This article summarises findings from a FinancialCrime.org investigation into money laundering techniques being shared on the dark web and encrypted messaging platforms. The manual analysed below was discovered during monitoring of Russian-language cybercriminal channels. Details of the channels, threat actors, and infrastructure identified during this investigation were provided to relevant law enforcement and regulatory authorities.
Investigation Background
This investigation is a companion to our examination of the dark web marketplace for verified crypto accounts. That investigation documented the supply side — who sells verified exchange accounts, what they cost, and how the identity supply chain works. This one documents the operational side — what criminals actually do with dirty crypto once they have it, and how they attempt to move it from tainted wallet to usable cash without triggering the AML controls that exchanges and financial institutions have put in place.
The distinction matters. The verified accounts investigation showed that criminals can acquire clean identities for as little as $200. This investigation shows how those identities fit into a broader laundering workflow — one that the cybercriminal underground is actively documenting, refining, and sharing.
During several months of monitoring Russian-language cybercriminal forums and Telegram channels in mid-to-late 2023, I discovered what participants in these communities describe as the “most complete manual for withdrawing a crypto that does not pass AML verification.” The manual, attributed to a user or channel operating under the handle “Rags to Riches,” provides a step-by-step operational guide for laundering Bitcoin that has been flagged — or would be flagged — by blockchain forensics tools as linked to criminal activity.
What follows is my analysis of that manual: its methodology, its technical sophistication, its assumptions about how AML controls work, the specific tools and services it recommends, and — critically — where its techniques succeed and where they fail against current investigative capabilities. My goal is not to provide a how-to guide for criminals. The manual already exists and is freely circulating. My goal is to ensure that compliance professionals, investigators, and regulators understand exactly what they are up against.
The State of Crypto Laundering in 2023
Before examining the manual, it is worth understanding the threat landscape in which it circulates.
Chainalysis’s mid-year 2023 update reported that crypto inflows to known illicit entities were down 65% compared to the previous year, while flows to high-risk entities — primarily mixers and non-compliant exchanges — were down 42%. Scam losses, the largest category, had declined by roughly $3.3 billion.
These numbers are encouraging on their face. But they carry an important caveat that Chainalysis itself acknowledges: the statistics reflect only wallet addresses that the firm was able to identify as illicit. The depth of Chainalysis’s blind spots — the volume of criminal activity flowing through wallets that have not yet been attributed — is unknown. And data from crypto security firm De.Fi warned that recovery of illicit-origin crypto assets was becoming harder, not easier, despite the overall decline in reported crime.
The uncomfortable possibility — one that the manual I discovered tends to confirm — is that criminals are not simply committing less crime. Some of them are getting better at hiding it. The existence of detailed, step-by-step laundering guides that are freely available and actively discussed in cybercriminal communities suggests that the sophistication of the laundering layer is advancing alongside the detection tools designed to defeat it.
This is the adversarial dynamic I have written about elsewhere: every improvement in detection produces an adaptation in evasion. The manual I found is evidence of that adaptation in real time.
How I Found the Manual
The manual surfaced during monitoring of a Russian-language Telegram channel that functions as both a dark web link aggregator and an informational resource for hackers and privacy-focused internet users. The channel republishes content from across the cybercriminal underground — tutorials, tool recommendations, operational security guides, and service advertisements — serving as a curated feed for its subscribers.
On January 31, 2023, the channel published a post attributed to a user or channel operating under the handle “Rags to Riches.” The post was framed as a comprehensive guide to withdrawing cryptocurrency that would fail AML screening — that is, Bitcoin whose on-chain history links it to ransomware, darknet market transactions, theft, scam proceeds, mixer outputs, or other activity categories that blockchain forensics tools flag as illicit.
The manual is structured around a two-phase model that the author labels “Reception/Storage” and “Cleaning/Output.” This structure mirrors the classic money laundering framework — placement and layering/integration — adapted for the specific constraints of cryptocurrency laundering. What makes it operationally useful (and therefore dangerous) is its specificity: it names actual tools, actual services, and actual platforms, and it addresses the specific technical challenges that each step of the laundering process presents.
