Crypto Kiosks in the Crosshairs: Fraud, Money Laundering, and the Compliance Crisis

Money laundering and fraud are increasingly creeping into everyday life through Bitcoin ATMs and other digital currency kiosks, and it’s all happening right in plain sight. These machines—once considered fringe tech curiosities—are now common fixtures in gas stations, convenience stores, and shopping centers. But as they’ve become more mainstream, they’ve also become ideal tools for scam payments and illicit financial activity. With criminals exploiting glaring weaknesses in oversight, banks and regulators are struggling to contain the collateral damage. The U.S. Financial Crimes Enforcement Network (FinCEN) has issued an urgent warning: convertible virtual currency (CVC) kiosks are at the heart of a dangerous surge in money laundering, placing both financial institutions and ordinary people at escalating risk.

The explosion in scam-related payments and money laundering via CVC kiosks is impossible to ignore. These kiosks—commonly referred to as crypto ATMs—have been embraced for their convenience, offering a simple on-ramp into digital assets. But that ease of use has brought serious vulnerabilities. Processing billions of dollars annually, and with tens of thousands of units now operational across the U.S., Europe, and other regions, CVC kiosks have drawn sharp scrutiny from law enforcement and financial regulators. Scam payments and traditional money laundering are now frequently intertwined, and these machines are often the vehicle for both.

At their core, CVC kiosks facilitate the conversion of cash into crypto or vice versa—often requiring nothing more than a phone number or a scanned ID to complete a transaction. Criminals have taken full advantage of this. Scammers impersonating tech support agents, romantic partners, or government officials routinely direct victims to deposit cash into these kiosks. The funds are then immediately transferred to digital wallets under criminal control, sometimes routed through kiosks in multiple jurisdictions to obscure their origin. This tactic, known as “layering,” is a fundamental stage in money laundering schemes, and kiosks are increasingly favored for this process. Both FinCEN and the Financial Action Task Force (FATF) have raised alarms about the role kiosks play in enabling drug trafficking, tax evasion, and organized crime.

The lack of strong customer due diligence, uneven enforcement of the Bank Secrecy Act (BSA), and weak transaction monitoring systems have created fertile ground for abuse. In the U.S., authorities have traced illicit activity back to CVC kiosks operated by drug trafficking organizations, who structure deposits to stay beneath mandatory reporting thresholds. Compliance officers in banks are now regularly flagging deposits linked to scams—many targeting elderly victims who are told to use kiosks to resolve fabricated tech issues or government fees.

FinCEN has responded by ramping up regulatory pressure. In its latest notice, the agency emphasizes the growing urgency of the threat and calls on all financial institutions—including banks, credit unions, payment processors, and kiosk operators—to intensify efforts to identify and report suspicious activity. FinCEN highlights three key areas of concern: scam payments, cybercrime, and money laundering tied to organized crime groups.

Globally, the pattern is strikingly similar. In the UK, the Financial Conduct Authority (FCA) has carried out high-profile raids on unlicensed kiosks. Authorities in Spain and Germany have dismantled laundering networks that funneled millions of euros through clusters of crypto ATMs—networks made possible by poor oversight and inconsistent Know Your Customer (KYC) enforcement. Australia's financial watchdog AUSTRAC and Canada’s FINTRAC have both revised their guidelines to require stronger onboarding and mandatory suspicious transaction reporting from kiosk providers.

Across jurisdictions, regulators are echoing a common warning: “CVC kiosks are a weak link in the global fight against illicit finance.” FATF’s latest guidance and mutual evaluation reports repeatedly flag crypto ATMs as high-risk entities, urging harmonized licensing regimes, stricter ID checks, and real-time monitoring systems as essential measures to combat fraud and laundering.

But enforcement gaps persist. In the United States, not all states enforce strong money services business (MSB) oversight. Many kiosks are operated by small companies that lack the financial and technological resources to run comprehensive anti-money laundering (AML) programs. Some even deliberately design their machines to accept structured transactions that fall below ID or reporting thresholds. Banks servicing these operators also face “de-risking” dilemmas, with several well-known account closures occurring after compliance breaches linked to kiosk activity.

