To: FATF Virtual Asset Contact Group
Regarding: Revisions to R.16/INR.16 Recommendations for Virtual Assets Travel Rule (TR) – Urgent Concerns and Alternative Solutions
Executive Summary
The current application of the Travel Rule (TR) to virtual assets poses significant risks to users that users of traditional financial products and services do not face. The TR threatens both the financial security and the physical security of cryptocurrency holders.
The TR creates a correlation risk for virtual asset users that other financial services customers do not face, by exposing current account balances and transaction histories tied to their physical addresses. This correlation risk is unprecedented. We believe these risks posed to the average virtual asset user outweigh the purported benefits.
The Travel Rule, as it currently applies to cryptocurrency, does not account for technological advances that would be more effective and efficient at stopping illicit finance on virtual asset platforms.
This document outlines these risks, proposes alternative solutions, and urges the FATF to reconsider the current implementation of the TR for digital assets.
Introduction
Since the FATF has agreed not to bring VASPs directly into the scope of R.16, the Travel Rule Information Sharing Alliance (TRISA) has prepared the following feedback and recommendations for the Virtual Asset Contact Group (VACG) to consider in future updates. Initially designed for traditional financial systems, the TR is ill-suited for the unique characteristics of blockchain technology, creating vulnerabilities not present in traditional finance.
Correlation Risk Caused by Applying Travel Rule to Blockchain Transactions
The Crypto Travel Rule is dangerous because it applies banking regulations to digital asset transactions permanently stored on public ledgers. This legacy rule creates an existential threat for asset users because it serves as a honeypot for criminals and foreign governments, imposing a correlation risk that other banking customers do not face.
The TR was devised in the context of an earlier generation of technology. It does not translate well to the cryptocurrency generation. Applying the Travel Rule to virtual asset transactions creates risks that are not present in traditional financial services because bank ledgers are private, and virtual assets are on public ledgers. By requiring VASPs to send the customer’s name, physical address, public blockchain address, and other unique identifiers, it links this Personally Identifiable Information (PII) to public transaction history and current account balances on the blockchain.
Globally, the Financial Action Task Force (FATF) recommended a 1000-dollar threshold, and early adopters, including Singapore and Switzerland, require travel rule data exchange for all transactions, regardless of amount. EU VASPs must also capture this highly sensitive data from unhosted wallets. Many VASPs will require Travel Rule exchanges for all transactions to ensure and ease compliance.
This data is an easy and convenient source – a rich “honeypot” – for violent criminals, phishers, extortionists, hackers, fraudsters, and pig butchers because, unlike the banking travel rule, the virtual asset travel rule links users' current account balances and transaction history to their physical addresses, enabling bad actors to correlate the names, locations and wealth of their victims.
Feared Outcome:
Implementation of the Travel Rule as proposed will likely accelerate socially engineered theft and fraud, which could reach tens of billions of dollars annually, causing immeasurable harm to the legitimate owners of virtual assets and potentially funding evil acts against society at large.
Large cryptocurrency holders will be targets of physical violence at home and while traveling to speak at conferences. David Balland, CEO of Ledger, was recently held for ransom and lost a finger in the kidnapping.
Better Ways to Combat Virtual Asset Money Laundering and Terrorist Financing
The Travel Rule does not fit the technology innovations and payment flows associated with virtual assets. Moreover, it does not significantly help stop the use of digital assets in criminal activity, whether it’s ransomware, pig butchering, or other scams and illicit activities.
All digital asset transactions are stored on immutable, public blockchains that record blockchain addresses, transaction IDs (hashes), and the amounts transacted. Blockchain addresses are pseudo-anonymous and can be de-anonymized by analytics, VASPs, and social engineering.
Although VASPs use blockchain analytics for AML, there is often a delay in the movement of crypto and the collection and correlation of attribution data. As in cybersecurity, using indicators versus evidence would improve the money laundering catch rate. Numerous vetted sources of indicators of criminal activity are ignored and should be incorporated, including trusted data from the crypto-ISAC, SEAL-ISAC, Ransomwhe.re, and vetted DUNE dashboards.
