_edited.png)
A New Vision for Financial Crime Detection
Daqiq is built for the evolving landscape of financial crime, combining advanced analytics with intuitive design to empower compliance teams.
Dynamic Intelligence
​A digital-first tool that tracks and adapts to evolving financial crime behaviors in real-time.
Compliance-Focused
Built specifically for compliance teams, risk professionals, and financial crime investigators.
Living Taxonomy
An adaptive system that evolves with new threats, ensuring you're always ahead of emerging patterns.
Intuitive Design
Sophisticated enough for intelligence units, yet clean and accessible for analysts at any experience level.
53
Total Typologies
48
FATF Identified
5
Emerging Typologies
6
Thematic Categories
Browse Financial Crime Behaviors
A clean, standardized index of financial crime methods. Condensed from hundreds of repetitive entries into a single, searchable resource.
Stay Ahead of What's Next
Exclusive, research-backed typologies that spotlight the newest shifts in financial crime behavior.
Cryptojacking Treasury Streams
Government aligned APT groups hijack computing power from compromised servers, cloud instances or licensed mega farms to mine privacy coins. The mined cryptocurrency is peeled, mixed and converted to cash to fund sanctioned regimes.
Tools/Assets:
Hijacked CPU/GPU hash-power, Monero, Bitcoin
Stage:
Multi-Stage
Primary Actors/Channels:
State sponsored mining operations, compromised infrastructure, crypto exchanges and OTC cash out networks
Flash Loans & Yield Farming Obfuscation
Criminal actors use DeFi flash loans and yield farming to launder illicit funds. Tokens are rapidly borrowed, swapped and repaid within a single transaction, while stolen crypto is cycled through liquidity pools or vaults to appear as legitimate gains, obscuring its origin.​
Tools/Assets:
Flash loan smart contracts, liquidity pools, yield farms, decentralized exchanges (DEXs)
Stage:
Layering
Primary Actors/Channels:
DeFi hackers, technical money launderers using arbitrage
State-Backed Intrusion-Driven Revenue
State backed APT groups steal, extort, mine or manufacture value through network intrusions, then convert and launder it across fiat and crypto rails. The funds move through mixers, bridges and DeFi venues to bypass sanctions and finance national objectives. Operations span coordinated compromises and rapid value conversion across many asset types.
Tools/Assets:
Stolen fiat funds, cryptocurrency ransoms (BTC, XMR), hacked exchange or bridge tokens, illicitly mined coins, digital gaming assets
Stage:
Multi-Stage
Primary Actors/Channels:
State sponsored APT groups and affiliates, illicit financial networks, DeFi and on chain laundering services, gray market trading venues
Credential/Access-Brokerage for RaaS Revenue-Sharing
State affiliated operators sell or lease high level network access to ransomware as a service crews, earning up front fees and a share of ransom payments. This converts intrusion capabilities into recurring revenue while bypassing sanctions through crypto based payouts.
Tools/Assets:
High privilege enterprise credentials, reverse proxy tunnels, revenue share smart contracts and wallet splits
Stage:
Multi-Stage
Primary Actors/Channels:
State sponsored access brokers, dark web marketplaces, private communication channels for ransomware affiliates
DePIN Reward-Gaming/Synthetic-Activity Laundering
Fraud rings manipulate decentralised physical infrastructure networks by spoofing location, signals or usage data to inflate token rewards. Proceeds are routed through chained wallets, swapped to stablecoins and cashed out, disguising illicit gains as legitimate network activity.
Tools/Assets:
Native network tokens (HNT, MOBILE, FIL, DIMO, PCN, HONEY) and spoofing hardware or scripts
Stage:
Multi-Stage
Primary Actors/Channels:
Organised DePIN reward farms, automated node or device fleets, crypto exchanges and OTC desks
Coming Soon...
Financial crime tactics are constantly evolving, with new methods emerging across traditional and digital markets. We continuously monitor global trends, threat intelligence and illicit finance innovations to keep this resource current and ensure you have the latest insights.
Live Threat Intelligence
Stay ahead of emerging financial crime patterns with real-time alerts and notifications. These updates spotlight shifts within established typologies, tracking new tools, methods, and infrastructure that evolve known schemes without introducing entirely new typologies.
Coming Soon...
Financial crime tactics are constantly evolving, with new methods emerging across traditional and digital markets. We continuously monitor global trends, threat intelligence and illicit finance innovations to keep this resource current and ensure you have the latest insights.
