Skip to content
Chimera readability score 0.6394 out of 100, reading level.

The Joint Chiefs of Global Tax Enforcement (J5) would like to bring attention to crypto assets risk indicators that may be indicative of money laundering, cybercrime, tax evasion, and other illicit activities.
The J5, a collaborative partnership among tax authorities and law enforcement from five countries, has identified several risk indicators that financial institutions should be aware of. Risk indicators play a pivotal role in enhancing the ability of financial institutions to detect and report money laundering and illicit activities involving crypto assets. To counteract these risks, timely identification allows institutions to intervene and to report to the relevant authorities contributing to the overall integrity of the financial system and ensure compliance with anti-money laundering (AML) regulations.
Detecting signs of money laundering and tax evasion requires the gathering, analysis and reporting of financial data. By disseminating the risk indicators to the financial institutions, valuable insights from law enforcement can be relayed to the financial sector and reporting agencies. This exchange enhances the abilities of reporting entities to detect and report suspicious activity necessary to disrupt illicit financial flows. While risk indicators may vary and not all are covered, the details in this advisory note are commonly observed.
Identifying Crypto Asset Layering
The following risk indicators involve transactions that are designed to conceal the illicit origin of funds, posing a major risk to the financial sector. Financial institutions should prioritize the detection of layering involving crypto assets, the phase in money laundering where transactions are intentionally made intricate to conceal illicit origin of funds, throughout their relationship with their customers. For example, unusually high volumes with rapid movement of funds between digital wallets, especially across multiple jurisdictions can signal potential layering.
To counteract these risks, financial institutions are advised to reference the following risk indicators and behaviors on evolving money laundering techniques.
– Rapid movement of funds between accounts held at crypto exchanges without apparent business rationale.
– The customer is sending or receiving in volumes inconsistent and larger than expected from private wallet addresses.
– Conversion across different crypto assets exploiting the wide range of digital assets to complicate the tracing of funds.
– The customer is sending/receiving in high volumes from peer-to-peer (P2P) platforms which enables a direct transfer between parties but bypasses traditional financial institutions.
– The customer is sending/receiving from crypto mixers.
– The customer is sending/receiving from gambling platforms.
– A disproportionate amount of the customer’s account activity involves the buying and selling of privacy coins or maintains a large portfolio of privacy coins. These crypto assets are designed for enhanced privacy and are commonly employed to conceal transaction details and the identities of the parties involved.
– The customer is sending/receiving cryptocurrency from darknet marketplaces, fraud shops, or high-risk exchanges.
– High volume and frequency of transfers between different types of crypto assets.
– The customer is transacting in round dollar and/or structured amounts to avoid bank reporting requirements.
– The customer’s cryptocurrency transactions flow through several intermediate addresses in a very short period of time prior to being added to a client’s wallet, or just after being withdrawn.
– The customer transfers Bitcoin in large volumes in exchange for privacy coins.
Geographical Risk Indicators
FIUs need to exercise vigilance when dealing with cryptocurrency transactions tied to jurisdictions known for weak regulatory frameworks, inadequate AML controls, or heightened levels of corruption. The following geographical risk indicators may indicate that there is sending and receiving exposure between high-risk exchanges that lack in customer identity verification measures, transactional due diligence, and legal/regulatory compliance measures, or may be in offshore jurisdictions with a history of tax havens and banking secrecy, or foreign countries known for public corruption.
– Transactions involving exchanges operating out of high-risk jurisdictions identified as non-cooperative for AML purposes.
– Changing IP addresses, which also change telephone providers. This could indicate identity concealment through technology.
– Customer accounts being accessed with IP addresses from high risk-jurisdictions. The shared use of an account or access login from devices tracked to IP addresses in high-risk jurisdictions may indicate that the account is part of a larger network of accounts.
– Crypto addresses that match addresses on recognized watch lists such as the list of the Office of Foreign Assets – Control (OFAC) or law enforcement information.
High Risk Counterparties
Customer counterparties and transaction beneficiaries and senders can serve as significant risk indicators for potential money laundering and illicit activities in the realm of crypto assets. Unusual counterparties, particularly if they involve high-risk entities with obscure ownership structures may warrant closer scrutiny. Moreover, transactions where the beneficiary and sender information is obscured or has multiple layers of intermediaries may be indicative of attempts to conceal the true source or destination of funds. Financial institutions and crypto exchanges should closely monitor their customer’s transactions and parties they engage with in the cryptocurrency space.
– The client’s crypto assets originated from an over-the-counter trade broker that advertises its services as privacy-oriented/anonymous.
– Direct sending and receiving from high-risk crypto exchanges which operate in jurisdictions with inadequate AML and regulatory framework.
– Funds or crypto currencies that are added or withdrawn from crypto addresses or wallet with direct and indirect exposure links to known suspicious sources, including darknet marketplaces, mixing/tumbling services, questionable gambling sites, illegal activities (for example, ransomware) and/or theft reports.
– Interaction with financial institutions or individuals subject to sanctions or based in sanctioned states.
New Client Onboarding Risk Indicators
Robust know your customer (KYC) practices enable crypto asset exchanges to identify potential risks associated with crypto asset transactions and ensure compliance with regulatory measures to strengthen the integrity of the financial system. By collecting and maintaining a comprehensive customer profile, financial institutions and crypto exchanges can verify source of crypto assets and transaction history to better establish a baseline understanding of their clients’ crypto exposure and activities.
– Customer attempts to provide as little identity information as possible, including incomplete or insufficient identification information.
– Company beneficial ownership is difficult to establish.
– Customer is difficult to contact, responds only via email or web chat, and at unusual hours.
– The level or volume of transactional activity is inconsistent with the client’s apparent financial profile, their usual pattern of activities, occupational information, or declared business information.
– Clients who register with the exchange within a short period using a shared address, mobile device, phone number, IP addresses and other common identity indicators.
– The customer’s use of an anonymity-oriented email provider.
– A customer’s crypto address appears on public forums related to illegal activities.
– Carrying out transactions with crypto addresses that are connected to public investigations.
– The customer has access to multiple accounts used to purchase crypto. The account set-up access can also be done as an authorized representative or if the customer carries out the transactions himself.
– The client provides an anonymous email address obtained through an encrypted email service.
– Multiple changes to an account’s contact information that could indicate a customer account takeover.
– Account set up where the client has access to multiple bank accounts and/or other people’s accounts may indicate money mule activity.
– The customer’s email address used in the transaction is linked to advertisements for the sale of crypto assets on P2P exchange platforms. These advertisements may suggest that the client is buying and selling crypto assets on a commercial scale through a business as a non-registered money services business.
– An account number in a country other than the customer’s nationality/residential address. This could indicate that the customer is hiding who the true owner of the account is.
– The client is unwilling or unable to provide supporting information about the source of crypto assets or the reasoning behind holding privacy coins.
Ransomware and Cybercriminal Risk Indicators
Crypto exchanges have an important role to detect and report financial flows related to ransomware and stop ransomware payments, because they are a key point where criminals interact with the legitimate financial system. Cybercriminals use many methods to try and conceal the origin and destination of ransomware payments before the digital currency arrives at the final wallet or bank account under their control. Cybercriminals will use sophisticated methods to try and obscure their flow of funds. These risk indicators are to assist financial institutions in identifying potential bad actors or accounts associated with organizations that perpetrate ransomware and cybercrime.
– The customer’s unusual high usage of privacy coins. Privacy coins are digital currencies that provide enhanced anonymity by obscuring the amount, destination, and origin of transactions.
– The customer’s transactions exhibit chain-hopping. This is where one digital currency is exchanged for another. The digital currency is moved from one blockchain to another, hence the term ‘chain-hopping’.
– The account and customer transact with a mixer. Cybercriminals direct ransomware payments through intermediary digital currency addresses, exchanges, and mixers. Mixers increase anonymity by mixing the customer’s digital currency with the transactions of others before being redirected back to the customer.
– Use of mule accounts. A mule account is created using a stolen or fake identity or, a legitimate account held by another party who is complicit in its use.
– Following an initial large digital currency transfer, a customer has little or no further digital currency activity.
– Customer’s digital currency account is linked to or funded by multiple bank accounts at several different institutions.
– A newly on-boarded customer wants to make an immediate and large purchase of digital currency, followed by an immediate withdrawal to an external digital currency address.

