The new year began with the news that notable Web3 entrepreneur Kevin Rose fell victim to a phishing scam in which he lost over $1 million worth of nonfungible tokens (NFTs).
As mainstream financial institutions begin to provide services related to Web3, crypto and NFTs, they would be custodians of client assets. They must protect their clients from bad actors and identify whether client assets have been obtained through illicit activities.
The crypto industry hasn’t made it easy for Anti-Money Laundering (AML) functions within organizations. The sector has innovated constructs like cross-chain bridges, mixers and privacy chains, which hackers and crypto thieves can use to obfuscate stolen assets. Very few technical tools or frameworks can help navigate this rabbit hole.
Regulators have recently come down hard on some crypto platforms, pressuring centralized exchanges to delist privacy tokens. In August 2022, Dutch police arrested Tornado Cash developer Alexey Pertsev, and they have worked on controlling transactions through mixers since then.
While centralized governance is considered antithetical to the Web3 ethos, the pendulum may have to swing in the other direction before reaching a balanced middle ground that protects users and doesn’t curtail innovation.
And while large institutions and banks have to grapple with the technological complexities of Web3 to provide digital assets services to their clients, they will only be able to provide suitable customer protection if they have a robust AML framework.
AML frameworks will need several capabilities that banks must evaluate and build. These capabilities could be built in-house or achieved by collaborating with third-party solutions.
A few vendors in this space are Solidus Labs, Moralis, Cipher Blade, Elliptic, Quantumstamp, TRM Labs, Crystal Chain and Chainalysis. These firms are focused on delivering holistic (full-stack) AML frameworks to banks and financial institutions.
For these vendor platforms to deliver a holistic approach to AML around digital assets, they must have several inputs. The vendor provides several of these, while others are sourced from the bank or institution they work with.
Data sources and inputs
Institutions need a ton of data from varied sources to effectively identify AML risks. The breadth and depth of data an institution can access will decide the effectiveness of its AML function. Some of the key inputs needed for AML and fraud detection are below.
The AML policy is often a broad definition of what a firm should watch for. This is generally broken down into rules and thresholds that will help implement the policy.
An AML policy could state that all digital assets linked to a sanctioned nation-state like North Korea must be flagged and addressed.
The policy could also provide that transactions would be flagged if more than 10% of the transaction value could be traced back to a wallet address that contains the proceeds of a known theft of assets.
For instance, if 1 Bitcoin (BTC) is sent for custody with a tier-one bank, and if 0.2 BTC had its source in a wallet containing the proceeds of the Mt. Gox hack, even if attempts had been made to hide the source by running it through 10 or more hops before reaching the bank, that would raise an AML red flag to alert the bank to this potential risk.
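The threshold rule above can be made concrete with a short sketch. This is an added example, not code from any vendor named in this article; it assumes a proportional ("haircut") taint model, and the wallet names, label and transfers are constructed for illustration.

```python
from collections import defaultdict

THRESHOLD = 0.10  # policy rule from the text: flag when >10% of value is traceable

def build_inflows(transfers):
    """Index (source, destination, amount) transfers by receiving wallet."""
    inflows = defaultdict(list)
    for src, dst, amount in transfers:
        inflows[dst].append((src, amount))
    return inflows

def taint_fraction(wallet, inflows, labeled, memo, path=frozenset()):
    """Share of a wallet's received value that traces back to labeled wallets."""
    if wallet in labeled:
        return 1.0
    if wallet in memo:
        return memo[wallet]
    if wallet in path or not inflows.get(wallet):
        return 0.0  # loop in the graph, or no known history: treated as clean
    total = sum(amount for _, amount in inflows[wallet])
    tainted = sum(amount * taint_fraction(src, inflows, labeled, memo, path | {wallet})
                  for src, amount in inflows[wallet])
    memo[wallet] = tainted / total
    return memo[wallet]

def screen_deposit(source_wallet, transfers, labeled):
    """Return (traceable fraction, flagged?) for a deposit from source_wallet."""
    fraction = taint_fraction(source_wallet, build_inflows(transfers), labeled, {})
    return fraction, fraction > THRESHOLD

# Constructed sample data (amounts in satoshis; 100_000_000 = 1 BTC).
LABELED = {"theft_wallet"}  # hypothetical label for proceeds of a known theft
HOPS = ["theft_wallet"] + [f"hop{i}" for i in range(1, 11)]
TRANSFERS = [(a, b, 20_000_000) for a, b in zip(HOPS, HOPS[1:])]  # 0.2 BTC, 10 hops
TRANSFERS += [("hop10", "customer", 20_000_000), ("exchange", "customer", 80_000_000)]

if __name__ == "__main__":
    print(screen_deposit("customer", TRANSFERS, LABELED))
```

The number of hops does not dilute the result: the 0.2 BTC share survives all ten intermediate wallets, so the 1 BTC deposit is still 20% traceable and exceeds the 10% threshold.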
AML platforms use several methods to label wallets and identify the source of transactions. These include consulting third-party intelligence such as government lists (sanctions and other bad actors); web scraping crypto addresses, the darknet, terrorist financing websites or Facebook pages; employing common spend heuristics that can identify crypto addresses controlled by the same person; and machine learning techniques like clustering that can identify cryptocurrency addresses controlled by the same person or group.
Data gathered through these techniques is the building block for the fundamental capabilities that AML functions within banks and financial services institutions must create to deal with digital assets.
Wallet monitoring and screening
Banks will need to perform proactive monitoring and screening of customer wallets, wherein they can assess whether a wallet has interacted directly or indirectly with illicit actors such as hackers, sanctioned entities, terrorist networks, mixers and so on.
Illustration of assets in a wallet categorized and labeled. Source: Elliptic
Once labels are tagged to wallets, AML rules are applied to ensure the wallet screening is within the risk limits.
Blockchain investigation
Blockchain investigation is critical to ensure transactions happening on the network do not involve any illicit activities.
An investigation is performed on blockchain transactions from ultimate source to ultimate destination. Vendor platforms offer functionalities such as filtering on transaction value or number of hops, or even the ability to automatically identify on-off ramp transactions as part of an investigation.
Illustration of Elliptic platform tracing a transaction back to the dark web. Source: Elliptic
Platforms offer a pictorial hop chart showing every single hop a digital asset has taken through the network to get from the first to the most recent wallet. Platforms like Elliptic can identify transactions that even stem from the dark web.
Multiasset monitoring
Monitoring risk where multiple tokens are used to launder money on the same blockchain is another critical capability that AML platforms must have. Most layer 1 protocols have several applications that have their own tokens. Illicit transactions could happen using any of these tokens, and monitoring must be broader than just one base token.
Cross-chain monitoring
Cross-chain transaction monitoring has haunted data analysts and AML experts for a while. Apart from mixers and dark web transactions, cross-chain transactions are perhaps the hardest problem to solve. Unlike mixers and dark web transactions, cross-chain asset transfers are commonplace and a genuine use case that drives interoperability.
Also, wallets that hold assets that hopped through mixers and the dark web can be labeled and red-flagged straightaway, as these are considered amber flags from an AML perspective. It wouldn’t be possible to simply flag a cross-chain transaction, as cross-chain transfers are fundamental to interoperability.
AML initiatives around cross-chain transactions in the past have been a challenge as cross-chain bridges can be opaque in the way they move assets from one blockchain to another. As a result, Elliptic has come up with a multitiered approach to solving this problem.
An illustration of how a cross-chain transaction between Polygon and Ethereum is identified as having its source with a crypto mixer — a sanctioned entity. Source: Elliptic
The simplest scenario is when the bridge provides end-to-end transparency across chains for every transaction, and the AML platform can pick that up from the chains. Where such traceability is not possible due to the nature of the bridge, AML algorithms use time value matching, where assets that left a chain and arrived at another are matched using the time of transfer and the value of the transfer.
The most challenging scenario is where none of those techniques can be used. For instance, asset transfers to the Bitcoin Lightning Network from Ethereum can be opaque. In such cases, cross-bridge transactions can be treated like those into mixers and the dark web, and will generally be flagged by the algorithm due to the lack of transparency.
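The time-value matching and the fallback for opaque transfers described above can be sketched as follows. This is an added example, not Elliptic's algorithm; the event fields, the 30-minute window, the 1% fee tolerance and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeEvent:
    tx_id: str
    chain: str
    timestamp: int  # unix seconds
    value: int      # smallest unit of the bridged asset

def match_bridge_transfers(departures, arrivals, max_delay=1800, max_fee_bps=100):
    """Pair each departure with the single arrival that fits time and value.

    A departure with no fitting arrival, or with more than one, stays
    unresolved and is handled like an opaque transfer (flagged for review).
    """
    matched, unresolved, used = {}, [], set()
    for dep in sorted(departures, key=lambda e: e.timestamp):
        tolerance = dep.value * max_fee_bps // 10_000  # allowance for bridge fees
        candidates = [
            arr for arr in arrivals
            if arr.tx_id not in used
            and arr.chain != dep.chain
            and 0 <= arr.timestamp - dep.timestamp <= max_delay
            and 0 <= dep.value - arr.value <= tolerance
        ]
        if len(candidates) == 1:
            matched[dep.tx_id] = candidates[0].tx_id
            used.add(candidates[0].tx_id)
        else:
            unresolved.append(dep.tx_id)
    return matched, unresolved

# Constructed sample events: assets leaving Polygon and arriving on Ethereum.
DEPARTURES = [
    BridgeEvent("dep1", "polygon", 1000, 1_000_000),
    BridgeEvent("dep2", "polygon", 2000, 500_000),
    BridgeEvent("dep3", "polygon", 3000, 750_000),
]
ARRIVALS = [
    BridgeEvent("arr1", "ethereum", 1300, 998_000),  # fits dep1 only
    BridgeEvent("arr2", "ethereum", 2100, 499_500),  # fits dep2 ...
    BridgeEvent("arr3", "ethereum", 2200, 499_800),  # ... and so does this one
]

if __name__ == "__main__":
    print(match_bridge_transfers(DEPARTURES, ARRIVALS))
```

Only dep1 is linked across chains; dep2 is ambiguous and dep3 has no arrival, so both remain unresolved rather than being guessed at.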
Smart contract screening
Smart contract screening is another crucial area to protect decentralized finance (DeFi) users. Here, smart contracts are checked for links to illicit activities that institutions must be aware of.
This is perhaps most relevant for hedge funds wanting to participate in liquidity pools in a DeFi solution. It is less important for banks at this point, as they generally do not participate directly in DeFi activities. However, as banks get involved with institutional DeFi, smart contract-level screening would become extremely critical.
VASP due diligence
Exchanges are classed as virtual asset service providers (VASPs). Due diligence will look at the exchange’s overall exposure based on all addresses associated with the exchange.
Some AML vendor platforms provide a view of risk based on the country of incorporation, Know Your Customer requirements and, in some cases, the state of financial crime programs. Unlike previous capabilities, VASP checks involve both on-chain and off-chain data.
AML and on-chain analytics is a fast-evolving space. Several platforms are working toward solving some of the most complex technology problems that would help institutions safeguard their client assets. Yet, this is a work in progress, and much needs to be done to have robust AML controls for digital assets.