Back to Blog

Crypto ATMs Under Global Scrutiny: FinCEN and AUSTRAC Tighten Controls Amid Rising Fraud and Money Laundering Risks

Phalcon Compliance
October 17, 2025
6 min read
Key Insights

Recently, Australia’s Home Affairs Minister Tony Burke officially announced new regulations targeting crypto ATMs, classifying them as "high-risk products" associated with money laundering, fraud, and child exploitation.

According to Burke, the number of crypto ATMs in Australia has surged from just 23 to over 2,000 in six years. An AUSTRAC investigation revealed that 85% of large transactions conducted via these terminals were linked to scams or illicit activities.

The proposed legislation would empower AUSTRAC to restrict or prohibit high-risk products, explicitly including crypto ATMs. Burke confirmed that the bill will be introduced to Parliament in the coming months. AUSTRAC and FinCEN are increasing scrutiny on crypto ATMs due to rising illicit activities. Meanwhile, on August 4, 2025, the U.S. Financial Crimes Enforcement Network (FinCEN) issued notice FIN-2025-NTC1, warning financial institutions of illegal activity tied to Convertible Virtual Currency kiosks (CVC kiosks) — the technical term for crypto ATMs — and setting clear expectations for Suspicious Activity Reports (SARs) and AML compliance obligations.

Understanding CVC Kiosks and Their Exploitation in Financial Crime

CVC kiosks function similarly to traditional ATMs, allowing users to buy or sell cryptocurrency with cash. They are often found in convenience stores, gas stations, and shopping areas, and typically support Bitcoin transactions, along with other cryptocurrencies like Litecoin and Ethereum. A crypto ATM (CVC kiosk) in a public setting, illustrating its accessibility. Yet, their risks have become increasingly apparent, making them prime targets for financial crime and illicit activities. The anonymity and speed of transactions via crypto ATMs pose significant blockchain security challenges.

In 2024, the FBI’s Internet Crime Complaint Center (IC3) received over 10,900 complaints related to crypto ATM fraud, with victim losses exceeding $246.7 million — a 99% surge in cases and 31% increase in losses compared to 2023.

The FTC similarly reported an “explosive rise” in scams involving crypto ATMs.

The reasons are clear: once a crypto transfer is executed, it’s nearly irreversible and instantaneous, unlike traditional bank transfers that can take days to settle. This gives victims virtually no time to recover lost funds. This characteristic, while appealing for legitimate use, is a major facilitator of fraud and money laundering.

Alarmingly, seniors are the main victims — individuals aged 60+ are three times more likely to fall prey to crypto ATM scams, accounting for two-thirds of all reported losses. This demographic is often less familiar with the nuances of blockchain security and the irreversibility of crypto transactions. Graph showing the explosive rise in crypto ATM fraud complaints and victim losses.

Crypto ATMs as Tools for Money Laundering and Organized Crime

Beyond scams, CVC kiosks have become powerful tools for drug cartels and organized crime. Their ability to facilitate anonymous and rapid transactions makes them ideal for money laundering.

FinCEN’s analysis of Bank Secrecy Act (BSA) data shows frequent use of kiosks to clean narcotics proceeds. The U.S. Drug Enforcement Administration (DEA) further confirmed that transnational crime groups like the Jalisco New Generation Cartel (CJNG) increasingly rely on CVC for rapid cross-border transfers that bypass traditional cash smuggling risks. This highlights a critical gap in AML enforcement.

In Illinois, for example, there are 1,626 crypto ATMs, with over 1,100 located in Chicago alone — now a major hub for laundering cartel funds.

DEA investigations found that criminals from other states even travel to Chicago specifically to convert drug money into crypto before sending it overseas. This pattern underscores the global nature of financial crime and the challenges in regulating these decentralized tools.

The Compliance Landscape for CVC Operators

Globally, the number of crypto ATMs has skyrocketed — in the U.S. alone, from 4,128 to 37,342 machines in six years, while Hong Kong SAR has deployed around 224 units, mostly clustered in busy commercial zones like Mong Kok.

However, FinCEN warns that the compliance rate among CVC operators is “alarmingly low.” Many are operating in violation of BSA obligations, dramatically amplifying financial crime risks and undermining blockchain security.

What Legitimate Operators Must Do for AML Compliance

Under the BSA, CVC kiosk operators qualify as Money Services Businesses (MSBs) — meaning operating without registration is equivalent to running a bank without a license. Violators face criminal prosecution. This is a cornerstone of AML regulations.

They must:

  • Register with FinCEN within 180 days of launching operations.
  • Report large or suspicious transactions — filing Currency Transaction Reports (CTR) for cash transactions over $10,000 and Suspicious Activity Reports (SAR) for suspicious activity exceeding $2,000.
  • Maintain records of customer identification and transaction data for at least 5 years. This includes robust KYC (Know Your Customer) procedures.

States like California have gone further, capping daily transaction limits per customer at 💲1,000. In Iowa, the Attorney General sued two operators whose kiosks facilitated over $20 million in fraud. These measures aim to enhance blockchain security and prevent money laundering.

Need Robust AML Solutions for Your Web3 Project?

BlockSec offers advanced on-chain monitoring and compliance tools to detect and prevent illicit activities. Protect your users and ensure regulatory adherence.

Get Started with Phalcon Compliance

Crypto compliance hub for wallet screening and KYT

Try now for free

Widespread Violations and Enforcement Actions Against Crypto ATM Operators

A 2021 New Jersey investigation found that one-third of operators were unregistered with FinCEN. Others ignored KYC requirements, accepting transactions based on phone numbers or email alone — creating ideal conditions for scammers and money laundering.

