We’ve created suspicious activity indicators for the cryptocurrency sector to help you identify potential money laundering, terrorism financing, proliferation financing and other serious criminal activities. 

These indicators can inform your transaction monitoring alerts that trigger further review. To complement these indicators, you must also ensure your transaction monitoring systems alert you to unusual, large or complex transactions or patterns of transactions. 

This indicators list isn’t exhaustive. You should consider other indicators specific to your business’s individual risk profile and circumstances. 

Customer identification and behaviour

Read our list of suspicious activity indicators for customer identification and behaviour.

Customer identification indicators

A customer:

  • provides identification information that’s false, misleading, vague or cannot be verified
  • is identified in open-source information or adverse media as known to law enforcement
  • has sources of funds or sources of wealth that are inconsistent with their profile
  • refuses or is reluctant to provide identification information or documents
  • frequently changes their identification information, including email addresses, IP addresses or financial information, which may also indicate an account takeover
  • shares the same personal information with multiple other customers, such as address, email, phone number or wallet address.

Customer behaviour indicators

A customer:

  • makes an unusual enquiry about whether they report to government authorities. For example, AUSTRAC, the Australian Taxation Office or law enforcement agencies
  • is the subject of law enforcement enquiries, or their activity is
  • seems nervous, overly defensive, confused or evasive when questioned
  • doesn’t understand the product or transaction they’re asking for
  • cannot or doesn’t want to provide reasonable explanations for transactions that make no economic sense
  • makes large or frequent transactions through a product or service that has fees significantly higher than the industry average
  • makes transactions at unusual hours, particularly when using a crypto ATM.

Indicators specific to cryptocurrency ATM misuse

Read our suspicious activity indicators specific to cryptocurrency ATM misuse.

A customer:

  • appears to be confused or doesn’t understand the product or transaction
  • appears to be coached or is on the phone during the transaction taking instructions
  • uses wallet addresses that are flagged as having a high or extreme risk exposure, such as scam receipts, ransomware payments, darknet transactions, terrorism financing or child exploitation
  • makes multiple small-value payments within a day or on consecutive days (generally under $500 for each transaction)
  • moves large amounts of cryptocurrency to/from international wallets or exchanges, especially in high-risk countries
  • uses cryptocurrency ATMs at unusual hours or prefers machines with no security cameras around
  • doesn’t look like their ID photo when using the machine
  • uses multiple machines in separate locations
  • appears to use different machines at the same time (which means multiple people are using the same account)
  • conducts transactions to multiple wallets
  • moves cryptocurrency to third party wallets not controlled by them
  • has a transaction pattern that doesn’t match their source of wealth
  • appears to be using funds from third parties
  • moves a large value of funds in quick succession
  • says they’re sending money to a grandchild, friend, partner or another person but cannot clarify that person’s identity
  • is paying a bill or fine that appears to be fake
  • makes large transactions at a frequency that doesn’t match their means.

Older customers

Our data shows that most cryptocurrency ATM users are aged 50 or over. We’ve developed the indicators below for customers over 50, as they’re known for being at the highest risk of scams and fraud.

A customer over 50 who:

  • says they’re sending money to a grandchild, friend, partner or another person but cannot clarify that person’s identity
  • appears confused or doesn’t understand the product or transaction
  • appears to be coached, for example they’re on the phone during the transaction, taking instructions
  • is paying a bill or fine that appears to be fake
  • makes large transactions at a frequency that does not match their means.

Money laundering

Read our list of suspicious activity indicators for money laundering.

Money laundering indicators

A customer:

  • accepts transfers from an unregistered or unregulated virtual asset service provider, over-the-counter (OTC) broker, P2P network, cryptocurrency mixer or tumbler services, or higher-risk decentralised exchanges
  • makes rapid conversions or exchanges from one virtual asset to another, or a chain of rapid exchanges with no economic rationale
  • makes rapid conversions between fiat currencies and stablecoins with no economic rationale
  • transfers virtual assets to or from wallets that show previous patterns of activity associated with an unregistered virtual asset service provider, OTC brokers, P2P platforms, cryptocurrency mixer/tumbler services, or higher-risk decentralised exchanges
  • uses wallet addresses that your blockchain analysis flags as having a high or extreme risk exposure. For example, scam receipts, ransomware payments, darknet transactions, terrorism financing or child exploitation
  • uses cryptocurrency ATMs or kiosks, with no concern for higher transaction fees
  • makes deposits into their account that are significantly higher than normal, with an unknown or unexplained source of funds, followed by conversion to fiat currency
  • makes 'u-turn' transactions both domestically and internationally, where funds are transferred and then a portion of them returned
  • conducts ‘u-turn’ transactions, buying into virtual assets and then withdrawing in rapid succession
  • makes multiple deposits to their account via different cryptocurrency ATM/kiosks, including where the ATM or kiosk location is inconsistent with their profile
  • makes virtual asset transactions that originate from or are destined to online gambling services
  • structures a deposit into their fiat currency account as multiple smaller payments rather than a single transaction
  • structures a virtual asset transaction as multiple smaller transactions rather than a single transaction
  • makes multiple high value transactions in a short time period using an account that was recently created, or has been dormant for a significant period of time
  • regularly conducts virtual asset-fiat currency exchange at a potential loss that has no economic rationale
  • converts a large amount of fiat currency into virtual assets, or a large amount of one type of virtual asset into other types of virtual assets, with no economic rationale
  • has an account that’s accessed from several different IP addresses simultaneously, or in a short period of time
  • has funds originating from, or sent to, an exchange that isn’t registered in the jurisdiction where either the customer or the exchange is located
  • funds their trading account by deposits from third parties.

