By Atul Krishnan, CAMS | Financial Crime Risk & Compliance | Bank of America
Published: Chainsutra | April 2026
“The blockchain remembers everything — the question is whether compliance teams are listening.”
The Numbers That Should Alarm Every Compliance Professional
In 2025, the cryptocurrency ecosystem lost $4 billion to cybercrime — a record high, up 34% year-over-year. Cross-border crypto fraud now represents 62% of all cases, up from just 34% in 2022. That is nearly double in three years.
99% of documented hacker attacks in 2025 involved multi-stage laundering. Over $2 billion in stolen funds passed through cross-chain bridges — nearly half of all theft proceeds for the year, and three times more than traditional mixers and privacy protocols combined. Since 2022, more than $21 billion has been moved through cross-chain services for illicit purposes — a fivefold increase.
And here is the detail that should keep every VASP compliance officer awake at night: in the second half of 2025, the share of cases where criminals transferred funds directly to an exchange as the first step dropped to zero.
They no longer need exchanges the way they used to. Some are bypassing them entirely.
This is not a future problem. It is happening right now — from Bengaluru to Buenos Aires, from London to Texas. Five cases from the past 30 days alone tell the complete story of how crypto-enabled financial crime has evolved, and what the compliance industry must do to catch up.
Part 1 — The Exit Ramp Problem: India’s Most Infamous Crypto Hacker
On April 22, 2026, the Enforcement Directorate (ED) conducted raids at 12 locations across Bengaluru, targeting premises linked to Congress MLA N A Haris and his family. The investigation centres on Srikrishna Ramesh — known as “Sriki” — one of India’s most notorious cybercriminals.
The alleged modus operandi reads like a textbook on crypto money laundering:
- Placement: Sriki allegedly hacked multiple national and international websites, stealing Bitcoin directly from cryptocurrency exchanges and digital wallets
- Layering: Stolen cryptocurrency was converted to fiat currency through trading platforms, then transferred through multiple bank accounts to obscure the source
- Integration: Proceeds were used for personal gain — and more alarmingly, to finance drug procurement and trafficking, with transactions routed through cryptocurrency channels
The ED is acting under the Prevention of Money Laundering Act (PMLA) 2002, examining financial trails and alleged proceeds of crime involving Virtual Digital Assets (VDAs).
What makes the Sriki case instructive for compliance professionals is not just what he did — it is what the exchange allowed. Stolen Bitcoin was converted to fiat. The exit ramp worked. Somewhere in that transaction chain, a VASP failed to ask the right questions.
Key compliance lesson: A cryptocurrency exchange that processes funds without adequate source-of-funds checks is not just a business — it is an accomplice.
Part 2 — The New Laundering Playbook: From Mixers to Bridges
The Sriki case represents the old model of crypto laundering. The new model is significantly more sophisticated — and significantly harder to detect.
According to Match Systems, an international blockchain forensics firm that has recovered more than $80 million for clients and is currently handling active cases worth over $641 million, the criminal cash-out model has fundamentally shifted.
The new laundering sequence looks like this:
STEAL → BRIDGE → BRIDGE AGAIN → FRAGMENT
→ PRIVACY PROTOCOL → WAIT → FRAGMENT AGAIN
→ THEN APPROACH EXCHANGE
“Attackers are no longer in a hurry,” Match Systems notes in its 2025 analysis. “They patiently break up the sums, switch networks, and use services without public transaction explorers before approaching conversion points.”
Cross-chain bridges — services that allow users to move assets between different blockchain networks — have become the primary tool of choice. In 2025 alone, $2 billion in stolen funds passed through cross-chain bridges, compared to just a fraction of that through traditional mixers.
Why bridges? Because they create what investigators call chain-hopping — a technique that makes forensic tracing exponentially more difficult. Each bridge crossing requires investigators to maintain surveillance across multiple blockchain networks simultaneously, using probabilistic analysis and temporal correlation of transactions.
The FBI has noted that actual crypto crime losses significantly exceed official figures, as many victims never file reports — believing recovery to be impossible.
Match Systems argues this assumption is the industry’s biggest and most dangerous myth.
The $68 Million Recovery: On May 3, 2024, a major crypto holder lost 1,155 WBTC valued at more than $68 million through an address poisoning attack. After engaging Match Systems, investigators located the assets and facilitated their full return within seven days — establishing digital evidence including a device fingerprint that strengthened the victim’s legal position.
“Criminals see the blockchain as an absolute hiding place,” said Ais Dorzhinov, Co-Founder of Match Systems. “In reality, it’s the most detailed public ledger of transaction history ever created. The blockchain remembers everything — you just have to know how to ask the right questions.”
