Compliance blind spots: cash-to-crypto risks

Key takeaways

• Crypto crime data has a structural blind spot. Most blockchain analytics tools only capture crimes that begin on-chain. When cash changes hands at an informal crypto desk, the illicit origin never appears in the data — meaning annual crypto crime reports significantly undercount real-world financial crime.

• Informal cash-to-crypto markets operate almost entirely outside compliance frameworks. Peer-to-peer crypto desks — many of which evolved from hawala and foreign exchange networks — handle billions in volume with no KYC, no registration, and no suspicious transaction reporting. FATF’s regulatory focus on licensed exchanges leaves these networks largely unaddressed.

• State-sponsored laundering operations are outpacing law enforcement. North Korea’s Lazarus Group has stolen an estimated $3B+ in crypto since 2017, with the $1.5B Bybit heist a recent example. After enforcement actions against Tornado Cash, DPRK shifted to loosely regulated OTC networks and scam-compound infrastructure — a laundering model that moves faster than current detection can keep pace.

• Token creation is a growing and underappreciated threat vector. The barrier to issuing new crypto tokens has dropped dramatically, enabling sanctioned states and criminal organizations to create financial instruments faster than compliance lists can be updated. Effective screening must go beyond established sanctions designations to examine issuers, jurisdictions, and transaction patterns.

• Compliance frameworks must be built for informal and emerging markets, not just regulated Western institutions. Red flags calibrated for Western financial behavior don’t transfer to markets where informal finance is the norm. Without geographic and cultural context built into compliance models, the highest-risk activities will continue to go undetected.

Following the publication of Crystal’s research into cash-to-crypto networks, published by both the New York Times and the International Consortium of Journalists, Crystal Intelligence brought together experts from financial crime investigation, journalism, and policy to discuss what crypto compliance is missing.

The main takeaway for compliance teams, regulators, and financial crime investigators was that the field is focused on regulated institutions that are relatively easy to monitor, while informal networks that handle billions in annual volume operate almost entirely out of sight.

The panel discussion was moderated by Crystal’s Chief Intelligence Officer, Nick Smart, and included:

• Geoff White, the award-winning investigative journalist and podcaster, and author of ‘Rinsed,’
• and Tom Keatinge, the founding director at the Centre for Financial Crime and Security at the Royal United Services Institute (RUSI).

Several polls were conducted during the discussion, with illuminating results.

Poll #1: Most respondents were concerned by unlicensed service provider activity and the risks associated with decentralized exchanges (56% and 54% respectively).

The limits of crypto crime statistics

The panel began the discussion by weighing the merits of the annual crypto crime report. While they agreed that these are useful, they have a structural problem: most blockchain analytics tools capture only crimes that start on-chain. When street-level drug cash gets handed to an informal crypto desk, there’s no blockchain record of where the money came from. The illicit origin never appears in the data.

Blockchain tracing is also retrospective by nature – wallets get attributed to criminal activity after investigation, often long after the funds have moved. Tom pointed out that the industry doesn’t have reliable benchmarks: the IMF’s 2–5% of global GDP figure for illicit finance has sat unchanged for some years, not because crime leveled off, but because measurement hasn’t kept pace.

Geoff added that larger headline numbers may actually dull public response rather than sharpen it. A specific person, a specific crime, and a specific amount of money are more relatable than aggregated, huge numbers.

For compliance teams, annual reports are an appreciated barometer, but not a conclusive health check.

Poll #2: An overwhelming 85% sought support from analytics service providers’ insights.

The informal market and its crypto crime risks

Many cash-for-crypto services are running outside formal regulatory frameworks worldwide. In some regions, many grew out of hawala networks and foreign exchange stalls whose operators simply added crypto to what they already did. They work peer-to-peer, often over mobile phones, with no registration, know-your-customer (KYC), or suspicious-transaction reporting requirements.

These services are often concentrated in emerging economies and developing countries, where they meet real demand: cheap remittances, cross-border payments in markets with limited banking, and a hedge against the collapse of vulnerable local currencies. The Financial Action Task Force’s (FATF) focus on the fiat-to-crypto boundary primarily targets licensed exchanges, while informal desks operate outside that framework.

Crystal Intelligence researchers have been collecting wallet addresses from informal cash desks in cities around the world -essentially, field-level financial investigation. It’s the kind of ground-up mapping that compliance frameworks currently lack a systematic way to do.

North Korea and state-sponsored money laundering via crypto

The Democratic People’s Republic of Korea’s (DPRK) Lazarus Group is a highly capable state-sponsored crypto laundering outfit, and blockchain analytics firms have struggled to keep pace with its methods. The $1.5B theft from Bybit in early 2025 was an event in a campaign estimated to have pulled in over $3B for Pyongyang’s weapons programs since 2017. It is not an outlier – it is the trend.

