Blockchain technology (BT), in fact, is the most common DLT scheme behind cryptocurrencies [ 5 ]2 and its structural role within the topic at hand revolves around it being at the core of the Bitcoin ecosystem, which can be seen as a path nder in the crypto sphere. Indeed, it is widely recognized that BT's properties responded to socio-economic queries that were pursuing decentralized and disintermediated structures that could allow transactions to be performed with no need of a trusted central party [43].

The relevant algorithm-based \consensus protocol" was described as leading to crowdsourced functions of validation and auditing, which led several European institutions to acknowledge its disintermediation-wise worth [62]. BT's unprecedented, albeit partly disputable, degrees of veri ability, transparency, inalterability, trust and security stirred up interest in the most diverse elds and appealed governments and stakeholders from all over the world [9, 19, 40]. Parallelly, however, projects such as IOTA most interestingly wish to take these features to the next level by employing blockchain-unrelated DLTs { e.g. a type of DLT called Directed Acyclic Graph, the Tangle { to the end of appropriately targeting the Internet of Things (IoT) industry by pursuing secure data monetization from connected devices [51].

The deep conceptual and architectural impact of these innovations was underlined by crafting a broader notion: the \Internet of Value(s) (IoV)". The IoV comprises cryptocurrencies and purportedly labels the infrastructure of the next generation of Internet, compared with the more traditional \Internet of Information" [59].3 Whereas the latter enables people to directly send information to one another, the IoV removes any fences to the direct participation of everyone to the global (digital) economy by embedding an economic layer in the Web [16, 41]. 2

On the one hand, this innovative way of processing payments catered for the need to nd alternative solutions to traditional nancial institutions. One of the main purported goals behind this monetary (r)evolution, in fact, was the opening of nancial opportunities to the unbanked and non-traditional investors by mitigating their troubles in accessing the ordinary banking system because of its risk-averting principles and consequent de-risking approach.4 Accordingly, crypto ecosystems were praised as conductive to nancial inclusion and at a lower regulatory cost [59, 68].

From a risk perspective, however, it cannot come as a surprise that the very same lower - and possibly non-existent - degree of access control causes these instruments and their anonymitywise features to be perceived as highly vulnerable to be exploited for most diverse and large-scale illicit purposes. Generic references may encompass transactions on the dark web, scams, ransomware, malware, hacking and identity theft, market manipulation and fraud, Ponzi schemes, online gambling, nancing of criminal and terrorist activities, etc [19, 27, 35, 37, 68]. Some of these aspects were brought into the spotlight by the widely known and well-publicized Silk Road case; the subsequent increased crypto-risk awareness arguably played a role in the shutdown of Darknet markets such as Alphabay, Valhalla and Wall Street Market.

2From a technical and de nitional standpoint, \virtual currency" and \cryptocurrency" are not synonyms. However, despite the paramount need for conceptual clarity in the crypto realm, for the sake of the narrative they are used interchangeably in this paper. In compliance with the EU regulatory approach, local and complementary currencies fall outside the scope of this work.

3The notion of IoV is argued to depict the Internet as a space to transfer and store any conceivable value; blockchain would make it possible by ensuring the security, decentralization, e ciency and transparency of such storage [59].

4De-risking refers to the reduction in the provision of banking (and related) services to people and places that are perceived as too risky by relevant institutions [16].

Over and beyond, Virtual Currencies (VCs) were found to generate signi cant money laundering and terrorist nancing risks [21, 27]; the primary concern is the extent to which they can be easily resorted to in order to engage in these illicit practices. For this reason, a growing number of domain-speci c regulation attempts was spurred, against the backdrop of a broader set of legislative and regulatory actions targeting DLTs from a technology-based perspective, on the grounds that they often put the logic behind existing legal regimes to the test [45, 49].

Essentially, the diversity of relevant legal initiatives ranges from crypto-speci c legislation to interpretative instances of existing legal frameworks in light of new technologies; hence, the state-of-the-art highlights a bipartite scenario comprising both a pro-active and a reactive approach to regulatory scrutiny and intervention [40, 49]. The latter distinction may arguably play a signi cant role in paving a way forward for a more suitable and e ective attitude to any discussion concerning the regulation of crypto stakeholders. 3

The Financial Action Task Force (FATF)5 is the most prominent international organization in the Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) landscape and has been issuing speci c guidelines for VCs and Virtual Assets (VAs)6 since 2014; it is currently working towards strengthening the application of its Recommendations to DLTs.

