Canada's financial intelligence watchdog has imposed its largest-ever penalty against a cryptocurrency platform, fining Vancouver-based Cryptomus C$176.96 million ($126 million) for widespread failures to report thousands of suspicious transactions linked to serious criminal activity including child sexual abuse material, ransomware payments, and sanctions evasion.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) announced the administrative monetary penalty against Xeltox Enterprises Ltd., which operates the Cryptomus payment platform, on Wednesday.
The fine, issued October 16, dwarfs the agency's previous record—a C$19.6 million penalty imposed on cryptocurrency exchange KuCoin in September 2025.
Systemic Compliance Failures
FINTRAC's investigation uncovered what regulators described as systemic disregard for Canada's anti-money laundering framework. The agency identified 1,068 instances where Cryptomus failed to submit suspicious transaction reports during July 2024 for transactions involving known darknet markets and virtual currency wallets tied to trafficking in child sexual abuse material, fraud, ransomware payments, and sanctions evasion.
"Given that numerous violations in this case were connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion, FINTRAC was compelled to take this unprecedented enforcement action," said Sarah Paquet, director and CEO of FINTRAC, in a statement.
The violations extended beyond suspicious activity reporting. FINTRAC found that Cryptomus failed to report 1,518 large virtual currency transactions exceeding the C$10,000 threshold during July 2024 - a fundamental reporting requirement under Canadian law designed to create financial trails for large value movements.
Iran Sanctions Violations
Perhaps most serious from a national security perspective, regulators discovered that Cryptomus failed to report 7,557 transactions originating from Iran between July and December 2024.
Under ministerial directives, cryptocurrency platforms must treat financial transactions associated with the Islamic Republic of Iran as high-risk, requiring identity verification of senders and beneficiaries, enhanced due diligence, transaction record-keeping, and mandatory reporting to FINTRAC.
The platform allegedly fulfilled none of these obligations, potentially creating channels for sanctions evasion - a critical national security concern as Western nations maintain financial restrictions against Iran for its nuclear program and regional activities.
Links to Russian Cybercrime Ecosystem
The enforcement action comes ten months after investigative reporting by KrebsOnSecurity revealed that Cryptomus functions as the payment processor for dozens of Russian cryptocurrency exchanges and websites offering cybercrime services.
Blockchain analyst Richard Sanders documented 122 cybercrime services using Cryptomus, including bulletproof hosting providers, sites selling compromised email and financial accounts, anonymity services, and anonymous SMS platforms.
Sanders' research found that at least 56 Russian cryptocurrency exchanges were using Cryptomus to process transactions, with names like casher[.]su, flymoney[.]biz, and obama[.]ru. These platforms, built for Russian-speaking customers, advertised the ability to anonymously swap cryptocurrencies and exchange digital assets for cash in accounts at Russia's largest banks - nearly all of which face sanctions from the United States and other Western nations.
Blockchain analytics firm Chainalysis confirmed to KrebsOnSecurity that Cryptomus has been used by criminals of all types for money laundering and purchasing goods and services. "We see threat actors engaged in ransomware, narcotics, darknet markets, fraud, cybercrime, sanctioned entities and jurisdictions, and hacktivism making deposits to Cryptomus," the company stated.
Phantom Corporate Presence
Investigations into Cryptomus's corporate structure revealed troubling anomalies. A July 2024 joint investigation by CTV National News and the Investigative Journalism Foundation found that the street address for Cryptomus parent company Xeltox Enterprises was listed as the home of at least 76 foreign currency dealers, eight money services businesses, and six cryptocurrency exchanges.
The address - a three-story building in Vancouver that formerly housed a bank and now contains a massage therapy clinic and co-working space - suggests that most entities registered there have no physical presence in Canada. It remains unclear whether Cryptomus or Xeltox Enterprises maintain any actual operations in the country.
United Kingdom corporate records for the company's former name, Certa Payments Ltd., show incorporation at a London mail drop in December 2023, with a 25-year-old Ukrainian woman in the Czech Republic listed as sole shareholder and director.
Escalating Enforcement Landscape
The Cryptomus fine represents a dramatic escalation in FINTRAC's enforcement posture. During the 2024-25 fiscal year, the agency issued 23 violation notices totaling more than $25 million in penalties - the largest number in one year in its history. Since receiving legislative authority to impose penalties in 2008, FINTRAC has issued more than 150 penalties.
The timing is significant. Canada faces scrutiny ahead of a November 2025 audit by the Financial Action Task Force (FATF), the Paris-based international body that evaluates countries' anti-money laundering and counter-terrorist financing systems. The Cryptomus enforcement demonstrates Canada's commitment to robust oversight of virtual asset service providers.
Cryptomus had already faced regulatory sanctions before this penalty. The British Columbia Securities Commission temporarily banned the firm from trading securities and other market activities in May 2025.
Inadequate Compliance Infrastructure
Beyond the reporting failures, FINTRAC found that Cryptomus maintained "incomplete and inadequate" compliance policies and procedures, creating deficiencies in ongoing monitoring and know-your-client obligations.
The platform failed to develop and maintain proper compliance programs, conduct adequate risk assessments, and notify authorities about changes to business information - all mandatory requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
Legal experts familiar with the case described the penalty as effectively removing Cryptomus from the Canadian market. "This is a death sentence for a firm of that size," one Toronto-based compliance attorney told FinanceFeeds. "The scale of non-reporting here goes beyond negligence - it's systemic disregard."
Final thoughts
The record fine underscores regulators' determination to bring cryptocurrency platforms under the same compliance standards applied to traditional financial institutions.
Following major enforcement actions against Binance (C$6 million in 2024) and KuCoin (C$19.6 million in September 2025), the Cryptomus penalty signals that Canadian authorities will no longer tolerate platforms that enable criminal activity through inadequate controls.
For the global cryptocurrency industry, Canada's aggressive stance mirrors enforcement trends across G7 nations, where compliance violations now carry penalties comparable to those in traditional banking.
As virtual asset service providers registered in Canada face increased reporting burdens and enforcement risks, the Cryptomus case establishes a precedent for how regulators may treat platforms operating under weak compliance structures.