Suspicious Indicators: A Comprehensive Guide for Investigators

In the relentless cat-and-mouse game between financial investigators and digital criminals, vigilance is paramount. Recognizing suspicious indicators can make the difference between uncovering illicit activity and letting it slip through the cracks. In this article, we delve into both established and emerging indicators that investigators should be vigilant about.

General Indicators

  • User admits or makes statements about involvement in illicit activities

  • User shows uncommon curiosity about an exchange’s internal systems, controls and policies

  • User presents contradictory details about the transaction or has few details about its purpose

  • The purpose of the user maintaining an account with the exchange is unclear, as the account appears dormant and user is not utilizing platform features

  • User does not provide information upon request

  • User fails to provide supporting documentation or provides misleading or inaccurate information regarding the source, use and destination of funds

  • User provides misleading or inaccurate information regarding purpose of transaction and relationship to counterparty

  • User’s portfolio only consists of privacy coins or has high value privacy coins (e.g., Monero, Dash, Zcash)

  • Use of privacy coins that are highly or partially anonymous (e.g., Monero, Dash, Zcash), i.e., with privacy features enabled

  • User logins are from an IP address that appears to be connected to a VPN and/or The Onion Router (Tor) or similar IP anonymizers

  • User receives frequent deposits from gambling sites/cryptocurrency addresses followed by immediate withdrawals

  • User has a newly registered account

  • User is over-providing information or details when not necessary

  • User is conducting transactions of large volumes/amounts

  • User is conducting transactions at a high velocity that appears to be inconsistent with industry patterns or with their profile

  • User is operating as or conducting transactions with charitable organizations/nonprofits who accept cryptocurrency or fiat

  • User has a long period of dormancy followed by a large volume/velocity of transactions

  • There are frequent changes in the user’s identification information, such as home address, email address, IP address or linked bank accounts

  • Use of corporate vehicles (legal entities and legal arrangements) to obscure ownership, involved industries and jurisdictions

  • Paying and/or willingness to pay high commission fees for converting (selling) cryptocurrency in exchange for fiat compared to commission fees charged by other cryptocurrency exchanges

  • User has sent funds to an organization that could be operating illicit activity, as part of a payment resulting from a scam and/or ransomware

  • User has deposited funds from, withdrawn to, or has a connection with an organization that is listed on U.S. Department of the Treasury’s Office of Foreign Assets Control Specially Designated Nationals and Blocked Persons List

  • User is a U.S. resident (or resident of a similarly regulated jurisdiction) and is conducting a high frequency of transactions in a manner consistent with operating an illegal money transmitting business, with no evidence of an AML program or registration

  • The ultimate beneficiary and destination of outgoing funds remains unknown or is unclear

  • User has multiple online profiles for apparent different individuals connected to their email address or other identifying information

  • User is stating they obtained and/or sold a large value of cryptocurrency for cash with an unknown third party


Exchange/Trading Platform Indicators

  • Source of funds is from an exchange which has been connected to money laundering, or which law enforcement has shut down (e.g.,

  • User abandons account and account balance, when supporting documentation and/or KYC information was requested

  • User operates more than one account without notifying or receiving consent from platform

  • User creates/operates an account on behalf of a third party without notifying or receiving consent from the platform

  • Funds are deposited soon after account registration and withdrawn again shortly after in the same currency without using platform features (i.e., trading/margin funding), which is consistent with using an exchange to obscure origins of funds

  • Outgoing funds are sent to newly created and never used cryptocurrency addresses

  • A registered account has an encrypted email or temporary email service (e.g., or

  • Funds are deposited from or withdrawn to cryptocurrency address with direct/indirect links to known suspicious sources such as darknet marketplaces, mixing services, gambling sites, service providers, wallets known to be involved in illegal activities, and/or theft or ransomware reports

  • The funds in a user account have been reported stolen or otherwise reported to have been obtained illegally

  • User is associated or connected to an ICO that has shut down after the funds were raised, e.g., exit/Ponzi Scheme

  • Cryptocurrency is deposited and funds are withdrawn in fiat currency, with no other use of the platform

  • User requests a withdrawal to be processed unreasonably quickly or outside of terms of service agreements

  • There is a request from law enforcement for a user’s information as part of an investigation

  • User exploits technological glitches/failures to intentionally take advantage of a platform or obtain funds

  • User conducts transactions that are inconsistent with their KYC information, transaction history and/or market trends

  • User conducts transactions which appear to have no economic benefit and are not consistent with reasonable trading patterns/strategies

  • User conducts transactions at specific times/amounts not congruent with normal industry practices and/or are unnecessarily complex

  • User inquires about an employee’s personal information, functions and responsibilities

  • User attempts to form unreasonably close relationship with employees

  • The platform receives unusual/demanding requests from other exchanges/vendors/service providers regarding a user’s funds held on platform

  • User offers bribe/tip or is willing to pay unusual fees to process transaction

  • User conducts trades in a way that creates a negative balance or reduces equity in one account, to increase equity or create positive balance in another account operated by the same user

  • User submits comments for transactions (i.e., withdrawals) which may refer to illegal or illicit activity

  • User receives and/or sends wires or provides information to a financial institution from high-risk jurisdictions or areas run by an unstable government

  • User funds their fiat account consistent with structuring in the remitting jurisdiction, e.g., in multiples of less than $10,000

  • User draws their fiat account consistent with structuring in the receiving jurisdiction, e.g., in multiples of less than $10,000

  • Multiple third-party transactions are being transferred and accumulated into one user account

  • User conducts transactions of similar amounts to multiple third parties

  • User is being overly friendly and appreciative and showering exchange employees with compliments

  • User threatens legal action and/or reporting negative media to have funds unfrozen

  • User conducts a high volume of “off-chain” (internal) transactions with other platform users, which is consistent with attempting to obscure the origins of funds or conducting illicit activity

  • User of a newly opened account makes a large value deposit as a first transaction, without making a nominal transaction first to test out the features/capabilities of the platform


Newly Identified Indicators

While the list of suspicious indicators is extensive, here are a few newly identified red flags to consider:

  1. Excessive Use of Privacy Coins: Beyond merely holding privacy coins, look out for users who frequently engage in transactions involving them. Criminals often use these coins to mask their tracks.

  2. Multiple Unconnected Profiles: When one email address is linked to several unrelated user profiles, it can indicate attempts to hide connections and obfuscate activities.

  3. Swift and Large Account Abandonment: A user suddenly abandoning an account with a significant balance upon receiving a KYC request could suggest an attempt to disappear with ill-gotten gains.

  4. Obscure Email Services: Encrypted or temporary email services are commonly used to hide identities. Be cautious when encountering these in user registrations.

  5. Immediate Deposit and Withdrawal: Funds deposited and withdrawn in rapid succession, without utilizing the platform's features, may signify an effort to obscure the origin of funds.
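As an added illustration, not part of the original post, the short Python script below turns two of the indicators above into detection rules run over a constructed event ledger: the deposit-then-withdraw pass-through with no platform feature used in between (exchange list and newly identified indicator 5), and repeated fiat deposits just under the $10,000 reporting threshold (structuring). The field layout, thresholds, window sizes and sample rows are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): (timestamp, user, email, event, asset, amount)
EVENTS = [
    ("2024-01-01T10:30", "u1", "a@example.com", "deposit", "BTC", 2.0),
    ("2024-01-01T11:00", "u1", "a@example.com", "withdraw", "BTC", 2.0),
    ("2024-01-03T10:00", "u4", "b@example.com", "deposit", "USD", 9500),
    ("2024-01-04T10:00", "u4", "b@example.com", "deposit", "USD", 9800),
    ("2024-01-05T10:00", "u4", "b@example.com", "deposit", "USD", 9900),
    ("2024-01-06T10:00", "u5", "c@example.com", "deposit", "BTC", 1.0),
    ("2024-01-06T11:00", "u5", "c@example.com", "trade", "BTC", 1.0),
    ("2024-01-06T12:00", "u5", "c@example.com", "withdraw", "BTC", 1.0),
]

def _by_user(events):
    """Group events per user, sorted by time."""
    users = defaultdict(list)
    for ts, uid, _, kind, asset, amt in events:
        users[uid].append((datetime.fromisoformat(ts), kind, asset, amt))
    return {u: sorted(rows) for u, rows in users.items()}

def pass_through_accounts(events, window=timedelta(hours=24)):
    """Deposit, then withdrawal of the same asset within the window, with no platform feature used in between."""
    flagged = set()
    for uid, rows in _by_user(events).items():
        for i, (t0, kind, asset, _) in enumerate(rows):
            if kind != "deposit":
                continue
            for t1, k2, a2, _ in rows[i + 1:]:
                if t1 - t0 > window or k2 not in ("deposit", "withdraw"):
                    break  # window elapsed, or a real platform feature (e.g. a trade) was used
                if k2 == "withdraw" and a2 == asset:
                    flagged.add(uid)
                    break
    return flagged

def structuring_candidates(events, threshold=10_000, band=0.9, min_count=3, window=timedelta(days=7)):
    """Users with at least min_count fiat deposits, each just under the threshold, inside one window."""
    flagged = set()
    for uid, rows in _by_user(events).items():
        hits = [t for t, k, a, amt in rows if k == "deposit" and a == "USD" and band * threshold <= amt < threshold]
        # sliding window: any min_count consecutive qualifying deposits within `window`
        if any(hits[i + min_count - 1] - hits[i] <= window for i in range(len(hits) - min_count + 1)):
            flagged.add(uid)
    return flagged
```

On the sample ledger, u1 is flagged as a pass-through while u5 is not (a trade sits between deposit and withdrawal), and only u4 is flagged for structuring.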

Criminal Adaptations

Criminals are crafty and adapt over time. Here's how they can bypass established indicators:

  1. Sophisticated Use of Mixers: As investigators grow wise to the use of privacy coins, criminals may employ cryptocurrency mixers or tumblers to further obscure the source of funds.

  2. Multi-Profile Management: Criminals might become more sophisticated in managing multiple profiles, creating intricate webs of connections that are challenging to unravel.

  3. Adept Use of Timing: Criminals may become adept at conducting transactions at times that mimic normal industry patterns or utilizing more complex strategies to mimic economic benefit.

Revisiting Indicators

The fight against digital criminals is an ever-evolving battle. It's crucial to revisit and expand upon indicators regularly. This list is not exhaustive; it's a starting point.


In the world of financial investigations, vigilance and curiosity are our greatest assets. By identifying and understanding these indicators, investigators can stay one step ahead of agile digital criminals. Remember, the battle is ongoing, and our knowledge must evolve with the adversary's tactics.


