
DOJ, FinCEN Reach Resolutions With Virtual Asset Trading Platform Over AML Violations

Government documents say Paxful operated for years without a compliance officer, AML training or transaction monitoring controls

by Roberto Gonzalez, Elizabeth Hanft and Samuel Kleiner
January 9, 2026

The DOJ and FinCEN reached resolutions with Paxful, a US-based virtual currency trading platform, over Bank Secrecy Act and AML violations spanning from 2015 through 2023. Roberto Gonzalez, Elizabeth Hanft and Samuel Kleiner of Paul, Weiss examine the enforcement actions, which revealed a platform that operated for years without a compliance officer, marketed itself as not requiring KYC and failed to file a single SAR until November 2019 despite awareness of suspicious and criminal activity. 

In December, the DOJ and FinCEN announced concurrent resolutions with Paxful, a US-based online virtual currency trading platform, relating to Bank Secrecy Act/AML violations.

In the DOJ matter, Paxful, which no longer operates in the US, pleaded guilty to a three‑count criminal information alleging conspiracies with two senior executives to willfully fail to maintain an effective AML program (from July 2015 through at least November 2019), operate an unlicensed money transmitting business and violate the Travel Act. The DOJ determined that the appropriate criminal fine was $112.5 million, but that fine was reduced to $4 million based on Paxful’s inability to pay. The DOJ alleged that Paxful had engaged in a conspiracy with two senior executives: co-conspirator 1 (who served as president/CEO) and Artur Schaback (who served as chief technology officer/chief operating officer/chief product officer). Schaback had previously pleaded guilty to criminal charges in relation to AML deficiencies at Paxful. 

In the parallel civil action, FinCEN issued a consent order against Paxful based on willful violations of the BSA for the period February 2015 to April 2023 and assessed a $3.5 million civil money penalty (crediting $1.75 million against the DOJ criminal fine). 

In announcing the guilty plea, acting Assistant Attorney General Matthew R. Galeotti of the DOJ’s Criminal Division stated that “Paxful made millions of dollars in part by knowingly moving cryptocurrency for the benefit of fraudsters, extortionists, money launderers and purveyors of prostitution” and highlighted that Paxful “attracted its criminal clientele by promoting its lack of anti-money laundering controls and its deliberate decision not to identify its customers.” Similarly, FinCEN Director Andrea Gacki noted that “[f]or years, Paxful disregarded its BSA obligations and facilitated transactions associated with illicit activity and high-risk jurisdictions, such as Iran and North Korea.”

The enforcement actions underscore the continued expectations by DOJ and FinCEN that virtual asset platforms maintain compliant AML programs, adhere to MSB registration requirements and file suspicious activity reports (SARs) as necessary.

DOJ criminal resolution

The DOJ alleged that from Paxful’s founding in July 2015 through at least November 2019, Paxful and the co-conspirators conspired to willfully fail to “establish, develop, implement, and maintain an effective AML program” as required by the BSA and FinCEN’s BSA regulations for money services businesses (MSBs), alleging that Paxful “did not have an AML program.”

According to DOJ, the company failed to fulfill the basic requirements of an AML program over a multi-year period, including by:

  • Failing to designate a compliance officer responsible for AML (until November 2018).
  • Failing to provide AML training for employees (until June 2019).
  • Failing to “file a single SAR,” despite being aware of suspicious and criminal activity by Paxful customers (until November 2019).
  • Failing to provide for independent compliance testing or auditing on AML (until September 2020).
  • Allowing customers to open Paxful accounts and trade and transfer funds on the website without sufficient KYC and customer identification.
  • Marketing Paxful to customers as a platform that did not require KYC.
  • Failing to establish transaction monitoring controls related to money laundering, sanctions, prostitution, and terrorist financing, among other criminal activity.
  • Misleading financial institutions and companies about Paxful’s AML program, “knowing that their program was non-existent and insufficient.”
  • Presenting an AML program to third parties that was “adapted from the AML policy of a university,” knowing that the stated programs were not implemented or enforced at Paxful.
  • Making exceptions to AML and KYC policies based on Paxful customers’ trading volumes and their relationships with the co-conspirators.

Relationship with Backpage

The second and third counts related specifically to Paxful’s relationship with Backpage, a website that was “an online advertising platform for illicit prostitution” before it was seized by the DOJ in April 2018, and a similar site from April 2018 to December 2022.

