AML/CFT Risks in Crypto: How Financial Crime Works and How to Detect It

According to AMLBot's Crypto Crime Report 2025–2026, based on the analysis of 2,500+ real post-incident investigations, 65% of crypto crime cases were driven by Social Engineering rather than Technical Exploits. Investment Scams accounted for 25% of all cases by volume, followed by Phishing (18%) and Device Compromise (13%).

The data confirms that modern crypto crime has entered a sustained operational phase — losses are driven less by isolated vulnerabilities and more by persistent exploitation of trust, access, and process gaps.

At the macro level, the picture is equally stark. Industry-wide estimates place illicit on-chain activity for 2024 at over $40 billion, with revised figures expected to exceed $51 billion once delayed attribution is complete. By mid-2025, over $2.17 billion had already been stolen from crypto platforms — surpassing the total for all of 2024. Stablecoins now account for the majority of all illicit transaction volume, and state-linked actors have become dominant drivers of on-chain financial crime.

These are not abstract compliance risks. They are operational realities that crypto businesses encounter in their transaction flows every day — through exposure to addresses linked to fraud, sanctions evasion, ransomware, or terrorism financing. The question for any business processing virtual asset transactions is not whether illicit funds will interact with its platform, but how quickly it can identify that interaction when it occurs.

This article examines how financial crime schemes operate in practice on-chain, why certain structural features of crypto make the ecosystem attractive for illicit use, and how businesses detect and respond to AML/CFT risks using transaction monitoring, blockchain analytics, and risk scoring systems.

Why Crypto Is Attractive for Financial Crime

Crypto does not cause financial crime. But several structural characteristics of blockchain-based value transfer create conditions that criminals exploit — often more efficiently than through traditional financial channels.

(Source: FATF, Targeted Update on Implementation of the FATF Standards on VA and VASPs, June 2025)

None of these characteristics are inherently criminal. Pseudonymity also protects user privacy. Speed benefits legitimate commerce. Global reach enables financial inclusion. But when combined with weak compliance infrastructure, these features create an environment where illicit funds can move with minimal friction.

How Money Laundering Works in Crypto

Money laundering through cryptocurrency follows the same three-stage model that applies to traditional financial crime — placement, layering, and integration — but the specific techniques used at each stage exploit the unique properties of blockchain infrastructure.

Placement

Placement is the stage at which illicit funds first enter the financial system. In the crypto context, this typically means converting criminally derived fiat currency into virtual assets, or receiving virtual assets directly as the proceeds of crime (as in the case of ransomware payments, darknet market proceeds, or theft).

Common Placement Methods Include:

At the placement stage, funds are at their most identifiable. The link between the criminal activity and the on-chain transaction is at its shortest. This is where effective onboarding controls — including KYC, source-of-funds verification, and initial risk assessment — provide the highest detection value.

Layering

Layering is the process of obscuring the connection between illicit funds and their origin. In the crypto context, this is where the most technically sophisticated techniques are deployed. The objective is to create enough transactional complexity that tracing the funds back to their source becomes operationally difficult — or prohibitively expensive — for compliance teams and investigators.

Common Layering Techniques on-chain Include:

The FATF's 2025 Targeted Update specifically noted the continued growth in stablecoin use by illicit actors and the increasing professionalization of laundering infrastructure, including networks providing "Laundering-as-a-Service" operations with dedicated customer support and quality assurance mechanisms.

Integration

Integration is the final stage, where laundered funds re-enter the legitimate economy in a form that appears clean. In the crypto context, integration typically involves:

At the integration stage, the effectiveness of detection depends almost entirely on the quality of upstream monitoring. If placement and layering were not flagged, integration transactions will appear indistinguishable from legitimate activity.

Terrorist Financing in Crypto: How It Differs from Money Laundering

While money laundering and terrorist financing (CFT) share common infrastructure on-chain, they differ in a fundamental way: money laundering conceals the origin of funds, while terrorist financing conceals the purpose.

In money laundering, the funds themselves are the proceeds of crime — generated by drug trafficking, fraud, ransomware, theft, or other predicate offenses. The objective is to make dirty money appear clean.

In terrorist financing, the funds may be entirely legitimate in origin. Charitable donations, business revenue, or personal savings can become instruments of terrorist financing the moment they are directed toward a designated individual, organization, or activity. The regulatory framework (CFT) is concerned not with where the money came from, but with where it is going and what it will be used for. In the crypto context, this distinction has practical consequences:

The FATF's 2025 Targeted Update highlighted the continued use of virtual assets by terrorist groups at unprecedented scales, including by Hezbollah, Hamas, and the Houthis, with Iranian proxy networks facilitating over $2 billion in on-chain activity for money laundering, illicit oil sales, and arms procurement. Detecting terrorist financing requires monitoring systems capable of identifying low-value, high-frequency patterns, mapping network connections between addresses, and cross-referencing against sanctions lists and geographic risk indicators — capabilities that go beyond simple threshold-based monitoring.

Common Crypto Crime Schemes

Beyond the three-stage laundering model, crypto financial crime encompasses a range of operational schemes that exploit specific features of blockchain infrastructure. Below are the most prevalent.