Phase 1: Staging the Dirty Bitcoin
The manual opens with a frank acknowledgment of the problem: “First, we need to get our Bitcoins somewhere, which will not pass verification.” The “verification” the author refers to is AML screening — the process by which compliant exchanges and financial service providers scan incoming deposits against blockchain forensics databases to determine whether the funds have connections to known illicit activity.
The author’s assessment of the threat landscape is accurate. Modern AML screening tools — Chainalysis KYT, TRM Labs, Elliptic, and others — can identify deposits that originate from or have passed through addresses associated with ransomware, darknet markets, sanctioned entities, mixers, and other high-risk categories. Compliant exchanges screen deposits against these tools and can freeze or reject funds that exceed their risk thresholds. As I discussed in my article on how investigators trace crypto on public blockchains, the transparency of Bitcoin’s public ledger is both its strength as a financial system and its vulnerability for criminals.
The manual’s response to this challenge is to establish a staging wallet — a holding environment where dirty Bitcoin can be received, held, and subdivided before being moved into the laundering pipeline. The manual identifies two requirements for this staging wallet: it must not perform any AML checks on incoming funds, and it must generate a unique, one-time address for each incoming transaction (to prevent address clustering by blockchain analysts).
The Electrum cold wallet
The manual recommends the Electrum wallet as the staging tool of choice.
Electrum is a legitimate, open-source Bitcoin wallet that has been in operation since 2011. It is not a criminal tool — it is used by millions of legitimate Bitcoin holders for its lightweight architecture, hardware wallet compatibility, and cold storage capabilities. The manual recommends it precisely because it is a non-custodial wallet: the user controls their own private keys, and no third party screens incoming transactions.
This is an important distinction for compliance professionals to understand. Electrum does not perform AML screening because it is not an exchange or a custodial service. It is software that enables direct interaction with the Bitcoin blockchain. No regulatory framework requires self-hosted wallets to screen transactions, and no technical mechanism exists to force them to do so. The Travel Rule and AML requirements apply to VASPs — virtual asset service providers — not to software.
The manual recommends operating Electrum within a security-hardened environment to avoid leaving forensic traces that could link the laundering activity to the criminal’s real identity.
TAILS operating system and the OpSec stack
The manual advises running Electrum inside a virtual machine or sandbox that routes all traffic through the Tor network, with a VPN as an additional layer. Specifically, it recommends TAILS — The Amnesic Incognito Live System.
TAILS is a portable operating system that boots from a USB drive, routes all internet traffic through Tor by default, and is designed to leave no forensic trace on the host computer. When the session ends, all data is erased. The operating system is not inherently criminal — it is used by journalists, human rights activists, and privacy-conscious individuals worldwide. Edward Snowden famously recommended it. But its amnesic architecture makes it attractive to criminals for the same reasons it is valuable to dissidents: it eliminates the local evidence trail.
The Electrum wallet comes pre-installed on TAILS, which means a criminal can boot TAILS from a USB drive on any computer, access their staging wallet, receive and redistribute dirty Bitcoin, shut down, and leave no trace on the machine. No browser history, no wallet files, no log data. For a forensic investigator examining the computer after the fact, the session never happened.
The recommended OpSec stack — TAILS + Tor + VPN + Electrum — is a layered defence against both blockchain analysis and traditional digital forensics. It is also, I should note, essentially the same operational security configuration recommended in legitimate privacy guides. The tools are neutral. The application determines whether they serve privacy or criminality.
My assessment: the staging phase described in the manual is technically sound. A self-hosted wallet on TAILS, accessed through Tor and a VPN, does effectively prevent both the staging platform from screening incoming funds and law enforcement from linking the wallet activity to a specific device or location through conventional digital forensics. The dirty Bitcoin enters a holding environment that is functionally invisible to compliance systems.
The limitation is that the Bitcoin itself remains dirty. It has not been laundered. The blockchain record still shows funds flowing from tainted addresses to the Electrum staging wallet. The next phase is where the laundering begins.
Phase 2: Cleaning and Cash-Out
The manual’s second phase addresses the core challenge: converting dirty Bitcoin — which would be flagged or frozen at any compliant exchange — into usable fiat currency. The manual proposes two primary methods, which can be used independently or in combination.
