would not have sent them to had they known the truth.
Many types of fraud can coexist within the same scheme. For example, a pig butchering scheme can involve a romance scam, an investment scam, an advance fee scam and an asset recovery scam. Equally, an investment scheme operating around a new token can involve market manipulation, a pyramid scheme and an exit scam.
TRM Labs identified about USD 9.04 billion being sent to various types of fraud schemes in 2022, with the large majority going to apparent Ponzi and/or pyramid schemes.
Investment fraud centers on the solicitation of funds for fraudulent investments or projects. In the cryptocurrency space, these often involve fake initial coin offerings (ICOs), unregistered securities or fraudulent investment platforms. Investment fraud involving cryptocurrency rose by nearly 200% from USD 907 million in 2021 to USD 2.57 billion in 2022, according to the FBI’s annual Internet Crime Report.
Pyramid and Ponzi Schemes
Deceptive Smart Contracts
Deceptive smart contracts are intentionally designed to trick users into transferring funds or granting permissions to them. The most notable example of this is drainware – smart contracts that, upon interaction, grant the attacker permission to move funds from the victim’s wallet. Spoof tokens are another form of deceptive smart contracts.
Exit scams, also known as rugpulls, occur when the operators of a project – one often related to investments or a new token – stop developing the project and withdraw user funds for themselves. They can either happen abruptly where project devs and funds suddenly disappear, or they can occur more slowly, where money is siphoned off a bit at a time and devs get less and less active. Sometimes, projects are called rugpulls by the community when they overpromise and underdeliver, though this is more difficult to outright label as fraud.
Often they target decentralized finance (DeFi) projects. In a rugpull related to a new token, the project creators can withdraw liquidity from the trading pool, causing the value of the associated tokens to plummet. Investors are left with worthless tokens and no way to recover their funds. Many pyramid and Ponzi schemes end in exit-scam-like behavior, where payouts stop being made to investors and the creators of the scheme take the remaining funds and disappear.
In June 2022 the US Department of Justice charged a Vietnamese national with one count of conspiracy to commit wire fraud and one count of conspiracy to commit international money laundering. Le Anh Tuan had created an NFT project called Baller Ape Club, which sold NFTs of cartoon monkeys. According to the indictment, once Tuan and his co-conspirators had collected some USD 2.6 million from investors, they carried out a rugpull, ending the purported investment project, deleting its website, and stealing the investors’ money.
Frosties NFT was another NFT project that promised exclusive digital art and collectibles. However, shortly after the project's launch the two 20-year-old creators shut down its website and Discord servers, removed the liquidity from the trading pool and disappeared with USD 1.1 million of investors' funds. According to the DOJ complaint, the duo transferred the proceeds from the scheme to various cryptocurrency wallets under their control in multiple transactions designed to obfuscate the original source of funds. They were later arrested and charged with wire fraud and conspiracy to commit money laundering.
Phishing involves the use of fraudulent emails, websites, or messages to trick users into revealing sensitive information, such as private keys or login credentials. In the cryptocurrency space, phishing attacks may target users of digital wallets or exchanges, leading to the theft of funds.
Crypto-related phishing attacks grew in prominence during the 2017 Initial Coin Offering (ICO) boom. Victims targeted in these phishing attacks would only lose the amount of cryptocurrency they sent to the wrong address in error. As NFTs entered the mainstream, attackers began to target novice NFT investors by exploiting the “FOMO” – fear of missing out – and hype surrounding the NFT world.
TRM Labs has observed hundreds of phishing attacks over the last year targeting NFT projects, where real-time messaging across multiple platforms has enabled attackers to target NFT investors by publishing phishing website links at a rapid pace.
“Address poisoning”, a relatively new type of phishing, rose to prominence in 2022. It involves the scammer creating an address that resembles one to which the intended victim had previously sent funds. The scammer then sends a small amount of cryptocurrency to the target in the hope that they will unwittingly make a future payment to that scam address in place of their intended recipient.
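A defensive check for the address-poisoning pattern described above, added here as an example and not taken from TRM Labs' report or tooling. It assumes Ethereum-style hex addresses, models "resembles" as a match on the first and last four characters (the parts a truncated wallet display shows), and uses a hypothetical dust threshold; every address and transfer below is constructed.

```python
from dataclasses import dataclass

# Assumptions (not from the report): wallet UIs show only the first and last
# few characters of an address, so "resembles" is modelled as both ends matching.
PREFIX_LEN = 4          # hex characters compared after the "0x"
SUFFIX_LEN = 4
DUST_THRESHOLD = 0.01   # assumed cut-off, in token units, for a "small amount"


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: float


def norm(addr: str) -> str:
    """Lower-case and strip '0x' so checksum casing does not affect comparison."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def resembles(candidate: str, known: str) -> bool:
    """True when candidate is a *different* address whose visible ends match known."""
    c, k = norm(candidate), norm(known)
    if c == k or len(c) != len(k):
        return False
    return c[:PREFIX_LEN] == k[:PREFIX_LEN] and c[-SUFFIX_LEN:] == k[-SUFFIX_LEN:]


def find_poisoning(wallet: str, history: list[Transfer]) -> list[dict]:
    """Walk the history in order and flag small inbound transfers whose sender
    imitates an address the wallet had already paid at that point."""
    me = norm(wallet)
    paid: dict[str, str] = {}   # normalised address -> address as first seen
    alerts = []
    for t in history:
        if norm(t.sender) == me:
            paid.setdefault(norm(t.recipient), t.recipient)
        elif norm(t.recipient) == me and t.amount <= DUST_THRESHOLD:
            for known in paid.values():
                if resembles(t.sender, known):
                    alerts.append({"lookalike": t.sender,
                                   "imitates": known,
                                   "amount": t.amount})
    return alerts


def check_destination(dest: str, trusted: list[str]) -> str:
    """Pre-send check against an address book: 'trusted', 'lookalike' or 'unknown'."""
    if any(norm(dest) == norm(t) for t in trusted):
        return "trusted"
    if any(resembles(dest, t) for t in trusted):
        return "lookalike"
    return "unknown"


# Constructed sample data: none of these are real addresses.
WALLET = "0x" + "1" * 40
SUPPLIER = "0xA1b2" + "c" * 32 + "9f3E"    # address the wallet really pays
LOOKALIKE = "0xa1b2" + "d" * 32 + "9f3e"   # same visible ends, different middle
UNRELATED = "0x" + "7" * 40

HISTORY = [
    Transfer(WALLET, SUPPLIER, 250.0),     # genuine payment
    Transfer(UNRELATED, WALLET, 0.005),    # small, but sender is not a lookalike
    Transfer(LOOKALIKE, WALLET, 0.0),      # small transfer from a lookalike
]

if __name__ == "__main__":
    for alert in find_poisoning(WALLET, HISTORY):
        print("possible address poisoning:", alert)
    print("pre-send check:", check_destination(LOOKALIKE, [SUPPLIER]))
```

The same comparison is most useful at send time: a destination that returns "lookalike" should be verified against the full address rather than the truncated form shown in transaction history.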
Related to phishing, impersonation scams involve criminals posing as well-known individuals or organizations to deceive victims into sending funds or revealing sensitive information. In the cryptocurrency space, impersonation scams may involve criminals pretending to be representatives of exchanges, wallet providers or celebrities to trick users into sending cryptocurrencies to fraudulent addresses or divulging sensitive information.
Scammers can create fake websites or social media accounts that resemble legitimate crypto exchanges or wallet providers. They impersonate customer support agents and reach out to unsuspecting users, offering assistance with technical issues or account problems. The users are persuaded to share their login credentials, private keys, or sensitive information, allowing the scammers to steal their funds.
Similarly, scammers also create fraudulent websites, social media accounts, or email campaigns to impersonate legitimate crypto projects. Unsuspecting users send their cryptocurrencies, but the scammers disappear with the funds, leaving investors with nothing.
Business Email Compromise
Business email compromise (BEC) is a type of scam where criminals impersonate a legitimate business or organization to trick employees or partners into transferring funds or revealing sensitive information.
BEC scams may involve the compromise of email accounts belonging to employees of exchanges, wallet providers, or other organizations, leading to the theft of funds or sensitive data. In 2022, BEC accounted for USD 2.7 billion (crypto and fiat) in losses reported by victims to the FBI’s Internet Crime Complaint Center (IC3).
Illicit Commerce Scams
For almost every type of illicit commerce or activity in the crypto space, there is a scam version of it, sometimes found on the dark web. TRM Labs has found scam money laundering services, carding shops, drug vendors, murder-for-hire providers, weapons dealers, CSAM sellers, hacking services, market manipulation services, scam-as-a-service providers and ransomware sellers.
Blackmail scams typically involve the scammer sending threatening emails to random recipients, claiming knowledge of infidelity, pornography use or other potentially embarrassing personal details that would be released publicly unless a cryptocurrency payment was made.
In many cases, the scammer does not in fact have the information in question. The most common type appears to be “sextortion”, where the scammer emails hundreds or thousands of people claiming to have installed malware on their computer or phone that recorded the recipient viewing pornographic sites. They then instruct the intended victim to send cryptocurrency – usually bitcoin – to the scammer in order not to have the videos sent to their friends and family.
Scammers are creative and can make a scam version out of nearly any activity. As such, there are many other types of scams than those mentioned in this paper. They include asset recovery scams, overpayment scams, money mule scams, different variations of the advance-fee scam, and the basic scam of simply not giving the buyer what they purchased.
Misappropriation of Funds
Misappropriation of funds often occurs as part of many of the other frauds and scams mentioned here, though it can also occur independently. It is related to, but in some jurisdictions is a separate crime from, embezzlement.
Misappropriation of funds frequently accompanies investment fraud schemes, where, instead of investing customer funds as promised, the operator of the scheme instead diverts them either for personal use – such as to buy luxury goods – or for other business purposes. For example, the SEC alleges that the former CEO of Alameda Research “used misappropriated FTX customer funds for Alameda’s trading activity.”
In 2021, a Microsoft employee was arrested for allegedly misappropriating USD 10 million in company funds by secretly creating thousands of official Xbox gift card codes that he then sold at a discount online in exchange for cryptocurrency.
Crypto extortion can take many forms. At its most basic, it involves individuals threatening their victims and demanding payment in cryptocurrency. It can also involve the use of malicious software known as ransomware. As such, it is often prosecuted in the US under fraud statutes.
In May 2023 a former employee of a public New York-based technology company was sentenced to six years in prison for stealing company files and demanding nearly USD 2 million for their return. In 2019, a group of Russian secret service agents were reported to have extorted a media mogul in exchange for USD 670,000 worth of bitcoin.
Other variations of extortion begin with the scammer using phishing techniques to take control of the victim’s Instagram profile. The criminals then force the victims into filming videos instructing their followers to participate in fraudulent get-rich-quick Bitcoin schemes.
Yet by far the biggest driver of crypto extortion is ransomware, which has also increasingly been adopted by groups targeting countries’ national security infrastructure (see below).
Kidnap for Ransom
Market manipulation in the cryptocurrency space can involve various schemes designed to artificially influence the price of a cryptocurrency or token. These schemes can include pump and dump schemes, scalping, touting, and front-running.
One of the most prominent recent examples of this practice took place in October 2022, when the Solana-based platform Mango Markets lost around USD 115 million when a group manipulated its price oracle, the authority that determines a token’s value. The hackers’ self-proclaimed leader, Avraham Eisenberg, later revealed his identity and characterized his team’s activities as a “highly profitable trading strategy” rather than a hack.
Eisenberg initially reached an agreement with Mango Markets to return around USD 70 million in exchange for a promise not to pursue criminal charges against him. Nevertheless, he was arrested by US officials in December 2022 and charged by the SEC with violating anti-fraud and market manipulation provisions of the securities laws. Eisenberg was later also sued by Mango Markets to return his remaining USD 47 million plus interest.
Also in December 2022, the SEC charged leaders of Alameda Research and FTX with manipulating the price of FTX’s FTT Token “by purchasing large quantities on the open market to prop up its price.”
Pump and Dump Schemes
Crypto insider trading entails the use of non-public information to purchase cryptocurrency or other digital assets ahead of exchange listing announcements and profiting from the price surge that follows an announcement. As much as USD 24 million worth of ERC20 tokens was linked to insider trading in 2022 alone, generating at least USD 5.5 million in profit for the traders, according to proprietary research by Argus Inc, a blockchain insider trading and front-running analytics firm. Many of these wallets have continued to be active into 2023.
In June 2022 a former employee of an NFT marketplace became the first individual to be charged with wire fraud and money laundering in connection with a scheme to commit insider trading in NFTs by using confidential information about what NFTs were going to be featured on the exchange’s homepage. Others have since faced similar charges.
Cryptocurrency “poses a significant detection problem by facilitating illegal activity broadly including tax evasion”, according to a US Treasury report released in 2021. High net worth individuals may shift taxable assets into the crypto economy to avoid tax, as governments may not be able to trace crypto income or transactions if they go unreported by exchanges, businesses and other third parties.
A 2022 study found that crypto investors were likely paying less than half the taxes they owed. In response to these tax evasion concerns, in 2022 the European Commission proposed an amendment to the Directive on Administrative Cooperation (known as DAC8) that would widen tax reporting and information sharing requirements relating to holders of crypto and some NFTs. The new rules are likely to come into force in mid-2023.
Theft is the biggest driver of crypto crime. It comprises a wide array of malfeasance, from hacks and exploits to robbery. In total, nearly USD 4 billion was stolen in 2022 through the main types of crypto theft studied by TRM Labs.
Hacks and Exploits
The year 2022 was the biggest on record for cryptocurrency hacks and exploits, with about USD 3.7 billion stolen across over 175 incidents, according to a review of attacks by TRM Labs. The average hack was over USD 20 million per incident.
Hacks and exploits can be divided into smart contract and infrastructure attacks. The former group encompasses code exploits and protocol attacks; the latter includes private key theft and SIM swapping, among others.
Nearly 90% of the USD 3.7 billion stolen last year was through infrastructure attacks and code exploits, with most of the remaining value stolen from protocol attacks. The most common attack type in 2022 was code exploits, at 57 incidents, followed by infrastructure attacks (52) and protocol attacks (45). There were nearly 15 attacks per month on average in 2022, roughly one hack every two days.
Attacks against DeFi projects were more common and damaging than attacks against CeFi targets in 2022, with approximately 80% of all stolen funds, or USD 3 billion, involving DeFi victims and nine of the ten largest attacks occurring against DeFi projects. Flaws in smart contracts, a key component of DeFi that facilitate automation and transparency, provide attackers a seemingly endless supply of bugs to exploit.
Smart Contract Attacks
Cryptocurrency robberies involve the use of force, coercion, or threats to physically steal cryptocurrencies from victims. Sometimes known as “five dollar wrench attacks”, such robberies can occur during in-person transactions, such as buying or selling cryptocurrencies, or in more sophisticated and organized criminal operations.
In 2022, police in Sweden were called to an incident involving an assault on a couple by armed strangers who broke into their home, tied them up, and forced them to transfer their cryptocurrency at gunpoint. During the same year, a Canadian man was held at gunpoint, tied up and assaulted during an in-person deal to exchange bitcoin for cash.
Money laundering amplifies the total amount of illicit activity in the ecosystem because all transactions made to try to launder funds are themselves illicit. It involves processing the criminally-derived funds in order to disguise their illicit origin.
This is done largely through the abuse of otherwise legitimate tools, such as privacy coins and cash-to-crypto services. However, money launderers also leverage darknet markets and cybercrime services, creating a multiplier effect on total illicit activity.
Cryptocurrency services are attractive to money launderers for many of the same factors appreciated by regular consumers: fast transfers, pseudo-anonymity and convenience. Criminals are interested in collecting funds via a non-reversible format that is nearly instantaneous.
Money laundering involving cryptocurrency largely follows the same path as its conventional counterpart, starting with placement, followed by layering and integration. This section maps the key mechanisms for money laundering within the crypto ecosystem.
During this initial stage of money laundering, criminals can use the profits obtained through illegal activity to purchase cryptocurrencies. In cases where the initial funds are received in cryptocurrency, for example from theft, extortion or illicit commerce, placement involves obscuring their origins and converting them into more widely-accepted or less traceable forms.
The form that placement takes depends on the type of predicate crime and the service used. In cases of fraud, particularly pig butchering and romance scams, victim funds often enter the crypto ecosystem through cash-to-crypto services. Ransomware perpetrators, on the other hand, tend to require victims to use a third-party service or VASP in order to make a payment.
Among the fastest ways to convert fiat currency into cryptocurrency and vice-versa is through cash-to-crypto services. Of these, crypto ATMs are the most popular. These kiosks allow customers to insert banknotes, buy cryptocurrency and send it directly to a wallet without needing an exchange or even a bank account. There are over 30,000 crypto ATMs around the world, over 90% of which are located in North America.
Crypto ATMs and other cash-to-crypto services are not illegal; however, they can be an appealing payment method for cybercriminals and other illicit actors. In 2022, over USD 40 million was sent to known scam addresses via cash-to-crypto services, according to research by TRM Labs. These addresses were linked to perpetrators of romance scams, investment scams, impersonation scams and others, with the cash-to-crypto services acting as neutral platforms enabling payment by victims.
In the case shown above, a single exchange address received funds from 40 different cash-to-crypto service ATMs located all over North America. The same address was reported in multiple public reports and investigations as being used by scammers as an aggregator and off-ramp for stolen funds. In this case, the significant number of transfers from multiple cash-to-crypto service locations to the same address served as the trigger for investigators to identify the suspicious destination address.
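The trigger described above, many separate cash-to-crypto locations paying into one address, can be expressed as a fan-in rule. The Python sketch below is an added example, not TRM Labs code: the kiosk ids, addresses, amounts, the 30-day window and the four-source threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def day(offset):
    """Timestamp `offset` days after 1 January 2022 (used to build the sample)."""
    return datetime(2022, 1, 1) + timedelta(days=offset)


# Constructed sample: (timestamp, source kiosk, destination address, USD value).
# Kiosk ids and addresses are placeholders, not real identifiers.
TRANSFERS = [
    # Five different kiosks paying one address within three weeks.
    (day(0), "kiosk-01", "addr_AGG", 900.0),
    (day(3), "kiosk-02", "addr_AGG", 1500.0),
    (day(5), "kiosk-03", "addr_AGG", 700.0),
    (day(9), "kiosk-04", "addr_AGG", 2000.0),
    (day(20), "kiosk-05", "addr_AGG", 1200.0),
    # A regular customer who always uses the same kiosk.
    (day(1), "kiosk-01", "addr_REG", 100.0),
    (day(8), "kiosk-01", "addr_REG", 100.0),
    (day(15), "kiosk-01", "addr_REG", 100.0),
    # Four kiosks, but spread across most of a year.
    (day(0), "kiosk-02", "addr_SLOW", 300.0),
    (day(90), "kiosk-03", "addr_SLOW", 300.0),
    (day(180), "kiosk-04", "addr_SLOW", 300.0),
    (day(270), "kiosk-05", "addr_SLOW", 300.0),
]


def peak_distinct_sources(events, window):
    """Largest number of distinct sources seen in any span of length `window`.

    `events` is a list of (timestamp, source) sorted by timestamp.
    """
    counts = defaultdict(int)   # source -> occurrences inside the current window
    left = 0                    # index of the oldest event still in the window
    peak = 0
    for ts, source in events:
        counts[source] += 1
        # Drop events that have fallen out of the window ending at `ts`.
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        peak = max(peak, len(counts))
    return peak


def flag_fan_in(transfers, min_sources=4, window_days=30):
    """Return {destination: (peak distinct sources, total USD received)} for
    destinations paid by at least `min_sources` different kiosks within any
    span of `window_days` days. Both thresholds are assumptions to be tuned."""
    window = timedelta(days=window_days)
    by_dest = defaultdict(list)
    totals = defaultdict(float)
    for ts, source, dest, usd in transfers:
        by_dest[dest].append((ts, source))
        totals[dest] += usd
    flagged = {}
    for dest, events in by_dest.items():
        events.sort()
        peak = peak_distinct_sources(events, window)
        if peak >= min_sources:
            flagged[dest] = (peak, totals[dest])
    return flagged


if __name__ == "__main__":
    for dest, (peak, usd) in flag_fan_in(TRANSFERS).items():
        print(f"{dest}: {peak} distinct kiosks within 30 days, USD {usd:,.0f}")
```

The repeat customer and the slow, year-long pattern stay below the threshold; only the address fed by five kiosks in three weeks is flagged.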
As a reflection of the use of cash-to-crypto services by illicit actors, state and local police departments regularly receive reports of victims being coerced into sending cryptocurrency to fraudsters through crypto ATMs.
These victim payments are often representative of placement in the money laundering context.
In March 2023, authorities in New York arrested a man accused of helping to launder over USD 1 million in fraudulently-obtained small business loans which were offered as part of the US government’s COVID-19 relief strategy. He allegedly converted some of the funds to bitcoin and “used a portion of the rest to start his own lucrative cryptocurrency ATM business.”
Parasite VASPs rely on the architecture of a larger exchange to provide digital assets trading services to users, often without the knowledge or consent of the host exchange. Criminals and sanctioned individuals may use parasite VASPs to move their illicit proceeds through the crypto ecosystem to make the transactions appear legitimate. Parasite exchanges usually have weak to non-existent Know-Your-Customer (KYC) and AML requirements, which can make them a preferred vehicle of cybercriminals and money launderers for moving funds.
Relative to their volume, parasite exchanges facilitate as much as 100 times more illicit on-chain activity than their mainstream counterparts, according to research by TRM Labs. Funds linked to sanctioned entities account for over half of the illicit volume processed by parasite exchanges. This is partly because nearly two-thirds of parasite exchanges appear to be based in Russia and Iran, with the Iranian exchanges being sanctioned based on their jurisdiction. SUEX, a crypto exchange and OTC broker sanctioned by OFAC in 2021, operated as a parasite exchange and was complicit in laundering millions of dollars for Russian ransomware groups.
Parasite exchanges were also found to play an important role in the Russian darknet market ecosystem, resulting in significant exposure to Hydra - the world’s largest DNM until its sanctioning by OFAC in April 2022. Even controlling for sanctions exposure, TRM Labs research found parasite exchanges to carry 45 times more illicit exposure than compliant exchanges, as a percentage of their volume.
High-risk exchanges and other VASPs are characterized by lax compliance controls or are located in jurisdictions with weak regulatory oversight, which makes them attractive channels for money laundering activities. Over the course of 2022, TRM Labs tracked more than 500 active high-risk exchanges that together transferred tens of billions of dollars in value.
High-risk VASPs share a combination of the following characteristics:
- Exhibit elevated counterparty risk exposure to darknet marketplaces, scams, cybercrime services and other instances of illicit on-chain activity such as money laundering
- Facilitate transactions using accounts of other exchanges without having a contractual relationship with them
- Use multiple accounts registered under fake or stolen identities to distribute their trading activity, making it harder for the host exchange to detect them
- Have inadequate KYC and AML procedures as well as weak or non-existent identity verification processes, making it easier for criminals to use these platforms for illegal activities
- Offer services that allow users to directly convert cryptocurrencies to cash or vice-versa, which helps to anonymize funds and avoid detection of illicit activities by authorities
- Operate from sanctioned jurisdictions or those listed on FATF Black and Grey lists
In addition to their primary role in crypto crime – the sale of illicit drugs – darknet markets (DNMs) are also involved in the laundering of proceeds from crime. Over the course of 2022, TRM Labs has witnessed a rise in international criminals using Russian-language DNMs to launder money.
Cryptocurrency payment processors are legitimate services that help individuals and businesses accept cryptocurrency as payment. These payment processors create payment addresses for customers and provide services that allow them to accept payments directly from their own websites, such as via an API, in return for a small percentage of the transaction value.
Payment processors can be abused by criminals seeking to launder money, most commonly in placement and layering. Lightly regulated, they often have little to no KYC. By allowing users to create new addresses for every payment – or in some cases, reuse addresses for different actors – payment processors can make it more difficult for investigators to follow the flow of funds.
OTC (Over-the-Counter) Desks
OTC desks allow users to exchange crypto for fiat and vice-versa without a centralized exchange or broker. They tend to specialize in larger sums. Although some established exchanges have proprietary OTC operations that are subject to stringent oversight, many private OTC brokers do not perform KYC or source of wealth checks on their customers. As a result, such OTC brokers are vulnerable to abuse by criminals seeking to cash out illegally-derived cryptocurrency.
P2P (Peer-to-Peer) Exchanges
P2P exchanges operate on the same principle as OTC desks: they enable users to change between cryptocurrencies and fiat. However, unlike OTC desks that are manned by brokers, P2P exchanges operate as fully automated DeFi entities. They operate by connecting trading partners seeking to buy or sell cryptocurrency without a third party intermediary. Some of these transactions can be arranged using cash or other non-crypto payment methods via the P2P platform.
Layering is designed to make the tracing of illicit assets more difficult by putting them through a series of transactions and by using a variety of tools. Mixers, bridges, swap services, and coin-joins – individual transactions where multiple senders combine funds to obfuscate their source – are commonly used for layering as they are designed to enhance privacy and make it more difficult for investigators to trace the flow of funds. While some will simply funnel funds to exchanges in order to cash out quickly, advanced launderers may incorporate programmatic money laundering techniques.
Data science models that can identify different types of money laundering patterns (called Signatures in TRM tools) are an essential toolkit for money laundering investigators, as is the ability to demix transactions from mixers and automatically trace through cross-chain bridges.
Mixers, also known as tumblers, are services that blend multiple cryptocurrency transactions, making it difficult to trace the origin and destination of funds. According to the US Treasury’s National Money Laundering Risk Assessment from 2022, mixers and tumblers “help criminals hide the movement or origin of funds, creating additional obstacles for investigators.”
Mixers are not illegal; nor are they used exclusively for illicit activity. For example, many mixers advertise themselves as means to increase privacy and anonymity online. However, mixers are also frequently used by cybercriminals as a layering technique to disguise the source of illicit funds. The graph below shows an illicit actor using the Ethereum-based mixer Tornado Cash to obfuscate around USD 1 million of proceeds from a hack. After migrating the funds to the Ethereum blockchain and swapping them from USDC to ETH, the actor sends them to various wallets before depositing them into Tornado Cash.
In August 2022, OFAC sanctioned Tornado Cash, which has been used by North Korean cyber-criminals and other threat actors to launder the proceeds of hacks and other illicit activity. TRM Labs showed that North Korean cyber actors used Tornado Cash to launder over USD 1 billion of stolen funds in at least ten major cryptocurrency heists.
In March 2023, German and US authorities, supported by Europol, announced the shutdown of ChipMixer, a cryptocurrency mixing service that facilitated international money laundering. During the operation, officials seized four servers and nearly USD 44.2 million in cryptocurrency. Research by TRM Labs confirms that ChipMixer was widely used by prominent ransomware syndicates to launder illicit proceeds. Among them were Karakurt, SunCrypt, REvil, Conti, LockBit, Ragnar Locker, and Royal. TRM Labs research also found at least 20 darknet marketplaces (DNMs) that sent funds to ChipMixer during the mixer’s nearly six years of activity.
Cash-to-crypto services can be used for layering through a laundering technique called money muling or smurfing. This entails the transfer of stolen funds by individuals unconnected to the original crime.
In the example below, in August 2022 a money laundering group deposited illicitly-obtained cash into several crypto ATMs. From there, the funds, now in bitcoin, were sent to a consolidation wallet before being deposited at a large exchange.
In April 2023, a Missouri woman was arrested on charges of assisting with the movement of stolen funds. The suspect used cashier’s checks and cryptocurrency ATMs to transfer USD 565,000 on behalf of the criminals that committed fraud in order to steal the victim’s funds. As smurfing can be carried out by unwitting third parties, it is often difficult to identify, as the person committing the layering activity may not be aware of the source or destination of the funds.
High-risk exchanges are significantly more exposed to illicit counterparties than regulated exchanges, according to TRM Labs research. Some high-risk exchanges also operate as parasite exchanges, and usually have lax or non-existent KYC and AML processes. This makes them attractive platforms for cybercriminals who want to launder money or fund illicit activities. Administrators of such exchanges claim to earn 0.5%-1.0% commission on the transaction volume, depending on the share of revenue allocated to advertising and affiliate marketing necessary to drive traffic to their exchange.
In the example below, after hopping chains and diverting some of their stolen funds to a mixer, a scammer sends the remainder of the ill-gotten proceeds to a series of accounts at a Russia-based high-risk exchange.
Programmatic Money Laundering
Programmatic money laundering (PML) includes using software to quickly move funds through hundreds or thousands of transactions, in an attempt to obfuscate the illicit origin. One of the most high-profile examples of cryptocurrency-based PML involved the North Korean Military in 2021.
In the example below, an actor sent illicit funds from a mixer through a series of peel chains to “peel off” small amounts of BTC (represented by the green nodes) that are then sent to an exchange.
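The peel-chain pattern described above can be recognised mechanically by following the large remainder output from one transaction to the next and recording each small peeled output. The Python sketch below is an added example, not TRM Labs code: the transaction ids, addresses, entity labels and the 20% peel threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed UTXO-style sample. Values are in satoshis; transaction ids,
# addresses and labels are placeholders, not real identifiers.
TXS = {
    "tx0": {"inputs": [("mixer_payout", 0)],
            "outputs": [("peel_a", 5_000_000), ("chg_1", 95_000_000)]},
    "tx1": {"inputs": [("tx0", 1)],
            "outputs": [("chg_2", 90_500_000), ("peel_b", 4_500_000)]},
    "tx2": {"inputs": [("tx1", 0)],
            "outputs": [("peel_c", 6_000_000), ("chg_3", 84_500_000)]},
    "tx3": {"inputs": [("tx2", 1)],
            "outputs": [("peel_d", 4_000_000), ("chg_4", 80_500_000)]},
    # Single output: the remainder is moved whole, so the chain ends here.
    "tx4": {"inputs": [("tx3", 1)],
            "outputs": [("final_dest", 80_500_000)]},
    # Two inputs: a consolidation, not a peel step.
    "tx_merge": {"inputs": [("a", 0), ("b", 1)],
                 "outputs": [("m_1", 1_000_000), ("m_2", 9_000_000)]},
}

# Constructed attribution: which peel addresses belong to a known service.
LABELS = {"peel_a": "exchange_x", "peel_b": "exchange_x", "peel_d": "exchange_x"}


def build_spend_index(txs):
    """Map each spent output (txid, output index) to the transaction spending it."""
    index = {}
    for txid, tx in txs.items():
        for prev in tx["inputs"]:
            index[prev] = txid
    return index


def split_peel(tx, max_peel_ratio):
    """Return (peel index, remainder index) if `tx` looks like one peel step:
    one input, two outputs, and the smaller output at most `max_peel_ratio`
    of the total. Return None otherwise."""
    if len(tx["inputs"]) != 1 or len(tx["outputs"]) != 2:
        return None
    values = [value for _, value in tx["outputs"]]
    total = sum(values)
    small = 0 if values[0] < values[1] else 1
    if total == 0 or values[small] / total > max_peel_ratio:
        return None
    return small, 1 - small


def follow_peel_chain(txs, start_txid, max_peel_ratio=0.2):
    """Walk the chain from `start_txid`, always following the remainder output.
    Returns a list of (txid, peel address, peeled satoshis), one per hop."""
    spent_by = build_spend_index(txs)
    peels = []
    seen = set()                      # guards against malformed, cyclic input
    txid = start_txid
    while txid in txs and txid not in seen:
        seen.add(txid)
        step = split_peel(txs[txid], max_peel_ratio)
        if step is None:
            break
        peel_idx, rest_idx = step
        address, value = txs[txid]["outputs"][peel_idx]
        peels.append((txid, address, value))
        txid = spent_by.get((txid, rest_idx))   # None if the remainder is unspent
    return peels


def peeled_by_entity(peels, labels):
    """Total peeled value per attributed entity; unknown addresses are grouped
    under 'unattributed' so the coverage gap stays visible."""
    totals = defaultdict(int)
    for _, address, value in peels:
        totals[labels.get(address, "unattributed")] += value
    return dict(totals)


if __name__ == "__main__":
    chain = follow_peel_chain(TXS, "tx0")
    print(f"{len(chain)} peel hops")
    for entity, sats in peeled_by_entity(chain, LABELS).items():
        print(f"  {entity}: {sats / 1e8:.3f} BTC")
```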
Chain-hopping refers to the practice of moving cryptocurrency from one blockchain to another. While chain-hopping is not inherently illicit, it can be used by money launderers to obfuscate the transaction trail.
For example, Bitfinex, a cryptocurrency exchange, fell victim in 2016 to a breach that resulted in the theft of nearly BTC 120,000. In 2022, the US Department of Justice (DOJ) used on-chain analytics to charge the two suspects in the case with fraud and money laundering. The money launderers conducted chain-hopping from Bitcoin to other blockchains, including swaps to anonymity-enhanced cryptocurrencies like Monero, before the funds were deposited into traditional financial accounts.
TRM Labs research has also found bridge-hopping to be a favored money laundering methodology used by CSAM actors.
Privacy coins such as Monero, Zcash, and Dash provide enhanced privacy and anonymity features compared to standard cryptocurrencies like Bitcoin. Although privacy coins are not illegal, their ability to render transactions difficult to trace makes them attractive for criminals seeking to launder illicit proceeds.
Several countries have cracked down on their use. Australia and South Korea have banned exchanges from offering privacy coins, while Japan banned them entirely in 2018. The use of blockchain intelligence tools to monitor crypto services that offer privacy coins helps law enforcement and regulators to identify on-ramps and off-ramps involving these protocols.
One challenge for such on-chain surveillance is that criminals frequently cash out using brokers who exchange physical banknotes for privacy coins deposited to their receiving address. The cash is then smuggled across borders while the cryptocurrency is traded on exchanges.
High-Risk and Parasite VASPs
Because high-risk VASPs and parasite VASPs usually have weak to non-existent KYC and AML requirements, they are a preferred vehicle of cybercriminals and money launderers for moving funds as part of the layering process. These exchanges are sometimes referred to as swap services, because they allow criminals to pass funds through the service by exchanging one type of cryptocurrency for another, making tracing more difficult. Cybercriminals can also use these services to cash out into the traditional financial system.
Darknet markets (DNMs) are also used for layering illicit funds. The below example shows a drug vendor cashing out their profits from the DNM (represented by the red nodes) and sending the funds to addresses controlled by them at two separate exchanges.
The collapse in cooperation between Russia and the West on cybercrime matters since the start of the Ukraine war has created the perception among criminals that Russian-language DNMs have become a safe-haven from US and European law enforcement. As such, a wide range of criminals – including CSAM threat actors – have been observed depositing cryptocurrency to DNMs in order to obscure their original source: once crypto funds are withdrawn from a DNM’s escrow accounts, they are no longer the same coins as those originally deposited.
Inter-VASP layering involves the use of several exchanges or other VASPs to break up and move funds during the money laundering process in order to make it more difficult for investigators to trace. Inter-VASP layering mirrors traditional money laundering techniques, whereby criminals use multiple banking services to obfuscate the source of funds; it is particularly difficult to trace funds through VASPs that settle transactions off-chain.
Although blockchain forensics tools can assist with identifying the transactions that reach the VASP, investigators are required to apply for legal data access to obtain the necessary transaction data to identify the off-ramps.
Payment processors can be abused by a variety of criminals and threat actors, including extremist and militant groups, to layer their funds. TRM Labs has identified numerous investment fraud schemes that have used mainstream payment processors. Violent extremist groups, including US-based neo-Nazi actors, have used payment processors to generate dynamic addresses, typically for the exchange of goods, services, or subscriptions. Following seizures by the Israeli government, Hamas and other Gaza-based militant groups stopped publicly publishing their cryptocurrency donation addresses and instead turned to payment processors, typically embedding them in their websites’ fundraising pages.
Although gambling is legal and socially acceptable in many jurisdictions, it has long been a useful method of laundering funds from illicit activity. The gambling process involves customers paying money into a casino or bookmakers’ and later cashing out any winnings along with the remaining funds and an official receipt. This gives money launderers the opportunity to claim that their illicitly-obtained funds are merely gambling profits.
Cryptocurrency-based gambling platforms make it difficult to trace funds through the service. However, they are increasingly subject to compliance regulations. This means that casinos must perform KYC and source of wealth checks on customers seeking to deposit large amounts. Later, should a suspected criminal claim gambling winnings as the source of their funds, the online casino in question can be subpoenaed by local law enforcement to release records relating to that user.
Decentralized Finance (DeFi)
Decentralized finance (DeFi) is at risk of abuse by money launderers. While DeFi has the potential to increase financial inclusivity and provide more accessible and transparent services, it can also be exploited by those seeking to engage in illicit activities.
It is important to note that many DeFi platforms are actively implementing measures to enhance security, compliance and transparency. Regulatory authorities are also working on frameworks to address money laundering risks in the context of DeFi.
Cryptocurrency mining has been abused for laundering funds by ransomware groups, such as APT43, and other illicit actors. The coins minted on mining equipment acquired with illicit funds have no apparent ties to criminal activity, allowing criminals to cash out without leaving a traceable path on the blockchain.
For example, TRM Labs has identified a DNM vendor using illicit funds made from the sale of drugs to purchase cloud mining accounts. The outputs from the mining transactions were then laundered through a Bitcoin ATM business controlled by the vendor, which provided a front for the illicit activity. From there the funds were withdrawn to a personally-held wallet.
Integration is the final stage of money laundering, during which the laundered proceeds are re-introduced into the legitimate economy. This is done by funneling the funds to legitimate channels so that the source of funds can plausibly be explained.
The key purpose of integration is to convert the tainted crypto funds into fiat currency or stablecoins which are then off-ramped through VASPs such as payment processors, exchanges, OTC desks, cash-to-crypto services and peer-to-peer (P2P) services. Criminals may also use their crypto proceeds directly to purchase goods and services such as NFT artwork, computers, airline tickets and clothing. Dozens of mainstream retailers already accept payment in cryptocurrency.
Transaction analysis of declared wallets – incorporating both direct and indirect risk exposure – belonging to accused criminals can help investigators to identify the true source of funds.
Crypto-Fiat Value Transfer
There are numerous options for transforming criminally obtained crypto into fiat currency. Bitcoin, Ethereum, and a range of other assets can be used online to buy gift vouchers, prepaid debit cards, or iTunes vouchers – without undergoing KYC or source of wealth checks. Unscrupulous OTC (“over the counter”) traders and P2P exchanges also offer cash-changing services with minimal scrutiny while maintaining client anonymity.
This transaction mechanism is often seen as part of the integration process for launderers. Often they will engage services or peer traders that will not ask any questions about the source of funds so that the transfer is not subject to scrutiny.
Spend as Crypto
It is possible for criminals to integrate their crypto-based wealth without resorting to fiat currency off-ramps. Over the past five years, an increasing array of goods and services has become available for purchase directly using cryptocurrency. This ranges from digital goods such as NFTs and in-game purchases to luxury goods and even real estate. These purchases may also be seen as stores of value, depending on how the criminal intends to use the asset in the future.
Crypto Gift Cards
The taxonomy development process followed a systematic and iterative approach, incorporating various data sources and expert input, with a view to including the most comprehensive range of predicate offenses.
Initially, a preliminary list of illicit activities associated with cryptocurrency was compiled through a literature review and expert interviews. This included an analysis of predicate offenses defined by the FATF Recommendations, an examination of past and ongoing criminal investigations involving cryptocurrency, and consultations with key stakeholders such as crypto businesses, financial institutions, law enforcement agencies, regulators, and public sector organizations globally. The identified activities were then categorized into broad themes and subcategories, taking into account the nature of the activities, the actors involved, and their prosecution in different jurisdictions. For instance, ransomware was classified under extortion and fraud due to its frequent prosecution in the United States under the Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. § 1030.
To gather data, historical transaction data from 20 public blockchains was indexed. A combination of open-source intelligence, active intelligence collection, and pattern recognition algorithms was employed to collect information on blockchain addresses and transactions associated with illicit activity. The absolute volume of a specific category ($X) was measured by aggregating the USD value of incoming transfers to addresses associated with that category, with consideration given to the USD price of the asset on the date of the transfer.
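The volume measure described above, incoming transfers to attributed addresses valued in USD at the price on the transfer date, works as in the Python sketch below. It is an added example, not TRM Labs code: the addresses, categories, prices and amounts are constructed, and the handling of unpriced and unattributed transfers is an assumption.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed daily USD prices keyed by (asset, date).
PRICES_USD = {
    ("BTC", date(2022, 1, 10)): Decimal("42000"),
    ("BTC", date(2022, 11, 10)): Decimal("17500"),
    ("ETH", date(2022, 11, 10)): Decimal("1300"),
    ("USDT", date(2022, 11, 10)): Decimal("1"),
}

# Constructed attribution: address -> illicit category.
ATTRIBUTION = {
    "addr_dnm_1": "darknet market",
    "addr_dnm_2": "darknet market",
    "addr_scam_1": "investment scheme",
}

# Constructed incoming transfers: (date, asset, amount, receiving address).
TRANSFERS = [
    (date(2022, 1, 10), "BTC", Decimal("0.5"), "addr_dnm_1"),
    # Same BTC amount as above, worth far less in USD on this date.
    (date(2022, 11, 10), "BTC", Decimal("0.5"), "addr_dnm_2"),
    (date(2022, 11, 10), "ETH", Decimal("10"), "addr_scam_1"),
    (date(2022, 11, 10), "USDT", Decimal("2500"), "addr_scam_1"),
    # Receiving address has no attribution: counted in no category.
    (date(2022, 11, 10), "ETH", Decimal("4"), "addr_unknown"),
    # No price on record for this date: cannot be valued.
    (date(2022, 3, 1), "BTC", Decimal("1"), "addr_dnm_1"),
]


def category_volumes(transfers, attribution, prices):
    """Aggregate the USD value of incoming transfers per category.

    Returns (volumes, unattributed_usd, unpriced):
      volumes          -- {category: USD total, priced on the transfer date}
      unattributed_usd -- USD received by addresses with no known category
      unpriced         -- transfers skipped because no price was available
    """
    volumes = defaultdict(Decimal)
    unattributed_usd = Decimal(0)
    unpriced = []
    for day, asset, amount, to_address in transfers:
        price = prices.get((asset, day))
        if price is None:
            # Never guess a price; report the gap instead.
            unpriced.append((day, asset, amount, to_address))
            continue
        usd = amount * price
        category = attribution.get(to_address)
        if category is None:
            unattributed_usd += usd
        else:
            volumes[category] += usd
    return dict(volumes), unattributed_usd, unpriced


if __name__ == "__main__":
    volumes, unattributed, unpriced = category_volumes(
        TRANSFERS, ATTRIBUTION, PRICES_USD)
    for category, usd in sorted(volumes.items()):
        print(f"{category}: USD {usd:,.2f}")
    print(f"unattributed: USD {unattributed:,.2f}")
    print(f"unpriced transfers: {len(unpriced)}")
```

In the sample, the unattributed transfer appears in no category total, so each reported figure is a lower bound on the true volume.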
Several limitations should be acknowledged in this report. First, the reported volume for specific categories may be underestimated if TRM lacks attribution for addresses or transactions within those categories. Certain categories, such as darknet marketplaces and investment schemes, are more likely to be comprehensively addressed due to their inherent visibility and the presence of platforms like Chainabuse that facilitate victim reporting. The transparency of the blockchain allows for an estimation of the upper bound of illicit activity by differentiating total volume from known volume associated with legitimate activity such as trading or gaming.
Second, this report does not measure the conversion of fiat proceeds of crime into crypto for money laundering. Virtual asset service providers (VASPs) and financial intelligence units (FIUs) play a critical role in detecting the conversion of fiat proceeds of crime into cryptocurrency and digital assets for money laundering purposes.
As TRM continues to collect more data, it is possible that the reported numbers may increase over time, improving the accuracy and completeness of the taxonomy. These limitations are essential to consider in interpreting the findings and recognizing the potential for further refinement and expansion of the taxonomy in the future.
Conclusion and Recommendations
Despite only existing in mainstream use for around a decade, cryptocurrencies have embroidered themselves into every typology of crime, from the purely digital theft enabled by hacks to drugs trafficking, extortion, terrorist financing and espionage. Crypto did not introduce these criminal forms; nor has it (yet) come to dominate them. Indeed, fiat currencies and even older forms of finance such as hawala remain the default means by which illicit activity is financed and its proceeds are laundered.
The “crypto winter” of 2022 did little to erode the use of crypto in illicit activity and money laundering. The year saw as much as USD 2 trillion worth of cryptocurrency assets wiped out from investors’ balance sheets, according to World Economic Forum estimates. Yet the fall in crypto’s value does not appear to have dissuaded criminals from using and exploiting crypto. This has been particularly true regarding DeFi, with hacks on DeFi targets and cross-chain bridges resulting in USD 3.7 billion stolen – an average of over USD 20 million per incident. Illicit investment schemes, too, have seen significant activity, with at least USD 7 billion in volume linked to such addresses.
The continued proliferation of cryptocurrencies and blockchain technology suggests that they will retain a significant place in the criminal arsenal. The good news for investigators, law enforcement and regulators is that cryptocurrencies can provide granular visibility into the structure, operations and, most of all, interconnectivity between different criminal actors and enterprises.
As this report shows, the various kinds of crypto crime and their perpetrators do not operate in silos; rather, they are highly intertwined. Seemingly unrelated pig butchering incidents were found to be linked to major international crime groups; cryptocurrency ATM scams have been alleged to fuel people trafficking syndicates; Russian-language DNMs specializing in drugs are also used by CSAM actors to launder funds; the sanctioned mixing service ChipMixer was facilitating the work of Royal, a notorious ransomware syndicate that targets US national security infrastructure.
Over the last two years, the US Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned non-compliant VASPs, darknet markets and other parts of the illicit crypto ecosystem for facilitating ransomware, sanctions evasion, and other activity.
In January 2023, the US Department of Justice and the US Treasury Department announced a coordinated action against non-compliant Hong Kong-registered cryptocurrency exchange Bitzlato. Its owner was arrested for “conducting a money transmitting business that transported and transmitted illicit funds and that failed to meet US regulatory safeguards, including anti-money laundering requirements.”
Disrupting these criminal enterprises depends on understanding not just the ways in which they connect but also on the ability to overcome their attempts at obscuring the origin and flow of their cryptocurrencies across blockchains. As the number of blockchains continues to proliferate, tracking these financial flows becomes ever more technically demanding.
As the first blockchain intelligence platform designed for the multi-chain era, TRM Labs has pioneered tracing support for new blockchains, including all assets on Ethereum (2019), TRON (2019) and Solana (2021). Today, TRM Labs can trace over 28 blockchains and over a million assets including all derivative assets, wrapped assets, stablecoin and NFTs, enabling historical replay of 99% of crypto volume.
TRM Labs was the first to launch state-of-the-art capabilities including automated cross-chain tracing, automated demixing, NFT tracing, nested entity analytics, and mobile-first forensics. TRM Labs offers one-click tracing through 50 blockchain pairs and over 10 million cross-chain swaps.
Blockchain intelligence represents a transformative leap forward in the ongoing fight against illicit finance. Previously, law enforcement agencies, regulators and the broader private sector lacked a real-time understanding of illicit economies, their size, how their assets are transferred and how they are overlapping with other illicit networks.
Approaching crypto crime in a systematic way allows for a holistic view that can inform a broad strategy for dealing with crypto crime risks. Any such strategy should consider the following questions:
- How detailed is our understanding of crypto crime and money laundering, and do we need to adjust our frameworks to mirror a more granular risk taxonomy?
- Are we overly focused on activity involving bitcoin to the detriment of other emerging chains showing increased involvement in illicit activity?
- Have we conducted a coverage assessment against these risks to better understand our exposure to the various illicit risk categories?
- Are our resources (both technological and human) well positioned to identify not just a singular risk and typology but multiple illicit activities interacting within one connected scheme?
Such an approach can help equip law enforcement and compliance professionals with a more comprehensive, granular and targeted view of where to allocate their surveillance, investigative and technological resources.
About TRM Labs
This report was written by TRM Labs, the blockchain intelligence company. We work with crypto businesses, financial institutions and government agencies to monitor, detect and investigate fraud and financial crime in crypto.