
Legal Analysis: Major Revisions to Anti-Money Laundering Law and Current Security Risks for Six Key Sectors in the Web3 Industry
TechFlow Selected TechFlow Selected

Legal Analysis: Major Revisions to Anti-Money Laundering Law and Current Security Risks for Six Key Sectors in the Web3 Industry
Web3 industry inherently faces significant security risks due to its decentralized architecture, reliance on smart contracts, and user-managed private keys. These characteristics introduce vulnerabilities such as smart contract exploits, phishing attacks, and irreversible transaction errors. Decentralized applications (dApps) often contain coding flaws that can be leveraged by attackers to drain funds, while the anonymity and permissionless nature of blockchain networks make it difficult to trace or recover stolen assets. Additionally, the Web3 ecosystem poses substantial money laundering risks. The pseudonymous transactions enabled by blockchain technology allow bad actors to obscure the origins of illicit funds. Services such as decentralized exchanges (DEXs), cross-chain bridges, and privacy-enhancing tools like mixers further complicate tracking efforts by regulators and law enforcement. These mechanisms enable the conversion and movement of digital assets across chains and jurisdictions without centralized oversight, increasing the potential for misuse in financing illegal activities. As regulatory frameworks struggle to keep pace with technological innovation, the lack of Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance in many Web3 platforms amplifies systemic financial crime risks.
Author: Shao Shiwei
This section examines the inherent security risks within the Web3 industry and its potential use as a money laundering tool from the perspective of six major sectors in Web3. It aims to reveal potential threats within the industry and raise awareness among practitioners regarding anti-money laundering (AML) risks and legal compliance.
Public blockchains, cross-chain bridges, trading platforms, wallets, DeFi, and NFTs represent the six primary sectors of the Web3 industry. In 2023 alone, these sectors experienced 435 security incidents, resulting in losses totaling approximately $7.983 billion USD (around 57.8 billion RMB).
Public Blockchains
Overview:
A public blockchain is a decentralized cloud server built using blockchain technology, designed to host and run various decentralized applications (dApps). It serves as the foundational network infrastructure for Web3, with notable examples including BTC, ETH, BSC, and SOL. Achieving high decentralization, strong security, and high performance simultaneously remains the ultimate goal for all public blockchains—yet this forms an "impossible trinity." For instance, the Bitcoin blockchain sacrifices performance to achieve decentralization and security, while Ethereum trades off security for decentralization and performance.
According to incomplete statistics, there were 194 public blockchains in existence by December 2023. In terms of ecosystem market capitalization, data from CoinGecko shows that Ethereum, BNB Chain, and Solana rank top three. The total market cap of all public blockchain ecosystems has now surpassed one trillion USD. As of December 2023, the public blockchain sector experienced 13 security incidents, accumulating asset losses exceeding $280 million USD.
Currently, numerous public blockchains are interconnected through cross-chain bridge technologies. This interconnectivity means that if one blockchain encounters an issue, the impact can rapidly spread to other connected chains, triggering chain reactions. Such rapid propagation not only exacerbates the severity of problems but also complicates resolution efforts, posing serious threats to the stability and security of the entire public blockchain ecosystem.
Case Study:
On October 7, 2022, the smart contract platform BNB Chain suffered a hacker attack. Within just two hours, hackers minted 2 million BNB tokens out of thin air and transferred them across chains. They then used decentralized exchanges (DEXs) on respective blockchains to exchange the forged "fake BNB" for real funds, amounting to over $700 million USD.
Cross-Chain Bridges
Overview:
Since individual public blockchains operate independently, investors engaging in investment, staking, or other activities across different chains face limitations due to varying consensus mechanisms. When users need to consolidate or transfer assets between chains, cross-chain technology becomes essential. A cross-chain bridge acts as a critical "bridge" enabling technical and asset transfers—it is not a physical structure but rather a set of protocols and technologies allowing users to move assets across different public blockchains. According to statistics, during the first half of 2022 alone, seven attacks on cross-chain bridges resulted in total losses of approximately $1.1359 billion USD.
According to Chainalysis data, illicit actors increasingly exploited bridging protocols for money laundering in 2023, particularly following cryptocurrency thefts. As shown in the chart, bridging protocols received $743.8 million USD in cryptocurrencies from illegal addresses in 2023, compared to $312.2 million USD in 2022. For example, the North Korean hacking group Lazarus Group has combined cross-chain bridges with mixer technologies as a key method for laundering stolen funds.