Early DPRK laundering was heavily carried out through platforms such as Tornado Cash. After US enforcement actions against those services, North Korea shifted to loosely regulated over-the-counter (OTC) networks and exchanges – particularly in China and neighboring countries where crypto operates without a clear legal status.

Stealing $1.5B in crypto means nothing without willing buyers on the other side. Southeast Asian scam compound networks, which already run large-scale crypto flows outside the formal system, provide exactly that market. This overlap means DPRK funds can clear through scam-compound liquidity before either law enforcement or compliance teams have flagged either party.

Meanwhile, Russia is building its own payment rails and exchanges to move money for sanctioned entities, and Iran is issuing sanctioned tokens.

Gray-market OTC desks, peer-to-peer platforms, and newly issued tokens issued in opaque jurisdictions are high-risk exposure points for state-sponsored laundered proceeds. Tracing what the funds are ultimately purchasing, for instance, missile components or other regime operating costs, is more revealing than tracing hops across wallets.

Poll #3: Although 71% of the audience believes they have some level of understanding of the countries in which they are active, only 12% claim an expert understanding of risks.

Token creation as an emerging threat vector in crypto crime

The barrier to creating new crypto tokens has lowered. What once required real technical expertise is now within reach of nearly any role-player, including sanctioned states and criminal organizations.

• Sanctioned entities and tokens: In January 2026, the US Office of Foreign Assets Control (OFAC) sanctioned two digital asset exchanges linked to the Iranian regime’s Islamic Revolutionary Guard Corps. Meanwhile, the EU sanctioned A7A5, a Russian Ruble-backed stablecoin, in October 2025- the first such action in Europe.
• Speed of exploitation: Crypto moves orders of magnitude faster than traditional finance. Schemes that took years to emerge in traditional banking – such as shell banks or layered correspondent relationships – can appear in crypto within weeks.
• Regulatory lag: Legislation tends to address the last crime, not the next one. Compliance teams should treat any new token issued by an opaque or adversarial jurisdiction as warranting scrutiny, whether or not it has been formally flagged.

For compliance teams: Token risk screening must go beyond established sanctions lists. Due diligence on issuers, jurisdictions, and transaction patterns – particularly for tokens linked to Russian, Iranian, or DPRK-connected networks – is now a baseline expectation.

Overregulating the visible, ignoring the informal

Current enforcement concentrates resources on the most visible, cooperative role-players while informal channels operate largely unchecked- a structural mistake that mirrors post-9/11 failures in financial oversight.

• The compliance cost trap: Compliance obligations can put financial pressure on smaller service providers. If compliance becomes economically unviable for them, they may, in fact, start operating outside the regulations.
• Anti-money laundering (AML) theater: The risk of private sector compliance becoming a performance for supervisors rather than a genuine disruption of illicit finance is real. Tom Keatinge argued that the industry must define what it is trying to achieve and work backwards from that, rather than defaulting to frameworks designed decades ago.
• Blockchain tracing dependence: As governments rely more heavily on private blockchain analytics tools, the risk of over-reliance is growing – analogous to how financial institutions deferred to credit rating agencies before the 2008financial crisis. The tracing community should develop internal conduct standards and engage the government before reliance hardens into blind trust.

Cultural and geographic literacy as a compliance requirement

Crypto serves different purposes across markets, and compliance models that ignore this will consistently miss the highest-risk activities.

• In Western Europe and North America, crypto is primarily speculative. In developing countries, it is often a survival mechanism against inflation, currency controls, or exclusion from formal banking.
• Red flags calibrated for Western contexts (income-to-balance ratios, expected account activity) do not transfer cleanly to emerging markets. Compliance teams operating across jurisdictions need market-specific behavioral models.
• Hawala offers a useful model: understanding its cultural role rather than treating it as inherently criminal is exactly how informal crypto networks should be approached – with context and discipline, not reflexive suspicion.

Key recommendations to overcome compliance blind spots

• Absence of flagged activity is not an absence of risk. Analytics surfaces only what it is configured to find.
• Treat informal OTC markets as a research priority. Collecting wallet addresses from cash desks is a practical and useful intelligence tool.
• Treat token issuance as a possible threat vector. Scrutiny should not wait for formal sanctions designation.
• Work backwards from end-use. What illicit entities want to buy is more telling than chasing transaction chains into gray-market liquidity pools.
• Build geographic and cultural context into compliance models. Frameworks built on Western norms will miss high-risk informal activities in markets where informal finance is the norm.
• Set internal standards before regulators impose external ones. Geoff highlighted the social media industry’s failure to self-regulate regarding children under 16 as a cautionary precedent.

Watch the full discussion