AML Red Flags in Cryptocurrency: A Detection Guide
AML red flags in cryptocurrency explained: the six FATF indicator categories, detection methods, chain-analysis typologies and when to file a SAR. Read on.

An AML red flag in cryptocurrency is a warning sign in a transaction, a customer's behaviour or a counterparty that may indicate money laundering or terrorist financing. It warrants heightened scrutiny rather than proving wrongdoing. The global benchmark for these signals is the Financial Action Task Force (FATF), which groups virtual-asset red flags into six categories.
For compliance officers, MLROs and operators of a virtual asset service provider, recognising these signals is the practical core of an anti-money-laundering programme. This guide explains what AML red flags are, walks through the six FATF categories with concrete indicators, defines the chain-analysis typologies that make laundering work, sets out the tools that detect them, and closes with what to do when a red flag fires. Every category here is anchored to the FATF taxonomy and to primary sources from FATF and the US Financial Crimes Enforcement Network (FinCEN), not to a home-grown scheme.
What are AML red flags in cryptocurrency?
AML red flags in cryptocurrency are warning signs in transactions, customer behaviour or counterparties that may indicate money laundering or terrorist financing. They are risk indicators that trigger heightened scrutiny, enhanced due diligence or a regulatory report. A red flag warrants investigation; on its own, it is not proof of a crime (FATF, Virtual Assets: Red Flag Indicators).
These indicators sit inside the broader AML and KYC compliance requirements that every regulated crypto business must meet. The red flags are the detection layer: the specific patterns a firm watches for so it can decide whether to escalate, apply Enhanced Due Diligence or file a suspicious activity report with its financial intelligence unit. Used well, they turn an abstract compliance obligation into a concrete monitoring discipline.
Red flag vs proof: what a red flag does and does not mean
A red flag is a signal, not a verdict. When one fires, the correct response is to investigate further, not to assume guilt. Many legitimate customers trigger individual indicators for innocent reasons: a business with cross-border operations may transact from foreign IP addresses, and a high-net-worth client may move large sums.
What matters is the pattern. A single indicator rarely justifies a report, but a cluster of indicators, or one indicator that fits a known laundering typology, raises the case to a level where Enhanced Due Diligence or a suspicious activity report becomes appropriate. FATF frames its indicators precisely this way: as inputs to a risk-based approach to customer due diligence, not as automatic triggers (FATF report summary, Norton Rose Fulbright). Treating every flag as proof produces false positives, wastes investigator time and drives away good customers.
Who must watch for them: VASPs, CASPs and crypto MSBs
FATF designed its red-flag indicators for reporting entities: financial institutions, designated non-financial businesses and professions (DNFBPs), and virtual asset service providers (VASPs) (Norton Rose Fulbright). In the European Union the equivalent regulated actor is the crypto-asset service provider (CASP); in the United States, money services businesses (MSBs) dealing in convertible virtual currency carry the same obligations.
Whatever the label, the duty is the same: monitor activity, detect suspicious patterns and report them. If you are still deciding which authorisation your business needs, that detail sits in our crypto licensing worldwide guide. This page assumes you already hold, or are building toward, a licence and need to operationalise red-flag detection.

The FATF "Virtual Assets: Red Flag Indicators" report explained
The authoritative source for crypto AML red flags is the FATF report "Virtual Assets: Red Flag Indicators of Money Laundering and Terrorist Financing," published 14 September 2020 and based on more than 100 case studies (Sanction Scanner, Covington). The report distils those cases into six categories of indicators that reporting entities can use to identify and report potential money laundering and terrorist financing involving virtual assets.
FATF is the global standard-setter for anti-money-laundering and counter-terrorist-financing. Its guidance is non-binding in itself, but its recommendations are implemented through national law in more than 200 jurisdictions, which is why its taxonomy carries weight far beyond a single regulator. The six-category framework has become the reference point that supervisors, auditors and analytics vendors map their own indicator libraries against.
Why FATF guidance, not a single "crypto red flags" statute
There is no standalone "crypto red flags" statute anywhere. The indicators are guidance, applied under each jurisdiction's existing AML/CFT law. A VASP in Switzerland applies them within the FINMA-supervised anti-money-laundering framework; a US MSB applies them under the Bank Secrecy Act and FinCEN rules; an EU CASP applies them alongside the AML obligations that run in parallel with MiCA's CASP authorisation.
This matters for compliance teams because it means the red flags themselves are stable and global, while the reporting mechanics, thresholds and supervisory expectations are local. Adopt the FATF taxonomy as your detection backbone, then bolt your jurisdiction's specific obligations on top.
The six FATF categories of virtual-asset red flags
FATF groups virtual-asset red flags into six categories: transactions, transaction patterns, anonymity, senders or recipients, source of funds or wealth, and geographical risks (Sanction Scanner, Anaptyss). Together they cover the transaction itself, the behavioural pattern around it, the technology used to obscure it, the people behind it, where the money came from and where it is going. Each category below carries at least one concrete indicator drawn directly from the FATF framework as reconstructed from authoritative summaries of the report.
[INFOGRAPHIC 1 | six FATF category tiles | placed here, before the six H3s]
1. Transactions
This category treats the size and frequency of transactions as a suspicion signal. The headline indicator is structuring, also called smurfing: systematically breaking transfers into smaller denominations to stay below record-keeping or reporting thresholds (Norton Rose Fulbright, Anaptyss). Other transaction-level flags include multiple high-value transactions in a short window, such as a series of abrupt large transfers within 24 hours, and amounts deliberately set just under a regulatory reporting limit (Anaptyss). The pattern these share is an effort to keep individual movements small or fast enough to slip past automated controls.
2. Transaction patterns
Where the first category looks at single transactions, this one looks at the behaviour around them and compares it to the customer's profile. Classic indicators include a new user who deposits a large amount and then trades or withdraws a significant portion the same day, inconsistent with their stated profile, and the immediate withdrawal of a full balance shortly after deposit, known as pass-through behaviour (Anaptyss). Deposits that simply do not align with what the firm knows about the customer also belong here. The common thread is movement that makes no economic sense for the account in question.
3. Anonymity
This category covers technological features and behaviours that increase anonymity and break the link between sender and recipient. Indicators include the use of peer-to-peer platforms with weak or absent KYC, the use of mixers and tumblers to obscure the on-chain trail, and conversion into anonymity-enhanced cryptocurrencies (AECs), commonly called privacy coins (Norton Rose Fulbright, Sanction Scanner, Anaptyss). Using multiple virtual assets despite higher fees and with no economic rationale, and activity connected to darknet marketplaces or fraudulent schemes, also fall here. These tools are not illegal in themselves, which is exactly why they are flagged for scrutiny rather than treated as proof.
4. Senders or recipients
This category targets unusual or suspicious sender and recipient profiles. Indicators include creating separate accounts under different names or identities to circumvent limits or restrictions, incomplete or declined KYC documentation, and a mismatch between the IP addresses associated with the customer's profile and the IP addresses actually initiating transactions (Norton Rose Fulbright, Anaptyss). Transactions originating from sanctioned or flagged-jurisdiction IP addresses sit here too. These onboarding-stage signals are why robust KYC requirements for crypto exchanges are the first line of defence.
5. Source of funds or wealth
Here the focus is the origin of the money and the opacity around it. Indicators include funds linked to tainted virtual-asset addresses associated with fraud, ransomware, scams or sanctioned entities; a lack of transparency about the origin and owners of funds; and a source of wealth derived disproportionately from virtual-asset or ICO investments, or from online gambling services (Sanction Scanner, Anaptyss). A large cash-out through debit or credit cards followed by fiat conversion, with an unclear origin, is a further example. Tainted-address screening is the control that surfaces most of these.
6. Geographical risks
The final category covers the exploitation of jurisdictions with weak or absent virtual-asset controls. Indicators include using a virtual-asset exchange that is not registered or licensed in the customer's own jurisdiction, using exchanges or VASPs based in high-risk jurisdictions with weak or absent AML/CFT regulation, and establishing offices or operations in inadequately regulated jurisdictions without a rational business justification (Sanction Scanner, Anaptyss). Funds moving to or from countries with weak national virtual-asset measures complete the picture. Choosing the right home jurisdiction is itself a compliance decision, which our best countries for a crypto licence comparison addresses in depth.
Red-flag indicators at a glance (quick-reference table)
The table below consolidates each FATF category into a representative indicator and the detection signal a monitoring system typically watches for. It is a quick reference, not an exhaustive list: a mature programme maintains dozens of rules per category.
| FATF category | Example indicator | Typical detection signal |
|---|---|---|
| Transactions | Structuring below reporting thresholds | Multiple sub-threshold transfers in a window |
| Transaction patterns | Deposit then same-day withdrawal (pass-through) | Rapid in-and-out velocity vs profile |
| Anonymity | Mixer use or conversion to privacy coins | Funds routed through known mixer addresses |
| Senders or recipients | Multiple identities, IP-vs-profile mismatch | Device, IP and KYC inconsistencies |
| Source of funds or wealth | Funds from tainted or sanctioned addresses | Wallet screening hit on a tainted address |
| Geographical risks | Counterparty in a high-risk jurisdiction | Flows to or from weak-AML/CFT regimes |
Source for indicators: FATF six-category framework as summarised by Sanction Scanner and Anaptyss. No reporting thresholds are stated here because they are jurisdiction-specific.

How money is laundered in crypto: chain-analysis typologies
Red flags make far more sense once you understand the mechanics they are meant to catch. Blockchain analytics firms describe a small set of recurring typologies that move illicit value through crypto. Understanding them lets a compliance team connect an isolated indicator to a known laundering method and decide whether to escalate.
The three stages: placement, layering, integration
Money laundering follows three classic stages, and crypto is no exception. Placement introduces illicit funds into the system; layering moves them through a web of transactions to obscure their origin; integration returns them to the economy with an apparently legitimate source (Chainalysis). In crypto, layering is where most of the on-chain complexity lives, because the pseudonymous, programmable nature of blockchains offers many ways to fragment and reroute value.
Mixers and tumblers
Mixers, also called tumblers, pool funds from many users and redistribute them to break the on-chain link between sender and recipient, obscuring both origin and destination (Chainalysis). Because mixing deliberately severs traceability, mixer use is one of the strongest anonymity red flags under FATF category three. Analytics tools counter this by attributing addresses to known mixer services, so funds entering or leaving a mixer can still be flagged even when the hops between are obscured.
Peel chains
A peel chain pushes funds through a long sequence of wallets, peeling off a small amount at each hop while the main balance keeps moving (Chainalysis, Chainalysis 2024 Crypto Money Laundering Report). The technique disperses fragments across many addresses, which makes manual tracing impractical but leaves a distinctive on-chain signature that chain-analysis software is built to recognise. Spotting a peel chain usually requires automated tracing rather than human review.
[INFOGRAPHIC 2 | peel-chain dispersal diagram | placed here, inside the Peel chains H3]
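The peel-chain signature described above, as an added example (not code from the page, from FATF or from any analytics vendor): a small tracer that follows the largest output hop by hop over a constructed transaction graph and flags the path once several consecutive hops each peel off only a small share of the value. The transaction model, the `MAX_PEEL_RATIO` and `MIN_HOPS` parameters and the sample addresses are all assumptions chosen for illustration.

```python
"""Peel-chain recogniser over a constructed transaction graph.

Assumptions (illustrative model, not Chainalysis' or FATF's method): each
transaction spends one address into a list of (address, amount) outputs; a hop
counts as a 'peel' when one output carries most of the value and the rest,
at most MAX_PEEL_RATIO of the total, is peeled off to other addresses.
"""
from dataclasses import dataclass

MAX_PEEL_RATIO = 0.15   # tuning parameter: share of value peeled off per hop
MIN_HOPS = 3            # tuning parameter: hops needed before flagging


@dataclass(frozen=True)
class Tx:
    txid: str
    spender: str          # address whose balance is being moved
    outputs: tuple        # ((address, amount), ...)


def trace_peel_chain(txs, start, max_peel_ratio=MAX_PEEL_RATIO, min_hops=MIN_HOPS):
    """Follow the largest output from `start` hop by hop while each hop looks
    like a peel; stop at the first hop that does not (or at a dead end).

    Returns the hops followed, the address holding the main balance at the
    end, and the addresses and value peeled off along the way.
    """
    by_spender = {}
    for tx in txs:
        # assumption of the model: an address spends at most once
        by_spender.setdefault(tx.spender, tx)

    hops, peeled, peeled_total, visited = [], [], 0.0, set()
    cur = start
    while cur in by_spender and cur not in visited:
        visited.add(cur)
        tx = by_spender[cur]
        if len(tx.outputs) < 2:
            break                                   # nothing peeled on this hop
        total = sum(amount for _, amount in tx.outputs)
        main_addr, main_amt = max(tx.outputs, key=lambda o: o[1])
        peel_amt = total - main_amt
        if total <= 0 or peel_amt / total > max_peel_ratio:
            break                                   # an ordinary split, not a peel
        hops.append(tx.txid)
        peeled.extend(addr for addr, _ in tx.outputs if addr != main_addr)
        peeled_total += peel_amt
        cur = main_addr

    return {
        "is_peel_chain": len(hops) >= min_hops,
        "hops": hops,
        "terminal": cur,
        "peeled_addresses": peeled,
        "peeled_total": peeled_total,
    }


# Constructed sample: five peel hops (w0 -> w5), then an ordinary 50/50 split.
SAMPLE_TXS = [
    Tx("t1", "w0", (("w1", 95.0), ("p1", 5.0))),
    Tx("t2", "w1", (("w2", 91.0), ("p2", 4.0))),
    Tx("t3", "w2", (("w3", 87.0), ("p3", 4.0))),
    Tx("t4", "w3", (("w4", 84.0), ("p4", 3.0))),
    Tx("t5", "w4", (("w5", 80.5), ("p5", 3.5))),
    Tx("t6", "w5", (("m1", 40.0), ("m2", 40.5))),
]

if __name__ == "__main__":
    print(trace_peel_chain(SAMPLE_TXS, "w0"))
```

Starting the tracer at `w5` instead of `w0` returns no hops, because the 50/50 split at `t6` does not look like a peel; that is the distinction a real analytics engine draws between dispersal and ordinary spending.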
Layering via DeFi, bridges and gambling
Beyond mixers and peel chains, launderers layer funds through conversion services: swapping coins, routing value through DeFi protocols, gambling sites and cross-chain bridges (Chainalysis). Cross-chain bridges are particularly effective for obscuring trails because they move value between blockchains that analytics tools must track separately. The decentralised nature of these venues raises distinct supervisory questions, which we cover in our DeFi compliance guide.
Does public-blockchain visibility help or hinder AML?
It helps. Public blockchains record every transaction permanently and openly, so analytics tools can often trace illicit flows across many hops, attribute addresses and reconstruct laundering paths. As a result, crypto laundering is frequently more detectable than equivalent activity in traditional finance (Chainalysis). The anonymity techniques above raise the cost of tracing, but they rarely make it impossible. For a well-equipped compliance team, the transparency of the ledger is an asset, not a liability.
How crypto businesses detect red flags: tools and monitoring
Detecting red flags is a combination of technology and judgement. Each category of indicator maps to a control: anonymity flags to chain analytics, transaction and pattern flags to monitoring rules, sender and source flags to KYC and screening. A credible programme runs all of them together and feeds the output to trained human reviewers.
Blockchain and chain analytics
Blockchain analytics tools trace fund flows on-chain and attribute addresses to mixers, darknet markets, ransomware strains and sanctioned entities, surfacing peel chains and layering that manual review would miss (Chainalysis). This is the primary control for the anonymity and source-of-funds categories. Tainted-address and wallet screening against curated databases lets a firm block or escalate transactions touching known-bad addresses before they settle.
Real-time transaction monitoring and risk-based rules
Real-time transaction monitoring applies risk-based rules and thresholds to live activity, alerting on structuring, velocity spikes and pass-through behaviour (Norton Rose Fulbright). FATF's risk-based approach expects these rules to be calibrated to the firm's actual exposure, not a one-size-fits-all checklist. The rules catch most transaction and transaction-pattern red flags and should be reviewed and tuned regularly to keep false positives manageable.
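The structuring and pass-through rules named here, and in the quick-reference table above, as an added example (not a vendor rule-set or the page's own code): two risk-based rules run over a constructed ledger, each alert tagged with the FATF category it maps to. `REPORTING_THRESHOLD` is a placeholder because the real figure is jurisdiction-specific; the window lengths, the "just under" band and the withdrawal share are tuning parameters a firm would calibrate to its own exposure.

```python
"""Two monitoring rules over a constructed ledger: structuring (FATF category
1, transactions) and deposit-then-withdraw pass-through (FATF category 2,
transaction patterns). Illustrative only; all parameters are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000.0            # placeholder, not a real legal limit
STRUCTURING_BAND = 0.85                   # "just under" = at least 85% of threshold
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3
PASS_THROUGH_WINDOW = timedelta(hours=24)
PASS_THROUGH_SHARE = 0.80                 # at least 80% of a deposit leaves again


@dataclass(frozen=True)
class Event:
    customer: str
    ts: datetime
    kind: str        # "deposit" or "withdrawal"
    amount: float


def _by_customer(events):
    groups = defaultdict(list)
    for e in events:
        groups[e.customer].append(e)
    return {c: sorted(evs, key=lambda e: e.ts) for c, evs in groups.items()}


def detect_structuring(events):
    """Flag N or more withdrawals, each just under the threshold, inside one rolling window."""
    alerts = []
    for cust, evs in _by_customer(events).items():
        outs = [e for e in evs if e.kind == "withdrawal"
                and STRUCTURING_BAND * REPORTING_THRESHOLD <= e.amount < REPORTING_THRESHOLD]
        start = 0
        for end in range(len(outs)):
            while outs[end].ts - outs[start].ts > STRUCTURING_WINDOW:
                start += 1                      # slide the window forward
            if end - start + 1 >= STRUCTURING_MIN_COUNT:
                total = sum(e.amount for e in outs[start:end + 1])
                alerts.append({"customer": cust, "fatf_category": "Transactions",
                               "rule": "structuring",
                               "detail": f"{end - start + 1} sub-threshold withdrawals totalling {total:.0f}"})
                break                           # one alert per customer is enough here
    return alerts


def detect_pass_through(events):
    """Flag a deposit of which most is withdrawn again within the window."""
    alerts = []
    for cust, evs in _by_customer(events).items():
        for dep in (e for e in evs if e.kind == "deposit"):
            out = sum(e.amount for e in evs if e.kind == "withdrawal"
                      and dep.ts <= e.ts <= dep.ts + PASS_THROUGH_WINDOW)
            if dep.amount > 0 and out / dep.amount >= PASS_THROUGH_SHARE:
                alerts.append({"customer": cust, "fatf_category": "Transaction patterns",
                               "rule": "pass_through",
                               "detail": f"{out / dep.amount:.0%} of a {dep.amount:.0f} deposit withdrawn within 24h"})
                break
    return alerts


def run_rules(events):
    return detect_structuring(events) + detect_pass_through(events)


# Constructed sample ledger (amounts and customers are made up).
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_EVENTS = [
    # c1: deposit, then three withdrawals just under the threshold within six hours
    Event("c1", T0, "deposit", 30_000.0),
    Event("c1", T0 + timedelta(hours=1), "withdrawal", 9_500.0),
    Event("c1", T0 + timedelta(hours=3), "withdrawal", 9_800.0),
    Event("c1", T0 + timedelta(hours=6), "withdrawal", 9_200.0),
    # c2: deposit, then 90% withdrawn the same day
    Event("c2", T0, "deposit", 50_000.0),
    Event("c2", T0 + timedelta(hours=5), "withdrawal", 45_000.0),
    # c3: benign; the withdrawal is small relative to the deposit and not in the band
    Event("c3", T0, "deposit", 20_000.0),
    Event("c3", T0 + timedelta(hours=23), "withdrawal", 2_000.0),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Customer c1 trips both rules, which is the cluster-of-indicators situation the guide describes as the point at which escalation becomes appropriate, while c3 trips none.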
KYC, CDD and Enhanced Due Diligence (EDD)
Know-your-customer and customer due diligence controls handle the people behind the transactions. Strong onboarding verifies identity, runs IP-versus-profile checks and screens against sanctions and politically exposed person (PEP) lists (Norton Rose Fulbright, Anaptyss). Enhanced Due Diligence applies a deeper level of investigation to high-risk customers, PEPs, high-risk jurisdictions and irregular transaction patterns. Together these controls catch the sender, recipient and onboarding red flags and form the basis of a defensible compliance file.
The Travel Rule and counterparty checks
FATF Recommendation 16, the Travel Rule for virtual assets, requires originator and beneficiary information to travel with VASP-to-VASP transfers. That counterparty data feeds directly into source-of-funds and counterparty red-flag checks, letting a firm assess who it is actually transacting with. Building the Travel Rule into your monitoring stack closes a gap that pure on-chain analysis cannot. For the mechanics and compliance scope, see our guide to the crypto Travel Rule.
Have questions about building red-flag monitoring into your AML programme? Book a free 15-minute discovery call with our crypto-licensing experts. No commitment, just clarity. Book a Call
When a red flag fires: filing a SAR or STR
Detection is only half the obligation. When red flags indicate possible money laundering or terrorist financing, a reporting entity must escalate and, where the suspicion holds, file a report with its national financial intelligence unit (FIU). The workflow below is the general shape; the exact mechanics depend on your jurisdiction.
- Detect and review. A monitoring rule, analytics hit or KYC mismatch raises an alert; a trained analyst reviews it against the customer profile and recent activity.
- Investigate. Gather context, run additional chain analytics, apply Enhanced Due Diligence if the customer is high-risk, and decide whether the suspicion is supported.
- Decide. If red flags indicate possible ML/TF under a risk-based approach, escalate to the MLRO or nominated officer for a reporting decision (Norton Rose Fulbright).
- File. Submit a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) to the national FIU, following its format and field requirements.
- Record and monitor. Keep a full audit trail and continue monitoring the customer, as filing a report does not by itself end the relationship.
When you must report
You must report when red flags, individually or in combination, indicate possible money laundering or terrorist financing, applying the risk-based approach FATF sets out (Norton Rose Fulbright). The threshold is suspicion, not certainty: you do not need to prove a crime to file, and in most regimes failing to report a reasonable suspicion is itself an offence. The judgement call belongs to your nominated officer, supported by the investigation file.
FinCEN as a concrete example: CVC and ransomware advisories
FinCEN, the US financial intelligence unit, illustrates how a regulator operationalises crypto red flags. Its ransomware advisory, updated 8 November 2021 (CYBER-FIN-2020-A006), lists convertible-virtual-currency (CVC) red flags, such as a customer's address or a counterparty address appearing in analyses linked to a ransomware strain, and instructs filers to reference the advisory key term in SAR field 2 and select the Cyber-event SAR fields (FinCEN ransomware advisory). The earlier advisory FIN-2019-A003, issued 9 May 2019, sets out CVC red flags and the obligations of money services businesses (FinCEN advisory FIN-2019-A003). These are the concrete primary examples of red-flag-to-report mechanics.
Reporting in Switzerland (MROS / FINMA framework)
In Switzerland, virtual-asset businesses report suspicious activity within the FINMA-supervised anti-money-laundering framework, with the Money Laundering Reporting Office Switzerland (MROS) acting as the national financial intelligence unit. The exact report format, the deadlines and the precise FINMA obligations for VASPs depend on your authorisation and your self-regulatory organisation membership. Rather than restate them imprecisely here, we cover the Swiss reporting channel in our AML and KYC compliance requirements guide and confirm the specifics directly for each client. [VERIFY: MROS report format and FINMA AMLA VASP obligations not yet researched; keep this section generic until confirmed against a dedicated Swiss AML source.]
Red-flag detection best practices for VASPs
The firms that detect laundering reliably combine technology with human judgement and keep both adaptive. A few principles hold across jurisdictions and business models.
- Adopt the FATF six-category taxonomy as your detection backbone, then map your monitoring rules to it so coverage is auditable.
- Combine analytics, monitoring and KYC with human review. No single tool catches everything; layered controls plus trained reviewers reduce both false positives and missed cases.
- Keep rules adaptive. Laundering typologies evolve, so review and retune monitoring rules and risk scores regularly rather than setting them once.
- Train staff and share information. Frontline and compliance teams need to recognise emerging patterns, and information sharing across the industry strengthens everyone's detection.
- Document everything. A clear audit trail from alert to decision is what stands up to a supervisor.
These habits are the operational core of any serious programme. If you are designing yours from scratch, the structured path is in our guide to build an effective AML program. For the wider enforcement context shaping how regulators expect firms to act, see the latest SEC enforcement guidance and our crypto regulation news and analysis.
From our practice
In our advisory work helping VASPs and CASPs design and document their AML programmes, the recurring lesson is the same: the firms that pass supervisory review are the ones that can show their work. A red flag that fires, gets reviewed, gets a documented decision and, where warranted, gets reported, is worth far more to a regulator than a long rule list that nobody acts on. We focus client programmes on that audit trail, mapping each control to a FATF category so that, when an examiner asks how a given indicator is covered, there is a clear answer. We do not publish detection rule-sets or volume figures, because effective monitoring is calibrated to each firm's exposure, not copied from a template.
Frequently asked questions
What are AML red flags in cryptocurrency?
Warning signs in transactions, customer behaviour or counterparties that may indicate money laundering or terrorist financing. They warrant heightened scrutiny rather than proving wrongdoing, and they feed a firm's decision to apply Enhanced Due Diligence or file a suspicious activity report with its financial intelligence unit.
What are the six FATF categories of virtual-asset red flags?
The six FATF categories are transactions, transaction patterns, anonymity, senders or recipients, source of funds or wealth, and geographical risks. They were set out in FATF's September 2020 "Virtual Assets: Red Flag Indicators" report, which was based on more than 100 money-laundering and terrorist-financing case studies.
Which transaction patterns most often trigger crypto AML red flags?
The most common triggers are structuring transfers below reporting thresholds, rapid in-and-out or pass-through activity where funds are withdrawn soon after deposit, and high transaction velocity that is inconsistent with the customer's known profile. Each suggests an effort to move value while evading monitoring.
Are mixers and privacy coins automatically a red flag?
No. Mixers, tumblers and privacy coins are anonymity-enhancing technologies that raise risk and warrant scrutiny, but they signal heightened risk rather than automatic guilt. They fall under FATF's anonymity category and should prompt investigation and Enhanced Due Diligence, not an immediate assumption that a crime has occurred.
What is structuring (smurfing) in crypto?
Structuring, also called smurfing, means breaking a single transfer into smaller amounts so each one stays under a record-keeping or reporting threshold. The aim is to avoid the controls that larger transactions would trigger. FATF lists it under the transactions category as a core red-flag indicator.
What is a peel chain and how is it detected?
A peel chain is a long sequence of wallets that peels off a small amount of value at each hop while the main balance keeps moving on. It disperses laundered funds across many addresses. Blockchain analytics tools detect it by tracing the chain and recognising its distinctive on-chain pattern.
How do blockchain analytics tools detect money laundering?
They trace fund flows on-chain and attribute addresses to mixers, darknet markets, ransomware strains or sanctioned entities. Because public blockchains record transactions permanently, analytics can often reconstruct laundering paths across many hops, making crypto laundering more detectable than equivalent activity in traditional finance.
When must a crypto business file a SAR or STR?
A crypto business must file when red flags indicate possible money laundering or terrorist financing. It reports to its national financial intelligence unit under a risk-based approach. The threshold is reasonable suspicion, not proof, and in most regimes failing to report a genuine suspicion is itself an offence.
Which jurisdictions count as high geographical risk?
Jurisdictions with weak or absent virtual-asset AML/CFT regimes count as high geographical risk, as do places where a business operates without rational justification through inadequately regulated venues. FATF lists flows to or from countries with weak national virtual-asset measures among its geographical red-flag indicators.
What customer behaviours are red flags at onboarding?
Onboarding red flags include creating multiple accounts or identities to evade limits, declined or incomplete KYC documentation, and a mismatch between the customer's stated profile and the IP address initiating transactions. These fall under FATF's senders-or-recipients category and are caught by strong identity verification.
When is Enhanced Due Diligence (EDD) required?
Enhanced Due Diligence is required for higher-risk relationships: high-risk customers, politically exposed persons (PEPs), customers connected to high-risk jurisdictions and accounts showing irregular transaction patterns. EDD applies a deeper level of investigation and ongoing monitoring than standard customer due diligence, and underpins a defensible compliance file.
How does the FATF Travel Rule relate to red-flag monitoring?
The Travel Rule, FATF Recommendation 16 for virtual assets, requires originator and beneficiary information to accompany VASP-to-VASP transfers. That counterparty data feeds the source-of-funds and counterparty red-flag checks, letting a firm assess who it is transacting with and surface risks that on-chain analysis alone would miss.
Does public blockchain visibility help or hinder AML?
It helps. Public blockchains record every transaction permanently and openly, so analytics tools can trace many laundering flows across multiple hops and attribute addresses. As a result, crypto laundering is often more detectable than in traditional finance, even though mixers and privacy coins raise the cost of tracing.
What is the difference between a SAR and an STR?
Both a Suspicious Activity Report (SAR) and a Suspicious Transaction Report (STR) are reports of suspected illicit activity filed with a financial intelligence unit. SAR is the common term in the United States under FinCEN, while STR is used in many other regimes. The underlying obligation to report a reasonable suspicion is the same.
What does the FinCEN ransomware advisory say about crypto red flags?
FinCEN's ransomware advisory lists convertible-virtual-currency red flags, for example a customer or counterparty address appearing in analyses linked to a ransomware strain. It instructs filers to reference the advisory key term in SAR field 2 and to select the Cyber-event SAR fields, providing a concrete model of red-flag-to-report mechanics.