Facts Only

The Joint Chiefs of Global Tax Enforcement (J5) is a collaborative partnership among tax authorities and law enforcement from five countries.
The J5 has identified risk indicators for crypto assets that may signal money laundering, cybercrime, tax evasion, and other illicit activities.
Risk indicators include rapid movement of funds between digital wallets, especially across multiple jurisdictions.
High-volume transactions with private wallet addresses, conversions across different crypto assets, and use of peer-to-peer (P2P) platforms are flagged as suspicious.
Transactions involving crypto mixers, gambling platforms, privacy coins, darknet marketplaces, and high-risk exchanges are highlighted as high-risk behaviors.
Geographical risk indicators include transactions tied to jurisdictions with weak AML controls, high corruption, or offshore tax havens.
High-risk counterparties include over-the-counter trade brokers advertising privacy-oriented services and entities linked to sanctioned individuals or states.
New client onboarding risk indicators include incomplete identification information, use of anonymity-oriented email providers, and transactions linked to public investigations.
Ransomware and cybercriminal risk indicators include unusual use of privacy coins, chain-hopping, and transactions with mixers or mule accounts.
Financial institutions are advised to monitor these behaviors to detect and report suspicious activity.
The J5 aims to enhance collaboration between law enforcement and financial institutions to disrupt illicit financial flows.

