Cryptomus: 2,593 violations, CAD 176.9M, and why a full-KYC payment processor solves nothing

The raw figure, and the detail that matters

On October 16, 2025, FINTRAC, Canada's anti-money laundering authority, issued an administrative monetary penalty of CAD 176,960,190 against Xeltox Enterprises Ltd, the legal entity operating the Cryptomus platform. This amount is the largest sanction in the regulator's history, across all industries. It represents more than five times the previous record, imposed on Binance in May 2024 for CAD 6 million.

The official tally published on FINTRAC's website on October 22, 2025 cites 2,593 distinct violations of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. This surprisingly precise number deserves to be read in its components rather than as an aggregate.

Component 1: 1,068 STR failures

During the period from July 2024, Cryptomus failed to submit 1,068 Suspicious Transaction Reports when the operator had reasonable grounds to suspect a link to money laundering or terrorist financing. FINTRAC explicitly breaks down the nature of these transactions: trafficking in child sexual exploitation material, fraud, ransomware payments, and sanctions evasion.

These four categories are not accidental. Brian Krebs' reporting on Krebs On Security, published October 22, 2025, identifies Cryptomus since 2023 as one of the three main processors used by Russian-speaking darknet marketplaces and ransomware operators. The service is cited in numerous TRM Labs and Chainalysis analyses as a leading cash-out infrastructure for criminal flows.

Component 2: 7,557 unreported Iran transactions

From July 1 to December 31, 2024, Cryptomus failed to report 7,557 transactions originating from Iran. These operations should have been treated as high-risk under a specific Canadian ministerial directive regarding flows linked to the Islamic Republic of Iran. This failure is qualitatively more serious than the simple STR default, because it falls within an explicit sanctions regime.

FINTRAC does not specify the cumulative amount of these transactions. A reasonable estimate, averaging reference volumes on the platform at the time, places the order of magnitude between several tens and a few hundred million equivalent USD dollars.

Component 3: 1,518 transactions above the threshold

Over the same period, Cryptomus failed to report 1,518 virtual cryptocurrency transactions exceeding the 10,000 Canadian dollar threshold. These operations are by design subject to automatic reporting, similar to the American Currency Transaction Report. The failure requires no contextual analysis; it is mechanical.

The sum of the three main components approaches 10,000 distinct failures. The official count of 2,593 violations aggregates these failures into legal categories, which explains the numerical gap.

Component 4: an insufficient AML program

FINTRAC further noted that Cryptomus's policies and procedures were "incomplete and inadequate," unsuited to actual operations, and not kept up to date. This line is not a detail. It means the failure does not stem from occasional breakdowns but from a compliance architecture that is structurally defective.

Editorial reading

Cryptomus publicly presents itself as a fully KYC-compliant payment processor. Sumsub is its verification solution. The site lists its certifications and its transparency notice. All this apparatus, which should theoretically position Cryptomus as a safe choice for a legitimate merchant, did not prevent the platform from becoming the subject of the heaviest AML sanction in Canadian history.

The lesson is not that KYC is useless. The lesson is that KYC as a checkbox says nothing about the quality of post-onboarding transaction monitoring. In the Cryptomus case, onboarding was formally compliant. The problem began afterward, when transactions should have triggered alerts and reports, and did not.

Position of the directory

Cryptomus is listed here with a rating of 2.5 out of 10, a privacy score of 5 out of 100, and a trust score of 60 out of 100. These figures are not generous, nor will they become so. The service is a visible full-KYC payment processor, which is not inherently disqualifying for a user seeking transparent collection in a regulated jurisdiction. But including it in a privacy-oriented directory amounts to signaling to the user that this service is not an anonymous choice, and that it otherwise carries a documented operational risk.

For the end user, the concrete calculus is threefold. If you are a merchant looking to accept crypto while remaining compliant in a Western jurisdiction, Cryptomus remains functional, but prefer an operator with a clean legal record. If you are a privacy-conscious user looking to buy or sell crypto, Cryptomus is not the right tool. If you already have dormant funds on Cryptomus, recovery remains possible but document every step, as the platform's operational profile remains under regulatory pressure.