In our recent article in the professional journal Compliance, Ethics & Sustainability (“From inadequate oversight to effective regulation?”), we emphasized how the crypto industry is gradually maturing under the influence of European regulation. At the same time, risks related to money laundering, fraud, and sanctions evasion persist.

A concrete example of these risks are crypto ATMs. In the journal, we already highlighted the risk of sanctions evasion via crypto ATMs. To summarize: Poland currently hosts more than 280 machines, many strategically located near the borders with Belarus and Russia. Here, cash can be easily converted into crypto, carried across the border via a mobile wallet or paper voucher, and liquidated elsewhere. This process can occur entirely outside traditional financial channels and sanctions oversight.

In this article, we take a closer look at how these machines operate, the risks they pose, and the role regulation and enforcement play in mitigating abuse.

From Cash to Crypto – Beyond the Banks

Crypto ATMs provide users with a direct and familiar gateway to convert cash into crypto-assets and vice versa, without requiring an account at a (crypto) exchange. The process is straightforward: users select buy or sell, enter an amount, and verify their identity which, depending on the local regulation, is through an ID, phone number, or another simplified form of KYC. The machine then dispenses crypto or cash.

For individuals in regions with limited banking infrastructure or for less digitally skilled users, these terminals may seem like an ideal solution. Yet it is precisely the combination of accessibility and anonymity that makes crypto ATMs attractive for criminal misuse.[1]

A Magnet for Fraud and Money Laundering

Supervisors worldwide are increasingly reporting abuse of crypto ATMs for money laundering and fraud. The classic laundering process (placement, layering, and integration) can easily be executed through ATMs: cash is inserted, split across multiple terminals, converted into crypto, and later exchanged back into cash.[2]

In 2025, the U.S. Financial Crimes Enforcement Network (FinCEN) reported that victims lost over $247 million through crypto ATMs, with a notable concentration among people over 60.[3] Victims are often pressured over the phone by fraudsters impersonating bank employees or government officials, instructing them to deposit large sums via ATMs.

Some machines accept up to €15,000 (or $25,000) per day without strict identity verification.[4] Transaction fees are significantly higher than those of regulated exchanges (>5% vs. <1%). Certain terminals even print paper vouchers functioning as anonymous bearer instruments.

International Regulatory Differences

Regulation of crypto ATMs varies widely across jurisdictions. New Zealand, for example, banned the machines entirely,[5] while Australia applies a risk-based model with transaction limits and stricter KYC.[6] In the United States, warnings are paired with prosecutions of unregistered operators.[7]

Within the EU, greater clarity is provided through the Markets in Crypto-Assets Regulation (MiCAR). Crypto ATMs are classified as “Crypto-Asset Service Providers” (CASPs). They are not prohibited, but operators must meet licensing requirements, comply with KYC/AML obligations, conduct transaction monitoring, and apply risk-based customer due diligence.[8] Despite the expiration of MiCAR’s transitional regime in the Netherlands, we observed that several crypto ATMs remained active beyond the deadline.

Regulation alone is not enough. Effective enforcement is essential—as underlined by recent Dutch case law.[9]

Dutch Case Law: Crypto ATMs as Money-Laundering Vehicles

In a recent ruling, the Arnhem-Leeuwarden Court of Appeal (ECLI:NL:GHARL:2025:237) convicted an operator of crypto ATMs who repeatedly and deliberately violated the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft).[10]

Evidence showed that the ATMs were repeatedly used for transactions linked to criminal proceeds, including drug trafficking. Investigations revealed that the operator had deliberately designed the process to minimize traceability: no identity checks were performed for transactions below €10,000, deposits were often spread across multiple ATMs to avoid detection, and even for higher amounts, KYC checks were superficial and the ultimate beneficial owners of wallets were not verified.

The court ruled that this amounted to knowingly facilitating money laundering. The operator was sentenced to multiple years in prison, and the equipment was confiscated. This case demonstrates that Dutch courts treat crypto ATM violations as serious criminal offenses and highlights the critical role of national enforcement alongside EU regulation.

