This summer, Roman Storm, co-founder of the infamous cryptocurrency mixer Tornado Cash, was convicted in federal court in New York of conspiring to operate an unlicensed money transmission business.
Prosecutors hailed Storm’s conviction as a major victory in the fight against crypto money laundering, but the reality is more complicated.
For years, regulators have treated mixers like Tornado Cash as the ultimate money laundering threat. Anonymous, opaque, and seemingly tailor-made for criminals, it’s easy to believe that these tools are driving the majority of crypto money laundering. But the numbers tell a different story.
The most popular crypto money laundering engines are not cash mixers, they are centralized exchanges: large branded trading platforms that are licensed, regulated, and openly connected to the global banking system. These exchanges appear highly regulated and well monitored, touting compliance teams and Know Your Customer (KYC) verification checks; However, in practice, they allow criminal activity to worsen, functioning as the main entry and exit route for dirty cryptocurrencies.
To truly combat crypto money laundering, regulators must focus their efforts on tightening KYC requirements and policing centralized exchanges where most money laundering takes place.
Centralized Exchanges Are Laundry Centers
Throughout 2024, the majority of illicit crypto funds headed to centralized exchanges, according to a 2025 Chainalysis report.
Centralized exchanges are where criminals go to convert their dirty cryptocurrencies into spending money. They are the final step in most laundering schemes: the point at which illicit funds are exchanged for dollars, euros or yen and moved to real banks.
Criminals gravitate toward these platforms for the same reason that legitimate traders do: liquidity, speed, and global reach. A mixer like Tornado Cash can obfuscate funds on-chain, but it cannot convert them to cash and move them to a bank account; only an exchange with deep liquidity and fiat connections can do so. Centralized exchanges often rely on compliance programs that are under-resourced, poorly enforced, or undermined by permissive jurisdictional rules, allowing illicit transactions to go undetected.
High-profile law enforcement cases have highlighted how systemic this problem is. The US Department of Justice’s 2023 settlement with Binance revealed that the prominent exchange had processed transactions linked to ransomware, darknet markets, and sanctioned entities. The exchange has since boosted compliance efforts, spending $213 million on the split in 2023. BitMEX was similarly sentenced to a $100 million fine after pleading guilty to violations of the Bank Secrecy Act (BitMEX founders and former executives Arthur Hayes, Ben Delo and Samuel Reed pleaded guilty to related charges and were later pardoned by the president of the United States, Donald Trump).
Focusing regulatory energy on mixers and letting exchanges remain the primary gateways for illicit funds is like closing the windows and leaving the front door wide open.
KYC is not the silver bullet we make it out to be
Know Your Customer (KYC) rules are the cornerstone of cryptocurrency compliance. On paper, they promise to keep bad actors out by verifying identities, scrutinizing transactions, and flagging suspicious activity. In reality, they are often a box-ticking exercise, a thin veneer of diligence that gives regulators the illusion of security while sophisticated criminals find ways around it.
Weak KYC processes are a problem. Some exchanges accept low-quality ID documents or rely on automated systems that can be tricked with deepfakes or stolen data. Others outsource their compliance entirely, turning it into a contractual checkbox rather than an active safeguard. Even when the process works, it cannot prevent certain launderers from using mules, fake accounts or shell companies to pass initial checks.
But the biggest defect is structural. KYC is designed to examine individual accounts, not to detect laundering patterns at scale. A sanctioned entity may never open an account in its own name. Instead, it will distribute transactions among dozens of intermediaries, routing funds through layers of seemingly legitimate accounts until they reach an exchange that converts them into fiat money. By the time funds reach the compliance team’s radar, they have often passed through so many hands that the paper trail appears clean.
This is why enforcement actions against major exchanges continue to reveal the same inconvenient truth: compliance doesn’t fail because the rules don’t exist; It is failing because the systems that enforce them are reactive, under-resourced, and easy to manipulate.
Strengthening centralized exchanges against money laundering
Centralized exchanges will always be attractive targets for money launderers because they sit at the junction of cryptocurrencies and fiat money. That makes law enforcement not just a matter of policy, but also a matter of design. Real progress means moving beyond tokenistic KYC checks to systems that detect laundering patterns in real time, across all accounts and across all jurisdictions.
That starts with resourcing compliance teams to match the scale of the platforms they monitor. It means closing loopholes that allow exchanges to operate from permissive jurisdictions while serving high-risk markets, and holding executives personally liable for fraud when controls fail. Regulators must require and verify that exchanges share actionable intelligence with each other and with authorities, so that criminals cannot simply jump from one platform to another without detection.
This is much more difficult than attacking those who mix money.
None of this will be easy, but it is the only way to address whitewashing where it actually occurs. Until the exchanges tighten at a structural level, law enforcement actions will continue to be reactive and billions in illicit funds will continue to leak out the doors.
