As a reminder, the Financial Crime Enforcement Network’s (FinCEN) Residential Real Estate rule (the “Real Estate Rule”) is effective March 1, 2026. The Real Estate Rule was originally to take effect December 1, 2025, but FinCEN’s subsequently announced a temporary exemptive relief, extending the effective date until March.  We have previously blogged about the Real Estate Rule here and here.  

To recap, the Real Estate Rule institutes a new reporting form, the “Real Estate Report” which imposes a nation-wide reporting requirement for certain non-financed transfers of residential real estate to legal entities or trusts. Beginning March 1st, the “reporting person” must file the Real Estate Report electronically through FinCEN’s BSA E-Filing System. The Real Estate Rule provides a “cascading” reporting structure that requires at least one person involved in the real estate transaction to file the Real Estate Report.  

The Real Estate Rule has been subject to various lawsuits, including one case in Florida that argues the constitutionality of the rulemaking. In that Florida case a recent Magistrate Judge’s Report and Recommendation concluded that the Real Estate Rule was statutorily authorized by the Bank Secrecy Act and recommended summary judgment be granted to the Department of the Treasury. The Plaintiff has objected to the Magistrate Judge’s Report. Despite the pending lawsuits, and as of now, the Real Estate Rule appears to be on track for the March effective date.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

In response to the continued rise of payment card skimming, the United States Secret Service conducted one of its most expansive enforcement efforts to date, launching a nationwide initiative aimed at identifying and removing illicit skimming devices before stolen data could be used for fraud.

What is Card Skimming and How Does it Work?

The Federal Bureau of Investigation (FBI) describes card skimming as the use of “devices illegally installed on or inside ATMs, point-of-sale (POS) terminals, or fuel pumps [to] capture card data and record cardholders’ PIN entries.” Skimmers may be inserted inside the card reader, placed over the point-of-sale terminal as an overlay, or concealed along internal wiring. Because many of these devices allow the compromised payment terminals to function normally, victims often have no idea that their information has been stolen.

Once obtained, the Secret Service notes that the stolen card data is encoded onto another magnetic-stripe card, enabling unauthorized purchases and withdrawals using the victim’s account information. The FBI estimates that skimming costs U.S. consumers and financial institutions more than $1 billion annually.

EBT Fraud as a Primary Target

Electronic Benefits Transfer (EBT) cards have become a particular focus of skimming operations. Unlike most consumer credit cards, EBT cards generally lack chip technology, making them significantly easier for criminals to compromise. As of early 2024, the FBI reported that no state had implemented chip-enabled EBT cards.

The lack of robust security features and predictable monthly deposit schedules make EBT cards especially vulnerable. According to the FBI, scammers often withdraw EBT cash benefits shortly after funds are loaded, often between midnight and 6 a.m. the day the benefits become available. Low-income households that rely on these benefits are disproportionately affected, and reimbursement for lost funds is often limited.

Inside the Secret Service’s 2025 Nationwide Crackdown

To address the escalating threat, the Secret Service partnered with federal, state and local law enforcement agencies to conduct a series of coordinated enforcement and outreach operations throughout 2025. According to the agency, the initiative resulted in:

  • 22 operations conducted nationwide
  • More than 9,000 businesses visited
  • Nearly 60,000 ATMs, gas pumps, and point-of-sale terminals inspected
  • 411 illegal skimming devices identified and dismantled
  • An estimated $428.1 million in potential fraud losses prevented

Operations spanned major metropolitan areas as well as smaller cities, including: Los Angeles, New York City, Washington, D.C., Anchorage, Boston, Orlando, Charlotte, Buffalo, San Diego, San Antonio, Baltimore, Tampa, Atlanta, Savannah, Memphis, Miami and Pittsburgh. Several cities saw multiple rounds of inspections.

Rather than waiting for fraud reports to surface, this initiative relied on proactive, in-person inspections. Agents frequently uncovered skimming devices even when business owners believed their terminals were secure. 

Investigators noted that skimmers can be installed in seconds, sometimes as a store clerk briefly turns their attention away from payment terminals. The FBI has warned that fraudsters may intentionally divert employees’ attention, such as by requesting items from behind the counter. Much of this activity is linked to transnational criminal groups, and store employees are typically unaware that devices have been installed.

In addition to removing skimmers, agents also educated business owners on identifying signs of tampering. In some cases, scammers returned to reinstall devices within days, or even hours, of an inspection.  Because of the outreach component, however, owners were able to detect and report the new devices quickly.

Consumer Protection: What to Watch For

Both the Secret Service and the FBI emphasize that basic vigilance can significantly reduce the risk of falling victim to a fraudulent skimming scheme. Recommended precautions include:

  • Inspection of card readers for loose, crooked, damaged or scratched components
  • Use tap-to-pay or chip-enabled cards whenever possible
  • When using a debit card, run it as credit to avoid entering a PIN; if a PIN is required, shield the keypad
  • Be especially alert in tourist areas with high transaction volume
  • Prefer indoor, well-lit ATMs, which are less susceptible to tampering

What Comes Next?

The Secret Service made clear that its 2025 initiative represents the beginning of an expanded and ongoing effort. The agency plans to continue enforcement and outreach into 2026 and beyond, working with domestic law enforcement partners to dismantle the criminal networks enabling these schemes.

As Assistant Director of the U.S. Secret Service’s Office of Field Operations, Kyo Dolan, noted, these actions are designed to remove skimmers “before criminals can recover the stolen card numbers they contain,” while also targeting the organizations behind the schemes.

