Uncover the story behind the 'Biggest Heist Ever' — a gripping new Netflix documentary! Watch the trailer.

Rate of Illicit Activity at Crypto ATMs is Double That of Overall Crypto Industry

TRM InsightsInsights
Rate of Illicit Activity at Crypto ATMs is Double That of Overall Crypto Industry
  • German authorities seize 13 Bitcoin ATMs and about USD 280,000 in a nationwide operation
  • According to TRM, crypto ATMs have processed at least USD 160 million in illicit volumes since 2019. Last year, illicit volumes in the cash-to-crypto industry stood at 1.2% of total volume, double the 0.63% for the overall crypto ecosystem.
  • According to TRM, in 2023, over USD 30 million went to known scam addresses via cash-to-crypto services
  • Law enforcement and regulators globally are leveraging blockchain intelligence to investigate fraud and financial crime involving crypto ATMs

{{horizontal-line}}

German authorities, led by the Federal Financial Supervisory Authority (BaFin), recently announced the seizure of 13 Bitcoin ATMs across the country that were operating without the required licenses. The multi-agency operation, which spanned 35 locations, also involved Germany’s central bank, the Federal Criminal Police Office, and other local law enforcement agencies. In addition to the seizure of the ATMs, authorities confiscated EUR 250,000 (USD 279,000) in cash.

BaFin stated that the ATMs were in violation of Germany’s Banking Act, as they facilitated the exchange of fiat currency for digital assets without the necessary licenses from financial market authorities. The regulator warned other operators against running similar unlicensed machines, emphasizing the risk of these ATMs being used for criminal activities if proper KYC (know your customer) and AML (anti-money laundering) protocols are not followed. 

Crypto ATMs can be vulnerable to fraud and money laundering

Germany’s recent ATM crackdown is not an isolated incident, as law enforcement and regulators globally have been concerned about the use of crypto kiosks for scams and other illicit activity. According to TRM’s analysis, the cash-to-crypto industry—which is dominated by crypto ATMs—has processed at least USD 160 million in illicit volumes since 2019. Last year, illicit volumes in the cash-to-crypto industry stood at 1.2% of total volume, double the 0.63% for the overall crypto ecosystem. 

While illicit actors look to cryptocurrencies to move funds faster cross-border, crypto ATMs face additional money laundering vulnerabilities due to the use of cash and lack of face-to-face communication or account open controls. As with any virtual asset service provider, proper compliance infrastructure is critical in addressing the risks. In addition, TRM analysis shows that the vast majority of illicit transactions going through cash-to-crypto services are linked to scams and fraud: In 2023, 79% of all cash-to-crypto illicit volume, over USD 30 million, went to known scam and fraud addresses.

Typically, on-chain activity of ATM-based fraud schemes shows a litany of ATM transactions, which can span geographic borders and service providers, benefitting fraudster aggregation addresses. Investigators can use blockchain intelligence to both trace and freeze the proceeds of the fraud schemes, and even trace backwards to identify unknown victims.

A typical ATM-based fraud scheme shows ATM addresses (green within circle), sending crypto to fraudster-controlled aggregation addresses (red), then ultimately to fraudster-controlled cash out addresses (purple)

BaFin’s action is part of a broader trend, with similar crackdowns occurring in other countries. For instance, the UK’s Financial Conduct Authority (FCA) shut down 26 illegal or crime-associated Bitcoin ATMs in 2023, leading to a 90% reduction in the number of active machines in the country. And in 2023, in Ohio in the United States, over 50 Bitcoin of America ATMs were seized across Cuyahoga and Lorain counties as part of an investigation into money laundering.

Crypto ATMs can be attractive tools for scammers

Crypto ATMs are the most popular cash-to-crypto service. These terminals allow customers to insert banknotes, buy crypto, and then send it directly to a wallet without needing an exchange—or even a bank account. Crypto ATMs give individuals without access to banking or crypto exchanges a means to convert cash to crypto. And they can help drive financial inclusion by providing access to crypto for those who may not be able to otherwise access the crypto ecosystem—particularly useful for migrant workers sending remittances home. However, the speed of transfer can make them an appealing payment method for scammers.

According to the Internet Crime Complaint Center (IC3), a cybercrime reporting hub run by the FBI, there were over 15,000 complaints involving digital asset scams from individuals aged 60 and above last year, with total losses exceeding USD 1 billion. Of these, 2,000 involved Bitcoin ATMs.

