Indicators of suspicious activity for the digital currency (cryptocurrency) sector

On this page

• Customer identification and behaviour
• Money laundering
• Cyber and digital
• Serious financial and organised crime
• Terrorism, national security and international crime
• Related pages

Customer identification and behaviour

Customer identification indicators

A customer:

• provides identification information that is false, misleading, vague, or cannot be verified
• is identified in open-source information or adverse media as known to law enforcement
• has sources of funds or sources of wealth that are inconsistent with their profile 
• refuses or is reluctant to provide identification information or documents
• frequently changes their identification information, including email addresses, IP addresses or financial information which may also indicate an account takeover 

Customer behaviour indicators

A customer:

• makes an unusual enquiry about whether they report to government authorities. For example, AUSTRAC, the Australian Taxation Office or law enforcement agencies
• and/or their activity is the subject of law enforcement enquiries
• seems nervous, overly defensive, or evasive when questioned
• is unwilling to or cannot provide reasonable explanations for exchanges of virtual assets that have no economic rationale

Money laundering

Money laundering indicators

A customer:

• accepts transfers from an unregistered and/or unregulated virtual asset service provider, over-the-counter (OTC) broker, P2P network, cryptocurrency mixer or tumbler services, or higher-risk decentralised exchanges
• makes rapid conversions or exchanges from one virtual asset to another, or a chain of rapid exchanges with no economic rationale
• makes rapid conversions between fiat currencies and stablecoins with no economic rationale
• transfers virtual assets to or from wallets that show previous patterns of activity associated with an unregistered virtual asset service provider, OTC brokers, P2P platforms, cryptocurrency mixer/tumbler services, or higher-risk decentralised exchanges
• uses virtual asset ATMs or kiosks, with no concern for higher transaction fees
• makes deposits into their account that are significantly higher than normal, with an unknown or unexplained source of funds, followed by conversion to fiat currency
• conducts 'u-turn' transactions both domestically and internationally, with a portion of those funds being returned
• conducts ‘u-turn’ transactions, buying into virtual assets and then withdrawing in rapid succession
• makes multiple deposits to their account via different crypto ATM/kiosks, including where the ATM or kiosk location is inconsistent with their profile 
• makes virtual asset transactions that originate from or are destined to online gambling services
• structures a deposit into their fiat currency account as multiple smaller payments rather than a single transaction
• structures a virtual asset transaction as multiple smaller transactions rather than a single transaction 
• makes multiple high value transactions in a short time period using an account that was recently created, or has been dormant for a significant period of time 
• regularly conducts virtual asset-fiat currency exchange at a potential loss that has no economic rationale
• converts a large amount of fiat currency into virtual assets, or a large amount of one type of virtual asset into other types of virtual assets, with no economic rationale
• has an account that is accessed from a number of different IP addresses simultaneously, or in a short period of time
• has funds originating from, or sent to, an exchange that is not registered in the jurisdiction where either the customer or the exchange is located
• funds their trading account by deposits from third parties

Cyber and digital

Darknet marketplace transaction indicators

A customer:

• makes transactions that are linked via blockchain analysis to darknet clusters, child exploitation clusters, mixers or higher-risk exchanges
• has a wallet address that appears to show exposure to higher-risk conversion services or darknet marketplaces
• owns an account that appears to indicate use of, access to, or donations to darknet explorers, including platform-enabling and anonymised internet access, and possible illicit purchases on darknet marketplaces

Ransomware indicators

A customer:

• increases any transaction limits on their account and then quickly sends funds to a third party
• appears anxious or impatient with the time taken to make a large payment from their account
• appears overly concerned with the speed of a transaction and or withdrawal approvals
• has sent funds from their digital currency address to an identified ransomware address 
• who is newly on-boarded wants to make an immediate and large purchase of digital currency, followed by an immediate withdrawal to an external digital currency address
• states that their transaction is in response to a cyber-attack
• is evasive when asked about the reason for a transaction
• is identified in the media as being subject to a ransomware attack
• mentions an ‘adviser’ or that they are being assisted to purchase cryptocurrency

A company customer:

• that you would not normally expect to transact in digital currency attempts to do so
• has operations that appear to have changed significantly, inconsistent with their profile

Cyber-crime indicators

A customer:

• provides a verification document that is a photograph of data on a computer screen
• appears to operate multiple accounts by the exchange or service, as indicated by their IP address/es 
• uses language, grammar or syntax that does not match their demographic
• presents ID or images with a file name that apparently indicates it was generated from a social media platform
• information indicates that the customer uses an email account from a high-privacy email service provider
• has inconsistent identification details
• attempts to create an account with fraudulent identification documents
• keeps images of their identification document/s in a physical plastic wallet, which may indicate the identification document is altered or fraudulent
• has accounts that appear to have the characteristics of a mule account, such as: multiple accounts linked to the same contact details, addresses shared under different names, or customers stating they are transacting for someone else
• provides an address that is not a residential address, such as an office, carpark or vacant lot
• appears to use a virtual private network
• uses or trades only in privacy coins, inconsistent with their profile
• makes payments to online infrastructure services used for cyber-offending, mixers, cyber threat actors, or darknet marketplaces or forums
• receives virtual assets from addresses identified with cyber-crime activity

Serious financial and organised crime

Scams indicators

A customer:

• is linked to a higher-risk jurisdiction for scams via their IP address
• receives deposits from multiple bank accounts in different names, inconsistent with their profile
• makes transactions that are inconsistent with their profile
• advises they are using their digital currency to participate in an investment opportunity
• demonstrates limited digital currency knowledge during on-boarding, but quickly purchases digital currency and sends it to another digital currency address
• appears coached or rehearsed when answering personal and on-boarding questions
• advises they are employed to purchase digital currency on behalf of another individual or company
• advises they are sending funds to a friend or family in a higher-risk jurisdiction for scams 
• reports fraud or scam activity against themselves, or their account

Tax evasion indicators

A customer:

• uses services in a manner that has no commercial or economic rationale
• enquires about avoiding tax reporting obligations
• enquires if personal or transaction information will be shared with the Australian Taxation Office
• requests to hide or delete transactions 
• sends or receives fiat currency to a wide range of related personal or business accounts at different institutions

Child exploitation indicators

A customer:

• transfers virtual assets to other wallets that are directly, or indirectly linked to child abuse materials
• has multiple small value same-day and/or consecutive-day payments (generally under $500 per transaction)
• uses privacy coins inconsistent with their profile

Terrorism, national security and international crime

Terrorism financing indicators

A customer:

• transacts with sanctioned wallet addresses or people of interest listed on government websites, such as the Office of Foreign Assets Control or the Department of Foreign Affairs and Trade Consolidated List
• is matched through screening against an Australian or international sanctions list
• transacts with social media, communication applications, crowdfunding or online fundraising campaigns linked to extremist forums
• transfers to or from international exchanges with less stringent customer identification processes, including those owned or hosted in higher-risk jurisdictions for terrorism financing
• receives multiple small deposits, which are immediately transferred to private wallets, inconsistent with their profile
• has transacted with websites or wallet addresses considered to be higher risk for terrorism financing, as indicated by blockchain analysis

Open source information:

• identifies a customer or transaction has links to known terrorist organisations or terrorism activities 
• indicates a customer displays extremist ideologies (for example, social, political or environmental)

Proliferation financing indicators

Proliferation financing is when a person makes available an asset, provides a financial service or conducts a financial transaction that is intended to facilitate the proliferation of weapons of mass destruction, regardless of whether the activity occurs or is attempted. 

All reporting entities must have risk-based systems and controls in their transaction monitoring programs to identify and report suspicious matters. This includes monitoring for suspicions that individuals or businesses are attempting to avoid Australia’s sanctions laws in connection with the provision of a designated service, or a request to provide a service.

Some indicators of circumstances that could be suspicious include a customer:

•  who is matched through screening against an Australian or international sanctions list
•  who transacts through jurisdictions of proliferation financing concern 

Related pages

• Your Industry
• Suspicious matter reports (SMRs)
• Enhanced customer due diligence (ECDD) program
• Proliferation financing in Australia national risk assessment 2022
• Money laundering in Australia national risk assessment 2024
• Terrorism financing in Australia national risk assessment 2024

The Department of Foreign Affairs and Trade’s Australian Sanctions Office has also published an advisory to digital currency exchanges to alert them to their obligations to comply with Australian sanctions laws.