For the last several years we have closely tracked illicit finance in the crypto ecosystem - scams, ransomware, terrorist financing, and hacks. However, the landscape is evolving and the cryptocurrency space is witnessing a troubling rise in violent crimes targeting individuals for their digital assets.

Today, TRM Labs published a blogpost on Adam Iza, known as the "Crypto Godfather," who, along with a Los Angeles County Sheriff's Department Detective, orchestrated a fraudulent scheme resulting in approximately $37 million in illicit revenue. To protect and further his operations, Iza collaborated with a Detective to harass, threaten, and extort individuals he perceived as threats or competitors, employing tactics such as falsifying police reports and conducting unlawful arrests.

Other recent incidents underscore the severity of this trend and the need for heightened security measures within the crypto community. This month, David Balland, co-founder of Ledger, and his partner were kidnapped from their home in central France. The assailants demanded a ransom in cryptocurrency and inflicted severe injuries on Balland before their eventual rescue by elite police forces.

In September 2024, Remy Ra St. Felix was sentenced to 47 years in prison for orchestrating a series of violent home invasions targeting individuals known to possess significant cryptocurrency holdings. St. Felix and his accomplices held victims at gunpoint, assaulted them, and used restraints to coerce them into transferring crypto. The group was responsible for stealing over $3.5 million through these methods.

There is an increasing trend of criminals resorting to kidnappings and physical coercion to extort cryptocurrencies from victims. In fact, this issue was covered in an excellent podcast today with Laura Shin. These incidents often involve sophisticated planning and the use of violence or threats thereof to force individuals into surrendering access to their digital assets.

To address these evolving threats, it is crucial for individuals and organizations involved in the cryptocurrency space to implement robust security measures, including:

✔️ Personal Security Protocols: Maintaining a low profile regarding cryptocurrency holdings and implementing safety measures to protect against physical threats.
✔️ Technological Safeguards: Utilizing hardware wallets, multi-factor authentication, and other security tools to protect digital assets from unauthorized access.
✔️ Law Enforcement Collaboration: Engaging with authorities to report threats and suspicious activities, and supporting efforts to develop specialized units trained to handle crypto-related crimes that occur both on and off chain.

As the cryptocurrency ecosystem continues to evolve, staying informed about emerging risks and adopting proactive security measures are essential steps in safeguarding against the increasing convergence of digital assets and violent crime.

Key TRM blogposts are in the comments ⬇️
Understanding Financial Crime in Cryptocurrency
-
🕵🏽 Unmasking DeFi-Driven Financial Crime 🚨

The decentralized finance (DeFi) ecosystem has introduced innovative financial tools and equally innovative avenues for financial crime. From cross-chain bridges to algorithmic stablecoins, bad actors exploit these services to launder funds, evade sanctions, and obscure illicit transactions. For law enforcement, the challenge lies in keeping pace with rapidly evolving tactics. Here’s a breakdown of key DeFi-related threats and how advanced tools like Merkle Science’s Tracker are transforming investigations.

👉🏽 Top Types of DeFi Services Exploited by Criminals

1️⃣ Cross-Chain Bridges
Risk: Criminals move funds across blockchains (e.g., Ethereum to Binance Smart Chain) to evade single-chain tracking tools. Over $7 billion in illicit crypto has been laundered through cross-chain methods.
*️⃣ Enforcement Gap: Legacy tools fail to auto-detect inter-chain movements, creating blind spots.

2️⃣ Decentralized Mixers (e.g., Tornado Cash)
Risk: Mixers obfuscate transaction trails, enabling money laundering and sanctions evasion.
*️⃣ Enforcement Gap: Privacy coins and mixing protocols complicate attribution, delaying asset recovery.

3️⃣ Stablecoins
Risk: Bearer instruments like Tether are used to bypass traditional financial controls, as seen in terrorism financing cases.
*️⃣ Enforcement Gap: Lack of centralized oversight allows anonymous cross-border transfers.

4️⃣ Lending/Borrowing Protocols
Risk: Criminals use DeFi pools to hide funds or generate yields on stolen assets.
*️⃣ Enforcement Gap: Complex transaction histories require timeline reconstruction capabilities.

❗ How Merkle Science’s Tracker Closes the Gaps ❗

💠 Cross-Chain Visibility: The tracker automates multi-chain tracing, mapping fund flows across bridges like Avalanche and Polygon in real time. For example, a ransomware group moving ETH → BSC → privacy coin is tracked end-to-end, enabling rapid exchange freezes.
💠 Mixer & Privacy Coin Detection: Advanced algorithms flag interactions with mixers (e.g., Tornado Cash) and privacy coins (Monero, Zcash), even after chain-hopping.
💠 Stablecoin Monitoring: Tracker identifies high-risk stablecoin transactions, such as sudden large-volume transfers to sanctioned jurisdictions.
💠 Timeline Reconstruction: Visualizes complex laundering paths, including DeFi lending/borrowing cycles, to support prosecutions.

🚨 The FTX Drainer theft stole 477 million in wrapped tokens, stablecoins, and DeFi native tokens. These assets were laundered mainly through mixers and cross-chain swaps. 🚨

Merkle Science Mriganka Pattnaik Dr. Justus D. @nirmal Vidushi Tiwari Susrita Sen Thibaut Gravelle-Vivien
-
The new Dept of the Treasury/Financial Crimes Enforcement Network (FinCEN) guidance on Cryptocurrency Investment Scams is excellent, like so much of what they do! 15 Red Flags are identified that should become the new standard for everything we do around protecting victims here. The language is heavily slanted towards banker-speak, but still valuable concepts.

VASPs (We would call them Crypto Exchanges, but VASP is "Virtual Asset Service Providers" which was language adopted by the international anti-money laundering community's primary organization, FATF, back when we were still pretending NFTs weren't a universal scam.)

These are my simplifications of the Red Flags to convince you to download and make posters of the actual red flag content in the attached report and hang them prominently about your bank.

Behavioral Red Flags:
1. first time crypto user tries to initiate a high-value transfer to a VASP.
2. customer mentions significant returns from crypto investments they learned about from an online only acquaintance.
3. customer mentions being guided to a kiosk or ATM to deposit crypto to an address the individual provided
4. customer seems distressed or anxious to access funds to meet an investment opportunity deadline

Financial Red Flags:
5. liquidating savings prior to maturation and attempting to wire to a VASP
6. taking out a HELOC or second mortgage and sending the money to VASP
7. depositing to fiat from crypto at a slightly larger amount than previously sent to crypto. This deposit is then followed by substantially larger fiat-to-crypto movement.
8. Inactive or limited activity high balance account starts showing uncharacteristic, sudden, abnormally frequent, or significant withdrawals of funds to VASP
9. Multiple EFTs or wires to VASP, especially if noted as being "taxes," "fees," or "penalties."
10. A customer with a short history of small-value EFTs to a VASP begins sending high-value wires to holding companies, LLCs, or individuals with no prior transaction history

Technical Red Flags:
11. Accounts accessed by unique IPs, unique devices, or inconsistent geographies.
12. Crypto interactions with a poorly designed or amateurish website.
13. Crypto transactions to websites with newly registered domains, no physical street address, and international or chat/email-only contact details.
14. Downloading an app directly from a third-party website rather than a well known app store.
15. Crypto converted to a currency with a lower transaction fee, such as TRX, and then abruptly sent out from exchange.

#FinCEN #CryptoRedFlags #CryptoInvestmentScams #CryptoScams #PigButchering
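As an added illustration (not part of the post above and not FinCEN's own logic), red flags 1, 7 and 9 from the list can be expressed as monitoring rules over a customer's fiat ledger. The ledger rows, field layout, dollar thresholds and keyword list are all constructed assumptions.

```python
from datetime import date

# Constructed ledger for one customer: (date, direction, amount_usd, memo).
# "to_vasp" = fiat sent to a crypto exchange, "from_vasp" = fiat received back.
LEDGER = [
    (date(2024, 3, 1), "to_vasp", 1000.0, "investment"),
    (date(2024, 3, 8), "from_vasp", 1150.0, "withdrawal"),
    (date(2024, 3, 12), "to_vasp", 40000.0, "investment"),
    (date(2024, 4, 2), "to_vasp", 6000.0, "taxes on profit"),
    (date(2024, 4, 9), "to_vasp", 4500.0, "withdrawal fees"),
]

# Memo stems for red flag 9 ("taxes", "fees", "penalties"); assumed keyword list.
FEE_STEMS = ("tax", "fee", "penalt")


def flag_first_time_high_value(ledger, high_value=10_000.0):
    """Red flag 1: the customer's first-ever transfer to a VASP is high-value.
    The 10,000 USD threshold is an assumption, not a FinCEN figure."""
    outgoing = sorted(t for t in ledger if t[1] == "to_vasp")
    return bool(outgoing) and outgoing[0][2] >= high_value


def flag_bait_return(ledger, max_gain=0.25, escalation=5.0):
    """Red flag 7: a deposit back from crypto slightly larger than what was
    sent, followed by a substantially larger fiat-to-crypto transfer.
    'Slightly larger' (<= 25% gain) and 'substantially larger' (>= 5x the
    original amount) are assumed thresholds."""
    txs = sorted(ledger, key=lambda t: t[0])
    for i, (_, d1, sent, _) in enumerate(txs):
        if d1 != "to_vasp":
            continue
        for j in range(i + 1, len(txs)):
            _, d2, back, _ = txs[j]
            if d2 == "from_vasp" and sent < back <= sent * (1 + max_gain):
                # A small "profit" came back; look for the escalation after it.
                if any(d3 == "to_vasp" and amt >= escalation * sent
                       for _, d3, amt, _ in txs[j + 1:]):
                    return True
    return False


def flag_fee_wires(ledger, min_count=2):
    """Red flag 9: multiple transfers to a VASP described as taxes, fees or
    penalties."""
    hits = [t for t in ledger
            if t[1] == "to_vasp" and any(s in t[3].lower() for s in FEE_STEMS)]
    return len(hits) >= min_count


def evaluate(ledger):
    """Return the sorted list of red-flag numbers raised by this ledger."""
    rules = {1: flag_first_time_high_value, 7: flag_bait_return, 9: flag_fee_wires}
    return sorted(n for n, rule in rules.items() if rule(ledger))


if __name__ == "__main__":
    print("Red flags raised:", evaluate(LEDGER))
```

The behavioral flags (2 to 4) come from conversation with the customer and cannot be derived from the ledger alone, so rules like these complement frontline questioning rather than replace it.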
-
Europol illustrates a complex cryptocurrency Decentralized Finance (DeFi) hacking and theft case in their Internet organised crime threat assessment (IOCTA) 2023 report. Details of what occurred during the laundering process following the hack can be seen below:

1️⃣ The stolen BNB cryptocurrency was first sent to RenProject (a protocol that allows for chain hopping) to convert the BNB to Bitcoin, which was then sent through a mixer.
2️⃣ Then the funds were split, which often happens in ransomware cases (with affiliates splitting ransoms with developers). The split funds are converted to RenBTC, with some on the Ethereum blockchain and some on the BNB blockchain.
3️⃣ The former are converted to Ethereum, after which they are deposited to the sanctioned mixer Tornado Cash.
4️⃣ The latter is converted back to bitcoin on the Bitcoin blockchain (through REN) and then converted to RenBTC on Ethereum blockchain and eventually into Ethereum, after which it is sent to Tornado Cash.

PDF: https://lnkd.in/dKvQvRHf

#Europol #cryptocrime #cybercrime #intelligence #OSINT #CTI #FOR589 #threatintelligence #darkweb #crime
-
Why do some criminals love crypto? Hint: It's not just about anonymity.

🔹 When a bad actor wants to conduct a financial transaction, they will assess whether a financial product can move funds:
▪ far,
▪ fast,
▪ in large amounts,
▪ irreversibly,
▪ anonymously,
▪ and to a third-party.

There is no one feature that drives bad actors to a particular type of financial product. Anonymity is just one feature criminals weigh. While a truckload of nickels and dimes is anonymous, it cannot be moved far or fast. Gift cards are anonymous but usually have a dollar cap. For example, paying a $150 million bribe with $2,000 gift cards would require roughly 75,000 gift cards. Wires can move large amounts, far, but are reversible if caught early. The FBI's Recovery Asset Team successfully froze $507 million in fraudulent wires in 2023.

🔹 Which Criminals Love Crypto?
The 'ideal match' between bad actor and cryptocurrency is one who needs to move large amounts, far, fast, irreversibly, anonymously, and to a third-party. Ransomware actors meet all six of these criteria. It shouldn't be surprising that FinCEN found that every ransomware attacker demanded payment in crypto in Q1 & Q2 2021. Some bad actors such as Transnational Criminal Organizations and Corrupt Government Officials relish the far and large amounts features of crypto. Fraudsters and Hackers are more focused on the irreversibility, third-party and fast aspects of crypto. While Child Sexual Abuse Materials marketplaces & customers seek the anonymity offered by crypto.

🔹 Which Criminals "Aren't That Into" Crypto?
The features offered by crypto as a financial product may not be needed by all criminals including:
▪ Criminals with small profits
▪ Hedonists who spend all their profits
▪ Bad actors engaging in domestic, non-crypto native crimes and living in corrupt or under-resourced countries

Read the full post for much more detail and examples of the CSAM / crypto nexus. https://lnkd.in/eg5Erz7c
-
The Federal Bureau of Investigation (FBI)'s Internet Crime Complaint Center (#IC3) released its 2023 #Cryptocurrency #Fraud Report earlier this month, and the numbers tell a story:

📊 The numbers:
- Over 69,000 crypto-related fraud complaints received by IC3
- $5.6 billion in estimated losses - a 45% increase from 2022
- Investment fraud accounted for 71% of all crypto-related losses

🔎 It's a quick and important 23-page read with lots of helpful details, typologies and examples. What caught my eye 👀 is the chart on page 10 ( 📸 pictured below).

📈 Chart Analysis - '2023 Country Statistics':
- Complaints: The number of cryptocurrency complaints has shown significant fluctuations, with peaks in 2021 and 2023, indicating increased awareness and reporting of crypto-related crimes. A significant drop occurred in 2020, but complaints surged again in subsequent years.
- Losses 💰: Crypto losses remained relatively stable and low until 2021. There's been a dramatic spike in losses starting in 2021, highlighting the escalating financial impact of these crimes or the uptick of reporting by victims - probably both. Something else?

Geographical observations 🌎: Complaints originate from over 200 countries with a clear concentration in the United States 🇺🇸, which dominates both complaint counts and losses. Canada 🇨🇦 and the UK 🇬🇧 rank high in both complaints and losses ( 🤔 are criminals going after English-speaking vics, crypto hubs, or do these countries have better reporting mechanisms?) Some countries with relatively few complaints report disproportionately high losses. For example, the Cayman Islands 🇰🇾 ranks 2nd in losses, but doesn't appear in the top 20 for complaint counts. The reverse is also apparent: Nigeria 🇳🇬 and Pakistan 🇵🇰 rank high in complaint counts but don't appear in the top 20 for losses.

#EmergingMarkets - Countries like India 🇮🇳, Brazil 🇧🇷 and Turkey 🇹🇷 with growing crypto adoption appear in the top complaint counts and are maybe therefore also becoming targets for criminals.

💡 Why It Matters: It's important to understand current fraud trends so that we all protect ourselves, our assets, our businesses and our countries. While some of this is common sense, we have to come back to basics for staying safe:
1. Be wary of "too good to be true" investment opportunities
2. Never share personal info with unverified contacts
3. Research thoroughly before investing
4. Use reputable exchanges and wallets - 'Know Your Exchange' - KYE and 'Know Your Wallet' - KYW

Thanks, FBI for sharing solid information for us all to stay informed and vigilant! 🧠💪

#Cryptocurrency #Cybersecurity #FinancialFraud #FBI

📚 Full FBI report here: https://lnkd.in/eT9waRXh
-
The Bybit Hack: When Cybercrime Becomes Statecraft

Another day, another major financial breach—but this one wasn’t just about money. Bybit just fell victim to a precision deception operation, where attackers manipulated the signing interface to reroute funds while displaying legitimate transaction data. A digital sleight of hand with major geopolitical implications.

Who’s behind it? All indicators point to North Korea’s Lazarus Group—the same state-backed cyber unit responsible for:
🔹 $308M—Japanese crypto firm (Dec 2024)
🔹 $600M—Ronin Network
🔹 $600M—Poly Network
🔹 $1.4B—Stolen in a single crypto hack (the largest cryptocurrency theft in history)

This isn’t just cybercrime—it’s asymmetric economic warfare. North Korea has turned financial exploitation into state policy, using stolen digital assets to circumvent sanctions and fund nuclear weapons development.

The New York Times recently covered this breach, highlighting the staggering scale of cryptocurrency theft by state-sponsored actors. But what’s missing from the conversation is how corporate leaders, compliance teams, and national security professionals should respond.

🔹 Corporate Leaders: The financial world is now a battleground. High-value transactions, supply chains, and proprietary technologies are active targets. This isn’t just a cybersecurity issue—it’s an existential risk to business continuity.
🔹 Compliance & Risk Teams: Sanctioned regimes are no longer just evading detection—they’re embedding themselves into global financial ecosystems. Ensuring your assets, transactions, and partnerships aren’t fueling illicit state-sponsored operations is no longer optional.
🔹 National Security Leaders: Financial infrastructure is now a frontline in geopolitical conflict. Cyber-enabled economic warfare has made traditional sanctions less effective, requiring new intelligence-driven strategies to stay ahead.

At Gray Matter Resources (GMR), we operate at the intersection of corporate risk, financial intelligence, and national security. As these threats escalate, staying reactive is no longer an option. The future belongs to those who can anticipate, disrupt, and counter adversarial maneuvers before they unfold.

For decision-makers in finance, compliance, and national security—the question isn’t if this will impact you. It’s how soon.

[For those interested in mainstream coverage of the Bybit attack, the NYT recently reported on it (🔗link in comments🔗). But the deeper implications extend far beyond what’s written there.]

#CyberTradecraft #CorporateRisk #GeopoliticalThreats #GrayMatterResources #StateSponsoredHacking #EconomicWarfare #Compliance #NationalSecurity #FinancialIntelligence #GMR #NationalSecurity #AML
-
☘️ Another heartbreaking Survivor Series story for Operation Shamrock — and more critical lessons for banks & credit unions. ☘️

👉 This scam began with a simple message on Hinge.
👉 It ended with a mother and daughter losing their life savings — over $160K — to a pig butchering scam.

How did it happen?
- Grooming through WhatsApp and fake “financial analyst” screenshots
- Pushed to distrust their bank: “The bank isn’t trustworthy. If they ask questions, it proves it.”
- Pressured to move money quickly, “small enough” to avoid bank scrutiny
- Used multiple platforms: Bitget Wallet, fake Robinhood links, VPNs
- Manipulated the victim’s relationship with her own mother to reinforce trust in the scam

When the banks asked:
💬 “What is this money for?” → “Crypto investment”
💬 “How long have you been investing?” → “1–2 years”
💬 “Has anyone promised gains?” → No. (The victim rationalized — “He didn’t promise, he just said I’d see gains…”)

Red Flags for FIs:
🚩 Customers being coached to distrust the bank
🚩 Crypto use suddenly emerging in transaction patterns
🚩 Wire transactions layered across platforms like Coinbase
🚩 Small batch wires structured to stay “below” questioning thresholds
🚩 Statements like “Why won’t the bank let me access my own money?” — a warning sign they are being manipulated

What can banks do better?
✅ Equip frontline and wire staff with targeted questions — and roleplay the types of rationalizations victims will use
✅ Be aware: many scam victims are actively coached to lie during transaction reviews
✅ Build triggers for crypto first-timers, rapid increases in volume, or VPN use patterns
✅ Understand the emotional hooks: not just “greed” — but hope, family dynamics, shame, and desperation

One of the most chilling lines from this survivor:
👉 “I trusted him because my mom trusted him…”

Fraud isn’t just a financial crime — it’s deeply psychological. And until our frontlines are prepared for that reality, these scams will continue to win.

Erin West Michele Ilich-Daubas, CAMS, CRC ☘️ Andrew Reid #OperationShamrock #SurvivorSeries #PigButcheringScams #FraudPrevention
-
Drug trafficking, money laundering, Tether, Binance, unhosted wallets, and gas fees. This forfeiture case (seeking the civil forfeiture of about $2 million in USDT) could be a crypto investigators' exam question. I learned something from this complaint: unhosted wallets aren't as "safe" for money launderers as they're sometimes touted to be. Paragraph 52 of the Complaint points out that: With an unhosted wallet, a user needs “gas” to send USDT via the Ethereum or Tron network. Gas is the fee required to successfully conduct a transaction or execute a contract on the Ethereum or Tron blockchain platform. By following the trail related to “gas fees,” agents can connect individuals associated with the unhosted wallet because “gas fees” can generally be traced to a virtual currency exchange that requires KYC. And because this particular currency exchange, Binance, cooperated with law enforcement, agents were able to learn the identity and location of the suspect. They eventually were able to seize about 2 million USDT from an offshore account, and are now seeking a forfeiture order. Ari Redbord, Joseph Ciccolo, CAMS, AMLCA
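As an added illustration of the gas-fee tracing described in the post above (not code from the post or from the complaint), the sketch below walks backwards along native-coin funding transfers from an unhosted wallet until it reaches an address labelled as a KYC exchange. All addresses, amounts and the exchange label are constructed, and the hop limit is an assumption.

```python
from collections import deque

# Constructed native-coin (gas) transfers: (sender, receiver, amount).
# An unhosted wallet holding only USDT cannot transact until someone sends
# it the chain's native coin, so these edges show who paid for its gas.
NATIVE_TRANSFERS = [
    ("exchange_hot_1", "funder_A", 50.0),
    ("funder_A", "relay_1", 5.0),
    ("relay_1", "unhosted_X", 0.5),
    ("funder_A", "unhosted_Y", 0.4),
    ("unknown_src", "unhosted_Z", 0.3),
    ("unhosted_X", "relay_1", 0.01),  # change sent back: creates a cycle
]

# Addresses attributed to a KYC-collecting exchange (constructed label).
KYC_LABELS = {"exchange_hot_1": "Exchange-1 (KYC)"}


def trace_gas_funding(wallet, transfers, labels, max_hops=4):
    """Breadth-first search backwards over funding edges.

    Returns the shortest path [wallet, ..., labelled_source] or None when no
    labelled source is reachable within max_hops.
    """
    funders = {}
    for sender, receiver, _amount in transfers:
        funders.setdefault(receiver, []).append(sender)

    queue = deque([[wallet]])
    seen = {wallet}  # guards against cycles such as X -> relay_1 -> X
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node != wallet and node in labels:
            return path
        if len(path) - 1 >= max_hops:
            continue
        for src in funders.get(node, []):
            if src not in seen:
                seen.add(src)
                queue.append(path + [src])
    return None


def link_wallets_by_gas_source(wallets, transfers, labels, max_hops=4):
    """Group unhosted wallets by the labelled source that paid for their gas."""
    groups = {}
    for w in wallets:
        path = trace_gas_funding(w, transfers, labels, max_hops)
        key = path[-1] if path else None
        groups.setdefault(key, []).append(w)
    return groups


if __name__ == "__main__":
    for w in ("unhosted_X", "unhosted_Y", "unhosted_Z"):
        print(w, "->", trace_gas_funding(w, NATIVE_TRANSFERS, KYC_LABELS))
```

Wallets that resolve to the same labelled source are candidates for a single records request to that exchange; wallets that resolve to `None` need a deeper hop limit or additional attribution data.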
-
Key Crypto Compliance Insights from ACAMS Virtual Currencies Panel

It was an absolute pleasure sharing the stage with Melissa Strait (Chief Compliance Officer at Coinbase), Megan Gonzales, CAMS (Global Head of Financial Crimes at Cash App), and Julie Lascar (Director of Payments & Innovation at the U.S. Department of the Treasury), during the ACAMS Virtual Currencies panel earlier this week in Las Vegas.

Top five takeaways

1️⃣ Crypto is Mainstream: 52 million Americans now own cryptocurrency, with 70% of U.S. states enacting crypto-related legislation 🌍. States like California, New York, and Florida lead the way in crypto ownership, while the SEC's approval of BTC and ETH ETFs reflects increasing institutional trust, with over $70 billion in assets under management 📈

2️⃣ Unhosted Wallets vs. Hosted Wallets: Hosted wallets are managed by a service provider, offering built-in security and KYC (Know Your Customer) requirements 🛡️. Unhosted wallets, on the other hand, lack such oversight. While they give users full control, they also present higher risks, especially in AML (Anti-Money Laundering) compliance due to anonymity and lack of KYC checks ⚠️.

3️⃣ Mixers – What Are They? Mixers are services used to obfuscate the source of cryptocurrency transactions. While they offer privacy for users, they are commonly linked to money laundering and illicit activities, making them a regulatory concern 🚨. Although often seen negatively, mixers provide essential privacy protection in jurisdictions with strict government surveillance or for activists and journalists needing financial anonymity 🌐.

4️⃣ Building teams and blockchain analytics muscle: While AML and Sanctions investigations can be interoperable skills, bespoke training, and specialized skills are required to develop a strong and robust crypto investigations organization. A primary requirement is a deep understanding of blockchain technology and hands-on experience with multiple blockchain analytics tools. 💪

5️⃣ Compliance is Key: Navigating these risks requires a strong compliance framework, including transaction monitoring, blockchain analytics, and collaboration with law enforcement agencies to tackle illicit crypto activity in crypto 🧩.

Staying informed on these issues is crucial for safeguarding the future of crypto 🚀

#CryptoCompliance #RiskMitigation #BlockchainSecurity #FinCrime