Part 5 — the close — of our "AML Typologies for Crypto" series. The earlier typologies were about moving dirty money. This one is about where a lot of it is created: DeFi, where the theft and the first laundering hop often happen in the same transaction.
DeFi's composability — anyone can call any contract, and bundle many calls atomically — is its strength and its attack surface. The same properties that let a protocol offer permissionless lending let an attacker borrow millions with no collateral for the length of one transaction, manipulate a price, and walk away with the difference. And the same permissionlessness that lets anyone launch a token lets anyone abandon one. Here are the three dominant patterns and how the funds are followed afterward.
Flash-Loan Attacks
A flash loan lets anyone borrow a large sum with no collateral, on the single condition that it is repaid within the same transaction — if it isn't, the whole transaction reverts as if it never happened. Attackers use this borrowed capital to move markets: borrow millions, use them to skew the price in a thin liquidity pool or a protocol that relies on a manipulable price oracle, exploit the now-wrong price (drain a lending market, mint underpriced assets), repay the loan, and keep the profit — all atomically. The protocol is left insolvent; the attacker spent nothing but gas. Because it is one transaction, there is no window to intervene; the defence is upstream (oracle and design hardening) and downstream (tracing the proceeds).
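To make the "upstream" defence concrete, here is an added simulation (not code from the original post) of the oracle side of this pattern: a constant-product pool whose spot price is skewed inside one transaction, a lending market that values collateral with either the spot price or a time-weighted average of end-of-block prices, and an atomic wrapper that rolls state back when the loan is not repaid. The pool, the TWAP oracle, the 50% loan-to-value ratio and all amounts are assumptions constructed for the example.

```python
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (x * y = k). Swap fee omitted so the arithmetic is exact."""
    x: float  # reserve of token X, the asset a lending market accepts as collateral
    y: float  # reserve of token Y, the quote asset (think stablecoin)

    def spot_price(self) -> float:
        """Instantaneous price of X in Y: what a naive on-chain oracle reads."""
        return self.y / self.x

    def swap_y_for_x(self, dy: float) -> float:
        """Sell dy of Y into the pool and receive X; this pushes X's spot price up."""
        dx = self.x * dy / (self.y + dy)
        self.x -= dx
        self.y += dy
        return dx


class TwapOracle:
    """Average of end-of-block prices over the last `window_blocks` blocks.
    Because it samples once per block, a skew that exists only inside one
    transaction never enters the average."""

    def __init__(self, window_blocks: int):
        self.window_blocks = window_blocks
        self.samples: list[tuple[int, float]] = []  # (block number, end-of-block price)

    def record_block(self, block: int, price: float) -> None:
        self.samples.append((block, price))

    def price(self, current_block: int) -> float:
        recent = [p for b, p in self.samples if current_block - b <= self.window_blocks]
        if not recent:
            raise ValueError("oracle has no observations in window")
        return sum(recent) / len(recent)


LTV = 0.5  # loan-to-value ratio of the hypothetical lending market


def max_borrow(collateral_x: float, price_of_x: float) -> float:
    """How much Y the lending market lends against collateral_x units of X."""
    return collateral_x * price_of_x * LTV


def atomic(state, body):
    """Run body(state) as one transaction on a working copy. If body raises, the
    original state is returned untouched, mirroring a flash loan that is not
    repaid and therefore reverts as if it never happened."""
    working = deepcopy(state)
    try:
        body(working)
    except Exception:
        return state, False
    return working, True


def single_tx_skew(pool: Pool, twap: TwapOracle, block: int,
                   borrowed_y: float, collateral_x: float) -> tuple[float, float]:
    """Inside one transaction, dump borrowed_y of Y into the pool and ask each
    oracle what collateral_x is worth. Returns (spot-based limit, TWAP-based limit).
    Uses a scratch copy so the caller's pool is unchanged, as it would be once
    the loan is repaid and the skew unwound."""
    scratch = deepcopy(pool)
    scratch.swap_y_for_x(borrowed_y)
    return (max_borrow(collateral_x, scratch.spot_price()),
            max_borrow(collateral_x, twap.price(block)))


def demo() -> dict:
    pool = Pool(x=1000.0, y=1000.0)  # constructed: X trades at 1 Y
    twap = TwapOracle(window_blocks=5)
    for block in range(5):           # five quiet blocks at price 1.0
        twap.record_block(block, pool.spot_price())
    spot_limit, twap_limit = single_tx_skew(pool, twap, block=5,
                                            borrowed_y=1000.0, collateral_x=100.0)

    def unrepaid(p: Pool):
        p.swap_y_for_x(1000.0)
        raise RuntimeError("loan not repaid")  # whole transaction reverts

    reverted_pool, committed = atomic(pool, unrepaid)
    return {"spot_limit": spot_limit, "twap_limit": twap_limit,
            "fair_limit": max_borrow(100.0, 1.0),
            "reverted_x": reverted_pool.x, "committed": committed}


if __name__ == "__main__":
    print(demo())
```

With 1000 Y pushed into a 1000/1000 pool the spot price quadruples, so the spot-priced market would lend 200 Y against collateral worth 50 Y at the TWAP; the unrepaid variant leaves the pool at its original reserves. A TWAP is not a complete fix: it raises the cost of manipulation from one transaction to a skew that must be held across several blocks, exposed to arbitrage, which is why it is paired with liquidity-depth checks and external price feeds in practice.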
Rug Pulls and Exit Scams
Where flash loans exploit other people's contracts, rug pulls abuse trust in your own:
- Liquidity rug — developers launch a token, attract liquidity into a pool, then withdraw all of it (or sell a hidden dev allocation), collapsing the price to zero and leaving holders with worthless tokens
- Honeypot rug — the contract is written so buyers can purchase but not sell; the "market" is a trap and only the deployer can extract value
- Exit scam — a project (or a "yield" platform) operates long enough to accumulate deposits, then the team disappears with the funds
All three end the same way on-chain: a sudden, large extraction to deployer-controlled addresses, followed immediately by laundering — usually a sprint through mixers, bridges, and the peel chains and cross-chain hops covered earlier in this series.
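The on-chain signature named above, a large extraction by deployer-linked addresses, is something a monitoring pipeline can replay from pool events. The following added detector (not code from the original post) walks constructed liquidity add/remove events in block order and raises an alert when addresses linked to the deployer pull at least 80% of the pool's liquidity in one event or in several within a ten-block window, since chunked withdrawals are common. The event schema, the deployer-linkage set, the threshold and the window are assumptions for the example; in a real deployment the linkage comes from attribution (funding relationships, shared ownership), not from a hand-written set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolEvent:
    """A liquidity add or remove on one pool, in quote-token units (constructed schema)."""
    block: int
    kind: str      # "add" or "remove"
    actor: str     # address that added or removed liquidity
    amount: float


def detect_liquidity_rug(events, deployer_linked, share_threshold=0.8, window_blocks=10):
    """Replay liquidity events in block order and flag when deployer-linked
    addresses remove at least share_threshold of the pool's liquidity, either in
    one event or across several within window_blocks. The share is measured
    against the liquidity present before the first removal in the window, so a
    withdrawal split into chunks is still caught. Returns a list of alert dicts."""
    liquidity = 0.0
    recent = []   # deployer-linked removals in window: (block, amount, liquidity before it)
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "add":
            liquidity += ev.amount
            continue
        if ev.kind != "remove":
            raise ValueError(f"unknown event kind {ev.kind!r}")
        if ev.actor in deployer_linked:
            recent = [r for r in recent if ev.block - r[0] <= window_blocks]
            recent.append((ev.block, ev.amount, liquidity))
            total = sum(r[1] for r in recent)
            base = recent[0][2]
            share = total / base if base else 0.0
            if share >= share_threshold:
                alerts.append({"block": ev.block, "actor": ev.actor, "share": share,
                               "removed_in_window": total, "window_start": recent[0][0]})
                recent = []   # do not re-alert on the same withdrawals
        liquidity -= ev.amount
    return alerts


# Constructed scenario: deployer seeds the pool, two holders add, then the
# deployer and a linked wallet drain it in two chunks a block apart.
EVENTS = [
    PoolEvent(1, "add", "0xDEPLOYER", 100.0),
    PoolEvent(2, "add", "0xALICE", 50.0),
    PoolEvent(3, "add", "0xBOB", 50.0),
    PoolEvent(5, "remove", "0xALICE", 10.0),     # ordinary holder exit, not flagged
    PoolEvent(20, "remove", "0xDEPLOYER", 100.0),
    PoolEvent(21, "remove", "0xDEV2", 80.0),
]
DEPLOYER_LINKED = {"0xDEPLOYER", "0xDEV2"}  # constructed: 0xDEV2 funded by the deployer


if __name__ == "__main__":
    for alert in detect_liquidity_rug(EVENTS, DEPLOYER_LINKED):
        print(alert)
```

On the constructed events the block-20 removal alone is about 53% of the pool and stays below the threshold; the block-21 chunk brings the window total to 180 of the 190 that was present, roughly 95%, and that is the event flagged. Size alone cannot separate a rug from a legitimate large withdrawal by a founder; the deployer linkage and, above all, where the extracted funds go next are what turn the alert into a case.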
The exploit transaction is the start of the trace, not the end of the story
For an investigator or a CASP (crypto-asset service provider) receiving deposits, the on-chain exploit is a beginning: the attacker now has to move the proceeds, and that movement is followable. The proceeds of a flash-loan attack or a rug pull don't evaporate; they flow to addresses that, sooner or later, try to reach a cash-out. The typologies in this series reappear here in sequence, and tracing through them is how stolen DeFi funds are recovered or frozen.
Following the Proceeds
How BA does it. BA traces exploit and rug-pull proceeds from the originating contract through the laundering stack — peel chains, mixers, bridges — across 80+ chains, attributing counterparties against a graph of 1B+ labelled addresses and surfacing the cash-out points where the funds meet a regulated service. A deposit that descends from a known exploit address is flagged on that provenance, so a CASP doesn't unknowingly bank the proceeds. For the path from such a trigger to a filed report, see From On-Chain Trigger to FIU SAR in 48 Hours.
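As an added, deliberately small illustration of the provenance flagging described in this section (example code, not BA's or anyone's production tracer), the block below walks a constructed ledger forward from a seed exploit address: it follows a peel chain, crosses a bridge by mapping the lock address to its release address on the other chain, records where the trail enters a mixer without attempting to follow it further, and returns the provenance that a deposit-screening check would attach to each reached address. The addresses, labels, bridge mapping and amounts are placeholders made up for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: float
    chain: str
    kind: str  # "transfer", "bridge" (dst is the bridge lock address), "mixer_deposit"


@dataclass
class Provenance:
    address: str
    hops: int              # transfers traversed from the seed
    path: list             # addresses from the seed to here
    via: str = "seed"      # kind of the transfer that reached this address
    terminal: bool = False # True once the trail enters a mixer


# Constructed sample ledger and labels: placeholder addresses, not real data.
EXPLOIT_ADDR = "0xEXPLOIT"
LEDGER = [
    Transfer("0xEXPLOIT", "0xPEEL1", 1000.0, "chainA", "transfer"),
    Transfer("0xPEEL1", "0xCEX_DEP_1", 100.0, "chainA", "transfer"),  # peel: 100 peeled off
    Transfer("0xPEEL1", "0xPEEL2", 900.0, "chainA", "transfer"),      # 900 passed on
    Transfer("0xPEEL2", "0xBRIDGE_A", 900.0, "chainA", "bridge"),     # locked on chain A
    Transfer("0xBRIDGE_B", "0xHOP_B", 900.0, "chainB", "transfer"),   # released on chain B
    Transfer("0xHOP_B", "0xMIXER_B", 500.0, "chainB", "mixer_deposit"),
    Transfer("0xHOP_B", "0xCEX_DEP_2", 400.0, "chainB", "transfer"),
    Transfer("0xCLEAN", "0xCEX_DEP_3", 50.0, "chainA", "transfer"),   # unrelated customer
]
BRIDGE_PAIRS = {"0xBRIDGE_A": "0xBRIDGE_B"}  # lock address -> release address on the other chain
LABELS = {
    "0xCEX_DEP_1": "exchange deposit",
    "0xCEX_DEP_2": "exchange deposit",
    "0xCEX_DEP_3": "exchange deposit",
    "0xMIXER_B": "mixer",
}


def trace_forward(ledger, seed, bridge_pairs, max_hops=20):
    """Breadth-first walk of outgoing transfers from seed. A bridge lock is followed
    to its release address on the other chain; a mixer deposit is recorded and not
    followed (post-mixer linkage needs amount/timing heuristics, out of scope here).
    Returns {address: Provenance} for every address the proceeds reach."""
    outgoing = defaultdict(list)
    for t in ledger:
        outgoing[t.src].append(t)
    reached = {seed: Provenance(seed, 0, [seed])}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        here = reached[node]
        if here.terminal or here.hops >= max_hops:
            continue
        for t in outgoing[node]:
            nxt, path = t.dst, here.path + [t.dst]
            if t.kind == "bridge" and t.dst in bridge_pairs:
                nxt = bridge_pairs[t.dst]   # continue from the release side
                path = path + [nxt]
            if nxt in reached:
                continue
            reached[nxt] = Provenance(nxt, here.hops + 1, path, via=t.kind,
                                      terminal=(t.kind == "mixer_deposit"))
            queue.append(nxt)
    return reached


def screen_deposit(address, reached, labels):
    """What a CASP's deposit screening returns: None if the address has no link
    to the seed, otherwise the provenance it is flagged on."""
    if address not in reached:
        return None
    p = reached[address]
    return {"flag": "exploit_provenance", "hops": p.hops, "path": p.path,
            "label": labels.get(address, "unlabelled")}


def cash_out_points(reached, labels, service_labels=("exchange deposit",)):
    """Tainted addresses that belong to a regulated service: where a freeze can land."""
    return sorted(a for a in reached if labels.get(a) in service_labels)


if __name__ == "__main__":
    reached = trace_forward(LEDGER, EXPLOIT_ADDR, BRIDGE_PAIRS)
    print(screen_deposit("0xCEX_DEP_2", reached, LABELS))
    print("cash-out points:", cash_out_points(reached, LABELS))
```

On the constructed ledger the second exchange deposit is flagged five hops from the exploit, with a path that spans both chains, while the unrelated customer's deposit is not flagged at all. Two simplifications matter in practice: amounts are not propagated (a peel chain dilutes taint, and a real tracer scores it), and the mixer is a hard stop here, whereas an investigator would try to re-link its outputs by amount and timing.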
This closes our "AML Typologies for Crypto" series — peel chains, cross-chain hops, mixers, NFTs, and DeFi exploits: five obfuscation patterns, each of which lengthens the trail without erasing it.