A peel chain, also known as chain peeling, is a method used to obscure the origin of illicit funds, primarily within the cryptocurrency ecosystem. It involves transferring cryptocurrency from an initial address and distributing it across numerous new addresses in small amounts (micro-transactions) over many hops, creating a complex web that frustrates investigators. Many launderers use automated scripts or specialized software to generate hundreds of fresh addresses, each receiving small increments of the total balance. If the funds stem from a crypto exchange hack or similar incident, criminals often initiate a peel chain immediately to break the direct trail, complicating both investigations and exchange-based monitoring.

A typical sequence includes:
- Receiving a large sum of cryptocurrency into a wallet controlled by the launderer.
- Sending repeated micro-transactions to newly generated addresses, incrementally “peeling off” smaller portions of the funds.
- Involving a potentially vast number of wallets, each holding only a fraction of the original amount.
- Periodically moving “peeled” amounts to exchanges, mixers, or other conversion services to obtain fiat.
- Potentially continuing additional peel chains or consolidating leftover balances into centralized wallets once laundering is deemed sufficient.

Notable examples of peel chains have surfaced in large-scale hacks, such as the 2016 Bitfinex breach and the 2018 Bithumb hack, where criminals laundered digital assets through dozens of transfers to obscure the true source of funds. By peeling off smaller amounts, launderers reduce the likelihood of triggering automated anti-money laundering (AML) flags, as each individual transaction generally appears less suspicious. Over time, these repeated small transfers—resembling layers of an onion—significantly complicate forensic tracing and compliance oversight, underscoring the importance of enhanced monitoring and blockchain analytics solutions for detection.
Peel Chain
Chain Peeling
Tactics
Peel chains repeatedly split large cryptocurrency balances into numerous small transfers across many newly generated addresses, creating a convoluted transaction trail that obscures the true origin of illicit funds. This multi-hop process adds layers of complexity intended to distance the proceeds from the underlying criminal activity.
Risks
This peel chain technique exploits the fast, pseudonymous nature of cryptocurrency transfer channels. Criminals repeatedly fragment large illicit balances into small micro-transactions routed through newly generated addresses. Because the channel imposes minimal or no identity checks and transactions remain below typical AML thresholds, it is far more difficult for standard monitoring systems to detect or flag suspicious activity.
Indicators
A single customer receives a substantial amount of cryptoassets at an exchange, followed by evidence of 20 or more quick wallet hops in a short time (for example, within a few hours).
Repeated micro-transactions from newly created addresses occur within a short timeframe, often landing in the same block or separated by only a few blocks.
Suspicious cryptocurrency activity begins immediately following a publicly reported crypto exchange hack or large-scale theft incident.
Transaction records show continuous transfers to newly generated addresses, with no address re-use, indicating systematic layering of funds.
A high volume of consecutive micro-transactions occurs in a short timeframe, exceeding typical user behavior norms.
The initial source of funds is tied to known illicit activity (e.g., dark web marketplaces or ransomware) before peel chain transfers begin.
A large crypto deposit is immediately followed by numerous small, fragmented transfers that distribute the original amount into smaller sums.
The originating wallet initiates a high frequency of micro-transfers to numerous newly generated addresses within a short timeframe.
Funds pass through a long sequence of intermediary wallets—multiple hops—before eventually reaching an exchange, mixer, or other exit point.
A cluster of newly created wallet addresses, each with minimal or no prior history, is used solely to redirect small portions of the funds.
Following multiple layering steps with micro-transactions, funds are consolidated and eventually transferred to an exchange, mixer, or fiat onramp.
The initial deposit is traced to a compromised exchange or otherwise illicit source, indicating the potential involvement of stolen or fraudulent funds.
A layering pattern emerges where transaction amounts decrease progressively at each hop, reflecting a peel chain structure.
Cryptoassets from newly generated addresses are transferred into multiple accounts with no clear relationship to the original depositor.
Transaction amounts, intervals, or frequency appear systematically uniform, suggesting automated peeling processes across multiple addresses.
Data Sources
Comprehensive records of deposits, withdrawals, and other monetary movements across user accounts capture timestamps, amounts, account identifiers, and counterparties. These logs help correlate on-chain peel chain hops with off-chain transactions, revealing patterns of rapid micro-transfers and layering attempts.
Includes VASP-held transaction logs, user account details, wallet address assignments, and deposit/withdrawal records, allowing the linkage of on-chain peel chain hops to specific exchange user accounts or identities. This data is critical for detecting suspicious patterns, such as multiple micro-deposits or rapid withdrawals, and correlating them with on-chain evidence of layering and fragmentation in a peel chain scheme.
On-chain transaction details—including addresses, timestamps, amounts, and analytic insights—are used to trace funds across multiple hops. This data uncovers micro-transactions, address reuse, and fragmentation patterns characteristic of peel chain activity, enabling investigators to track the movement of illicit funds.
Mitigations
Obtain evidence of the original source of funds when large inbound transfers or multiple small deposits from new or non-custodial wallets appear, especially if blockchain analysis indicates prior peel chain activity. Validate the customer’s ownership of external wallets, investigate the provenance of funds, and continuously update risk assessments if transaction patterns suggest layering through peel chains.
Deploy tailored transaction monitoring rules to detect classic peel chain patterns, such as rapid, repeated micro-transfers into newly generated addresses, progressively decreasing transaction amounts at each hop, and large sums quickly split into small increments. Investigate and escalate accounts showing these anomalies, especially if recipients lack prior transaction histories or are linked to high-risk sources.
Blockchain analytics tools can track and identify typical chain peeling indicators, such as a user repeatedly creating a new address for each transfer instead of reusing an existing one, and funds moving through multiple hops in the transaction chain.
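The monitoring rule and analytics check described above can be sketched as follows. This is an added example, not code from any referenced tool: the `Tx` record, the sample ledger, the 20% peel ratio and the 240-minute window are assumptions chosen for illustration, while the 20-hop threshold follows the indicator listed earlier on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    time: int        # minutes since the first deposit (constructed data)
    sender: str
    outputs: tuple   # ((address, amount), ...)

def trace_peel_chain(txs, start, max_peel_ratio=0.2):
    """Follow funds from `start` while every spend looks like a peel: one
    two-output transaction, a small peel plus a remainder to a fresh address."""
    by_sender, first_seen = {}, {}
    for idx, tx in enumerate(sorted(txs, key=lambda t: t.time)):
        by_sender.setdefault(tx.sender, []).append((idx, tx))
        first_seen.setdefault(tx.sender, -1)   # a sender already has history
        for addr, _ in tx.outputs:
            first_seen.setdefault(addr, idx)
    hops, current = [], start
    while current in by_sender:
        spends = by_sender[current]
        if len(spends) != 1 or len(spends[0][1].outputs) != 2:
            break                              # not a simple peel step
        idx, tx = spends[0]
        (peel_to, peel), (nxt, rest) = sorted(tx.outputs, key=lambda o: o[1])
        if peel > max_peel_ratio * (peel + rest) or first_seen[nxt] != idx:
            break                              # split too even, or address reused
        hops.append({"from": current, "peel_to": peel_to, "peel": peel,
                     "remainder": rest, "time": tx.time})
        current = nxt
    return hops

def is_peel_chain_alert(hops, min_hops=20, window_minutes=240):
    """Alert on 20+ hops with shrinking remainders inside the time window."""
    if len(hops) < min_hops:
        return False
    shrinking = all(a["remainder"] > b["remainder"] for a, b in zip(hops, hops[1:]))
    return shrinking and hops[-1]["time"] - hops[0]["time"] <= window_minutes

def build_sample():
    """Constructed ledger: a 25-hop peel chain plus one ordinary payment."""
    txs, sender, balance = [], "deposit_addr", 1000.0
    for i in range(25):
        balance -= 2.0
        txs.append(Tx(5 * i, sender, ((f"peel_{i}", 2.0), (f"hop_{i}", balance))))
        sender = f"hop_{i}"
    txs.append(Tx(3, "shop", (("supplier", 40.0), ("shop", 60.0))))  # change reused
    return txs

if __name__ == "__main__":
    chain = trace_peel_chain(build_sample(), "deposit_addr")
    print(len(chain), "hops; alert:", is_peel_chain_alert(chain))
```

The ordinary payment in the sample is not flagged because its change returns to an address with prior history, which is the address-reuse distinction the indicators rely on.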
Implement strict transaction velocity or frequency controls to cap repeated micro-transfers, block transactions from known high-risk addresses or jurisdictions, and introduce time delays for higher-risk transactions. These measures directly inhibit typical peel chain practices by limiting a criminal’s ability to rapidly disperse a large balance into numerous small amounts.
Instruments
- Criminals initiate peel chains by sending repeated micro-transactions from a large initial balance to newly generated wallet addresses, incrementally 'peeling off' smaller amounts.
- The transparent yet pseudonymous nature of public blockchains enables the rapid creation of numerous addresses, forming a complex web of transfers that obscures the origin of illicit funds.
- By maintaining low-value transactions below AML alert thresholds, launderers significantly reduce the likelihood of detection, thereby complicating forensic tracing and prolonging investigators’ efforts.
Service & Products
- Launderers use peer-to-peer trades to exchange peeled crypto portions with minimal or inconsistent KYC, further obscuring traceability.
- The fragmented nature of peel chain transfers aligns with using direct user-to-user deals, reducing reliance on centralized controls.
Actors
Cybercriminals who steal or illicitly acquire crypto (for instance, via exchange hacks) use peel chains by:
- Rapidly dispersing stolen funds across many newly created addresses, reducing the chance of immediate detection.
- Employing repetitive small transfers that fracture the available trail, complicating investigators’ ability to trace funds back to the hack or theft.
This tactic leverages large-scale hacks like the Bitfinex or Bithumb breaches, where stolen crypto was systematically moved through numerous micro-transactions to conceal its illicit source.
Professional money launderers implement peel chains by:
- Generating numerous addresses to receive incremental transfers from a large illicit balance.
- Automating the peeling of funds, splitting them into micro-transactions that typically avoid detection.
They orchestrate the workflow, ensuring that each individual transaction appears minor, complicating financial institutions’ oversight when attempting to link funds back to their criminal origin.
Criminals route peeled funds through mixers to:
- Combine small transfers with other users’ deposits, obscuring the source of each portion.
- Break the transaction chain, making it more difficult for investigators or financial institutions to connect funds back to the original illicit address.
By cycling micro-transactions through mixers, launderers significantly reduce the traceability of the peeled amounts.
Criminals exploit virtual asset service providers by:
- Depositing peeled funds in repeated small increments that appear unrelated, making it harder to connect them to illicit origins.
- Converting fragmented cryptocurrency into fiat or other digital assets, further distancing the funds from the initial illicit source.
These processes complicate detection for financial institutions, as each transaction often falls below typical alert thresholds, masking the laundering operation.