Key compliance lesson: Traditional single-chain transaction monitoring is no longer sufficient. Cross-chain monitoring, temporal correlation analysis, and the “golden hour” response protocol — tagging attacker addresses immediately across all major blockchain explorers — are now baseline requirements for serious VASP compliance.
Part 3 — The Threat You Haven’t Planned For: Approval Phishing
While the industry focused on tracking stolen funds, criminals developed a new attack vector that bypasses theft entirely.
Approval phishing works like this: victims are tricked into granting malicious actors direct access to their cryptocurrency wallets — often through malicious websites or applications that mimic legitimate platforms. The victim does not send funds. They unknowingly hand over the keys.
In Operation Atlantic — a coordinated international law enforcement effort led by the UK’s National Crime Agency (NCA), co-led with the US Secret Service, Ontario Provincial Police, and Ontario Securities Commission — the scale of this threat became clear:
- More than $45 million in suspected criminal proceeds identified
- Over $12 million frozen
- More than 20,000 potential victims identified across multiple jurisdictions
What made Operation Atlantic remarkable was not just its results — it was how it worked. Payward (Kraken), one of the world’s largest cryptocurrency exchanges, participated as an active operational partner:
- Identified clients who may have been impacted and proactively notified them
- Responded to law enforcement data requests
- Deployed team members on-site at NCA London headquarters, working directly alongside investigators
This is what responsible VASP cooperation looks like in practice. Not reactive compliance. Not filing reports after the fact. Actual investigators sitting in law enforcement offices, in real time, helping freeze criminal proceeds.
“Protecting clients and maintaining the integrity of the crypto ecosystem is not just a regulatory obligation,” Payward stated. “It is a core part of how we operate.”
Key compliance lesson: Approval phishing requires a different detection approach from traditional fraud. Since no outgoing transfer is initiated by the criminal, standard transaction monitoring may not trigger. VASPs need wallet permission monitoring, anomalous authorisation detection, and real-time client notification protocols.
Part 4 — Jurisdiction as a Weapon: The $49.4 Million International Rug Pull
On March 15, 2025, Argentine airport police at Ministro Pistarini International Airport in Buenos Aires intercepted a Chinese national attempting to enter the country using falsified Paraguayan documentation. The suspect was wanted on an international warrant issued by Nigerian authorities in connection with a $49.4 million cryptocurrency investment fraud.
The scheme followed a classic Ponzi-to-rug-pull structure:
- Professional marketing materials mimicking legitimate exchanges
- Fabricated performance metrics showing consistent above-market returns
- Artificial testimonials via fake user accounts
- Initial small withdrawals allowed to build trust
- Gradual introduction of complex withdrawal obstacles
- Complete disabling of withdrawal functionality — $49.4 million trapped
Blockchain analysis firms traced portions of the stolen funds through multiple cryptocurrency exchanges and mixing services designed to obscure transaction trails.
The cross-border dimension is what makes this case significant from a compliance perspective. The suspect exploited jurisdictional gaps between countries with differing regulatory frameworks — a strategy that FATF has identified as one of the fastest-growing trends in crypto crime.
FATF Cross-Border Crypto Fraud Data:
| Year | Reported Cases | Estimated Losses | Cross-Border % |
|---|---|---|---|
| 2022 | 4,327 | $2.1B | 34% |
| 2023 | 6,892 | $3.8B | 47% |
| 2024 | 9,451 | $5.6B | 58% |
| Q1 2025 | 2,817 | $1.9B | 62% |
Cross-border crypto fraud reports have increased 187% globally since 2022. The Argentina case was only resolved because Nigerian and Argentine authorities had established cooperation frameworks — frameworks that do not yet exist between many pairs of countries.
Key compliance lesson: VASPs operating across multiple jurisdictions cannot rely on domestic compliance frameworks alone. Cross-border information sharing, FATF Recommendation 16 (Travel Rule) implementation, and proactive engagement with international law enforcement are no longer optional.
Part 5 — The Evolution Beyond Exchanges: When Criminals Stop Needing Exit Ramps
On April 8, 2025, US authorities arrested Dhyey Rakeshkumar Patel, a Gujarati-origin man, moments before he could allegedly collect gold worth $335,000 from a victim’s residence in Texas.
The scheme reveals a chilling evolution in crypto-enabled financial crime:
- Victim contacted by individuals impersonating federal agents
- Victim manipulated into transferring $25,000 in cryptocurrency to “secure” funds under a fake investigation
- Victim instructed to purchase $335,000 in gold
- Field agent dispatched to physically collect the gold from the victim’s home
Crypto → Gold → Physical collection.
No exchange. No fiat off-ramp. No blockchain forensics required. The criminal network had engineered a system that bypasses every VASP control entirely.