Method 1: Peer-to-peer exchange via Onion Market
The first cash-out method involves transferring Bitcoin from the Electrum staging wallet to Onion Market, a Telegram-native peer-to-peer cryptocurrency exchanger.
Onion Market operates as a peer-to-peer platform built into Telegram’s messaging infrastructure. It supports Bitcoin, Monero, Litecoin, and TON (Telegram’s native cryptocurrency). Critically, it performs no AML or KYC checks. It is not registered as a money services business or VASP in any jurisdiction. It functions as a matching service between buyers and sellers, facilitating no-KYC transactions and direct crypto-to-card withdrawals.
The manual notes that users “can withdraw money to the card right from here” — meaning that a criminal can convert Bitcoin to fiat and deposit it directly onto a payment card without passing through any identity verification or AML screening.
However, the manual includes an important caveat that reveals the author’s understanding of the forensic trail. While Onion Market will not block tainted transactions, it will “record the connection of the ‘dirty’ transaction with the card.” This means that if Onion Market’s records are ever seized by law enforcement (as happened with other Telegram-based services), the link between the dirty Bitcoin deposit and the cash-out card would be recoverable.
The manual’s mitigation for this risk is to use a “drop card” — a payment card registered in someone else’s name, typically operated by a money mule who takes a percentage of the laundered funds as commission. This connects directly to the verified accounts marketplace I documented in my companion investigation. The purchased verified accounts and their associated cards are, in many cases, the same drop cards that laundering manuals like this one recommend.
The manual also notes that, as an alternative, funds could be sent through a mixer before entering the exchanger — adding a blockchain obfuscation layer before the P2P transaction.
My assessment: Onion Market and services like it represent a genuine challenge for AML enforcement. They operate outside any regulatory framework, perform no screening, and exist within an encrypted messaging platform that is resistant to monitoring. The primary vulnerability is the platform’s own records — if seized, they provide a roadmap connecting dirty deposits to cash-out endpoints. The secondary vulnerability is the drop card: money mules are operationally unreliable, and card-based withdrawals create touchpoints in the traditional banking system that are subject to transaction monitoring. A pattern of ATM withdrawals on a card that receives crypto-sourced deposits is a detectable signal for banks and card networks, even if the exchange platform itself is invisible.
Method 2: Chain-breaking through Monero conversion
The manual’s second — and more sophisticated — cash-out method involves converting Bitcoin to Monero (XMR) as an intermediate step. The manual describes this as the technique that will “unequivocally break our connection with the original money.”
This is where the manual demonstrates the most technically informed understanding of how blockchain forensics actually works. As I explained in my article on blockchain forensic techniques, investigators trace Bitcoin by following transaction chains on the public ledger — from tainted source address through intermediate hops to the eventual deposit at an exchange or service where the funds can be attributed to an identity. Every step of a Bitcoin transaction is permanently visible.
Monero is fundamentally different. It uses three privacy technologies that together make transaction tracing substantially more difficult. Ring signatures mix each transaction with decoy inputs, obscuring the true sender. Ring Confidential Transactions (RingCT) hide the amounts being transferred. And stealth addresses generate one-time receiving addresses that cannot be linked to the recipient’s public wallet address. As a result, Monero transactions are opaque by default — the sender, receiver, and amount are all obscured.
The manual’s chain-breaking logic is straightforward: convert dirty Bitcoin to Monero (at which point the blockchain trail goes dark), hold the Monero briefly, then convert back to Bitcoin or directly to fiat through a service that accepts Monero deposits. The conversion from Bitcoin to Monero is the forensic chokepoint — once the funds are in Monero, the on-chain trail that Bitcoin’s public ledger provides to investigators is severed.
The manual specifically recommends Bitpapa for the Monero-to-fiat conversion.
Bitpapa is a UAE-registered cryptocurrency exchange that offers peer-to-peer trading across more than 100 payment methods. The manual highlights several features that make Bitpapa attractive for laundering: it accepts Monero deposits, it offers P2P exchange with direct card withdrawals, and — critically — it does not require mandatory identity verification. Registration requires only an email address.
