Back to Blog

Crypto ATMs Under Global Scrutiny: FinCEN and AUSTRAC Tighten Controls Amid Rising Fraud and Money Laundering Risks

Phalcon Compliance
October 17, 2025
6 min read
Key Insights

Recently, Australia’s Home Affairs Minister Tony Burke officially announced new regulations targeting crypto ATMs, classifying them as "high-risk products" associated with money laundering, fraud, and child exploitation.

According to Burke, the number of crypto ATMs in Australia has surged from just 23 to over 2,000 in six years. An AUSTRAC investigation revealed that 85% of large transactions conducted via these terminals were linked to scams or illicit activities.

The proposed legislation would empower AUSTRAC to restrict or prohibit high-risk products, explicitly including crypto ATMs. Burke confirmed that the bill will be introduced to Parliament in the coming months. AUSTRAC and FinCEN are increasing scrutiny on crypto ATMs due to rising illicit activities. Meanwhile, on August 4, 2025, the U.S. Financial Crimes Enforcement Network (FinCEN) issued notice FIN-2025-NTC1, warning financial institutions of illegal activity tied to Convertible Virtual Currency kiosks (CVC kiosks) — the technical term for crypto ATMs — and setting clear expectations for Suspicious Activity Reports (SARs) and AML compliance obligations.

Understanding CVC Kiosks and Their Exploitation in Financial Crime

CVC kiosks function similarly to traditional ATMs, allowing users to buy or sell cryptocurrency with cash. They are often found in convenience stores, gas stations, and shopping areas, and typically support Bitcoin transactions, along with other cryptocurrencies like Litecoin and Ethereum. A crypto ATM (CVC kiosk) in a public setting, illustrating its accessibility. Yet, their risks have become increasingly apparent, making them prime targets for financial crime and illicit activities. The anonymity and speed of transactions via crypto ATMs pose significant blockchain security challenges.

In 2024, the FBI’s Internet Crime Complaint Center (IC3) received over 10,900 complaints related to crypto ATM fraud, with victim losses exceeding $246.7 million — a 99% surge in cases and 31% increase in losses compared to 2023.

The FTC similarly reported an “explosive rise” in scams involving crypto ATMs.

The reasons are clear: once a crypto transfer is executed, it’s nearly irreversible and instantaneous, unlike traditional bank transfers that can take days to settle. This gives victims virtually no time to recover lost funds. This characteristic, while appealing for legitimate use, is a major facilitator of fraud and money laundering.

Alarmingly, seniors are the main victims — individuals aged 60+ are three times more likely to fall prey to crypto ATM scams, accounting for two-thirds of all reported losses. This demographic is often less familiar with the nuances of blockchain security and the irreversibility of crypto transactions. Graph showing the explosive rise in crypto ATM fraud complaints and victim losses.

Crypto ATMs as Tools for Money Laundering and Organized Crime

Beyond scams, CVC kiosks have become powerful tools for drug cartels and organized crime. Their ability to facilitate anonymous and rapid transactions makes them ideal for money laundering.

FinCEN’s analysis of Bank Secrecy Act (BSA) data shows frequent use of kiosks to clean narcotics proceeds. The U.S. Drug Enforcement Administration (DEA) further confirmed that transnational crime groups like the Jalisco New Generation Cartel (CJNG) increasingly rely on CVC for rapid cross-border transfers that bypass traditional cash smuggling risks. This highlights a critical gap in AML enforcement.

In Illinois, for example, there are 1,626 crypto ATMs, with over 1,100 located in Chicago alone — now a major hub for laundering cartel funds.

DEA investigations found that criminals from other states even travel to Chicago specifically to convert drug money into crypto before sending it overseas. This pattern underscores the global nature of financial crime and the challenges in regulating these decentralized tools.

The Compliance Landscape for CVC Operators

Globally, the number of crypto ATMs has skyrocketed — in the U.S. alone, from 4,128 to 37,342 machines in six years, while Hong Kong SAR has deployed around 224 units, mostly clustered in busy commercial zones like Mong Kok.

However, FinCEN warns that the compliance rate among CVC operators is “alarmingly low.” Many are operating in violation of BSA obligations, dramatically amplifying financial crime risks and undermining blockchain security.

What Legitimate Operators Must Do for AML Compliance

Under the BSA, CVC kiosk operators qualify as Money Services Businesses (MSBs) — meaning operating without registration is equivalent to running a bank without a license. Violators face criminal prosecution. This is a cornerstone of AML regulations.

They must:

  • Register with FinCEN within 180 days of launching operations.
  • Report large or suspicious transactions — filing Currency Transaction Reports (CTR) for cash transactions over $10,000 and Suspicious Activity Reports (SAR) for suspicious activity exceeding $2,000.
  • Maintain records of customer identification and transaction data for at least 5 years. This includes robust KYC (Know Your Customer) procedures.

States like California have gone further, capping daily transaction limits per customer at 💲1,000. In Iowa, the Attorney General sued two operators whose kiosks facilitated over $20 million in fraud. These measures aim to enhance blockchain security and prevent money laundering.

