Chain Hopping: How It Works, Red Flags, and How to Detect It
Chain hopping is a money laundering technique in which illicit cryptocurrency proceeds are converted across multiple blockchain networks in rapid succession to break the on-chain audit trail. It belongs to the layering phase of AML typologies. Investigators can't follow funds across chain boundaries without specialized analytics, which is exactly why criminals use it.
What is Chain Hopping?
Chain hopping is a money laundering technique in which illicit cryptocurrency proceeds are converted across multiple blockchain networks in rapid succession to obscure their origin and break the on-chain audit trail. It sits squarely within the layering phase of the classic AML three-stage model: placement, layering, integration. The goal is to exploit the discontinuous transaction histories between different blockchains, making it extremely difficult for investigators to trace funds from their criminal source to their final destination.
The technique became widespread as decentralized exchange infrastructure and cross-chain bridge protocols matured through 2020 and 2021. By July 2020, FATF had formally identified rapid cross-chain asset conversion as a high-risk typology in its virtual asset red flag guidance. Europol's 2022 Internet Organised Crime Threat Assessment noted chain hopping as a standard obfuscation technique used by ransomware groups, darknet market operators, and state-sponsored actors.
Chain hopping is distinct from cryptocurrency mixer laundering in one important way: it doesn't depend on a centralized mixing service that regulators can target and shut down. It uses decentralized cross-chain bridges, atomic swap protocols, or DEX aggregators, which makes infrastructure-level blocking much harder. The gap between different blockchains' transaction histories is what makes the technique attractive. A transaction starts on Bitcoin, converts to Monero via a cross-chain swap, then re-emerges on Ethereum as an apparently clean token, with no direct on-chain link between the original and final addresses visible to a standard blockchain explorer.
How does Chain Hopping work?
The sequence generally runs in four stages.
Stage 1: Origin chain. The criminal receives or aggregates funds on one blockchain, usually Bitcoin or Ethereum, from a predicate crime: ransomware payment, proceeds from a darknet market, or an exchange hack. This is often the only stage where the funds are directly traceable to the crime event.
Stage 2: First conversion. Funds move through a cross-chain bridge, atomic swap protocol, or a centralized exchange operating with minimal KYC. Privacy coins are frequently introduced at this stage. Monero is the most common choice because its transaction graph is opaque by design, unlike Bitcoin or Ethereum where all transfers are publicly visible.
Stage 3: Second or third hop. The funds re-emerge on a different blockchain with a fresh address cluster that has no direct transaction history linking it to the origin chain. The criminal may repeat this step across one or two additional chains before arriving at the intended destination.
Stage 4: Integration. Funds convert back to a high-liquidity asset (USDT, ETH, BTC) and exit through a fiat off-ramp or fund further criminal infrastructure.
Illustrative scenario: A ransomware group receives 50 BTC from a victim company. Within six hours, they use a DEX bridge to convert 48 BTC into Monero at a non-KYC exchange. The Monero is sent to a fresh wallet cluster. Three days later, those funds are swapped via a second bridge to USDC on Ethereum, deposited into a DeFi protocol briefly for apparent yield activity, then withdrawn to a new Ethereum address and gradually converted to fiat through a high-volume exchange in a jurisdiction with limited AML enforcement. The Bitcoin addresses are publicly traceable. The Monero segment is analytically opaque. The Ethereum addresses show no blockchain connection to the original 50 BTC.
This is why chain hopping pairs so naturally with decentralized finance laundering and why ransomware groups specifically favor privacy chains as an intermediary hop.
Red flags and indicators
Effective detection depends on combining transaction-level signals with account and network-level context.
Transaction-level signals
- Rapid conversion from one blockchain to another within minutes of receipt, with no apparent trading rationale
- Use of privacy coins (Monero, Zcash, Dash) as an intermediary asset at any point in the sequence
- Cross-chain bridge transactions followed immediately by fresh address clustering on the destination chain
- Transaction amounts sized just below KYC thresholds at each conversion point, consistent with the smurfing and structuring logic adapted to crypto
- Round-number conversions between chains with no market-rate explanation
Account-level signals
- Customer accounts suddenly active on a second blockchain not previously used
- Multiple accounts at the same VASP executing coordinated cross-chain transfers in the same window
- Customer converting a large proportion of holdings to privacy coins without investment rationale
Network-level signals
- Graph analysis placing a known high-risk address in the transaction ancestry, separated by one or two conversion events
- Multiple hops completed within 15 minutes across at least two different blockchains
- Bridge addresses flagged by blockchain analytics vendors receiving from flagged source clusters
Behavioral signals
- Customer queries about cross-chain bridge functionality shortly before executing large transfers
- Account access from an unusual location immediately before multi-chain activity
- Refusal or inability to explain the purpose of cross-chain conversions during enhanced due diligence
Notable real-world cases
United States v. Ilya Lichtenstein and Heather Morgan (2022): The DOJ charged the couple with laundering approximately 119,754 Bitcoin, valued at around $4.5 billion at the time of seizure, stolen in the 2016 Bitfinex hack. Investigators documented extensive use of chain hopping, DEX protocols, and privacy coin conversions to break the transaction trail over six years. The case showed that even sophisticated multi-chain obfuscation can be reconstructed through persistent blockchain analysis. Full details at the DOJ press release.
Lazarus Group / North Korea (ongoing): The UN Security Council Panel of Experts has documented North Korea's systematic use of chain hopping to launder cryptocurrency stolen from exchanges and financial institutions. The 2024 Panel report (UN Document S/2024/215) estimated North Korea stole approximately $3 billion in crypto between 2017 and 2023. Cross-chain conversion through DEX bridges and privacy coins was a consistent feature of each laundering campaign.
FATF Virtual Assets Red Flag Report (2020): FATF's July 2020 report formally identified rapid cross-chain conversion as a typology warranting SAR filing, with specific guidance on how VASPs should treat privacy-coin intermediary transactions. Available at https://www.fatf-gafi.org/en/publications/Methodsandtrends/Red-flag-indicators-virtual-assets.html.
FinCEN Advisory FIN-2019-A003: FinCEN's May 2019 advisory on convertible virtual currency explicitly addressed cross-chain and privacy-coin conversion as areas of heightened SAR obligation for money services businesses and VASPs. Available at https://www.fincen.gov/sites/default/files/advisory/2019-05-09/FinCEN%20CVC%20Advisory%20FINAL%20508.pdf.
How to detect Chain Hopping
Detection requires layering rule-based alerts, graph analysis, and behavioral monitoring. No single method covers the full typology.
Rule-based detection is the starting point. Set alerts for cross-chain bridge transactions above defined size thresholds. Flag direct interactions with known high-risk bridge contracts or unregulated DEX aggregators. Apply velocity checks on privacy-coin conversions: any account moving to or from Monero, Zcash, or Dash in a rolling 7-day window should trigger enhanced review automatically. These rules catch the obvious cases. On their own, they won't catch the sophisticated ones.
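The rules above, together with the 15-minute multi-hop red flag from the indicator list, can be expressed as a small evaluator. This is an added example, not FluxForce code or part of the original page. The event schema, rule names, and the 10,000 USD bridge threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

PRIVACY_COINS = {"XMR", "ZEC", "DASH"}   # Monero, Zcash, Dash
BRIDGE_USD_THRESHOLD = 10_000            # assumed value; set per risk policy
PRIVACY_WINDOW = timedelta(days=7)       # rolling window named in the text
HOP_WINDOW = timedelta(minutes=15)       # window from the red-flag list

def evaluate(events, now):
    """Return {account: sorted rule names that fired} for normalized events."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account.setdefault(e["account"], []).append(e)
    alerts = {}
    for account, evs in by_account.items():
        fired = set()
        for i, e in enumerate(evs):
            if e["kind"] == "bridge" and e["usd"] >= BRIDGE_USD_THRESHOLD:
                fired.add("large_bridge_transfer")
            recent = timedelta(0) <= now - e["ts"] <= PRIVACY_WINDOW
            if recent and {e["src_asset"], e["dst_asset"]} & PRIVACY_COINS:
                fired.add("privacy_coin_7d")
            # Movements starting at e that complete inside the 15-minute window.
            burst = [x for x in evs[i:] if x["ts"] - e["ts"] <= HOP_WINDOW]
            chains = {c for x in burst for c in (x["src_chain"], x["dst_chain"])}
            if len(burst) >= 2 and len(chains) >= 2:
                fired.add("rapid_multi_chain_hops")
        if fired:
            alerts[account] = sorted(fired)
    return alerts

def ev(account, ts, kind, src_chain, dst_chain, src_asset, dst_asset, usd):
    return dict(account=account, ts=ts, kind=kind, src_chain=src_chain,
                dst_chain=dst_chain, src_asset=src_asset, dst_asset=dst_asset, usd=usd)

NOW = datetime(2024, 3, 10, 12, 0)
T0 = NOW - timedelta(hours=2)
# Constructed sample events, not real transactions.
SAMPLE = [
    ev("acct-A", T0, "transfer", "bitcoin", "bitcoin", "BTC", "BTC", 90_000),
    ev("acct-A", T0 + timedelta(minutes=6), "bridge", "bitcoin", "monero", "BTC", "XMR", 88_000),
    ev("acct-B", NOW - timedelta(days=1), "swap", "ethereum", "ethereum", "ETH", "USDC", 1_200),
    ev("acct-C", NOW - timedelta(days=10), "bridge", "monero", "ethereum", "XMR", "ETH", 500),
    ev("acct-C", NOW - timedelta(days=2), "bridge", "ethereum", "polygon", "USDC", "USDC", 4_000),
]

if __name__ == "__main__":
    for account, rules in evaluate(SAMPLE, NOW).items():
        print(account, rules)
```

Only acct-A fires here. acct-C's Monero conversion falls outside the 7-day window and its bridge transfers are below the assumed threshold, which shows how much the outcome depends on where those parameters are set.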
Graph-based and network analysis is where most detection value sits. Blockchain analytics vendors maintain hop-aware tracing that follows fund paths across chains where bridges leave verifiable cross-chain receipts. Configure your analytics to alert on funds within three hops of a flagged cluster, not just direct contact. Chain hopping typically places one or two bridging transactions between the criminal source and the apparent clean destination, so a two-hop or three-hop threshold is appropriate.
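A sketch of hop-aware tracing with the three-hop threshold, written as a breadth-first search over on-chain transfers joined by bridge receipts. This is an added example, not a vendor's or FluxForce's implementation. The record fields and address labels are assumptions, the data is constructed, and a bridge receipt is assumed to pair a depositor on the source chain with a recipient on the destination chain.

```python
from collections import deque

MAX_HOPS = 3   # alert threshold suggested in the text

def build_edges(transfers, bridge_receipts):
    """On-chain transfers plus receipts that pair a bridge deposit with its release."""
    edges = [((t["chain"], t["src"]), (t["chain"], t["dst"])) for t in transfers]
    for r in bridge_receipts:
        edges.append(((r["src_chain"], r["depositor"]),
                      (r["dst_chain"], r["recipient"])))
    return edges

def trace(flagged, edges, max_hops=MAX_HOPS):
    """Breadth-first walk of fund flows from flagged (chain, address) nodes.

    Returns {node: hop distance} for every node reachable in at most
    max_hops edges, excluding the flagged nodes themselves.
    """
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
    dist = {node: 0 for node in flagged}
    queue = deque(flagged)
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand past the alert threshold
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return {n: d for n, d in dist.items() if d > 0}

# Constructed data: labels are placeholders, not real addresses.
FLAGGED = [("bitcoin", "btc-flagged")]
TRANSFERS = [
    {"chain": "bitcoin", "src": "btc-flagged", "dst": "btc-hop1"},
    {"chain": "ethereum", "src": "eth-fresh", "dst": "eth-exit"},
    {"chain": "ethereum", "src": "eth-exit", "dst": "eth-far"},
]
RECEIPTS = [{"src_chain": "bitcoin", "depositor": "btc-hop1",
             "dst_chain": "ethereum", "recipient": "eth-fresh"}]

if __name__ == "__main__":
    print("with receipts:   ", trace(FLAGGED, build_edges(TRANSFERS, RECEIPTS)))
    print("without receipts:", trace(FLAGGED, build_edges(TRANSFERS, [])))
```

Without the receipt, the trace stops at the last address on the origin chain, which is the gap the technique relies on. With it, the Ethereum addresses fall inside the three-hop alert radius.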
Behavioral analytics adds the account layer. Peer-group comparison against similar customer profiles surfaces anomalous cross-chain activity. A retail crypto investor converting significant holdings to privacy coins is statistically rare relative to their cohort. Combine this with login anomaly detection, device fingerprinting, and geographic signals to correlate behavioral shifts with transaction timing.
SAR coordination matters here. The multi-chain nature of chain hopping means the full transaction path often spans multiple institutions' reporting. Participation in information-sharing programs like FinCEN's Section 314(b) significantly improves the chance of pattern detection across firms.
This typology regularly appears alongside layering and is often combined with money mule networks at the fiat exit stage, which is worth accounting for in your detection model design.
Which regulations cover Chain Hopping
FATF Recommendation 15 requires all jurisdictions to apply AML/CFT obligations to virtual asset service providers. Updated guidance issued in 2021 explicitly addresses cross-chain and DeFi risks. Full text and guidance available at https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Guidance-rba-virtual-assets-2021.html.
EU MiCA (Markets in Crypto-Assets Regulation) and the revised Transfer of Funds Regulation, both in force from 2024, require VASPs operating in the EU to apply full KYC on transfers above 1,000 EUR and to report suspicious cross-chain activity to their national FIU.
FinCEN's Bank Secrecy Act requirements, reinforced by the 2020 CVC ANPRM and provisions in the 2022 Infrastructure Investment and Jobs Act, make clear that US money services businesses must file SARs on transactions involving unhosted wallets and cross-chain conversions with laundering indicators.
The UK's POCA 2002 and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) apply to UK-registered cryptoasset firms. The FCA requires registered firms to have controls capable of detecting cross-chain obfuscation.
Institutions operating in multiple jurisdictions should also review the sanctions evasion via shell companies dossier: chain hopping is a consistent technique in sanctions evasion schemes and triggers parallel reporting obligations under OFAC and UN Security Council measures.
How FluxForce detects Chain Hopping
Aiden Flux monitors cross-chain bridge transactions in real time and applies behavioral analytics to flag accounts executing rapid multi-chain sequences within configurable time windows. Nova Sentinel runs network graph analysis across transaction history and traces fund paths up to five hops from a flagged address across supported blockchains. When a pattern matches, the system generates a full evidence package with decision explanations attached. Automated SAR drafting initiates immediately. Book a demo at fluxforce.ai to see chain hopping detection in action.
How FluxForce detects chain hopping
FluxForce AI agents monitor chain hopping-related patterns in real time, surface red-flag activity for analyst review, and produce evidence-backed decisions with full audit trails.