Redirecting Crypto Exchanges To Fight — Rather Than Facilitate — Crypto Scams In Southeast Asia – Analysis
By ISEAS - Yusof Ishak Institute
By David Lam
In 2025, crypto crime in Southeast Asia came to a head, prompting a wave of landmark enforcement actions. The Philippines charged former mayor Alice Guo with 62 counts of money laundering after uncovering her role in one of the largest crypto scam compounds in the Philippines.[1] Cambodian-Chinese national Chen Zhi was indicted for operating a network of forced labour scam compounds in Cambodia and allegedly laundering over US$15 billion in Bitcoin.[2] Separately, Thailand seized roughly US$300 million in assets tied to crypto scam networks, including those of individuals with reported connections to high-ranking officials.[3] The UN Office on Drugs and Crime now reports that Southeast Asian scam centres steal almost USD 40 billion annually, while also tragically trafficking hundreds of thousands of victims to operate them.[4]
Combating crypto scams and money laundering is multifaceted and involves complex geopolitical considerations. Yet, one of the key gateways facilitating this illicit activity is crypto exchanges. These platforms – such as Indodax in Indonesia and Bitkub in Thailand – are widely used for buying and selling cryptocurrencies. However, since crypto exchanges also enable users to send crypto over various blockchains, they are the primary on-ramps through which victims send funds to scammers who can move crypto on blockchains without identity verification.[5] Conversely, crypto exchanges are the primary off-ramps through which scammers convert stolen crypto into cash, often through money mule accounts.
Regulating crypto exchanges is therefore critical. The major ASEAN economies analysed here have established baseline controls aligned with the Financial Action Task Force (FATF) — the intergovernmental body mandated to combat money laundering and terrorist financing. However, that baseline is failing, as evidenced by the continued proliferation of crypto crimes.[6] At the same time, several Southeast Asian countries have taken aggressive actions to regulate crypto exchanges, demonstrating additional important tactics to combat scams and illicit finance.
This paper argues that Southeast Asian governments should do three things on this front: expand the risk-based approach to explicitly target scams and mule accounts, impose shared liability on exchanges, and build a regional blacklist infrastructure. It starts by examining the regulations currently in place in Indonesia, Malaysia, the Philippines, Singapore and Thailand,[7] then makes the case for additional regulations of crypto exchanges, and concludes by considering opportunities for enhanced enforcement and regional cooperation.
THE STATE OF CRYPTO EXCHANGE REGULATION IN SOUTHEAST ASIA
Implementation of FATF Recommendations
Regulation of crypto exchanges in Southeast Asia is largely guided by FATF. Its mandate is to preserve “the integrity of the financial system,” and, toward that end, it has issued recommendations covering money laundering, terrorist financing, and financing of weapons proliferation.[8] While FATF recommendations are not binding, they are influential. FATF separately assesses the countries’ implementation of its recommendations; countries with significant deficiencies are classified as “blacklist”, while countries working with FATF to fix deficiencies are classified as “grey list”. In Southeast Asia, Myanmar is blacklisted, while Laos and Vietnam are on the grey list.[9] Countries on these lists are subject to increased monitoring, screening and even disassociation from interfacing foreign banks. As such, these countries have the incentive to implement proper anti-money laundering (AML) and counter financing of terrorism (CFT) controls so that they can more effectively participate in the global financial system.
In 2021, FATF issued an updated set of baseline recommendations for countries to regulate Virtual Asset Service Providers (VASPs), which include crypto exchanges.[10] First, countries must establish a system for registering and examining VASPs operating within their borders, to ensure that they have jurisdiction to enforce relevant regulations. As for the regulations themselves, FATF utilises a risk-based approach (RBA) which provides VASPs with the flexibility to institute their own set of AML and CFT measures in response to their independent assessment of risks.[11] The risk-based approach, in contrast to a rules-based approach, enables VASPs to better prioritise where to allocate AML and CFT resources.
While the risk-based approach is central to FATF’s recommendations, there are still specific rules for VASPs. These include conducting customer due diligence (CDD) and Know-Your-Customer (KYC) identity verification, monitoring transactions, and filing suspicious transaction reports to local authorities. One of FATF’s key rules is the Travel Rule, which requires a sending financial institution to transmit transaction details, including sender and recipient names, addresses and account information, to the receiving institution.[12] The purpose of the Travel Rule is to curtail anonymous transactions, which are attractive to criminals seeking to launder funds.
Table 1: Implementation of FATF Baseline Recommendations for Crypto Exchanges
| Requirements | Indonesia | Malaysia | Philippines | Singapore | Thailand |
| Registration & inspections | Yes | Yes | Yes | Yes | Yes |
| Risk-based approach | Basic | Basic | Basic | Basic + specific crypto risks, e.g., obfuscation technologies | Basic |
| Customer due diligence | Yes | Yes | Yes | Yes, but independent data provider for verification not required | Yes |
| Travel rule | Basic | Basic | Enhanced; added due diligence for accounts transacting with self-hosted wallets | Enhanced; verification of ownership for transactions with self-hosted wallets | In progress |
| Transaction monitoring | Yes | Yes | Yes | Yes | Yes |
| Suspicious transaction reports | Yes | Yes | Yes | Yes | Yes |
The five countries analysed have implemented almost all the FATF baseline recommendations (see Table 1). According to FATF’s 2025 VASP implementation update, only Thailand had not fully implemented the Travel Rule. Its full implementation was undoubtedly accelerated after Prime Minister Anutin Charnvirakul announced a directive in January 2026 for the Thai Securities and Exchange Commission (SEC) to strictly enforce the Travel Rule for crypto exchanges.[14] Correspondingly, the Thai SEC released Travel Rule plans for crypto exchanges in March 2026, with implementation targeted after a period of public consultation.[15]
Of the countries analysed, Singapore and the Philippines go beyond a minimal implementation of FATF’s recommendations by adding further specificity to the risk-based approach. For example, FATF’s guidelines identify AML and CFT risks from the use of anonymity-enhancing technologies such as privacy coins and mixers. However, only Singapore explicitly requires that these anonymising technologies be considered in VASP risk assessments.
Furthermore, these two countries have additional Travel Rule requirements for VASPs.[16] Singapore requires VASPs to verify customers’ ownership of self-hosted wallets. In the Philippines, VASPs are required to conduct enhanced due diligence whenever a customer transacts with self-hosted wallets.
It should be noted that FATF’s baseline recommendations do not explicitly address scams or money mules who enable scammers to cash out using crypto exchanges. Instead, FATF requires that VASPs’ risk-based approach be informed by particular risks highlighted in periodic national risk assessments (NRAs) issued by a country’s overseeing authority. National risk assessments in the region, and across the globe, have indeed identified scams and money mule accounts as significant money laundering typologies,[17] and exchanges are therefore expected to adjust their risk-mitigating policies and procedures accordingly.
However, the continued year-over-year growth of crypto scams demonstrates that the FATF framework is insufficient.[18] Fundamentally, FATF’s broad mandate to preserve “the integrity of the financial system” is a different goal from preventing fraud and protecting scam victims. Under FATF, exchanges are liable for compliance failures such as deviations from their own AML procedures or failure to file suspicious transaction reports, which occur downstream from the occurrence of fraud and other criminal activity. An anti-scam focused approach, as discussed in the following sections, should address this gap directly, imposing more heavily on VASPs specific and proactive duties oriented toward scam prevention.
Additional Crypto Exchange Regulations Beyond FATF
A few Southeast Asian countries have implemented measures that go beyond the baseline FATF recommendations (see Table 2). The most notable are found in the Philippines’ 2024 Anti-Financial Account Scamming Act (AFASA) and Thailand’s 2025 Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes, No. 2.
Table 2: Additional Crypto Exchange Regulations Beyond FATF Baseline
| Requirements | Indonesia | Malaysia | Philippines | Singapore | Thailand |
| Scam and fraud prevention measures | No | No | Yes; VASPs required to have a “fraud risk management system” | No | In progress (2025 Emergency Decree) |
| Mule account prevention measures | No | No | Yes; explicitly mentioned in AFASA | Mule typology discussed as a potential risk area | Yes; Explicit regulation by Thai SEC (2025) |
| Crypto address blacklist | No | No | No | No | Yes; mule accounts flagged in data repository |
| Exchange shared liability for customer losses | No | No | Yes | No; liability only for fiat phishing scams | Yes |
The Philippines’ AFASA is the most comprehensive. AFASA requires regulated financial institutions, including VASPs, to implement fraud risk management systems “to identify and block suspicious or fraudulent online transactions.”[20] This system should make use of a diverse set of data, such as: transaction velocity and thresholds, account information changes, geolocation, and behavioural anomalies. AFASA’s rules also delineate specific tasks such as requiring financial institutions to engage in “continuous data analysis, risk assessments, adaptive rule adjustments…and proactive monitoring of fraud patterns.”[21]
Thailand’s Emergency Decree contains explicit regulations for VASPs to prevent money mule activity.[22] This is particularly important since the Ministry of Digital Economy and Society estimates that there have been over one million money mule accounts operating in the country.[23] Thailand’s aggressive measures to combat mule accounts include comparing customer activity against a blacklist of blockchain addresses associated with cybercrimes.[24] The blacklist is managed by the Technology Crime Suppression Center, an agency formed under Thailand’s Emergency Decree, with expanded powers replacing those of the former Anti-Online Scam Operation Center.[25]
To compel exchanges to proactively identify and prevent scam activity, both the Philippines’ AFASA and Thailand’s Emergency Decree hold VASPs jointly liable for customer losses, together with account holders and third-party entities, where such losses are attributable to non-compliance with AML and anti-scam regulations. In the Philippines, this shared liability applies to losses arising from money mule and account takeover activity.[26] Thailand’s Emergency Decree holds crypto exchanges liable for customer losses from “technological crimes,” including scams, unless they can prove compliance with prevention standards set by relevant authorities.[27]
ENHANCING THE RISK-BASED APPROACH FOR REGULATING CRYPTO EXCHANGES
The recommendations in this Section build on the fact that VASPs have access to a wealth of data — both publicly available on-chain and in their proprietary platform data — that must be leveraged to identify and prevent scams. The goal of these measures is to compel VASPs to actively fight scams and the money mule accounts that enable them, rather than merely complying with baseline AML regulations. This Section builds on the Philippines’ AFASA and Thailand’s 2025 Emergency Decree, which provide models for how anti-scam and anti-mule account regulations can and need to be implemented beyond a general FATF risk-based framework.
The proposed measures fall under two categories: i) specific focus areas under a risk-based approach and ii) additional regulations beyond the risk-based approach.
Adding Specific Focus Areas Under the Risk-Based Approach
The baseline FATF risk-based approach requires crypto exchanges to broadly consider the risks they face from money laundering, terrorist financing, and financing of weapons proliferation. This Section proposes an enhanced risk-based approach that requires exchanges to specifically include three areas of focus: scams, money mules and blockchain obfuscation techniques (see Table 3). Since these recommendations fit within a risk-based approach, crypto exchanges can adopt them with minimal disruption to existing compliance regimes.
There is precedent from Singapore in specifying focus areas under the risk-based approach. While the other countries examined only require licensed VASPs to consider risks from money laundering — broadly specified — in their RBA, the Monetary Authority of Singapore’s VASP guidelines include eleven specific categories that crypto exchanges must consider, such as the use of anonymity-enhancing technologies or the volumes and values of customer transactions. In line with RBA, MAS does not specify the exact solution for how VASPs should address a particular risk, but legally obliges VASPs to consider and mitigate against that given risk.[28]
The first proposed focus area applies the risk-based approach to scams, utilising both public blockchain data and proprietary VASP platform data. For example, related to blockchain data, VASPs have the ability to observe commonly used blockchain addresses that send inducement payments to investment scam victims, which gives victims the false sense that their fictitious investment schemes are generating income.[29] Flagging these payments, freezing them, and notifying customers that they are being scammed would significantly curtail scamming activity. As an example of using in-house platform data, crypto exchanges could use demographic and behavioural data to flag, freeze and notify accounts belonging to elderly customers — who account for less than 10% of crypto users but disproportionately almost 40% of crypto crime losses[30] — whose usage patterns are inconsistent with crypto trading but instead consistent with scamming activity.[31]
The second proposed focus area under a risk-based approach is money mules. This regulation should also specify the need to use both public blockchain and proprietary platform data. As specified in the Philippines’ AFASA, crypto exchanges have access to a wealth of data to detect and disrupt mule accounts, including geolocation, transaction patterns, mobile device information, IP addresses, and deposits and withdrawals to other blockchain addresses directly associated with mule accounts.
Finally, crypto exchanges must specifically consider money laundering risks from obfuscation technologies, not only from obvious anonymising channels such as privacy coins and mixers, but also from decentralised blockchain platforms that are commonly used by crypto traders, such as decentralised exchanges and cross-chain bridges. In particular, researchers have found that decentralised exchanges such as Tokenlon and Uniswap have been extensively used by pig butchering scammers to obfuscate their tracks.[32]
Table 3: Additional Risk-Based Regulations for Crypto Exchanges
| Recommendation | Example | Impact |
| I. Scams: Assess and develop appropriate mitigation measures against risks related to scams, including but not limited to phishing scams, impersonation scams, investment scams, romance scams and sextortion scams; measures should include analysis of both i) proprietary crypto exchange customer data and ii) blockchain data | Philippines | High |
| II. Money Mules: Assess and develop appropriate mitigation measures against risks related to customer accounts being used as money mules; measures should include analysis of both i) proprietary crypto exchange customer data and ii) blockchain data | Philippines | High |
| III. Obfuscation Techniques: Assess and develop appropriate mitigation measures against risks related to the use of blockchain obfuscation techniques, including but not limited to the use of privacy coins, mixers, bridges, decentralised exchanges, and unregistered VASPs | Singapore | Medium-high |
Additional Regulations
To augment VASP incentives and capabilities in scam and mule account prevention, countries should implement additional regulations and rules (see Table 4). FATF and financial crimes regulators generally prefer using a risk-based approach for regulating financial institutions to allow them to have autonomy to allocate resources to the highest-priority mitigating measures. At the same time, there are certain rules that can have a significant impact in curtailing illicit financial activity, as evidenced by the Travel Rule.
The highest-impact way to give crypto exchanges the incentive to actively fight scams and money mules is through a shared liability framework, as implemented in the Philippines’ AFASA and specified in Thailand’s 2025 Emergency Decree. Making VASPs jointly responsible for customer losses moves them from passive compliance towards an active role in prevention. Singapore’s 2024 Shared Responsibility Framework — though limited to phishing scams involving fiat currency — provides an example for how financial institutions can be held accountable in implementing specific scam prevention measures, including: account holder alerts, a real-time fraud surveillance system, and blocking transactions that cross a specified threshold for accounts flagged by the surveillance system.[33]
ASEAN countries should also augment the Travel Rule requirements for VASPs. Cryptocurrencies pose challenges to Travel Rule implementation due to the prevalence of peer-to-peer payments involving self-hosted wallets. In March 2026, FATF released a report on cryptocurrency risks which highlights how illicit actors make use of peer-to-peer transactions using self-hosted wallets to launder funds.[34] The FATF report identifies several measures that have been either imposed by countries or implemented by VASPs:
- Limiting the amount of funds that can be transferred to self-hosted wallets;
- Applying enhanced due diligence for transactions with self-hosted wallets (as required in the Philippines);
- Using blockchain analytics to assess the risk level of wallets interacting with customer self-hosted wallets;
- Not allowing customers to transact with self-hosted wallets; this means that customers can only transact on the blockchain with wallets belonging to licensed VASPs.
This last measure, limiting blockchain deposits and withdrawals to only licensed VASPs, should be reserved for scenarios where crypto money laundering is severe. Only allowing customers to transact on the blockchain with other licensed VASPs would ensure implementation of the Travel Rule for all transactions and curtail anonymous transactions. However, it would preclude users from participating in the crypto ecosystem and using decentralised blockchain applications such as decentralised trading exchanges and cross-chain bridges.
Countries should also implement a blacklist, such as that introduced in Thailand, where exchanges are not allowed to transact with blockchain addresses or individuals flagged for illicit financial activity.[35] Given that scams are not within the purview of anti-money laundering authorities, this blacklist should ideally be managed by a specialised agency tasked with combating online scams and technological crimes, such as Thailand’s recently formed Technological Crimes Suppression Centre.[36] Malaysia has introduced a similar mule account blacklist through its National Scam Response Centre established in 2022.[37]
For additional coverage, countries should also blacklist blockchain platforms known to facilitate scams and money laundering. These include platforms such as Huione Guarantee, an online marketplace processing over US$24 billion in transactions tied to money laundering services, stolen personal data, and other products and services used by scammers.[38] Other platforms to blacklist include mixers such as Tornado Cash, which has been extensively used by North Korean hackers to launder stolen funds.[39] Implementation of a blacklist should consider not just direct transfers between a blacklisted entity and a VASP, but also transfers that utilise multiple transactions between self-hosted wallets, or that pass through platforms such as decentralised exchanges used to obfuscate laundered funds.
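The multi-hop screening described in the paragraph above can be sketched as a backward trace from an exchange deposit address through the transfer graph. This is an added illustration, not part of the original paper or any regulator's system; the address labels, the transfer list, the hop budget and the function names are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data: short labels stand in for blockchain addresses.
BLACKLIST = {"scam_market_1", "mixer_1"}   # addresses flagged by the managing authority
PASS_THROUGH = {"dex_router_1"}            # platforms used to obfuscate; traversed for free

# (sender, receiver, amount) transfers, constructed for illustration.
TRANSFERS = [
    ("scam_market_1", "wallet_a", 500),
    ("wallet_a", "dex_router_1", 500),
    ("dex_router_1", "wallet_b", 480),
    ("wallet_b", "exchange_deposit_1", 480),
    ("employer_1", "wallet_c", 300),
    ("wallet_c", "exchange_deposit_2", 300),
    ("scam_market_1", "exchange_deposit_3", 50),
]


def trace_exposure(deposit, transfers, blacklist, pass_through, max_hops=3):
    """Walk funding sources backwards from `deposit`.

    Returns {"hops", "path"} for the closest blacklisted source within
    `max_hops`, or None. Stepping onto a pass-through platform costs no hop,
    so routing funds via a decentralised exchange does not use up the budget.
    Any upstream link counts as exposure; amounts are not apportioned.
    """
    inbound = defaultdict(set)
    for sender, receiver, _amount in transfers:
        inbound[receiver].add(sender)

    best = {deposit: 0}                      # fewest hops found per address
    queue = deque([(deposit, 0, (deposit,))])
    while queue:                             # 0-1 breadth-first search
        address, hops, path = queue.popleft()
        if hops > best[address]:
            continue                         # stale queue entry
        if address in blacklist:
            return {"hops": hops, "path": list(reversed(path))}
        for sender in sorted(inbound[address]):
            cost = 0 if sender in pass_through else 1
            new_hops = hops + cost
            if new_hops > max_hops or new_hops >= best.get(sender, max_hops + 1):
                continue                     # over budget, or no improvement (stops cycles)
            best[sender] = new_hops
            item = (sender, new_hops, path + (sender,))
            if cost == 0:
                queue.appendleft(item)       # free edges are explored first
            else:
                queue.append(item)
    return None


def screen_deposits(deposits, max_hops=3):
    """Map each deposit address to its exposure result (None means no hit)."""
    return {
        d: trace_exposure(d, TRANSFERS, BLACKLIST, PASS_THROUGH, max_hops)
        for d in deposits
    }


if __name__ == "__main__":
    for addr, hit in screen_deposits(
        ["exchange_deposit_1", "exchange_deposit_2", "exchange_deposit_3"]
    ).items():
        print(addr, "->", hit)
```

A screen that checked only the direct sender would flag `exchange_deposit_3` alone; the backward trace also flags `exchange_deposit_1`, whose funds passed through two self-hosted wallets and a decentralised exchange.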
Table 4: Additional Proposed Regulations for Crypto Exchanges
| Recommendation | Example | Impact |
| IV. Shared liability: Make crypto exchanges jointly liable, together with users and other involved parties, for customer losses from scams | Philippines, Thailand | High |
| V. Augmented Travel Rule for P2P: Require enhanced due diligence from customers transacting with self-hosted P2P wallets | Philippines, Singapore | Medium-high |
| VI. Blacklist: Implement blacklist for addresses tied to illicit activity, e.g., known mule accounts, scam services platforms (e.g., Huione Guarantee), mixers (e.g., Tornado Cash) | Malaysia, Thailand | Medium-high |
CONCLUSION AND ADDITIONAL CONSIDERATIONS
Southeast Asian countries can significantly amplify their anti-scam efforts by compelling crypto exchanges to proactively join the fight. Exchanges are not merely the primary gateways through which scam funds flow — they are also the custodians of valuable on-chain and platform intelligence needed to detect and disrupt those flows. The most actionable steps require exchanges to implement fraud and mule account monitoring systems grounded in an explicit risk-based mandate and joint exchange liability.
New regulations are only as good as their enforcement — and enforcement in the region has been mixed. The countries analysed have issued cease-and-desist orders to over 50 unlicensed exchanges operating within their borders.[40] For example, Malaysia and the Philippines have banned Binance — the world’s largest crypto exchange, which previously paid over US$4 billion to the US government to settle charges related to AML violations[41] — using social media and website blockers.[42] Regulators should also block cash transfers between customer bank accounts and unregistered offshore exchanges, like Binance, since technical workarounds can easily circumvent website blocks.[43]
Enforcement of crypto exchange regulations requires more than simply blocking unregistered exchanges. Regulators must also regularly examine registered exchanges and hold them accountable for non-compliance. Here, the record is thin, with only two AML enforcement actions observed in the countries analysed. Thailand cited one exchange for inadequate KYC;[44] Malaysia, acting on a tip from its National Scam Response Centre, found a second had failed to apply its RBA, conduct proper ongoing due diligence, and flag mule accounts.[45] Given the volume of suspicious activity documented in regional national risk assessments, having only two cases across the countries analysed points to a notable enforcement deficit.
Finally, ASEAN countries should enhance cooperation through sharing blacklists of blockchain addresses associated with illicit financial activity. All five countries analysed in this Report have national anti-scam or anti-financial crimes units, which are the ideal coordinating bodies for such information sharing.[46] These units would nonetheless need to coordinate with their local counterparts overseeing crypto exchanges, which in the countries analysed include securities regulators, central banks, and anti-money laundering offices.
Crypto scams are a regional problem, with criminal networks operating across borders in the region. Sharing actionable intelligence on illicit addresses would unmask criminal actors to more authorities and more exchanges across the region — and deprive them of the anonymity that makes these schemes possible.
For endnotes, please refer to the original pdf document.
- About the author: David Lam is Visiting Fellow with the Regional Economic Studies Programme at ISEAS — Yusof Ishak Institute. He was formerly managing director of a firm providing expert crypto and blockchain consulting to regulatory and law enforcement agencies. The author would like to thank Cassey Lee for his helpful comments and Peh Ko Hsu for his research assistance. All omissions and errors remain his own.
- Source: This article was published by ISEAS — Yusof Ishak Institute.