The recommended flow is: dirty Bitcoin → Electrum staging wallet → Onion Market (BTC to XMR conversion) → Bitpapa (XMR to fiat, withdrawn to card). The chain-break occurs at the BTC-to-XMR conversion. Everything before that point is traceable on the Bitcoin blockchain. Everything after it is, from a blockchain forensics perspective, a new and unconnected set of transactions.
My assessment: the Monero chain-break is the most effective technique described in the manual, and it represents a genuine challenge for investigators. While academic research has identified theoretical weaknesses in Monero’s privacy model — particularly in transactions that use the minimum ring size — practical tracing of Monero transactions remains substantially harder than tracing Bitcoin. The technique is not foolproof: the BTC-to-XMR conversion itself is a forensic event that blockchain analysts can observe (a deposit of Bitcoin to a service known to offer Monero swaps, followed by a withdrawal of the Bitcoin by the service), and intelligence on Monero swap services is an area of active development by analytics firms. But the fundamental limitation remains: once funds enter the Monero blockchain, the transaction graph that investigators depend on goes dark.
The Bitpapa recommendation is notable for a different reason. Bitpapa is a UAE-registered entity operating a P2P exchange with no mandatory KYC. The UAE has been under increasing pressure from the Financial Action Task Force (FATF) to strengthen its AML framework, and the existence of UAE-registered exchanges that facilitate no-KYC trading is precisely the kind of regulatory gap that the FATF’s ongoing evaluation process is designed to identify. Whether Bitpapa’s operating model will survive increased regulatory scrutiny remains to be seen — but as of the time of this investigation, it represented a functional cash-out endpoint for laundered crypto.
Community Discussion: Operational Intelligence from the Comments
One of the most valuable aspects of monitoring cybercriminal communities is reading the comments. The manual itself provides a baseline methodology, but the community response — the critiques, refinements, and alternative suggestions — reveals the collective operational knowledge of the criminal user base.
The post generated 17 positive reactions, three clown emojis (indicating some users considered it amateurish or well-known), one dismissive reaction, and 11 comments. The mixed reception is itself informative: it suggests that the manual’s techniques are considered competent but not cutting-edge by the community’s more experienced members.
One commenter noted that similar cash-out services were being actively marketed on Rutor — the darknet forum that has emerged as the most prominent Russian-language marketplace following the takedown of Hydra by German and U.S. authorities in April 2022. The reference to Rutor suggests that the laundering-as-a-service ecosystem is not limited to DIY guides; it includes full-service providers who will launder funds for a commission, using techniques similar to those described in the manual.
A more substantive contribution came from a user operating under the handle “Ivett DarkWave Witch,” who advised that transitioning from crypto to cash-based payment rails increases risk exposure and that drop cards should be used when transacting through Bitpapa. This comment is operationally significant for two reasons.
First, it confirms that experienced users in these communities understand the risk topology: cash-out is the most dangerous phase of the laundering process because it creates touchpoints in the regulated financial system (bank card networks, ATM operators, payment processors) that are subject to monitoring. This understanding is consistent with what AML investigators know from studying the full laundering pipeline — the cash-out stage is where most laundering operations are detected.
Second, the recommendation to use drop cards at Bitpapa reinforces the connection between this manual and the verified accounts marketplace documented in our companion investigation. The two markets are complementary: the verified-account market provides the clean identities, and the laundering manuals provide the operational methodology for using them.
Alternative wallets and evolving OpSec
Beyond the manual itself, my monitoring identified ongoing discussions in the same and adjacent channels about wallet selection for operational security. Community members recommended Trust Wallet, MetaMask, and Blue Wallet as alternatives to Electrum for different stages of the laundering process.
Trust Wallet was recommended for its multi-chain support — enabling users to hold and swap tokens across multiple blockchains within a single interface, which facilitates the cross-chain hops that complicate blockchain tracing. MetaMask was recommended for its integration with decentralised exchanges (DEXs) and DeFi protocols, which enable token swaps without the KYC requirements of centralised exchanges. Blue Wallet was recommended for its Lightning Network support, which enables faster and potentially less traceable Bitcoin transactions through payment channels that settle off-chain.
These recommendations reveal a community that is actively tracking the capabilities and limitations of blockchain forensics tools and adapting its toolkit accordingly. The conversation is not static. It evolves in response to enforcement actions, analytics improvements, and the emergence of new privacy-enhancing technologies.