Although skimming fraud remains a pervasive threat, proactive and coordinated enforcement can meaningfully disrupt it. For consumers and businesses alike, awareness, vigilance and early detection remain the first line of defense.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

In December, the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a $3,500,000 civil penalty against Paxful, Inc. and Paxful USA, Inc. (“Paxful”), pursuant to a consent order.

Paxful is an exchanger of convertible virtual currencies (“CVC”), operating both a CVC wallet service and a marketplace for peer-to-peer (“P2P”) buyers and sellers of CVC. The company describes itself as “the world’s largest P2P marketplace,” enabling users to buy and sell digital currencies across 140 markets with hundreds of payment methods, send cash or cryptocurrency instantly, and “become a peer-to-peer market maker.” According to the consent order, between February 2015 and April 2023, Paxful conducted transactions with over 4 million users, including over 50 million trades valued at a total of several billion dollars. These transactions ranged across products including CVC, prepaid access cards, and fiat currencies. In that time period, Paxful’s customers engaged in over 20 million external crypto transactions worth more than $10 billion.

In the order, Paxful admitted to three types of violations. First, Paxful failed to maintain its registration with FinCen. Second, it failed to implement an effective AML program. Third, it failed to identify and report suspicious activity. Paxful agreed to pay a $3,500,000 civil penalty for these violations, which FinCEN described as “egregious” and having “caused extensive possible harm to the public.”

Failure to Register as a Money Services Business

The Bank Secrecy Act (“BSA”) requires all “money services businesses” to register with FinCEN as an MSB within 180 days of beginning operations, and to renew its registration every two years. Paxful is treated as an MSB because it is a “money transmitter,” one of seven categories of businesses required to register as MSBs. While Paxful initially registered with FinCEN in July 2015, it allowed its registration to lapse. MSBs are required to renew their registrations by the last day of the calendar year before two-year renewal period—here, Paxful was required to re-register by December 31, 2016. It failed to do so until September 3, 2019, and therefore operated as an unregistered MSB for 974 days.

Failure to Develop, Implement, and Maintain an Effective AML Program

Much of the consent order details Paxful’s failure to implement a compliant AML program. At the outset, Paxful did not have any AML program in place for its first four years of operation, only implementing a program for the first time in February 2019. The program Paxful eventually implemented still fell short of FinCEN’s requirements in numerous respects, including:

  • Know your customer protocols. The know your customer (“KYC”) protocols Paxful put in place only applied to users whose activity exceeded $1,500, and Paxful made no effort to prevent users from evading controls by structuring transactions around this minimum.
  • Customers acting as unregistered MSBs. While Paxful identified a risk that smaller P2P exchangers could use Paxful, it did not implement controls to identify unregistered MSBs.
  • Geographic spoofing. Paxful did not assess customers’ locations, or take any action to identify circumstances where users used geographic spoofing to hide their true location—in many cases concealing activity from locaitons the government considers high-risk jurisdictions. 
  • Transaction monitoring. Although Paxful’s products and services could be used for money laundering, its AML program provided no mechanism for the company to identify and report suspicious activity, as required by law.
  • Prepaid access transactions. Paxful operates a prepaid access program, which was a substantial portion of its business. Between May 2015 and December 2019, the top payment methods on the platform were iTunes and Amazon prepaid access cards. Despite knowing that illicit actors were exploiting this market, Paxful prioritized its development, and failed to implement controls to monitor and illicit activity taking place within it.
  • North Korean, Iranian, and terrorist finance transactions. One result of Paxful’s failure to implement sufficient internal controls is that it facilitated transactions with what the consent order describes as hostile nation-states and state-sponsored cybercriminals, including from Iran and North Korea. The Lazarus Group, which is designated a North Korean state-sponsored cyber-criminal group, conducted thousands of trades on Paxful’s platform. Paxful took no steps to address this for several years after receiving law enforcement inquiries about it.
  • Compliance Officer. Although MSBs are required to designate a person ensure compliance with internal compliance programs and the BSA, Paxful operated without any designated compliance officer. When it did begin listing a compliance officer, that individual had never received any BSA or AML training, and during that person’s tenure, Paxful still had what the government describes as “egregious lapses in compliance.”
  • Independent Testing. MSBs must obtain independent reviews of their compliance program, with the scope and frequency depending on the risks associated with the MSB’s services. Paxful only conducted one test in the multi-year period at issue on the consent order, which the government described as “not even remotely commensurate with the volume of transactions processed or risks associated with the products and services offered by Paxful.”

Failure to Report Suspicious Activity

The consent order states that Paxful “facilitated transactions involving over $500 million in suspicious activity[.]” These transactions were associated with ransomware attacks, darknet and other illicit marketplaces, unregistered MSBs, child sexual abuse material, elderly financial exploitation, terrorist financing, high-risk jurisdictions, and stolen funds or other illicit proceeds. Despite this, Paxful did not file a single suspicious activity report before November 2019, and its reporting after that date remained deficient.

BSA Violations and Penalty

The consent order noted that Paxful employees had identified and discussed many of these deficiencies with senior leadership, who in some instances dismissed the concerns, and in other instances claimed that the concerns would be addressed. In some circumstances, the consent order states that Paxful leadership instructed employees not to raise or report issues, and that Paxful employees actively worked to build its relationships with and presence on high-risk platforms. For example, Paxful actively sought to be utilized on Backpage.com, a platform well-known for its role in promoting sex trafficking, including child sexual abuse, even after its widespread illicit activity was made public by a government investigation.