Understanding the mechanics of how fraud and money laundering intersect at these kiosks is critical for compliance officers. FinCEN’s notice, along with typology reports from global authorities, identifies several recurring schemes. In scam payments, for instance, victims are contacted by fake tech support agents, phony romantic partners, or impersonators of government officials—all of whom instruct them to deposit cash into nearby kiosks. The kiosk processes the transaction, converting it to crypto and sending it to the scammer via QR code.

Then there’s layered laundering. Criminal groups break up large sums of cash into smaller, less suspicious amounts, deposited at various kiosks to avoid detection. The funds are converted into crypto, shuffled between wallets, then off-ramped into foreign accounts or used to buy goods and services. Synthetic ID fraud is another major vector: some operators, knowingly or otherwise, accept fake or stolen identification documents to enable anonymous, high-value transactions. International police agencies like Interpol and Europol have flagged cases in which human trafficking proceeds were laundered through CVC kiosks, citing the anonymity and speed of cross-border transfers as key enabling factors.

FinCEN, the FATF, and other watchdogs have identified several red flags: multiple transactions that sit just below identification or reporting thresholds; repeated deposits made at different kiosk locations within a short time span; large deposits from first-time users or individuals with no history of digital asset activity; transactions tied to wallets flagged by law enforcement; and operators who fail to file Suspicious Activity Reports (SARs) or maintain records of beneficial ownership.

Recent case studies underscore the scale of the threat. In California, a 2025 investigation uncovered a cluster of kiosks linked to over $6 million in tech support scam losses, most involving elderly victims. In Madrid, authorities dismantled a laundering ring that funneled millions in drug proceeds and tax evasion money through crypto ATMs.

FinCEN’s message is unequivocal: compliance officers, banks, and kiosk operators must treat this threat with the seriousness it demands. “Check-the-box” compliance is no longer sufficient. Instead, regulators expect proactive, tech-driven, and ongoing vigilance.

Key expectations include implementing robust KYC protocols directly at the kiosk. Even low-value transactions should trigger real-time ID verification, possibly including biometrics or database checks, to combat synthetic identity fraud. Transaction monitoring systems should be automated and capable of identifying structuring behavior, rapid use of multiple kiosks, or links to high-risk wallets. SAR filing must be timely and thorough, especially when transaction patterns align with known scam or laundering typologies. Banks are expected to conduct rigorous due diligence before onboarding kiosk operators, including verifying MSB registration, reviewing AML program quality, and conducting site visits or independent audits.

Public education is also critical. Banks and kiosk operators alike should invest in campaigns to warn consumers—particularly seniors—about common scams and the dangers of sending money via crypto kiosks.

Meanwhile, regulatory tightening continues on the global stage. The European Union’s Sixth Anti-Money Laundering Directive (6AMLD) and the upcoming Markets in Crypto-Assets Regulation (MiCA) promise to impose harsher penalties and greater oversight on virtual asset service providers, including kiosk operators. Australia’s proposed reforms are expected to further restrict anonymous cash-to-crypto transactions.

On the technological front, innovation is happening—but unevenly. Startups are deploying AI-powered solutions that analyze transaction flows, detect suspicious wallets, and automate ID verification. Yet many smaller kiosk operators struggle to afford or implement these tools, leaving them out of step with regulatory expectations.

For banks and financial institutions, the takeaway is clear. CVC kiosks may offer convenience and access, but they also bring serious financial crime risk. Those servicing kiosk operators must treat them as high-risk clients and adjust their compliance frameworks accordingly. This includes updating risk assessments, tracking transaction activity, and working closely with law enforcement and industry peers to stay ahead of emerging typologies.

Failure to heed FinCEN’s warnings could result in severe penalties, license revocations, and irreparable reputational damage. But the consequences go far beyond regulation. The victims of these schemes—often elderly, often financially vulnerable—are suffering real, devastating losses.

The path forward demands collaboration, investment in compliance technology, and bold regulatory action. Only then can financial institutions and kiosk operators play their part in protecting the integrity of the financial system from the growing threat of fraud and laundering. As the data shows, the stakes are high—and the cost of inaction is already painfully clear.

By fLEXI tEAM