Back to Blog

Money Laundering Examples in Crypto: 3 Real Cases and What They Reveal

Phalcon Compliance
July 17, 2026
6 min read

7,400 ETH routed through a mixer. A 20-hop bridge attack executed in two hours. 151 addresses blacklisted for terrorist financing. These are three real crypto laundering cases, each leaving a permanent on-chain trail. The examples below span mixer-based laundering, a DeFi bridge attack, and stablecoin terrorist financing. Each reveals something specific about how laundering works. Each also shows what compliance systems need to detect.

These examples are drawn from documented enforcement actions, published blockchain research, and on-chain analysis. They are intended for compliance professionals who need more than definitions.


Why Crypto Examples Matter for Compliance Teams

Money laundering examples are not just historical records. They are the training data for compliance intuition. They are the basis on which risk teams build detection logic, set screening thresholds, and decide which address behaviors warrant escalation.

Crypto laundering examples are especially instructive because on-chain transactions are permanently recorded. Unlike cash laundering, which leaves limited documentary evidence, blockchain laundering leaves a full audit trail. The question is not whether evidence exists. The question is whether compliance tools are built to read it.

The DOJ's money laundering overview outlines the statutory framework. The cases below show what that framework encounters in practice.


Example 1: Mixer-Based Laundering (The Tornado Cash Case)

Tornado Cash is a decentralized Ethereum mixer: users deposit ETH in standard increments and withdraw equivalent amounts from a fresh address, breaking the on-chain link between sender and recipient. It became the layering tool of choice for multiple criminal groups before U.S. Treasury sanctioned it in August 2022.

MetaSleuth traced approximately 7,400 ETH (roughly $30 million) through Tornado Cash, mapping fund flows through Kraken, SimpleSwap, and Binance. The case shows why pre-deposit screening is critical. Those 7,400 ETH should never have entered the mixer platform.

Example 1: Mixer-Based Laundering (The Tornado Cash Case)
Example 1: Mixer-Based Laundering (The Tornado Cash Case)

The U.S. Treasury's Tornado Cash sanctions action established that a smart contract, not just an individual, can be sanctioned. Any address that interacts with a sanctioned smart contract after the designation date may itself be implicated.

What this case reveals: Mixer exposure does not always involve direct deposit. Funds can arrive at an exchange having passed through a mixer two or three hops earlier. Cross-chain tracing that follows funds back through their full history, not just the most recent hop, is required to detect mixer exposure.

For additional documented cases involving pig-butchering fraud and the Bybit hack, see our companion pieces What Does Money Laundering Mean? and Money Laundering Meaning.


Example 2: DeFi Bridge Attack (The LI.FI 20-Hop Case)

The LI.FI exploit demonstrates how stolen funds move at machine speed through DeFi infrastructure. In the LI.FI attack, stolen funds were moved across 32 downstream addresses within 2 hours. MetaSleuth traced the longest path to 20 hops deep, with portions flowing into Tornado Cash. (BlockSec, LI.FI attack case study)

Example 2: DeFi Bridge Attack (The LI.FI 20-Hop Case)
Example 2: DeFi Bridge Attack (The LI.FI 20-Hop Case)

Twenty hops in two hours. No manual compliance review operates at that cadence. By the time any human investigator began tracing the funds, the layering was structurally complete.

What this case reveals: DeFi bridge attacks produce layering that is intricate but fully readable on-chain. The funds do not disappear; they move. A tracing tool that supports unlimited hop depth and cross-chain following can reconstruct the full path. The compliance implication is that exchange screening must flag any address that sits within a risk-linked cluster, not just direct counterparties.


Example 3: Stablecoin Laundering and Terrorist Financing (151 Blacklisted Addresses)

Terrorist financing through crypto follows a similar technical pattern to commercial money laundering, but the stakes are different. Asset freezes tied to terrorist financing carry heightened regulatory scrutiny and can trigger broader platform-level reviews.

Example 3: Stablecoin Laundering and Terrorist Financing (151 Blacklisted Addresses)
Example 3: Stablecoin Laundering and Terrorist Financing (151 Blacklisted Addresses)

BlockSec analysis of USDT blacklisting between June 13–30, 2025 found:

  • 151 blacklisted addresses frozen, totaling approximately $86.34 million.