Cyber and digital

Read our suspicious activity indicators for cyber and digital transactions.

Darknet marketplace transaction indicators

A customer:

  • makes transactions that are linked to darknet clusters, child exploitation, mixers or higher-risk exchanges
  • has a wallet address that appears to show exposure to higher-risk conversion services or darknet marketplaces, or that your blockchain analysis flags as high-risk or extreme-risk wallets
  • owns an account that appears to indicate use of, access to or donations to darknet explorers. This includes platform-enabling and anonymised internet access, and possible illicit purchases on darknet marketplaces.

Ransomware indicators

A customer:

  • increases any transaction limits on their account and then quickly sends funds to a third party
  • appears anxious or impatient with the time taken to make a large payment from their account
  • appears overly concerned with the speed of a transaction and/or withdrawal approvals
  • has sent funds from their digital currency address to an identified ransomware address
  • who is newly onboarded wants to make an immediate and large purchase of digital currency, followed by an immediate withdrawal to an external digital currency address
  • states that their transaction is in response to a cyber-attack
  • is evasive when asked about the reason for a transaction
  • is identified in the media as being subject to a ransomware attack
  • mentions an ‘adviser’ or that they are being assisted to purchase cryptocurrency
  • makes payment to intermediary wallets, where the cryptocurrency is rapidly cleared out of that wallet.

A company customer:

  • that you wouldn’t normally expect to transact in digital currency attempts to do so
  • has operations that appear to have changed significantly, inconsistent with their profile.

Cybercrime indicators

A customer:

  • provides a verification document that’s a photograph of data on a computer screen
  • appears to operate multiple accounts with the exchange or service, as indicated by their IP addresses
  • uses language, grammar or syntax that doesn’t match their demographic
  • presents ID or images with a file name that indicates it was generated from a social media platform
  • uses an email account from a high-privacy email service provider, as indicated by their information
  • has inconsistent identification details
  • attempts to create an account with fraudulent identification documents
  • keeps images of their identification documents in a physical plastic wallet, which may indicate the identification document is altered or fraudulent
  • has accounts that appear to have the characteristics of a mule account. For example, multiple accounts linked to the same contact details, addresses shared under different names, or customers stating they’re transacting for someone else
  • provides an address that isn’t a residential address, such as an office, carpark or vacant lot
  • appears to use a virtual private network
  • uses or trades only in privacy coins, inconsistent with their profile
  • makes payments to online infrastructure services used for cyber-offending, mixers, cyber threat actors, or darknet marketplaces or forums
  • receives virtual assets from addresses identified with cybercrime activity.

Serious financial and organised crime

Read our suspicious activity indicators for serious financial and organised crime.

Scams indicators

A customer:

  • is linked to a higher-risk jurisdiction for scams via their IP address
  • receives deposits from multiple bank accounts in different names, inconsistent with their profile
  • makes transactions that are inconsistent with their profile
  • makes payment to intermediary wallets, where the cryptocurrency is rapidly cleared out of that wallet
  • advises they’re using their digital currency to participate in an investment opportunity
  • demonstrates limited digital currency knowledge during onboarding, but quickly purchases digital currency and sends it to another digital currency address
  • appears coached or rehearsed when answering personal and onboarding questions
  • advises they’re employed to purchase digital currency on behalf of another individual or company
  • advises they’re sending funds to a friend or family in a higher-risk jurisdiction for scams
  • reports fraud or scam activity against themselves, or their account
  • conducts large cryptocurrency movements to or from international wallets or exchanges, especially in high-risk countries.

