red 
Most criminals dealing in crypto-assets of illicit origin will eventually need to cash out those assets – either as fiat currency or into bank accounts. This function is carried out by a number of mainstream virtual property services, some of which have become household brands with their names scattered across stadiums and billboards.
Despite being theoretically hungry for choice, cryptocriminals face a problem: As anti-money laundering (AML) regulations require exchanges to verify the identity of users, remaining anonymous becomes a challenge. In a manner consistent with crime displacement effect discussed in a recent blog, criminals have therefore sought alternative means of exchanging cryptocurrencies with greater anonymity.
Fortunately for them, there is a class of virtual asset services that knowingly and willingly provide anonymous cryptocurrency exchanges. These “coin exchange services” are online or instant messaging-based services that exchange cryptocurrencies, cash or other electronic funds without requiring you to first register for an account or provide any personal documents. Despite charging a higher commission for the convenience, Elliptic’s internal analysis suggests that the popularity of these services has grown over the past decade.
As Elliptic comes “The State of Cross Crime 2023” the report details, however, many of these services pose significant sanctions and money laundering risks. While this may not be clear at face value, it means that virtual asset services or law enforcement investigators may not immediately notice any red flags if they come across such a service in a crypto investigation.
Ahead of the release of the report, this blog provides insight into five of these indicators of shady coin exchange services that are flying somewhat under the radar.
1. They try to maintain an aura of legitimacy
Take for example the following coin exchange service (anonymous). The interface appears to provide a convenient way to exchange funds held in a bank account for cryptocurrencies, and even appears to have an AML policy that users must agree to before exchanging.
Indeed, clicking on the link to its anti-money laundering policy leads to a comprehensive-looking policy that any legitimate crypto exchange would likely adhere to and would be required to do so under AML regulations. However, digging deeper into the statement reveals that it is, in fact, a copy and paste of a standard template, which is used almost word for word on eight other coin exchange services.
The AML/KYC policy text is almost exactly the same across several coin exchange services. Some also have very similar website designs to each other.
Since none of these services require any KYC information to use, including a “policy” on their website is just a token attempt to maintain an aura of legitimacy.
2. They operate through cybercriminal forums
As seen in the example of a coin exchange ad on a cybercrime forum below, most services that deal with illicit funds do not aim to hide their business goal of laundering illicit funds while exchanging them. Many of these ads are posted on the same forums that advertise dark web markets and ransomware-as-a-service. They are therefore embedded in the wider ecosystem of cybercrime.
The coin exchange service is advertised on a Russian cybercrime forum, specifically stating that it can exchange dirty crypto transactions directly from dark web markets.
Many operators not only advertise their services through illegal forums, but also use them to recruit couriers and develop a loyal customer base. They will often organize lotteries among users who comment, rate or use their service within a certain period of time – rewarding the lucky winner with a crypto asset. Others will hold contests and games among their customers. This is a strategy used by many dark web marketplaces to attract users and increase brand loyalty.
3. They nest in high-risk and sanctioned services
Most crypto exchanges manage their own hot wallets and liquidity to facilitate deposits and withdrawals. Many coin exchange services, however, do not operate independently. Instead, they hold accounts on larger exchanges and operate as a service within a service. This is often referred to as a “nested service” that runs from a “parent exchange”.
Nested services in themselves are not a red flag, and some mainstream exchanges provide nesting as a service to legitimate small businesses with virtual assets. However, since coin exchange services are often focused on a largely illegal client base, mainstream exchanges are not their safest nesting option. In this light, many coin exchange services operate on approved exchanges such as Garantex.
One example of a coin exchange service nested within Garantex is none other than the example shown above – meaning that any user who interacts with it is in violation of US sanctions. This can only be identified through blockchain analytics and crypto intelligence, as coin exchange services typically do not advertise if/where they are nested.
Again, this is an example of a serious red flag flying under the radar – illustrating the need for strong capabilities to identify and immediately assess the underlying risk of any funds going to or coming from coin exchange services.
4. Operate in high-risk jurisdictions or areas under sector sanctions
It’s no secret that most coin exchange services are located in Russia – where they serve as an attractive alternative to mainstream exchanges that have ceased operations there due to the war in Ukraine.
Moreover, many of these coin exchange services also provide cash courier services to the Russian-annexed regions of Ukraine that are subject to United States sectoral sanctions.
