Staking rewards following Ethereum’s Shanghai upgrade have made it easier for investigators to spot counterintuitive behavior by ETH holders.


With its historic Merge event in September, Ethereum has become a proof-of-stake blockchain. The mechanism now used to confirm transactions relies on validators staking their Ether ETH $1,905. Ethereum’s March upgrade, codenamed Shanghai, finally enabled stakers to withdraw their locked Ether.

The Ethereum ecosystem’s “investment themes” have included a) decentralized finance (DeFi) b) stablecoins c) Bitcoin (via wrapped versions of BTC) and d) non-fungible tokens (NFTs). With the upgrade, the network also began providing fixed-income assets.

There are currently several ways people make money on or using Ethereum. Broadly, they can be grouped into “investment themes,” including: a) decentralized finance (DeFi); b) stablecoins; c) Bitcoin BTC$27,890 (via wrapped versions of BTC); and d) nonfungible tokens (NFTs). Following Shanghai, the network began to offer fixed-income assets.


Risk-free rate

Yield is one of the core pillars of traditional finance (TradFi). A rise or fall in yield leads to an increase or decrease in the perceived risk of other financial assets. Thus, movements in the benchmark rate set by the United States Federal Reserve provide the rationale behind investment decisions, in general.

Accordingly, compliance professionals use trends in the risk-free rate to detect irrational movement of funds in capital markets, as such fund flows might be attempts to launder money. The reasoning here is that launderers of illicit funds do not actively chase financial gains like regular investors, as the sole purpose of money laundering is to obfuscate the trail of dirty money.

With Ethereum’s staking yield denoting the “risk-free rate” of the crypto ecosystem, the Shanghai upgrade may have enhanced the state of crypto forensics.


TradFi forensics focuses on activity — crypto forensics focuses on entities

Financial crime risk in TradFi is managed using automatic systems that alert institutions to probable illicit use of financial assets. While data scientists design and deploy models to raise red flags over suspicious transactions, investigation teams still must assess resultant leads and evaluate if Suspicious Activity Reports (SARs) need to be filed.

An interesting point of contrast between forensics for TradFi and crypto is that the latter focuses more on the criminal entity than the activity itself. In other words, investigators analyze networks of crypto wallets to identify transfers of criminal assets.

Money laundering occurs in three stages: a) Placement: proceeds of crime enter the financial system; b) Layering: complex movement of funds to obscure the audit trail and sever the link with the original crime; and c) Integration: criminal proceeds are now fully absorbed into the legal economy and can be used for any purpose.


For crypto assets, it is convenient to design solutions to detect the placement of illicit assets. This is because most laundered money originates from crypto-native crimes such as ransomware attacks, DeFi bridge hacks, smart contract exploits and phishing schemes. In all such offenses, a perpetrator’s wallet addresses are readily available. Consequently, once a crime has been committed, relevant wallets are monitored to analyze asset flows.

In contrast, forensic experts working for, say, a bank do not have any visibility into the offense — such as human or drug trafficking, cybercrime or terrorism — when criminal proceeds are being injected into a bank’s ecosystem. This makes detection extremely difficult. Hence, most Anti-Money Laundering (AML) solutions are designed to identify layering.


Ethereum’s staking rewards make it easier to detect unusual activity

To design solutions to detect layering, it is imperative to think like criminals, who craft complex flows of funds to obfuscate the money trail. The time-tested approach to exposing such activity is to spot the irrational movement of assets. This is because money laundering does not have the goal of generating profit.

With Ether’s post-Shanghai staking yields providing benchmark interest rates for crypto, we can formulate baseline risk-reward structures. Armed with this, investigators can systematically spot financial behavior running counter-intuitive to trends in the benchmark rate.


To illustrate, there might be a pattern where an address or a group of addresses that points toward an entity that consistently takes on high risk while earning below the risk-free rate. A situation like that would almost certainly be investigated at a bank.

Case in point, such a transaction surveillance architecture can be used to detect the wash trading of NFTs. Here, multiple market participants collude to carry out numerous NFT trades with the goal of layering criminal assets or manipulating prices. Since earning profits is not the intention behind the vast bulk of these transactions, such activity will raise a red flag.

Similarly, in a situation where proceeds of terrorism are being layered via DeFi protocols, detection of irrational asset movements can provide substantial leads to investigators, even without knowledge of the actual crime.


Financial crime and DeFi

Traditional capital markets are often used to covertly move funds to circumvent sanctions and finance terrorist activity. Analogously, DeFi ecosystems present an attractive target for financial crime due to the ability to move vast sums of assets between jurisdictions using blockchain.

Further, there has been a significant shift in activity from centralized exchanges to decentralized exchanges due to recent fiascos like the collapse of FTX. This increase in DeFi volumes has made it easier for illegal flows to remain obscure.

Even more compelling is the introduction of better compliance controls by centralized crypto service providers – often mandated by regulators – which are likely driving criminals to seek out new channels for money laundering.

Consequently, illicit flows to DeFi could originate from an expanded set of crimes. This paradigm shift in crypto markets will require forensics teams to increase their capabilities of investigating complex fund flows across diverse protocols without prior knowledge of the source of criminal assets.

Accordingly, compliance efforts need to pivot around the discovery of layering typologies. In fact, with the rapid progress in blockchain interoperability, systematic surveillance to detect criminal transfers has become even more crucial.

Our ability to detect suspicious activity in crypto is less than ideal, partly due to crypto’s extreme price volatility. The volatility renders static risk thresholds ineffective and can enable money laundering to go undetected. In this sense, if and when Ethereum sets a benchmark rate, it will provide a means of establishing baseline rationality for fund flows and thus spotting outliers.