Case snapshot: fast on, faster off
Luc was reviewing a set of alerts triggered by the bank’s virtual asset exposure rule. A retail customer—previously low-risk and with no history of crypto investments—had suddenly initiated a series of SEPA transfers to a foreign crypto exchange.
The pattern immediately raised questions:
- Transfers ranged from €4,000 to €7,000, increasing in amount
- Frequency spiked over a three-week period
- No updated KYC or declared source of funds
- The exchange was licensed under MiCA, but based in a jurisdiction where enforcement practices were still maturing
“The onboarding profile doesn’t support this type of activity,” Ella noted. “It’s out of pattern and out of context.”
Marcus followed the trail on-chain. Once the crypto hit the exchange, it was withdrawn almost immediately to unhosted wallets. Within hours, it was fragmented across multiple addresses, some of which:
- Interacted with known mixing services
- Had historical links to anonymity-first marketplaces
- Were tagged in previous blockchain analysis reports for high-risk flows
“There’s no criminal record, no direct trigger from the exchange,” Marcus said. “But the flow is straight out of the typology manual.”
Luc filed a Suspicious Transaction Report (STR) citing:
- Sudden, unjustified exposure to virtual assets
- Use of unhosted wallets for immediate off-ramping
- Interaction with privacy tools often associated with layering
- Absence of investment rationale, raising questions about predicate offences like tax evasion or illicit trade
The regulatory lens: where MiCA meets AML
This case underscores the evolving tension between formal compliance and residual risk in crypto transaction flows.
Under MiCA (Markets in Crypto-Assets Regulation – EU 2023/1114):
- The exchange was registered and met MiCA’s licensing requirements
- MiCA focuses on Crypto-Asset Service Providers (CASPs), not individual users or wallet-level behavior
- MiCA does not prohibit the use of unhosted wallets or mixing services
Under the Transfer of Funds Regulation (EU 2023/1113):
- CASPs must collect and transmit originator/beneficiary information for crypto transfers, including those involving unhosted wallets
- For transfers above €1,000, the identity of the unhosted wallet owner must be verified where technically feasible
- Institutions are expected to apply risk-based measures when transactions involve mixers, privacy coins, and jurisdictions with weak AML supervision
Transfers to high-risk destinations may trigger enhanced due diligence, and in some cases, refusal or freezing under broader AML frameworks—not TFR specifically.
Risk without cash
In this scenario, cash structuring was replaced by digital behavior manipulation—small but increasing transfers, inconsistent with the customer’s profile, leading to fragmented on-chain activity.
Red flags in focus:
- Unexplained spike in virtual asset activity
- Transfers to jurisdictions with lax crypto enforcement
- On-chain movement to anonymity tools and unhosted wallets
- Customer behavior misaligned with declared source of wealth
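The bank-side red flags from this case (a spike of escalating transfers to an exchange, out of profile, with no refreshed KYC) can be written as a monitoring rule. The sketch below is an added example, not the bank's actual virtual asset exposure rule: the thresholds, field names and sample data are assumptions, and the on-chain indicators (unhosted wallets, mixers) are out of scope because they require blockchain analytics data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative thresholds (assumptions, not values from the bank's rule).
WINDOW = timedelta(days=21)   # the "three-week period" in the case
MIN_TRANSFERS = 4             # how many transfers count as a "series"
MIN_RISING_SHARE = 0.75       # share of consecutive steps that must increase

@dataclass
class Transfer:
    day: date
    amount_eur: float
    to_crypto_exchange: bool  # counterparty resolved to a CASP by the bank

@dataclass
class Customer:
    risk_rating: str              # rating assigned at onboarding, e.g. "low"
    prior_crypto_activity: bool
    kyc_updated: date             # last KYC / source-of-funds refresh

def virtual_asset_exposure_flags(customer, transfers):
    """Return the red flags raised by exchange-bound transfers in the latest window."""
    crypto = sorted((t for t in transfers if t.to_crypto_exchange), key=lambda t: t.day)
    if not crypto:
        return []
    recent = [t for t in crypto if crypto[-1].day - t.day <= WINDOW]
    if len(recent) < MIN_TRANSFERS:
        return []
    flags = ["frequency_spike"]
    steps = list(zip(recent, recent[1:]))
    rising = sum(later.amount_eur > earlier.amount_eur for earlier, later in steps)
    if rising / len(steps) >= MIN_RISING_SHARE:   # tolerates one dip in the series
        flags.append("escalating_amounts")
    if customer.risk_rating == "low" and not customer.prior_crypto_activity:
        flags.append("out_of_profile")
    if customer.kyc_updated < recent[0].day:      # no refresh since the activity began
        flags.append("no_updated_kyc_or_source_of_funds")
    return flags

# Constructed sample data modelled on the case description.
SAMPLE_CUSTOMER = Customer("low", False, date(2023, 3, 1))
SAMPLE_TRANSFERS = [
    Transfer(date(2025, 5, 2), 4000, True), Transfer(date(2025, 5, 7), 4500, True),
    Transfer(date(2025, 5, 10), 900, False),  # ordinary payment, ignored by the rule
    Transfer(date(2025, 5, 12), 5200, True), Transfer(date(2025, 5, 16), 5000, True),
    Transfer(date(2025, 5, 20), 7000, True),
]

if __name__ == "__main__":
    print(virtual_asset_exposure_flags(SAMPLE_CUSTOMER, SAMPLE_TRANSFERS))
```

A hit on these flags is a prompt for analyst review and on-chain tracing, as in the case, not a conclusion in itself.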
When onboarding lies, the blockchain doesn’t
This wasn’t about a rogue exchange or a compliance gap. It was a customer using legitimate infrastructure to create illegitimate distance—exploiting the space between rules and risk.
“Crypto doesn’t erase the trail,” Ella said. “It just forces you to follow it somewhere new.”
This wasn’t a failure of the exchange. It was a failure of the customer’s economic narrative—and the obligation to question what that narrative hides.