On March 7, the Financial Crimes Enforcement Network (FinCEN) issued an alert urging financial institutions to be more vigilant against possible evasion of Russian sanctions. FinCEN’s alert also lists reporting obligations under the Bank Secrecy Act (BSA) and 11 “red flags.” Six of them involve cryptoassets, referred to there as convertible virtual currencies (CVCs). The alert states:
“It is critical that all financial institutions, including those with visibility into CVC flows, such as CVC exchangers and administrators – generally considered money services businesses (MSBs) under the BSA – identify and quickly report suspicious activity associated with potential sanctions evasion, and conduct appropriate risk-based customer due diligence or, where necessary, enhanced due diligence.”
Below are the six FinCEN red flags that specifically concern cryptoassets, along with a summary of how Elliptic’s products address each of them. The red flags are divided between those related to sanctions evasion and those related to possible ransomware attacks or other cybercrime.
Red flags related to evasion of sanctions using CVC
Customer’s transactions are initiated from, or sent to, the following types of Internet Protocol (IP) addresses: non-trusted sources; locations in Russia, Belarus, jurisdictions identified by the FATF as having AML/CFT/CP deficiencies, and comprehensively sanctioned jurisdictions; or IP addresses previously flagged as suspicious.
Sanctions are a foreign policy tool that restricts economic activity with a region, ranging from financial exchange and travel to imports and exports. These measures are applied against countries – such as Russia – or groups that undermine a nation’s political and national security interests. They can target specific people, banks or entire regions. In the case of the US, doing any business or trade with any of the 19 sanctioned countries is illegal and carries serious risk.
The Financial Action Task Force (FATF) has also identified several regions with deficiencies in anti-money laundering (AML), counter-financing of terrorism (CFT) and counter-proliferation (CP) protocols. Only some of these countries have committed to improving their compliance regimes under the FATF guidelines. Although not illegal, interacting with these regions can expose financial institutions to excessive risks, so it should be done with great caution.
Internet Protocol (IP) addresses are numerical labels that identify a device on a network. The IP address of a device connected to the Internet can also be used to estimate its geographic location. Elliptic’s country risk rules allow users to quickly identify wallets and transactions occurring in a sanctioned region, in a high-risk region, or from a device that has been flagged as suspicious. These geographic insights help prevent transactions that may be high-risk or illegal.
Customer transactions are linked to CVC addresses listed on OFAC’s list of Specially Designated Nationals and Blocked Persons.
The United States Treasury’s Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals and Blocked Persons (SDN) list. This includes “individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups and entities, such as terrorists and narcotics traffickers, who are designated under the non-country-specific program.” US entities are prohibited from doing business with people or organizations on the SDN list. In recent years OFAC has also added specific crypto wallet addresses to this list.
OFAC currently does not apply fuzzy logic when the SDN list is queried for crypto wallet addresses, so only exact matches will return a result. Although all the information in this list is publicly available, it is impractical to check it manually.
Elliptic’s tools can automatically scan and identify whether a wallet address matches an address on OFAC’s SDN list, causing risk rules to be triggered. These risk rules allow users to prevent or block any transaction involving a sanctioned wallet address.
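Exact-match screening of wallet addresses against SDN-style “Digital Currency Address” entries, as an added example written for this page rather than code from Elliptic or OFAC. It assumes a constructed list (the ID-type labels follow the shape of the published list, but every address is a made-up placeholder) and adds a minimal backwards trace over a constructed transfer list to show why exact matching alone only catches direct exposure.

```python
import re

# Constructed sample of SDN ID entries in the shape the published list uses
# ("Digital Currency Address - <ticker>" plus the address). Every address
# below is a made-up placeholder, not a real designated address.
SDN_ID_ROWS = [
    ("EXAMPLE ENTITY A", "Digital Currency Address - XBT", "1ExampleSdnBtcAddrPlaceholder0001"),
    ("EXAMPLE ENTITY A", "Digital Currency Address - ETH", "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"),
    ("EXAMPLE ENTITY B", "Digital Currency Address - XBT", "bc1qsdnexamplepla3ch0ld3r"),
]

ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(addr: str) -> str:
    """Canonical form for exact-match screening.
    OFAC applies no fuzzy logic to addresses, so the only tolerance added is
    case folding where the format itself is case-insensitive: EIP-55 Ethereum
    addresses (the mixed case is only a checksum) and bech32 'bc1' addresses.
    Base58 Bitcoin addresses (1... / 3...) are case-sensitive and must match
    byte for byte.
    """
    a = addr.strip()
    if ETH_RE.match(a) or a.lower().startswith("bc1"):
        return a.lower()
    return a

SDN_INDEX = {normalize(addr): (name, id_type) for name, id_type, addr in SDN_ID_ROWS}

def screen_direct(addr: str):
    """Return (listed name, ID type) on an exact match, else None."""
    return SDN_INDEX.get(normalize(addr))

def screen_exposure(addr: str, transfers, max_hops: int = 2):
    """Trace incoming transfers back up to max_hops over (from, to) edges and
    report the first listed address found, with hop count and path.
    Exact matching alone only catches the direct case; this is a minimal
    illustration of indirect exposure, not Elliptic's tracing method."""
    start = normalize(addr)
    frontier = {start: [start]}
    for hop in range(1, max_hops + 1):
        nxt = {}
        for node, path in frontier.items():
            for src, dst in transfers:
                s = normalize(src)
                if normalize(dst) != node or s in path:
                    continue
                if s in SDN_INDEX:
                    return {"hops": hop, "listed": s, "path": [s] + path}
                nxt[s] = [s] + path
        frontier = nxt
    return None
```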
The customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction with AML/CFT/CP deficiencies – specifically for CVC entities and activities – including inadequate know-your-customer (KYC) or customer due diligence (CDD) measures.
Measures such as CDD or KYC protect financial institutions from engaging in fraudulent or illegal activities by imposing a certain degree of certainty that the customer is who they say they are. These identity verification rules are an essential part of any AML/CFT regime.
AML/CFT regulation varies by jurisdiction or region. To account for these regional differences, the FATF has identified several countries whose anti-money laundering and terrorist financing controls are considered insufficient, and engagements with them are inherently riskier.
Some of these countries have “committed to or are actively working with the FATF to address these deficiencies”, while all of them call for “enhanced due diligence, i […] countermeasures to protect the international financial system from money laundering, terrorist financing and proliferation financing risks arising from identified countries”.
US-based financial institutions may use discretion based on risk tolerance, but engaging with these AML/CFT deficient Virtual Asset Service Providers (VASPs) or Money Service Businesses (MSBs) requires enhanced due diligence checks.
Elliptic’s Discovery tool contains detailed information on more than 1000 VASPs worldwide – profiling their regulatory compliance, AML/KYC programs, areas of operation and blockchain activity. This information is displayed to guide users before they engage directly with a VASP.
Red flags associated with possible ransomware attacks and other cybercrime
The customer receives CVCs from an external wallet and immediately initiates multiple, high-speed trades between multiple CVCs with no apparent business purpose – followed by an off-platform transaction. This may indicate attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
Multiple crypto transactions in rapid succession – often referred to as peeling chains – are a typical transaction pattern associated with money laundering or illicit activity. In each successive transaction, a small amount of cryptoassets is “peeled” off and sent to another wallet. These patterns are used to obscure or distract from the direction in which the assets are moving.
For a financial institution or VASP, peeling chains are a significant indicator of suspicious activity – triggering suspicious activity reporting obligations. Elliptic co-founder and chief scientist Tom Robinson recently wrote a blog post about the 2016 Bitfinex hack, where peeling chains were one of the methods used to launder the stolen funds.
Using Elliptic’s Forensics software, peeling chains and other laundering typologies can be easily identified and tracked. Robinson’s blog post expands on this by explaining that “Elliptic has developed automated tracking techniques that can determine within milliseconds the ultimate source or destination of funds at an address, regardless of the number or complexity of transactions used by the launderer.”
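A detection rule for the sequence this red flag describes (external deposit, burst of cross-asset trades, off-platform withdrawal), run over a constructed customer ledger. This is an added example written for this page, not Elliptic’s rule set; the thresholds, event fields and timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime            # time of the event
    kind: str               # "deposit", "trade" or "withdrawal"
    asset: str              # asset received, or asset bought in a trade
    external: bool = False  # deposit from / withdrawal to an off-platform wallet

def rapid_trade_layering(events, min_trades=3, min_assets=2,
                         window=timedelta(minutes=30)):
    """Flag: external deposit -> burst of cross-asset trades -> external withdrawal.
    Heuristic written for this example (not Elliptic's rule set). After each
    external deposit, count trades inside `window`; a hit needs at least
    `min_trades` trades across `min_assets` distinct assets, closed by an
    off-platform withdrawal, which is the sequence FinCEN describes.
    """
    ev = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, dep in enumerate(ev):
        if dep.kind != "deposit" or not dep.external:
            continue
        trades, assets = 0, set()
        for e in ev[i + 1:]:
            if e.ts - dep.ts > window:
                break  # window closed without an off-platform exit
            if e.kind == "trade":
                trades += 1
                assets.add(e.asset)
            elif e.kind == "withdrawal" and e.external:
                if trades >= min_trades and len(assets) >= min_assets:
                    hits.append({"deposit_ts": dep.ts, "trades": trades,
                                 "assets": sorted(assets), "exit_ts": e.ts})
                break
    return hits

# Constructed sample ledger for one customer (timestamps and assets made up).
T0 = datetime(2022, 3, 7, 12, 0)
SAMPLE = [
    Event(T0, "deposit", "BTC", external=True),
    Event(T0 + timedelta(minutes=2), "trade", "ETH"),
    Event(T0 + timedelta(minutes=4), "trade", "USDT"),
    Event(T0 + timedelta(minutes=5), "trade", "XMR"),
    Event(T0 + timedelta(minutes=9), "withdrawal", "XMR", external=True),
    # Benign pattern: deposit held for hours, one trade, internal withdrawal.
    Event(T0 + timedelta(hours=5), "deposit", "BTC", external=True),
    Event(T0 + timedelta(hours=7), "trade", "ETH"),
    Event(T0 + timedelta(hours=8), "withdrawal", "ETH"),
]
```

The second deposit in the sample is not flagged because its trade and withdrawal fall outside the window and the withdrawal stays on-platform.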
The customer initiates a transfer of funds that involves a CVC mixing service.
A crypto mixer is a tool that pools all the funds sent to it into one pot. Mixing services are often used to clean laundered or stolen assets – making it much harder to identify their source. Like peeling chains, mixers are another indicator that illicit activity may have occurred. While privacy has long been a value espoused by the crypto community, these obfuscation methods deserve close attention for AML/CFT compliance.
Elliptic has identified and labeled more than 100 entities within the specific category of “mixers”. Using Elliptic’s Lens or Navigator tools, wallet addresses or transactions with exposure to mixers at any point will trigger an automatic risk alert. Insights from these tools allow users to quickly decide whether this is a wallet or counterparty they want to deal with.
The customer has direct or indirect exposure to receiving a transaction that blockchain monitoring software identifies as related to ransomware.
Without implementing blockchain forensics technology, it can be challenging to determine whether funds are coming directly or indirectly from a ransomware attack. Elliptic’s clients are empowered to determine their own risk appetite, which may vary by industry or jurisdiction. Even for the most risk-tolerant financial institution or VASP, handling funds associated with a ransomware attack is an absolute non-starter and should be blocked as soon as possible.
Elliptic has successfully identified several wallets associated with major ransomware attacks, including the Colonial Pipeline attack conducted by the DarkSide group.
Using Elliptic’s Lens or Navigator tools, users can quickly identify whether a wallet or transaction is linked to a Russian ransomware attack. Regardless of how many obfuscation methods are applied or how indirect the ransomware exposure is, Elliptic’s software will be able to identify this correlation and eliminate the possibility of exposure to these illicit means.