Based on these actions and deficiencies, FinCEN found that Paxful willfully violated the BSA and associated regulations, specifically finding:

  1. Paxful willfully failed to register as an MSB in violation of 51 U.S.C. § 5330 and 31 C.F.R. § 1022.380;
  2. Paxful failed to develop, implement, and maintain an effective AML program reasonably designed to prevent its programs from being used to facilitate money laundering and the financing of terrorist activities in violation of 31 U.S.C. § 5318(h)(1) and 31 C.F.R. § 1022.210; and
  3. Paxful willfully failed to accurately, and timely, report suspicious transactions to FinCEN, in violation of 31 U.S.C. § 5318(g)(1) and 31 C.F.R. § 1022.320.

In discussing its decision to impose a civil money penalty, FinCEN noted the “egregious” nature of the violations, which it determined “caused extensive possible harm to the public.” FinCEN further discussed that it determined there was a “culture of noncompliance throughout” Paxful, whose leadership were aware of their obligations under the BSA and still failed to comply. Based on these, and other factors, FinCEN imposed a $3.5 million civil penalty.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On January 9, 2026, U.S. Treasury Secretary Scott Bessent announced a series of new federal actions  focused on schemes to defraud federal aid programs. Treasury’s announcement follows a series of high-profile investigations involving alleged fraud tied to federally funded programs, such as the Feeding Our Future scheme to defraud the Federal Child Nutrition Program in Minnesota. That scheme relied on sophisticated financial activity, including rapid movement of funds, use of nonprofit and shell entities, and international transfers designed to conceal the source and use of government money.  The government estimates that the Feeding Our Future scheme cost taxpayers an estimated $250 million.

Treasury’s initiative signals an enhanced approach to fraud enforcement that places banks squarely on the front lines to detect and deter financial fraud.  As a result, financial institutions should expect heightened regulatory scrutiny, increased information requests, and closer coordination between bank examiners and law enforcement—particularly where institutions serve nonprofits or customers engaged in high-volume or cross-border transactions. 

What does Treasury’s fraud initiative entail?

A central feature of the initiative is intensified oversight of financial institutions’ Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance. FinCEN has already issued investigative demands to money services businesses in Minnesota and has indicated that banks serving nonprofits, tax-exempt organizations, and other customers that receive or distribute government-related funds may also face closer examination.

In addition, FinCEN has issued targeted alerts identifying red flags associated with fraud involving government programs. Treasury is specifically targeting international wires and similar pass-through bank transfers that move government or nonprofit-related funds quickly out of accounts in amounts or patterns inconsistent with the bank customer’s stated purpose. Treasury has made clear that these alerts are intended to inform transaction monitoring and examiner expectations.

Treasury is also expanding training for federal, state, and local law enforcement on the use of financial intelligence, including Suspicious Activity Reports (SARs), in fraud investigations.

What are the implications for financial institutions?

Treasury has emphasized that institutions are expected not only to file SARs, but to identify emerging fraud typologies early and adjust controls accordingly.

Financial institutionsshould confirm that systems and procedures are capable of capturing required data elements accurately and escalating potentially suspicious activity promptly.

As a result, banks should expect SAR filings to be used more actively in investigations, placing added importance on narrative quality, internal consistency, and timeliness.

In light of Treasury’s initiative, banks should consider taking the following steps in the near term:

  • Reassess BSA, AML, and fraud risk assessments with a specific focus on government benefits, nonprofit customers, and pandemic-era funding streams.
  • Review transaction monitoring rules and alert thresholds to ensure alignment with FinCEN’s identified fraud red flags.
  • Evaluate SAR filing practices, including timeliness, narrative quality, and escalation procedures.
  • Confirm operational readiness to comply with Geographic Targeting Order reporting requirements and related data integrity obligations.
  • Prepare compliance, legal, and operations teams for potential regulatory examinations, subpoenas, or law enforcement inquiries.


Ballard Spahr brings deep, firsthand experience to advising financial institutions facing heightened fraud and AML scrutiny.   Drawing on this experience, Ballard Spahr advises banks and financial institutions on BSA/AML compliance, fraud risk mitigation, regulatory examinations, and responses to government investigations—helping clients anticipate enforcement priorities and address issues before they escalate. In matters involving potential violations, we conduct internal investigations and assist in responding to administrative, civil or criminal investigations, government enforcement actions, and related civil litigation by private parties regarding fraud schemes. We help clients evaluate risk, strengthen compliance frameworks, respond to supervisory and enforcement actions, and navigate complex, multi-agency inquiries.

Rushmi Bhaskaran, a partner in Ballard Spahr’s White Collar Defense and Investigations Group, previously served as an Assistant U.S. Attorney in the Southern District of New York, where she investigated, prosecuted, and tried a wide range of white collar fraud matters, including those involving allegations of money laundering and violations of the Bank Secrecy Act.

