Check your wallet: How to avoid bitcoin theft by the police

Introduction
In 2023, the volume of transactions associated with illicit activity in cryptocurrency reached $24.2 billion (Chainalysis, 2024), leading to tightened regulatory oversight. The purpose of this article is to provide an algorithm for auditing crypto-assets aimed at protecting capital from being blocked. This material is intended for private individuals and Crypto-Asset Service Providers (CASPs) building internal compliance procedures.
Decision-Making Algorithm Upon Receiving a Transfer
Below is a basic screening process. For internal regulations, it is best visualized as a flowchart.
[Transaction Request] → [Check address in AML service] → [Risk Score Assessment]
- If risk >75%:
  → [Reject transaction] → [Notify MLRO for analysis and potential SAR filing]
- If risk 26–75%:
  → [Request Proof of Funds (PoF)] → [Conduct Enhanced Due Diligence (EDD)] → [Place funds in a quarantine address]
- If risk 0–25%:
  → [Accept transaction] → [Automatically document the check]
Regulatory Environment: MiCA and EU AML Package
Key European initiatives defining compliance requirements:
- MiCA (Markets in Crypto-Assets Regulation) — establishes a unified regulatory framework for the crypto-asset market in the EU. The regulation defines licensing and operational requirements for Crypto-Asset Service Providers (CASPs) (Official Text).
- EU AML Package — extends strict AML/CTF (Anti-Money Laundering/Countering the Financing of Terrorism) obligations to the entire crypto sector. All CASPs are required to conduct Customer Due Diligence (CDD), monitor transactions, and report suspicious activity. Full implementation of the rules is expected by 2027, as it requires the transposition of directives into the national legislation of EU member states (Package Information).
Thus, MiCA forms the licensing and operational standards, while the AML Package imposes direct financial monitoring obligations on market participants.
How a Risk Score Is Formed
A risk score is a percentage rating reflecting the probability of a crypto-asset's connection to illegal activity. It is generated by AML services based on the analysis of the following metrics:
- Source of Funds: Interaction with addresses associated with darknet markets, sanctioned entities, mixers (e.g., Tornado Cash), scam projects, or high-risk gambling platforms.
- Counterparty Type: Transactions from regulated exchanges (low risk) vs. anonymous P2P platforms (increased risk).
- Transaction Patterns: Unusual behavior such as "peel chains" or "chain hopping."
- Technical Aspects of On-chain Analysis:
  - Clustering: AML services group addresses presumably belonging to the same owner to analyze their total activity.
  - Cross-chain Bridges: Using bridges complicates tracking and can increase the risk score.
  - Token Types: Analyzing tokens (e.g., ERC-20) requires studying interactions with smart contracts, unlike native assets.
- Address History: New wallets with suspicious activity are evaluated as riskier.
Threshold Rationale and Scoring Limitations
The threshold values (0–25% — low, 26–75% — medium, >75% — high) are a generally accepted industry standard but are not a legally fixed norm. Each company must define its own boundaries based on its risk appetite model. For example, a crypto fund might set the medium-risk threshold at 15%, while a P2P platform might allow up to 40%.
Limitations:
- False Positives/Negatives: No service guarantees 100% accuracy. False positives (a clean transaction marked as risky) and false negatives (missed risks) are possible.
- Recommendation: To mitigate risks, it is recommended to aggregate data from multiple AML providers (e.g., Chainalysis, Elliptic, TRM Labs). In case of diverging scores, a weighted average can be used, where the weight of each provider is determined by its reputation and specialization.
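The weighted aggregation and threshold routing described above, as an added example (not code from the article or from any AML provider). The provider names, relative weights, sample scores and the `max_spread` divergence rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Thresholds:
    low_max: float = 25.0      # 0-25 %: low risk
    medium_max: float = 75.0   # 26-75 %: medium risk; above that: high risk

def aggregate(scores, weights):
    """Weighted average of per-provider risk scores (each 0-100)."""
    if not scores:
        raise ValueError("no provider returned a score")
    acc = total = 0.0
    for provider, score in scores.items():
        if not 0.0 <= score <= 100.0:
            raise ValueError(f"{provider}: score {score} outside 0-100")
        weight = weights[provider]  # KeyError: provider has no agreed weight
        acc += weight * score
        total += weight
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return acc / total

def decide(scores, weights, thresholds=Thresholds(), max_spread=30.0):
    """Map the aggregated score to the three actions of the decision matrix."""
    score = aggregate(scores, weights)
    spread = max(scores.values()) - min(scores.values())
    if score > thresholds.medium_max:
        action = "reject_notify_mlro"
    elif score > thresholds.low_max:
        action = "quarantine_pof_edd"
    else:
        action = "accept_and_log"
    # Assumption (not from the article): an average can hide one provider's
    # high score, so strongly diverging providers never yield an auto-accept.
    if action == "accept_and_log" and spread > max_spread:
        action = "quarantine_pof_edd"
    return {"score": round(score, 1), "spread": spread, "action": action}

# Constructed sample data: hypothetical providers with relative weights.
WEIGHTS = {"provider_a": 5, "provider_b": 3, "provider_c": 2}

if __name__ == "__main__":
    print(decide({"provider_a": 10, "provider_b": 20, "provider_c": 85}, WEIGHTS))
    print(decide({"provider_a": 5, "provider_b": 10, "provider_c": 60}, WEIGHTS))
    # A stricter risk appetite, like the crypto fund with a 15 % boundary.
    print(decide({"provider_a": 20, "provider_b": 20, "provider_c": 20}, WEIGHTS,
                 Thresholds(low_max=15.0)))
```
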
Step-by-Step Audit Algorithm
1. Source Analysis and Decision Matrix
| Risk Score | Actions for a Private Individual | Actions for a Company (CASP) |
|---|---|---|
| 0–25% (Low) | Accept the transfer. Save the audit report. | Accept the transfer. Automatically log the check in the system. |
| 26–75% (Medium) | Request Proof of Funds (PoF). Accept funds to a separate "quarantine" address. | Initiate Enhanced Due Diligence (EDD). Request PoF. Place funds in an internal quarantine account. |
| >75% (High) | Refuse the transaction. Explain the reason and request a transfer from a different, clean address. | Reject the transaction. Notify the MLRO (Money Laundering Reporting Officer) to file a Suspicious Activity Report (SAR). |
2. Sanctions List Screening
Ensure the counterparty does not appear on official lists: OFAC SDN List (USA), EU Sanctions List (EU), UN Consolidated List (UN).
3. Asset Separation and Isolation
- "Cold" Wallet: For long-term storage of verified assets.
- "Hot" Wallet: For daily operations.
- "Transit/Quarantine" Wallet: For receiving funds from new or unverified counterparties. Do not transfer funds from here to regulated exchanges without full verification and documentation.
Preparing and Verifying Proof of Funds (PoF)
When dealing with amounts exceeding internal limits (e.g., $1,000) or medium-risk levels, always request PoF.
Acceptable Documents
- Exchange Statements: Export of trading history in PDF or signed screenshots of the personal dashboard with a visible User ID.
- Invoices and Contracts: Documents confirming the provision of services, specifying wallet addresses.
- P2P Transaction Documents: Screenshots of correspondence confirming trade terms, or a screen recording demonstrating the withdrawal process from a P2P platform.
- Signed Message: A request to sign a message from the sending address to prove ownership.
Document Verification Procedure
- Metadata Check: Examine the metadata of PDF files (author, creation date) to rule out basic forgeries.
- On-chain Verification: Cross-reference the transaction hash (tx hash) and addresses in the documents with data in a blockchain explorer. Ensure the block timestamp matches the date in the document.
- Request for Additional Data: To verify a withdrawal from an exchange, ask the client for a withdrawal ID or a screenshot from their exchange transaction history.
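The on-chain verification step, as an added example (not code from the article). The field names of both records, the placeholder addresses and hashes, and the one-day date tolerance are assumptions; the on-chain record is constructed inline rather than fetched from any explorer.

```python
import re
from datetime import date, datetime, timezone

TXID_RE = re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")

def norm_txid(value):
    """Normalise a transaction hash: trim, lower-case, drop an optional 0x prefix."""
    value = value.strip()
    if not TXID_RE.match(value):
        raise ValueError(f"not a 32-byte hex transaction hash: {value!r}")
    value = value.lower()
    return value[2:] if value.startswith("0x") else value

def check_pof(doc, tx, max_day_skew=1):
    """Return the discrepancies between a PoF document and the on-chain record."""
    issues = []
    if norm_txid(doc["tx_hash"]) != norm_txid(tx["txid"]):
        issues.append("tx_hash_mismatch")
    if doc["sender"] not in tx["inputs"]:
        issues.append("sender_not_in_inputs")
    if doc["recipient"] not in tx["outputs"]:
        issues.append("recipient_not_in_outputs")
    # Block timestamps are UTC, while the document date may be in the client's
    # local time zone, so a skew of up to max_day_skew days is tolerated.
    block_day = datetime.fromtimestamp(tx["block_time"], tz=timezone.utc).date()
    if abs((block_day - doc["date"]).days) > max_day_skew:
        issues.append("date_mismatch")
    return issues

# Constructed on-chain record (hypothetical shape, placeholder values).
ONCHAIN_TX = {
    "txid": "ab" * 32,
    "inputs": ["ADDR_CLIENT_PLACEHOLDER"],
    "outputs": ["ADDR_QUARANTINE_PLACEHOLDER", "ADDR_CHANGE_PLACEHOLDER"],
    "block_time": 1700000000,  # 2023-11-14 22:13:20 UTC
}
# Constructed data as transcribed from a client's invoice.
INVOICE = {
    "tx_hash": "0x" + "AB" * 32,
    "sender": "ADDR_CLIENT_PLACEHOLDER",
    "recipient": "ADDR_QUARANTINE_PLACEHOLDER",
    "date": date(2023, 11, 15),
}

if __name__ == "__main__":
    print(check_pof(INVOICE, ONCHAIN_TX))
```
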
SAR/STR Procedures and Jurisdictional Differences
Filing Suspicious Activity Reports (SAR) or Suspicious Transaction Reports (STR) is an obligation for CASPs.
Action Algorithm for CASPs:
- Identification: An automated monitoring system or an employee identifies a suspicious transaction.
- Analysis: The MLRO conducts an internal investigation to confirm or refute suspicions.
- SAR Generation: The MLRO fills out a standard form for the local FIU (Financial Intelligence Unit), specifying client data, transaction details, amount, and a detailed rationale for the suspicion.
- Filing: The report is sent to the regulator within legally established timeframes (e.g., within 3–5 business days of discovery).
Legal Risks: Failure to file a SAR when grounds exist leads to administrative fines and license revocation. Unjustified filing may lead to lawsuits from the client.
Evidence Retention Requirements
- Retention Period: Minimum of 5 years after the termination of the relationship with the client (up to 10 years in some EU jurisdictions).
- Format: Immutable formats (PDF/A, PNG).
- Archive Structure: Use a standardized file naming scheme for quick access, for example: [YYYY-MM-DD]_[ClientID]_[TransactionID].zip. The archive should contain clearly named files: aml_report.pdf, pof_invoice.pdf, correspondence.eml.
- Security and Key Management: Store archives in encrypted form (VeraCrypt container, ZIP with AES-256). Use Hardware Security Modules (HSM) or cloud services (KMS) to manage encryption keys. Implement a key rotation policy and Role-Based Access Control (RBAC).
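A check of an evidence archive against the naming scheme above, as an added example (not code from the article). The allowed ID alphabet, the sample IDs and file contents, and the recording of a SHA-256 digest per file are assumptions; encryption of the archive is out of scope here.

```python
import hashlib
import io
import re
import zipfile
from datetime import datetime

# [YYYY-MM-DD]_[ClientID]_[TransactionID].zip; IDs limited to letters, digits
# and hyphens (assumption) so the underscore separators stay unambiguous.
NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})_([A-Za-z0-9-]+)_([A-Za-z0-9-]+)\.zip$")
EXPECTED = ("aml_report.pdf", "pof_invoice.pdf", "correspondence.eml")

def audit_archive(filename, data):
    """Parse the archive name, list missing files and digest every member."""
    match = NAME_RE.match(filename)
    if not match:
        raise ValueError(f"name does not follow the scheme: {filename!r}")
    datetime.strptime(match.group(1), "%Y-%m-%d")  # rejects e.g. 2024-13-40
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        digests = {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}
    return {
        "date": match.group(1),
        "client_id": match.group(2),
        "transaction_id": match.group(3),
        "missing": [n for n in EXPECTED if n not in digests],
        "sha256": digests,  # keep alongside the archive to detect later changes
    }

def build_sample():
    """Constructed archive: two of the three expected files, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("aml_report.pdf", b"constructed report bytes")
        zf.writestr("pof_invoice.pdf", b"constructed invoice bytes")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_archive("2024-03-01_C1042_TX-77.zip", build_sample()))
```
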
Internal Audit Checklist
- Is there an approved internal AML/CTF regulation?
- Has a Money Laundering Reporting Officer (MLRO) been appointed?
- Have risk score threshold values been defined?
- Is at least one professional AML service being used?
- Are all checks being documented?
- Is there a procedure for filing SARs?
- Is a secure data storage policy implemented (encryption, backups)?
- Do employees undergo regular AML training?
Real-World Cases (Anonymized)
- Case 1 (Success): A freelancer received 2 ETH. AML score was 30% (indirect link to a P2P platform). An exchange froze the funds. The freelancer provided a digitally signed invoice, screenshots of correspondence with the client, and an AML audit report. The account was unblocked within 3 business days.
- Case 2 (Error): A company accepted a BTC payment, ignoring an 85% risk score (direct link to a mixer), and commingled the funds with operational capital. An exchange blocked the entire corporate account. The investigation took 2 months, and part of the funds was confiscated.
What to Do if an Account Is Blocked?
- Contact Support via the official ticket system.
  Email Template:
  Subject: Account Block - Clarification Request (User ID: [Your ID])
  Dear Support Team,
  My account (ID: [Your ID], email: [Your email]) was blocked on [date]. I believe this is related to transaction [tx hash]. I am prepared to provide a full Proof of Funds package to confirm the legitimate origin of the assets. Attached is an archive containing the AML audit report and the invoice related to this transaction. Please inform me of the reason for the block and the steps required to lift it.
  Sincerely, [Your Name]
- Provide Documents in a structured manner.
- Escalation: If there is no response for more than 5–7 business days, request that your case be transferred to a senior specialist or the compliance department.
- Regulatory Complaint: If the service remains unresponsive, the final step is to file a complaint with the financial ombudsman in the company's jurisdiction of registration.
Major AML Providers
| Provider | Brief description |
|---|---|
| Chainalysis | Market leader focused on investigations and public-sector collaboration. |
| Elliptic | Specialized in compliance solutions for exchanges and financial institutions. |
| TRM Labs | In-depth analysis of DeFi, NFTs, and cross-chain transactions. |
| Crystal Blockchain | Comprehensive platform from Bitfury for monitoring and investigations. |
| Scorechain | European provider focusing on MiCA compliance requirements. |
Note: Free or trial versions of AML services have limited databases and are not suitable for professional CASP activities.
Conclusion
Proactive AML analysis is an indispensable element of risk management in the crypto industry. Thorough counterparty verification, documentation of the source of funds, and asset segregation are fundamental practices for protecting capital in an environment of global regulatory tightening.
Legal Disclaimer: This article does not constitute legal or financial advice. The information is provided for informational purposes only. For specific legal issues, it is recommended to consult a qualified lawyer or compliance consultant.