Avoiding overt attacks is important, but guarding against covert ones is even more crucial: Ten case studies reveal the key to risk control for licensed platforms.

Author: Zhang Feng

As the anonymity, global circulation, and decentralization of cryptocurrencies become widely recognized, they have become a "new favorite" for money laundering crimes. From the early "Silk Road" darknet markets to today's complex on-chain transfers using decentralized finance protocols, money laundering methods are constantly evolving, posing a serious challenge to global financial security.

Against this backdrop, regulatory agencies in various countries are demanding, with unprecedented力度, that cryptocurrency trading platforms, custodians, and other virtual asset service providers fulfill strict anti-money laundering obligations.

I. Legal Framework and Regulatory Requirements Globally, the FATF Recommendations issued by the Financial Action Task Force (FATF) are the authoritative international standard for combating money laundering and terrorist financing. They explicitly include virtual asset service providers under regulation, requiring them to implement the "travel rule," which mandates the collection and transmission of information on the originator and recipient for virtual asset transfers exceeding a certain amount (typically $1,000/€1,000). In China, the law takes a strict stance against money laundering using cryptocurrencies. Article 191 of the Criminal Law stipulates the crime of money laundering, explicitly defining "transferring funds through bank transfers or other payment settlement methods" and "cross-border transfer of assets" as money laundering methods, fully covering cryptocurrency-related operations. Although the operation of cryptocurrency trading platforms is prohibited in China, law enforcement agencies still exercise long-arm jurisdiction and severely crack down on platforms operating overseas but serving Chinese users, as well as "underground banks" providing services for outbound funds, in accordance with relevant laws. The EU's Crypto Asset Markets Regulation (MiCA) and the US Bank Secrecy Act both impose clear registration, licensing, and anti-money laundering obligations on VASPs. Therefore, regardless of where a platform is located, fulfilling anti-money laundering obligations is no longer an option, but a mandatory requirement for survival and development. II. Analysis of Ten Typical Cases at Home and Abroad and Reflection on Platform Obligations Case 1: PlusToken Pyramid Scheme Money Laundering Case This is a typical case combining a Ponzi scheme with money laundering. PlusToken used high returns as bait, developing more than 2 million levels, involving a total value of digital currencies exceeding 40 billion yuan. After the case was exposed, the criminal gang used intensive on-chain transactions to convert huge amounts of assets between different addresses and different currencies, and finally cashed out through domestic and foreign exchanges. Money laundering methods: "Break large sums into smaller amounts," "on-chain obfuscation," and "cross-exchange withdrawals." They disperse huge sums of money into tens of thousands of addresses, using the anonymity of Bitcoin, Ethereum, and other cryptocurrencies to transfer funds multiple times, and finally sell them in batches on exchanges with relatively lax regulations, converting them into fiat currency. The platform's obligations and suggestions include: First, strengthening the identification and monitoring of high-risk businesses. The platform must establish an effective transaction monitoring system to automatically alert for frequent, small-amount deposits and withdrawals (meeting the characteristics of "structured transactions") originating from the same source or related addresses within a short period. Second, strictly enforcing the "travel rules." Although this case occurred primarily before the widespread implementation of the FATG recommendations, it highlights the importance of information traceability. The platform must collect and verify user identity information such as name and address for transactions exceeding thresholds to ensure the traceability of fund flows. Case Two: Money Laundering Case Using "Money Laundering Platforms" and USDT (Case Summary: Criminal gangs involved in telecommunications fraud, online gambling, and other crimes recruited large numbers of "code merchants" to receive payments using their own bank accounts or Alipay accounts. The "code merchants" were then instructed to purchase an equivalent amount of USDT on cryptocurrency platforms and transfer it to wallet addresses designated by the criminal gangs. In this way, criminal funds were seamlessly transferred from the traditional banking system to the cryptocurrency system.) Money laundering method: "Fiat currency to stablecoin" conversion, using the stable price of USDT as a medium of value to "launder" illicit funds. Platform Obligations and Reflections: Firstly, deepen customer due