Glossary
Crypto scam & compliance glossary
Plain-English definitions of the scams people run into and the AML/compliance terms they need — what they mean, why they matter, and where to read more. Built for victims, lawyers, accountants, and compliance teams who need to put the right name on what happened.
Scams & attacks
Pig butchering
A long-con investment scam, usually started through a dating app, social-media DM, or a “wrong number” text.
The scammer builds trust over weeks or months, then steers the victim onto a fake crypto trading or “high-yield” platform that shows fabricated profits. Withdrawals work for small amounts to build confidence, then stop. By the time the victim tries to pull the money out, the platform is gone and the deposits have been routed through a chain of wallets to an exchange off-ramp.
Read the full guide →Rug pull
Token or project creators drain the liquidity pool and disappear, leaving holders with worthless tokens.
Most common in newly launched DeFi tokens. A small founding team controls the liquidity pool or has a hidden mint function in the contract; once enough buyers are in, they pull the underlying liquidity or mint a flood of new supply and dump it. On-chain, you typically see a sudden, large transfer from the pool to a fresh wallet, followed by rapid bridging or exchange deposits.
How to track the funds →Romance scam
A relationship — usually online and long-distance — is used to extract money or crypto, often by funneling the victim into a fake investment.
Largely overlaps with pig butchering: the “relationship” is the trust vehicle, the fake investment platform is the extraction mechanism. Pure romance scams (gifts, “emergency” wires, never invested) are typically wire-transfer fraud, but increasingly the ask moves to USDT or BTC because the payment is irreversible and harder to trace through traditional channels.
Related guide →Wallet drainer
A malicious smart contract or signed message that empties a wallet in a single transaction after the user is tricked into approving it.
Sold as off-the-shelf kits to scammer affiliates (Inferno, Pink, MS, Angel). The victim visits a fake mint page, airdrop site, or DeFi front end, connects their wallet, and signs what looks like a routine approval — but the call grants the drainer contract permission to move tokens or NFTs. The drain happens immediately, with proceeds split between the kit operator and the affiliate.
If this just happened to you →Approval phishing
A scam that gets you to sign an ERC-20 (or similar) approval letting an attacker spend your tokens without further interaction.
Different from a one-shot drainer in that the malicious approval can sit dormant. The attacker waits, sometimes weeks, then sweeps the tokens when balances are high or gas is low. Mitigation: periodically revoke unused approvals (revoke.cash, Etherscan token approval tools) and screen any wallet you’re about to interact with.
How to check a wallet first →Address poisoning
An attacker sends a tiny transaction from a vanity address that visually resembles your own deposit address, hoping you copy-paste it from history.
The attacker generates an address with the same first and last few characters as one you regularly send to. Their wallet then sends you a 0-value or 1-wei “transaction” so it appears in your address book. Next time you copy from history without checking the full string, the funds go to the lookalike. Always verify the full address — not just the bookends.
Fake recovery service
A scammer poses as a “crypto recovery expert” who promises to get a victim’s stolen funds back — for an upfront fee that is itself the scam.
Particularly cruel because it targets people already in distress. Real on-chain investigation can sometimes trace where funds went and identify exchange off-ramps that may freeze them through legal process — but no one can “hack the blockchain” to return stolen crypto. Pay-to-recover offers, KYC fees on “unlocked” funds, and demands for wallet seed phrases are all variants of this.
Report a scam wallet →SIM swap
An attacker convinces a mobile carrier to port your phone number to their SIM, then uses it to reset exchange and email passwords.
Not strictly a crypto-protocol attack, but devastating against centralized exchange accounts and any wallet relying on SMS-based 2FA. The fix is structural: move 2FA off SMS to a hardware key or authenticator app, and assume your carrier’s account-recovery process is the weakest link in your stack.
Sanctioned wallet
An address listed on OFAC, EU, UK, or UN sanctions lists — interacting with one can create direct legal exposure.
Includes wallets tied to designated mixers (Tornado Cash, Sinbad), DPRK-linked clusters (Lazarus), ransomware operators, and sanctioned states or individuals. Compliance teams screen every address against these lists at onboarding and on each significant flow. WalletDNA flags hits inline on every report.
How sanctions screening works →Mixer / tumbler
A service that pools many users’ crypto together and pays out from the pool, breaking the on-chain link between source and destination.
Some mixers (Tornado Cash) are sanctioned in the US; others (Wasabi-style CoinJoin, Whirlpool) are protocol-level privacy tools. Either way, funds passing through a mixer are typically treated as elevated AML risk by exchanges, and many exchanges will freeze deposits with recent mixer exposure pending source-of-funds documentation.
Why this matters for AML →Honeypot token
A token contract designed so anyone can buy it, but no one except the deployer can sell.
The contract includes a sell restriction — sometimes obvious, often hidden in proxy upgrades or fee logic. Price charts look great because there are no sellers. Victims discover the problem only when they try to take profit. Always check sell-tax and transfer restrictions on a low-cap token before buying.
ICO / token launch fraud
Funds raised in a token sale never go to the promised product; the team disappears or quietly redirects the proceeds.
Distinct from rug pulls in that the deception happens before launch rather than after liquidity is added. The on-chain pattern is similar: raised funds get bridged, mixed, or sent through chained wallets to centralized exchange deposits. Investigation typically focuses on identifying the exchange off-ramps where KYC was performed.
How forensics work →Exchange exit scam
A centralized exchange suspends withdrawals, blames technical issues, and disappears with customer deposits.
Classic pattern from QuadrigaCX, FTX-adjacent operators, and a long tail of regional exchanges. Withdrawals slow, then halt; support stops responding; the team becomes uncontactable. On-chain, you typically see large outflows from hot wallets to fresh addresses and bridges shortly before the public announcement. Hold balances on reputable, audited exchanges or in self-custody.