Evaluating Each Technique Against Current AML Capabilities
Having walked through the manual step by step, I want to offer a frank assessment of where each technique succeeds and fails against the current state of AML tools and investigative capabilities. This is the analysis that I believe compliance teams, regulators, and investigators most need.
Electrum staging on TAILS: effective against platform-level screening
The staging phase works. A self-hosted wallet does not screen incoming funds, and no regulatory framework compels it to. The TAILS/Tor/VPN stack provides strong protection against device-level forensics. The primary limitation is that the Bitcoin transactions themselves remain visible on the public blockchain — an investigator with access to blockchain analytics can see the funds moving from a tainted address to the staging wallet. They cannot, without additional intelligence, link the staging wallet to a specific person or device.
Detection opportunity for investigators: while the staging wallet’s operator is anonymous, the wallet’s addresses can be monitored. If the same staging wallet is reused across multiple laundering operations — a common operational security failure — the accumulated transaction history can provide clustering intelligence and volume estimates.
Onion Market P2P exchange: partially effective, operationally fragile
Telegram-based P2P exchangers defeat exchange-level AML screening by operating outside the regulated ecosystem entirely. However, they introduce three vulnerabilities.
First, the platform’s own records are a seizure risk. If law enforcement gains access to the Telegram channel’s infrastructure, bot logs, or admin devices, the link between dirty deposits and cash-out endpoints is recoverable. The takedown of Hydra demonstrated that even seemingly robust criminal infrastructure can be seized.
Second, the cash-out to a card creates a touchpoint in the regulated financial system. Card networks, issuing banks, and payment processors all operate their own monitoring systems. A card that receives frequent crypto-sourced deposits and is used for ATM withdrawals in a pattern inconsistent with normal consumer behaviour will generate alerts.
Third, the use of money mules and drop cards introduces human unreliability. Mules get caught, cooperate with law enforcement, or simply steal the funds. This is the oldest vulnerability in the money laundering process, and crypto has not eliminated it.
Detection opportunity for compliance teams: monitor for card-based deposits originating from unregulated P2P platforms, particularly when combined with rapid ATM withdrawals or transfers to other accounts.
Monero chain-break: highly effective against current blockchain analytics
The BTC-to-XMR conversion is the most technically challenging technique for investigators to defeat. Current blockchain analytics tools cannot trace transactions within the Monero blockchain with the same reliability as Bitcoin. The chain-break effectively severs the on-chain provenance trail.
The primary detection opportunities exist at the conversion points — the moment when Bitcoin is deposited into a service that offers Monero swaps, and the moment when Monero is deposited into a service for conversion back to fiat or Bitcoin. Analytics firms are developing heuristics to identify these patterns (e.g., a Bitcoin deposit to a known swap service followed by a Monero withdrawal of equivalent value), but the technique remains effective against most current tools.
Detection opportunity for exchanges: flag deposits that originate from addresses associated with known BTC-to-XMR swap services, and apply enhanced due diligence to accounts that receive funds through these pathways. This is an area where collaboration between blockchain analytics providers and exchanges is critical.
Bitpapa and no-KYC exchanges: effective until regulatory pressure closes the gap
Exchanges that operate without mandatory KYC provide a functional cash-out endpoint that bypasses identity-based controls entirely. Their continued availability depends on the regulatory environment in their jurisdiction of registration — in Bitpapa’s case, the UAE.
Detection opportunity for regulators: map the landscape of no-KYC and minimal-KYC exchanges, assess their jurisdictional compliance obligations, and apply supervisory pressure through mutual evaluation processes (FATF, regional bodies) and bilateral engagement.
The Bigger Picture: Money Laundering as a Service
The manual I discovered is not an isolated document. It is one artefact in what the cybercriminal underground increasingly describes as the “money-laundering-as-a-service” (MLaaS) economy — a comprehensive ecosystem of tools, services, guides, and infrastructure that enables criminals with technical skills to launder proceeds, and criminals without technical skills to purchase laundering as a service.
