Cryptocurrency Wallets

Applications or devices that store cryptographic keys and enable the management and transfer of virtual assets, including self-hosted and multi-signature configurations. They provide users with direct control of their digital holdings and facilitate secure transactions.

Code: IN0020
Name: Cryptocurrency Wallets
Version: 1.0
Category: Crypto & Other Digital Tokens
Created: 2025-03-12
Modified: 2025-04-02

Related Techniques

T0005
  • Criminals use newly created or unhosted wallets for each chain hop, ensuring no straightforward KYC linkage and fragmenting the transactional history.
  • Deposits and withdrawals from these wallets appear as distinct on-chain events, requiring cross-referencing of multiple wallet addresses and bridging contracts.
  • Rapid, pseudonymous wallet creation and disposal on different blockchains allow repeated layering of funds, reducing visibility into the ultimate beneficiary.
  • Criminals utilize multiple self-hosted (unhosted) wallets across different chains to send and receive bridged assets, avoiding centralized exchange scrutiny.
  • Limited or no KYC on these wallets aids in creating multiple layers of transactions, particularly when bridging tokens among various blockchains in rapid succession.
  • By keeping private keys under their exclusive control, criminals ensure the cross-chain flow remains outside typical regulatory oversight, concealing the definitive source or beneficiary of illicit proceeds.
T0011.002
  • Mules transfer newly acquired cryptocurrency from ATMs into external wallets, often self-hosted, which typically lack rigorous KYC checks.
  • This arrangement further distances the illicit funds from their origin, making it difficult for authorities to trace subsequent transfers or identify ultimate beneficiaries.
  • Criminals store illicit proceeds in cryptocurrency wallets, omitting or underreporting capital gains or mining income in tax submissions.
  • Conversion between multiple wallets and currencies obscures the transaction trail, undermining attempts by tax authorities to reconcile reported figures with blockchain records.
  • Lack of clear regulatory oversight in certain jurisdictions aids in misstating or ignoring crypto-related earnings.
  • Criminals access self-hosted or exchange-provided wallets behind anonymizing proxies, which block accurate IP attribution.
  • Automated risk engines that rely on location or device consistency are circumvented by frequent changes of Tor exit nodes or VPN servers.
  • This consistent obfuscation frustrates wallet activity monitoring and thwarts the correlation of addresses to specific individuals.
  • VPN usage conceals the wallet user’s actual IP address, making it appear as if the wallet is accessed from a permissible or low-risk region.
  • This deception hinders monitoring efforts that rely on geographic patterns or IP-based risk assessments, complicating the identification of suspicious wallet activity.
  • Criminals can funnel or layer illicit funds through multiple wallet addresses across VPN endpoints, increasing anonymity and impeding investigators’ ability to trace the true origin of transactions.
  • Criminals establish and log in to self-hosted wallets on unsecured hotspots, repeatedly switching networks to mask device and IP consistency.
  • This practice defeats routine location-based analytics and complicates attempts to follow wallet ownership or usage patterns across multiple transactions.
T0015.005
  • By accessing wallets through an Onion over VPN connection, criminals obscure the IP addresses used to log in or sign blockchain transactions. This thwarts platforms and investigators that rely on network metadata to identify suspicious account usage.
  • Such layering of anonymizing services also inhibits link analysis tying multiple wallet activities back to a common user, thereby complicating AML compliance and investigative efforts.
  • Criminals funnel newly minted coins directly into self-hosted or lightly regulated wallets, reducing any traceable link to the original illicit funds used to finance mining operations.
  • These wallets often require minimal or no identity verification, allowing criminals to hold and transfer freshly mined crypto assets across borders with limited oversight.
  • By storing illicit proceeds in such wallets, criminals obscure the source of funds and complicate investigators’ ability to connect the mined cryptocurrency to its illicit origin.
T0020.001
  • Criminals route newly mined coins directly into wallets under their control, often in separate jurisdictions, to evade KYC requirements.
  • These funds can be repeatedly transferred across multiple wallets, further distancing them from the original illicit source and hindering investigators' tracing efforts.

High-throughput wallet clusters generate and abandon addresses in bulk, letting scripts cycle funds through fresh keys every few seconds to frustrate clustering algorithms.