Since cryptocurrencies and DeFi enable programmable layering and laundering of virtual assets at unprecedented speeds, technologically advanced tools, including AI and kill switches, must be deployed to combat Virtual Asset Money Laundering (VAML). Tether, Circle, and others have demonstrated how effective kill switches can be in preventing losses.
The bulk of VAML/TF is from the proceeds of crypto crimes. Reducing and blocking the proceeds of these crimes is the most effective way to reduce VAML. VASPs, DApps, and wallets are juicy targets for cybercriminals, as evidenced by the $1.5B Bybit theft in 2025, on top of $2.4B in 2024 crypto heists, $500M in drained wallets, and over 5,000 ransomware attacks.
The North Korean Lazarus group has refined high-velocity Virtual Asset Money Laundering techniques used to move $160 million, which was funneled through illicit channels. Approximately 68% of the funds were laundered within a week. The Lazarus Group used a multi-pronged approach to obfuscate the trail of the stolen funds:
- Conversion to bitcoin
- Use of mixers
- Decentralized Exchanges and Cross-Chain Bridges
- Layering Through Intermediary Wallets
Controls and Know Your Customer (KYC) requirements on VASPs, the traditional off-ramps, have tightened, and laundering has migrated to the path of least resistance: DeFi.
Recommendations for Updating The Virtual Asset Travel Rule
Based on the correlation risks that virtual asset users face under the travel rule, the use of public ledgers to record transactions, and significant advances in artificial intelligence and zero-knowledge proofs, TRISA offers these ten recommendations:
- Minimize Data Sharing: Limit the data required for TR compliance to the absolute minimum (e.g., name, address, and transaction identifier (hash)).
- Encrypt Data: Encrypt all Travel Rule data in motion and at rest.
- Integrate Analytics with Indicators: Combine blockchain analytics with indicators of compromise.
- Utilize AI for AML: Employ AI to identify money laundering and layering patterns.
- Deploy Kill Switches: Implement kill switches at VASPs and DApps.
- Proof of Reserves and Liquidity: Mandate VASPs to publish proof of reserves and liquidity.
- SBOMs: Require Software Bill of Materials (SBOMs) for VASPs, DApps, and wallets.
- Secure Information Sharing: Establish secure information-sharing mechanisms with vetted counterparties.
- Zero-Knowledge Proofs: Accept Zero-Knowledge Proofs for proof of control of un-hosted wallets.
- Digital Identity: Replace physical documentation requirements with robust digital identity solutions and Zero-Knowledge Proofs.
Conclusion
The Travel Rule is ill-suited for the unique characteristics of blockchain technology and creates vulnerabilities not present in traditional finance. This document outlines these risks, proposes alternative solutions, and urges the FATF to reconsider the current implementation of the TR for digital assets. We urge the FATF to adopt a more nuanced, technology-driven approach that prioritizes user security and leverages the unique capabilities of blockchain technology.
We welcome feedback and invite you to continue the dialogue with the VACG. You’re also welcome to join one of our weekly working group calls.
Regards,
Travel Rule Information Sharing Alliance
John Jefferies, Co-Chairman TRISA on behalf of the Working Group
Additional information and links
Deeper Analysis of Fund Laundering Velocity Following Bybit Cryptocurrency Heist Attributed to Lazarus Group
https://docs.google.com/document/d/1QbI2QLMNlZ2ir0dHMcn27ePlGeM-PmqOCg99Ww7VGgw/edit?usp=sharing
$100M Ledger Kidnapping: How Crypto Millionaires Became Crime Targets
https://www.forbes.com/sites/boazsobrado/2025/01/25/the-100m-wrench-attack-how-crypto-millionaires-became-crime-targets/
Kidnapped co-founder of French crypto firm Ledger had his hand mutilated
Toronto crypto company CEO kidnapped, held for $1M ransom before being released
https://www.cbc.ca/news/canada/toronto/kidnapping-toronto-businessman-cryptocurrency-1.7376679
How phishing attacks target crypto whales: The Blast Network case
https://cointelegraph.com/learn/articles/how-phishing-attacks-target-crypto-whales
Ledger Users Targeted by Phishing Emails: Phishing attacks are becoming a major problem in the crypto world
https://www.altcoinbuzz.io/cryptocurrency-news/beware-ledger-users-targeted-by-phishing-emails/