What Regulators Found When They Actually Looked
Yesterday I wrote about the gap between standard M&A due diligence and blockchain AML screening: the wallet history your deal team never checked. Several readers responded with a version of the same question: how bad is it actually? How contaminated can a crypto payment business really be?
The enforcement record from the past twelve months answers that question with considerable specificity. Four cases, all publicly documented, all from 2025. Taken together, they describe a threat landscape that M&A professionals evaluating crypto-adjacent businesses have no margin to ignore.
The Benchmark Case: Coinbase Europe
Start with the most credible anchor, because it’s the most instructive. In November 2025, the Central Bank of Ireland fined Coinbase Europe €21.5 million, the largest AML penalty in Irish regulatory history, and the first enforcement action the Central Bank has taken against a cryptocurrency firm.
The violation wasn’t deliberate concealment. Three coding errors in Coinbase’s transaction monitoring system caused five of its twenty-one monitoring scenarios to stop functioning. The result: over 30 million transactions, valued at €176 billion, went unmonitored for approximately twelve months. That figure represents roughly 31% of all Coinbase Europe transactions during the affected period.
When Coinbase eventually ran those transactions through the corrected system, it identified 184,790 requiring further compliance review. Of those, approximately 2,700 suspicious transaction reports were filed with the Irish Financial Intelligence Unit. The Central Bank’s settlement document noted that these reports contained suspicions associated with money laundering, fraud, drug trafficking, cyberattacks, and child sexual exploitation.
The original sanction was €30.6 million, reduced to €21.5 million under a settlement discount scheme.
Per the Central Bank’s own statement, it took Coinbase Europe nearly three years to fully complete the retrospective monitoring of the affected transactions. Three years.
The Coinbase case matters for M&A professionals precisely because Coinbase is a well-capitalized, publicly listed, compliance-conscious exchange. The lesson isn’t that Coinbase was corrupt. The lesson is that even a sophisticated VASP with substantial compliance investment can generate years of monitoring gaps from a handful of technical misconfiguration errors — and that those gaps will contain genuinely serious criminal activity. If that’s the baseline for a major legitimate operator, the due diligence implication for smaller, less-resourced targets should be obvious.
The Infrastructure Case: Garantex and Grinex
If Coinbase Europe represents compliance failure at the legitimate end of the spectrum, Garantex represents the deliberate infrastructure that illicit flows depend on.
Garantex was originally registered in Estonia in 2019. Estonia revoked its license in February 2022 due to deficient AML controls. OFAC first sanctioned the exchange in April 2022. None of this stopped it from operating. Per OFAC’s August 2025 re-designation, Garantex processed over $100 million in transactions linked to illicit activity since 2019, servicing ransomware groups including Conti, Black Basta, LockBit, NetWalker, and Ryuk. The State Department’s broader assessment puts Garantex’s total transaction volume between April 2019 and March 2025 at $96 billion in cryptocurrency.
In March 2025, a multinational law enforcement operation led by the U.S. Secret Service seized Garantex’s primary domain and froze over $26 million in cryptocurrency. Two administrators were indicted; one was arrested in India while on vacation. The operation did not end Garantex’s activities.
Per TRM Labs, Garantex’s leadership had a contingency plan in place before the seizure. Kyrgyzstan corporate records show that Grinex, Garantex’s successor exchange, was incorporated in December 2024, three months before the March disruption. Days after the seizure, Telegram channels affiliated with Garantex began promoting Grinex, with a nearly identical interface and the same operational personnel. A ruble-backed stablecoin called A7A5, backed by deposits at sanctioned Russian bank Promsvyazbank, was deployed to transfer Garantex customer funds to Grinex and restore access.
OFAC sanctioned Grinex in August 2025, along with three Garantex co-founders and six partner companies across Russia and Kyrgyzstan. Per Elliptic, the A7A5 token processed aggregate transfers valued at $41.2 billion. Grinex facilitated billions in cryptocurrency transactions within months of its creation.
The M&A implication here is less direct than the Coinbase case but equally important. Any acquisition target that transacted with Garantex-linked infrastructure — even as an intermediary hop rather than a direct counterparty — carries OFAC exposure that will surface in post-closing compliance reviews. The blockchain record of those transactions is permanent. The question is whether an acquirer discovers it before or after signing.
The Layering Case: Cryptomixer
Between November 24 and 28, 2025, German and Swiss law enforcement agencies — supported by Europol’s Joint Cybercrime Action Taskforce and Eurojust — dismantled Cryptomixer, seizing three servers in Zurich, the cryptomixer.io domain, over 12 terabytes of operational data, and €25 million in Bitcoin.
Cryptomixer had operated since 2016. Per Europol, it processed over €1.3 billion in Bitcoin across its operational lifetime, serving ransomware groups, darknet marketplace vendors, drug and weapons trafficking operations, and payment card fraud rings. North Korea-linked attackers were among its customers, per TRM Labs analysis.
The technical mechanism matters for understanding due diligence exposure. Cryptomixer operated by pooling deposited funds from multiple users for randomized periods, then redistributing equivalent amounts to destination addresses at random times. This breaks the blockchain transaction trail: the specific coins that go in can no longer be traced to the coins that come out. After mixing, funds were typically transferred to exchanges or converted to fiat through ATMs and bank accounts.
The 12 terabytes of seized operational data, including transaction logs and wallet mappings, will support follow-on investigations across multiple jurisdictions. Law enforcement now holds a record of every wallet that deposited into Cryptomixer and every wallet that received distributions from it.
For due diligence purposes, the Cryptomixer case illustrates exactly what transaction pattern analysis is designed to detect: funds routed through mixing infrastructure leave specific behavioral signatures — short holding periods before forwarding, fan-out distribution patterns, address clustering behavior inconsistent with normal transactional use. An acquisition target whose wallets show systematic mixer exposure isn’t necessarily criminal. But it carries compliance risk that an acquirer needs to price before closing, not discover afterward.
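As an added illustration (not part of the original article and not any vendor's screening logic), the sketch below checks two of the signatures named above, short holding periods and fan-out distribution, over a constructed transfer list. The wallet names, amounts, and all three thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample data: (unix_ts, sender, receiver, amount_in_smallest_units)
TRANSFERS = [
    (0,      "ext1",    "walletA",  1000),  # deposit into walletA
    (600,    "walletA", "d1",        250),  # forwarded within minutes...
    (660,    "walletA", "d2",        250),
    (720,    "walletA", "d3",        250),
    (780,    "walletA", "d4",        240),  # ...to four distinct destinations
    (0,      "cust1",   "walletB",   500),  # ordinary merchant-style wallet
    (90000,  "walletB", "supplier",  100),
    (200000, "cust2",   "walletB",   300),
    (400000, "walletB", "supplier",  200),
]

# Assumed thresholds; a real screening programme would calibrate these.
MAX_HOLD_SECONDS = 3600      # "short holding period" before forwarding
MIN_FANOUT = 4               # distinct destinations that count as fan-out
MIN_FORWARDED_SHARE = 0.9    # fraction of the deposit that must be forwarded

def flag_wallets(transfers, max_hold=MAX_HOLD_SECONDS,
                 min_fanout=MIN_FANOUT, min_share=MIN_FORWARDED_SHARE):
    """Return {wallet: finding} for wallets that forward most of a deposit
    to many distinct addresses shortly after receiving it."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for ts, src, dst, amount in sorted(transfers):
        outbound[src].append((ts, dst, amount))
        inbound[dst].append((ts, amount))

    findings = {}
    for wallet, deposits in inbound.items():
        for in_ts, in_amount in deposits:
            # Outbound transfers that fall inside the hold window of this deposit
            window = [(ts, dst, amt) for ts, dst, amt in outbound.get(wallet, [])
                      if in_ts <= ts <= in_ts + max_hold]
            destinations = {dst for _, dst, _ in window}
            forwarded = sum(amt for _, _, amt in window)
            if len(destinations) >= min_fanout and forwarded >= min_share * in_amount:
                findings[wallet] = {
                    "deposit_ts": in_ts,
                    "destinations": len(destinations),
                    "forwarded": forwarded,
                    "hold_seconds": max(ts for ts, _, _ in window) - in_ts,
                }
                break  # one qualifying deposit is enough to flag the wallet
    return findings

if __name__ == "__main__":
    for wallet, finding in flag_wallets(TRANSFERS).items():
        print(wallet, finding)
```

A flag from a heuristic like this is a prompt for review against attribution data, consistent with the point above that mixer exposure is a risk to price rather than proof of wrongdoing.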
The Scale Case: EUR 600 Million in European Investment Fraud Networks
The fourth data point comes from European authorities’ dismantling of fraud networks that laundered approximately EUR 600 million through fake cryptocurrency investment platforms and global crypto flows. These operations used complex routing through exchanges and wallets — repeated transfers to high-risk exchanges, mixer integration, jurisdictional layering through multiple countries — to move proceeds from investment fraud into the legitimate financial system.
This case category is less specifically documented in public enforcement records than the three above, but it establishes an important framing point: the contamination in crypto payment flows isn’t limited to ransomware and darknet markets. Investment fraud — which targets ordinary retail victims and institutional investors equally — generates comparable laundering volumes routed through the same exchange infrastructure that legitimate businesses use.
What the Pattern Means for Acquirers
Four enforcement actions. Twelve months. Coinbase Europe’s monitoring gaps touched €176 billion in transactions. Garantex processed $96 billion in total volume over six years, with documented illicit flows to every major ransomware group operating in that period. Cryptomixer processed €1.3 billion since 2016 and held transaction records for every wallet that used it. European fraud networks moved EUR 600 million through exchange infrastructure that overlaps with legitimate payment processing.
The practical implication isn’t that every crypto payment business is compromised. Most are not. The implication is that the infrastructure legitimate businesses operate within has been systematically used by actors who are now subjects of active enforcement, and that the blockchain records of those interactions are permanent and increasingly accessible to regulators.
The Central Bank of Ireland’s Coinbase action signals that European regulators have moved from issuing guidance to issuing fines. AMLA, the new EU Anti-Money Laundering Authority, will begin directly supervising high-risk cross-border crypto firms in 2025-2026. The EU AMLR, taking effect July 2027, extends AML obligations to crypto asset service providers in ways that will materially affect the compliance posture of any EU-connected acquisition target.
An acquirer who closes on a crypto-adjacent business without conducting blockchain AML screening is accepting unknown exposure in a regulatory environment that is actively tightening. The enforcement record from the past twelve months documents exactly what that exposure looks like when regulators find it first.

