Anti-money laundering (AML) in cryptocurrency refers to the interconnected legal, institutional, and technological framework for preventing bad actors from using crypto to launder illicit funds, finance terrorism, or evade sanctions. Regulators worldwide classify most centralized crypto exchanges, custodians, and brokers as “virtual asset service providers” (VASPs) subject to the same AML obligations as traditional financial institutions. AML compliance is one of the most consequential and contested areas of crypto regulation, with enormous impact on which platforms survive, which users can access them, and crypto’s relationship with the broader financial system.
Money Laundering Fundamentals
Traditional money laundering follows three stages:
- Placement: Introducing illicit funds into the financial system
- Layering: Obscuring the trail through complex transactions
- Integration: Funds re-enter legitimate economy appearing clean
Crypto’s properties create both risks and opportunities for AML:
- Pseudonymity makes placement easier (no bank teller to question large cash deposits)
- Programmability enables complex layering through mixers/bridges/DeFi
- Blockchain transparency enables unprecedented tracing back to origin wallets
- Immutability means all transactions are permanently recorded (unlike cash)
Regulatory Framework
The regulatory landscape breaks down as follows.
FATF (Financial Action Task Force)
- 2019: FATF classified VASPs; required KYC/AML programs for crypto exchanges globally
- Travel Rule (Recommendation 16): When a VASP sends a crypto transaction above threshold ($1,000 in US), it must transmit sender/receiver identifying information to the recipient VASP — identical to wire transfer rules
The Travel Rule is massively disruptive: blockchain transactions don’t carry identity data natively, requiring VASPs to implement overlay protocols (TRISA, Notabene, Sygna Bridge) to share information.
US Framework
- OFAC: Sanctions enforcement — exchanges must block transactions involving sanctioned individuals/addresses (e.g., Tornado Cash)
- FinCEN: Administers BSA; proposed “unhosted wallet” rules in 2020/2022 requiring identity verification for transactions to/from private wallets
EU Framework
- Transfer of Funds Regulation (TFR): EU version of Travel Rule; implemented 2023; controversially includes all transactions over €0 (no minimum threshold) to unhosted wallets
Blockchain Analytics Tools
The dominant AML monitoring approach for on-chain activity:
Chainalysis:
- Market leader; used by exchanges, governments, FinCEN, IRS, DOJ
- Clusters wallets by entity; assigns risk labels (exchange, mixer, darknet, sanctions)
- Products: Reactor (investigation), KYT (Know Your Transaction, real-time screening), Storyline
Elliptic:
- Founded in UK; similar capabilities; strong EU regulatory relationships
- Used by major European exchanges and banks
TRM Labs:
- Founded by ex-Coinbase; strong in stablecoin and cross-chain tracing
- Government contracts including OFAC enforcement
Methodology:
Analytics firms combine:
- Exchange KYC data (what wallet = what customer; shared via reports)
- On-chain clustering heuristics (UTXO co-spending, peel chains)
- Web scraping (darknet markets, mixer advertising)
- Law enforcement data sharing
Tornado Cash & Protocol Sanctions
August 2022: OFAC sanctioned Tornado Cash, an Ethereum privacy protocol, making it illegal for US persons to interact with its smart contract addresses.
Key implications:
- First time OFAC sanctioned code (open-source smart contracts), not just individuals/entities
- USDC issuer Circle froze $75,000 in USDC held in Tornado Cash contracts
- GitHub removed Tornado Cash repositories
- Developer Roman Storm arrested, Roman Semenov added to SDN list
- Led to legal challenge: Van Loon v. Dept of Treasury — appeals court ruled in 2024 that immutable smart contracts cannot be sanctioned, but mutable contracts can
This case defines the frontier of AML compliance vs. financial privacy and open-source software rights.
DeFi and AML
DeFi structures fundamentally challenge VASP-style AML:
- DEXes have no operator to file SARs or implement KYC
- Smart contracts execute automatically; no “teller” can block transactions
- Mixers and bridges obscure fund flows
Regulatory positions:
- FATF (2021): DeFi protocols “with sufficient control” by developers/governance are VASPs
- US Treasury: “sufficient indicia of control” standard — if a developer retains admin keys, they may be regulated
- EU MiCA: Requires “sufficient decentralization” before protocol escapes VASP classification
In practice: No major DEX implements KYC. Regulators focus enforcement on fiat on/off ramps (centralized exchanges).
Chainalysis Illicit Activity Data
2024 Crypto Crime Report (Chainalysis):
- Illicit transaction volume: ~$24.2B in 2023 (down from ~$39.6B in 2022) — but this is estimated minimum; actual may be higher
- ~0.34% of all crypto transaction volume was illicit in 2023 (context: dollar bills have AML compliance issues at much higher rates by value)
- Largest categories: sanctions evasion, scams, ransomware
- DeFi protocols received largest volume of illicit crypto globally
Social Media Sentiment
AML in crypto is a polarizing topic. Privacy advocates on Crypto Twitter argue that blockchain AML requirements destroy financial privacy and create surveillance infrastructure. Others counter that AML rules are necessary for institutional adoption and mainstream legitimacy. The Tornado Cash sanctions in 2022 and subsequent arrest of Alex Pertsev ignited major debate about whether code should be subject to AML law. r/CryptoCurrency discussions often split along ideological lines: cypherpunks vs. regulatory realists. The industry trend toward KYC/AML compliance is accepted as inevitable by most institutional players.
Last updated: 2026-04
Sources
- FATF — Guidance on Virtual Assets — global AML standards
- FinCEN Guidance — US AML regulatory requirements
- Chainalysis — Crypto Crime Report — annual AML/illicit flow data