Virtual Assets: Calibrating the Compass of Suspicion

On October 19, 2018, the Financial Action Task Force (FATF) published long-awaited changes to its recommendations and glossary relating to “virtual assets” and “virtual assets service providers”;[1] these changes supplemented the 2015 FATF report, Guidance for a Risk-Based Approach to Virtual Currencies.[2]

Existing terms such as cryptocurrency, digital assets and virtual currency were consolidated into this new definition of virtual assets and related service providers such as exchanges, certain types of wallet providers and providers of financial services for Initial Coin Offerings (ICOs). Other than this, the changes held few surprises in calling for jurisdictions to “urgently take legal and practical steps to prevent the misuse of virtual assets.”

“The FATF uses the term ‘virtual asset’ to refer to digital representations of value that can be digitally traded or transferred and can be used for payment or investment purposes, including digital representations of value that function as a medium of exchange, a unit of account, and/or a store of value. The FATF emphasizes that virtual assets are distinct from fiat currency (a.k.a. ‘real currency,’ ‘real money,’ or ‘national currency’), which is the money of a country that is designated as its legal tender.”[3]

Without repeating the details of the FATF announcement, the recommended changes included subjecting virtual asset service providers to anti-money laundering (AML) and counter-terrorist financing (CTF) regulations, licensing and registration, monitoring and reporting, i.e., suspicious activity reports (SAR) or a country’s equivalent. FATF promised further information in due time on how the new requirements should be applied in relation to virtual assets.

Nevertheless, what is missing from the current space is published information from standard-setters such as FATF, the Egmont Group of Financial Intelligence Units (FIUs) and countries’ regulators as to what exactly constitutes “suspicion” of money laundering, terrorist financing and sanctions violations in the virtual asset space—so-called “red flags.” In other words, “the regulated”—exchanges, financial service providers, etc.—are left to determine suspicion and report accordingly without guidance, and are arguably subject to regulatory sanctions if they do not.

The good news is that responsible parties are ahead of the curve. These responsible parties include exchanges, and analytical tool providers such as Elliptic, Chainalysis and Blockchain Intelligence Group, either as standalone initiatives or as part of various working groups such as the Asian Cryptocurrency Intelligence Forum, in partnership with some major banks. These stakeholders have started to formulate and share indicators of suspicion in the virtual currency (asset) space that go beyond identifying direct and indirect connections to dark markets, gambling sites, ransomware attacks and other criminal transactional links. Their objectives are supporting robust transaction monitoring (TM) applications, training analysts, investigators and law enforcement, and informing regulators who are charged with investigating related crimes supported by SAR filings from responsible parties.

A forerunner of research into indicators of suspicion in the space (and a highly recommended read) was a 2016 paper by the National Research Nuclear University Moscow Engineering Physics Institute (MEPhI) titled Investigation of Money Laundering Methods Through Cryptocurrency, published in the Journal of Theoretical and Applied Information Technology.[4] A particularly interesting finding of this research was that the deposit of a large amount of bitcoins followed by their dispersal over 98 layers of transactions was identified as suspicious, i.e., the opposite of “smurfing” in the traditional financial world. This finding was also referenced in the 2016 ACAMS Today article, When Two Worlds Collide,[5] by Peter Warrack, Leonardo Real and Joseph Mari, which discussed indicators of suspicion and the importance of thinking in both the context of the traditional interactive financial environment and the contained space (which operates outside fiat currencies).

The remainder of this article shares some research by the authors conducted over several months of analyzing SARs to identify indicators of suspicion in the virtual asset service-provider space[6] (i.e., exchanges). Many indicators considered in isolation do not necessarily provide sufficient suspicion for meeting the threshold to report (“reasonable grounds to suspect”), which is arguably a threshold lacking clarity in many jurisdictions. As in the traditional financial space, indicators should be considered in context, including know your customer (KYC) information and the operating environment within which the transactions occur; useful information regarding evaluating transactions in context can be found in the 2017 ACAMS Today article, An Introduction to the 360 Degree AML Investigation Model.[7]

Similar to traditional financial product exchanges, the cryptocurrency ecosystem also experiences major events, which could cause irregular market activity that could seem otherwise suspicious without considering the whole picture. Such an event took place in November 2017, when the planned “hard fork” labelled SegWit2x to create Bitcoin Cash (BCH) was postponed. Many users sent their bitcoins to exchanges that would allow conversion to receive the new BCH. However, they quickly removed such funds once the cancellation was published. Rapid movement of funds on and off an exchange would raise concerns that a user was attempting to obscure the funds, but knowledge of this industry event helps to mitigate such concerns.

The indicators provided an understanding of the difference between an exchange and a money services business (MSB). Currently, some countries’ FIUs, such as the U.S. Financial Crimes Enforcement Network (FinCEN) and Canada’s Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), as well as FATF, consider exchanges to be MSBs and regulate them or set standards and provide guidance based on this classification. For instance, Canada’s proposed legislation mandates regulated entities to report every virtual currency transaction equivalent to $10,000 or more (which would also capture change transactions). Arguably, this approach skews the concept of suspicion, as not all such “MSBs” are created or operate equally, and there may be contextual differences within the virtual asset landscape.

Traditional MSB activity (as a money transmitter) may be low volume remittances for the purpose of sending value overseas. This activity is very different than that of an exchange operating as a professional or semi-professional trading platform in which it is common for traders to transact hundreds of times in a 24-hour period. This is activity that in the traditional financial space might be viewed as suspicious (i.e., as rapid in-and-out activity).

While the world of virtual assets may share many of the indicators of suspicion, long since documented in the traditional space, others remain unique and relatively new. Examples include the use of mixers and tumblers; utilizing so-called “privacy coins” such as Monero and Zcash; the use of anonymous email or browsers and virtual private networks (VPNs). It should be noted that the use of VPNs in particular should be considered as indicatively neutral unless accompanied by other factors. Although used by criminals, VPNs are also considered standard security practice by legitimate users.

Another potential indicator, which at first glance may be viewed as suspicious, is sending or receiving transactions from or to crypto addresses that have not been previously used. Many popular wallets function this way by design. Users of certain wallets are sometimes not using new addresses deliberately or with nefarious intent; they have no choice, as this function is built into the wallet’s protocol.

The list of indicators provided below is not exhaustive and research in this space continues; the authors welcome feedback from fellow AML professionals including interest in partaking in future working groups.

General Indicators

  • User admits or makes statements about involvement in illicit activities
  • User shows uncommon curiosity about an exchange’s internal systems, controls and policies
  • User presents contradictory details about the transaction or has few details about its purpose
  • The purpose of the user maintaining an account with the exchange is unclear, as the account appears dormant and user is not utilizing platform features
  • User does not provide information upon request
  • User fails to provide supporting documentation or provides misleading or inaccurate information regarding source, use and destination of funds
  • User provides misleading or inaccurate information regarding purpose of transaction and relationship to counterparty
  • User’s portfolio only consists of privacy coins or has high value privacy coins (e.g., Monero, Dash, Zcash)
  • Use of privacy coins, which are highly or partially anonymous (e.g., Monero, Dash, Zcash) (i.e., privacy features are enabled)
  • User logins are from an IP address that appears to be connected to a VPN and/or The Onion Router (Tor) or similar IP anonymizers
  • User receives frequent deposits from gambling sites/cryptocurrency addresses followed by immediate withdrawals
  • User has a newly registered account
  • User is over-providing information or details when not necessary
  • User is conducting transactions of large volumes/amounts
  • User is conducting transactions at a high velocity that appears to be inconsistent with industry patterns or with their profile
  • User is operating as or conducting transactions with charitable organizations/nonprofits who accept cryptocurrency or fiat
  • User has a long period of dormancy followed by a large volume/velocity of transactions
  • There are frequent changes in the user’s identification information, such as home address, email address, IP address or linked bank accounts
  • Use of corporate vehicles (legal entities and legal arrangements) to obscure ownership, involved industries and jurisdictions
  • Paying and/or willingness to pay high commission fees for converting (selling) cryptocurrency in exchange for fiat compared to commission fees charged by other cryptocurrency exchanges
  • User has sent funds to an organization that could be operating illicit activity, as part of a payment resulting from a scam and/or ransomware
  • User has deposited funds from, withdrawn to, or has a connection with an organization that is listed on U.S. Department of the Treasury’s Office of Foreign Assets Control Specially Designated Nationals and Blocked Persons List
  • User is a U.S. resident (or similarly regulated jurisdiction) and is conducting a high frequency of transactions in a manner that is consistent with operating an illegal money transmitting business, that has no evidence of an AML program or registration
  • The ultimate beneficiary and destination of outgoing funds remains unknown or is unclear
  • User has multiple online profiles for apparent different individuals connected to their email address or other identifying information
  • User is stating they obtained and/or sold a large value of cryptocurrency for cash with an unknown third party

Exchange/Trading Platform Indicators

  • Source of funds is from an exchange, which has been connected to money laundering, or which law enforcement has shut down (e.g.,
  • User abandons account and account balance, when supporting documentation and/or KYC information was requested
  • User operates more than one account without notifying or receiving consent from platform
  • User creates/operates an account on behalf of a third party without notifying or receiving consent from the platform
  • Funds are deposited soon after account registration and withdrawn again shortly after in the same currency without using platform features (i.e., trading/margin funding), which is consistent with using an exchange to obscure origins of funds
  • Outgoing funds are sent to newly created and never used cryptocurrency addresses
  • A registered account has an encrypted email or temporary email service (e.g., or
  • Funds are deposited from or withdrawn to cryptocurrency address with direct/indirect links to known suspicious sources such as darknet marketplaces, mixing services, gambling sites, service providers, wallets known to be involved in illegal activities, and/or theft or ransomware reports
  • The funds in a user account have been reported stolen or otherwise reported to have been obtained illegally
  • User is associated or connected to an ICO that has shut down after the funds were raised, e.g., exit/Ponzi Scheme
  • Cryptocurrency is deposited and funds are withdrawn in fiat currency, with no other use of the platform
  • User requests a withdrawal to be processed unreasonably quickly or outside of terms of service agreements
  • There is a request from law enforcement for a user’s information as part of an investigation
  • User exploits technological glitches/failures to intentionally take advantage of a platform or obtain funds
  • User conducts transactions that are inconsistent with a user’s KYC, transaction history and/or market trends
  • User conducts transactions which appear to have no economic benefit and are not consistent with reasonable trading patterns/strategies
  • User conducts transactions at specific times/amounts not congruent with normal industry practices and/or are unnecessarily complex
  • User inquires about an employee’s personal information, functions and responsibilities
  • User attempts to form unreasonably close relationship with employees
  • The platform receives unusual/demanding requests from other exchanges/vendors/service providers regarding a user’s funds held on platform
  • User offers bribe/tip or is willing to pay unusual fees to process transaction
  • User conducts trades in a way that creates a negative balance or reduces equity in one account, to increase equity or create positive balance in another account operated by the same user
  • User submits comments for transactions (i.e., withdrawals) that may refer to illegal or illicit activity
  • User receives and/or sends wires or provides information to a financial institution from high-risk jurisdictions or areas run by an unstable government
  • User funds their fiat account consistent with structuring in the remitting jurisdiction, e.g., in multiples of less than $10,000
  • User draws their fiat account consistent with structuring in the receiving jurisdiction, e.g., in multiples of less than $10,000
  • Multiple third-party transactions are being transferred and accumulated into one user account
  • User conducts transactions of similar amounts to multiple third parties
  • User is being overly friendly and appreciative and showering exchange employees with compliments
  • User threatens legal action and/or reporting negative media to have funds unfrozen
  • User conducts a high volume of “off-chain” (internal transactions) with other platform users, which is consistent with attempting to obscure origins of funds or conducting illicit activity
  • User of a newly opened account makes a large value deposit as a first transaction, without making a nominal transaction first to test out the features/capabilities of the platform
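
The following sketch is an added example, not the authors' or any exchange's code. It turns three of the indicators above into transaction-monitoring rules (pass-through deposits on a new account, fiat structuring under $10,000, VPN logins) and applies the article's caveats that VPN use is neutral on its own and that a known market event changes how rapid in-and-out movement should be read. All names, time windows and thresholds other than the $10,000 figure are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Assumed cut-offs: the article lists indicators, not numeric thresholds.
NEW_ACCOUNT = timedelta(days=7)
PASS_THROUGH = timedelta(hours=48)
LIMIT, BAND, MIN_COUNT = 10_000, 0.9, 3      # fiat deposits at 90-100% of $10,000
# Constructed window for the November 2017 SegWit2x postponement.
MARKET_EVENTS = [(datetime(2017, 11, 1), datetime(2017, 11, 30))]
NEUTRAL_ALONE = {"vpn_login", "pass_through_market_event"}


def in_market_event(ts):
    return any(start <= ts <= end for start, end in MARKET_EVENTS)


def indicators(account, events):
    """Indicator names for one account; events have ts, kind, asset, amount."""
    hits = set()
    events = sorted(events, key=lambda e: e["ts"])
    deposits = [e for e in events if e["kind"] == "deposit"]
    trade_times = [e["ts"] for e in events if e["kind"] == "trade"]
    for d in deposits:
        if d["ts"] - account["registered"] > NEW_ACCOUNT:
            continue
        for w in events:
            same_asset_out = w["kind"] == "withdrawal" and w["asset"] == d["asset"]
            soon = d["ts"] < w["ts"] <= d["ts"] + PASS_THROUGH
            traded = any(d["ts"] < t < w["ts"] for t in trade_times)
            if same_asset_out and soon and not traded:
                # Same pattern, different meaning during an industry event.
                hits.add("pass_through_market_event" if in_market_event(d["ts"])
                         else "pass_through")
    near_limit = [d for d in deposits if d["asset"] == "USD"
                  and LIMIT * BAND <= d["amount"] < LIMIT]
    if len(near_limit) >= MIN_COUNT:
        hits.add("structuring")
    if account.get("vpn_login"):
        hits.add("vpn_login")
    return hits


def needs_review(hits):
    """Queue for an analyst only if something beyond neutral indicators fired."""
    return bool(hits - NEUTRAL_ALONE)


# Constructed sample data, not real accounts.
T0 = datetime(2018, 3, 1, 9, 0)
ACCOUNT_A = {"registered": T0, "vpn_login": True}
EVENTS_A = [
    {"ts": T0 + timedelta(hours=2), "kind": "deposit", "asset": "BTC", "amount": 4.0},
    {"ts": T0 + timedelta(hours=9), "kind": "withdrawal", "asset": "BTC", "amount": 3.99},
]
```

A hit from `needs_review` is a prompt for an analyst to weigh KYC and operating context, not a reporting decision in itself.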


Formal guidance and standards provide added legitimacy to the relatively new space of virtual assets, but in the absence of guidance regarding what is suspicious and reportable, practitioners are adrift in a virtual sea of uncertainty and left to their own devices to calibrate the expected regulatory compass. Further guidance and direction are welcomed from FATF, the Egmont Group, similar bodies and regulators. The authors understand this will be forthcoming as the space matures. In the interim, this article may provide food for thought and practical consideration by readers and fellow Association of Certified Anti-Money Laundering Specialists professionals.

Again, feedback is encouraged and interest in participating in future workshops on the subject is invited by contacting the authors.

Peter Warrack, CAMS, CBP, CCI, CFE, chief compliance officer, Bitfinex

Stephen Brent Sargeant, AML investigator, Bitfinex

Research contributions by: Adnan Tahir, CBP, AML investigator, Bitfinex

Ruslan Nichkasov, CBP, CAMS, AML investigator, Bitfinex

Giles Dixon, CBP, BA, financial services advisory, Grant Thornton LLP

  1. “Regulation of virtual assets,” Financial Action Task Force, October 19, 2018,
  2. “Guidance for a Risk-Based Approach to Virtual Currencies,” Financial Action Task Force, June 2015,
  3. “Regulation of virtual assets,” Financial Action Task Force, October 19, 2018,
  4. Diana Mergenovna Sat et al., “Investigation of Money Laundering Methods Through Cryptocurrency,” Journal of Theoretical and Applied Information Technology, January 20, 2016,
  5. Joseph Mari, Peter Warrack and Leonardo Real, “When Two Worlds Collide,” ACAMS Today, September 20, 2016,
  6. Ibid.
  7. Peter Warrack, “An Introduction to the 360 Degree AML Investigation Model,” ACAMS Today, June 30, 2017,