The syndicate structure is layered and organised:
- Callers who initiate psychological manipulation
- Handlers who manage digital cryptocurrency transactions
- Field agents who collect physical assets on the ground
Patel faces charges of money laundering exceeding $300,000 — a second-degree felony under Texas law — with additional charges related to transactions between $2,500 and $30,000.
This case represents the logical endpoint of a trend that has been building since 2022. As exchanges improve their AML controls, as blockchain forensics firms get better at tracing cross-chain activity, and as law enforcement cooperation improves — criminals adapt. They find new exit mechanisms. When the digital exit ramp becomes too risky, they build a physical one.
Key compliance lesson: The compliance perimeter is no longer just the exchange. Crypto-to-physical asset conversion — gold, cash, luxury goods — represents a category of layering that falls outside traditional transaction monitoring entirely. Financial intelligence units need to develop specific typologies for physical asset conversion following cryptocurrency transactions.
What VASPs Must Do: A Practitioner’s Checklist
Drawing from all five cases, here is what responsible VASP compliance looks like in 2026:
1. Cross-Chain Transaction Monitoring
Single-chain monitoring is obsolete. VASPs need visibility across Ethereum, Bitcoin, Solana, Tron, and all major chains simultaneously. Bridge transactions must be treated as high-risk by default.
2. Approval Phishing Detection
Monitor for unusual wallet permission grants. Flag authorisations to unknown smart contracts. Implement real-time client notification for suspicious permission activity.
3. The Golden Hour Protocol
When theft is detected, the first hour is decisive. Immediately tag attacker addresses across all major blockchain explorers and AML screening services. Analytical reports prepared with sufficient legal rigor are accepted by compliant exchanges as basis for asset freezes.
4. Proactive Law Enforcement Partnership
Kraken did not wait to be subpoenaed. They deployed staff to NCA headquarters. This is the model. VASPs should establish standing relationships with financial intelligence units before incidents occur — not during them.
5. Physical Asset Conversion Typologies
Develop specific red flags for customers who purchase cryptocurrency followed by unusual cash withdrawals or known gold dealer transactions. The crypto-to-gold pipeline is now a documented laundering typology.
6. Travel Rule Compliance Across Jurisdictions
The Argentina case succeeded partly because of international cooperation frameworks. VASPs must implement FATF Recommendation 16 Travel Rule obligations rigorously — not minimally — to ensure originator and beneficiary information travels with every transaction.
7. Source of Funds at Off-Ramp Points
The Sriki case happened because an exchange processed stolen Bitcoin without adequate source-of-funds verification. Every fiat conversion is a potential exit ramp. Treat it accordingly.
My Take
I work in AML every day — transaction monitoring, high-risk due diligence, sanctions screening across retail, corporate, and correspondent banking portfolios. And what strikes me about these five cases, happening simultaneously across five continents, is how they represent different stages of the same evolutionary pressure.
Regulators tighten. Forensics improve. Law enforcement cooperates. And criminals adapt — from direct exchange deposits, to cross-chain bridges, to approval phishing, to gold deliveries at the front door.
The Sriki case shows what happens when a VASP doesn’t ask enough questions at the exit ramp. Operation Atlantic shows what happens when one does. Match Systems proves that the blockchain, far from being a hiding place, is the most powerful audit trail ever created — if you know how to read it.
The compliance professionals who will define this decade are not the ones who file the most SARs. They are the ones who understand that crypto-enabled financial crime is not a technology problem — it is a human ingenuity problem. And human ingenuity, fortunately, can be matched.
The blockchain remembers everything. Our job is to listen.
Key Terms Glossary
| Term | Definition |
|---|---|
| Approval Phishing | Tricking victims into granting wallet access to criminals |
| Chain-Hopping | Moving funds across multiple blockchains to evade tracing |
| Cross-Chain Bridge | Service enabling asset transfer between blockchains |
| Exit Ramp | Point where crypto is converted to fiat or physical assets |
| Golden Hour | Critical first hour after theft when address tagging maximises blocking probability |
| Micro-Structuring | Breaking large amounts into many small transactions over extended periods |
| PMLA | Prevention of Money Laundering Act (India) |
| Rug Pull | Sudden abandonment of a crypto project by operators, taking investor funds |
| Travel Rule | FATF Recommendation 16 requiring originator/beneficiary info with transfers |
| VASP | Virtual Asset Service Provider — exchanges, wallets, platforms |
| VDA | Virtual Digital Asset — regulatory term used in India |
Atul Krishnan is a CAMS-Certified Financial Crime Analyst with 8+ years of experience in AML, KYC, and sanctions risk. He currently leads Local Screening operations at Bank of America’s High Risk Detection Team. He writes about crypto compliance at Chainsutra.
The views expressed in this article are the author’s own and do not represent the views of Bank of America or any affiliated entity.