Matthew Ebert, counsel in Ballard Spahr’s White Collar Defense and Investigations Group, previously served as Chief of the Fraud and Public Corruption Section at the U.S. Attorney’s Office for the District of Minnesota, where he played a leading role in the federal investigation and prosecution of the Feeding Our Future fraud scheme that is an impetus for Treasury’s anti-fraud initiatives.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

In 2025, the Nevada Gaming Commission (Commission) and the Nevada Gaming Control Board (NGCB) launched one of the most significant enforcement waves in state history, imposing nearly $27 million in fines against three of the Las Vegas Strip’s largest operators: Caesars Entertainment, MGM Resorts, and Resorts World Las Vegas. Each case centered on failures to detect and prevent suspicious gambling activity tied to convicted bookmaker Mathew Bowyer, whose presence across multiple properties exposed systemic weaknesses in anti-money laundering (AML) programs. The enforcement actions highlight regulators’ growing insistence on robust compliance practices and a culture of vigilance within the gaming industry.

Caesars Entertainment Enforcement Action

The most recent fine, approved on November 20, 2025, ordered Caesars Entertainment to pay $7.8 million following a five-count NGCB complaint. The complaint alleged that Caesars permitted Bowyer to gamble freely across its properties for more than seven years, despite mounting red flags and evidence that other casinos had banned him as early as 2017. Caesars formally designated Bowyer as a “high risk” customer in 2019 yet failed to bar him until January 2024. Regulators described the company’s conduct as a systematic negligence, emphasizing that Caesars allowed Bowyer to win and lose millions without verifying his source of funds. The fine was set at roughly three times Bowyer’s net losses at Caesars, ensuring the company did not profit from its failures.

The Commission was notably frustrated by ongoing compliance issues across major operators, viewing Bowyer’s case as a clear example of broader weaknesses in oversight. The decision to impose penalties, supported by a vote of 4-to-1, underscored both the seriousness of the violations and a strong intent to prevent similar problems going forward.

MGM Resorts Enforcement Action

Earlier in the year, MGM Resorts faced its own enforcement action. In April 2025, the Commission approved an $8.5 million fine against MGM following a 10-count NGCB complaint. The complaint alleged that MGM permitted Bowyer and another illegal bookmaker, Wayne Nix, to gamble at MGM Grand and The Cosmopolitan between 2015 and 2018. Regulators noted that MGM executives had suspicions about Bowyer’s source of income as early as 2015, and in 2018 a customer warned MGM that Bowyer was attempting to poach gamblers from its casinos. Despite these warnings, MGM failed to act decisively. The complaint highlighted leadership failures under former MGM executive Scott Sibella, who allowed bookmakers to pay debts in cash and gamble millions without proper AML checks. MGM admitted wrongdoing and pledged reforms, with the Commission approving the fine unanimously.

Resorts World Las Vegas Enforcement Action

Resorts World Las Vegas faced the largest penalty of the three operators. In March 2025, the property agreed to pay $10.5 million following a 12-count NGCB complaint alleging severe AML deficiencies, and the Commission formally approved the fine. Regulators found that Resorts World allowed individuals with ties to illegal bookmaking and gambling-related felony convictions to gamble freely. The fine was the second-largest in Nevada history, behind Wynn Resorts’ $20 million penalty in 2019. The case was particularly notable given Resorts World’s status as a $4.2 billion property that opened in 2021 with modern infrastructure and the expectation of strong compliance systems. Regulators emphasized that even new properties with advanced technology are not immune from scrutiny if compliance programs fail to meet expectations.

Regulator Expectations

Taken together, the three fines illustrate regulators’ frustration with systemic AML failures across operators. Commissioners emphasized that operators must do more than maintain technical compliance programs; they must foster a culture of vigilance that prioritizes integrity over revenue. The Bowyer cases collectively demonstrate that regulators expect operators to proactively monitor high-risk patrons, escalate red flags promptly, and verify sources of funds. The enforcement trend also signals that regulators will not hesitate to impose multimillion-dollar penalties when operators fail to act decisively.

Industry Implications

The implications for the industry are significant. First, the fines underscore the importance of enhanced due diligence for high-risk patrons. Regulators expect operators to verify sources of funds, particularly when patrons engage in high-stakes play or exhibit patterns consistent with suspicious activity. Second, the cases highlight the need for clear escalation protocols. Caesars, MGM, and Resorts World each failed to act on red flags in a timely manner, allowing Bowyer to gamble millions over extended periods. Third, the enforcement actions demonstrate the value of independent audits. Regular reviews can help operators identify gaps in AML programs and remediate deficiencies before they attract regulatory attention.

Beyond technical compliance, the cases emphasize the importance of organizational culture. Regulators criticized operators for prioritizing revenue over compliance, suggesting that leadership must set the tone for vigilance and accountability. MGM’s case tied failures to specific executives, underscoring the role of leadership in shaping compliance outcomes. Caesars and Resorts World faced criticism for organizational cultures that allowed high-risk patrons to gamble freely despite clear warning signs.

The reputational damage associated with these fines is also significant. Caesars, MGM, and Resorts World each faced public embarrassment, with executives admitting their programs were “unacceptable.” The fines were widely reported in industry and mainstream media, reinforcing the perception that AML failures undermine the integrity of Nevada’s gaming industry. For operators, reputational harm can be as damaging as financial penalties, affecting relationships with regulators, investors, and customers.

Looking ahead, operators should expect continued scrutiny from regulators. The Bowyer cases suggest that regulators are focused not only on individual patrons but also on systemic weaknesses in compliance programs. Operators should anticipate more aggressive enforcement, particularly around high-stakes patrons and cash-intensive play. Regulators are likely to demand evidence that operators are proactively monitoring activity, escalating red flags, and verifying sources of funds.