Some even falsified business registrations, used personal or fake company bank accounts, and structured transactions to evade CTR/SAR thresholds, a practice strictly prohibited under federal law. These actions directly undermine AML efforts and expose users to significant fraud risks. Illustration depicting illegal structuring of transactions to evade regulatory oversight. FinCEN’s notice cites real enforcement examples:

  • Orange County Case (2021): Former bank employee Kais Mohammad operated an unregistered ATM network processing over $25 million, failed to implement AML checks, and was sentenced to 24 months in prison. This case highlights the severe consequences of neglecting compliance and blockchain security protocols.
  • New Hampshire Case (2022): Three operators used fake company accounts for crypto ATM cash deposits and were convicted of wire fraud, facing prison and fines.

Dozens of similar prosecutions have occurred nationwide, with fines reaching millions of dollars and mandatory forfeiture of illegal proceeds. These enforcement actions serve as a stark warning to all operators in the digital asset space regarding the importance of robust AML and compliance frameworks.

Lessons for the Web3 Industry: Prioritizing Compliance and Blockchain Security

While FinCEN and AUSTRAC’s actions appear focused on physical crypto ATMs, they reflect a broader message for the entire Web3 ecosystem: compliance is not optional — it’s existential. From scammers exploiting AML gaps to operators facing prosecution, these cases underscore one truth: “Risk knows no boundaries, and compliance leaves no shortcuts.” This principle is paramount for ensuring blockchain security.

The lesson extends beyond crypto ATMs — to exchanges, DeFi protocols, and payment platforms. As global regulators shift from reactive to proactive enforcement, integrated AML tools and on-chain monitoring solutions, like those offered by BlockSec, are becoming essential infrastructure for digital finance. These tools are crucial for detecting and preventing financial crime and illicit activities.

Web3 innovation should never come at the cost of compliance and blockchain security — and this global crackdown proves it. Proactive measures, including thorough smart contract audits and continuous on-chain monitoring, are vital for any project aiming for long-term sustainability and trust in the digital asset space.

Protect Your Web3 Project from Illicit Activities

BlockSec's comprehensive security solutions, including smart contract audits and real-time on-chain monitoring, help you build a secure and compliant ecosystem.

Explore BlockSec Solutions
Sign up for the latest updates
Weekly Web3 Security Incident Roundup | Apr 13 – Apr 19, 2026
Security Insights

Weekly Web3 Security Incident Roundup | Apr 13 – Apr 19, 2026

This BlockSec weekly security report covers four attack incidents detected between April 13 and April 19, 2026, across multiple chains such as Ethereum, Unichain, Arbitrum, and NEAR, with total estimated losses of approximately $310M. The highlighted incident is the $290M KelpDAO rsETH bridge exploit, where an attacker poisoned the RPC infrastructure of the sole LayerZero DVN to fabricate a cross-chain message, triggering a cascading WETH freeze across five chains and an Arbitrum Security Council forced state transition that raises questions about the actual trust boundaries of decentralized systems. Other incidents include a $242K MMR proof forgery on Hyperbridge, a $1.5M signed integer abuse on Dango, and an $18.4M circular swap path exploit on Rhea Finance's Burrowland protocol.

The Decentralization Dilemma: Cascading Risk and Emergency Power in the KelpDAO Crisis
Security Insights

The Decentralization Dilemma: Cascading Risk and Emergency Power in the KelpDAO Crisis

This BlockSec deep-dive analyzes the KelpDAO $290M rsETH cross-chain bridge exploit (April 18, 2026), attributed to the Lazarus Group, tracing a causal chain across three layers: how a single-point DVN dependency enabled the attack, how DeFi composability cascaded the damage through Aave V3 lending markets to freeze WETH liquidity exceeding $6.7B across Ethereum, Arbitrum, Base, Mantle, and Linea, and how the crisis forced decentralized governance to exercise centralized emergency powers. The article examines three parameters that shaped the cascade's severity (LTV, pool depth, and cross-chain deployment count) and provides an exclusive technical breakdown of Arbitrum Security Council's forced state transition, an atomic contract upgrade that moved 30,766 ETH without the holder's signature.

Weekly Web3 Security Incident Roundup | Apr 6 – Apr 12, 2026
Security Insights

Weekly Web3 Security Incident Roundup | Apr 6 – Apr 12, 2026

This BlockSec weekly security report covers four DeFi attack incidents detected between April 6 and April 12, 2026, across Linea, BNB Chain, Arbitrum, Optimism, Avalanche, and Base, with total estimated losses of approximately $928.6K. Notable incidents include a $517K approval-related exploit where a user mistakenly approved a permissionless SquidMulticall contract enabling arbitrary external calls, a $193K business logic flaw in the HB token's reward-settlement logic that allowed direct AMM reserve manipulation, a $165.6K exploit in Denaria's perpetual DEX caused by a rounding asymmetry compounded with an unsafe cast, and a $53K access control issue in XBITVault caused by an initialization-dependent check that failed open. The report provides detailed vulnerability analysis and attack transaction breakdowns for each incident.

Start Real-Time AML with Phalcon Compliance

Turn Phalcon Network alerts into actions with Phalcon Compliance. Use verified blockchain intelligence to screen wallets, monitor transactions and investigate risks. This helps you respond quickly and stay compliant in the digital assets ecosystem.

Get Started with Phalcon Compliance
Contact Sales
Phalcon Compliance