Low Risk
ALERT ID: 2025-08-UGC-01
Symbolic Service Scams Using Static Platforms
Related To: Online Platform Fraud, Ecommerce and Marketplace Diversion
Executive Summary:
Fraud actors are leveraging minimalist static websites and encrypted messaging apps to market emotionally manipulative or symbolic service offerings in exchange for cryptocurrency. These schemes include spiritual spells, hacking-for-hire promises, or fake scam recovery services. Victims are asked to send funds in advance via crypto, often through unverified emails or Telegram accounts. While the service themes vary, the underlying structure is consistent: low-value payment fraud scaled through cloned infrastructure and reused wallet addresses. This model reflects a broader trend of pseudo-service storefronts replacing traditional ecommerce fraud with emotionally targeted deception.
Medium Risk
ALERT ID: 2025-08-UGC-02
Dark Web Snuff Content Monetization Ecosystem
Related To: Virtual Asset Layering and Anonymity Tools Typology
Executive Summary:
This alert highlights a significant evolution within virtual asset layering typologies, where criminal actors operating on the dark web are using decentralized infrastructure, high-value paywalls, and wallet rotation in place of traditional mixers and privacy tools. Instead of relying on advanced blockchain obfuscation methods, these operators monetize extreme content through structured access fees and repeated payment fragmentation across mirrored sites. The laundering process is built into the architecture of the platform itself, allowing fund flows to be layered and anonymized through persistent infrastructure, wallet hygiene, and cross-promotion via encrypted channels.
Medium Risk
ALERT ID: 2025-08-UGC-03
IS Digital Financing Tactics Evolve Toward Anonymous Micro-Laundering Models
Related To: Terrorism Financing Through Non Profit Misuse and Micro Loans
Executive Summary:
Islamic State (IS) continues to demonstrate resilience in its online presence through a decentralized network of dark web sites, cryptocurrency wallets, and Telegram infrastructure. While most coverage of IS infrastructure focuses on propaganda and recruitment, new findings show a deliberate evolution in how the group manages financial support. The use of Monero wallets embedded across dozens of static onion sites, coupled with Telegram bots and secure messengers, suggests a shift toward anonymous micro-donation models that resemble cybercriminal micro-laundering tactics. These patterns reflect a blending of ideological fundraising with the technical sophistication of digital financial crime, warranting renewed attention to how terrorism financing may mimic or exploit broader financial typologies.
High Risk
ALERT ID: 2025-08-UGC-04
Industrialized Pig Butchering Scams Expanding Across Regions
Related To: Romance Investment and Pig Butchering Scams Typology
Executive Summary:
Transnational crime syndicates are running large-scale pig butchering scam compounds that combine romance fraud with fake investment platforms to steal billions in cryptocurrency. These operations, once concentrated in Southeast Asia, are now expanding into Africa and other regions. Criminal networks are coercing trafficked workers into executing highly organized schemes, often supported by professionalized services and AI-enabled targeting. Victims are groomed over weeks or months through social media or messaging apps before being directed to fraudulent crypto investment sites that display fabricated profits to prompt further deposits. The evolution shows a shift toward industrial-scale infrastructure, cross-border collaboration between criminal actors, and increasingly sophisticated social engineering, making this a priority threat for financial institutions and law enforcement.
Global Financial Crime Watch
Stay ahead with curated coverage of breaking developments in the financial crime landscape. This section highlights news, legal changes, and enforcement actions from around the world, providing context to how these events intersect with established typologies and ongoing threat trends.
About The Research Project
Anatomies of Evasion
Towards A Living Taxonomy of Financial Crime
​Global anti-money laundering efforts continue to be shaped by static frameworks such as the FATF typologies, which were intended to raise awareness but have proven insufficient in capturing the complexity and evolution of financial crime. Research shows that despite near universal compliance, detection rates remain negligible and intelligence sharing fragmented, with typologies often inconsistent and lacking standardization.
Daqiq (to scrutinize) emerged from the project to address this gap, transforming from a traditional research study into a living repository of illicit finance methods. By offering a continuously updated, standardized taxonomy built on multi-method research, Daqiq advances understanding, detection, and monitoring of financial crime in ways that static models cannot, moving the field toward a more dynamic and evidence based approach.
Building a Global Corpus
We compiled 394 typologies from FATF and FSRB reports (2017–2023). After removing duplicates and cleaning the text, 289 unique entries formed the working dataset for analysis.
Clustering and Taxonomy Design
Using TF-IDF vectorization and hierarchical clustering, we grouped entries into coherent families. Manual refinement produced a standardized taxonomy of 48 typologies.
Capturing Emerging Virtual Assets
Eighty-four crypto-related entries were re-clustered at higher granularity, yielding 15 refined subtypes spanning mixers, DeFi platforms, NFTs, and gaming environments.
