Typically, articles titled “What’s in my wallet?” discuss the merits of various credit card products comparing interest rates, fees, hidden fees and features, like travel insurance or other consumer protection coverage, but that relates to the traditional financial operating environment.

However, this article addresses the title in the context of the alternative financial operating environment—an environment populated by transactions conducted using virtual assets, such as virtual currencies, cryptocurrencies and a plethora of other labels.

There are often misconceptions regarding how exchange wallets work when discussing cryptocurrency transactions and, more specifically, understanding what constitutes normal versus suspicious activity/transactions related to potential money laundering, terrorist financing, sanctions avoidance and other crimes with law enforcement, regulators and other interested parties. This article is intended to inform such conversations and dispel the myth that users (customers of exchanges) hold wallets on exchanges, particularly large exchanges; in most cases they do not, as an exchange become the custodian of the user’s funds.

So what is a wallet? Quite simply, “a cryptocurrency wallet is a software program that stores private and public keys and interacts with various blockchains to enable users to send and receive digital currency and monitor their balance. If you want to use bitcoin or any other cryptocurrency, you will need to have a digital wallet.”¹

Hot Wallet/Cold Wallet System

Centralized cryptocurrency exchanges typically work with a so-called hot wallet/cold wallet system.

A cold wallet is a secure, offline cryptocurrency wallet. Arguably, the most well-known forms of cold wallet cryptocurrency storage are hardware wallets such as Ledger, Trezor and KeepKey wallets. These are physical devices that hold the private keys of the generated public addresses. The addresses can be used to receive and send cryptocurrency.

For a hardware wallet, the device is only connected to the internet when transactions are undertaken. Otherwise, the device remains inaccessible when not connected. In order to send funds out of a cold wallet, the wallet owner needs to access the offline wallet, generate a transaction and sign the transaction using the wallet’s private key. Once the transaction is signed, the data of the signed transaction needs to be transferred to a device that does connect to the internet and that can broadcast the signed transaction to the blockchain. Using a cold wallet, at no point will the private key needed to sign a transaction be exposed to the internet. There are varying degrees of “cold” when discussing cold wallet cryptocurrency storage. There are certain types of wallets that never become connected to any online device, such as paper wallets. For those interested, an example of this type of storage is shown in the June 2018 ACAMS Today article, “Real Considerations for Law Enforcement in Seizing Virtual Currency.”²

While a cold wallet is highly secure, generating, signing and broadcasting transactions is a slow and cumbersome process. Therefore, to process transactions requested by its users quickly and more efficiently, the exchange will use an additional wallet: the so-called hot wallet.

Similar to the cold wallet, the hot wallet holds the private keys for addresses. Unlike the cold wallet, the hot wallet does connect directly to the internet. In the case of an exchange, the systems that process withdrawals for an exchange’s users will have access to the wallet software and are able to generate, sign and broadcast transactions programmatically, as part of executing trades for its users. The hot wallet can process transactions efficiently; however, because it is running on a system that is connected to the internet, and because of the exposure to the internet and the associated risks (such as hacking), a hot wallet is less secure than a cold wallet.

Typically, an exchange will hold 95%-99% of all its users’ funds in a cold wallet. For security reasons, these funds are swept into the cold wallet from the hot wallet where they were first received. Only a fraction of all funds an exchange is in custody of are held in a hot wallet in order to be able to process withdrawals requested by users efficiently. The hot wallet would be periodically replenished by transferring funds from a cold wallet for the hot wallet to hold sufficient funds to be able to process pending withdrawals.

When a user wishes to deposit cryptocurrency at an exchange, they request a deposit address from the receiving exchange. Deposit addresses are generated by the hot wallet of the exchange and are linked to the respective users’ accounts. The deposit addresses are part of the exchange’s hot wallet. When a user sends or receives funds to a deposit address linked to his account, the amount deposited will be credited to the user’s account balance. Once the funds arrive in the deposit address, the deposited cryptocurrency itself will no longer be under the control of the user, but rather will be part of the hot wallet that controls the private key of the deposit address.

One could think of a deposit address like a deposit box in a vault, except the vault looks after the key to the deposit box for the user and can use those funds as part of processing transactions for other users of the vault, as long as they honor the balance of funds one holds with them. The user is entitled to an “IOU” in the form of an account balance. By logging in to their account at the exchange, the user can then view and trade with their account balance.

Once the funds are part of the hot wallet, they will be used to process withdrawals for the other users of the exchange that requested withdrawals around the same time the deposit is confirmed. If more funds are deposited than are needed to immediately process withdrawals, the total amount of assets held in the hot wallet can exceed the threshold specified by the exchange operator and, as previously explained, the surplus is automatically transferred to the exchange’s cold wallet.

If a user chooses to sell their balance of a particular currency and purchase a different currency, (e.g., sell bitcoin [BTC] and purchase Litecoin [LTC], which are commonly referred to as exchange currencies), the exchange applies balance adjustments to reflect the effects of the trade as soon as a trade is matched. The user can then choose to withdraw their balance, meaning they request to pull their funds off the exchange, to be sent somewhere else.

When the user requests a withdrawal, the IOU is redeemed by reducing the user’s account balance with the amount and currency with which the withdrawal is requested. Next, the hot wallet will generate, sign and broadcast the transaction to process the requested withdrawal. As a side note, deposits and withdrawals into and out of exchanges are reflected as activity on the blockchain of the coin. However, transactions that take place within an exchange (e.g., user A exchanging BTC for LTC inside an exchange, or user A sending funds to user B on the same exchange) typically occur “off-chain.” These transactions are simply recorded as debits and credits to the users’ balances of those coins respectively and are therefore not recorded on the public blockchains of those coins. Only when the customer withdraws the LTC from the exchange would it be recorded on that coin’s blockchain.

