5 new red flags for crypto transaction monitoring in 2022

February 21, 2022

Keeping up with new trends in transaction monitoring is a constant challenge. These new red flags will help you update your surveillance and monitoring protocols to keep pace with evolving trends in the cryptocurrency market.


We’ve written an article for 2023: Updated Red Flags for Improved Crypto Transaction Monitoring in 2023

Proactivity is key to successful AML compliance. There are few day-to-day compliance activities where this is more apparent than surveillance and monitoring, the process of reviewing customer transactions for potentially suspicious and/or unusual activity.

A surveillance and monitoring policy isn’t something that gets thrown into a file cabinet to collect dust. It’s a mission-critical document that details the steps an institution will take to identify and report potentially suspicious activity to the relevant authorities.

The meat and potatoes of surveillance and monitoring are the series of “red flags” that an institution uses to help identify both traditional and emerging forms of potential money laundering, fraud, or other illicit activities. 

The strength of an institution’s surveillance and monitoring capability is entirely dependent on the quality and relevance of these red flags.

While red flags may vary depending on the business model, a comprehensive and constantly updated set that leaves no stone unturned is essential whether you’re monitoring millions of transactions a day at a major crypto exchange or a handful each week when you’re just starting out as a kiosk operator with a single machine.

Like we said, an institution’s specific red flags will vary depending on the business model. If you want absolute peace of mind that your red flags are relevant and effective, then reach out to us for a free consultation.

But some red flags apply fairly universally, and when there’s been a significant enough shift in best practices or an agency like FinCEN has handed down a specific advisory about criminal activity, we’ll put together a blog post containing red flags that all crypto businesses should incorporate into their transaction monitoring in an effort to keep pace with new trends.

Remember, the following red flags aren’t going to cover all of your bases.

If you want to be as comprehensive as possible, and as comprehensive as regulators expect cryptos to be, you’ll need to do some more research and seek assistance from qualified experts.

With that said, here are 5 new red flags to add to your surveillance and monitoring protocols for 2022.

1. Ransomware

We’re putting this one right up top because FinCEN issued a specific advisory late last year warning financial institutions about an increase in ransomware payments (implementing routines to detect ransomware is also among our top recommendations for crypto compliance for this year).

Ransomware attacks, particularly those seeking cryptocurrency specifically, have increased in recent years and have broken out of financial circles into mainstream attention with both the Colonial Pipeline attack and the JBS Meat Packing Corporation attack, which threatened to disrupt already fragile supply chains during the COVID-19 pandemic.

To sharpen the point even further, in both cases, the hackers requested and were ultimately paid in bitcoin.

Needless to say, ransomware has everyone on edge right now, meaning that your transaction monitoring must be extremely vigilant for this typology.

Luckily, FinCEN has already done most of the heavy lifting for this one. On page 7 of the advisory linked above, FinCEN proffers a dozen or so red flags for financial institutions to watch for.

Do a bit of research to figure out how other cryptos have adapted this set to their business models, and you’re pretty much up to date in terms of ransomware surveillance.

2. Darknet wallet

Your blockchain analytics software should be updated in order to scan wallet addresses for potential association with the darknet.  

While there is growing interest in some quarters of crypto in privacy-enhancing technologies, and there are mainstream vendors that do offer anonymity-enhanced, or so-called “darknet,” wallets, compliance-minded cryptos need to be on the lookout for these wallet addresses.

Funds associated with a darknet wallet may merely belong to consumers with a principled interest in privacy, but the problem is that they may also belong to financial criminals (or worse). Like we’ve said time and time again, the very technology that appeals to your average consumer also appeals to your average financial criminal. 

As such, darknet wallet funds may be considered “tainted” and require further investigation before a transaction is allowed to proceed.

3. Mixer or Tumbler

This red flag is a bit of a “cousin” to the darknet red flag detailed above, but distinct enough that it warrants its own entry.

A “mixer” or “tumbler” is a service that mixes streams of potentially identifiable cryptocurrencies in order to make transactions more anonymous, and the tokens themselves harder to trace.

While, again, these services may appeal to your average consumer with an interest in privacy, they also appeal to financial criminals who have an immediate, recurring need to attempt to disguise the “paper trail” of cryptocurrency transactions.

If a wallet address potentially associated with a mixing or tumbling service appears in a transaction, then further investigation is required. 

4. Internal SAR filing

Filing a Suspicious Activity Report (SAR) is one possible next step once potentially suspicious activity is identified during the course of transaction monitoring.  

But keeping an eye out for information associated with SARs previously filed by your institution is an emerging best practice in crypto compliance.

This red flag should watch for certain details, like a phone number or wallet address, that were included in, or were the subject of, a previous SAR filing by the institution.

A match could trigger enhanced due diligence or blacklisting of a customer, depending on the facts of the case.

5. Dormant accounts

In traditional finance, accounts that do not engage in any transaction activity for a specified period of time (yet maintain a balance) are considered “dormant” and are subject to certain regulations about how they are to be maintained.

The reason is that dormant accounts are targets for hackers, identity thieves, and other forms of fraud.

If an account is transacting regularly, this signals an engaged customer aware of the financial activity of their account. But an account that hasn’t transacted for months and years may have been “forgotten about.”

The next time you see a transaction from that account, it may well be the account owner re-engaging your business. But, it could also be suspicious, and thus, more investigation is required.

How long does an account need to be “inactive” to trigger your surveillance and monitoring red flag?

Protocols for identifying and handling dormant accounts vary in traditional finance. But given the scale of financial crime within the cryptocurrency market, we typically recommend more conservative controls to business owners. If you observe no account activity for a period of 90 days, it’s worth doing a quick investigation.

BONUS: Multiple users/same wallet

We’ll throw in an extra flag for you here before we wrap up. It’s not a newer flag based on nascent trends, but it is one that we’ve noticed more frequently in independent reviews lately. 

So if you don’t have this flag implemented, make sure you do so ASAP.

Multiple users transacting cryptocurrency using a single wallet address is potentially suspicious activity that is always worth looking into. The reason is that this behavior is consistent with “smurfing.” 

Imagine low-level drug dealers attempting to launder ill-gotten gains by converting the fiat cash they gather from their sales into cryptocurrency at your kiosk. But all of these transactions go to the same wallet address, which is owned by the higher-level drug dealer in charge of the network. That’s smurfing.

This kind of activity can also be associated with other scam activity, like ransomware attacks or romance scams. If multiple victims are sending funds to the same wallet address, it will also be identifiable with this red flag. As you can see, it covers a wide variety of criminal activity.
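
The dormant-account, internal SAR and multiple-users/same-wallet flags described above can be written as rules over a transaction log. The following Python code is an added example, not BitAML's own tooling; the record layout, the sample data and the two-user threshold are assumptions, and only the 90-day window comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANCY = timedelta(days=90)   # inactivity window recommended in the article
MIN_USERS_PER_WALLET = 2        # assumption: what counts as "multiple users"

# Constructed sample data (not real customers, wallets or filings).
PRIOR_SAR_IDENTIFIERS = {"wallet:bc1-sample-ccc", "phone:+15550100"}
TRANSACTIONS = [
    # (timestamp, user_id, phone, destination_wallet)
    ("2021-09-01T10:00", "u1", "+15550111", "bc1-sample-aaa"),
    ("2022-01-10T09:30", "u2", "+15550122", "bc1-sample-bbb"),
    ("2022-01-11T14:05", "u3", "+15550133", "bc1-sample-bbb"),
    ("2022-01-15T08:00", "u1", "+15550111", "bc1-sample-aaa"),
    ("2022-01-20T16:45", "u4", "+15550100", "bc1-sample-ddd"),
    ("2022-01-21T11:20", "u2", "+15550122", "bc1-sample-bbb"),
]

def review_transactions(transactions, sar_identifiers):
    """Return (timestamp, user_id, flag) alerts in chronological order."""
    alerts = []
    last_seen = {}                    # user_id -> time of previous transaction
    wallet_users = defaultdict(set)   # wallet -> distinct users seen so far
    for ts, user, phone, wallet in sorted(transactions):
        when = datetime.fromisoformat(ts)

        # Dormant account: activity resumes after 90 days or more of silence.
        previous = last_seen.get(user)
        if previous is not None and when - previous >= DORMANCY:
            alerts.append((ts, user, "dormant_account"))
        last_seen[user] = when

        # Internal SAR match: a phone number or wallet from a prior filing.
        if (f"wallet:{wallet}" in sar_identifiers
                or f"phone:{phone}" in sar_identifiers):
            alerts.append((ts, user, "prior_sar_match"))

        # Multiple users / same wallet: consistent with smurfing.
        wallet_users[wallet].add(user)
        if len(wallet_users[wallet]) >= MIN_USERS_PER_WALLET:
            alerts.append((ts, user, "shared_wallet"))
    return alerts

if __name__ == "__main__":
    for alert in review_transactions(TRANSACTIONS, PRIOR_SAR_IDENTIFIERS):
        print(alert)
```

Each alert is a prompt for investigation, not a finding; a new account's first transaction is never treated as dormant here because there is no earlier activity to measure against.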

Key takeaways

We’re in an interesting period in the development and growth of the cryptocurrency market.

While there is a clear path to mainstream adoption, more regulatory oversight is just around the corner, and financial criminals are increasingly interested in the privacy-enhancing technologies and accessibility of crypto and are requesting it instead of other payment types.

This means that more robust transaction monitoring is required, both to keep pace with emerging typologies in financial crime, and also to more proactively and conservatively self-regulate the market to ensure fairness and protection for consumers, many of whom may be transacting crypto for the first time.

If it’s time to update your surveillance and monitoring procedures or any other part of your AML compliance program or to schedule an annual independent AML review, reach out to BitAML here.