Enriching with Operational Attributes
Each typology was annotated with its dominant laundering stage, characteristic tools or assets, and primary actors or channels, creating an operational coding frame that links behavior, method, and context.
The Emerging Typologies
To identify new and emerging typologies, we reviewed grey literature and recent academic papers (2025) using targeted search strings around financial crime innovation (ex: “financial crime” AND (“emerging” OR “novel” OR “rising”) AND (“typology” OR “scheme” OR “pattern”)), then validated findings through open-source reporting and technical attack analyses. Only behaviors supported by multiple independent cases were elevated to typology status, while those overlapping with existing categories were collapsed back into the core taxonomy. This process surfaced five distinct emerging patterns, each mapped with attributes spanning asset class, actors, laundering stage, method, technique, and core action.​​
The Importance of Crime Scripts
Crime scripts provide a structured analytical framework that decomposes complex offenses into sequential stages, from preparation to exit. Within criminology and intelligence studies, this approach is valued because it exposes the procedural mechanics of crime and identifies potential points for disruption and prevention.
In this study, crime scripts were constructed for the five emerging typologies using academic literature, grey reports, and attack analyses. Each was organized into five stages: Preparation and Set-Up, Entry and Infiltration, Execution, Cash-Out and Conversion, and Exit and Post-Condition. This systematic mapping transforms typologies from descriptive categories into operational intelligence, enabling a clearer understanding of how schemes function in practice and where defensive interventions can be most effective.
A Scoping Review On The Tools Used To Combat Financial Crime
This scoping review systematically mapped peer-reviewed literature (2020–2024) on the tools, methods, and systems used to combat financial crime typologies. Following the Arksey and O’Malley framework, refined by Levac and guided by the Joanna Briggs Institute, the process drew on six major databases and adhered to PRISMA-ScR reporting standards. From over 1,407 records initially retrieved, 42 studies met the final inclusion criteria and were coded through a multi-cycle synthesis.
What We Looked At
Included
-
Peer-reviewed journal articles, book chapters, and conference proceedings
-
Published between 2020 and 2024, in English
-
Focused on financial crime typologies (traditional or emerging, such as TBML, terrorist financing, shell companies, crypto laundering, NFT wash trading)
-
Described or evaluated tools, methods, systems, or frameworks for prevention, detection, investigation, or disruption
-
Relevant to institutional actors (banks, FIUs, regulators, forensic teams, VASPs)
Excluded
-
Non–peer-reviewed sources (blogs, news, working papers)
-
Studies before 2020 or not in English
-
Generic fraud detection studies using benchmark datasets without typology link (Kaggle dataset)
-
Purely conceptual or theoretical works without methodological or technical detail
Who & What We Focused On
-
Population: Institutions and actors engaged in combating financial crime (FIUs, regulators, banks, compliance units, forensic analysts, VASPs).
-
Concept: Tools, methods, systems, and analytical frameworks used to prevent, detect, investigate, or disrupt financial crime typologies.
-
Context: Peer-reviewed academic studies published between 2020 and 2024 across criminology, law, finance, and data science.
How We Did It
We searched three major database (Scopus, IEEE Xplore and SpringerLink) using structured Boolean queries tailored to each. From 1,407 initial records, duplicates and irrelevant studies were removed. After screening titles, abstracts, and full texts, 42 studies were included in the final dataset. ​​​
Example Search String
TITLE-ABS-KEY(
("financial crime" OR "money laundering" OR "terrorist financing" OR "proliferation financing" OR "illicit finance" OR "illicit financial flows" OR "trade-based money laundering" OR "shell company" OR "professional enabler" OR "real estate laundering" OR "money mule" OR hawala OR "structured cash" OR "charity abuse" OR "politically exposed" OR "sanction evasion" OR "nonprofit misuse" OR ransomware OR "dark web" OR "cryptocurrency laundering" OR "blockchain forensics" OR "virtual asset laundering" OR mixer OR "privacy coin" OR "cross-chain swap" OR "NFT laundering" OR "wallet compromise" OR "credential brokerage" OR "play to earn scam" OR "crypto fundraising" OR "virtual asset provider")
W/5 (combat* OR prevent* OR detect* OR investigate* OR disrupt* OR monitor* OR trace OR enforce OR prosecute OR identify OR respond OR flag)
)
AND TITLE-ABS-KEY(tool* OR method* OR technique* OR system* OR analytic* OR model* OR framework OR "network analysis" OR "transaction monitoring" OR "typology detection" OR "entity resolution" OR "forensic accounting" OR "risk scoring" OR "open source intelligence" OR OSINT OR "threat intelligence")