diligence for fiat currency channels. When providing fiat-to-cryptocurrency exchange services, platforms should not be satisfied with just online KYC. Users who frequently engage in "small-amount, multiple transactions with numerous counterparties" should be considered high-risk customers, requiring enhanced due diligence to verify the legality of their funding sources. Secondly, an abnormal behavior model should be established. The system should be able to identify transaction patterns that are clearly inconsistent with the user's claimed profession and income level. For example, an ordinary office worker might conduct dozens of fiat currency transactions with different people every day. Case 3: A Cross-Border Transaction Using Bitcoin by an Underground Bank Case Summary: Domestic clients transfer RMB to an underground bank's domestic account. The underground bank then instructs its overseas partners to pay an equivalent amount in foreign currency (or cryptocurrency) to the client's designated overseas account. In this process, Bitcoin acts as the unit of account for balancing the domestic and overseas funds pools. While there is no physical cross-border flow of funds, the actual cross-border transfer of funds is completed. Money laundering methods: "Warranty trading," using cryptocurrencies as a measure of value and settlement tool to circumvent foreign exchange controls. Platform obligations and suggestions: First, strengthen regional risk monitoring. Platforms should identify and monitor transactions involving countries on embargo lists and high-risk regions. Accounts that frequently engage in "buying all on one side and selling all on the other" between two specific jurisdictions, and whose user IP addresses do not match their trading behavior, should be subject to close scrutiny. Secondly, a holistic risk assessment is crucial; trading on a single platform cannot be viewed in isolation. Platforms should actively participate in industry information sharing (within the scope permitted by law) to identify wash trading patterns from a global perspective. Case 4: Using Cross-Border E-commerce for Cryptocurrency Money Laundering A criminal gang established a fake cross-border e-commerce company, forged import and export trade contracts, purchased Bitcoin through domestic cryptocurrency OTC merchants, and transferred it to affiliated companies overseas. After the overseas company sold the Bitcoin, it paid foreign exchange to the domestic company under the guise of "export proceeds," thus giving the illicit funds a legitimate foreign trade facade. Money laundering methods: Trade-related money laundering, fabricating real transactions, and using the cross-border convenience of cryptocurrencies to forge fund flows. Platform Obligations and Suggestions: First, conduct thorough due diligence on corporate users. For corporate users claiming to engage in international trade, the platform should not only verify their business registration information but also examine their actual trade background, such as logistics documents and customs records, and be wary of situations where the transaction scale is significantly inconsistent with the company's size. Second, pay attention to the risks of the OTC market. OTC merchants are a key node connecting fiat currency and cryptocurrency. Platforms must conduct strict onboarding audits and continuous monitoring of OTC merchants, treating them as key targets for anti-money laundering efforts. Case Five: The USDT-based "Salary" Case in Online Gambling Online gambling platforms converted all gamblers' deposits, withdrawals, and payments to agents and employees—referred to as "salaries" and "commissions"—into USDT. Gamblers deposited fiat currency to purchase USDT, then deposited it into the gambling platform. After winning money or receiving commissions, the platform returned the USDT to the user's wallet, which the user then sold. Money laundering methods: The entire process is cryptanalyzed, isolating the entire illegal business system from the traditional financial system, greatly increasing the difficulty of investigation. Platform obligations and suggestions: First, identify addresses associated with illegal businesses. Platforms should use on-chain analytics tools to mark known deposit addresses related to gambling platforms, dark web markets, etc. Any user associated with these addresses should be immediately flagged and restricted; secondly, behavioral analysis and correlation mapping should be used to establish user behavior profiles. For example, a pattern where a large number of users regularly deposit USDT into a centralized address and then regularly receive USDT as a "salary" from that address should be automatically identified and trigger an alert. Case Six: Bitfinex 2016 Hacking and Money Laundering Case (USA) Case Summary: Hackers stole nearly 120,000 Bitcoins from the Bitfinex exchange. In the following years, they laundered money through mixers, exchanging tokens for other tokens on decentralized