This summer, Roman Storm, co-founder of notorious crypto mixer Tornado Cash, was convicted in New York federal court of conspiring to operate an unlicensed money-transmission business.
Prosecutors celebrated Storm’s conviction as a major victory in the fight against crypto money laundering, but the reality is more complex.
For years, regulators have regarded mixers like Tornado Cash as the ultimate money laundering threat. Anonymous, opaque, and tailor-made for criminals, it’s easy to believe that these tools are driving the majority of crypto money laundering. But the figures tell a different story.
The most popular crypto money laundering engines are not cash mixers, they are centralized exchanges: large, brand-name trading platforms that are licensed, regulated, and openly connected to the global banking system. These exchanges appear to be highly regulated and well-supervised, boasting compliance teams and “know your customer” (KYC) verification checks; However, in practice, they allow criminal activity to flourish while acting as the primary on- and off-ramps for dirty crypto.
To truly tackle crypto money laundering, regulators need to focus their efforts on strengthening KYC requirements and monitoring centralized exchanges where most money laundering occurs.
Centralized exchanges are laundering hubs
According to a 2025 Chainalysis report, during 2024, the majority of illicit crypto funds were diverted to centralized exchanges.
Centralized exchanges are where criminals convert their dirty crypto into spendable cash. They are the final step in most laundering schemes: the point where the illicit funds are swapped for dollars, euros or yen and transferred to real banks.
Criminals are attracted to these platforms for the same reasons as legitimate traders: liquidity, speed, and global reach. A mixer like Tornado Cash can obfuscate on-chain funds, but it cannot turn them into cash and transfer them to a bank account – only an exchange with deep liquidity and a fiat connection can do that. Often, centralized exchanges rely on compliance programs that are under-resourced, poorly enforced, or weakened by permissive jurisdictional regulations, allowing illicit transactions to slip through the cracks.
High-profile enforcement cases have highlighted how systemic this problem is. The US Justice Department’s 2023 settlement with Binance revealed that the major exchange had processed transactions involving ransomware, darknet markets and sanctioned entities. The exchange has since boosted compliance efforts, spending $213 million on the divestiture in 2023. BitMex was similarly sentenced to a $100 million fine after pleading guilty to violating the Bank Secrecy Act (Bitmex founders and former executives Arthur Hayes, Ben Delo, and Samuel Reed pleaded guilty to related charges and were later pardoned by US President Donald Trump.)
Focusing regulatory energy on mixers while allowing exchanges to remain the primary fiat gateway for illicit funds is like closing the windows while leaving the front door open.
KYC is no big deal we pretend
Know Your Customer (KYC) regulations are the cornerstone of crypto compliance. On paper, they promise to keep bad actors out by verifying identities, checking transactions, and flagging suspicious activity. In reality, they are often box-ticking exercises, a thin veil of diligence that gives regulators the illusion of security while sophisticated criminals find ways around it.
Weak KYC processes are a problem. Some exchanges accept low-quality identification documents or rely on automated systems that can be tricked with deepfakes or stolen data. Others outsource their compliance entirely, turning it into a contractual checkbox rather than a proactive security. Even when the process works, it may not stop determined launderers from using mules, straw accounts or shell companies to pass initial checks.
But the biggest flaw is structural. KYC is designed to check individual accounts, not detect large-scale laundering patterns. An approved institution can never open an account in its own name. Instead, it will spread transactions among dozens of intermediaries, sending the funds through layers of seemingly legitimate accounts until they reach an exchange that converts them into fiat. By the time funds arrive on the compliance team’s radar, they have often passed through so many hands that the paperwork appears neat and tidy.
That’s why enforcement actions against major exchanges continue to reveal the same inconvenient truth: compliance is not failing because the rules don’t exist; It is failing because the systems that implement them are reactive, under-resourced, and easy to game.
Strengthening centralized exchanges against money laundering
Centralized exchanges will always be attractive targets for launderers because they sit at the junction of crypto and fiat. This makes enforcement not just a matter of policy, but a matter of design. Real progress means moving beyond token KYC checks to systems that detect laundering patterns in real time, across all accounts and across jurisdictions.
This starts with providing compliance teams with resources to match the scale of the platforms they monitor. This means closing legal loopholes that let exchanges operate from permissive jurisdictions when serving high-risk markets, and holding executives personally liable for fraud when controls fail. Regulators should demand and verify that exchanges share actionable intelligence with each other and with law enforcement, so that criminals cannot move from one platform to another without detection.
This is much more difficult than targeting cash-mixers.
None of this will be easy, but it is the only way to combat laundering where it actually occurs. Unless exchanges are tightened at the structural level, enforcement action will remain reactive and billions of illicit funds will continue to slip through the door.