red 
While transaction data on the blockchain is transparent, immutable and publicly available, the identities of wallet owners remain private. It is challenging to even know whether the owner of the wallet is an individual or a legal entity. This is known as the pseudonymous nature of the blockchain.
Blockchain analytics overcome this pseudonymity by helping users identify the ownership or control of wallets by illegal actors and their interactions with other wallets and transactions on the blockchain. This enables Regulated Virtual Asset Service Providers (VASPs) to comply with Anti-Money Laundering and Anti-Terrorist Financing (AML/CFT) requirements.
In response to the general traceability of most tokens, cryptoasset enthusiasts—especially those concerned about the privacy of their on-chain transactions—have begun using various ways to increase their anonymity on the blockchain. These include the use of cloaking services – such as mixers, glasses and privacy wallets – and privacy coins. Unfortunately, criminals also turn to using such methods to hide their illegal activities and avoid detection by law enforcement.
Mixers and privacy wallets
As noted in Elliptic’s report on typologies, mixing services add privacy and opacity to an otherwise highly transparent crypto ecosystem. By aggregating and redistributing cryptoassets among many users, these services break the end-to-end chain of custody around blockchain transactions.
Mixers – also known as tumblers – play a vital role in money laundering due to their ability to disguise crypto-asset transaction flows. Criminal use of such services is generally associated with a small number of mixers, whose creators in some cases advertise themselves as dark web providers, cybercriminals, and other illegal actors.
Mixer transactions also pose a risk of sanctions as they are increasingly used by state actors in Russia and North Korea to finance terrorism and weapons proliferation. Elliptic’s research shows that Tornado Cash, a popular decentralized mixer, has been used to launder as much as $1.5 billion by criminal actors, roughly a third of which was Lazarus Group funds.
Over the past two years, privacy wallets – such as Wasabi Wallet – have also become a more important way for criminals to launder money. They use built-in anonymization techniques such as CoinJoin to achieve a mixing effect that hides the source of a user’s funds and prevents proper user analysis.
Another popular Bitcoin privacy wallet – Samourai – allows users to add additional history hops to their transactions using a technique known as Ricochet. This technique helps users hide their tracks on the blockchain and avoid detection of illicit interactions by VASPs using block analysis tools that are limited in the number of intermediary wallets or addresses they can examine.
Coin Privacy and Hop Chain
Privacy coins – such as Monero, Dash, Zcash and Litecoin – have recently featured in high-profile criminal cases. Elliptic’s research found that most darknet markets – including the now-defunct AlphaBay – accept Monero payments for goods and services. Recent sanctions by the US Treasury’s Office of Foreign Assets Control (OFAC) also highlight how cybercriminals are using privacy coins as part of their operations.
However, not all privacy coins present the same level of money laundering and terrorist financing (ML/TF) risk. Some like Monero remain impervious to blockchain analytics, while others like Zcash and Litecoin are not. Because they don’t provide privacy features like Monero does, users of blockchain analytics can check unprotected transactions for interactions with illegal actors – much like they would with other non-privacy coins.
A common typology used by criminal actors in conjunction with privacy coins is to move value between different cryptoassets and blockchains as a way to hide the flow of funds. This is an emerging risk known as the “jump chain” highlighted by the Financial Action Task Force (FATF) in 2022.
In particular, this activity has increased dramatically in recent years due to the growth of decentralized exchanges (DEX) and “coinswap” services that require little or no know-your-customer (KYC) checks for crypto-to-crypto or peer-to-peer transactions.
Law enforcement actions
The increased PN/TF risks posed by obfuscation methods have not gone unnoticed by regulators and law enforcement agencies.
In May 2022, OFAC sanctioned Blender.io, a blending service frequently used by the Lazarus Group—a sanctioned North Korean-sponsored cybercrime organization—to launder Bitcoin. For example, Elliptic’s analysis found that the Lazarus Group laundered more than $20.5 million worth of Bitcoin through Blender.io following the March 2022 hack of Ronin Bridge – a decentralized finance (DeFi) service linked to a popular blockchain-based game. Axie Infinity – resulting in the theft of more than $540 million.
In August of the same year, OFAC sanctioned Tornado Cash for being used by criminals to facilitate the mixing of transactions on Ethereum and other DeFi blockchains. By imposing such sanctions, OFAC prohibited US persons – including VASPs – from processing mixer transactions at the risk of serious consequences such as fines and imprisonment.
Regulatory development
Regulators have also begun to crack down on the use of hazing methods by licensed VASPs in their jurisdictions.
In February 2023, the Virtual Assets Regulatory Authority (VARA) banned “the issuance of anonymity-enhanced cryptocurrencies and all VA activities[ies] associated with them” in Dubai.
VARA defined such cryptocurrencies as “a type of virtual asset that prevents transaction tracking or ownership records through distributed public ledgers and for which VASP has no mitigation technologies or mechanisms to enable ownership tracking or identification.” While the ban may not apply to cryptoassets whose privacy features are optional, others like Monero – where all transactions are protected – will be caught.
In May 2023, the Monetary Authority of Singapore (MAS) issued a consultation that included a proposal to expand existing data collection requirements to improve oversight of the crypto-asset sector. In particular, the MAS will require regular reporting of statistical data on VASPs’ exposure to anonymity-enhancing technologies or mechanisms to monitor the PN/TF risk profile of licensed VASPs.
Explaining its reasoning, MAS stated that transactions involving such technologies pose a higher risk than PN/TF as they obscure the identity of the sender, recipient or owner of the crypto-asset and therefore the area needs to be carefully monitored.
In its AML/CFT Guidelines for its new licensing regime for virtual asset trading platforms effective June 1, 2023, the Securities and Futures Commission of Hong Kong (SFC) has determined that cryptoassets can be “traceable through anonymity-enhancing services such as mixers and tumblers and the use of other technologies or mechanisms to enhance anonymity (eg, anonymity-enhanced virtual asset or privacy coin, privacy wallet, etc.)”.
Specifically, the SFC requires VASPs to identify and assess the PN/TF risks that may arise from conducting transactions involving the use of such methods that “disguise the identity of the creator, recipient, owner or beneficial owner of a virtual asset”, and take appropriate measures to mitigate and managing identified risks – including refraining from conducting transactions if necessary.
Addressing the risks of obfuscation methods
Given the increasing regulatory scrutiny, it is critical for VASPs to implement controls to mitigate ML/TF risk due to exposure to mixers, pots, privacy wallets and privacy coins, as well as chain hops. They include:
- Wallet verification tools to identify customer withdrawal attempts to wallets associated with mixers and privacy wallets;
- Transaction monitoring tools to identify transactions exposed to mixers, privacy wallets and privacy coins;
- cross-chain and cross-asset verification tools to ensure detection of transactions involving coin exchange services and DEXs involved in potential chain hopping;
- VASP deep analysis tools to identify cryptoasset exchanges that offer coin trading in privacy; and
- policies and procedures for enhanced due diligence and KYC in higher risk scenarios involving mixers and privacy wallets – including obtaining additional information from users about the purpose and ultimate source or destination of funds.
Equally important, VASPs must be able to recognize criminal typologies and red flags involved in the use of technologies and techniques that enhance anonymity.
To learn more about them and gain actionable insights for financial crime compliance, download our Typologies Report below.
