Five Crypto Financial Crime Typologies for FI Compliance Programs
Financial institutions running mature AML programs already know how to handle money laundering, sanctions evasion, and fraud. What digital assets change is not the nature of those risks but the speed and architecture through which they move. Funds can cross multiple blockchains via bridges and decentralised services in minutes, and account-based monitoring systems were never built to follow that trail. The good news: the trail is permanent. Public blockchains record every transaction, which means on-chain exposure is often more traceable than its fiat equivalent, provided the institution has the right analytical capability. The following five typologies represent the core of what compliance teams need to understand.
1. Drug Trafficking and Professional Money Laundering
How the Flows Reach a Bank's Accounts
Professional laundering organisations working on behalf of drug cartels convert cash proceeds into digital assets and transfer them internationally to bypass correspondent banking controls. Stablecoins have become a favoured instrument for paying suppliers involved in narcotics production, with brokers coordinating transfers across jurisdictions. A bank can be exposed at either end of the flow.
On the cash-in side, customers may deposit cash proceeds and then convert those funds into cryptoassets. The more common exposure point is the cash-out side: cartel-linked cryptoassets are ultimately converted back to fiat and deposited into an account that appears routine in isolation. Traditional transaction monitoring will often catch the fiat-side signals, including unexplained cash deposits, rapid conversion into cryptoassets, and structuring patterns that AML teams have recognised for decades. On-chain analytics closes the picture by checking wallet addresses against those linked to drug trafficking networks and tracing indirect exposure across multiple hops back to the original source.
2. Fraud Networks, Scam Infrastructure, and Forced-Labour Operations
The Scale and Surface Area for FIs
Romance scams, so-called pig-butchering schemes, and AI-enhanced phishing operations have grown into a multi-billion-dollar fraud industry that now accounts for a significant share of cryptoasset-based money laundering. Many individuals running these scams are themselves victims of trafficking or forced labour. AI-generated deepfakes and scaled social engineering have made these operations faster to deploy and harder to detect.
Exposure for financial institutions falls across three areas. First, retail and wealth management clients may be sending funds to scam-controlled wallets, often without realising it until losses are substantial. Second, corporate clients, particularly payment processors and fintechs, may be processing transaction volumes that contain fraud proceeds being laundered through scam infrastructure. Third, custody or brokerage services may be facilitating activity linked to wallets associated with active operations. Blockchain analytics traces both direct and indirect exposure to these networks, even when an individual transaction looks entirely routine. Illicit stablecoin networks are part of the same picture: our earlier analysis of how they exploit compliance gaps shows how fraud proceeds and stablecoin infrastructure intersect at scale.
3. Obfuscation Tools: Bridges, Mixers, and No-KYC Swaps
Why Single-Chain Screening Is No Longer Sufficient
Sophisticated actors use cross-chain bridges, mixing services, and no-KYC swap platforms to break the analytical trail that blockchain transparency would otherwise provide. The volume of funds moving through these channels is not trivial. Published data indicates that more than $21.8 billion in illicit or high-risk cryptoassets have been laundered through cross-chain methods, a figure that represents roughly a threefold increase since 2023. A third of complex on-chain investigations now span more than three blockchains; a fifth involve more than ten.
The implication for compliance teams is direct. Screening limited to one or two blockchains will miss laundering activity that is deliberately routed through more, and funds that appear clean on one network may originate from illicit activity on another. A single investigation can involve multiple chains, several bridges, and different asset types, and any one of those transitions can break a single-chain view entirely. When evaluating your analytical tooling, the questions covered in our piece on evaluating blockchain analytics data quality are directly applicable here.
4. Sanctions Evasion via Digital Assets
Three Exposure Vectors Compliance Teams Must Address
Sanctioned individuals, entities, and jurisdictions control wallets, and any transaction a customer makes with one of those addresses, or with a wallet in the chain behind it, creates a sanctions issue for their institution. State-linked actors have integrated digital assets into structured evasion strategies. Garantex, a Russia-based exchange that continued to process more than $60 billion in transactions after its 2022 OFAC designation, illustrates how persistent that exposure can be even after a public designation event.