More speci cally, in October 2018 nancial activities involving VAs were explicitly included in the scope of the FATF Recommendations and in June 2019 an Interpretive Note to Recommendation 15 ("New Technologies") provided some further clari cations [28, 30]. On the same occasion, the experts drafted an update of relevant guidelines concerning the Risk-Based Approach (RBA)7 to VCs, whereby emphasis was put on examples of risk indicators concerning transaction obfuscation and relevant inability to perform customer identi cation [28].

Within this framework of measures, crypto regulatory e orts target a set of entities labelled as \Virtual Asset Service Providers (VASPs)". Interestingly, according to the FATF Glossary, a VASP is \any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: i) exchange between virtual assets and at currencies, ii) exchange between one or more forms of virtual assets, iii) transfer of virtual assets, iv) safekeeping, and/or administration of virtual assets or instruments enabling control over virtual assets; and v) participation in and provision of nancial services related to an issuer's o er and/or sale of a virtual asset". Most notably, therefore, pursuant to ii), crypto-to-crypto exchanges are included in the scope of FATF provisions.

As far as the supranational level is concerned, the frequently mentioned European Union 5th AML Directive [21] addresses VCs and mandates Member States to regulate them. More 5The FATF is an intergovernmental organization and it is both a policy making and enforcement body. It addresses national competent authorities and sets international standards seeking to combat money laundering, terrorist nancing and other threats to the international nancial system. Notably, its Recommendations outline a comprehensive framework of measures whose implementation is called for in order to combat money laundering and terrorist nancing.

6The FATF Glossary de nes a "virtual asset" as "a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of at currencies, securities and other nancial assets that are already covered elsewhere in the FATF Recommendations."

7The RBA is a pivotal concept in the AML/CFT realm; it requires relevant preventive and mitigatory measures to be commensurate with the risks identi ed. Consequently, all stakeholders involved (e.g. the EU commission, national authorities, supervisory authorities, obliged entities, etc) are demanded to carry out preliminary risk assessments. speci cally, it labels " at-to-crypto exchanges" and "custodian wallet service providers"8 as reporting/obliged entities, by listing them amongst other more traditional regulated categories like nancial institutions and professionals.

Indeed, even if Article 3(18) of the consolidated version of the AML Directive de nes VCs as \a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically", Article 2(3)(g) limits its scope to \providers engaged in exchange services between virtual currencies and at currencies".

All in all, by enclosing these new set of "institutions" as "reporting entities" the Directive makes them subject to AML/CFT obligations. Given the nature of a directive as a EU legal instrument, relevant provisions may to some extent be tailored by Member States during relevant transposition processes. Nevertheless, relevant duties encompass, inter alia, appropriate registration and/or licensing procedures, Know Your Customer (KYC), Customer Due Diligence (CDD), up-to-date record-retention, internal procedures, ongoing monitoring - e.g. transaction scrutiny - and Suspicious Transaction Reporting (STR). Relevant mechanisms of monitoring, supervision and sanctions are also outlined by the abovementioned frameworks.

In a nutshell, obliged entities are preliminarily requested to conduct individualized risk assessments, which require to take into consideration a plethora of elements, such as targeted customers, o ered products and services, geographical areas involved. Subsequently, in light and on the basis of the development of a comprehensive risk pro le, they must implement and maintain consistent controls and monitoring e orts [68].

STR, on the other hand, is an instance of the well-known \active cooperation" duties, as a possible outcome of prior assessment and supervision tasks, which overall comprise both \active" and \passive" provisions. Also in the crypto context, CDD requires to identify - and take reasonable measures to verify the identity of - transaction parties and counterparties, such as customers (or any person purportedly acting on their behalf) and bene cial owners, as well as to assess purpose and intended nature of the business relationship [49].9 More speci cally, from a data analytics perspective, AML/CFT transaction monitoring controls include aggregation requirements and detection of structuring payments [35]. 4

A conclusion may already be drawn; even within blockchain-powered disintermediated ecosystems, and despite inherent crypto-speci c socio- nancial goals, the general tendency is to keep focusing on gateways and gatekeepers to/from the traditional regulated nancial system, the so-called \chokepoints" [28]. The explicit goal of the 5th AML Directive, for instance, is to allow competent authorities to monitor the use of VCs through relevant obliged entities [21], albeit it is concurrently acknowledged that their inclusion in the AML/CFT compliance sphere is not su cient to enforce supervision on all crypto transactions [21]. In a nutshell, in fact, at least two sets of arguments may possibly challenge this approach.