Tax evasion indicators

A customer:

  • uses services in a manner that has no commercial or economic rationale
  • enquires about avoiding tax reporting obligations
  • enquires if personal or transaction information will be shared with the Australian Taxation Office
  • requests to hide or delete transactions
  • sends or receives fiat currency to a wide range of related personal or business accounts at different institutions.

Child exploitation indicators

A customer:

  • transfers virtual assets to other wallets that are directly or indirectly linked to child abuse materials
  • uses wallet addresses that your blockchain analysis flags as being linked to child exploitation
  • has multiple small value same-day or consecutive-day payments (generally under $500 per transaction)
  • uses privacy coins inconsistent with their profile.

Terrorism, national security and international crime

Read our suspicious activity indicators for terrorism, national security and international crime.

Terrorism financing indicators

A customer:

  • transacts with sanctioned wallet addresses or people of interest listed on government websites. For example, the Office of Foreign Assets Control or the Department of Foreign Affairs and Trade Consolidated List
  • is matched through screening against an Australian or international sanctions list
  • transacts with social media, communication applications, crowdfunding or online fundraising campaigns linked to extremist forums
  • transfers to or from international exchanges with less stringent customer identification processes. This includes those owned or hosted in higher-risk jurisdictions for terrorism financing
  • receives multiple small deposits, which are immediately transferred to private wallets, inconsistent with their profile
  • has transacted with websites or wallet addresses considered to be higher risk for terrorism financing, as indicated by blockchain analysis
  • transfers large amounts of cryptocurrency to/from international wallets or exchanges, especially in high-risk countries.

Open-source information:

  • identifies that a customer or transaction has links to known terrorist organisations or terrorism activities
  • indicates a customer displays extremist ideologies. For example, social, political or environmental.

Proliferation financing indicators

Proliferation financing is when a person makes available an asset, provides a financial service or conducts a financial transaction that’s intended to facilitate the proliferation of weapons of mass destruction, regardless of whether the activity occurs or is attempted. 

A customer:

  • is matched through screening against an Australian or international sanctions list
  • is shown by blockchain or wallet analysis to have links to sanctioned entities, high-risk jurisdictions or areas of proliferation financial concern
  • uses anonymity-enhancing services such as privacy coins, tumblers or mixers
  • transacts through jurisdictions of proliferation financing concern
  • enquires about due diligence processes when transacting with individuals, networks, companies or countries of proliferation concern
  • uses complex company or trust structures to obscure the source and beneficial ownership of their funds
  • makes or receives payments through a digital currency exchange service that’s registered in a different jurisdiction to where the trade of goods or service occurs. For example, an Australian-registered company may ship goods from an overseas operational location, but use an Australian-registered digital currency exchange to receive payment
  • transacts through a digital currency exchange service with no obvious link to their business or personal activities. For example, an overseas customer uses an Australian-registered digital currency exchange without any connection to Australia
  • conducts business in dual use goods (goods suitable for both civilian and military purposes) listed on the Defence and Strategic Goods List
  • has trade or shipment activity that doesn’t align with the customer’s profile or stated purpose, based on enhanced customer due diligence information
  • trades in dual use goods without a clear end use or end user
  • is connected to industries with higher proliferation financing risks. This includes but is not limited to those identified in Australia’s proliferation financing national risk assessments and the Australian Sanctions Office advisory note on sanctions and proliferation financing.

Corporations:

  • share directors and management, addresses, emails, phone numbers or financial infrastructure with other entities in their network
  • obscure their identities and activities by:
    • using aliases and using alternate spellings or versions of company names
    • using subsidiaries or branches
    • using third-country nationals in ownership structures
    • registering in jurisdictions with opaque corporate registers where information on ultimate beneficial ownership is not easily accessible
  • have activity that doesn’t match their business profile.

Suspicious matter reporting

If you suspect on reasonable grounds that a customer or a transaction involving your customer is linked to a crime, submit a suspicious matter report (SMR) to us within the required timeframes. This includes where you suspect on reasonable grounds that a person:

  • is committing a crime
  • isn’t who they claim to be
  • could be the victim of a crime.

On their own, one of these indicators may not suggest suspicious activity. If you’re unsure whether there are reasonable grounds for a suspicion, you should conduct further monitoring and examination. This may include applying enhanced customer due diligence (ECDD) measures. 

For more information on complying with your reporting obligations, see our suspicious matter reporting reference guide and suspicious matter reporting checklist.

The Department of Foreign Affairs and Trade’s Australian Sanctions Office has also published an advisory to digital currency exchanges to alert them to their obligations to comply with Australian sanctions laws.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 5 Feb 2026
Page ID: 1110