Cash-to-crypto services are not associated with any one particular type of scam. Instead, they are used by perpetrators of romance scams, investment scams, impersonation scams, and others as neutral platforms enabling payment by victims.

A scam warning and checklist on RockItCoin

The range of scam warnings displayed prominently on all of these kiosks suggests that crypto ATM companies are aware of the potential risks of scams that might occur via their machines. Yet, despite warnings and compliance controls, TRM Labs research shows that cash-to-crypto services remain susceptible to illicit activity. 

A common red flag for investigators

An analysis of crypto ATM transaction data from over 300 different ATM companies across 56 countries, together with other proprietary sources, revealed a recurring pattern that could be used by authorities and compliance teams to identify suspicious activity: multiple payments sent from different ATM companies—often located in different countries—to a single address. 

One reason this activity raises a red flag is that most ATM companies ask the sender of the funds to be the owner of the destination wallet address. These rules are designed to reinforce the intended use of the machines for personal finance and prevent abuse by unidentified third parties. It’s possible to see when these rules are being violated thanks to a key characteristic of crypto ATMs: Unlike web browsers, transaction location data cannot be spoofed by using a VPN. Thus, if a device is based in a particular country, the transactions from that device can reliably be said to have occurred in that country. When a single address receives multiple deposits from different ATMs in various locations, often within moments of each other, it suggests that user(s) are not complying with these rules. 

TRM graph: A single exchange address receiving funds from 40 different cash-to-crypto services ATMs located all over North America

In the TRM graph shown above, a single exchange address received funds from 40 different cash-to-crypto services ATMs located all over North America. The same address was reported in multiple public reports and investigations as being used by scammers as an aggregator and off-ramp for stolen funds. In this case, the significant number of transfers from multiple cash-to-crypto service locations to the same address served as the trigger for investigators to identify the suspicious destination address. 

Law enforcement and regulators take action against the use of ATMs for money laundering

While the US remains the home of about 31,893 Bitcoin ATMs today—by far the most in the world— regulatory actions have forced over 1,000 machines offline since May 2024.

For example, Ian Freeman, a libertarian activist and operator of a Bitcoin ATM network, was sentenced on October 2, 2023 to 96 months (eight years) in federal prison after being convicted at trial of multiple charges—including operating an unlicensed money transmitting business and money laundering. Freeman and his associates were accused of running a business that allowed customers to exchange fiat currency for Bitcoin without adhering to AML regulations. This business facilitated transactions for criminals involved in various illegal activities, including drug trafficking and fraud.

The US Department of Justice (DOJ) charged Freeman with operating an unlicensed money transmitting business, money laundering, and wire fraud. The authorities argued that Freeman and his co-conspirators intentionally avoided registering their business with the Financial Crimes Enforcement Network (FinCEN), failed to implement required KYC procedures, and knowingly processed transactions for scammers and criminals, earning substantial profits while turning a blind eye to illegal activity.

In addition to the sentence, the Court—in an unprecedented move—ordered restitution to victims, amounting to more than USD 3.5 million, even though Freeman was not directly involved in the fraudulent activity itself. Read TRM’s case study of the Freeman case, and watch interviews with the US Attorney for the District of New Hampshire and the trial attorney on the case, here.

ATM expansion in Australia and what comes next 

While it’s too early to predict the outcome of BaFin’s enforcement activity or whether other European regulators will address similar concerns, the number of crypto ATMs operating within Germany will likely decrease, mirroring behavior seen post-enforcement in Singapore and the UK. Germany currently has over 175 crypto ATMs in use, ranking them seventh globally on ATM adoption—one of only four countries in the top ten that grew their number of active kiosks in the last year. 

The most significant expansion of the cash-to-crypto industry over the last few years has been in the Southern Hemisphere. Australia has seen a 17x increase in their number of kiosks over the last 24 months, and New Zealand has gone from zero kiosks to 157 in the last 12 months—now ranking ninth globally. With Australia now the third largest market for crypto ATMs, Australian authorities have identified crypto ATMs as a money laundering vulnerability.

Whether the number and use of crypto kiosks grows or contracts, one of the strengths of cryptocurrency is the ability to follow the flow of funds on-chain and share information across networks—such as Chainabuse—in near real-time. 

TRM is working to hinder the ability of scammers to launder and cash out the proceeds of these exploits by identifying patterns and surfacing wallet addresses known to be associated with cash-to-crypto scams in our compliance and forensics tools—used by crypto platforms, financial institutions, and law enforcement agencies to detect and investigate scams and other illicit activity, including money laundering, hacks, and sanctions evasion.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No items found.