Unlicensed money transmitting business 

The DOJ alleged that from its founding in July 2015 through at least December 2022, Paxful and co-conspirators conspired to “knowingly” conduct or manage an “unlicensed” money transmission business, which DOJ defined, per 18 U.S.C. § 1960(b)(1)(C), as a money transmission business that “involves the transportation and transmission of funds that are known to … have been derived from a criminal offense and are intended to be used to promote or support unlawful activity[.]” 

According to the DOJ, the co-conspirators “sought to do business with websites they knew were engaged in advertising illegal prostitution and commercial sex services in the United States,” including Backpage and a similar site. As evidence that Paxful knew that Backpage advertised and profited from illegal prostitution, DOJ cited conversations between Paxful employees and undercover law enforcement agents. For example, in November 2016, a Paxful employee “provided advice to an undercover law enforcement agent about how to contact [Backpage] to discuss advertisements. In or around one week later, the undercover agent created a fake prostitution advertisement and posted it on [Backpage] using the ‘Pay With Paxful’ widget and bitcoin from a Paxful account.” 

The DOJ further alleged that the co-conspirators communicated with Backpage customers to assist them in opening Paxful accounts “from which they could send bitcoin to [Backpage] for commercial sex advertisements.” Moreover “[i]n various criminal proceedings, Backpage and its owners and operators admitted that Backpage advertised and profited from illegal prostitution, including illegal sex work depicting minors.”

Travel Act conspiracy

The DOJ alleged that from its founding in July 2015 through at least December 2022, Paxful and the co-conspirators conspired to violate the Travel Act through an interstate “business enterprise involving prostitution.” According to the DOJ, among other things, the co-conspirators communicated with Backpage employees, including over email, about “ways to improve their business collaboration” and “created and disseminated guides for customers associated with [Backpage], instructing them on how to use Paxful to purchase bitcoin to send to [Backpage].” DOJ further noted that the co-conspirators “created a ‘landing page’ on Paxful’s website for customers seeking payment services for commercial sex advertisements on [Backpage]” and allowed “customers seeking to send virtual currency to [Backpage] and [a similar site] to open accounts and transmit bitcoin to the sites for commercial sex advertisements.”

According to DOJ, as a result of Paxful and its co-conspirators’ payment processing for Backpage and a similar site, “Paxful facilitated the transfer of over $15 million worth of virtual currency from its escrow wallet to [Backpage] and over $2 million worth of virtual currency from its escrow wallet to [a similar site] on behalf of Paxful customers.” 

DOJ-mandated remediation

Under the plea, Paxful agreed to a $4 million criminal fine and extensive compliance and reporting undertakings. The agreement requires Paxful to review, enhance, implement and maintain a comprehensive compliance program designed to detect, deter and prevent money laundering, terrorist financing and other illicit finance risks. This includes a high-level commitment to compliance by the board and senior management; relevant policies, procedures and internal controls; transaction monitoring and reporting; risk-based identification and verification; compliance leadership with appropriate resources and direct reporting lines to internal audit and relevant management committees; formal insider risk controls; training and guidance; confidential reporting mechanisms; mechanisms to incentivize compliance and discipline violations; and periodic and risk-based reviews and testing of compliance programs.

FinCEN consent order

FinCEN determined that, from on or about Feb. 3, 2015 through April 4, 2023, Paxful willfully failed to: maintain its MSB registration; develop and implement an effective AML program; and identify and timely report suspicious activity. Paxful allowed its MSB registration to lapse for 974 days while continuing operations; had no written AML program until 2019; operated for years without a qualified AML officer, training or adequate independent testing; and did not file any SARs for over four years. FinCEN found pervasive programmatic gaps across Paxful’s compliance controls, including those related to KYC, transaction monitoring, geofencing/geo‑spoofing and high‑risk product coverage (notably prepaid access). According to FinCEN, even after Paxful implemented a written AML program in July 2019, the program “remained deficient,” including because “the policies Paxful established did not sufficiently account for the risks associated with its business lines.”