The Athena Bitcoin Inc. Case – A Wake-Up Call

In February 2025, the Attorney General of the District of Columbia filed a lawsuit against Athena Bitcoin Inc., one of the largest U.S. crypto ATM operators. Investigations revealed that during the first five months of operations in Washington D.C., as much as 93% of all transactions were fraudulent, with average losses of $8,000 per transaction and victims having a median age of 71. Victims were pressured to repeatedly send funds to the same, well-known scam wallets.[11]

Athena is accused of deliberately profiting from these practices by charging hidden fees of up to 26%, without clearly disclosing them to customers. The company systematically refused to compensate victims, even when transactions were visibly routed to previously abused wallets. In some cases, Athena demanded liability waivers from victims who attempted to recover part of their losses.

This case illustrates that poorly regulated crypto ATMs not only endanger the integrity of the financial system but also pose a structural threat to financially vulnerable groups, especially the elderly.

From Signal to Structural Action

The introduction of MiCAR provides a necessary framework, but regulation without consistent enforcement remains toothless. Crypto ATMs operate at the intersection of financial inclusion and financial crime. A collective and decisive response is essential. As long as operators profit from opaque fee structures and criminals exploit the gaps, crypto ATMs will remain more of a getaway car for criminals than a bridge for financial inclusion.

What must happen?

• Operators must provide full transparency on fees and limits, implement structural transaction monitoring, and actively block suspicious wallets.
• Supervisors must move beyond registration requirements and invest in effective monitoring and enforcement.
• Financial institutions must stay alert to unusual cash flows that may disappear through crypto ATMs and act on them with a risk-based approach.
• Consumers must be better protected through education, warnings, and accessible reporting channels.
• CASPs are legally obliged to monitor transactions. Illicit flows—originating from crypto ATMs as well as darknet markets—are often detected through tools such as Cense, Chainalysis, TRM Labs, and Elliptic. CASPs are expected not only to conduct active monitoring but also to report suspicious activity.

Together with our partner Cense, we will soon publish a follow-up article exploring in more depth how blockchain analytics tools can strengthen organizations’ detection and control capabilities.

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

---

[1] The Record. (2025). Crypto ATMs fueling cybercrime.

[2] Sanction Scanner. (2025). How to ensure AML compliance on Bitcoin ATMs in the US. https://www.sanctionscanner.com/blog/how-to-ensure-aml-compliance-on-bitcoin-atms-in-the-us-448.

[3] FinCEN. (2025). FinCEN Notice on crypto kiosk scams. https://www.fincen.gov/sites/default/files/shared/FinCEN-Notice-CVCKIOSK.pdf

[4] Europol. (2022). Cryptocurrencies – Tracing the evolution of criminal finances. Europol.

[5] Rahman Ravelli. (2024). New Zealand to ban crypto ATMs. https://www.rahmanravelli.co.uk.

[6] CryptoNews. (2025). Tasmania joins nationwide crackdown on crypto ATMs as scam losses hit $1.6 million. https://cryptonews.com

[7] FinCEN. (2025). FinCEN Notice on crypto kiosk scams. https://www.fincen.gov/sites/default/files/shared/FinCEN-Notice-CVCKIOSK.pdf.

[8] European Parliament and Council. (2023). Markets in Crypto-Assets Regulation (MiCAR).

[9] Bitomat. (2024). MiCA impact on Bitcoin ATMs. https://www.bitomat.com.

[10] Gerechtshof Arnhem-Leeuwarden. (2025). ECLI:NL:GHARL:2025:237.

[11] Office of the Attorney General for the District of Columbia. (2025, February). Attorney General Schwalb Sues Athena Bitcoin for Failing to Protect Consumers from Scams . https://lnkd.in/eb8qGmqP.

On February 21, 2025, Bybit fell victim to a cyberattack that resulted in an unprecedented loss of approximately $1.46 billion in digital assets. To put the breach into perspective, the previous largest crypto heist was the $611 million that was stolen from Poly Network in 2021. Early reports pointed to the notorious Lazarus Group, a North Korean state-backed cybercriminal organization, which has already been implicated in several high-profile hacks and money laundering operations in the past. The FBI has since confirmed the Lazarus Group as the perpetrators of the attack.

The breach raises critical questions regarding the security of centralized exchanges, particularly in the wake of the Digital Operational Resilience Act (DORA). What truly underscores the importance of compliance and anti-money laundering (AML) measures is the speed with which the stolen funds were funnelled into laundering networks. TRM Labs estimates that at least $160 million was laundered within the first 48 hours, with this figure surpassing $400 million within a week, illustrating a level of operational efficiency and professionalism we haven’t seen before.