Case Studies:
1. Ronin Chain Funds Theft
On the evening of March 29, 2022, funds on the Ronin chain—the blockchain behind the blockchain game Axie Infinity—were stolen. The actual breach occurred on March 23 but was not discovered until March 29. The attack resulted in losses of approximately $624 million USD (including 173,600 ETH and 25.5 million USDC), marking the most costly cross-chain bridge security incident to date. The stolen funds could not be recovered, and ultimately, Axie Infinity and its development company Sky Mavis compensated affected users.
2. Cross-Chain Projects Used for Money Laundering
On August 10, 2022, blockchain analytics firm Elliptic reported that the cross-chain protocol RenBridge had been used in money laundering transactions involving at least $540 million USD in illicit funds.
On May 21, 2023, Zhao Jun, CEO of the prominent cross-chain project Multichain, was taken into custody by Chinese police from his home and lost contact with the global Multichain team. Public media reports indicate that Multichain's arrest was linked to large-scale money laundering activities on behalf of criminal organizations.
Trading Platforms
Overview:
Trading platforms, also known as digital currency exchanges or cryptocurrency exchanges, primarily provide services such as buying and selling virtual currencies, storing and managing users' digital assets, and offering crypto lending services. According to CoinGecko data, there were 887 cryptocurrency exchanges by December 2023, including 224 centralized exchanges (CEXs), 663 decentralized exchanges (DEXs), and 94 derivative trading platforms. In 2023, cryptocurrency exchanges experienced 19 security incidents, resulting in cumulative asset losses exceeding $1.2 billion USD.
Case Study:
On November 21, 2023, the U.S. Department of Justice announced that Binance Holdings Limited, operator of the world’s largest cryptocurrency exchange Binance.com (commonly referred to as Binance), admitted to involvement in suspected money laundering, unlicensed money transmitting, and sanctions violations. Binance agreed to pay $4.3 billion USD in penalties ($2.5 billion USD in forfeited assets and $1.8 billion USD in criminal fines). Additionally, Binance founder and CEO Changpeng Zhao acknowledged failing to maintain an effective anti-money laundering program and resigned from his position as CEO.

At 4:36 PM on November 21, Binance founder Changpeng Zhao posted on X (formerly Twitter) that he had resigned as CEO of Binance that day, stating, “I made mistakes, and I must take responsibility.”