Failure to register as an MSB

FinCEN determined that Paxful initially registered as an MSB on July 27, 2015, and was required to renew that registration by Dec. 31, 2016. Paxful did not renew its registration until Sept. 3, 2019, but continued to operate its hosted wallet and P2P money transmission services between Jan. 1, 2017, and Sept. 2, 2019. FinCEN concluded that Paxful therefore operated as an unregistered MSB for 974 days in violation of 31 U.S.C. § 5330 and 31 C.F.R. § 1022.380. FinCEN noted that the former CTO later admitted to allowing the registration to lapse while Paxful continued money transmission activity.

AML program failures

FinCEN found that Paxful had no written AML program until July 2019 — over four years after beginning operations — and that the program “remained deficient even after Paxful implemented one.” Across the relevant period (February 2015 through April 2023), Paxful’s program lacked risk‑commensurate policies, procedures and internal controls; failed to provide for timely and effective transaction monitoring; was not appropriately implemented by staff; and failed to detect, escalate or report numerous red flags associated with illicit finance, including ransomware, child sexual abuse material (CSAM), darknet markets, hostile nation‑state actors and terrorist financing.

  • KYC: According to FinCEN, Paxful did not require KYC prior to February 2019, which “contributed to the establishment and maintenance of relationships with high-risk customers that conducted significant volumes of activity without appropriate risk mitigation.” For example, Paxful processed over 4 million transactions (valued at over $24 million) involving Backpage. Moreover, FinCEN explained that Paxful “actively solicited” Backpage’s business by “advertis[ing] how Backpage customers could create accounts on Paxful to sell advertisements on the Backpage platform.” According to FinCEN, “Paxful did not file a single SAR on this activity, even after the government seized Backpage in 2018.” Post-February 2019, Paxful announced new mandatory KYC requirements for its users. According to FinCEN, “these controls were deficient, applying only to users with activity that exceeded $1,500 without any controls to identify users who sought to evade these controls by structuring transactions.”
  • Unregistered MSB activity: FinCEN found that Paxful identified the risks posed by smaller unregistered P2P exchangers using Paxful, but failed to implement effective policies, procedures or internal controls to prevent exploitation by such exchangers. Although Paxful’s written program referenced obtaining MSB registrations from customers, in practice it did not implement controls to identify or mitigate unregistered MSB activity, nor did it file required SARs.
  • Geographic spoofing: FinCEN determined that Paxful failed to implement effective controls to identify or address “geographic spoofing,” including the use of VPNs to mask IP addresses and locations. Prior to January 2018, Paxful “failed to implement any meaningful IP restrictions on customer activity,” including for high‑risk or sanctioned jurisdictions, such as North Korea, Iran, Syria and Cuba. Paxful’s own assessment identified over 1,500 accounts opened between May 2015 and August 2018 with IP addresses in Iran, Syria, Cuba, Crimea or Sudan. According to FinCEN, Paxful’s “ineffective geo-spoofing controls also failed to identify tens of millions of users that logged in to its trading platform with U.S. IP addresses,” even though users were actually located abroad, including “significant volumes of users from Nigeria and China.”
  • Transaction monitoring: FinCEN found that Paxful offered hundreds of payment methods and multiple convertible virtual currencies (CVCs) without commensurate transaction monitoring. According to FinCEN, “even minimal transaction monitoring was not in place until at least 2018, more than three years after Paxful began operating,” and written transaction monitoring procedures were not adopted until July 2019. Even then, the policies “did not adequately address all of Paxful’s products and services, and left significant gaps in reviewing transactions made in prepaid access cards.” Although Paxful acquired additional blockchain analytics tools in March 2020, it “omitted coverage for several CVCs offered on its platform, meaning Paxful continued to fail to appropriately monitor all of the CVC offered on its platform.” According to FinCEN, Paxful had no ability to identify and report suspicious activity in more than 15 CVCs, including Dogecoin, Ripple, Ethereum, Tron and Tether.
  • Prepaid access transactions: FinCEN concluded that Paxful did not implement appropriate policies, procedures and internal controls to “meaningfully monitor and report illicit activity taking place in its prepaid access sales across its platform,” even though prepaid access sales were a “substantial portion” of Paxful’s overall business. According to FinCEN, from May 2015 through December 2019, iTunes and Amazon prepaid access cards were the top payment methods through Paxful, totaling over $1.7 billion. In 2020, CVC‑to‑prepaid access trades constituted over half of total weekly bitcoin volume (approximately $20 million per week). FinCEN cited internal communications in which then‑management knowingly encouraged use of the platform to dispose of “scammed iTunes cards.”
  • Transactions involving North Korea, Iran and terrorist financing: FinCEN found that Paxful’s failures in KYC, geolocation controls and transaction monitoring enabled transactions with “hostile nation-states and state-sponsored cyber criminals from Iran and North Korea.” According to FinCEN, Paxful processed thousands of trades by Lazarus Group member Yinyin Tian between October 2017 and November 2018; identified dozens of transactions with Iranian actors later designated by OFAC; permitted trading in Venezuela’s “Petro” CVC despite US prohibitions on such transactions; and permitted transactions associated with a fundraising campaign for al‑Qaeda in January 2019.
  • Compliance officer: FinCEN determined that Paxful lacked a qualified individual responsible for day‑to‑day BSA/AML compliance through 2018. Paxful listed its then‑CEO as chief compliance officer during that period despite no “BSA/AML‑specific training” or “appropriate experience to meet the compliance obligations under the BSA.” 
  • Independent testing: FinCEN found that Paxful conducted “only a single independent [AML] test” during the entire relevant period, a frequency far below what would be commensurate with Paxful’s risk profile and transaction volumes. According to FinCEN, “[a]ppropriate independent testing performed on a recurring basis would have identified AML program gaps and potentially suspicious transactions that went unreported.”
  • SARs: FinCEN identified hundreds of suspicious transactions for which Paxful failed to timely and accurately file SARs, noting that Paxful did not file a single SAR until November 2019. Failures spanned multiple typologies and high‑risk counterparties, including at least 26 ransomware strains (including SamSam, Trickbot and BitPaymer); CSAM marketplaces (including Backpage, Welcome to Video and Dark Scandals); darknet markets (including AlphaBay); at least 13 unregistered CVC mixers (including Helix) with equivalent value of over $35 million transacted; designated individuals and virtual asset service providers in Iran and North Korea; and large‑scale fraud rings (including MMM and Black Axe). FinCEN highlighted leadership resistance to SAR obligations, including “instructing employees not to file SARs on suspicious activity” and concluded that these systemic failures deprived law enforcement and national security agencies of “crucial reporting” across priority threat areas.