How the funds were laundered, an overview

With the stolen funds still circulating through the crypto ecosystem, examining the methods used to obfuscate the origin of the stolen funds is more relevant than ever. The Lazarus Group’s laundering tactics were notably sophisticated, leveraging various crypto services and decentralized exchanges (DEXs) to hide the trail of illicit funds.

The laundering operation commenced immediately after the breach, when the stolen assets- initially consisting of mETH and sETH (liquid staking tokens)[1]– were converted into ETH using DEXs. This step was vital to avoid intervention by token issuers, who could potentially freeze the compromised assets. Since Ether and Bitcoin are not controlled by a centralized authority, they are less susceptible to being frozen.

Following the conversion to ETH, the Lazarus group employed a common money laundering technique known as “layering”, dispersing the funds through multiple intermediary wallets in an attempt to conceal the origin of the funds and hinder tracking efforts. While the inherent transparency of the blockchain allow for the tracing of transactions, this strategy bought the hackers time to move the funds to different wallets, swap tokens, use cross-chain bridges, and interact with no-KYC instant swap services. Using these crypto services, the hackers swapped significant amounts of ETH for other cryptocurrencies, especially BTC and DAI.

Historically, North Korea has relied on crypto mixers as part of its laundering operations to obfuscate the origin of stolen assets before converting them into fiat currencies. With increased scrutiny and law enforcement actions targeting mixing services, it appears the Lazarus Group is now prioritizing speed and efficiency over privacy.

Key Compliance and AML Takeaways

The aftermath of the Bybit hack provides several important lessons for compliance officers, regulatory bodies, and businesses operating in the cryptocurrency sector. While the hack highlights vulnerabilities that still exist, it also underscores the importance of strong compliance frameworks, robust AML practises, and industry-wide cooperation. Some key takeaways include:

1. Enhanced Transaction Monitoring Systems

The sophistication of the laundering methods used in this case highlights the necessity for cryptocurrency platforms to implement advanced transaction monitoring systems. A combined effort between blockchain analytics firms, law enforcement and centralized exchanges were able to actively trace the stolen funds, identifying and flagging wallets related to the Lazarus Group. While several centralized exchanges were able to freeze assets, a large portion of the stolen funds remain under the hackers’ control and further attempts to launder these funds are expected in the coming days or weeks. The ongoing investigations illustrate both the effectiveness of blockchain- and transaction monitoring, as well as the challenges presented by cryptocurrency services such as DeFi protocols that potentially do not leverage blockchain analytics.

2. Strengthening KYC and AML Standards:

Crypto exchanges must ensure they adhere to stringent Know Your Customer (KYC) procedures and performing regular AML checks throughout the lifecycle of their client. While KYC requirements are now standard across exchanges, many DeFi platforms continue to lag in establishing robust identity verification processes. As decentralized finance and privacy tools continue to evolve, there is a growing need for a more rigorous approach to user onboarding and transaction monitoring to prevent illicit activity. A notable example of decentralized protocol already taking such actions is Chainflip, which implemented an emergency software update, blocking incoming funds tied to the hack.

3. Collaboration within the industry and law enforcement agencies

Effective collaboration within the industry and with law enforcement agencies is vital in combating money laundering threats and protecting the ecosystem. In response to the hack, Bybit launched a bounty program offering rewards of up to 10% for successfully frozen funds. This initiative sparked collaboration among industry actors, complicating efforts by the hackers to convert stolen assets into fiat currencies. This demonstrates the importance of swift, collaborative responses to protect the integrity of the cryptocurrency ecosystem and defend against these sophisticated cyber-attacks.

4. Education and Awareness

The Bybit hack highlights the need for continuous education and awareness within the crypto industry. Firms should invest in regular training for compliance teams to stay ahead of emerging laundering tactics. Moreover, educating users on the risks of interacting with unregulated platforms remains crucial to curbing illicit activity in the crypto space.

 

Conclusion: The Path Forward for Crypto Compliance

The Bybit hack serves as a reminder of the vulnerabilities currently present in the crypto ecosystem. As illicit actors become increasingly sophisticated in their methods, the need for robust compliance and AML measures has never been greater. Exchanges, DeFi platforms, and regulators must work together to close the gaps in the current system, implement strong monitoring tools, and ensure that the crypto space remains a safe and secure environment for legitimate users.