Sanctions exposure through digital assets takes three forms. The first is indirect wallet exposure: a customer's wallet is connected, through one or more intermediary hops, to a sanctioned actor. The second is reserve-level exposure, which is relevant for institutions managing stablecoin reserves, where those reserves may back tokens circulating through sanctioned channels. The third is transactional exposure arising from processing payments that pass through sanctioned infrastructure. Robust blockchain analytics traces all three back to the original sanctioned entity regardless of how many wallets the funds have passed through. For teams managing OFAC obligations specifically, the compliance priorities for OFAC SDN cryptocurrency addresses set out what firms need to have in place.
5. State-Sponsored Theft and Rapid Asset Movement
The Bybit Case as a Reference Point
North Korea operates one of the most sophisticated state-sponsored cryptoasset theft programs documented to date. In February 2025, the country's Lazarus Group executed the largest cryptoasset theft on record, targeting the exchange Bybit. Within hours of the breach, stolen assets were being converted and moved through dozens of intermediary wallets, cross-chain bridges, and mixing services.
The compliance challenge here combines speed, surface-level normality, and hidden transaction history. Stolen funds can cross multiple blockchains within hours of an event. By the time proceeds arrive at a customer's account, they appear unremarkable in isolation. Without the ability to trace back to the original event, exposure goes undetected entirely. Analytical response to the Bybit incident began within minutes of the theft, tracing stolen assets as they moved and working with the exchange and investigators to freeze assets before laundering was complete. That kind of rapid chain-of-custody tracing, from a customer deposit back to an original theft event, is what separates institutions that can safely engage with digital assets from those that cannot.
What This Means for Compliance Program Design
Building On-Chain Visibility Into Existing Controls
Every one of these typologies leaves a permanent on-chain record. Drug proceeds, fraud flows, sanctions evasion, and stolen assets all move through public infrastructure that makes them traceable, and in many cases more traceable than equivalent fiat activity. The gap is not in the data; it is in whether an institution's compliance program is equipped to read it.
For teams working through how digital asset risk fits into their existing AML/CFT frameworks, the foundational question is whether your crypto accounting software and transaction monitoring stack can handle multi-chain attribution, indirect exposure tracing, and real-time sanctions screening simultaneously. Many institutions built their digital asset controls on single-chain assumptions that no longer match the threat environment. Reviewing those assumptions against the five typologies above is a practical starting point. Digital asset accounting software that integrates on-chain data with your existing ledger and compliance infrastructure closes the gap between what your monitoring system sees and what is actually happening on chain. Crypto bookkeeping software alone does not solve the problem; the on-chain layer needs to sit alongside it.
Source: Elliptic
FAQ
Fraud network exposure is typically the broadest for retail banks, because retail and wealth management clients may unknowingly send funds to scam-controlled wallets. The cash-out side of drug trafficking flows is also a common exposure point, as cartel-linked cryptoassets are converted back to fiat and deposited into accounts that look ordinary without on-chain context.
Most account-based monitoring systems track activity within a single ledger or a limited set of blockchains. When funds move through cross-chain bridges, mixing services, or no-KYC swap platforms across multiple networks, the trail falls outside the view of systems not designed for multi-chain attribution. Published data indicates a third of complex on-chain investigations now span more than three blockchains.
Direct exposure arises when a customer transacts with a wallet belonging to a designated entity. Indirect exposure arises when a wallet is connected to a sanctioned actor through one or more intermediary hops. Both create compliance risk, but indirect exposure is harder to detect without on-chain tracing that follows funds through multiple wallet layers back to the original sanctioned party.
The priority is to pause the transaction where legally permissible, initiate a suspicious activity report in line with local obligations, and run a full chain-of-custody trace using blockchain analytics to establish whether the deposit links to the known theft addresses. Coordination with the relevant financial intelligence unit may be required depending on jurisdiction.
No. On-chain analytics is additive. It closes the visibility gap that account-based monitoring systems leave when customers interact with digital assets, but it does not replace transaction monitoring, KYC processes, or sanctions screening programs. The two layers work together: traditional controls catch fiat-side signals, and blockchain analytics traces the on-chain history behind those signals.
