Money laundering through online gambling is not a single technique but a family of methods, each exploiting different features of the gambling environment. FATF's 2009 report on money laundering through the gambling sector, updated with further guidance in 2018, identifies online gambling as a medium-to-high risk sector for money laundering, with specific risk factors including the global reach of online platforms, the variety of payment methods accepted, and the player-versus-operator transaction structure that can obscure the ultimate movement of funds. Understanding the specific typologies is essential for building an AML programme that detects actual financial crime rather than generating noise from benign high-value players.
Typology 1: Deposit-and-Withdraw (Minimal Wagering)
The simplest and most common money laundering typology in online gambling involves depositing illicit funds, conducting minimal wagering to create the appearance of genuine gambling activity, and then withdrawing the balance as apparently legitimate gambling proceeds. The criminal accepts a small loss (the amount wagered minus any winnings) as the cost of washing the funds.
The detection signature is characteristic: large deposits followed by low-stakes wagering, followed by a withdrawal request for a balance close to the original deposit. The ratio of wagered amount to deposited amount is low — a legitimate gambler wagers multiple times their deposit amount over the session; a money launderer may wager only 5–10% of the deposited amount before requesting withdrawal.
Transaction monitoring rules should flag accounts where the cumulative wagered amount is below a defined percentage of the cumulative deposit amount, particularly where the deposit amounts are large. This flag should trigger a review of the account's betting history and a source of funds inquiry before the withdrawal is processed.
Typology 2: Chip Dumping in Poker
In poker games, two or more accounts controlled by the same criminal group deliberately play against each other, with one player (the "recipient") winning chips from the others. The losing accounts deposit illicit funds; the winning account accumulates chips that can be withdrawn as apparently legitimate poker winnings. The transaction chain obscures the origin of the funds — the recipient's winnings appear to come from fellow poker players, not from a direct deposit.
Detecting chip dumping requires analysis of network relationships between accounts — identifying accounts that share device fingerprints, IP addresses, registered addresses, or payment methods, and then examining whether those accounts have a statistically anomalous win/loss relationship. A player who consistently loses to the same small set of opponents, at a rate significantly worse than expected given their action, should be flagged for investigation.
The data required for this analysis is available in the poker hand history logs, which record every action at every table. Operators with large poker ecosystems should implement graph analysis tools that continuously map the win/loss relationships between accounts and surface clusters of accounts with anomalous transfer patterns.
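The pairwise win/loss mapping described above can be sketched as follows. This is an added example, not code from the original page: the hand rows are constructed, and the `min_gross` and `min_skew` thresholds are assumed values that use one-sidedness of chip flow as a simplified stand-in for a full expected-loss model. In practice the flagged pairs would then be checked against shared device, IP, address or payment evidence.

```python
from collections import defaultdict

# Constructed sample: one row per settled pot between two players,
# (hand_id, losing_account, winning_account, chips), derived from hand histories.
HANDS = [
    (1, "acc_a", "acc_r", 400), (2, "acc_b", "acc_r", 350),
    (3, "acc_a", "acc_r", 500), (4, "acc_r", "acc_a", 20),
    (5, "acc_c", "acc_d", 60),  (6, "acc_d", "acc_c", 55),
    (7, "acc_c", "acc_e", 40),  (8, "acc_e", "acc_d", 45),
    (9, "acc_b", "acc_r", 300), (10, "acc_d", "acc_e", 50),
]

def pair_flows(hands):
    """Per unordered pair: [net chips from first to second name, gross chips]."""
    flows = defaultdict(lambda: [0, 0])
    for _, loser, winner, chips in hands:
        a, b = sorted((loser, winner))
        flows[(a, b)][0] += chips if loser == a else -chips
        flows[(a, b)][1] += chips
    return flows

def one_sided_pairs(hands, min_gross=500, min_skew=0.9):
    """Pairs with large chip movement that runs almost entirely one way."""
    out = []
    for (a, b), (net, gross) in pair_flows(hands).items():
        if gross == 0 or gross < min_gross:
            continue
        skew = abs(net) / gross          # 1.0 = every chip moved in one direction
        if skew >= min_skew:
            src, dst = (a, b) if net > 0 else (b, a)
            out.append((src, dst, abs(net), round(skew, 2)))
    return sorted(out)

def recipient_clusters(hands, **thresholds):
    """Accounts that receive one-sided flows from two or more distinct sources."""
    inbound = defaultdict(set)
    for src, dst, _, _ in one_sided_pairs(hands, **thresholds):
        inbound[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in inbound.items() if len(srcs) >= 2}
```

The ordinary back-and-forth between `acc_c`, `acc_d` and `acc_e` nets out close to zero and stays below the gross threshold, so only the cluster feeding `acc_r` is surfaced.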
Typology 3: Smurfing via Multiple Accounts
Smurfing — using multiple accounts to break a large sum into smaller transactions below monitoring thresholds — is a standard money laundering technique adapted to online gambling. A criminal group operates multiple player accounts, each depositing amounts below the operator's CDD trigger threshold. The aggregate deposits across all accounts significantly exceed the threshold, but no individual account triggers review.
Effective smurfing detection requires entity resolution — the ability to identify multiple accounts controlled by the same individual or group. This requires matching on device fingerprints, IP addresses, payment instruments, behavioural biometrics, and registered identity details. Modern fraud platforms such as Featurespace or NICE Actimize can perform real-time entity resolution that links apparently separate accounts through shared technical and behavioural indicators.
The CDD trigger thresholds in the operator's AML policy should apply at the entity level, not the account level. Where entity resolution identifies that multiple accounts are linked, the aggregate deposit across all linked accounts should be used to determine whether CDD is required, even if no individual account has reached the threshold independently.
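A minimal sketch of entity-level threshold evaluation, added here as an illustration and not taken from the original page or from any vendor platform. The accounts, identifiers and the `CDD_THRESHOLD` value are constructed, and treating only device and card matches as strong enough to merge accounts (a shared IP alone is not) is an assumption of this example.

```python
from collections import defaultdict

CDD_THRESHOLD = 2000           # assumed policy value (GBP), illustration only
STRONG = ("dev:", "card:")     # assumption: a shared IP alone does not merge accounts

# Constructed sample: account -> (cumulative deposits, identifiers observed)
ACCOUNTS = {
    "p1": (900, {"dev:aa11", "card:4111", "ip:198.51.100.7"}),
    "p2": (850, {"dev:aa11", "card:5500"}),
    "p3": (700, {"dev:cc33", "card:5500"}),
    "p4": (1500, {"dev:dd44", "card:6011"}),
    "p5": (300, {"dev:ee55", "card:3400", "ip:198.51.100.7"}),
}

def resolve_entities(accounts, strong=STRONG):
    """Union-find: accounts sharing any strong identifier join one entity."""
    parent = {a: a for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    owner = {}                              # identifier -> first account seen with it
    for acct, (_, idents) in accounts.items():
        for ident in idents:
            if not ident.startswith(strong):
                continue
            if ident in owner:
                parent[find(acct)] = find(owner[ident])
            else:
                owner[ident] = acct
    groups = defaultdict(list)
    for acct in accounts:
        groups[find(acct)].append(acct)
    return sorted(sorted(g) for g in groups.values())

def cdd_due(accounts, threshold=CDD_THRESHOLD):
    """Entities at or over the threshold: (members, aggregate, missed_per_account)."""
    due = []
    for members in resolve_entities(accounts):
        total = sum(accounts[m][0] for m in members)
        if total >= threshold:
            per_account = max(accounts[m][0] for m in members)
            due.append((members, total, per_account < threshold))
    return due
```

Here `p1` and `p3` share no identifier directly but are linked transitively through `p2`, so the entity aggregates to 2450 even though no single account reaches 2000.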
Typology 4: Stolen Card-Funded Deposits with Legitimate Withdrawal
A variation of the deposit-and-withdraw typology involves using stolen card details to fund gambling deposits. The criminal deposits illicit funds using stolen cards (which the cardholder will subsequently charge back), wagers minimally, and withdraws to a legitimate bank account. The net effect is that the bank account receives funds that originated as card fraud, with the gambling platform as the intermediary that converts the stolen card proceeds to a bank transfer.
This typology is primarily detected through the chargeback management process: a pattern of accounts where deposits are subsequently charged back by cardholders, followed by withdrawals to bank accounts, is a strong indicator. Operators should monitor the relationship between chargebacks and withdrawals at the account level, flagging accounts where chargebacks occurred after withdrawal requests were made.
Transaction Monitoring Rules for iGaming
The Gambling Commission's AML guidance and the broader MLR17 framework require operators to implement transaction monitoring proportionate to their risk profile. For online casino operators, effective transaction monitoring rules include:
- Rapid deposit-and-withdraw pattern: cumulative deposits above £X within 24 hours followed by a withdrawal request within Y hours of the last deposit
- Low wagering ratio: wagered amount below Z% of deposited amount at time of withdrawal request
- Multiple account indicators: deposits from payment instruments used on other accounts in the platform
- Jurisdiction risk: deposits from IPs in high-risk jurisdictions or VPNs, particularly where the player's registered address is in a low-risk jurisdiction
- Unusual payment method combinations: deposit via one method type, immediate withdrawal via a different method type or account name
These rules must be tuned regularly against actual case outcomes — rules that generate too many false positives consume compliance resource without value; rules calibrated too tightly miss genuine financial crime. The tuning process should use the outcomes of SAR investigations to refine alert thresholds, creating a feedback loop between the investigation team and the transaction monitoring system.
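The first two rules in the list, evaluated at the moment of a withdrawal request, are shown below as an added example that is not part of the original page. The ledger is constructed, and the defaults for `x_gbp`, `y_hours` and `z_ratio` are placeholder values for the X, Y and Z that an operator would set and then tune against case outcomes.

```python
from datetime import datetime, timedelta

# Constructed ledger: (account, ISO timestamp, event type, amount in GBP)
LEDGER = [
    ("u1", "2024-03-01T10:00", "deposit", 4000),
    ("u1", "2024-03-01T10:20", "deposit", 5000),
    ("u1", "2024-03-01T10:45", "wager", 600),
    ("u1", "2024-03-01T11:30", "withdrawal_request", 8500),
    ("u2", "2024-03-01T09:00", "deposit", 500),
    ("u2", "2024-03-01T09:30", "wager", 1800),
    ("u2", "2024-03-02T15:00", "withdrawal_request", 650),
    ("u3", "2024-03-01T08:00", "deposit", 6000),
    ("u3", "2024-03-01T12:00", "wager", 9000),
    ("u3", "2024-03-01T13:00", "withdrawal_request", 5200),
]

def evaluate(ledger, x_gbp=5000, y_hours=6, z_ratio=0.25):
    """Return (account, triggered rules, wagering ratio) per flagged withdrawal."""
    alerts, history = [], {}
    for acct, ts, kind, amount in sorted(ledger, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        h = history.setdefault(acct, {"deposits": [], "wagered": 0})
        if kind == "deposit":
            h["deposits"].append((when, amount))
        elif kind == "wager":
            h["wagered"] += amount
        elif kind == "withdrawal_request" and h["deposits"]:
            total = sum(a for _, a in h["deposits"])
            last = h["deposits"][-1][0]
            # Deposits in the 24 hours leading up to the most recent deposit
            recent = sum(a for t, a in h["deposits"]
                         if last - t <= timedelta(hours=24))
            ratio = h["wagered"] / total
            rules = []
            if recent > x_gbp and when - last <= timedelta(hours=y_hours):
                rules.append("rapid_deposit_withdraw")
            if ratio < z_ratio:
                rules.append("low_wagering_ratio")
            if rules:
                alerts.append((acct, rules, round(ratio, 3)))
    return alerts
```

Account `u3` trips the rapid pattern but has wagered 1.5 times its deposits, which is the kind of single-rule alert that outcome-based tuning would down-weight relative to `u1`, where both rules fire.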