This summer, Roman Storm, the co-founder of infamous crypto mixer Tornado Cash, was convicted in New York federal court of conspiring to operate an unlicensed money-transmitting business.
Prosecutors celebrated Storm’s conviction as a major victory in the fight against crypto money laundering, but the reality is more complicated.
For years, regulators have treated mixers like Tornado Cash as the ultimate money laundering threat. Anonymous, opaque, and seemingly tailor-made for criminals, it’s easy to believe these tools are driving the majority of crypto money laundering. But the numbers tell a different story.
The most popular crypto money laundering engines aren’t cash mixers, they’re centralized exchanges: big, brand-name trading platforms that are licensed, regulated, and openly connected to the global banking system. These exchanges appear highly regulated and well supervised, touting compliance teams and “Know Your Customer” (KYC) verification checks; however, in practice, they allow criminal activity to fester, functioning as the primary on and off-ramps for dirty crypto.
To truly combat crypto money laundering, regulators need to focus their efforts on bolstering KYC requirements, and policing the centralized exchanges where most money laundering takes place.
Centralized exchanges are laundering hubs
Throughout 2024, the majority of illicit crypto funds were routed to centralized exchanges, according to a 2025 Chainalysis report.
Centralized exchanges are where criminals turn to convert their dirty crypto into spendable cash. They are the final step in most laundering schemes: the point where illicit funds are swapped for dollars, euros, or yen and moved into real banks.
Criminals gravitate to these platforms for the same reason legitimate traders do: liquidity, speed, and global reach. A mixer like Tornado Cash can obfuscate funds on-chain, but it can’t turn them into cash and move them into a bank account — only an exchange with deep liquidity and fiat connections can do that. Often, centralized exchanges rely on compliance programs that are under-resourced, poorly enforced, or undermined by permissive jurisdictional rules, allowing illicit transactions to slip through the cracks.
High-profile enforcement cases have exposed just how systemic this problem is. The U.S. Justice Department’s 2023 settlement with Binance revealed that the prominent exchange had processed transactions tied to ransomware, darknet markets, and sanctioned entities. The exchange has since boosted compliance efforts, spending $213 million on the division in 2023. BitMEX was similarly sentenced to a $100 million fine after it pleaded guilty to Bank Secrecy Act violations (BitMEX’s founders and former executives Arthur Hayes, Ben Delo and Samuel Reed pleaded guilty to related charges and were later pardoned by U.S. President Donald Trump.).
Focusing regulatory energy on mixers while letting exchanges remain the primary fiat gateways for illicit funds is like locking the windows while leaving the front door wide open.
KYC isn’t the silver bullet we pretend it is
Know Your Customer (KYC) rules are the cornerstone of crypto compliance. On paper, they promise to keep bad actors out by verifying identities, screening transactions, and flagging suspicious activity. In reality, they’re often a box-ticking exercise, a thin veneer of diligence that gives regulators the illusion of security while sophisticated criminals find ways around it.
Weak KYC processes are one problem. Some exchanges accept low-quality identity documents or rely on automated systems that can be tricked with deepfakes or stolen data. Others outsource their compliance entirely, turning it into a contractual checkbox rather than an active safeguard. Even when the process works, it can’t stop determined launderers from using mules, straw accounts, or shell companies to pass initial checks.
But the bigger flaw is structural. KYC is designed to vet individual accounts, not to detect laundering patterns at scale. A sanctioned entity might never open an account in its own name. Instead, it will spread transactions across dozens of intermediaries, routing funds through layers of seemingly legitimate accounts until they land at an exchange that converts them into fiat. By the time the funds hit the compliance team’s radar, they’ve often passed through so many hands that the paper trail feels clean.
This is why enforcement actions against major exchanges keep revealing the same uncomfortable truth: compliance isn’t failing because the rules don’t exist; it’s failing because the systems enforcing them are reactive, under-resourced, and easy to game.
Hardening centralized exchanges against money laundering
Centralized exchanges will always be attractive targets for launderers because they sit at the junction of crypto and fiat. That makes enforcement not just a matter of policy, but of design. Real progress means moving beyond symbolic KYC checks to systems that detect laundering patterns in real time, across accounts, and across jurisdictions.
That starts with resourcing compliance teams to match the scale of the platforms they monitor. It means closing legal loopholes that let exchanges operate from permissive jurisdictions while serving high-risk markets, and holding executives personally accountable for fraud when controls fail. Regulators must demand, and verify, that exchanges share actionable intelligence with each other and with law enforcement, so criminals can’t simply hop from one platform to another undetected.
This is much harder than targeting cash-mixers.
None of this will be easy, but it’s the only way to tackle laundering where it actually happens. Until exchanges are hardened at the structural level, enforcement actions will remain reactive, and billions in illicit funds will keep slipping through the gates.
