Layering in Crypto AML: How It Works and How to Detect It

Money Laundering has always involved concealing the origins of illicit funds, but layering in Crypto AML has introduced technical complexity that traditional institutions never handled. In legacy finance, layering meant moving money through multiple accounts across jurisdictions. In cryptocurrency, the goal is achieved through multi-chain transactions, decentralized protocols, automated swaps, and wallet fragmentation — processes that can move funds through dozens of hops within minutes.

For exchanges, fintech platforms, and custodians, this is a genuine risk. Funds can pass through infrastructure as part of a layering sequence without triggering conventional alerts. A user deposits ETH, converts it to a stablecoin, bridges to Tron, and withdraws — each step appearing routine in isolation. Taken together, the sequence represents textbook layering, and without blockchain analytics, no compliance team can see it as a single coordinated pattern. Understanding how layering in cryptocurrency works, as practical sequences of techniques, not abstractions, is essential for managing AML risk. This article breaks down core methods, explains why detection is difficult, and describes what crypto businesses can do to identify suspicious transaction flows.

What Is Layering in Money Laundering

Layering is the second stage of the classic three-phase money laundering model: placement, layering, and integration. Where placement introduces illicit funds into the financial system, layering deliberately severs the chain between those funds and their criminal origin. The goal is to make the money appear clean before re-entering the legitimate economy at the integration stage.

How Layering Works in Crypto

Layering in Crypto AML occurs through transaction patterns that exploit the decentralized, multi-chain architecture of the crypto ecosystem. What distinguishes modern crypto layering is not any single technique but the way techniques combine — launderers rarely rely on one method alone.

In contrast to traditional financial systems, layering in cryptocurrencies occurs through a combination of transaction patterns rather than a single laundering step. Funds may be split, bridged, swapped, mixed, and re-aggregated across multiple services and blockchains, making the full sequence difficult to interpret without wallet clustering and entity attribution.

See Wallet and Entity Identification in Blockchain Analytics for more on how blockchain analytics connects these fragmented movements into a meaningful investigation path.

Chain Hopping Across Blockchains

Chain Hopping is the practice of moving funds between different blockchain networks to disrupt traceability. A typical sequence might begin with ETH on Ethereum, bridge to BSC, convert to USDT, and forward to Tron — all within minutes. Each bridge transaction creates a gap in the on-chain record: the source chain logs an outbound transfer and the destination chain logs an inbound deposit, but no direct on-chain data links the two events.

In 2025, chain hopping has emerged as the defining Money Laundering Method of modern crypto crime, with 33% of complex cross-chain investigations involving more than three blockchains. The data loss at bridge boundaries significantly complicates forensic analysis. Without specialized tools, a compliance team examining only a single network sees a fragment of the actual transaction path — which is precisely what launderers engineer.

Use of Mixers and Privacy Tools

Mixers, also called tumblers, are services that pool cryptocurrency from multiple users and redistribute equivalent amounts to different addresses. The mechanism breaks the connection between sender and recipient by distributing outputs with no direct on-chain link that standard address-level analysis can reconstruct.

Mixers function as one stage within broader layering sequences, combined with prior wallet fragmentation and subsequent chain hops. While major services like Tornado Cash faced regulatory action in August 2022, decentralized alternatives continue to operate.

DeFi as a Layering Mechanism

Decentralized Finance (DeFi) protocols have created layering tools that operate without centralized intermediaries. Through decentralized exchanges (DEXs), launderers can perform token swaps without KYC requirements, without a counterparty identity, and without a compliant institution in the transaction path. Liquidity pools introduce an additional dimension: depositing and withdrawing creates a temporal mixing effect that resembles tumbling.

The FATF's 2024 Targeted Update on Virtual Assets noted concern about DeFi's role in money laundering, observing that the absence of centralized control creates regulatory gaps. For compliance teams, the challenge is that DeFi interactions are structurally indistinguishable from legitimate trading activity without behavioral context.

Multi-Wallet Fragmentation

Multi-Wallet Fragmentation — splitting funds across dozens or hundreds of intermediate wallets before recombining them — is one of the oldest techniques in the crypto layering playbook. The logic mirrors smurfing: small amounts distributed across many addresses are individually unremarkable and fall below scrutiny thresholds. An operator might receive a large payment, disperse it to 50 intermediate addresses, and later aggregate outputs.

This technique exploits a fundamental challenge: Wallet Clustering. Identifying which addresses belong to the same controlling entity requires computationally intensive heuristics that are sometimes statistically inconclusive. When fragmentation combines with chain hopping and mixer usage, the analytical burden multiplies exponentially.

Layering is a combination of these techniques, not a single operation — and it is the combination that defeats most conventional monitoring approaches.

Real Examples of Layering in Crypto

To understand how these techniques operate in practice, consider a representative layering sequence. A launderer begins with illicit funds in a Bitcoin address. Step 1: the BTC is split across 15 intermediate wallets. Step 2: each wallet executes a swap on a DEX for a privacy-preserving asset. Step 3: funds bridge to Ethereum. Step 4: they pass through a DeFi liquidity pool. Step 5: outputs aggregate at a new wallet before exchange deposit.

According to 2024 Crypto Money Laundering Report, illicit funds traveled through multi-hop layering chains before reaching exchanges, with DeFi protocols appearing in a growing share of illicit paths. Blockchain investigators studying the Lazarus Group documented chain hopping across Ethereum, TRON, and Binance Smart Chain combined with DEX swaps and fragmentation as their primary methodology.