The U.S. Department of Justice stated that Binance failed to implement an effective anti-money laundering program. For years, Binance allowed users to open accounts and conduct transactions without requiring any identity information beyond an email address. U.S. sanctions laws prohibit Americans from transacting with clients in sanctioned jurisdictions, including Iran. Nevertheless, Binance failed to implement controls preventing U.S. users from trading with Iranian users. Between January 2018 and May 2022, Binance’s deliberate failures enabled over $898 million USD in transactions between U.S. users and users typically residing in Iran.
“Binance turned a blind eye to its legal obligations in pursuit of profit. Its willful neglect allowed funds to flow through its platform to terrorists, cybercriminals, and child abusers,” said U.S. Treasury Secretary Janet Yellen. “Today’s historic penalties and oversight mark a milestone for the virtual currency industry in ensuring compliance with U.S. laws and regulations. Any institution, wherever located, that seeks to benefit from the U.S. financial system must meet requirements designed to protect us all from terrorists, foreign adversaries, and criminals—or face consequences.” According to tech website GeekWire, Judge Jones stated in court that Binance’s specific violations of federal banking secrecy laws were “unprecedented in number, scale, and magnitude” and that the company was “essentially blind” to potential terrorist financing and drug trafficking.
On April 30, 2024, Binance founder and former CEO Changpeng Zhao was sentenced to four months in prison for failing to prevent money laundering on the exchange.
Wallets
Overview:
Web3 wallets, also known as cryptocurrency wallets or digital asset wallets, are tools for storing, managing, and using digital currencies. According to statistics, there were 153 digital wallet projects as of December 2023. In 2023, digital wallets experienced 35 security incidents, resulting in cumulative asset losses exceeding $600 million USD.
Money laundering crimes related to digital wallets mainly manifest in two ways: First, inadequate wallet security leading to hacker attacks and user fund losses; second, the anonymity and cross-border nature of digital wallets—requiring only an address (a string of numbers and letters) without KYC verification or intermediary services like banks—make them inherently suitable tools for criminals to launder money.
Case Studies:
1. Hot Wallet Breach
Alphapo is a centralized cryptocurrency payment service provider for gambling, e-commerce, subscription services, and other online platforms. On July 23, 2023, Alphapo’s hot wallet was hacked, resulting in losses of approximately $60 million USD, including Ethereum, TRON, and BTC. The stolen funds were first swapped for ETH on Ethereum and then bridged to Avalanche and BTC networks.
2. China’s First Digital RMB Money Laundering Case Cracked
On November 2, 2021, public security authorities in Xinmi City, Henan Province cracked a telecommunications and internet fraud case where the fraud ring used Digital RMB for money laundering to evade detection. This marked the first case in China involving the use of Digital RMB for money laundering since its pilot launch.
DeFi: The Epicenter of Blockchain Anti-Money Laundering Risks
Overview:
DeFi, or Decentralized Finance, refers to decentralized protocols used to build open financial systems. The current DeFi ecosystem features a wide variety of projects, categorized by function into trading, lending, asset management, stablecoins, financial infrastructure, insurance, derivatives, and trading platforms. According to statistics, DeFi remains the most frequently targeted sector across all Web3 projects. In 2023, there were 282 DeFi-related security incidents, accounting for 60.77% of all incidents, with losses reaching $773 million USD.

Most DeFi products are built on smart contracts and interaction protocols, with code typically open-source. As the DeFi ecosystem grows larger, increasing composability and asset sharing among different DeFi products have led to rising security concerns. According to a report by international blockchain firm Chainalysis, DeFi’s share of funds sent from illegal addresses to cryptocurrency service providers continues to grow. In 2021, DeFi projects received nearly 1900% more illicit funds than in 2020, representing 19% of all monitored illicit flows. By 2022, DeFi protocols had become the largest recipients of illicit funds, receiving 69% of all funds sent from addresses associated with criminal activity.

Case Study:
North Korean Hackers Using DeFi Protocols for Money Laundering
According to a 2021 case provided by Chainalysis, after stealing over $91 million USD in cryptocurrency from centralized exchanges, the North Korean hacker group Lazarus Group used multiple DeFi protocols to launder the funds. Chainalysis noted that the hackers initially stole various ERC-20 tokens, which they then exchanged for Ethereum via different DeFi protocols. They subsequently sent the ETH to mixers, used DeFi protocols again to swap them into Bitcoin (BTC), and finally transferred the BTC to several centralized exchanges to cash out.

NFTs
Overview:
NFTs (Non-Fungible Tokens) are unique digital assets stored on blockchains, characterized by uniqueness, scarcity, and indivisibility. They are primarily used in gaming, art, domain names, and similar areas. According to incomplete statistics, the NFT sector experienced 44 security incidents by December 2023, resulting in cumulative asset losses of approximately $62 million USD.
Case Study: NFT Wash Trading
According to Chainalysis, during the third and fourth quarters of 2021, the majority of illicit cryptocurrency assets related to NFTs originated from scam-associated addresses. These addresses purchased NFTs using cryptocurrencies, and significant amounts of stolen funds were also funneled into NFT marketplaces.

Analysis confirmed that 262 addresses belonged to habitual NFT wash traders. Among them, 152 did not profit, while the remaining 110 earned nearly $8.9 million USD through wash trading.

Note: Data in this article is sourced from industry research reports by OKLink, LingShi Tech, SlowMist, Chengdu LinkAge, Zhifan Tech, and others.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










