Canadian regulators have issued the largest penalty in the history of the country’s financial-intelligence system, ordering a cryptocurrency exchange to pay almost CAD$177 million after auditors discovered thousands of unreported transactions linked to criminal activity and high-risk jurisdictions.
FINTRAC, Canada’s financial-intelligence unit, announced on Wednesday that it will fine Xeltox Enterprises Ltd. for multiple breaches of federal anti-money-laundering rules. The B.C.-incorporated company operates as Cryptomus and previously carried the name Certa Payments Ltd. Regulators said the business repeatedly failed to flag suspicious transfers and did not follow enhanced-risk procedures that apply to transactions involving Iran.
The penalty exceeds FINTRAC’s earlier record, which involved about $20 million in fines levied against Peken Global Ltd., the operator of the KuCoin platform, in September. FINTRAC said Cryptomus ignored obligations that every reporting entity must meet under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
Auditors found 1,068 instances in July 2024 where Cryptomus did not report transactions connected to darknet markets and virtual-currency wallets known for criminal ties.
These transfers involved activity associated with child exploitation, fraud schemes, ransomware payments and attempts to evade international sanctions. The agency said the number and severity of these omissions left it with no choice but to issue an unprecedented enforcement action.
FINTRAC’s director and CEO, Sarah Paquet, said the pattern of failures demanded a strong response. She noted that the criminal links created a serious compliance breach that required immediate sanction, although she did not describe the penalties as punitive. Instead, she said the goal was to enforce the law and protect the financial system from becoming a channel for exploitation.
Read more: Soluna and Canaan partner on 20-Megawatt renewable-powered crypto mining hub
Read more: British Columbia puts AI and crypto on notice with power restrictions and mining ban
Agency connects major violations into Iran
Darknet markets operate as hidden online platforms where illegal services and goods are frequently bought and sold. These sites often rely on anonymity tools and virtual currencies, which make tracing identities difficult. Cryptomus processed transactions involving several of these markets without filing mandatory suspicious-activity reports. Regulators said this lapse removed crucial information that could have supported police investigations.
The agency also cited major violations connected to Iran. Between July 1 and December 31, 2024, Cryptomus handled 7,557 transactions that originated in that country. Ministerial directives require businesses to treat financial dealings linked to the Islamic Republic of Iran as high risk.
Companies must verify the identity of people sending or receiving money, apply enhanced due-diligence checks, record detailed information and report these transactions to FINTRAC. However, the agency said Cryptomus ignored every one of those obligations.
Additionally, regulators found that Cryptomus failed to report 1,518 large virtual-currency transfers in July 2024. Canadian law requires companies to file a report when a transaction reaches or exceeds $10,000. Regulators said the business did not submit any filings connected to these large movements of digital assets.
The agency also examined the firm’s internal controls. Investigators concluded that Cryptomus had weak and incomplete policies that did not meet regulatory standards. They found gaps in how the firm conducted ongoing monitoring and know-your-client checks. These practices are considered essential for detecting suspicious behaviour and preventing criminals from using regulated services.
FINTRAC also said these combined lapses amounted to significant breaches that harmed Canada’s ability to track financial crime.
Read more: Citadel invests in Kraken as crypto exchange prepares for IPO next year
Read more: HIVE Digital expands AI cloud with Dell partnership and Bell deployment
FINTRAC increased monetary penalties in recent years
The agency stressed that every entity covered by the anti-money-laundering framework must keep detailed records, verify client identity and alert authorities when transactions meet reporting thresholds. Regulators said Cryptomus did not meet any of these points in the examined period.
The penalty marks the latest sanction issued against the firm. In May, the B.C. Securities Commission temporarily barred Cryptomus from trading securities or engaging in several market activities after it said the company failed to comply with provincial rules.
FINTRAC has increased its use of monetary penalties in recent years. In the 2024–25 fiscal period, the agency issued 23 notices of violation to businesses across Canada. These notices carried more than CAD$25 million in penalties. Regulators said the high number reflected a shift toward stronger enforcement and more detailed examinations. They also said the crackdown aimed to strengthen the country’s defences against money laundering and terrorist financing.
The punishment issued to Cryptomus dwarfs past actions. FINTRAC’s previous fines mostly involved banks, casinos, real-estate brokers and payment-processing firms. These businesses fall under the same federal law and must meet similar rules. However, regulators said cryptocurrency firms face added scrutiny because digital-asset transactions can move quickly and anonymously across borders. Consequently, these firms are more attractive to groups seeking to hide the origin of illicit funds.
The company operates internationally and offers a range of cryptocurrency payment tools. It has not previously disclosed how it monitors customer activity or screens transactions. Regulators said their review found little evidence that the company invested in a strong compliance program.
.
joseph@mugglehead.com
