This week the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) made headlines by announcing a $176.9 million fine against Xeltox Enterprises Ltd., a British Columbia-based company that operates the cryptocurrency exchange Cryptomus. The record-setting fine sends a significant message to the cryptocurrency sector: compliance with all applicable laws is now mandatory rather than elective for crypto companies.
FINTRAC’s investigation found that Xeltox Enterprises Ltd. did not flag over 1,000 transfers directly connected to illicit activities such as child pornography and dark web sales.
A Historic Precedent
The $177 million penalty is not merely a large sum; it makes history in Canadian regulatory action. It dwarfs the previous record for the largest penalty issued by FINTRAC, approximately $20 million, issued in the prior month to Peken Global Ltd., the operator of the KuCoin exchange.
Over the past several years, critics have repeatedly argued that regulatory fines against profitable cryptocurrency businesses amount to little more than a “cost of doing business” in the sector. FINTRAC’s action against Cryptomus indicates what some may call a “new normal” for regulatory enforcement in Canada, one that includes fines large enough to destroy or threaten the viability of a business. FINTRAC is communicating clearly that entities that move illicit funds will face financial penalties that put their ability to operate at risk.
Darknet Markets and Dangerous Ties
The details of the infractions paint a grim picture of the platform’s operations. According to FINTRAC Director and CEO Sarah Paquet, the agency identified 1,068 specific instances where Cryptomus failed to submit suspicious transaction reports (STRs) for transfers involving known darknet markets and wallets linked to severe criminal activity.
“Given that numerous violations in this case were connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion, FINTRAC was compelled to take this unprecedented enforcement action,” Paquet stated.
Darknet markets, which operate on encrypted networks to sell illegal goods ranging from drugs to stolen data, rely on cryptocurrencies to mask the identities of buyers and sellers. According to regulators, by not reporting these transactions Cryptomus functioned as a blind conduit for criminal proceeds and made it difficult for law enforcement to locate those who commit crimes.
Ignoring Global Sanctions
According to what Cryptomus’s data indicates, the company neither followed leading regulatory practices nor ran its business within accepted global practices for regulation and adherence to standards.
In addition, Cryptomus processed numerous transactions that originated from countries considered by the United States Government to be at risk for money laundering and terrorism financing activity. From July 1, 2024, to December 31, 2024, Cryptomus conducted 7,557 transactions originating from Iran. Under current financial reporting regulations, any financial transaction conducted between Canada and the government of Iran is classified as high risk because the activity is believed to involve illicit activities. Financial institutions that conduct business with Iran must therefore perform due diligence to verify the identity of the individuals sending and receiving funds and provide the appropriate risk mitigation and compliance evidence. FINTRAC’s findings indicate that Cryptomus never fulfilled any of these due diligence obligations and, as such, allowed the majority of Ali’s transactions through its business operations without completing any review or analysis, thereby validating the findings of global oversight regulators about countries engaging in such transactions with Iran in violation of those countries’ laws.
Systemic Compliance Failures
The investigation also identified a much larger culture of non-compliance that ran deep within Cryptomus. It was not just that the company failed to report 1,518 individual suspicious activities; Cryptomus also did not report 1,518 transactions during July 2021 that exceeded the minimum $10,000 reporting threshold.
In Canada, under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, all money service businesses are required to maintain strict records of large transfers in order to prevent money laundering. FINTRAC has criticized Cryptomus’s internal policies as “incomplete and inadequate” and as lacking the basic “know-your-client” (KYC) precautions that would allow the company to perform ongoing due diligence on existing business relationships. Without these precautions in place, Cryptomus allowed anonymous capital movement and money laundering to occur without any effective means of oversight.
A Year of Aggressive Enforcement
Cryptomus has now received the largest-ever fine imposed by the United States Government. This record-breaking penalty follows a year of increased regulatory scrutiny and enforcement action taken against many business owners. Throughout the 2024-25 fiscal year, FINTRAC has issued 23 violation notices to businesses that violated the regulations, resulting in record penalties that exceeded $25 million prior to the judgment against Cryptomus.
Cryptomus has faced regulatory scrutiny before. The British Columbia Securities Commission suspended Cryptomus from trading in securities in May 2022, and this growing amount of trouble has now resulted in a very large financial penalty for the company. Regulators are continuing to crack down on the industry, and it is clear that there is no longer a “wild west” atmosphere in Canada with respect to cryptocurrencies.