Executive Summary

The Joint Chiefs of Global Tax Enforcement (J5), a coalition of tax authorities and law enforcement from five countries, has issued guidance on risk indicators for crypto assets that may signal money laundering, cybercrime, tax evasion, and other illicit activities. The advisory highlights behaviors such as rapid fund movements between digital wallets, use of privacy coins, transactions with high-risk exchanges, and interactions with darknet marketplaces or mixers. Financial institutions are urged to monitor these patterns to enhance detection and reporting of suspicious activity, ensuring compliance with anti-money laundering (AML) regulations. The J5 emphasizes the importance of robust know-your-customer (KYC) practices, particularly during client onboarding, to mitigate risks associated with anonymity and obscure ownership structures. Additionally, the advisory warns of geographical risks tied to jurisdictions with weak regulatory frameworks and high corruption levels, as well as red flags in ransomware-related transactions, such as chain-hopping and the use of mule accounts. The goal is to disrupt illicit financial flows by improving collaboration between law enforcement and financial institutions.
While the indicators provide a framework for identifying potential threats, the J5 acknowledges that not all risk factors are exhaustive and that evolving money laundering techniques require ongoing vigilance. The advisory serves as a tool to bridge the gap between law enforcement insights and the financial sector’s detection capabilities, aiming to strengthen the integrity of the global financial system.

Full Take

The J5’s advisory on crypto asset risk indicators presents a strong case for heightened vigilance in the financial sector, leveraging law enforcement insights to combat illicit activities. The strongest version of this narrative is that it provides a practical framework for financial institutions to identify and report suspicious transactions, thereby strengthening AML compliance and protecting the integrity of the financial system. The advisory is thorough, covering a wide range of behaviors—from layering techniques to geographical risks—and acknowledges the evolving nature of financial crimes.
However, the narrative also reflects a broader paradigm of regulatory control and surveillance, where the burden of detection is placed on financial institutions. This raises questions about the balance between security and privacy, as well as the potential for overreach in monitoring transactions. The advisory’s focus on privacy coins and anonymity tools, while justified by their use in illicit activities, may also inadvertently target legitimate users seeking financial privacy. The assumption that all transactions involving these tools are suspicious could lead to false positives and unnecessary scrutiny.
Historically, this echoes the tension between law enforcement’s need for transparency and individuals’ right to privacy—a debate that has intensified with the rise of digital currencies. The implications for human agency are significant: while the advisory aims to protect the financial system, it also risks eroding trust in crypto assets as a whole, particularly for users in regions with weak banking infrastructure who rely on these tools for financial inclusion.
Bridge questions to consider: How can financial institutions balance the need for security with the protection of legitimate privacy? What safeguards are in place to prevent the misuse of these risk indicators for overreach or discrimination? Would the inclusion of perspectives from crypto advocates or privacy experts change the narrative?
Counterstrike scan: If this were part of a coordinated influence campaign, the playbook might involve amplifying fears of crypto-related crime to justify expanded surveillance powers. However, the J5’s advisory appears to be a genuine effort to address real risks rather than a manipulative tactic. The content aligns with standard law enforcement practices and does not exhibit patterns of distortion or bad faith.
Patterns detected: none

Sentinel — Human

Confidence

The text exhibits some stylometric and structural patterns that could suggest AI assistance, but the domain expertise, regulatory tone, and minor irregularities strongly indicate human authorship, likely from a professional or institutional source.

Signals Detected
low severity: Moderate sentence length variance and some hedging phrases, but not excessive.
medium severity: Structured and fluent, but lacks idiosyncratic emphasis or personal voice typical of human writing.
low severity: List-based format and repetitive structure could indicate template use, but common in regulatory advisories.
low severity: No verifiable claims or suspicious attributions; relies on general risk indicators rather than specific cases.
Human Indicators
Domain-specific terminology and regulatory focus suggest institutional authorship.
Varied sentence structure and occasional phrasing irregularities.
Lacks the 'too perfect' balance or over-hedging typical of AI-generated content.