The ongoing investigations and the collaborative actions taken in response to the hack exemplify the cryptocurrency sector’s growing commitment to improving security standards and protecting users from illicit activity. By focusing on enhancing compliance frameworks, tightening KYC and AML standards, and fostering a culture of cooperation, the industry is taking crucial steps toward mitigating the risks of future breaches.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

---

[1] Liquid staking tokens refer to obtain a tradeable asset in exchange for staking a cryptocurrency in a proof-of-stake blockchain.

The European Banking Authority (EBA) has taken another significant step towards integrating crypto assets into the regulatory framework, with its recent consultation on draft technical standards. This consultation is a key move in ensuring financial stability while supporting innovation in such a rapidly evolving sector.

As businesses and financial institutions increasingly engage with crypto assets, the challenges of managing associated risks have become more present. The EBA’s proposed standards, rooted in the Basel Committee’s prudential guidelines, aim to provide clarity on capital requirements for crypto-asset exposures. By doing so, they seek to strike a balance between risk mitigation and maintaining a level playing field in the financial ecosystem.

These are the key aspects of the consultation:

1. Classification of crypto-assets: The framework outlines distinctions between tokenized traditional assets, stablecoins, and unbacked crypto-assets, tailoring capital requirements to the specific risk profiles of each category.
2. Risk sensitivity: The draft standards propose different treatments for crypto assets based on their volatility, liquidity, and transparency. This approach helps address concerns related to potential market disruptions.
3. Operational and market risks: Beyond credit and counterparty risks, the standards consider the operational and market risks unique to crypto assets, ensuring a complete risk management.

For firms operating in the crypto space, this consultation signals the importance of aligning operational practices with growing regulatory expectations. Compliance professionals must stay ahead of these developments, proactively assessing their exposure and ensuring robust frameworks to meet potential requirements.

At Compliance Champs we understand the complexity of managing regulations like these, therefore we are here to help businesses interpret and implement these changes effectively.

The EBA’s initiative is the proof to the increasing recognition of crypto assets within mainstream finance. While challenges remain, this regulatory clarity is a step forward in enabling sustainable growth and innovation.

What are your thoughts on these draft standards? Let’s discuss how these measures might shape the future of crypto-asset regulation.

New EU travel rules go into effect in 2025, some crypto coins and bank cards can’t be used.

With the MiCAR approaching, a lot of parties involved with crypto-assets, including crypto-asset service providers (CASPs), will have to implement this new regulation. Services like the placing of crypto-assets and providing advice on crypto-assets need to comply to an extensive set of requirements, while these services were not yet regulated under the AMLD5.

Under the AMLD5, CASPs in the Netherlands providing the services for the exchange between virtual currencies and fiat currencies and providing custodian wallet services fall under the scope of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), which includes the AMLD5 implementation.

In this article we would like to look at some of the most significant differences between the current AMLD5 regime and the new MiCAR regime:

• MiCAR requires a license, which takes a lot more effort to receive than a registration, due to the more extensive range of requirements included in the regulation. AMLD5 only requires a registration.
• Where the AMLD focusses on AML-CFT issues and risks, the MiCAR has broadened this scope and includes rules on for example market abuse and sets prudential requirement for CASPs.
• MiCAR is a Regulation instead of a Directive (AMLD5). A Regulation is directly applicable in Member States after its entry into force (another example is the GDPR). A Directive first needs to be implemented in the national laws of a member state. Just like the AMLD5 was implemented in the Wwft.
• The competent authority for most service providers under the MiCAR, including the crypto-asset services that currently require a registration, will be the AFM instead of the DNB under which they are currently registered. The DNB will however become the competent authority for issuers of ARTs and EMTs.
• MiCAR introduces passporting opportunities, whereas registration only permits service providers to offer and market services in one country. As a result, under the old regime, a CASP (Crypto-Asset Service Provider) needed to apply for registration in multiple countries to offer and market services there.
• Lastly, a lot more services are in scope of the MiCAR. The registration only focuses on service providers offering services for the exchange between virtual currencies and fiat currencies and providing custodian wallet services. The MiCAR focusses on a lot more crypto-asset services (full list of CASP-services can be found in article 3 (1) under 16 MiCAR).

The MiCAR regime leads to further regulation in the crypto market, with more crypto parties required to obtain and maintain a license. It is an understatement to say that challenging times are ahead.