Indicators of suspicious activity for the digital currency (cryptocurrency) sector

On this page

• Customer identification and behaviour
• Indicators specific to cryptocurrency ATM misuse
• Money laundering
• Cyber and digital
• Serious financial and organised crime
• Terrorism, national security and international crime
• Related pages

Customer identification and behaviour

Customer identification indicators

A customer:

• provides identification information that is false, misleading, vague, or cannot be verified
• is identified in open-source information or adverse media as known to law enforcement
• has sources of funds or sources of wealth that are inconsistent with their profile
• refuses or is reluctant to provide identification information or documents
• frequently changes their identification information, including email addresses, IP addresses or financial information which may also indicate an account takeover
• shares the same personal information such as address, email, phone number or wallet address, with multiple other customers

Customer behaviour indicators

A customer:

• makes an unusual enquiry about whether they report to government authorities. For example, AUSTRAC, the Australian Taxation Office or law enforcement agencies
• and/or their activity is the subject of law enforcement enquiries
• seems nervous, overly defensive, confused or evasive when questioned
• does not understand the product or transaction they are asking for
• cannot or doesn’t want to provide reasonable explanations for transactions that make no economic sense
• makes large or frequent transactions through a product or service that has fees significantly higher than the industry average
• makes transactions at unusual hours, particularly when using a crypto ATM

Indicators specific to cryptocurrency ATM misuse

A customer:

• appears to be confused or doesn’t understand the product or transaction
• appears to be coached or is on the phone during the transaction taking instructions
• uses wallet addresses that are flagged as having a high or extreme risk exposure, such as scam receipts, ransomware payments, darknet transactions, terrorism financing or child exploitation
• makes multiple small-value payments within a day or on consecutive days (generally under $500 for each transaction)
• moves large amounts of cryptocurrency to/from international wallets or exchanges, especially in high-risk countries
• uses cryptocurrency ATMs at unusual hours or prefers machines with no security cameras around
• using the machine does not look like their ID photo
• uses multiple machines in separate locations
• appears to use different machines at the same time (which is multiple people using the same account)
• conducts transactions to multiple wallets
• moves cryptocurrency to third party wallets not controlled by them
• has a transaction pattern that does not match their source of wealth
• appears to be using funds from third parties
• moves a large value of funds in quick succession
• says they’re sending money to a grandchild, friend, partner or another person but cannot clarify that person’s identity
• appears confused or doesn’t understand the product or transaction
• appears to be coached, for example they’re on the phone during the transaction, taking instructions
• is paying a bill or fine that appears to be fake
• makes large transactions at a frequency that does not match their means

Older customers

AUSTRAC data shows that the majority of cryptocurrency ATM users are aged 50 or over. We have developed the below indicators for customers over 50 as they are known for being at the highest risk of scams and fraud. 

A customer over 50 who:

• says they’re sending money to a grandchild, friend, partner or another person but cannot clarify that person’s identity
• appears confused or doesn’t understand the product or transaction
• appears to be coached, for example they’re on the phone during the transaction, taking instructions
• is paying a bill or fine that appears to be fake
• makes large transactions at a frequency that does not match their means.

Money laundering

Money laundering indicators

A customer:

• accepts transfers from an unregistered and/or unregulated virtual asset service provider, over-the-counter (OTC) broker, P2P network, cryptocurrency mixer or tumbler services, or higher-risk decentralised exchanges
• makes rapid conversions or exchanges from one virtual asset to another, or a chain of rapid exchanges with no economic rationale
• makes rapid conversions between fiat currencies and stablecoins with no economic rationale
• transfers virtual assets to or from wallets that show previous patterns of activity associated with an unregistered virtual asset service provider, OTC brokers, P2P platforms, cryptocurrency mixer/tumbler services, or higher-risk decentralised exchanges
• uses wallet addresses that your blockchain analysis flags as having a high or extreme risk exposure, such as scam receipts, ransomware payments, darknet transactions, terrorism financing or child exploitation
• uses cryptocurrency ATMs or kiosks, with no concern for higher transaction fees
• makes deposits into their account that are significantly higher than normal, with an unknown or unexplained source of funds, followed by conversion to fiat currency
• makes 'u-turn' transactions both domestically and internationally, where funds are transferred and then a portion of them returned
• conducts ‘u-turn’ transactions, buying into virtual assets and then withdrawing in rapid succession
• makes multiple deposits to their account via different cryptocurrency ATM/kiosks, including where the ATM or kiosk location is inconsistent with their profile
• makes virtual asset transactions that originate from or are destined to online gambling services
• structures a deposit into their fiat currency account as multiple smaller payments rather than a single transaction
• structures a virtual asset transaction as multiple smaller transactions rather than a single transaction
• makes multiple high value transactions in a short time period using an account that was recently created, or has been dormant for a significant period of time
• regularly conducts virtual asset-fiat currency exchange at a potential loss that has no economic rationale
• converts a large amount of fiat currency into virtual assets, or a large amount of one type of virtual asset into other types of virtual assets, with no economic rationale
• has an account that is accessed from a number of different IP addresses simultaneously, or in a short period of time
• has funds originating from, or sent to, an exchange that is not registered in the jurisdiction where either the customer or the exchange is located
• funds their trading account by deposits from third parties

Cyber and digital

Darknet marketplace transaction indicators

A customer:

• makes transactions that are linked to darknet clusters, child exploitation, mixers or higher-risk exchanges
• has a wallet address that appears to show exposure to higher-risk conversion services or darknet marketplaces, or that your blockchain analysis flags as high-risk or extreme-risk wallets
• owns an account that appears to indicate use of, access to, or donations to darknet explorers, including platform-enabling and anonymised internet access, and possible illicit purchases on darknet marketplaces