  • Criminals leverage self-hosted (non-custodial) wallet applications to maintain full control over private keys, bypassing KYC checks typically required by custodial services.
  • Because there is no central authority to freeze or monitor the wallet, illicit actors can move funds across borders with reduced scrutiny, complicating attempts by regulators or law enforcement to trace transactions or identify beneficiaries.
  • The pseudonymous nature of these wallets enables layering and obfuscation of fund sources, as transfers can occur rapidly between multiple addresses under the user’s exclusive control.
  • Operators create numerous wallet addresses for each ransom event, avoiding reuse that would link one incident to another.
  • This rapid turnover in addresses severs a straightforward transaction trail, frustrating efforts to trace the origin of the extorted funds.
  • Self-custody reduces oversight by regulated entities, enabling criminals to conceal movements more effectively.
  • Criminals create numerous pseudonymous wallets to transfer NFTs and related proceeds back and forth, fragmenting transaction histories.
  • These wallets bypass stringent KYC in many cases, withholding beneficial ownership details and masking the ultimate recipient.
  • Rapid movement of NFTs and associated funds between multiple wallets frustrates investigators attempting to trace the original source of the money.
  • Criminals create multiple self-hosted and pseudonymous wallets to fragment illicit funds across diverse addresses, making it difficult to trace origins and ultimate beneficiaries.
  • Each wallet can store various blockchain tokens, enabling rapid, repeated conversions and cross-chain transfers that break transaction continuity.
  • The minimal KYC requirements for self-hosted wallets reduce transparency and hamper investigators’ efforts to identify real owners.
  • Criminals leverage self-custodial wallets to exercise full control over digital assets, sidestepping regulated intermediaries.
  • Creating multiple wallets in quick succession fragments the traceable flow of illicit proceeds.
  • Pseudonymous addresses mask beneficial ownership, obstructing effective AML and KYC checks as funds move across DeFi protocols.
  • Criminals can swiftly generate new wallet addresses for each step of the transaction chain, dispersing illicit funds across numerous addresses.
  • Repeated transfers between wallets, especially in different jurisdictions or through off-chain networks, make it harder to trace fund flows.
  • The pseudonymous nature of many cryptocurrency wallets allows offenders to mask their identities while rapidly layering and moving funds.
  • Offenders establish numerous self-hosted or lightly regulated crypto wallets to receive and store darknet proceeds.
  • Repeated transfers among these wallet addresses fragment the transaction trail, exploiting pseudonymity to conceal ultimate beneficiaries.
  • Tor-based access and minimal KYC requirements hinder investigators' ability to link wallet ownership to real-world identities.
  • Criminals move privacy coins through multiple self-custodial wallets, each with unique addresses, to layer funds and mask ownership.
  • Poorly regulated or unregulated wallet services may not enforce KYC, allowing anonymous creation of new addresses used solely for concealing illicit asset flows and breaking transaction trails.
  • Self-hosted or custodial wallets enable criminals to control private keys and shuffle illicit proceeds across numerous addresses.
  • Repeated wallet-to-wallet transfers create complex transaction chains, complicating law enforcement efforts to establish beneficial ownership.
  • Privacy-focused wallet features, such as masking IP addresses or integrating mixing protocols, further hinder investigators' ability to link criminal funds to real-world identities.
  • Unhosted or lightly regulated wallet apps allow criminals to store and transfer funds directly between individuals.
  • Multiple pseudonymous wallets are created to break large sums into smaller increments for layering.
  • Rapid, back-to-back wallet transfers fragment the trail, hampering effective monitoring or seizure.
  • Scammers persuade victims to create cryptocurrency wallets under the guise of needing secure, private, or international transfers.
  • The pseudonymous nature of blockchain transactions removes direct ties to the criminal mingling the funds, allowing rapid rerouting.
  • Victims unknowingly aid in obscuring fund origins and destinations, believing they are merely assisting someone they care about, further escaping traditional AML processes.
  • Criminals store gains from falsified medicine sales in self-hosted or weakly regulated wallets, reducing KYC exposure.
  • They easily transfer funds among multiple addresses or combine them with legitimate transactions, adding layers of obfuscation before eventual cash-outs.
T0144.003
  • Criminals immediately transfer rug-pulled tokens into multiple self-hosted wallets, generating distinct addresses to disperse the stolen funds.
  • Controlling private keys for various wallets allows them to shuffle value among addresses, hindering blockchain analytics and complicating investigations.
T0144.009
  • Fraudsters provide wallet addresses that masquerade as authentic investment accounts, prompting victims to transfer significant sums of cryptocurrency.
  • Privately controlled by the scammers, these wallets allow for the swift movement of stolen digital assets across numerous wallet addresses, masking the funds’ true ownership and frustrating AML detection.
T0144.017
  • In crypto-focused investment scams like Pig Butchering, victims are convinced to transfer cryptocurrency to wallets under the scammers' control.
  • Perpetrators then conduct rapid transfers to other wallets they control, exploiting pseudonymous blockchain addresses to hinder investigation.
  • Direct custody of wallet keys allows fraudsters to move funds immediately and avoid traditional financial oversight.

Attackers deposit cryptojacked funds into self-hosted or unregulated wallets, avoiding KYC checks and leveraging address proliferation to fragment flows. Regular creation of new wallets or use of hardware wallets further frustrates detection and seizure efforts.