Scam and Fraud Networks

Crypto-related fraud remains the largest single category of illicit on-chain activity by volume. The FATF's 2025 update noted that industry estimates place approximately $51 billion in illicit on-chain activity relating to fraud and scams for 2024, with a significant growth in the professionalization of scam operations — including "scam-as-a-service" infrastructure and AI-powered social engineering.

(Source: FATF, Targeted Update on Implementation of the FATF Standards on VA and VASPs, June 2025, p.20)

Common Fraud Schemes in Crypto Include:

Mixers and Obfuscation Tools

Crypto mixers — including both centralized mixing services and decentralized protocols like Tornado Cash — remain a primary tool for obscuring the origin of illicit funds. Mixers operate by pooling inputs from multiple users and redistributing them, breaking the deterministic link between sender and receiver addresses.

Despite OFAC's designation of Tornado Cash in August 2022, the protocol's smart contracts continue to operate autonomously on-chain. AMLBot's public Dune Analytics dashboard tracking stablecoin turnover through privacy protocols shows that significant volumes continue to flow through Tornado Cash, Railgun, zkBOB, and Hinkal — serving both legitimate privacy use cases and illicit laundering workflows.

(Source: AMLBot, Stablecoin Turnover in On-Chain Privacy Tools: Dune Dashboard, February 2026)

From a compliance perspective, any interaction with a mixer — even indirect exposure through intermediary wallets — raises the risk profile of a transaction. Blockchain analytics tools flag mixer interactions as high-risk indicators, and regulators expect VASPs to apply enhanced due diligence when such exposure is identified.

Cross-Chain Laundering

Cross-chain laundering exploits the fragmentation of blockchain ecosystems to break transaction traceability. When funds move from one chain to another through a bridge protocol, the on-chain link between the source transaction and the destination transaction is broken. The asset is burned on the source chain and minted on the destination chain under a new transaction hash — effectively starting a fresh trail.

2025 mid-year analysis confirmed that threat actors targeting crypto services made significant use of bridges for chain-hopping laundering. The technique is particularly effective because most compliance tools and internal monitoring systems are chain-specific: a monitoring system that covers Ethereum may not track the same funds after they bridge to TRON or a Layer 2 network.

Effective detection of cross-chain laundering requires analytics capabilities that span multiple blockchains and can reconstruct transaction flows across bridge transfers.

Use of Stablecoins in Illicit Flows

Stablecoins — particularly USDT on the TRON network — have become the dominant instrument for illicit crypto transaction volume. Data shows that stablecoins accounted for 63% of all illicit transaction volume in 2024, rising to 84% in 2025. The reasons are practical: stablecoins offer dollar-pegged stability, high liquidity, fast settlement, and broad acceptance across exchanges and OTC desks.

The Stablecoin Risk Landscape has Additional Dimensions:

(Source: AMLBot, Tether Freeze Gap Analysis, May 2025; AMLBot, Stablecoin Freezes 2023–2025: USDT vs USDC Analysis, January 2026)

Where AML Systems Fail in Crypto

Understanding how financial crime schemes work is only half the equation. The other half is understanding where detection systems fail — and why illicit funds pass through platforms undetected despite the availability of monitoring tools.

The Most Common Failure Points Include:

These are not theoretical gaps. They are the specific deficiencies that regulators cite in enforcement actions and supervisory findings. Addressing them requires not only the right tools but the right operational integration between those tools and the compliance team's investigative workflow.

How Crypto Businesses Detect AML/CFT Risks

Effective detection of financial crime in crypto relies on three interconnected capabilities: transaction monitoring, blockchain analytics and tracing, and risk scoring with alert management.

Transaction Monitoring

Transaction monitoring is the operational backbone of any crypto AML program. It involves continuous, automated analysis of incoming and outgoing transactions to identify behavior consistent with known laundering typologies, fraud patterns, or sanctions exposure.

In the crypto context, effective transaction monitoring goes beyond fiat-equivalent threshold monitoring. It must incorporate:

Blockchain Analytics and Tracing

Blockchain analytics tools allow compliance teams and investigators to trace the origin and destination of funds across multiple transactions, wallets, and — in advanced implementations — across multiple blockchains.

Core Capabilities of Blockchain Analytics Include:

Risk Scoring and Alerts

Risk scoring translates raw blockchain data into actionable compliance decisions. Every wallet address, transaction, and customer interaction is assigned a risk score based on a combination of factors:

Effective risk scoring systems produce tiered alerts — differentiating between Low, Medium, High, and Critical Risk — and feed into documented investigation workflows that produce audit-ready records for regulatory examination.

Conclusion

Crypto financial crime is not random. It follows identifiable patterns, exploits specific structural features of blockchain infrastructure, and uses a defined set of techniques — from mixers and cross-chain bridges to stablecoin consolidation and scam-as-a-service platforms. These schemes are increasingly professionalized, operationally sophisticated, and backed by state-level resources.

Detection is not optional. For VASPs and other crypto businesses, the ability to identify, flag, and investigate suspicious activity is a regulatory obligation — and a business necessity. The schemes described in this article repeat across jurisdictions, across chains, and across time. The businesses that survive and maintain banking relationships, licenses, and customer trust are those that invest in the monitoring, analytics, and investigative infrastructure necessary to see these patterns in real time.

-AMLBot Team

FAQ