  • 90% of the blacklisted addresses sat on the Tron network.

  • Upstream deposit sources included Binance (20 addresses), OKX (7), and MEXC (7).

  • Hamas-linked wallets were among those frozen.

(BlockSec, USDT terrorist financing analysis)

The FATF Virtual Assets 2025 Update specifically notes a significant uptick in virtual asset fraud and its links to terrorist financing. FATF's updated guidance requires virtual asset service providers (VASPs) to screen for both sanctions exposure and terrorist financing indicators, not just commercial fraud patterns.

For platforms handling USDT at scale, OFAC's guidance on digital currency addresses clarifies that transacting with a blacklisted address, even indirectly, can constitute a sanctions violation under U.S. law.

What this case reveals: The upstream exchange data is particularly important. Twenty of the 151 blacklisted addresses had prior interactions with Binance. Seven each had prior interactions with OKX and MEXC. This does not mean those exchanges were complicit. It means that blacklisted addresses had deposit histories at major platforms. It underscores the importance of continuous monitoring, not just onboarding-time screening.


For a related operational check, BlockSec's USDT Freeze Checker lets compliance teams verify whether a Tron or Ethereum USDT address has been frozen by Tether, which is directly relevant to the kind of blacklisting shown in Example 3.


What These Examples Mean for Your Platform

Three cases. Three different laundering mechanisms. One common thread: every case left on-chain evidence that purpose-built tools could detect.

Case Amount Primary Method Laundering Stage Detection Method Compliance Implication
Tornado Cash network ~$30M traced (MetaSleuth analysis) Mixer deposits, multi-exchange layering Layering Pre-deposit mixer exposure screening Without pre-deposit screening, mixer-linked funds enter the platform and create downstream seizure exposure
LI.FI Bridge Attack Undisclosed 32 addresses, 20-hop chain, cross-chain Layering Deep-hop cross-chain tracing Batch-only screening misses the full layering path; real-time cross-chain tracing is required to reconstruct it
USDT Terrorist Financing 151 addresses blacklisted (Jun 2025) Tron-based USDT, exchange deposits Placement Blacklist monitoring + upstream exchange analysis Processing funds from blacklisted upstream addresses triggers sanctions exposure regardless of hop count

For how AML compliance works in practice for exchanges and VASPs, see AML Compliance for Crypto.

Frequently Asked Questions

Q: If a crypto platform unknowingly processed laundered funds that are later identified, what is the platform's legal exposure?

The platform's liability depends on whether it had a functioning AML program at the time of the transaction. Under FinCEN guidance, platforms that maintained reasonable screening procedures and filed SARs where appropriate may qualify for safe harbor. Platforms that had no AML controls face civil money penalties, which FinCEN has issued in amounts ranging from $1 million to over $100 million in recent enforcement actions. Retroactive remediation does not eliminate past exposure.

Q: Does filing a Suspicious Activity Report (SAR) notify the person or entity being reported?

No. Under 31 U.S.C. § 5318(g)(2), financial institutions are explicitly prohibited from disclosing to the subject of a SAR that a report has been filed. Violating this confidentiality requirement is itself a federal crime. The subject has no legal right to know they were reported, and the institution cannot confirm or deny a SAR's existence if asked.

Q: Can rotating one-time wallet addresses reliably evade on-chain compliance screening?

Not against cluster-based analysis. Blockchain analytics systems group addresses by shared transaction patterns: common inputs, timing correlations, and reuse of deposit addresses. Even if a launderer rotates through hundreds of freshly generated addresses, behavioral clustering can link those addresses to a known entity or risk cluster. The LI.FI attack's 32 downstream addresses were mapped this way within hours of the exploit, despite each address being freshly generated and used only once.

→ Book a Phalcon Compliance demo and watch these three laundering patterns get flagged before settlement — Book a demo

Frequently Asked Questions
Frequently Asked Questions

Start Real-Time AML with Phalcon Compliance

Turn Phalcon Network alerts into actions with Phalcon Compliance. Use verified blockchain intelligence to screen wallets, monitor transactions and investigate risks. This helps you respond quickly and stay compliant in the digital assets ecosystem.

Phalcon Compliance