Exchanges Act as Mixers

Depending on the implementation of the exchange and on the design of the cryptocurrency itself, funds that are deposited at a user’s deposit address may be transferred to a collection address, which essentially consolidates the funds held in different users’ deposit addresses as soon as a deposit completes, before then being used again to process withdrawals for other users. This is similar to the concept of a mixer or tumbler, which sends coins from one user to a pool of other people’s funds, then sends coins back to the original user with completely different addresses, effectively breaking the money trail. It is analogous to a group of people each putting a $5 bill in to a bucket, and then each receiving back $5 from the bucket—they are unlikely to receive their original $5 bill.

However, moving the funds to a collection address is not required for many cryptocurrencies. Instead of moving the funds from a user’s deposit address to a collection address, the funds held in a user’s deposit address can be used directly to process withdrawals for other users. Processing withdrawal transactions by using the funds held directly in deposit addresses helps the hot wallet function more efficiently.

When analyzing blockchain transactions, from the moment funds are deposited into a user’s deposit address with an exchange, all blockchain transactions thereafter are no longer executed by the user who received the funds into his deposit address. Transactions made after a deposit completes will be executed by the exchange’s hot wallet. Much like when a customer of a bank requests funds to be sent from their bank account to another, the bank is the entity that executes the transaction. Furthermore, funds that have moved to a deposit address linked to an exchange can no longer be traced by looking at the public transaction data as recorded in the blockchain. Only the exchange operator can determine what happened to funds deposited to a deposit address with the exchange. Even if the user first deposits and next withdraws the funds in the same cryptocurrency, the funds withdrawn cannot be directly linked to the funds deposited originally, therefore the exchange acts as a mixer.

Similarly, when funds move from an exchange’s hot wallet, one cannot deduce who the sending user of the exchange is just by looking at the sending address. The sending address will be operated by the exchange and not by the user that made the request to withdraw funds. Only the exchange operator can identify which user requested a withdrawal of funds from their account to an external address. To establish the connectivity of a user’s incoming and outgoing transactions to/from an exchange would require law enforcement to contact the exchange directly and, in most cases, serve a production or similar court order.

Know the Indicators

Considering the role of a compliance professional, it is important to not only know how exchange wallets function, but why they are important in the context of money laundering and indicators of potential suspicious activity in the virtual asset industry. Such indicators were talked to in an ACAMS Today  article, “Virtual Assets: Calibrating the Compass of Suspicion.”³ The following are a few examples of indicators that could be signs that individuals are looking to exploit the functionality of hot wallet exchanges:

• Funds are deposited soon after account registration and withdrawn again shortly after in the same currency without using platform features (i.e., trading/margin funding), which is consistent with using an exchange to obscure origins of funds
• User conducts a high volume of “off-chain” (internal transactions) with other platform users, which is consistent with attempting to obscure origins of funds or conducting illicit activity
• User of a newly opened account makes a large value deposit as a first transaction without making a nominal transaction first to test out the features/capabilities of the platform
• User has multiple online profiles for apparent different individuals connected to their email address or other identifying information

In Summary

Users do not generally hold wallets on exchanges; instead, they have accounts credited with the balance of their crypto transactions. Funds remitted by users are deposited into addresses in an exchange’s hot wallet (as opposed to that of an individual user) for the particular cryptocurrency, e.g., bitcoin. For security reasons, an exchange will typically transfer (sweep) the majority of funds from the hot wallet into a more secure cold wallet not connected to the internet.

When a user wishes to transfer funds from the exchange, their account is debited accordingly and the funds are transferred from the exchange’s hot wallet. The incoming deposits from an individual user cannot be matched using either free (e.g., blockchain.info) or commercial blockchain software to funds transferred out subsequently. Therefore, exchanges are mixers and only the exchange knows the relationship between the incoming and outgoing transactions.

This article has hopefully dispelled some of the myths and misconceptions surrounding how exchange wallets function and has sought to make the link to what it means for compliance professionals looking to mitigate the threat of those actors trying to exploit the technology. The indicators touched on are only a few examples. Through industry initiatives such as Project Participate,⁴ it is hoped that others will continue to share knowledge around anti-money laundering typologies in this space.

Peter Warrack, CAMS, CBP, CCI, CFE, chief compliance officer, Bitfinex, (and special thanks to colleagues at Bitfinex for their technical insight)

Giles Dixon, CBP, CCI, senior manager AML advisory services, Grant Thornton

1. Ameer Rosic, “Cryptocurrency Wallet Guide: A Step-By-Step Tutorial,” Blockgeeks, 2016, https://blockgeeks.com/guides/cryptocurrency wallet-guide/
2. Dwayne King and Peter Warrack, “Real Considerations for Law Enforcement in Seizing Virtual Currency,” ACAMS Today, June 26, 2018, https://www.acamstoday.org/real-considerations-for-law-enforcement-in-seizing-virtual-currency/
3. Peter Warrack et. al, “Virtual Assets: Calibrating the Compass of Suspicion,” ACAMS Today, March 28, 2019, https://www.acamstoday.org/virtual-assets-calibrating-the-compass-of-suspicion/
4. Michael del Castillo, “Crypto’s Valachi Papers,” Forbes, December 4, 2019, https://www.forbes.com/sites/michaeldelcastillo/2019/12/04/cryptos-valachi-papers/