FinCEN resolution

FinCEN imposed a $3.5 million civil money penalty and credited $1.75 million against Paxful’s DOJ payment, leaving $1.75 million payable to Treasury. In assessing the penalty, FinCEN emphasized the egregious nature and systemic duration of the violations; harm to national security priorities through failures to file SARs; management complicity and a “culture of non‑compliance”; and financial benefit derived from growth fueled by high‑risk activity without adequate controls. Mitigating considerations included subsequent leadership changes in 2023, a SAR remediation backlog filing effort, cooperation during the investigation and the absence of prior criminal, civil or regulatory enforcement action against Paxful. FinCEN did not impose any compliance requirements.

Key takeaways

The DOJ resolution focused on the company’s willful failure to establish an AML program, including its failure to file a single SAR until November 2019 — conduct similar to that at issue in prior DOJ resolutions with several non-US virtual asset platforms. The DOJ resolution also included charges focused on the company’s extensive partnership with a third party, Backpage, that it knew was engaged in criminal activity. The FinCEN resolution, applying a civil standard, swept more broadly and encompassed deficiencies in the company’s AML program for years after it was established in 2019. 

Paul, Weiss associate Jacob Wellner contributed to this report.

Roberto Gonzalez, Elizabeth Hanft and Samuel Kleiner

Roberto Gonzalez is a partner in the Washington, D.C., office of Paul, Weiss. He draws on his experience in senior legal positions in the White House Counsel’s Office, the Treasury Department and the CFPB to help clients navigate franchise-threatening government regulatory issues; criminal, civil and congressional investigations; sensitive internal inquiries; and crisis management situations.
Elizabeth Hanft is a partner in the litigation department at Paul, Weiss in New York. Her practice focuses on white collar criminal defense and regulatory enforcement matters, internal investigations and other complex litigation.
A counsel in the Paul, Weiss litigation department, Sam Kleiner represents clients in high-stakes litigation, government and internal investigations and regulatory proceedings. Prior to joining Paul, Weiss, he served as a senior adviser to the general counsel and the under secretary for terrorism and financial intelligence at the Department of the Treasury, where he advised on sanctions, anti-money laundering, CFIUS and litigation matters.
