This summer, Roman Storm, the co-founder of the infamous crypto mixer Tornado Cash, was convicted in New York federal court of conspiring to operate an unlicensed money transmission business.
Prosecutors celebrated Storm’s conviction as a major victory in the fight against money laundering, but the reality is more complicated.
For years, regulators have treated mixers like Tornado Cash as the ultimate money laundering threat. Anonymous, opaque, and seemingly tailored for criminals, it’s easy to believe that these tools drive the majority of crypto money laundering. But the numbers tell a different story.
The most popular crypto-launderers are not money mixers, they are centralized exchanges: large, brand-name trading platforms that are licensed, regulated, and openly connected to the global banking system. These exchanges appear to be highly regulated and well monitored, touting compliance teams and “Know Your Customer” (KYC) verification checks; But in practice, they allow criminal activity to abound and serve as the primary entry and exit for dirty crypto.
To truly combat crypto-money laundering, regulators must focus their efforts on strengthening KYC requirements and monitoring the centralized exchanges where most money laundering takes place.
Centralized exchanges are hubs for money laundering
Throughout 2024, the majority of illicit crypto funds were directed to centralized exchanges, according to a 2025 Chainalysis report.
Centralized exchanges are where criminals turn to convert their dirty crypto into usable money. They are the final step in most money laundering schemes: the point where illicit funds are exchanged for dollars, euros or yen and moved into real banks.
Criminals gravitate to these platforms for the same reason legitimate traders do: liquidity, speed and global reach. A mixer like Tornado Cash can blur funds on-chain, but it can’t turn them into cash and move them to a bank account – only an exchange with deep liquidity and fiat connections can do that. Often, centralized exchanges rely on compliance programs that are under-resourced, poorly enforced, or undermined by permissive jurisdictional rules, allowing illegal transactions to slip through.
High-profile enforcement cases have revealed how systemic this problem is. The US Department of Justice’s 2023 settlement with Binance revealed that the prominent exchange had processed transactions linked to ransomware, darknet markets and sanctioned entities. The exchange has since stepped up compliance efforts, spending $213 million on the division in 2023. BitMEX was also fined $100 million after it pleaded guilty to violations of the Bank Secrecy Act (BitMEX founders and former executives Arthur Hayes, Ben Delo and Samuel Reed pleaded guilty to Donald Trump.
Focusing regulatory energy on mixers while allowing exchanges to remain the primary fiat gateway for illicit funds is like locking the windows while leaving the front door open.
KYC is not the silver bullet we pretend it is
Know Your Customer (KYC) rules are the cornerstone of crypto compliance. On paper, they promise to keep out bad actors by verifying identities, screening transactions and flagging suspicious activity. In reality, they are often a box-ticking exercise, a thin veneer of diligence that gives regulators the illusion of security while sophisticated criminals find ways around it.
Weak KYC processes are a problem. Some exchanges accept low-quality identity documents or rely on automated systems that can be cheated with deepfakes or stolen data. Others outsource their compliance entirely, making it a contractual tick rather than an active protection. Even when the process works, it cannot prevent determined launderers from using mules, straw accounts or shell companies to pass initial checks.
But the bigger flaw is structural. KYC is designed to examine individual accounts, not to detect large-scale money laundering patterns. A sanctioned entity may never open an account in its own name. Instead, it will spread transactions across dozens of intermediaries, routing funds through layers of seemingly legitimate accounts until they land on an exchange that converts them to fiat. By the time the funds hit the compliance team’s radar, they have often passed through so many hands that the paper trail feels clean.
This is why enforcement actions against major exchanges keep revealing the same uncomfortable truth: compliance doesn’t fail because the rules don’t exist; it fails because the systems that enforce them are reactive, resource-poor, and easy to game.
Hardening centralized exchanges against money laundering
Centralized exchanges will always be attractive targets for money launderers because they sit at the intersection of crypto and fiat. That makes enforcement not just a matter of policy, but of design. Real progress means moving beyond token KYC checks to systems that detect money laundering patterns in real time, across accounts and across jurisdictions.
That starts with resourcing compliance teams to match the scope of the platforms they monitor. That means closing legal loopholes that let exchanges operate from permissive jurisdictions while serving high-risk markets, and holding managers personally liable for fraud when controls fail. Regulators must require and verify that exchanges share actionable intelligence with each other and with law enforcement, so that criminals cannot simply jump from one platform to another undetected.
This is much more difficult than targeting money mixers.
None of this will be easy, but it is the only way to tackle money laundering where it actually happens. Until the exchanges are hardened at the structural level, enforcement measures will remain reactive and billions in illicit funds will continue to slip through the gates.