Practical Steps for Operators

To mitigate regulatory risk and strengthen compliance programs, operators should implement enhanced due diligence protocols for high-risk patrons, including mandatory source-of-funds verification. They should establish clear escalation procedures to ensure red flags are acted upon promptly and consistently. Regular independent audits can help identify gaps and remediate deficiencies. Ongoing training for compliance staff and frontline employees is essential to reinforce vigilance and accountability. Finally, operators should benchmark AML practices against industry peers and regulatory expectations to ensure programs remain robust and adaptive.

The Bowyer-related fines against Caesars, MGM, and Resorts World underscore regulators’ intolerance for AML failures. Operators must treat compliance as a strategic priority, recognizing that lapses can trigger multimillion-dollar penalties and lasting reputational harm. The enforcement actions highlight regulators’ expectation that operators foster a culture of vigilance, where integrity is prioritized over revenue. For the gaming industry, the lesson is clear: AML compliance is not optional, and failure to act decisively on suspicious activity will carry significant consequences.

Ballard Spahr’s Gaming Industry Group and Anti-Money Laundering Practice provide comprehensive guidance to public and private sector clients navigating the evolving regulatory landscape. Our team advises on Bank Secrecy Act and anti-money laundering compliance, assists with governmental inquiries, investigations, enforcement proceedings, licensing matters, internal risk assessments, policy development, training programs, transactional due diligence, technology integration for compliance monitoring and reporting, and crisis management in response to active investigations.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

The U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) released its latest Financial Trend Analysis (FTA) this month, reporting data from banks and other financial institutions showing that, following a recent surge, the number of reported ransomware incidents and payment amounts dipped slightly in 2024. High-profile ransomware attacks frequently appear in the news and the impact can be severe: in just the last month, news broke that an e-tailer company was knocked offline for 45 days following one attack, and cities and towns across the U.S. lost access to their emergency alert systems after another.

Data indicates reality matches the perception—ransomware attacks surged to their highest levels in 2023, with a total of 1,512 reported incidents and $1.1 billion in reported ransom payments, a staggering 77 percent increase in total payments from the prior year. This continued a trend of increased malicious activity that first appeared in 2021, in which FinCEN received reports of approximately 1,400 incidents and nearly $1 billion in payments, more than double the previous year. Indeed, the three-year review period for the FTA (January 2022–December 2024) saw a total of 7,395 ransomware-related reports, totaling more than $2.1 billion in payments, while during the entire previous nine-year period (2013 through 2021), FinCEN received only 3,075 reports totaling approximately $2.4 billion in ransomware payments.

One year does not make a trend but the latest data show signs for cautious optimism. In 2024, companies reported a total of 1,476 ransomware incidents, and approximately $734 million in ransomware payments. The median ransomware payment also decreased, from $175,000 in 2023 to $155,257 in 2024. FinCEN attributes this decrease in part to U.S. and U.K. law enforcement disrupting high-profile ransomware groups in December 2023 and February 2024.

No industry is immune from the threat of attack, but the FTA identified that financial services, manufacturing, and healthcare industries reported both the greatest number of incidents and highest amount of aggregate payments sent to ransomware actors during the review period. Retail and legal services reported the next highest amount of overall incidents; meanwhile, science and technology and retail rounded out the highest reported total payments.

Other key findings reported in the FTA include:

  • The data revealed 267 distinct ransomware variants used in attacks during 2022 – 2024, the most prevalent being Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.
  • Ransomware actors most often used The Onion Router (“Tor”) to communicate with their victims, reported in 67 percent of ransomware incidents during the reporting period. TOR uses encryption and layered network infrastructure to allow users to browse the internet anonymously and conceal their identity and point of origin.
  • Bitcoin (BTC) remains the prominent payment method of choice for ransomware actors, accounting for 97 percent of the reported ransomware transactions.

The financial threat to companies posed by ransomware is no secret. Data reported to FinCEN indicates that, although the vast majority of payments demanded by ransomware actors are below $250,000, individual demands can exceed $5 million. But the risk doesn’t end with the actual ransom payment—companies face increasing legal liability as well. According to one report from 2023, nearly one in five ransomware attacks resulted in a lawsuit against the victim company. Class actions against companies for failure to prevent or disclose ransomware breaches abounded in 2025, after several litigations arising from earlier breaches led to costly settlements.  

Therefore, it is as important as ever for companies to take steps to prevent, detect, and respond effectively to ransomware attacks. As FinCEN summarizes, “ransomware is a complex cybersecurity problem requiring a variety of preventive, protective, and preparatory best practices.” The FTA references several resources, including the Cybersecurity and Infrastructure Security Agency’s (CISA) website StopRansomware.gov, the National Security Agency’s (NSA) Ransomware Guide, and the National Institute of Standards and Technology’s (NIST) Data Integrity Project.

FinCEN publishes FTAs pursuant to section 6206 of the Anti-Money Laundering Act of 2020, 31 U.S.C. § 5318(g)(6)(B), which requires periodic reporting of threat pattern and trend information derived from data reported to FinCEN under the Bank Secrecy Act. The AML Blog has posted on previously-issued FTAs here and here.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

The prosecution of the developers behind Samourai Wallet illustrates how U.S. authorities are broadening their approach to privacy‑focused cryptocurrency tools. In April 2024, the U.S. Attorney’s Office for the Southern District of New York announced charges against Keonne Rodriguez, Samourai’s chief executive, and William Lonergan Hill, its chief technology officer. The indictment alleged that Samourai facilitated more than $2 billion in Bitcoin transactions, including $237 million in criminal proceeds, with over $100 million tied to darknet markets. By late 2025, both pleaded guilty: Rodriguez was sentenced to five years, Hill four, on conspiracy counts related to money transmission and money laundering.

