28 April 2026: FATF Targeted Report on Stablecoins and Unhosted Wallets


The Financial Action Task Force (FATF) has released a report entitled “Targeted Report on Stablecoins and Unhosted Wallets: Peer-to-Peer Transactions.” The report aims to enhance understanding of emerging Money Laundering, Terrorist Financing, and Proliferation Financing (ML/TF/PF) risks, threat actors and vulnerabilities related to Virtual Assets/Goods (VA/VGs) with a focus on stablecoins and unhosted wallets, particularly during peer-to-peer (P2P) transactions.

There is increasing use of stablecoins by threat actors, including organised crime groups, terrorist financiers, and drug trafficking networks, due to their liquidity, fast settlement, stability (retention of value) and cross‑border nature.  

P2P transfers through unhosted wallets are a key vulnerability, given that these transactions operate outside of regulated oversight and allow for fast, cross-border movement, making illicit activity harder to detect. The majority of illicit activity in stablecoins occurs in the secondary market (when stablecoins circulate between holders, move across chains, and pass through unhosted wallets without the involvement of an AML/CFT‑obliged intermediary).

The report notes that stablecoin ecosystems can enable obfuscation techniques. FATF describes vulnerabilities such as programmability, high interoperability, use of DeFi, cross‑chain bridges, and automated smart‑contract transactions that obscure fund origins and complicate source of funds assessments.

 

Key Takeaways:

Money Laundering Typologies

1.    Money launderers and perpetrators have been observed to use stablecoins to collect proceeds involving investment fraud, impersonation fraud, romance scams, pig butchering, and sextortion. These are noted in the Isle of Man’s Gambling Sectoral Risk Assessment as developing and evolving threats to the sector.

2.    Drug trafficking organisations are increasingly leveraging the use of stablecoins, particularly USDT on TRON and USDC on Ethereum, for paying overseas suppliers of synthetic drug precursors, settling drug transactions and laundering proceeds of drug trafficking.

3.    Using stolen IDs

a.    Drug trafficking organisations also exploit high-volume online gambling platforms and merchant refund loops, where goods are purchased using stolen identities and returned for refunds in stablecoins to third-party wallets.

4.    Exploiting countries with weaker AML/CFT controls

a.    Drug trafficking proceeds are often exchanged for fiat currency via unlicensed or unregistered VASPs, including OTC brokers, in jurisdictions with weak or non-existent AML/CFT controls.

5.    Gambling platforms as part of the layering process

a.    Professional money launderers employ sophisticated layering techniques using stablecoins, including chain-hopping, smurfing (breaking transactions into smaller amounts), and cross-chain transfers to obscure the origin and destination of funds.

b.    They also use DEXs that lack know-your-customer protocols, virtual asset automated teller machines (ATMs), and online gambling platforms, which can further complicate tracing efforts. Additionally, in some cases, stablecoins are used to settle transactions in underground banking arrangements.

 

Terrorist Financing / Proliferation Financing Typologies

1.    State-linked cybercriminal groups have rapidly adopted stablecoins as a preferred method for laundering proceeds from ransomware, phishing, and other cyber-enabled crimes.

2.    The ability to conduct transactions using stablecoins such as USDT for prohibited activities provides UN-designated entities with an additional mechanism to evade international sanctions.

a.    The DPRK and Iranian actors are known to use stablecoins, such as USDT, to evade sanctions for proliferation.

Flag Indicators:

Circumvention of Funding Restrictions

Indicators

  • Deposits originating from wallets, payment methods, or instruments not demonstrably owned or controlled by the customer
  • Repeated failed or reversed deposit attempts followed by successful funding from alternative sources
  • Multiple customer accounts linked to shared funding instruments or wallet clusters
  • Evidence of indirect third-party funding, including peer-to-peer transfers immediately preceding deposits.

Controls

  • Verification of wallet ownership prior to acceptance of deposits (e.g. cryptographic verification or equivalent methods)
  • Implementation of wallet whitelisting procedures, so that the operator can verify that the wallet belongs to the customer. Common methods include:
    • Cryptographic proof
      (e.g. signing a message with the private key)
    • Satoshi test / micro-transfer
      Customer confirms receipt or returns a small amount
    • Behavioural linkage
      Matching wallet activity with known customer behaviour (supporting evidence only)
    • Third-party analytics tools
      Assess whether the wallet is linked to exchanges, services, or other entities
  • Use of blockchain analytics tools to assess source of funds and counterparty risk
  • Monitoring of device, IP address, and behavioural data to detect linked accounts
  • Rejection or suspension of transactions where beneficial ownership cannot be established.

 

Minimal or Artificial Gameplay

Indicators

  • Large deposits followed by low-risk, low-variance, or offsetting bets designed to minimise exposure
  • Rapid completion of wagering activity inconsistent with genuine gambling behaviour
  • Patterns of deposit followed by minimal gameplay and a prompt withdrawal request
  • Coordinated activity across multiple accounts to simulate legitimate play.

Controls

  • Definition and enforcement of “meaningful gameplay” thresholds based on risk
  • Monitoring for low-risk betting strategies indicative of artificial gameplay
  • Automated alerts for disproportionate deposit-to-turnover ratios
  • Restriction of withdrawals until gameplay requirements are demonstrably met
  • Application of behavioural analytics to identify non-recreational patterns of gameplay.

 

Suspicious Withdrawal Activity

Indicators

  • Withdrawal requests submitted shortly after deposit with limited gameplay
  • Requests to withdraw funds to wallets or payment methods that do not match the original funding source and are not verified as belonging to the customer
  • Repeated withdrawals to newly introduced or previously inactive destinations
  • Structuring of withdrawals into multiple smaller transactions
  • Acceptance of unfavourable fees or conditions to expedite withdrawal.

Controls

  • Enforcement of withdrawal requirements: return to source, or to a source verified as belonging to the customer
  • Re-verification of wallet ownership at the point of withdrawal
  • Application of cooling-off periods for higher-risk transactions
  • Transaction monitoring for rapid deposit-withdrawal cycles
  • Manual review and approval of first-time or high-value withdrawals.
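
The gameplay and withdrawal indicators above can be expressed as transaction-monitoring rules. The sketch below is an added example, not code from the GSC or the FATF report; the thresholds, indicator names, event layout and wallet labels are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds, for illustration; an operator derives its own from its risk assessment.
MIN_TURNOVER_RATIO = 1.0                 # total stakes / total deposits
RAPID_WINDOW = timedelta(hours=1)        # last deposit -> withdrawal request
STRUCTURING_COUNT = 3                    # requests inside STRUCTURING_WINDOW
STRUCTURING_WINDOW = timedelta(hours=24)


def review_account(events, verified_wallets):
    """Return the sorted indicator names raised by one account's events.

    events: dicts with keys ts, kind (deposit | bet | withdrawal_request),
    amount and wallet (None for bets). Rules run at the point of withdrawal.
    """
    deposits = [e for e in events if e["kind"] == "deposit"]
    bets = [e for e in events if e["kind"] == "bet"]
    withdrawals = [e for e in events if e["kind"] == "withdrawal_request"]
    if not withdrawals:
        return []
    flags = set()

    deposited = sum(e["amount"] for e in deposits)
    staked = sum(e["amount"] for e in bets)
    if deposited and staked / deposited < MIN_TURNOVER_RATIO:
        flags.add("low_turnover")

    funding_wallets = {e["wallet"] for e in deposits}
    for w in withdrawals:
        earlier = [d["ts"] for d in deposits if d["ts"] <= w["ts"]]
        if earlier and w["ts"] - max(earlier) <= RAPID_WINDOW:
            flags.add("rapid_deposit_withdrawal")
        # Return to source, or to a wallet already verified as the customer's.
        if w["wallet"] not in funding_wallets | set(verified_wallets):
            flags.add("unverified_destination")

    times = sorted(w["ts"] for w in withdrawals)
    for i in range(len(times) - STRUCTURING_COUNT + 1):
        if times[i + STRUCTURING_COUNT - 1] - times[i] <= STRUCTURING_WINDOW:
            flags.add("structured_withdrawals")
    return sorted(flags)


# Constructed sample accounts; wallet labels are placeholders, not real addresses.
T0 = datetime(2026, 1, 5, 12, 0)

def ev(minutes, kind, amount, wallet=None):
    return {"ts": T0 + timedelta(minutes=minutes), "kind": kind,
            "amount": amount, "wallet": wallet}

SUSPECT = [ev(0, "deposit", 5000, "W_A"), ev(5, "bet", 50), ev(6, "bet", 50),
           ev(20, "withdrawal_request", 1600, "W_X"),
           ev(25, "withdrawal_request", 1600, "W_X"),
           ev(30, "withdrawal_request", 1600, "W_X")]
RECREATIONAL = [ev(0, "deposit", 200, "W_B")] + \
               [ev(m, "bet", 160) for m in (30, 90, 150, 210)] + \
               [ev(300, "withdrawal_request", 150, "W_B")]

if __name__ == "__main__":
    print(review_account(SUSPECT, verified_wallets={"W_A"}))
    print(review_account(RECREATIONAL, verified_wallets={"W_B"}))
```

Any returned indicator would feed the manual review and escalation steps rather than block the withdrawal on its own.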

 

Account Misuse and Control Risks

Indicators

  • Multiple accounts linked through shared devices, IP addresses, or behavioural characteristics
  • Accounts functioning as mechanisms for value transfer rather than gambling
  • Activity inconsistent with the customer’s known profile, location, or financial position
  • Sudden increases in activity following prolonged dormancy.

Controls

  • Robust customer due diligence and ongoing monitoring procedures
  • Device fingerprinting and IP intelligence to identify linked users
  • Network and link analysis to detect coordinated account activity
  • Triggering of enhanced due diligence in response to significant behavioural changes.

 

Use of Virtual Assets to Obscure Source of Funds

Indicators

  • Deposits linked to mixers, tumblers, privacy-enhancing tools, or obfuscation services
  • Evidence of cross-chain transfers or rapid asset swaps prior to deposit
  • Complex transaction paths designed to conceal origin of funds
  • Interaction with unregulated or high-risk virtual asset service providers
  • Funds received following multiple rapid transfers between wallets.

Controls

  • Integration of blockchain analytics solutions to risk-score transactions and counterparties
  • Blocking or enhanced scrutiny of transactions linked to high-risk services or typologies
  • Requirement for source of wealth information where risk indicators are present
  • Ongoing monitoring of wallet activity and transaction patterns.

 

High-Risk Counterparties and Jurisdictions

Indicators

  • Transactions involving jurisdictions with known deficiencies in AML/CFT controls
  • Exposure to unlicensed or non-compliant virtual asset service providers
  • Wallets or counterparties with unverifiable beneficial ownership
  • Links to illegal gambling operators or other high-risk environments.

Controls

  • Real-time sanctions screening and adverse media checks
  • Jurisdiction-based risk assessment and application of restrictions where appropriate
  • Prohibition or limitation of interactions with non-compliant entities
  • Continuous monitoring of counterparty risk.

 

Terrorist Financing Indicators

Indicators

  • Multiple small or medium-value deposits from disparate sources
  • Rapid movement of funds through the platform with minimal gameplay
  • Use of virtual assets associated with fundraising campaigns or high-risk regions
  • Complex transaction routing designed to obscure ultimate destination of funds.

Controls

  • Application of enhanced due diligence for high-risk customers and geographies
  • Lower thresholds for internal escalation and suspicious activity reporting
  • Monitoring for rapid and unusual transaction flows
  • Immediate escalation in line with AML/CFT reporting obligations.

 

Escalation and Reporting

Where one or more of the above indicators are identified, particularly in combination, the activity must be subject to:

  • Immediate internal escalation to the Money Laundering Reporting Officer (MLRO) or equivalent
  • Consideration of account restriction, suspension, or termination
  • Investigation in line with internal procedures; and
  • Submission of a SAR where appropriate.

 

Core Risk Principle

In a controlled online gambling environment, elevated money laundering risk arises where there is evidence of:

  • Unclear or unverifiable ownership of funds
  • Artificial or minimal gameplay designed to legitimise funds
  • Rapid withdrawal behaviour inconsistent with recreational gambling
  • Attempts to obscure the origin or destination of funds.

 

In assessing the risk associated with virtual asset deposits and withdrawals, the operator must take into account the traceability of funds and the degree of exposure to high-risk sources observable through blockchain analysis, and must determine risk based on a reasonable threshold of exposure to higher-risk factors. Operators should adopt a risk-based approach when assessing blockchain traceability, recognising that as the number of intermediary transactions (hops) increases, the ability to attribute ownership or intent diminishes.

In particular, virtual assets received from centralised or widely used exchanges may have extensive and mixed transaction histories, and remote exposure to higher-risk sources (beyond a defined proximity threshold) should not, in isolation, be treated as indicative of customer risk. It is therefore recommended that operators establish and document reasonable thresholds for assessing the materiality of exposure, giving greater weight to recent and proximate interactions (e.g. within a limited number of hops) and to activity suggesting intentional obfuscation, while discounting distant or diluted exposure unless supported by additional risk indicators.
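
One way to turn the hop-based materiality principle above into a documented, repeatable rule is shown below. This is an added example, not code from the GSC or the FATF report; the proximity threshold, decay factor, escalation threshold, category labels and flag names are all assumptions an operator would replace with its own documented values.

```python
from dataclasses import dataclass

# Assumed policy parameters, for illustration only; each operator sets and documents its own.
PROXIMITY_HOPS = 3   # exposure further away than this is "remote"
HOP_DECAY = 0.5      # weight halves with each hop beyond the first
ESCALATE_AT = 0.10   # weighted share of the deposit that triggers escalation
CATEGORY_WEIGHT = {  # hypothetical analytics-tool labels and severities
    "mixer": 1.0, "sanctioned": 1.0, "darknet_market": 1.0,
    "unlicensed_vasp": 0.6, "illegal_gambling": 0.6,
}


@dataclass(frozen=True)
class Exposure:
    category: str   # label reported by the analytics tool
    hops: int       # transactions between the flagged source and the deposit (1 = direct)
    share: float    # fraction of the deposit value traced to that source, 0..1


def assess(exposures, obfuscation_flags=()):
    """Return (score, counted, decision) for one deposit.

    Remote exposure is ignored when it stands alone and counted (with decay)
    only when other indicators, e.g. rapid cross-chain movement, are present.
    """
    counted = []
    score = 0.0
    for e in exposures:
        if e.hops < 1 or not 0.0 <= e.share <= 1.0:
            raise ValueError(f"implausible exposure record: {e}")
        severity = CATEGORY_WEIGHT.get(e.category, 0.0)
        if severity == 0.0:
            continue                      # not a higher-risk category
        if e.hops > PROXIMITY_HOPS and not obfuscation_flags:
            continue                      # distant and diluted, nothing else supports it
        score += e.share * severity * HOP_DECAY ** (e.hops - 1)
        counted.append(e)
    if score >= ESCALATE_AT:
        decision = "escalate"
    elif counted and obfuscation_flags:
        decision = "enhanced_review"
    else:
        decision = "standard"
    return score, counted, decision


if __name__ == "__main__":
    # Constructed sample deposits, not real analytics output.
    samples = {
        "exchange withdrawal, old mixer trace": ([Exposure("mixer", 6, 0.02)], ()),
        "same trace after a cross-chain burst": ([Exposure("mixer", 6, 0.02)], ("rapid_cross_chain",)),
        "recent mixer output": ([Exposure("mixer", 2, 0.30)], ()),
    }
    for name, (exp, flags) in samples.items():
        score, counted, decision = assess(exp, flags)
        print(f"{name}: score={score:.4f} counted={len(counted)} -> {decision}")
```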

 

 

Anonymity-related indicators

  1. Stablecoin transfers involving unhosted wallets that are multiple hops away from Travel Rule-covered wallets (TRW);
  2. The unhosted wallet is suddenly activated after a long period of inactivity, completes multiple cross-chain transactions in a short period of time, and then becomes inactive again;
  3. Unhosted wallets frequently conduct "large-value two-way transfers" with hosted wallets of offshore stablecoin exchanges without reasonable business explanations;
  4. The unhosted wallet has transferred funds to addresses of illegal domestic and offshore stablecoin trading platforms and dark web markets or has received funds from these platforms;
  5. Use of offshore issuers not authorised or registered in the jurisdiction;
  6. Integration with DeFi for swapping stablecoins, liquidity pooling, and yield farming to obscure transaction trails;
  7. Smurfed stablecoin transfers are coordinated from overlapping devices, Internet Protocol Autonomous System Numbers (IP ASNs), and browsers, with perennial near-instant conversions from fiat to stablecoins via a DEX and off-ramping back into fiat, executed within sub-hour windows to minimise detection opportunities;
  8. Movement of funds between different blockchains using stablecoins to complicate tracing and exploit gaps in blockchain analytics tools;
  9. Conducting stablecoin cross-chain transfers across multiple blockchains in a short period of time, with a high cumulative transaction amount;
  10. Progressively bridging stablecoins across chains (e.g., TRON to Ethereum and to Solana) and wrapping/unwrapping stablecoins prior to off-ramp, inserting additional contracts and router hops that degrade traceability;
  11. Stablecoins combined with mixers, anonymity-enhanced coins or privacy wallets to enhance anonymity during the layering stages;
  12. Transactions in VAs originating from or directed towards persons/addresses or settled by means of instruments or accounts that appear to be linked, directly or indirectly, to the deep web or in any case to other risky contexts (e.g. mixing, tumbling, unauthorised gambling operators);
  13. Proceeds are funnelled through brokered P2P markets and informal OTC desks that accept cash, gift cards, or third-party bank transfers, converting to stablecoins that are layered across multiple wallets before reconverting on an exchange account.

 

Gambling Case Studies

The report includes key case studies as well as flags and mitigations for the reader.

Online Gambling Case Study: What happened?

Funds originated from online gambling platforms using virtual assets. These funds were quickly converted into stablecoins through a custodian wallet hosted by a VASP in France. After conversion, the stablecoins were converted into fiat currency and spread across several bank accounts. The VASP, recognising suspicious behaviour, filed an STR to the French FIU.

The VASP identified that the individuals used online casinos in ways that did not match their customer profile, lifestyle, or financial situation. The rapid conversion of gambling-derived virtual assets into stablecoins had no legitimate economic purpose, indicating an attempt to obscure the source of funds.

The case illustrates how gambling activity can be abused as a “layering” step in money laundering. Criminals may use online gambling platforms not for the intended purpose, but as a value transfer mechanism alongside VASPs and stablecoin conversion to “clean” illicit proceeds by adding multiple layers of obfuscation. This gives the illicit funds the appearance of legitimate gambling winnings. It also reflects how financial crime exploits the gap between sectors (in this instance, online casinos, VASPs and banks).

For operators, this reinforces the need for:

  • Analytics on source exposure;
  • “Hops” analysis;
  • Quality CDD to enable operators to assess whether gambling activity is consistent with the customer profile or declared source of wealth; and
  • Consideration of what happens before and after funds touch their platform.

 

What should Operators do?

Although the use of stablecoins is not, by itself, indicative of criminal activity, operators should anticipate increasing exposure to stablecoin‑related illicit activity and reflect this within their risk assessments.

Technology Risk Assessments (TRAs) should address VA/VG‑specific threats and set out how stablecoin and unhosted wallet-related risks are mitigated.

Operators should integrate blockchain analytics solutions to assess wallet‑level risk before accepting deposits. Where deposits or exposure to virtual asset-derived funds form more than a minimal proportion of an operator’s business, either in‑house analytics or reputable third‑party tools should be deployed to provide enhanced oversight. These tools should be capable of tracing cross‑chain flows and identifying layered smart‑contract activity.

Where virtual assets are accepted via a payment provider, operators must ensure that the provider is compliant with FATF standards, including Recommendation 15 (“New Technologies”), which extends AML/CFT requirements to virtual assets and VASPs.

Operators should use the identified risk indicators to detect suspicious stablecoin activity. Red flags should be built into transaction‑monitoring systems, and staff should be trained on the relevant typologies.

Unhosted‑wallet stablecoin deposits should be treated as inherently high‑risk.

Operators should apply source‑exposure analytics to identify interactions with mixers, high‑risk exchanges, or sanctioned jurisdictions, and should scrutinise multi‑hop transactions, particularly where the transaction pattern appears designed to obscure the origin of funds.

Enhanced due diligence must be undertaken for all high‑risk customers, including obtaining reasonable assurance regarding the player’s source of wealth. The GSC expects operators to apply more stringent measures to VA/VG‑related source‑of‑funds and source‑of‑wealth checks.

 

Useful Resources:

GSC Virtual Assets/Goods Guidance

2026 Isle of Man VA/VASP Report (NRA)

2026 Isle of Man Money Laundering NRA

2026 Isle of Man Money Laundering in Gambling Report (Gambling NRA)

FATF VA/VASP Typology Report

 

Glossary:

Blockchain

A blockchain is like a ledger of transaction activity. All on-chain activity (e.g. transactions) is logged on the blockchain. Different coins can be on different chains. The biggest blockchains (by trade volume) are Ethereum, Solana, BSC and TRON.

Chain-hopping

Chain-hopping is moving funds between various ledgers (blockchains) in an attempt to obfuscate the origin of the original transaction; it is a layering technique.

DeFi

Decentralised Finance

DEX

Decentralised Exchange

Fiat

Fiat is a “traditional” currency, e.g. the British Pound (£) or US Dollar ($).

Hosted/unhosted wallets

What is a hosted wallet?

Hosted wallets, also called custodial wallets, involve a third party holding the private cryptographic keys on behalf of the user. This is typically an exchange like Coinbase or a specialised custody provider. 

Hosted wallets function analogously to traditional bank accounts, with a known, regulated entity responsible for safekeeping the assets and maintaining records of beneficial ownership.

What is an unhosted wallet?

Unhosted wallets, also referred to as self-hosted, non-custodial or private wallets, place private key management directly in the user's hands without intermediary involvement. 

The wallet owner maintains complete control over their cryptographic keys and, by extension, their digital assets. No third party can restrict access, freeze funds or provide transaction history to regulators or law enforcement without the owner's cooperation.

OTC brokers

“Over the Counter” brokers. They facilitate peer-to-peer transactions directly, rather than through a centralised exchange, acting as decentralised intermediaries for P2P transactions.

Stablecoins

Stablecoins are Virtual Assets that are linked directly to the value of a traditional currency, such as the USD.