Money laundering is the process of making criminal funds appear legitimate. The basic goal has not changed for centuries. Criminals want to hide where the money came from, move it through different channels, and bring it back into the economy as if it came from a lawful source.
Crypto does not create money laundering by itself. However, it gives criminals new tools to move funds quickly, across borders, and through different wallets, exchanges, tokens, bridges, and decentralized platforms.
For compliance teams, this creates a major challenge. Transactions can happen at speed, wallets may not show real names, and funds can move through many layers before reaching a cash-out point. However, many public blockchains also create a permanent record. This means suspicious activity can often be traced, reviewed, and documented.
A good crypto investigator needs to understand the main laundering techniques, the warning signs, and the practical steps needed to respond.
The Three Stages of Money Laundering
Most money laundering follows three broad stages: placement, layering, and integration. These stages can look different in crypto, but the purpose is usually the same.
Placement
Placement is the point where criminal funds first enter the financial system. In traditional finance, this may involve depositing cash into bank accounts. In crypto, it may involve buying digital assets, receiving stolen crypto, using peer-to-peer trades, or moving funds into an exchange account.
For example, a criminal may use cash to buy crypto through an informal broker or peer-to-peer platform. They may also split funds into smaller amounts to avoid attention. This is often called structuring.
For compliance teams, placement risk can appear through unusual deposits, new accounts with sudden large activity, customers who cannot explain source of funds, or repeated deposits just below review thresholds.
Layering
Layering is the stage where criminals try to hide the source of the money. In crypto, this may involve moving funds through multiple wallets, swapping tokens, using bridges, interacting with decentralized finance protocols, or sending funds to services designed to break the transaction trail.
Layering is often the most complex stage for investigators. The goal is to make the funds harder to follow. A wallet may send funds to several other wallets in quick succession. The funds may then be swapped into another asset, moved across a bridge, or routed through a high-risk service.
Common red flags include rapid movement, unusual asset conversions, interaction with mixers, repeated transfers between related wallets, and activity that does not match the customer’s normal behavior.
Integration
Integration is the stage where criminal funds are brought back into the regular economy. In crypto, this may happen when someone cashes out through a centralized exchange, buys high-value assets, borrows against crypto holdings, invests in a business, or converts funds into fiat currency.
At this stage, the money may appear cleaner because it has passed through several wallets or services. However, investigators can still review the transaction history to identify earlier risk exposure.
For compliance teams, integration risk may appear when customers withdraw large amounts, liquidate crypto without clear economic reason, use funds for high-value purchases, or provide weak explanations for the origin of assets.
Mixing and Tumbling
Mixers, also known as tumblers, are services that pool crypto from different users and return funds in a way that makes the original source harder to trace.
From a compliance point of view, mixer exposure is a serious red flag. Some users may claim they use mixers for privacy, but these services are also commonly linked to laundering, fraud, ransomware, sanctions evasion, and stolen funds.
How to spot it:
Look for transactions connected to known mixer addresses or services. Blockchain analytics tools can help identify mixer exposure, but investigators should also review transaction timing, wallet behavior, and onward movement of funds.
Other warning signs include funds moving quickly after being received, broken transaction trails, multiple small transfers, and customer explanations that do not match the activity.
Chain Hopping
Chain hopping means moving funds across different blockchains or assets to make tracing more difficult. This may involve swapping one token for another, using bridges, or moving funds between centralized and decentralized platforms.
For example, funds may begin on one blockchain, move through a bridge, change into another asset, and then move to a different wallet. The purpose may be to complicate the audit trail and reduce the chance of detection.
How to spot it:
Look for rapid movement between assets, repeated bridge activity, frequent token swaps, and transactions involving privacy-focused coins or high-risk services. Chain hopping becomes more suspicious when there is no clear business reason for the activity.
Investigators should also check whether funds move shortly after a fraud event, hack, scam, or suspicious deposit. Fast movement across chains can be a sign that someone is trying to avoid being traced.
DeFi Layering
Decentralized finance can be used for legitimate activity, including lending, borrowing, staking, liquidity provision, and token swaps. However, criminals may also use DeFi to create complex transaction paths.
DeFi layering can involve moving funds through decentralized exchanges, lending platforms, liquidity pools, yield protocols, or bridges. These transactions may involve smart contracts rather than normal wallet-to-wallet transfers, which can make the activity harder to understand for beginners.
How to spot it:
Look for repeated smart contract interactions, complex flows across multiple DeFi platforms, high-value activity from new wallets, and rapid movement through swaps or bridges. It is also important to review token transfers and internal transactions, not just the main transaction summary.
Compliance teams should use blockchain analytics tools where possible because DeFi activity can involve multiple contracts and hidden flows that are difficult to review manually.