AND NOT TITLE-ABS-KEY("credit card" OR "payment card" OR dataset OR Kaggle OR "benchmark dataset" OR "image classification" OR "speech recognition" OR "face recognition" OR "medical imaging" OR "nanoparticles" OR "spectroscopy" OR "porous structure" OR "hydrogen storage" OR "metaverse concert" OR "food dehydration" OR "piano" OR "agriculture yield" OR "battery performance" OR "alloy synthesis")
AND PUBYEAR > 2023
AND (LIMIT-TO(LANGUAGE, "English"))
AND (LIMIT-TO(DOCTYPE, "ar") OR LIMIT-TO(DOCTYPE, "cp"))
The Extraction Sheet
Study Context
-
author(s)
-
title
-
publication year
-
location
-
date data was collected
-
type of evidence sources
Methods & Approach
-
aim of article
-
methodology
-
methods
-
data collection
Findings & Insight
-
result of study
-
summary
-
recommendation
-
typology addressed
-
crime lifecycle stage
Tools & Application
-
system name
-
tool type / technology class
-
institutional actor(s)
-
tools
-
key thematic tags
-
design notes or implementation guidance
Advancing the Intelligence Behind Financial Crime Detection
Between 2020 and 2024, academic literature shows a clear shift from static rule-based monitoring toward advanced analytics and hybrid systems, reflecting the same pressures driving innovation in compliance and intelligence today. While traditional rules and red flag indicators remain essential, they are increasingly undermined by high false positives. Studies demonstrate that machine learning models such as Random Forest and XGBoost consistently outperform older classifiers, and unsupervised methods like Isolation Forest and Local Outlier Factor have been successful in detecting hidden risks such as terrorist financing within remittance flows. Hybrid frameworks that integrate typology features with machine learning are especially promising, reducing noise while enhancing detection. Deep learning approaches, including LSTMs and graph neural networks, are emerging but continue to face challenges around explainability and data access.
Network and graph analysis stand out as particularly powerful for exposing complex structures that underlie financial crime. Research shows these techniques can identify illicit shell companies with near 90 to 98 percent accuracy, trace money mule clusters, and map terrorist financing flows. In the digital asset space, blockchain forensics is advancing rapidly, with models detecting illicit Bitcoin activity, revealing mixer “fingerprints,” and uncovering NFT wash trading through abnormal trading loops.
For Daqiq, the implications are clear: the most effective anti-financial crime strategies draw on a broad toolkit. This includes AI-enhanced trade document analysis, statistical anomaly detection in remittance corridors, open-source intelligence for ownership and dark web tracing, and privacy-preserving approaches such as federated learning for cross-institution collaboration. The evidence confirms that a multi-layered, intelligence-driven approach is essential for staying ahead of evolving financial crime typologies.
The Global Scale of Financial Crime
Illicit finance accounts for trillions in annual flows, cutting across human trafficking, narcotics, terrorism, and systemic fraud. Money laundering is estimated at up to five percent of global GDP. Cybercrime alone is projected to reach ten trillion dollars annually by 2025, with ransomware costs rising steeply year over year. Organized scams, corporate fraud, and cyber-enabled extortion continue to expand their reach, while enforcement operations expose only a fraction of the activity.
US $346.7 billion
Tied to Human Trafficking
(2023 Estimation)
US $782.9 billion
Tied to Drug Trafficking
(2023 Estimation)
US $11.5 billion
Tied to Terrorist Financing
(2023 Estimation)
Beneath the Global Numbers
Analysis of more than 2,500 illicit onion sites shows that financial crime online is not random but highly structured. Investment scams and cloned card services dominate the ecosystem, while sexual exploitation, counterfeit operations, and membership communities diversify its reach. From thousands of Bitcoin addresses, just over 1,100 were confirmed as operator-controlled, and the top ten campaigns alone accounted for tens of Bitcoins in profit, spanning multiple illicit categories at once.
Illicit shops also reveal a skewed economy: a handful of long-running operations capture most of the revenue, while thousands of smaller shops vanish quickly with little impact. This creates the illusion of a vast decentralized market when in reality the majority of flows are concentrated in professionalized actors. For investigators, this means enforcement often targets low-value shops while the real hubs remain resilient.
By 2021, this concentration became starkly visible. Sexual abuse markets pulled in more than $94 million, financial crime around $10 million, and drugs about $1.5 million. Hydra, a single marketplace, processed nearly half a billion dollars alone. These flows did not remain contained to the dark web but moved through chokepoints like Binance and Huobi, showing how illicit actors rely on mainstream exchanges to cash out.