
Using FATF (Financial Action Task Force) Indicators and Blockchain Data to Detect Money Laundering

Coinpath
Investigation

The Financial Action Task Force (FATF) has developed a set of red flag indicators that, when combined with Bitquery data APIs and investigation tools like Coinpath®, can be instrumental in detecting suspicious activities.

This article explores how FATF indicators and Bitquery data can be used to detect anomalous transactions in the cryptocurrency ecosystem, particularly focusing on transactions within specific value ranges and patterns.

FATF Red Flag Indicators

FATF has identified several red flag indicators related to transactions, transaction patterns, anonymity, sender/recipient irregularities, and the source of funds. These indicators are crucial for identifying potentially anomalous transaction activity in the virtual asset sector.

Key Indicators

  1. Size and Frequency of Transactions

    • Structuring transactions to avoid record-keeping thresholds (e.g., multiple transactions just below 1 ETH).
    • Multiple high-value transactions in short succession.
    • Incoming transactions from many unrelated wallets followed by a subsequent transfer to another wallet.
  2. Transaction Patterns

    • Large initial deposits inconsistent with customer profiles.
    • Frequent virtual asset-to-fiat currency exchanges at a potential loss.
    • Immediate transfers to multiple virtual asset service providers (VASPs) in different jurisdictions.
  3. Anonymity

    • Use of privacy coins or mixing/tumbling services.
    • Use of decentralized/unhosted wallets to transport virtual assets across borders.
  4. Sender/Recipient Irregularities

    • Multiple accounts under different names to circumvent trading limits.
    • Transactions from non-trusted or suspicious IP addresses.
    • Insufficient KYC information.
  5. Source of Funds

    • Transactions linked to known fraud, extortion, or ransomware schemes.
    • Use of credit/debit cards linked to virtual asset wallets for large fiat withdrawals.

Using Bitquery to Detect Anomalous Transactions

Bitquery provides extensive blockchain information that can be used to detect suspicious transactions based on FATF indicators. By querying specific transaction data, we can identify patterns that align with anomalous transaction behavior.

Transactions Between 0.89 ETH and 0.99 ETH

A common tactic to avoid triggering anti-money laundering (AML) alerts is structuring transactions just below the reporting threshold. This can be identified with the following query, which filters for transactions with a value between 0.89 ETH and 0.99 ETH, right below a 1 ETH threshold that might be flagged:

query MyQuery {
  EVM(network: eth) {
    Transactions(
      where: {
        Transaction: { Value: { ge: "0.89", le: "0.99" } }
        Block: { Date: { after: "2024-03-01" } }
      }
      limit: { count: 1000 }
      orderBy: { descending: Block_Time }
    ) {
      Block {
        Time
        Number
      }
      Transaction {
        From
        Hash
        To
        Value
        ValueInUSD
        Type
      }
      Fee {
        SenderFeeInUSD
        SavingsInUSD
      }
    }
  }
}

This query helps identify transactions that are structured to avoid detection, a key indicator of money laundering.
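A single transfer in the 0.89 to 0.99 ETH band is not suspicious on its own, so the query result still needs triage. The following added example (not Bitquery's code) groups rows shaped like the query's response by sender and alerts only when several in-band transfers cluster in time and add up past the threshold; the 24-hour window, the minimum count and the sample rows are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

THRESHOLD = Decimal("1")                    # the 1 ETH threshold from the article
BAND = (Decimal("0.89"), Decimal("0.99"))   # same band as the query filter
WINDOW = timedelta(hours=24)                # assumption: burst look-back window
MIN_COUNT = 3                               # assumption: transfers needed to alert

# Constructed sample data (time, sender, value in ETH, hash); not real transactions.
_SAMPLE = [
    ("2024-03-05T10:00:00Z", "0xAAA1", "0.95", "0x01"),
    ("2024-03-05T11:30:00Z", "0xaaa1", "0.97", "0x02"),
    ("2024-03-05T13:10:00Z", "0xaaa1", "0.91", "0x03"),
    ("2024-03-05T16:00:00Z", "0xaaa1", "0.99", "0x04"),
    ("2024-03-02T09:00:00Z", "0xbbb2", "0.90", "0x05"),
    ("2024-03-06T09:00:00Z", "0xbbb2", "0.92", "0x06"),
    ("2024-03-11T09:00:00Z", "0xbbb2", "0.94", "0x07"),
    ("2024-03-07T12:00:00Z", "0xccc3", "0.93", "0x08"),
]
# Same nesting as the query response: Block.Time and Transaction.{From,Value,Hash}.
ROWS = [{"Block": {"Time": t}, "Transaction": {"From": f, "Value": v, "Hash": h}}
        for t, f, v, h in _SAMPLE]

def find_structuring(rows, window=WINDOW, min_count=MIN_COUNT):
    """Return one alert per sender whose in-band transfers cluster inside `window`."""
    by_sender = defaultdict(list)
    for row in rows:
        tx, value = row["Transaction"], Decimal(str(row["Transaction"]["Value"]))
        if BAND[0] <= value <= BAND[1]:   # re-check the band client-side
            when = datetime.fromisoformat(row["Block"]["Time"].replace("Z", "+00:00"))
            by_sender[tx["From"].lower()].append((when, value, tx["Hash"]))
    alerts = []
    for sender, txs in sorted(by_sender.items()):
        txs.sort()
        start, best = 0, None
        for end in range(len(txs)):       # sliding window over time-ordered transfers
            while txs[end][0] - txs[start][0] > window:
                start += 1
            burst = txs[start:end + 1]
            total = sum(v for _, v, _ in burst)
            # Alert only when the burst is large enough and adds up past the threshold.
            if len(burst) >= min_count and total > THRESHOLD:
                if best is None or len(burst) > best["count"]:
                    best = {"sender": sender, "count": len(burst), "total": total,
                            "hashes": [h for _, _, h in burst]}
        if best:
            alerts.append(best)
    return alerts
```

In the sample, only the sender with four transfers inside six hours is reported; the sender with three in-band transfers spread over nine days is not.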

Transactions Involving Specific Exchange Wallets

Monitoring transactions involving known exchange wallets, especially those close to value thresholds, can reveal attempts to bypass exchange reporting requirements. The following query targets transactions from/to a specific OKX exchange wallet with values just below the threshold:

{
  EVM(dataset: archive, network: eth) {
    Transactions(
      limit: { count: 100 }
      where: {
        any: [
          {
            Transaction: {
              From: { is: "0xa7efae728d2936e78bda97dc267687568dd593f3" }
            }
          }
          {
            Transaction: {
              To: { is: "0xa7efae728d2936e78bda97dc267687568dd593f3" }
            }
          }
        ]
        Transaction: { ValueInUSD: { ge: "989", le: "999" } }
      }
      orderBy: { descending: Block_Time }
    ) {
      Block {
        Time
        Number
      }
      Transaction {
        Hash
        Cost
        To
        From
        ValueInUSD
        Value
      }
    }
  }
}

This query detects transactions that fall just below the threshold, potentially indicating attempts to circumvent reporting requirements by staying under value limits.

Identifying Top Senders in a Period

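By identifying the top senders over a period, one can detect patterns such as the accumulation of funds from multiple sources into a single wallet, followed by large outflows. The following query identifies the top senders on the Binance Smart Chain (BSC) network, ranking each sending address by the number of distinct recipient addresses it sent to (the senders alias) and excluding the three addresses in the notIn list: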

{
  EVM(dataset: archive, network: bsc) {
    Transactions(
      where: {
        Block: { Date: { after: "2024-03-03" } }
        Transaction: {
          To: {
            notIn: [
              "0x55d398326f99059ff775485246999027b3197955"
              "0x13f4ea83d0bd40e75c8222255bc855a974568dd4"
              "0x10ed43c718714eb63d5aa57b78b54704e256024e"
            ]
          }
        }
      }
      orderBy: { descendingByField: "senders" }
      limit: { count: 200 }
    ) {
      Transaction {
        From
      }
      senders: count(distinct: Transaction_To)
    }
  }
}
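The query above aggregates per sender only. The following added example (not Bitquery's code) goes one step further and checks for the full FATF pattern of incoming transactions from many unrelated wallets followed by a transfer to another wallet, over rows carrying Block.Time and Transaction From, To and Value; the thresholds and the sample rows are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

MIN_SOURCES = 4                     # assumption: distinct senders that count as "many"
SWEEP_WINDOW = timedelta(hours=6)   # assumption: how soon the onward transfer follows
SWEEP_RATIO = Decimal("0.9")        # assumption: share of collected funds moved on

# Constructed sample data (time, from, to, value in ETH); not real addresses.
_SAMPLE = [
    ("2024-03-04T08:00:00Z", "0xa001", "0xC011", "0.4"),
    ("2024-03-04T08:20:00Z", "0xa002", "0xc011", "0.4"),
    ("2024-03-04T09:05:00Z", "0xa003", "0xc011", "0.4"),
    ("2024-03-04T09:40:00Z", "0xa004", "0xc011", "0.4"),
    ("2024-03-04T10:10:00Z", "0xa005", "0xc011", "0.4"),
    ("2024-03-04T11:00:00Z", "0xc011", "0xd357", "1.98"),   # sweep of the pooled funds
    ("2024-03-04T12:00:00Z", "0xb001", "0xe5c0", "1.0"),    # many sources, no sweep
    ("2024-03-04T12:30:00Z", "0xb002", "0xe5c0", "2.0"),
    ("2024-03-04T13:00:00Z", "0xb003", "0xe5c0", "0.5"),
    ("2024-03-04T13:30:00Z", "0xb004", "0xe5c0", "0.7"),
    ("2024-03-04T14:00:00Z", "0xb005", "0xf00d", "1.0"),    # too few sources
    ("2024-03-04T14:10:00Z", "0xb006", "0xf00d", "1.0"),
    ("2024-03-04T15:00:00Z", "0xf00d", "0xd999", "1.99"),
]
ROWS = [{"Block": {"Time": t}, "Transaction": {"From": f, "To": to, "Value": v}}
        for t, f, to, v in _SAMPLE]

def find_collectors(rows):
    """Flag wallets funded by many distinct senders that then forward the pooled value."""
    inflow, outflow = defaultdict(list), defaultdict(list)
    for row in rows:
        tx = row["Transaction"]
        when = datetime.fromisoformat(row["Block"]["Time"].replace("Z", "+00:00"))
        src, dst, value = tx["From"].lower(), tx["To"].lower(), Decimal(str(tx["Value"]))
        inflow[dst].append((when, src, value))
        outflow[src].append((when, dst, value))
    hits = []
    for wallet, ins in sorted(inflow.items()):
        sources = {src for _, src, _ in ins}
        if len(sources) < MIN_SOURCES:
            continue
        last_in = max(when for when, _, _ in ins)
        collected = sum(value for _, _, value in ins)
        for when, dst, value in outflow.get(wallet, []):
            # Fees make the sweep slightly smaller than the inflow, hence the ratio.
            if last_in <= when <= last_in + SWEEP_WINDOW and value >= collected * SWEEP_RATIO:
                hits.append({"wallet": wallet, "sources": len(sources),
                             "collected": collected, "swept": value, "to": dst})
    return hits
```

A wallet with many funding sources and no onward transfer, which is how an exchange deposit address typically looks, is not reported; only the wallet that pools and then forwards the funds is.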

Transactions with Large Initial Deposits

To identify transactions with large initial deposits that are inconsistent with customer profiles, you can use the query below.

{
  EVM(network: eth) {
    Transactions(
      where: {
        Transaction: { ValueInUSD: { ge: "50000" } }
        Block: { Date: { after: "2024-03-01" } }
      }
      limit: { count: 1000 }
      orderBy: { descending: Block_Time }
    ) {
      Block {
        Time
        Number
      }
      Transaction {
        From
        Hash
        To
        Value
        ValueInUSD
        Type
      }
    }
  }
}

Transactions Involving Privacy Coins or Mixing Services

To identify transactions involving privacy coins or mixing/tumbling services, which can obscure the origin of funds, we can use the query below, which includes Tornado Cash/mixing-service addresses in the To filter. You can read more about tracing funds through Tornado Cash here.

query MyQuery {
  EVM(dataset: archive, network: eth) {
    Calls(
      limit: { count: 10 }
      where: {
        Transaction: {
          To: {
            in: [
              "0x910Cbd523D972eb0a6f4cAe4618aD62622b39DbF"
              "0x12D66f87A04A9E220743712cE6d9bB1B5616B8Fc"
            ]
          }
        }
      }
    ) {
      Transaction {
        From
      }
      count
    }
  }
}


Transactions Linked to Known Fraudulent Activities

To identify transactions linked to addresses associated with known fraudulent activities, extortion, or ransomware schemes, list those addresses in the Transaction From filter. Such addresses are flagged on explorers like Bitquery; for example, this address has been labelled Fake_Phishing899, Phish / Hack. In the query below, 0xFraudulentAddress1 and 0xFraudulentAddress2 are placeholders for the flagged addresses.

{
  EVM(network: eth) {
    Transactions(
      where: {
        Transaction: {
          From: { in: ["0xFraudulentAddress1", "0xFraudulentAddress2"] }
        }
        Block: { Date: { after: "2024-03-01" } }
      }
      limit: { count: 1000 }
      orderBy: { descending: Block_Time }
    ) {
      Block {
        Time
        Number
      }
      Transaction {
        From
        Hash
        To
        Value
        ValueInUSD
        Type
      }
    }
  }
}

Utilization of VASPs in High-Risk Jurisdictions

To detect funds originating from or sent to exchanges in high-risk jurisdictions with inadequate AML/CFT regulations, you can find exchange addresses based on the list provided by FATF and use them in the To filter:

{
  EVM(network: eth) {
    Transactions(
      where: {
        Transaction: { To: { is: "0xHighRiskJurisdictionExchangeAddress" } }
        Block: { Date: { after: "2024-03-01" } }
      }
      limit: { count: 1000 }
      orderBy: { descending: Block_Time }
    ) {
      Block {
        Time
        Number
      }
      Transaction {
        From
        Hash
        To
        Value
        ValueInUSD
        Type
      }
    }
  }
}

By employing these queries alongside the FATF red flag indicators, investigators can gain deeper insights into suspicious activities within the cryptocurrency space, helping to uncover and prevent money laundering schemes.

About Bitquery

Bitquery is your comprehensive toolkit designed with developers in mind, simplifying blockchain data access. Our products offer practical advantages and flexibility.

  • APIs - Explore API: Easily retrieve precise real-time and historical data for over 40 blockchains using GraphQL. Seamlessly integrate blockchain data into your applications, making data-driven decisions effortless.

  • Coinpath® - Try Coinpath: Streamline compliance and crypto investigations by tracing money movements across 40+ blockchains. Gain insights for efficient decision-making.

  • Data in Cloud - Try Demo Bucket: Access indexed blockchain data cost-effectively and at scale for your data pipeline. We currently support Ethereum, BSC, Solana, with more blockchains on the horizon, simplifying your data access.

  • Explorer - Try Explorer: Discover an intuitive platform for exploring data from 40+ blockchains. Visualize data, generate queries, and integrate effortlessly into your applications.