exchanges, and creating thousands of new wallet addresses. It wasn't until 2022 that the U.S. Department of Justice arrested two suspects and recovered some assets. Money laundering methods: Using mixers and DeFi protocols to obfuscate on-chain information and cut off the flow of funds. Platform Reflections and Suggestions: First, block addresses related to coin mixers. The platform should blacklist known deposit addresses for coin mixing services (such as ChipMixer, Wasabi Wallet, etc.), prohibiting users from depositing coins from these addresses, and reviewing withdrawals to these addresses. Second, integrate on-chain analytics tools. The platform must purchase or build its own on-chain tracking capabilities, using tools such as Chainalysis and Elliptic to score the "purity" of deposited funds. Funds from high-risk addresses or those associated with illegal activities should be refused service or frozen pending investigation. Case Seven: The OneCoin Ponzi Scheme (Global) Case Summary: OneCoin, touted as a "Bitcoin killer," was actually a pyramid scheme without blockchain and centralized ledger, raking in over €4 billion globally. It transferred funds through a complex global network of bank accounts and cash transportation, but also partially utilized cryptocurrencies for layering. Money Laundering Methods: Combining traditional and new methods, using cryptocurrencies as one of the multi-layering tools. Platform Obligations and Recommendations: First, be wary of "fake cryptocurrency" projects: Platforms should conduct thorough due diligence before listing any token to ensure its technical authenticity, team transparency, and the rationality of its business logic. Centralized "pyramid scheme coins" promising high returns should be resolutely resisted. Second, strengthen internal compliance culture to prevent employees from being bribed or colluding with criminal groups. Regularly provide anti-money laundering training to employees and establish an independent compliance reporting channel. Case 8: Africrypt Investment Platform Abuse of Funds (South Africa) Case Summary: The founders of cryptocurrency investment platform Africrypt disappeared after claiming a "hacking attack," absconding with approximately 69,000 bitcoins. They quickly converted the bitcoins into other tokens using mixers and cross-chain bridges, and cashed out through unregulated exchanges. Money Laundering Methods: Embezzlement and the use of cross-chain technology to transfer assets. Platform Obligations and Recommendations: First, fulfill monitoring obligations regarding DeFi and cross-chain protocols. With the increasing prevalence of cross-chain bridges, money laundering paths are becoming more complex. Platforms need to update their monitoring rules to track asset transfers across different blockchains. Second, establish a rapid response mechanism with law enforcement agencies. Upon receiving reports of suspicious activity or requests for law enforcement assistance, platforms should have a standardized internal process to ensure rapid asset freezing and data provision, avoiding missed opportunities due to lengthy internal procedures. Case Nine: Russian Drug Cartel's Money Laundering Case Using BTC Case Summary: A Russian drug cartel sold drugs on the dark web, received Bitcoin, and then hired a professional money laundering team. This team laundered the money through exchanges like BTC-e, which had weak anti-money laundering measures at the time, and ultimately channeled the funds into the legitimate economy. Money Laundering Method: Dark web - exchange - real economy, a typical three-stage money laundering process. Platform Obligations and Recommendations: First, classify dark web-related addresses as the highest risk. Any funds flowing into known dark web marketplace addresses should be considered extremely high risk. The platform should automatically trigger investigations and consider directly freezing related accounts. Second, implement a risk-based approach. Based on users' nationality, transaction behavior, source of funds, occupation, and other multi-dimensional information, classify users into risk levels (low, medium, high), and implement stricter continuous monitoring and transaction limits for high-risk users. Case 10: Lazarus Group Money Laundering Case (Global) This organization stole huge amounts of cryptocurrency (such as the $625 million stolen from the Ronin Network cross-chain bridge) through phishing, malware, and other methods. They then employed a complex "on-chain hopping" strategy to exchange, stake, and transfer cryptocurrency through multiple DeFi protocols, ultimately attempting to launder money using a coin mixer. Money laundering methods: National-level, highly complex on-chain money laundering combines various techniques such as hacking, DeFi, and coin mixers. Platform Reflections and Recommendations: First, comply with sanctions regulations. The platform must incorporate international sanctions lists such as OFAC into its