First, a massive tension can be detected between the need for nancial transactions to comply with originator/bene ciary information-related regulations and the nature of VCs as a privacy-oriented instrument. It is widely acknowledged that cryptocurrencies were imagined and created to keep intermediaries out of the picture; thus, the conceptual origin of the 8Article 3(19) of the Directive de nes \custodian wallet provider" as \an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies".

9Tracing the customer's IP address may be arguably demanded when Enhanced CDD is required [28]. crypto economy is seemingly and empirically at odds with identifying middlemen to be held accountable in the area of ensuring transparency of nancial transactions. Interestingly, it has been straightforwardly argued that there is a structural incompatibility between the concept of transparency within non-centralized systems and nancial regulatory transparency rules, since the latter oppose any opaqueness concerning the origins of funds, reasons for operations and relevant bene cial owners [51]. This friction appears as of topical importance because next generation DLTs are foreseen to take the ongoing revolution beyond peer-to-peer computer networks up to potentially including every Internet of Things (IoT)-connected device, while ever-evolving payment-related innovations keep defying legislative attempts [45].

Secondly, the same tech design of VCs arguably mismatches traditional approaches to AML/CFT regulation. Unsatisfactory legal results are caused by a diverse array of reasons, such as: (a) distributed governance mechanisms of VCs and relevant accountability levels vary signi cantly,10 (b) crypto transactions involve both traditional intermediaries and other actors, (c) their lifecycle features a multi-layered stakeholdership,11 (d) it is di cult to assess which innovative ecosystems properly belong to the nancial services sphere, (e) their cross-border nature and structures lead to major jurisdictional issues.

One of the main controversies tainting the current approach is that it arguably does not consistently address the issue of crypto-to-crypto exchanges often being under a di erent regulatory framework than crypto-to- at ones [35].12

In light of these inconsistencies, institutions such as the European Banking Authority (EBA) put forward { albeit incidentally { innovative approaches to the mitigation of crypto risks, namely a private/public co-regulation regime grounded on \regulated self-regulation" [23, 42]. The latter is to be implemented through the so-called \regulation-through-code" mechanism, along the lines of the concept of \regulation by design". Besides, an AML/CFT \self-declaration" role of the same crypto users and market participants was suggested, and is being assessed at the EU level [21].

In general terms, it is arguably incorrect to take for granted that disruptive technology equals disrupted law [34]. Nevertheless, a commonly agreed upon feature of BTs is to implement tasks that are traditionally performed by law and legal institutions [46], as well as to carry an alternative vision of the economic system [40]. These elements give rise to foresee principle-wise alterations grounded on the transposition of socio-economic interactions to a virtual, potentially horizontally-structured and hyper-connected world. Similarly, the inherent structure of these tech solutions seemingly leads to a deep power shift amongst stakeholders and possibly to a socalled \emergent technocracy" [40], thereby ostensibly challenging legislative frameworks and relevant accountability schemes. 5

Many crypto-related legislative and regulatory actions were argued to insu ciently acknowledge context-speci c technical aspects. Besides some comments on traditional approaches possibly being unreasonable in the crypto landscape [41], other critics challenged both the choice of which entities to include in the scope of AML/CFT obligations and the claimed level of anonymity and 10Namely, internal governance mechanisms range between the poles of fully public distributed ledgers and private ledgers [42].

11Players involved, in fact, range from users to miners to exchanges to trading platforms, wallet providers, coin investors and o erors [25].