Peer-to-Peer Trading Risk
Peer-to-peer trading allows users to buy and sell crypto directly with each other. This can be legitimate. However, it can also create AML risk because the platform or seller may not fully understand the source of funds.
Criminals may use peer-to-peer channels to move funds outside normal exchange controls, avoid stronger KYC checks, or convert crypto into local currency.
How to spot it:
Watch for customers who frequently trade with unrelated wallets, use many counterparties, conduct large trades without a clear source of funds, or show activity that does not match their profile.
Other red flags include repeated deposits from high-risk wallets, unusual payment methods, inconsistent customer explanations, and sudden increases in transaction volume.
Structuring and Smurfing
Structuring means breaking large amounts into smaller transactions to avoid detection. In crypto, this may involve many small deposits, withdrawals, or transfers across different wallets.
A customer may send multiple transactions just below internal review limits. They may also use several wallets to create the appearance of unrelated activity.
How to spot it:
Look for repeated transactions just below thresholds, several wallets sending funds to the same account, multiple deposits within a short time, or patterns that appear designed to avoid alerts.
Threshold-based monitoring is useful, but it should not be the only control. Pattern-based monitoring is also needed because criminals may understand simple thresholds and try to work around them.
Fraud and Rug Pull Proceeds
A rug pull is a crypto scam where token creators or project insiders attract investors and then remove liquidity, abandon the project, or sell their holdings suddenly. Although the rug pull itself is fraud, the stolen funds may later be laundered.
After the fraud, proceeds may move through wallets, decentralized exchanges, bridges, mixers, or centralized exchanges. Compliance teams may detect exposure when stolen funds reach their platform.
How to spot it:
Look for funds connected to suspicious token launches, sudden liquidity removal, scam reports, new wallets receiving large values, or wallet clusters linked to known fraud activity.
Token warning signs may include anonymous teams, unrealistic promises, low liquidity, aggressive promotion, sudden price spikes, and large insider wallet movements.
Real-World Scenario: Mixer Exposure and Exchange Deposit
A compliance analyst receives an alert for a customer deposit of 100,000 USDC. The customer account is relatively new, and the deposit size is much larger than previous activity.
The analyst reviews the transaction hash using a blockchain explorer and blockchain analytics tool. The funds came from a wallet with recent exposure to a known mixer. The same wallet also received funds from several unrelated addresses before sending the USDC to the customer’s deposit address.
The analyst identifies several red flags. The customer’s activity is inconsistent with their profile. The source of funds is unclear. The wallet has mixer exposure. The funds moved quickly through several addresses before reaching the exchange.
The analyst documents the wallet addresses, transaction hashes, timing, risk indicators, screenshots, customer profile information, and source of funds concerns. The case is escalated for review. Depending on internal policy and local requirements, the business may restrict the account, request more information, or file a suspicious activity report.
How Compliance Teams Can Respond
Spotting crypto money laundering requires a mix of technology, policy, and human judgment. Blockchain analytics tools can help identify risky wallets, mixer exposure, sanctions links, scam connections, and suspicious patterns. However, tools are not enough on their own.
Teams should also train analysts to understand blockchain explorers, wallet behavior, transaction flows, DeFi activity, and red flags. Internal procedures should explain how alerts are reviewed, when cases are escalated, and what evidence must be recorded.
Strong documentation is essential. Every investigation should include the reason for review, transaction hashes, wallet addresses, timeline, risk indicators, customer information, analyst notes, and the final decision.
Conclusion
Crypto money laundering can involve mixers, chain hopping, DeFi layering, peer-to-peer trading, structuring, fraud proceeds, and rapid movement across wallets or platforms. These methods are designed to hide the source of funds and make investigations harder.
However, blockchain activity often leaves a visible trail. Compliance teams that understand common laundering techniques are better prepared to detect suspicious patterns, investigate alerts, document evidence, and protect their business.
To develop practical investigation skills, explore our Blockchain Forensics Basics for Compliance Investigations course.
FAQs
What is a crypto mixer?
A crypto mixer is a service that pools crypto from multiple users and redistributes it in a way that makes the original transaction trail harder to follow.
What is chain hopping?
Chain hopping is the movement of funds between different blockchains or crypto assets to make tracing more difficult.
What is layering in crypto money laundering?
Layering is the process of moving funds through multiple wallets, services, assets, or platforms to hide the original source of the money.
What is a rug pull?
A rug pull is a crypto scam where project creators or insiders remove liquidity, abandon a project, or take investor funds. The proceeds may later be laundered.
How can compliance teams spot crypto money laundering?
Compliance teams can spot it by monitoring wallet risk, transaction patterns, mixer exposure, rapid fund movement, unusual swaps, DeFi activity, and behavior that does not match the customer profile.
Understanding these techniques is crucial for any investigator. Our Blockchain Forensics Basics course provides the practical skills to identify and investigate these methods.
