Crypto Compliance Alert: Bithumb Freezes Heleket Transactions Over AML/CFT Risks and Alleged Cryptomus Connections
1-Minute Briefing
South Korean crypto exchange Bithumb has announced an immediate restriction on all virtual-asset deposits and withdrawals connected to the overseas crypto payment processor Heleket. According to Bithumb’s official notice published on 21 May 2026, the decision was based on suspected links to money laundering and terrorist-financing activities, citing South Korean AML obligations and virtual-asset user-protection regulations as justification.
The development goes beyond a routine compliance update. It highlights a growing concern within the crypto sector: payment processors operating as merchant-service platforms may also function as laundering infrastructure for sanctioned actors, darknet-related transactions, cybercrime operations, and high-risk offshore ecosystems.
Key Findings
Immediate Restriction By Bithumb
Bithumb confirmed that all deposits and withdrawals involving Heleket have been blocked effective 21 May 2026. The restrictions reportedly took effect immediately following the exchange’s internal compliance assessment.
TRM Labs Connects Heleket To Cryptomus
In April 2026, blockchain intelligence firm TRM Labs stated with high confidence that Heleket was likely established and operated by Cryptomus or individuals connected to its control structure. The assessment reportedly relied on several indicators, including:
- overlapping infrastructure,
- shared branding elements,
- timing of platform launches,
- personnel overlap,
- and significant on-chain transactional relationships.
Cryptomus Already Faced Major AML Enforcement
Cryptomus previously became the subject of major regulatory scrutiny after Canada’s FINTRAC imposed a record CAD 176.96 million administrative AML/CFT penalty against Xeltox Enterprises Ltd., the company operating as Cryptomus.
Authorities cited extensive compliance failures, including:
| Violation Area | Alleged Failure |
|---|---|
| Suspicious Transaction Reporting | Failure to submit required STRs |
| Large Virtual Currency Reporting | Missing mandatory transaction filings |
| Risk Monitoring | Weak AML supervision systems |
| Sanctions Controls | Inadequate sanctions-related controls |
| High-Risk Transaction Handling | Exposure to darknet and ransomware flows |
Garantex Exposure Raises Additional Concerns
TRM Labs also reported that early liquidity associated with Heleket wallets allegedly originated from Garantex, the Russia-linked crypto exchange sanctioned by OFAC.
The timeline surrounding Garantex includes:
| Date | Event |
|---|---|
| April 2022 | OFAC sanctions Garantex |
| March 2025 | U.S. DOJ announces coordinated disruption of Garantex infrastructure |
| April 2026 | TRM links Heleket liquidity flows to Garantex exposure |
Bithumb Faces Its Own Regulatory Pressure
The move also comes while Bithumb itself remains under increasing AML scrutiny in South Korea. Earlier in 2026, authorities imposed a reported 36.8 billion won penalty tied to AML violations involving transfers connected to unregistered overseas virtual-asset service providers.
A Seoul court later suspended a planned six-month partial business restriction, although public reporting surrounding the financial penalty remained less definitive.
Compliance Analysis
The Heleket matter illustrates how crypto payment processors may operate as an intermediary layer between regulated exchanges and high-risk counterparties.
Unlike conventional exchanges, processors frequently present themselves as neutral infrastructure providers offering:
- merchant checkout systems,
- API integrations,
- settlement wallets,
- payment routing,
- and cross-border transfer services.
However, where KYC and AML procedures are weak, selectively enforced, or intentionally fragmented, such infrastructure can become an operational shield for users unable to access regulated exchanges directly.
The assessment published by TRM Labs is notable because it reportedly relies on multiple indicators rather than a single technical overlap. The alleged relationship between Cryptomus and Heleket appears based on:
- infrastructure similarities,
- branding overlap,
- common operational timing,
- personnel connections,
- and blockchain transaction analysis.
From a compliance perspective, this suggests a possible continuity-of-control scenario rather than the emergence of a genuinely independent processor.
If accurate, Heleket may represent a parallel infrastructure layer created to maintain transactional access after Cryptomus came under elevated regulatory scrutiny.
FINTRAC Findings Increase Regulatory Weight
The FINTRAC enforcement action against Cryptomus significantly strengthens the compliance concerns surrounding the ecosystem.
Canadian authorities reportedly identified 2,593 violations across multiple compliance categories, including failures connected to:
- suspicious transaction reporting,
- darknet-market activity,
- ransomware-related flows,
- fraud proceeds,
- sanctions evasion,
- CSAM-related transaction indicators,
- and transactions associated with Iran.
The regulator additionally concluded that Cryptomus failed to maintain adequate AML/CFT controls across several operational areas.
Red Flags For Exchanges, Banks, and Payment Institutions
The Heleket/Cryptomus structure contains multiple indicators that compliance teams would typically classify as elevated-risk behavior.
Key Compliance Red Flags
- emergence of a new payment brand following enforcement pressure on a related processor;
- overlapping infrastructure or operational personnel between supposedly separate entities;
- wallet liquidity linked to sanctioned or disrupted exchanges;
- exposure to ransomware, darknet markets, cybercrime services, or sanctions-evasion activity;
- offshore corporate structures with limited transparency;
- cross-border merchant-processing activity without visible beneficial-ownership controls.
These concerns extend beyond crypto exchanges and may affect:
- banks,
- EMIs,
- payment institutions,
- stablecoin issuers,
- wallet providers,
- OTC desks,
- and VASPs connected to settlement or liquidity infrastructure.
Scam-Or Project Assessment
Bithumb’s decision reflects a broader shift in crypto-sector compliance enforcement. Regulatory focus is increasingly moving beyond centralized exchanges toward the infrastructure layer connecting:
- processors,
- wallets,
- merchant gateways,
- OTC liquidity,
- settlement systems,
- and sanctioned ecosystems.
Heleket may become an important test case for how exchanges respond when blockchain-intelligence firms identify potentially high-risk processors before regulators formally impose sanctions or enforcement measures.
For Scam-Or Project, the situation reinforces a recurring pattern: significant financial-crime exposure in crypto increasingly exists within the transactional rails between exchanges, processors, merchants, and offshore liquidity systems rather than exclusively at the exchange level itself.
Call For Information
Scam-Or Project invites insiders, compliance professionals, former employees, payment-industry sources, and affected users with information regarding Heleket, Cryptomus, Garantex-related transaction flows, processor wallet infrastructure, merchant onboarding, or exchange integrations to submit information through the Scam-Or Project Complaints channel.