Need Robust AML Solutions for Your Web3 Project?

BlockSec offers advanced on-chain monitoring and compliance tools to detect and prevent illicit activities. Protect your users and ensure regulatory adherence.

Get Started with Phalcon Compliance

Crypto compliance hub for wallet screening and KYT

Try now for free

Widespread Violations and Enforcement Actions Against Crypto ATM Operators

A 2021 New Jersey investigation found that one-third of operators were unregistered with FinCEN. Others ignored KYC requirements, accepting transactions based on phone numbers or email alone — creating ideal conditions for scammers and money laundering.

Some even falsified business registrations, used personal or fake company bank accounts, and structured transactions to evade CTR/SAR thresholds, a practice strictly prohibited under federal law. These actions directly undermine AML efforts and expose users to significant fraud risks. Illustration depicting illegal structuring of transactions to evade regulatory oversight. FinCEN’s notice cites real enforcement examples:

  • Orange County Case (2021): Former bank employee Kais Mohammad operated an unregistered ATM network processing over $25 million, failed to implement AML checks, and was sentenced to 24 months in prison. This case highlights the severe consequences of neglecting compliance and blockchain security protocols.
  • New Hampshire Case (2022): Three operators used fake company accounts for crypto ATM cash deposits and were convicted of wire fraud, facing prison and fines.

Dozens of similar prosecutions have occurred nationwide, with fines reaching millions of dollars and mandatory forfeiture of illegal proceeds. These enforcement actions serve as a stark warning to all operators in the digital asset space regarding the importance of robust AML and compliance frameworks.

Lessons for the Web3 Industry: Prioritizing Compliance and Blockchain Security

While FinCEN and AUSTRAC’s actions appear focused on physical crypto ATMs, they reflect a broader message for the entire Web3 ecosystem: compliance is not optional — it’s existential. From scammers exploiting AML gaps to operators facing prosecution, these cases underscore one truth: “Risk knows no boundaries, and compliance leaves no shortcuts.” This principle is paramount for ensuring blockchain security.

The lesson extends beyond crypto ATMs — to exchanges, DeFi protocols, and payment platforms. As global regulators shift from reactive to proactive enforcement, integrated AML tools and on-chain monitoring solutions, like those offered by BlockSec, are becoming essential infrastructure for digital finance. These tools are crucial for detecting and preventing financial crime and illicit activities.

Web3 innovation should never come at the cost of compliance and blockchain security — and this global crackdown proves it. Proactive measures, including thorough smart contract audits and continuous on-chain monitoring, are vital for any project aiming for long-term sustainability and trust in the digital asset space.

Protect Your Web3 Project from Illicit Activities

BlockSec's comprehensive security solutions, including smart contract audits and real-time on-chain monitoring, help you build a secure and compliant ecosystem.

Explore BlockSec Solutions
Sign up for the latest updates
Building a Secure Stablecoin Payment Network: BlockSec Partners with Morph
Partnership

Building a Secure Stablecoin Payment Network: BlockSec Partners with Morph

BlockSec has partnered with Morph as an official audit partner for the $150M Morph Payment Accelerator. By offering exclusive discounts on smart contract audits and penetration testing, BlockSec provides institutional-grade security to payment builders, ensuring a safe and resilient foundation for the future of global stablecoin payments.

Weekly Web3 Security Incident Roundup | Mar 9 – Mar 15, 2026
Security Insights

Weekly Web3 Security Incident Roundup | Mar 9 – Mar 15, 2026

This BlockSec weekly security report covers eight DeFi attack incidents detected between March 9 and March 15, 2026, across Ethereum and BNB Chain, with total estimated losses of approximately $1.66M. Incidents include a $1.01M AAVE incorrect liquidation caused by oracle misconfiguration, a $242K exploit on the deflationary token MT due to flawed trading restrictions, a $149K exploit on the burn-to-earn protocol DBXen from `_msgSender()` and `msg.sender` inconsistency, and a $131K attack on AM Token exploiting a flawed delayed-burn mechanism. The report provides detailed vulnerability analysis and attack transaction breakdowns for each incident.

Venus Thena (THE) Incident: What Broke and What Was Missed

Venus Thena (THE) Incident: What Broke and What Was Missed

On March 15, 2026, an attacker bypassed the THE (Thena) supply cap on Venus Protocol (BNB Chain) through a donation attack, inflating a collateral position to 3.67x the intended limit and borrowing ~$14.9M in assets. Both sides lost money on-chain: Venus was left with ~$2.15M in bad debt after 254 liquidation bots competed across 8,048 transactions, while the attacker retained only ~$5.2M against a $9.92M investment. This deep dive examines what broke across three lines of defense (exposure limits, collateral valuation, and liquidation) and the monitoring gaps that left months of on-chain warning signals unacted upon.

Start Real-Time AML with Phalcon Compliance

Turn Phalcon Network alerts into actions with Phalcon Compliance. Use verified blockchain intelligence to screen wallets, monitor transactions and investigate risks. This helps you respond quickly and stay compliant in the digital assets ecosystem.

Get Started with Phalcon Compliance
Contact Sales
Phalcon Compliance