Why Layering Is Difficult to Detect

Detection difficulty stems from several structural characteristics. Fragmentation creates volume: hundreds of intermediate addresses generate thousands of transactions, each requiring evaluation. Transaction speed eliminates response time: crypto transactions confirm in seconds, whereas investigators work with daily alert batches — by the time a team processes alerts, a four-hour layering chain is complete.

Cross-chain complexity is the most significant detection barrier. When funds move from Ethereum to Tron via a bridge, the data integrity underlying single-chain analysis breaks down. Investigators must reconstruct paths using bridge logs, timing data, and amount matching — a process requiring specialized expertise and tools many compliance functions lack. See Transaction Tracing Explained for deeper context.

The absence of centralized control creates a further barrier with no equivalent in traditional finance. A suspicious wire transfer can be held pending review; in decentralized systems, no intermediary can pause a transaction. By the time layering is identified, enforcement must target wherever funds arrived, not earlier chain stages — making real-time detection the operationally relevant standard.

How Crypto Businesses Detect Layering

Detecting layering requires shifting from transaction-by-transaction monitoring to pattern-level analysis across time and wallets. A single 0.5 ETH transfer to an unfamiliar address is unremarkable. The same transaction within context — 40 similar transfers over 24 hours, each followed by outbound transfers to different addresses — is a significant risk indicator. The challenge is building systems that identify behavioral patterns, not just individual transactions.

Behavioral Pattern Analysis

Behavioral Pattern Analysis examines relationships between transactions over time and across wallet clusters. Common risk indicators include rapid hops from a single deposit, unusual conversion sequences (ETH → stablecoin → privacy coin), deposit-withdrawal cycles with no economic purpose, and wallet clustering suggesting coordinated control. See Cryptocurrency Investigations Explained for deeper investigation methods. Behavioral analysis identifies risk that rule-based screening cannot. A launderer keeping individual transactions below reporting thresholds and using addresses with no prior flags passes most static controls. But the behavioral pattern — timing, sequencing, wallet relationships, asset conversion logic — is harder to disguise. Effective detection requires machine learning models trained on known sequences, continuously updated as techniques evolve.

Transaction Monitoring Systems

Transaction Monitoring Systems in crypto operate under fundamentally different requirements than traditional finance. Effective monitoring must operate in near real-time because layering chains complete within minutes. Systems must screen not just immediate counterparties but the full transaction history of sending addresses — which sources funded the wallet, where funds went previously, and whether any history node involves sanctioned entities, mixers, or high-risk clusters.

Continuous Monitoring eliminates the review gap manual processes create. Continuous Transaction Monitoring ensures alerts are generated within timeframes giving compliance staff meaningful action opportunities. In crypto AML, automation is not just an operational enhancement — it is structurally essential given transaction speed and volume.

Cross-Chain Tracking Challenges

Cross-Chain Tracking is the most technically demanding detection component and where the largest gaps exist. When funds bridge from Ethereum to Solana via wrapped asset protocols, transaction trails must be reconstructed by matching outbound source-chain events with inbound destination-chain events using bridge records, timing data, and asset transformation patterns. This process introduces latency, probabilistic uncertainty, and false-negative risk. As explained in Cross-Chain Analysis Explained: Tracing Crypto Across Multiple Blockchains, the challenge is not simply following one transaction, but correlating structurally separate events across ledgers that share no native continuity. Compliance teams need tools that natively support cross-chain reconstruction — not single-chain address screening applied separately to each network. The capability gap between single-chain and multi-chain analysis is where most undetected layering currently passes through.

This process introduces latency, probabilistic uncertainty, and false-negative risk. Compliance teams need tools that natively support cross-chain reconstruction — not single-chain address screening applied separately to each network. The capability gap between single-chain and multi-chain analysis is where most undetected layering currently passes through.

How AML Regulations Treat Layering

Regulators classify layering as suspicious activity that crypto businesses must monitor, detect, and report. Under FATF Recommendation 16 — the Travel Rule — virtual asset service providers must collect and transmit originator and beneficiary information for transfers above applicable thresholds. This directly targets layering: when funds move through a compliant VASP, the Travel Rule creates data records for investigator follow-up. See Travel Rule Requirements for Crypto Businesses for implementation details.

The FATF's June 2024 targeted update identified layering through DeFi, mixers, and cross-chain bridges as primary risk categories, explicitly requiring businesses to implement detection systems — not merely document policies. Under the EU's Markets in Crypto-Assets Regulation (MiCA), crypto asset service providers face continuous transaction monitoring requirements aligned with this framework. National regulators including BaFin and the AMF conduct inspections testing layering detection capability in practice.

VASPs must apply risk-based approaches to cross-chain activity, assessing whether customers receive funds originating from mixers or high-risk protocols on other networks. These expectations require blockchain analytics extending across chains. See AML Requirements for Crypto Companies for comprehensive regulatory obligation overview.

Conclusion

Layering in Crypto AML is not defined by any single technique but by dynamic combinations of chain hopping, mixers, DeFi protocols, and multi-wallet fragmentation that evolve continuously. The speed, volume, and cross-chain nature of modern transactions mean manual compliance processes are structurally inadequate for identifying layering activity when intervention is possible.

For crypto businesses under FATF Recommendation 15, MiCA, or equivalent frameworks, the requirement is specific: continuous, pattern-aware, cross-chain transaction monitoring. Regulators test these capabilities directly through inspections, with enforcement actions increasingly focused on whether firms can demonstrate their systems would detect known patterns — not whether policies exist on paper.

Effective layering detection requires operational understanding of what layering looks like in practice: the sequences, behavioral indicators, and risk patterns across multi-technique chains. Without this embedded in automated systems, no policy can close the gap between documentation and detection.

FAQ