Statutory Basis for the Charges

The convictions rested on two statutes traditionally applied to custodial financial services but now extended to non‑custodial crypto tools.

  • 18 U.S.C. § 1960 criminalizes operating an unlicensed money transmitting business. Historically, this applied to custodial services holding or transferring funds for customers. Samourai was different: users retained control of their private keys, while the software facilitated transactions. Prosecutors argued that features such as Whirlpool and CoinJoin, privacy techniques mixing coins from multiple users, amounted to money transmission by obscuring fund origins. They pointed to Samourai’s fee structure, promotional materials, and darknet outreach as evidence of intent.
  • 18 U.S.C. § 1956 covers conspiracy to commit money laundering. Prosecutors contended that Samourai’s design and marketing encouraged concealment of criminal proceeds, citing communications and promotional materials aimed at illicit users.

Enforcement Trends: Samourai vs. Tornado Cash

Samourai is part of a broader enforcement trend targeting privacy‑enhancing crypto tools. The Tornado Cash prosecution in 2023 raised parallel issues but in a different technological and legal context. (See our additional blog posts about Tornado Cash here, here, here, and here.)

Tornado Cash, built on Ethereum smart contracts, posed the challenge of immutability: once deployed, the code operated autonomously, and developers argued they lacked control over user activity. This immutability became central to defenses and civil litigation, with courts questioning whether autonomous code could be treated as “property” subject to sanctions. By contrast, Samourai’s active coordinator service and ongoing updates gave prosecutors a foothold to argue that its developers exercised meaningful operational control. This distinction allowed the government to frame Samourai’s conduct not as passive publication of code but as active facilitation of illicit finance.

Tornado Cash litigation tested the boundaries of OFAC’s sanctions authority under IEEPA, ultimately resulting in judicial limits on designating immutable smart contracts. Samourai, however, was pursued under traditional criminal statutes, extending their application to non‑custodial wallets and raising questions about fair notice given FinCEN’s prior guidance.

Legal Questions Raised

These prosecutions highlight unresolved constitutional and statutory issues. If Tornado Cash and Samourai represent two ends of the spectrum—immutable code versus actively maintained software—courts must now contend with how far existing law can extend to decentralized technologies. At stake are broader questions of liability, statutory interpretation, and constitutional protections such as speech and due process. The central question is whether publishing and maintaining privacy‑focused code remains speech under the First Amendment, or whether it becomes criminal conduct when paired with active promotion toward illicit use.

Tornado Cash Litigation: OFAC Sanctions and DOJ Charges

Tornado Cash faced a dual track of enforcement: criminal charges against its developers and administrative sanctions against its code.

In Van Loon v. Department of the Treasury (5th Cir. 2024), plaintiffs challenged OFAC’s authority. (See our blog post here.) The Fifth Circuit ruled that sanctioning immutable Tornado Cash smart contracts exceeded OFAC’s statutory authority under IEEPA, limiting designation of autonomous code as “property.” The decision underscored the difficulty of applying traditional law to decentralized technology, though it did not categorically immunize all crypto protocols from sanctions.

This judicial pushback illustrates the limits of sanctions law when applied to autonomous protocols. Parallel developments in FinCEN guidance further complicate matters, as longstanding custodial versus non‑custodial distinctions intersect uneasily with prosecutorial theories advanced in Samourai.

FinCEN Guidance

FinCEN has generally distinguished custodial from non‑custodial wallets. Its 2019 guidance (FIN 2019 G001) stated that entities providing only software without asset custody are not subject to registration or Bank Secrecy Act requirements applicable to money services businesses. In 2024, FinCEN withdrew proposed rules that would have imposed KYC obligations even for non‑custodial wallet providers, reinforcing earlier interpretations.

Yet during proceedings against Samourai’s founders, prosecutors reportedly asked FinCEN whether CoinJoin or non‑custodial wallets qualified as “money transmission.” FinCEN answered “no,” but charges proceeded regardless. This divergence raises constitutional questions about fair notice and the consistency of regulatory versus prosecutorial positions.

Comparative Analysis: Samourai and Tornado Cash

Placing Samourai and Tornado Cash side by side reveals how enforcement risks diverge depending on technological design, regulatory posture, and evidentiary focus. Tornado Cash’s defense rested on immutability, emphasizing that once deployed, developers lacked the ability to control user activity. This argument framed the project as autonomous code rather than an ongoing service. By contrast, prosecutors in Samourai highlighted the wallet’s active coordinator service, continuous updates, and targeted marketing as evidence of meaningful developer involvement.

Regulatory approaches also diverged. Tornado Cash was primarily challenged through OFAC’s sanctions authority under IEEPA, a strategy that met judicial resistance when courts questioned whether immutable smart contracts could be designated as “property.” Samourai, however, was pursued under traditional criminal statutes (§ 1960 and § 1956) despite FinCEN’s guidance suggesting such tools were outside money transmission rules.

Evidence in each case points to fundamentally different enforcement approaches. In Tornado Cash, the defense leaned on the impossibility of control, arguing that immutability precluded intent. In Samourai, prosecutors relied on direct evidence of intent, pointing to promotional materials, darknet outreach, and fee structures as proof that the wallet was designed to attract illicit use.