The components of this ecosystem include the staging tools (self-hosted wallets, TAILS, Tor), the mixing services (ChipMixer, Tornado Cash, Sinbad, and their successors), the P2P exchangers (Onion Market and dozens of others), the privacy coins (Monero, Zcash), the no-KYC exchanges (Bitpapa and others), the verified account marketplace (providing clean identities for cash-out), and the operational guides (like the Rags to Riches manual) that tie everything together.
Each component has been the subject of enforcement action. ChipMixer was seized in March 2023. Tornado Cash’s developer was convicted. Garantex was taken down by joint U.S.-European action. Samourai Wallet’s founders pleaded guilty. Each takedown disrupts one node in the ecosystem. And each time, the ecosystem adapts — new mixers emerge, new P2P platforms appear, new guides are written.
This is the fundamental challenge of combating crypto laundering: the criminal infrastructure is modular, distributed, and adaptive. Dismantling one service does not dismantle the capability. It forces a migration. The manual I found is evidence of this adaptability — it recommends current tools and current platforms, and the community discussion that surrounds it reflects real-time adjustments to the enforcement landscape.
What Compliance Teams Should Watch For
Based on my analysis of this manual and the broader laundering ecosystem it describes, I recommend that compliance teams at exchanges and financial institutions monitor for the following indicators.
Deposits from self-hosted wallets with short transaction histories. The staging wallet pattern described in the manual produces addresses that receive funds from tainted sources, hold them briefly, and then forward them to an exchange or service. These addresses will typically have short histories (days to weeks between first receipt and first spend) and simple transaction patterns (receive, hold, send — without the varied activity characteristic of a genuine user’s wallet).
Deposits with indirect exposure to mixing services. Current blockchain analytics tools can identify deposits that have passed through known mixers, but the manual’s technique involves additional intermediary hops between the mixer and the exchange deposit. Compliance teams should consider not only direct mixer exposure but also indirect exposure — funds that are two or three hops removed from a mixer, particularly when those intermediate hops involve self-hosted wallets with the profile described above.
Bitcoin deposits following BTC-to-XMR swap patterns. While the Monero chain-break is effective, the conversion from BTC to XMR and back to BTC produces characteristic patterns at the swap endpoints. Deposits that originate from addresses associated with known swap services — or that exhibit the timing and amount patterns characteristic of cross-chain conversion — warrant enhanced scrutiny.
Card-based withdrawals following crypto-sourced deposits. For banking and card-issuing institutions, monitor for payment cards that receive deposits from crypto platforms (particularly unregulated P2P platforms) and are then used for rapid ATM withdrawals or transfers to other accounts. This pattern is consistent with the drop-card methodology described in the manual.
Accounts that exhibit behavioural characteristics inconsistent with their KYC profile. As documented in our companion investigation, many of the accounts used for cash-out are purchased verified accounts operated by someone other than the verified holder. Behavioural analytics — monitoring for geographic anomalies, device changes, and activity pattern shifts — are the primary defence against this technique.
Conclusion
The Rags to Riches manual is not sophisticated by the standards of state-sponsored laundering operations like those conducted by North Korea’s Lazarus Group. It is a mid-level operational guide aimed at individual criminals or small groups with moderate technical skills. But that is precisely what makes it significant for the compliance community.
The most dangerous laundering is not the most sophisticated. It is the most common. The techniques described in this manual — staging in self-hosted wallets, P2P exchange through unregulated platforms, chain-breaking through Monero conversion, cash-out through no-KYC exchanges using drop cards — are accessible to anyone with basic crypto literacy and a few hundred dollars to invest in the required tools and accounts. The manual is free. The accounts cost $200–$900. The privacy tools are open-source. The total cost of a functional laundering infrastructure is less than $1,500.
The compliance response must be proportionate to the threat. Static, one-time KYC verification at account opening is necessary but insufficient. The laundering ecosystem has learned to work around it. The defence must be continuous, behavioural, and collaborative — across exchanges, across analytics providers, across jurisdictions, and between the crypto industry and traditional financial institutions whose payment networks provide the final cash-out layer.
The details of this investigation — including channel identifiers, manual content, and associated infrastructure — have been shared with relevant law enforcement and regulatory authorities.
If you have information about crypto laundering techniques, dark web laundering services, or the money-laundering-as-a-service economy, I would like to hear from you. Reach out at [email protected]. For more on how to submit information, see our tips page.