The Financial Crimes Enforcement Network (Fincen) issued
Often referred to as "Bitcoin ATMs," these ATM-like machines allow customers to exchange real money for digital currency. While CVC kiosks offer convenience for consumers accessing virtual currency, scammers and other illicit actors heavily exploit them.
Criminals increasingly use CVC kiosks to defraud victims. The Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) reported nearly 11,000 complaints in 2024 involving CVC kiosks, with reported victim losses totaling approximately $246.7 million.
This figure represents a nearly doubling in the number of complaints over 2023 and a 31% annual increase in reported victim losses.
Arkansas Attorney General Tim Griffin highlighted the challenge in
Scammers typically direct consumers to deposit money into these kiosks, often by creating a false sense of urgency, claiming compromised accounts, or demanding payment for back taxes or missed court appearances.
Once money enters the kiosk, it is usually gone. "There is no way of getting it back," according to the statement from Griffin's office. Transactions are quick, immediate, and frequently untraceable, offering "no legal protections or government-insured protections."
Elder fraud and sophisticated scam tactics
CVC kiosk scams disproportionately impact older adults. According to
Scammers often initiate contact through unsolicited phone calls, impersonating banks, government agencies or tech support.
Fincen Director Andrea Gacki emphasized this predatory behavior in
Scammers exploit the speed and difficulty of reversing CVC transactions. Although transaction fees can range from 7% to 20%, the exchange for the scammers is a swift and often irreversible receipt of funds from the victim.
Criminals provide victims with detailed, step-by-step instructions, often staying in constant contact by phone or online until the payment is complete.
They frequently direct victims to circumvent reporting thresholds and transaction limits by structuring cash deposits into multiple, smaller transactions or by splitting payments across different CVC kiosks.
In one example Fincen highlighted, a California man faced charges for participating in a multinational fraud conspiracy that led a 70-year-old retiree to deposit approximately $55,700 into CVC kiosks as part of a larger $1.49 million scam.
Non-compliant operators pose significant risk
CVC kiosk operators generally function as money services businesses (MSBs) and must register with Fincen under the Bank Secrecy Act. However, the rapid growth of CVC kiosks in the U.S. has coincided with substantial rates of non-compliance with rules about anti-money laundering and countering the financing of terrorism, according to Fincen.
The agency said some operators fail to register with Fincen, lack effective programs for fighting money laundering and terrorism funding, and do not collect required customer identification. Fincen also said some operators provide false information to other financial institutions to acquire accounts or engage in money laundering by structuring transactions.
In a notable case, Kais Mohammad, who operated an illegal CVC MSB called Herocoin, was sentenced to 24 months in federal prison for exchanging up to $25 million, some on behalf of criminals.
Mohammad, a former bank employee, "intentionally failed to register his company with Fincen," according to the agency, and did not maintain an effective anti-money laundering program, file currency transaction reports, conduct customer due diligence, or file suspicious activity reports.
His CVC kiosk machines allowed customers to conduct transactions "without requiring any identification," according to Fincen.
Red flags and reporting requirements for financial institutions
Fincen noted that banks and credit unions must file a SAR for any transaction or pattern of transactions of at least $2,000 if they know, suspect or have reason to suspect it involves illegal activity, evades regulations, lacks a lawful purpose or facilitates criminal activity.
Banks and credit unions must also monitor for structuring, which is when scammers evade the $2,000 limit for SAR reports with slightly smaller transactions.
When filing a SAR related to these activities, Fincen requested financial institutions include the key term "FIN-2025-CVCKIOSK" in SAR field 2 (the name of this field on the form is "Filing Institution Note to Fincen") and the narrative.
Fincen also "strongly encourages" voluntary information sharing among financial institutions under Section 314(b) of the USA PATRIOT Act to help prevent identity theft and fraud schemes.
Fincen urged financial institutions to look out for red flags to detect and report suspicious activity.
Red flags from customers
Banks and credit unions should see red flags when a customer withdraws substantial amounts of cash from their bank or retirement account and indicates that a person on the phone or internet directed them to deposit these funds into a CVC kiosk.
An older customer with no prior CVC-related activity conducting a high-value transaction or series of transactions with a CVC kiosk operator should also draw scrutiny.
A customer using a debit card to make multiple payments to a CVC kiosk operator, all just below the currency transaction report limit, is also a warning sign.
Red flags from CVC kiosk operators
Any bank should scrutinize CVC kiosk business customers it works with to ensure the operators are registered with Fincen as a money services business and comply with state licensing requirements.
A CVC kiosk operator that fails to collect required customer and transaction information, or advertises transactions without identification or with only a phone number or email address, may also be violating regulations.
A business customer that charges unusually high transaction fees relative to other legitimate operators or has opaque rates constitutes a red flag.
A CVC kiosk business customer that structures cash transactions below the suspicious activity report or currency transaction report threshold should also draw scrutiny.