Taken together, the comparison demonstrates that enforcement is not uniform but highly contingent. Immutable protocols test the limits of sanctions law, while actively maintained wallets are subject to broader applications of criminal statutes. The broader lesson is that privacy‑preserving technologies, whether autonomous or developer‑driven, now face heightened scrutiny, with liability theories evolving to match the technical contours of each project.

Conclusion

The Samourai convictions signal a shift in how federal authorities apply existing statutes to decentralized and non‑custodial technologies. By extending provisions traditionally aimed at custodial services to privacy‑focused wallets, prosecutors demonstrated a willingness to reinterpret statutory language considering evolving technical design. This approach may deter illicit finance, but it also raises unresolved constitutional questions about fair notice, due process, and the boundary between protected speech and criminal conduct.

More broadly, the trajectory of enforcement against Samourai and Tornado Cash underscores that privacy‑preserving tools, whether autonomous protocols or actively maintained software, are now within the sights of regulators and prosecutors. Liability theories are likely to adjust to each project’s design, reflecting ongoing enforcement developments.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

We blogged earlier this year about Attorney General Pam Bondi’s February 5, 2025 memorandum focusing the U.S. Department of Justice’s attention squarely on Mexican cartels, and about subsequent steps the Trump Administration has taken to follow through on that prioritization.  In the latest such effort, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued a Notice of Proposed Rulemaking (NPRM) pursuant to Section 311 of the USA PATRIOT Act, which would prohibit U.S. financial institutions from processing any transactions which involve any of ten specific Mexican casinos (referred to collectively in the NPRM as the “Gambling Establishments”).  The casinos in question, spread across four Mexican states, are owned by three separate Mexican companies; however, FinCEN states in the NPRM it “assesses that the Gambling Establishments are ultimately controlled by a criminal group with a longstanding and transactional financial relationship in which the Gambling Establishments facilitate money laundering for the benefit of the Cartel de Sinaloa (Sinaloa Cartel)” – a drug trafficking organization which President Trump designated as a terrorist group on the first day of his second term, and which the Drug Enforcement Administration (DEA), in its 2024 National Drug Threat Assessment, characterized as being one of two cartels “at the heart” of the U.S. synthetic opioid crisis.

In the NPRM, FinCEN declares that “reasonable grounds exist for concluding that transactions involving the Gambling Establishments are of primary money laundering concern” after considering certain relevant factors – that the casinos allegedly make monthly disbursements to the Sinaloa Cartel, as well as additional illicit payments to senior cartel members carefully arranged (in amounts and timing) “to prevent documentable connections” between the casinos; and that the money laundering allegedly facilitated by the casinos benefits the Sinaloa Cartel, which is (as framed in the NPRM) a major driver of the U.S. opioid crisis – thus constituting, in the words of the NPRM “a significant threat to U.S. national security.”

The “meat” of the NPRM is Section 1010.665(b) of the proposed rule, imposing a “special measure” to combat the instant problem. Section (b)(1) would impose a prohibition on covered financial institutions (e.g. banks, securities brokers and dealers, and mutual funds) “opening or maintaining in the United States any correspondent account for or on behalf of a foreign banking institution if such correspondent account is used to process a transaction involving any of the Gambling Establishments.” Section (b)(2) would require that a covered financial institution go beyond basic due diligence when assessing its foreign financial institution clients, as it calls for “apply[ing] special due diligence to its correspondent accounts that is reasonably designed to guard against such accounts being used to process transactions involving the Gambling Establishments[,]” and specifies that such enhanced due diligence must include both sending written notice to foreign financial institution customers that they must not provide the casinos with access to their correspondent accounts and implementing screening mechanisms to identify correspondent account transactions involving the casinos.

FinCEN notes in the NPRM that various alternatives were considered to the blanket prohibition on the opening or maintaining of correspondent accounts, but that “[b]ecause of the nature, extent, and purpose of the obfuscation engaged in” by the casinos, any efforts to require additional information collection – e.g., reporting obligations, beneficial ownership identification, or enhanced know-your-customer (KYC) requirements – would ultimately be inadequate in addressing the paired goals of (a) protecting the U.S. financial system from risk and (b) impacting the Sinaloa Cartel’s ability to profit from its illicit activities.

The press release announcing the NPRM stated that it was being promulgated “in coordination with the Government of Mexico” – importantly for cross-border relations, as implementation of this rule may severely deplete willingness of U.S. financial institutions to do business with Mexico-based financial institutions and businesses in light of the heightened scrutiny required.

            If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On November 4, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated eight individuals and two entities for their involvement in laundering funds derived from illicit schemes originating in the Democratic People’s Republic of Korea (DPRK).  These activities included cybercrime operations and information technology (IT) worker fraud, both connected to revenue streams supporting North Korea’s nuclear weapons and ballistic missile programs.

North Korean Cybercrime, IT Worker Sanctions Evasion

The OFAC announcement identified cybercrime as a major mechanism for DPRK-affiliated actors to obtain funds outside legitimate financial channels.  Reports estimate that these actors have stolen over $3 billion—primarily in cryptocurrency—using, among other methods, advanced malware techniques and social engineering tactics.  OFAC’s November 4th announcement identified sanctioned individuals and financial entities pursuant to its authority under Executive Orders 13694 (as amended), 13810, as well as other relevant orders, for providing material assistance or support for illicit cyber activities, engaging in commercial conduct that generates revenue for the DPRK, and/or facilitating transactions involving the property or interests in property of designated entities.