12As recently underlined, however, under the FATF framework virtual-to-virtual and virtual-to- at transactions are supposedly both covered by the relevant Standards [28]. privacy of DLT-based nancial applications. In spite of common misconceptions, in fact, major VCs such as Bitcoin and Ether are pseudonymous rather than anonymous and the same was suggested for Libra [ 3, 44, 66 ]. Even if no real-world identities are involved, there are ways to link public addresses to real identities [ 2, 22, 33, 43 ].13 Concurrently, blockchain analysis techniques were enhanced over time and allow for a certain traceability of transaction ows; transacting in most popular VCs was found to leak information that can be used for de-anonymization purposes [ 2, 49 ].14 Besides, the address used { i.e. the public key {, the transferred amount and other metadata are permanently and publicly stored on the ledger [66].

From a traceability and accountability standpoint, pseudonymity needs to be contextualized within the framework of results that are achievable by crypto/blockchain forensics. The issue at hand entails reference to the set of tools aimed at de nitively or statistically matching actual users to transactions performed by crypto-IDs and possibly spotting unique identi ers to individuals [ 1, 49, 58 ]. Forensic experts, in fact, can extract data from a transaction, receive the history of a speci c address and use this information to engage in \follow the money" activities, to the end of possibly detecting the use of VCs by analyzing the retrieved data [37]. The conceptual and explainability-related impacts of these intelligence strategies may only be grasped by delving into how speci c techniques { such as transaction-graph analysis, user activities/address clustering, clustering heuristics, transaction ngerprinting by leveraging publicly available and o -network information, web-scraping and OSINT tools - have been developed and re ned to this end.15 Reference is not limited to Bitcoin forensics; data-exploitation strategies were deployed also on the Ethereum blockchain { notably to detect smart Ponzi schemes [14, 17] { and discussions are ongoing for non BT-based DLTs [57].

Moreover and most interestingly, studies were presented to assess the feasibility of using publicly available information and machine learning techniques to map Bitcoin transactions, model the di erence between licit and illicit ones from an AML screening standpoint, and possibly predict which transactions are legal and illegal [60, 68].16 From a legal standpoint, it is thought-provoking to notice how such analyses, e.g. their data collection and evaluation phases, were challenged from a privacy violation perspective, while at the same time they were defended by leveraging on the fact that they would actually make AML compliance easier and cheaper by exploiting BT's abovementioned features [60].

These arguments show a compelling paradox generated by the way (non-privacy-enhanced) DLTs relate to the nancial sphere. On the one hand, their pseudonymous nature provides the opportunity of engaging in illicit activities while hiding in plain sight. On the other hand, however, their very same data tech schemes and subsequent public availability allow for law enforcement experts to successfully deploy more e ective, and also possibly crowdsourced, forensic analysis techniques [68]. This ambiguity is arguably enrooted in the basic features of BTs, giving rise to even more con icting and counter-intuitive scenarios. From an AML compliance perspective, in fact, the use of such distributed systems is parallelly deemed to provide degrees of traceability and credibility for a reliable registration of AML information [67].

13As for Libra, the protocol does not link accounts to real-word identities; the Calibra wallet, however, seemingly requires AML/KYC [ 3, 44 ].

14This was also demonstrated by the arrests concerning the Wall Street Market [ 1, 58 ] 15On transaction-graph analysis:[33, 48]; On user activities clustering:[47]; On clustering heuristics [ 4, 43, 53 ]; On transaction ngerprinting using p.a. information:[33]; On using o -network information:[43, 53]; On webscraping and OSINT tools:[ 1 ]. For a more comprehensive outlook:[37].

16The licit or illicit nature of each transaction was assessed through heuristic processes if no other data points were available [68].

On a broader level, the issue of VC-related \privacy" is far from straightforward, just as its relationship with adjacent concepts such as secrecy, traceability and pseudonymity. Studies have tackled privacy impacts of Bitcoin implementations, where an important di erence was underlined between activity unlinkability and pro le indistinguishability [ 4 ]. In order to draw a comprehensive picture of the crypto monetary landscape from the standpoint at hand, different cryptocurrencies should be scrutinized in light of how their technical aspects evolved beyond shared - albeit di erently textured - traits such as distributed consensus, transaction transparency and party entity abstraction. Because the relevant focus has generally been on blockchain-based VCs, the issue is usually confronted by breaking the issue down to pieces of blockchain-embedded information as to determine whether they are private or public.