While some openly advertise that they operate out of such high-risk jurisdictions, others are more subtle and may reveal the nature of their business only on obscure Telegram channels. Elliptic’s crypto-intelligence capabilities actively collect this information through open source intelligence gathering, and we place risk indicators in our tools to inform users of any such risks.
Elliptic’s blockchain analytics solutions indicate that the coin exchange service is operating out of the Zaporizhia region of Ukraine.
5. They offer conversions to and from accounts with sanctioned banks
As already stated, coin exchange services do not only offer crypto conversions. They may also offer conversions to and from cash and virtual accounts, provided by financial institutions such as banks or payment processors.
Especially after Moscow’s invasion of Ukraine in February 2022, many of Russia’s largest financial institutions were placed under sanctions. Given that these coin exchange services provide exchange services for account holders at these institutions, there is an increased risk of indirectly interacting with sanctioned entities – even if they themselves do not work with the cryptoasset.
A coin exchange service that allows users to withdraw Monero directly into their account at Sberbank – a sanctioned Russian financial institution.
Addressing risks arising from coin exchange services
Coin exchange services can serve a legal audience and can be used for legitimate purposes, such as disguising crypto investment strategies from rival traders. However, these five indicators highlight the risks of financial crime and sanctions that virtual asset businesses can be exposed to without appropriate risk mitigation strategies in place.
It also indicates that law enforcement investigators can gain insight into the value by investigating the nature of the coin exchange services they encounter when tracking suspicious cryptoassets. This is especially the case when investigating where the suspect sent his funds and the likely further destinations.
Given the multiple assets that coin exchange services deal with, an effective strategy to mitigate the risk of financial crime against them requires a holistic approach to monitoring and verifying blockchain activity – so that activity across all cryptoassets involved in a given scenario is recorded. There can be several reasons why this might be necessary:
- You are investigating suspicious blockchain activity – either as a virtual asset service or as a law enforcement agency – and the suspect sent funds through or is connected to the service.
- You are a virtual funds business and your customers receive deposits into their accounts from this service – or vice versa.
- You are a virtual property business and this entity wants to partner with you.
- You are a financial service and this person wants to open a bank account with you.
Elliptical Discovery – our entity due diligence tool – can check this entity for risk factors that will inform any decisions or conclusions regarding the above. Powered by holistic technology, Discovery can assess risk across all assets an entity engages with. For example, it may provide details of:
- The jurisdiction in which the entity is located.
- Are privacy coins accepted.
- Whether the entity is involved in KYC.
- Monthly allowed/unallowed incoming and outgoing funds across multiple cryptoassets and blockchains.
The image below shows the result of a review of Elliptic Discovery’s coin exchange service. The results suggest that – given the lack of registration – this service does not operate as a legal entity, but is located outside of Russia. It also deals with privacy coins and the Russian ruble, which are increased risk factors.
Using Elliptic Discovery with Holistic enabled to review the coin exchange service.
An examination of the blockchain activity of this service reveals that it handled a significant amount of funds originating from both illegal and sanctioned entities. Specifically in September 2022, over $310,000 of incoming cryptocurrency originated from addresses listed on the US Treasury Exchange – and a similar amount from illicit sources. Elliptic Investigator shows that the sanctioned sources of these funds are Hydra, Garantex, and Secondeye Solution (a fake identity vendor that helped Russian trolls interfere in the US election).
Elliptic Discovery shows monthly cryptocurrency inflows from illicit and sanctioned sources for the coin exchange service (left), and Elliptic Investigator shows specific sanctioned entities of origin (right).
The insights provided by Elliptic Discovery are used to assess the risk of interacting with coin exchange services – or identify more information about suspects associated with them. In this case, Elliptic’s blockchain analytics solutions suggest that interacting with this service, for example, poses a significant financial crime and sanction risk for cryptoassets and blocks.
Find out more
Our upcoming report “The State of Cross Crime 2023” – itself an update of ours Inaugural publication 2022 – contains case studies of the latest cross-typologies and trends that professionals need to be aware of.
It also contains a comprehensive manual on how to use holistic blockchain analytics tools to solve cross-chain cases, often in just one or a few clicks. Pre-register here to receive a copy of the report as soon as it is published.
If you want to know more about coin exchange services, you can download our free briefing note.
Want to learn more about holistic blockchain analytics? Check it out this page or contact us for a demo.