Dusting attack
An attacker sends a trivial amount of crypto to many addresses in order to track or de-anonymize them.
Often a precursor to phishing campaigns — once the attacker maps clusters of addresses controlled by the same user, they can target the highest-value identity. Dust transactions are usually harmless on their own, but they’re a useful signal that the receiving wallet has been profiled. Do not interact with unknown dust deposits.
Compliance & regulation
AML (Anti-Money Laundering)
The framework of laws, regulations, and procedures that require regulated businesses to detect and prevent the disguising of illicit funds as legitimate.
AML obligations cover customer identification (KYC), ongoing monitoring, sanctions screening, record-keeping, and suspicious-activity reporting. In crypto they apply to VASPs — exchanges, custodians, and some wallet providers — which must screen counterparties and flows the way a bank screens wire transfers. On-chain analytics is how those obligations are met for blockchain transactions.
Crypto AML software →KYC (Know Your Customer)
The identity-verification step a regulated business performs before onboarding a customer — collecting and confirming legal name, government ID, and address.
KYC is the control every other AML obligation rests on: without a verified identity behind an account, monitoring and reporting are meaningless. For investigations it is why exchange off-ramps matter — the point where funds hit a KYC'd account is the point where a real-world identity can be obtained through legal process.
Why off-ramps matter →CDD & EDD (Customer Due Diligence)
The risk-based process of understanding who a customer is and what activity to expect — with Enhanced Due Diligence (EDD) applied to higher-risk customers.
Standard CDD verifies identity and expected activity. EDD kicks in for elevated risk — politically exposed persons, high-risk jurisdictions, or unusual on-chain patterns like recent mixer exposure — and requires deeper checks, senior sign-off, and documented source of funds before the relationship or transaction proceeds.
Blockchain compliance →SAR (Suspicious Activity Report)
A confidential report a regulated institution files with its financial-intelligence unit when it suspects a transaction involves illicit funds or has no apparent lawful purpose.
A SAR is suspicion-based, not threshold-based (a fixed-dollar report is a CTR). Common crypto triggers — the “criteria” — include structuring, exposure to mixers or sanctioned addresses, rapid pass-through or peel chains, chain-hopping through bridges, and funds that do not match a customer's stated profile. In the US, FinCEN requires filing within 30 days of detection and prohibits “tipping off” the customer. Outside the US the equivalent is often an STR (Suspicious Transaction Report). A documented WalletDNA report can serve as the on-chain evidence behind a filing.
How reports support filings →FATF (Financial Action Task Force)
The intergovernmental body that sets the global AML/CFT standards national regulators translate into law — including the rules that apply to crypto.
FATF's 40 Recommendations are the international baseline for anti-money-laundering and counter-terrorist-financing. Its guidance defines what a VASP is and introduced the crypto Travel Rule (Recommendation 16). Member jurisdictions implement these into domestic law, and FATF's “grey” and “black” lists name countries with weak controls — a jurisdiction-risk signal in itself.
Regulatory coverage →Travel Rule
FATF Recommendation 16 applied to crypto: VASPs must pass originator and beneficiary identity information alongside transfers above a set threshold.
It mirrors the decades-old wire-transfer rule in traditional banking. When one exchange sends crypto to another above the threshold (commonly around $1,000), it must transmit sender and recipient details so the receiving institution can screen them. It is why VASP-to-VASP transfers carry identity data that pure on-chain transfers between private wallets do not.
Regulatory coverage →VASP (Virtual Asset Service Provider)
The FATF term for a regulated crypto business — exchanges, custodians, and some wallet and transfer providers — that owes AML obligations.
A VASP is the crypto equivalent of a regulated financial institution: it must perform KYC, screen for sanctions, comply with the Travel Rule, and file suspicious-activity reports. In US terminology many VASPs register with FinCEN as Money Services Businesses (MSBs). Identifying whether a counterparty address belongs to a VASP is central to knowing where legal process can actually reach.
Blockchain compliance →OFAC / SDN list
The US Treasury's sanctions authority (OFAC) and its Specially Designated Nationals list — which names specific persons, entities, and crypto wallets US persons are prohibited from transacting with.
OFAC sanctions are effectively strict-liability: dealing with a listed party is a violation regardless of intent. The SDN list includes designated mixers (Tornado Cash), DPRK-linked clusters (Lazarus), and ransomware operators. WalletDNA screens every address against OFAC plus the EU, UK, and UN lists on each report. See also “Sanctioned wallet” above.
How sanctions screening works →Source of funds / source of wealth
Source of funds (SoF) is the origin of the specific money in a transaction; source of wealth (SoW) is how the customer built their overall net worth.
Regulated institutions request SoF/SoW documentation as part of due diligence — especially after high-risk signals like recent mixer exposure or a large unexplained inflow — before crediting or releasing funds. Proving clean provenance on-chain is the flip side: a documented trace showing funds came from a legitimate, non-sanctioned origin.
Prove clean funds →Red-flag indicators (typologies)
Behavioral and on-chain patterns that suggest money laundering — the signals AML programs and investigators watch for.
FATF and financial-intelligence units publish red-flag lists for virtual assets. Common ones: structuring deposits below reporting thresholds, rapid pass-through of funds, peel chains, chain-hopping through bridges to break the trail, mixer use, transactions with newly-created counterparties, and activity that does not match a customer's stated profile. Several of these map directly to WalletDNA's risk-score components.
How risk is scored →Got a wallet involved in one of these?
Run it through WalletDNA — risk score, entity attribution, and a documented report in under 60 seconds.
Analyze a wallet