Ransomware indicators

A customer:

• increases any transaction limits on their account and then quickly sends funds to a third party
• appears anxious or impatient with the time taken to make a large payment from their account
• appears overly concerned with the speed of a transaction and or withdrawal approvals
• has sent funds from their digital currency address to an identified ransomware address
• who is newly on-boarded wants to make an immediate and large purchase of digital currency, followed by an immediate withdrawal to an external digital currency address
• states that their transaction is in response to a cyber-attack
• is evasive when asked about the reason for a transaction
• is identified in the media as being subject to a ransomware attack
• mentions an ‘adviser’ or that they are being assisted to purchase cryptocurrency
• makes payment to intermediary wallets, where the cryptocurrency is rapidly cleared out of that wallet

A company customer:

• that you would not normally expect to transact in digital currency attempts to do so
• has operations that appear to have changed significantly, inconsistent with their profile

Cybercrime indicators

A customer:

• provides a verification document that is a photograph of data on a computer screen
• appears to operate multiple accounts by the exchange or service, as indicated by their IP address/es
• uses language, grammar or syntax that does not match their demographic
• presents ID or images with a file name that apparently indicates it was generated from a social media platform
• information indicates that the customer uses an email account from a high-privacy email service provider
• has inconsistent identification details
• attempts to create an account with fraudulent identification documents
• keeps images of their identification document/s in a physical plastic wallet, which may indicate the identification document is altered or fraudulent
• has accounts that appear to have the characteristics of a mule account, such as: multiple accounts linked to the same contact details, addresses shared under different names, or customers stating they are transacting for someone else
• provides an address that is not a residential address, such as an office, carpark or vacant lot
• appears to use a virtual private network
• uses or trades only in privacy coins, inconsistent with their profile
• makes payments to online infrastructure services used for cyber-offending, mixers, cyber threat actors, or darknet marketplaces or forums
• receives virtual assets from addresses identified with cyber-crime activity

Serious financial and organised crime

Scams indicators

A customer:

• is linked to a higher-risk jurisdiction for scams via their IP address
• receives deposits from multiple bank accounts in different names, inconsistent with their profile
• makes transactions that are inconsistent with their profile
• makes payment to intermediary wallets, where the cryptocurrency is rapidly cleared out of that wallet
• advises they are using their digital currency to participate in an investment opportunity
• demonstrates limited digital currency knowledge during on-boarding, but quickly purchases digital currency and sends it to another digital currency address
• appears coached or rehearsed when answering personal and on-boarding questions
• advises they are employed to purchase digital currency on behalf of another individual or company
• advises they are sending funds to a friend or family in a higher-risk jurisdiction for scams
• reports fraud or scam activity against themselves, or their account
• conducts large cryptocurrency movements to or from international wallets or exchanges, especially in high-risk countries

Tax evasion indicators

A customer:

• uses services in a manner that has no commercial or economic rationale
• enquires about avoiding tax reporting obligations
• enquires if personal or transaction information will be shared with the Australian Taxation Office
• requests to hide or delete transactions
• sends or receives fiat currency to a wide range of related personal or business accounts at different institutions

Child exploitation indicators

A customer:

• transfers virtual assets to other wallets that are directly, or indirectly linked to child abuse materials
• uses wallet addresses that your blockchain analysis flags as being linked to child exploitation
• has multiple small value same-day and/or consecutive-day payments (generally under $500 per transaction)
• uses privacy coins inconsistent with their profile

Terrorism, national security and international crime

Terrorism financing indicators

A customer:

• transacts with sanctioned wallet addresses or people of interest listed on government websites, such as the Office of Foreign Assets Control or the Department of Foreign Affairs and Trade Consolidated List
• is matched through screening against an Australian or international sanctions list
• transacts with social media, communication applications, crowdfunding or online fundraising campaigns linked to extremist forums
• transfers to or from international exchanges with less stringent customer identification processes, including those owned or hosted in higher-risk jurisdictions for terrorism financing
• receives multiple small deposits, which are immediately transferred to private wallets, inconsistent with their profile
• has transacted with websites or wallet addresses considered to be higher risk for terrorism financing, as indicated by blockchain analysis
• transfers large amounts of cryptocurrency to/from international wallets or exchanges, especially in high-risk countries

Open source information:

• identifies that a customer or transaction has links to known terrorist organisations or terrorism activities
• indicates a customer displays extremist ideologies (for example, social, political or environmental)

Proliferation financing indicators

Proliferation financing is when a person makes available an asset, provides a financial service or conducts a financial transaction that is intended to facilitate the proliferation of weapons of mass destruction, regardless of whether the activity occurs or is attempted. 

All reporting entities must have risk-based systems and controls in their transaction monitoring programs to identify and report suspicious matters. This includes monitoring for suspicions that individuals or businesses are attempting to avoid Australia’s sanctions laws in connection with the provision of a designated service, or a request to provide a service.

Some indicators of circumstances that could be suspicious include a customer:

•  who is matched through screening against an Australian or international sanctions list
• who transacts through jurisdictions of proliferation financing concern 

Related pages

• Your Industry
• Suspicious matter reports (SMRs)
• Enhanced customer due diligence (ECDD) program
• Proliferation financing in Australia national risk assessment 2022
• Money laundering in Australia national risk assessment 2024
• Terrorism financing in Australia national risk assessment 2024

The Department of Foreign Affairs and Trade’s Australian Sanctions Office has also published an advisory to digital currency exchanges to alert them to their obligations to comply with Australian sanctions laws.