Additionally, OFAC noted ongoing fraudulent activities involving North Korean IT workers operating abroad.  Despite prohibitions outlined in Paragraph 17 of United Nations Security Council Resolution 2375 against granting work authorizations to DPRK nationals absent UN approval, these individuals reportedly continue to earn income globally by obfuscating their identities when engaging with freelance platforms and employers.  According to the Multilateral Sanctions Monitoring Team report titled, “The DPRK’s Violation and Evasion of UN Sanctions Through Cyber and Information Technology Worker Activities,” at least a portion of the earnings generated by the IT teams are used in support of  DPRK objectives, including weapons development and production, domestic infrastructure projects, and the procurement of consumer goods.

Blocking Requirements and Financial Networks Targeted by OFAC Sanctions

Under the new sanctions, all property or interests in property belonging to the designated parties that are within the United States or under possession or control of U.S. persons are blocked and must be reported to OFAC.  Entities directly or indirectly owned (individually or collectively at least fifty percent) by one or more blocked persons also become subject to blocking requirements.  Unless specifically authorized by an OFAC license or exempted by regulation, transactions involving sanctioned individuals or entities are generally prohibited if conducted by U.S. persons or occur within, or transit through, the United States.

Financial institutions and other organizations may face secondary sanctions risk if they engage in certain transactions with sanctioned parties, including providing funds, goods, services (or receiving such contributions from those individuals or entities) even if not intentionally facilitating sanctionable conduct.

Among those recently designated by OFAC are key North Korean financial institutions along with several senior representatives. These include:

  • Jang Kuk Chol and Ho Jong Son, bankers at U.S.-designated First Credit Bank, managed funds, including $5.3 million in cryptocurrency, on behalf of the designated institution;
  • Korea Mangyongdae Computer Technology Company along with its current president U Yong Su, organizing IT worker delegations to China and employing Chinese nationals as banking proxies;
  • Ho Yong Chol facilitated $2.5 million transfer in U.S. dollars (USD) and Chinese yuan (CNY) on behalf of the U.S.-designated Korea Daesong Bank;
  • Han Hong Gil, employee at U.S.-designated Koryo Commercial Bank, facilitated $630,000 in transactions on behalf of U.S.-designated Ryugyong Commercial Bank;
  • U.S.-designated Foreign Trade Bank (FTB) chief representative Jong Sung Hyok;
  • Ri Jin Hyok, also a representative of FTB, facilitated transactions worth over $350,000 in USD, CNY, and euros through a front company;
  • Choe Chun Pom, official at U.S.-designated Central Bank of DPRK, facilitated transactions worth over $200,000; and
  • Ryujong Credit Bank engaged in sanctions evasion activities, including remitting North Korea’s foreign currency earnings, money laundering, and conducting financial transactions for overseas North Korean workers.

These designations illustrate methods employed by DPRK-linked networks such as deploying front companies abroad, leveraging international proxies for banking activity intended to obscure transaction originators/beneficiaries, moving earnings from overseas IT workforces into state channels via complex cross-jurisdictional arrangements, as well as utilizing digital assets for sanctions evasion purposes.

Compliance Implications for Financial Institutions and AML Practices

For industry practitioners focused on anti-money laundering compliance, including banks and fintech providers, this regulatory action highlights continued expectations regarding enhanced due diligence practices around high-risk geographies and typologies associated with state-sponsored illicit finance activity.  Monitoring customer onboarding processes for indicators like frequent use of freelance hiring platforms under suspicious circumstances is among several areas cited by authorities where vigilance is warranted given current trends.

In summary: The November 2025 designations reflect evolving approaches used in DPRK-related money laundering schemes across digital asset ecosystems and traditional financial systems alike.  Regulatory compliance teams should evaluate existing frameworks governing exposure risk assessment relative to updated guidance while ensuring processes align with current reporting/blocking obligations where applicable under U.S., UN-sanctioned measures, or similar regimes implemented elsewhere internationally.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On November 6, 2025. Keonne Rodriguez, the co-founder of the cryptocurrency mixer Samourai Wallet, was sentenced for to 60 months in federal prison for the crime of conspiring to operate an unlicensed money-transmitting business in violation of 18 U.S.C § 371. The two-count indictment, filed on February 14, 2024, alleged that Defendants Rodriguez and William Lonergan Hill developed, marketed, and operated a cryptocurrency mixing service know as Samourai Wallet, an unlicensed money transmitting business that earned millions of dollars by laundering over $100 million dollars of crime proceeds originating from illegal dark web markets.

Defendant Rodriquez pled guilty to Count II (Conspiracy to Operate a Money transmitting Business) on July 29, 2025. The next day, Defendant Hill plead guilty to Count II. The defendants both entered to preliminary orders of forfeiture and money judgment to forfeit $237,832,360.55 (representing the amount of property involved in Count II of the indictment) and make a payment to the United States in the amount of $6,367,139.69 before the sentencing date. Count I (Conspiracy to Commit Money Laundering) was dismissed as a part of the plea deals.

At the sentencing, Defendant Rodriguez’s right, title and interest in $6,367,139.69 in U.S. currency, samouraiwallet.com and Samourai Wallet Google Play Application was forfeited to the United States. In addition to the 60 months prison sentence, the Court fined Defendant Rodriquez $250,000. Defendant Hill is scheduled to be sentenced on November 19, 2025.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.