In the relentless cat-and-mouse game between financial investigators and digital criminals, vigilance is paramount. Recognizing suspicious indicators can make the difference between uncovering illicit activity and letting it slip through the cracks. In this article, we delve into both established and emerging indicators that investigators should be vigilant about.
User admits or makes statements about involvement in illicit activities
User shows uncommon curiosity about an exchange’s internal systems, controls and policies
User presents contradictory details about the transaction or has few details about its purpose
The purpose of the user maintaining an account with the exchange is unclear, as the account appears dormant and the user is not utilizing platform features
User does not provide information upon request
User fails to provide supporting documentation or provides misleading or inaccurate information regarding the source, use and destination of funds
User provides misleading or inaccurate information regarding purpose of transaction and relationship to counterparty
User’s portfolio only consists of privacy coins or has high value privacy coins (e.g., Monero, Dash, Zcash)
Use of privacy coins that are highly or partially anonymous (e.g., Monero, Dash, Zcash) with their privacy features enabled
User logins are from an IP address that appears to be connected to a VPN and/or The Onion Router (Tor) or similar IP anonymizers
User receives frequent deposits from gambling sites/cryptocurrency addresses followed by immediate withdrawals
User has a newly registered account
User is over-providing information or details when not necessary
User is conducting transactions of large volumes/amounts
User is conducting transactions at a high velocity that appears to be inconsistent with industry patterns or with their profile
User is operating as, or conducting transactions with, charitable organizations/nonprofits that accept cryptocurrency or fiat
User has a long period of dormancy followed by a large volume/velocity of transactions
There are frequent changes in the user’s identification information, such as home address, email address, IP address or linked bank accounts
Use of corporate vehicles (legal entities and legal arrangements) to obscure ownership, involved industries and jurisdictions
User pays, or is willing to pay, commission fees for converting (selling) cryptocurrency into fiat that are high compared to the commission fees charged by other cryptocurrency exchanges
User has sent funds to an organization that could be engaged in illicit activity, as part of a payment resulting from a scam and/or ransomware
User has deposited funds from, withdrawn to, or has a connection with an organization that is listed on U.S. Department of the Treasury’s Office of Foreign Assets Control Specially Designated Nationals and Blocked Persons List
User is a resident of the U.S. (or a similarly regulated jurisdiction) and is conducting a high frequency of transactions in a manner consistent with operating an illegal money transmitting business, with no evidence of an AML program or registration
The ultimate beneficiary and destination of outgoing funds remains unknown or is unclear
User has multiple online profiles for apparent different individuals connected to their email address or other identifying information
User is stating they obtained and/or sold a large value of cryptocurrency for cash with an unknown third party
Exchange/Trading Platform Indicators
Source of funds is an exchange that has been connected to money laundering or that law enforcement has shut down (e.g., BTC-e.com)
User abandons the account and its balance when supporting documentation and/or KYC information is requested
User operates more than one account without notifying or receiving consent from platform
User creates/operates an account on behalf of a third party without notifying or receiving consent from the platform
Funds are deposited soon after account registration and withdrawn again shortly after in the same currency without using platform features (i.e., trading/margin funding), which is consistent with using an exchange to obscure origins of funds
Outgoing funds are sent to newly created and never used cryptocurrency addresses
A registered account has an encrypted email or temporary email service (e.g., protonmail.com or tutanota.com)
Funds are deposited from or withdrawn to cryptocurrency address with direct/indirect links to known suspicious sources such as darknet marketplaces, mixing services, gambling sites, service providers, wallets known to be involved in illegal activities, and/or theft or ransomware reports
The funds in a user account have been reported stolen or otherwise reported to have been obtained illegally
User is associated or connected to an ICO that has shut down after the funds were raised, e.g., exit/Ponzi Scheme
Cryptocurrency is deposited and funds are withdrawn in fiat currency, with no other use of the platform
User requests a withdrawal to be processed unreasonably quickly or outside of terms of service agreements
There is a request from law enforcement for a user’s information as part of an investigation
User exploits technological glitches/failures to intentionally take advantage of a platform or obtain funds
User conducts transactions that are inconsistent with the user’s KYC information, transaction history and/or market trends
User conducts transactions which appear to have no economic benefit and are not consistent with reasonable trading patterns/strategies
User conducts transactions at specific times/amounts not congruent with normal industry practices and/or are unnecessarily complex
User inquires about an employee’s personal information, functions and responsibilities
User attempts to form unreasonably close relationship with employees
The platform receives unusual/demanding requests from other exchanges/vendors/service providers regarding a user’s funds held on platform
User offers bribe/tip or is willing to pay unusual fees to process transaction
User conducts trades in a way that creates a negative balance or reduces equity in one account, to increase equity or create positive balance in another account operated by the same user
User submits comments on transactions (e.g., withdrawals) that may refer to illegal or illicit activity
User receives and/or sends wires or provides information to a financial institution from high-risk jurisdictions or areas run by an unstable government
User funds their fiat account consistent with structuring in the remitting jurisdiction, e.g., in multiples of less than $10,000
User draws down their fiat account in a manner consistent with structuring in the receiving jurisdiction, e.g., in multiples of less than $10,000
Multiple third-party transactions are being transferred and accumulated into one user account
User conducts transactions of similar amounts to multiple third parties
User is being overly friendly and appreciative and showering exchange employees with compliments
User threatens legal action and/or reporting negative media to have funds unfrozen
User conducts a high volume of “off-chain” (internal) transactions with other platform users, which is consistent with attempting to obscure the origins of funds or conducting illicit activity
User of a newly opened account makes a large-value deposit as a first transaction, without first making a nominal transaction to test out the features/capabilities of the platform
Newly Identified Indicators:
While the list of suspicious indicators is extensive, here are a few newly identified red flags to consider:
Excessive Use of Privacy Coins: Beyond merely holding privacy coins, look out for users who frequently engage in transactions involving them. Criminals often use these coins to mask their tracks.
Multiple Unconnected Profiles: When one email address is linked to several unrelated user profiles, it can indicate attempts to hide connections and obfuscate activities.
Swift and Large Account Abandonment: A user suddenly abandoning an account with a significant balance upon receiving a KYC request could suggest an attempt to disappear with ill-gotten gains.
Obscure Email Services: Encrypted or temporary email services are commonly used to hide identities. Be cautious when encountering these in user registrations.
Immediate Deposit and Withdrawal: Funds deposited and withdrawn in rapid succession, without utilizing the platform's features, may signify an effort to obscure the origin of funds.
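As an added example (not code from the original article), two of the indicators above written as detection rules that run over a constructed transaction ledger: fiat deposits structured in amounts just below the $10,000 reporting figure the list mentions, and a deposit that is withdrawn in the same currency shortly afterwards without any use of platform features. The thresholds, time windows, user ids and ledger rows are assumptions chosen for illustration; a real rule set would tune them to the platform's own profile data.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One ledger row per event; "trade" marks genuine use of a platform feature.
Tx = namedtuple("Tx", "user ts kind currency amount")

# Constructed sample ledger (not real data): u1 structures fiat deposits,
# u2 passes BTC straight through, u3 trades before withdrawing.
LEDGER = [
    Tx("u1", datetime(2024, 3, 1, 10, 0), "deposit", "USD", 9800),
    Tx("u1", datetime(2024, 3, 1, 15, 0), "deposit", "USD", 9500),
    Tx("u1", datetime(2024, 3, 2, 9, 30), "deposit", "USD", 9900),
    Tx("u2", datetime(2024, 3, 1, 10, 0), "deposit", "BTC", 2.0),
    Tx("u2", datetime(2024, 3, 1, 10, 40), "withdrawal", "BTC", 1.99),
    Tx("u3", datetime(2024, 3, 1, 10, 0), "deposit", "BTC", 1.0),
    Tx("u3", datetime(2024, 3, 1, 12, 0), "trade", "BTC", 1.0),
    Tx("u3", datetime(2024, 3, 3, 12, 0), "withdrawal", "USD", 50000),
]

def structuring(rows, threshold=10000, min_count=3, window=timedelta(days=2)):
    """min_count or more fiat deposits just below the reporting threshold inside one window."""
    deps = [tx for tx in rows if tx.kind == "deposit" and tx.currency == "USD"
            and 0.7 * threshold <= tx.amount < threshold]
    for i, first in enumerate(deps):
        if sum(tx.ts - first.ts <= window for tx in deps[i:]) >= min_count:
            return True
    return False

def pass_through(rows, window=timedelta(hours=2)):
    """A deposit withdrawn in the same currency within the window with no trade in between."""
    for i, dep in enumerate(rows):
        if dep.kind != "deposit":
            continue
        for later in rows[i + 1:]:
            if later.ts - dep.ts > window or later.kind == "trade":
                break
            if (later.kind == "withdrawal" and later.currency == dep.currency
                    and later.amount >= 0.9 * dep.amount):
                return True
    return False

RULES = (("structuring", structuring), ("pass_through", pass_through))

def flag_users(ledger):
    """Map each user to the names of the rules that fired on their time-ordered rows."""
    users = defaultdict(list)
    for tx in sorted(ledger, key=lambda t: t.ts):
        users[tx.user].append(tx)
    return {user: hits for user, rows in users.items()
            if (hits := [name for name, rule in RULES if rule(rows)])}
```

Running `flag_users(LEDGER)` flags u1 for structuring and u2 for pass-through, while u3's trade between deposit and withdrawal keeps that account clear.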
Criminals are crafty and adapt over time. Here's how they can bypass established indicators:
Sophisticated Use of Mixers: As investigators grow wise to the use of privacy coins, criminals may employ cryptocurrency mixers or tumblers to further obscure the source of funds.
Multi-Profile Management: Criminals might become more sophisticated in managing multiple profiles, creating intricate webs of connections that are challenging to unravel.
Adept Use of Timing: Criminals may become adept at conducting transactions at times that mimic normal industry patterns or utilizing more complex strategies to mimic economic benefit.
The fight against digital criminals is an ever-evolving battle. It's crucial to revisit and expand upon indicators regularly. This list is not exhaustive; it's a starting point.
In the world of financial investigations, vigilance and curiosity are our greatest assets. By identifying and understanding these indicators, investigators can stay one step ahead of agile digital criminals. Remember, the battle is ongoing, and our knowledge must evolve with the adversary's tactics.