When ‘clean’ is not enough


Why exchanges freeze accounts not tainted by crime

When the safety of a digital-asset transaction is at stake, users chiefly worry about avoiding “dirty” funds. Crypto is deemed “dirty” if it is linked to unlawful activity or comes from sanctioned companies or addresses tied to Russian services.

Why do trading platforms block accounts, how can a “clean” transaction still lead to frozen funds, and how deeply do AML systems trace transaction chains? Fedor Ivanov, director of analytics at Shard, explains.

What shapes an exchange’s trust

In recent months our firm has been approached by clients of crypto exchanges whose accounts were blocked without obvious cause. Such freezes usually come with demands to document the source of funds or undergo extra KYC procedures. Convinced that “dirty” crypto is to blame, clients try to pinpoint its source and fault the exchanger or counterparty they received it from. In practice, that is far from always the case.

An exchange’s risk view of a user is shaped not only by the “cleanliness” of the crypto arriving at their address, but by a broader assessment of factors, including registration data. Despite headline daily and monthly limits touted by many platforms, ordinary users often face much tighter practical caps. Your stated deposit/withdrawal limit might be $1m, but large exchanges will still ask for proof of funds. Fail to provide it and the account can be blocked along with all assets. Unlike banks, exchanges may hold funds for a long time, making withdrawals difficult.

Exchanges are financial institutions and, despite the lack of regulation in Russia, they adhere to international standards and scrutinise the quality of their client base. In a recent case a major platform blocked a user after a transfer of more than 100,000 USDT arrived from the address of another well-known exchange. Although the funds were “clean”, the account was frozen. The review showed the client had never run such large transactions before and had only basic verification, despite high stated limits.

The provenance of crypto matters, too. As more exchanges fall under regulatory oversight, they tighten scrutiny of customers and incoming funds. For example, many European services, wary of sanctions evasion, do not accept crypto into accounts of EU residents, Russians and other CIS citizens unless it comes from a large international exchange or a European centralised platform. Such customers are classed as high risk.

The upshot is that any transfer that is not fully “clean” can trigger an account freeze, a demand for extensive documentation and an uncertain outcome. Exchanges err on the side of caution: AML tools are updated constantly, past transactions are re-examined in light of new data, and address labelling is ongoing. An exchange will not assume the risk that funds came from sanctioned entities unknown to its AML system at the moment of transfer. If the payment is transparent—say, from a well-known large exchange—there is no issue; where there are “grey” zones, the client must document the path in detail.

Hence the need to check addresses with AML systems that maintain and update their own databases, rather than reselling third-party data with unknown refresh cycles.

The techniques criminals use

Criminals know blockchain transactions are immutable, and AML services automatically track all known criminal activity. They therefore use various schemes to slip past monitoring. Despite ever-improving defences, they sometimes succeed.

An address that once received “dirty” coins will always be treated as tainted by an AML service. It cannot be fully “cleaned”: transaction data are immutable, even if large amounts of “clean” crypto later pass through. Modern AML tools can tell accidental “dust” from deliberate laundering. Offenders may switch addresses by sending funds to a mixer or a decentralised exchange (DEX), where cleanliness requirements are looser. Some decentralised services still do not perform AML checks. This remains a go-to tactic: funds routed through mixers are hard to trace and are not considered clean, since mixers are inherently dubious sources.

In run-of-the-mill frauds, thieves try to push stolen crypto to a centralised exchange before the wrongdoing becomes public. If they succeed, the crypto is considered laundered: it is swapped into fiat and lands with other exchange clients.

From a labelling standpoint, such funds become “clean”. That is why any incident should be reported not only to the police but also to well-known AML providers. Exchanges and OTC desks that work with them will refuse such funds, making life much harder for wrongdoers.

Can on-chain activity be faked?

On-chain activity cannot be forged, but it can be simulated. Blockchain is transparent, and that openness can be exploited by fraudsters. They use cheap, effective ways to create the illusion of popularity where none exists. Common trust-building ploys include:

  • Sybil attack. Hundreds of wallets are created to simulate token trading, DAO voting and the trappings of an active community. Victims are led to believe they are dealing with genuine, vetted addresses of well-known projects;
  • Wash trading. Used for the same ends. Better known as a way to inflate volumes on decentralised exchanges, it also creates a veneer of activity: the fraudster transacts with himself across services, then shows a supposedly active, high-turnover wallet. This can hide ties to dubious sources and lull victims into complacency.

People tend to trust the crowd. If something looks popular, they subconsciously label it “quality” and “safe”. Newcomers struggle to separate real activity from fakery. Simple metrics—wallet transaction counts or token holder numbers—are easy to rig, while deep chain analysis takes time and expertise.

Why even vetted addresses can feature in dubious transactions

As noted, crypto labelling is fluid. Your vetted counterparty may have received seemingly “clean” crypto from another vetted counterparty, only for an AML provider later to identify more addresses of a sanctioned service—instantly rendering those funds “dirty”.

“Triangle” schemes are common, too, where stolen crypto is sent to a bona fide buyer (or seller). An exchange may then ban that account and your address can end up on blacklists, because the victim will file a police report and pass the wallet data to AML services for labelling.

What can reveal hidden ties in outwardly safe wallets:

  • AML checks. Any counterparty wallet you plan to send funds to—or receive from—should first be screened by an AML service. For large amounts and less-than-transparent sources, use multiple systems for greater assurance;
  • a suspicious chain of transit addresses. If an address was created recently and received funds from another new transit address, which in turn received from yet another, this may indicate an attempt to conceal the true source of crypto;
  • mixer traces and DEX activity. Coins previously routed through mixers, and unusually high activity on decentralised exchanges, do not automatically mean wrongdoing—but the owner should be able to explain such flows clearly;
  • criminal tags in the address history. If coins marked as linked to crime have already hit the address, that is always a red flag;
  • pumped-up on-chain activity. Repetitive, templated transactions: identical amounts, round numbers (for example, exactly 1,000 tokens), rapid shuttling between the same addresses. In any case, do not stop at an AML score—review the wallet’s on-chain behaviour as well.
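
The transit-chain and pumped-up-activity signals from the list above can be computed from a wallet's transfer history. The sketch below is an added example, not part of the original article or any AML provider's method: it measures repeated amounts, round amounts and rapid back-and-forth transfers, and counts fresh transit addresses upstream of a wallet. The tuple layout, the thresholds and the definition of a "transit" address are assumptions, and the transfers are constructed sample data.

```python
from collections import Counter

# Constructed sample transfers: (unix_time, sender, receiver, amount). Not real addresses.
TRANSFERS = [
    (0,      "exch", "src", 5000.0),   # old, established source
    (100000, "src",  "t1",  5000.0),   # fresh transit chain: src -> t1 -> t2 -> W
    (100300, "t1",   "t2",  5000.0),
    (100600, "t2",   "W",   5000.0),
    (101000, "W",    "A",   1000.0),   # templated shuttling between W and A
    (101060, "A",    "W",   1000.0),
    (101120, "W",    "A",   1000.0),
    (101180, "A",    "W",   1000.0),
    (108000, "W",    "shop", 137.42),
]

def templated_metrics(transfers, wallet, window=600, round_unit=100):
    """Shares of repeated amounts, round amounts and quick back-and-forth transfers."""
    own = sorted(t for t in transfers if wallet in (t[1], t[2]))
    if not own:
        return {"repeated": 0.0, "round": 0.0, "shuttle": 0.0}
    n = len(own)
    repeated = Counter(t[3] for t in own).most_common(1)[0][1] / n
    rounded = sum(t[3] % round_unit == 0 for t in own) / n
    # A "shuttle" is a transfer that reverses the previous one within `window` seconds.
    shuttles = sum((a[1], a[2]) == (b[2], b[1]) and b[0] - a[0] <= window
                   for a, b in zip(own, own[1:]))
    return {"repeated": repeated, "round": rounded, "shuttle": shuttles / max(n - 1, 1)}

def transit_chain_depth(transfers, wallet, max_age=3600, max_txs=2):
    """Count consecutive upstream senders that look like fresh pass-through addresses."""
    depth, current, seen = 0, wallet, {wallet}
    while True:
        incoming = sorted(t for t in transfers if t[2] == current)
        if not incoming:
            return depth
        t_in, sender = incoming[0][0], incoming[0][1]   # follow the earliest funding transfer
        history = [t for t in transfers if sender in (t[1], t[2])]
        first_seen = min(t[0] for t in history)
        # Assumed definition of "transit": first seen shortly before it paid, and barely used.
        if sender in seen or t_in - first_seen > max_age or len(history) > max_txs:
            return depth
        seen.add(sender)
        depth, current = depth + 1, sender
```

High values are a prompt for manual review of the wallet's history, not a verdict; as the list notes, the owner may be able to explain such flows.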
