7,400 ETH routed through a mixer. A 20-hop bridge attack executed in two hours. 151 addresses blacklisted for terrorist financing. These are three real crypto laundering cases, each leaving a permanent on-chain trail. The examples below span mixer-based laundering, a DeFi bridge attack, and stablecoin terrorist financing. Each reveals something specific about how laundering works. Each also shows what compliance systems need to detect.
These examples are drawn from documented enforcement actions, published blockchain research, and on-chain analysis. They are intended for compliance professionals who need more than definitions.
Why Crypto Examples Matter for Compliance Teams
Money laundering examples are not just historical records. They are the training data for compliance intuition. They are the basis on which risk teams build detection logic, set screening thresholds, and decide which address behaviors warrant escalation.
Crypto laundering examples are especially instructive because on-chain transactions are permanently recorded. Unlike cash laundering, which leaves limited documentary evidence, blockchain laundering leaves a full audit trail. The question is not whether evidence exists. The question is whether compliance tools are built to read it.
The DOJ's money laundering overview outlines the statutory framework. The cases below show what that framework encounters in practice.
Example 1: Mixer-Based Laundering (The Tornado Cash Case)
Tornado Cash is a decentralized Ethereum mixer: users deposit ETH in standard increments and withdraw equivalent amounts from a fresh address, breaking the on-chain link between sender and recipient. It became the layering tool of choice for multiple criminal groups before U.S. Treasury sanctioned it in August 2022.
MetaSleuth traced approximately 7,400 ETH (roughly $30 million) through Tornado Cash, mapping fund flows through Kraken, SimpleSwap, and Binance. The case shows why pre-deposit screening is critical. Those 7,400 ETH should never have entered the mixer platform.

The U.S. Treasury's Tornado Cash sanctions action established that a smart contract, not just an individual, can be sanctioned. Any address that interacts with a sanctioned smart contract after the designation date may itself be implicated.
What this case reveals: Mixer exposure does not always involve direct deposit. Funds can arrive at an exchange having passed through a mixer two or three hops earlier. Cross-chain tracing that follows funds back through their full history, not just the most recent hop, is required to detect mixer exposure.
For additional documented cases involving pig-butchering fraud and the Bybit hack, see our companion pieces What Does Money Laundering Mean? and Money Laundering Meaning.
Example 2: DeFi Bridge Attack (The LI.FI 20-Hop Case)
The LI.FI exploit demonstrates how stolen funds move at machine speed through DeFi infrastructure. In the LI.FI attack, stolen funds were moved across 32 downstream addresses within 2 hours. MetaSleuth traced the longest path to 20 hops deep, with portions flowing into Tornado Cash. (BlockSec, LI.FI attack case study)

Twenty hops in two hours. No manual compliance review operates at that cadence. By the time any human investigator began tracing the funds, the layering was structurally complete.
What this case reveals: DeFi bridge attacks produce layering that is intricate but fully readable on-chain. The funds do not disappear; they move. A tracing tool that supports unlimited hop depth and cross-chain following can reconstruct the full path. The compliance implication is that exchange screening must flag any address that sits within a risk-linked cluster, not just direct counterparties.
Example 3: Stablecoin Laundering and Terrorist Financing (151 Blacklisted Addresses)
Terrorist financing through crypto follows a similar technical pattern to commercial money laundering, but the stakes are different. Asset freezes tied to terrorist financing carry heightened regulatory scrutiny and can trigger broader platform-level reviews.

BlockSec analysis of USDT blacklisting between June 13–30, 2025 found:
-
151 blacklisted addresses frozen, totaling approximately $86.34 million.
-
90% of the blacklisted addresses sat on the Tron network.
-
Upstream deposit sources included Binance (20 addresses), OKX (7), and MEXC (7).
-
Hamas-linked wallets were among those frozen.
(BlockSec, USDT terrorist financing analysis)
The FATF Virtual Assets 2025 Update specifically notes a significant uptick in virtual asset fraud and its links to terrorist financing. FATF's updated guidance requires virtual asset service providers (VASPs) to screen for both sanctions exposure and terrorist financing indicators, not just commercial fraud patterns.
For platforms handling USDT at scale, OFAC's guidance on digital currency addresses clarifies that transacting with a blacklisted address, even indirectly, can constitute a sanctions violation under U.S. law.
What this case reveals: The upstream exchange data is particularly important. Twenty of the 151 blacklisted addresses had prior interactions with Binance. Seven each had prior interactions with OKX and MEXC. This does not mean those exchanges were complicit. It means that blacklisted addresses had deposit histories at major platforms. It underscores the importance of continuous monitoring, not just onboarding-time screening.
For a related operational check, BlockSec's USDT Freeze Checker lets compliance teams verify whether a Tron or Ethereum USDT address has been frozen by Tether, which is directly relevant to the kind of blacklisting shown in Example 3.
What These Examples Mean for Your Platform
Three cases. Three different laundering mechanisms. One common thread: every case left on-chain evidence that purpose-built tools could detect.
| Case | Amount | Primary Method | Laundering Stage | Detection Method | Compliance Implication |
|---|---|---|---|---|---|
| Tornado Cash network | ~$30M traced (MetaSleuth analysis) | Mixer deposits, multi-exchange layering | Layering | Pre-deposit mixer exposure screening | Without pre-deposit screening, mixer-linked funds enter the platform and create downstream seizure exposure |
| LI.FI Bridge Attack | Undisclosed | 32 addresses, 20-hop chain, cross-chain | Layering | Deep-hop cross-chain tracing | Batch-only screening misses the full layering path; real-time cross-chain tracing is required to reconstruct it |
| USDT Terrorist Financing | 151 addresses blacklisted (Jun 2025) | Tron-based USDT, exchange deposits | Placement | Blacklist monitoring + upstream exchange analysis | Processing funds from blacklisted upstream addresses triggers sanctions exposure regardless of hop count |
For how AML compliance works in practice for exchanges and VASPs, see AML Compliance for Crypto.
Frequently Asked Questions
Q: If a crypto platform unknowingly processed laundered funds that are later identified, what is the platform's legal exposure?
The platform's liability depends on whether it had a functioning AML program at the time of the transaction. Under FinCEN guidance, platforms that maintained reasonable screening procedures and filed SARs where appropriate may qualify for safe harbor. Platforms that had no AML controls face civil money penalties, which FinCEN has issued in amounts ranging from $1 million to over $100 million in recent enforcement actions. Retroactive remediation does not eliminate past exposure.
Q: Does filing a Suspicious Activity Report (SAR) notify the person or entity being reported?
No. Under 31 U.S.C. § 5318(g)(2), financial institutions are explicitly prohibited from disclosing to the subject of a SAR that a report has been filed. Violating this confidentiality requirement is itself a federal crime. The subject has no legal right to know they were reported, and the institution cannot confirm or deny a SAR's existence if asked.
Q: Can rotating one-time wallet addresses reliably evade on-chain compliance screening?
Not against cluster-based analysis. Blockchain analytics systems group addresses by shared transaction patterns: common inputs, timing correlations, and reuse of deposit addresses. Even if a launderer rotates through hundreds of freshly generated addresses, behavioral clustering can link those addresses to a known entity or risk cluster. The LI.FI attack's 32 downstream addresses were mapped this way within hours of the exploit, despite each address being freshly generated and used only once.
→ Book a Phalcon Compliance demo and watch these three laundering patterns get flagged before settlement — Book a demo