system, automatically blocking transactions involving IP addresses, email addresses, and wallet addresses related to sanctioned countries such as North Korea and Iran. Second, enhance defenses against advanced persistent threats (APS), as the platform itself may become a target for hackers. Significant investment in cybersecurity is essential to prevent becoming a source of money laundering. Simultaneously, threat intelligence should be shared with peers and law enforcement to jointly address threats from nation-state hacking organizations. III. Systematic Construction of Platforms' Anti-Money Laundering Obligations Based on the above cases, for an encrypted business platform to effectively fulfill its anti-money laundering obligations, it must build a multi-layered, end-to-end defense system. First, customer due diligence is the cornerstone. Identity verification should not be limited to name and ID card; it should incorporate biometric technologies such as facial recognition and liveness detection to ensure "real person, real name, real identity." Risk classification should be implemented, establishing a dynamic risk assessment model to adjust risk levels in real time based on user behavior, region, and transaction patterns. Strengthened and continuous due diligence should be conducted; for high-risk users, their source of funds, wealth status, and transaction purposes should be understood, and their transaction behavior should be continuously monitored to ensure consistency with their initial statements. Secondly, transaction monitoring is crucial. A smart rule engine establishes monitoring rules based on case experience, such as "structured transactions," "rapid asset transfers," and "interaction with blacklisted addresses." A behavioral analysis model incorporates machine learning to analyze each user's "normal" behavioral baseline; any significant deviations (such as sudden large transactions or changes in transaction partners) trigger immediate alerts. On-chain tracing capabilities are essential, requiring professional on-chain analytics tools capable of tracing the source of funds and identifying coin mixing activities. Finally, recording and reporting are crucial. Complete record keeping: All KYC documents, transaction records, and internal communication records must be kept for at least five years in accordance with the law. Prompt submission of suspicious transaction reports: Establish an independent anti-money laundering compliance officer who should report any suspicious transactions to the Financial Intelligence Center without hesitation. Furthermore, organization and systems are essential for safeguards. Clear anti-money laundering policies: Develop clear and enforceable internal anti-money laundering policies and ensure that all employees are aware of and comply with them. An independent compliance function is essential. The anti-money laundering compliance department should possess a high degree of independence and authority, reporting directly to the board of directors or top management. Continuous employee training is crucial to ensure frontline staff, especially customer service and operations personnel, are familiar with the latest money laundering methods and the platform's countermeasures. Furthermore, technological investment and innovation are the future. Embracing regulatory technology and actively exploring the application of privacy-preserving technologies such as zero-knowledge proofs in the compliance field will enable compliance verification to be completed while protecting user privacy. Industry collaboration is crucial to promoting the establishment of an industry-wide risk address sharing database (within the legal and privacy framework) and forming a joint prevention and control force. For crypto business platforms, anti-money laundering is no longer just external regulatory pressure, but an intrinsic requirement for their long-term healthy development; it is a "passport" to building market trust and winning legitimate users. From PlusToken to Lazarus Group, each case is a painful lesson and a clear mirror reflecting the vulnerabilities in the platforms' anti-money laundering defenses. Only by integrating anti-money laundering obligations into the very fabric of corporate culture, using technology as a shield and regulations as a sword, and building a robust, intelligent, and dynamic defense system, can we steadily navigate the balance between innovation and compliance, truly becoming responsible and trustworthy participants in the future financial ecosystem. The fight against money laundering is a never-ending journey. As a licensed exchange, one faces various risks, including legal compliance and anti-money laundering regulatory requirements, technology and security, market and operations, asset and management, strategy, and public relations. The key points of anti-money laundering risk management discussed in this article lie in the continuous adherence to evolving global and local regulatory requirements.