More speci cally, three aspects were deemed relevant in this regard: (a) privacy of identity or user-identity privacy : it relates to the concept of anonymity and it entails assessing the link to a real-world identity, drawing a parallel between \public and private keys" of Bitcoin-like virtual currencies and the concepts of \username and password" [ 4 ]; (b) privacy of transaction data/information: it is a mutable concept and relates to the fact that data is represented di erently in di erent blockchains, di erent aspects may be private from a third-party observer, di erent types of information can be private to di erent extents [ 4 ]; (c) privacy of the total blockchain state: di erent attributes of the total blockchain state can be private to di erent extents [ 4 ].

Moreover, two sets of elements - a) sharpened intelligence methods, and b) concerns expressed by crypto-privacy advocates - spawned the development of the so-called \privacy coins". The most popular examples may be Monero and Zcash; the underlying goal is to provide true anonymity by embedding privacy-enhancing mechanisms. The need for heightened anonymity was interestingly contextualized within the conceptual pursuit of true fungibility amongst VCs, a feature that could otherwise be tarnished by the immutability of relevant records [16]. Hence, unlike what happens on the Bitcoin blockchain, these secrecy-reinforced instruments do not keep unencrypted records of data such as wallet addresses and transactions amounts.

From a categorization perspective, three main methods have been identi ed to obfuscate nancial ows: (a) mixing/tumbling-based approaches ; (b) zero-knowledge based privacy ; (c) user best practices [63, 64, 65]. As far as embedded enhancements are concerned, Zcash reaches a high degree of privacy by making use of \zero-knowledge proofs" { namely, the Zero-Knowledge Succinct Non-Interactive Argument of Knowledge, or zk-SNARK {, whereas Monero is slightly less anonymous but implements more intensively tested techniques of ring signatures.

Interestingly enough, the \Zero Knowledge Proof" method, and the relevant possibility to preserve con dentiality on selected data (so-called \shielded" operations), was argued to pursue the union between two underlying objectives of many blockchains: to provide both user anonymity and transparency of operations [51]. As much as such a junction may seem counterintuitive and de nitely dangerous from an AML and illegal transactions perspective - not to mention radically challenging relevant legal and regulatory frameworks in the nancial transparency sphere, as previously mentioned -, its existence must be acknowledged and addressed.

Parallelly, Zcash o ers selective transparency of transactions and it was originally de ned as follows: \Bitcoin is like HTTP for money, Zcash is HTTPS". Besides, another cryptocurrency, DASH, might also be arguably labelled as a \privacy coin". As for non-blockchain-based currencies, the possibility of enhancing IOTA's privacy protocols notwithstanding its quantum resilient hash-based signatures is being closely investigated [54, 57].

These arguments show how there is in fact no binary - public vs. anonymous - solution, which highlights the need to apply a exible and structured legal reasoning while confronting the \anonymity set" of di erent blockchains. For instance, it can be argued that Monero's anonymity set is signi cantly larger than Bitcoin's [ 4 ]. In any case, a parallel assessment can be carried out as far as non-blockchain-based cryptocurrencies are concerned, where the analysis potentially holds signi cant di erences.17

On top of the possibility to enhance the degree of anonymity at an infrastructural level, relevant users were also found to resort to so-called "best practices". The latter entail the use of anonymizers, such as The Onion Router (TOR), proxies and VPNs, the Invisible Internet Protocol (I2P) or Dark Wallet to hide the origin of the transaction or employing a new address for every payment [37, 63]. Concurrently, in the wake of Silk Road's takedown, darknet markets themselves started deploying more sophisticated techniques to make it more di cult for authorities to e ectively intervene [45]. 7

A rst way to look at the relationship between VCs and money laundering is most empirical. ML is traditionally de ned as involving three di erent stages: a) placement : dirty money needs to be placed into the nancial system, if not already in it; b) layering : its illegal origin needs to be concealed through as many complex transactions as possible; c) integration: funds need to be integrated in the nancial system as cleaned. It is possible to analyze how crypto monetary instruments may be e ciently employed in all of these steps.

Namely, a crypto-based placement phase may be eased by the low-risk opportunity to rapidly open and access VC accounts, thereby pseudo-anonymously engaging in the relevant conversion and consolidation of illicit proceeds. Furthermore, the cross-border nature of these instruments facilitates layering across multiple exchanges, especially in the context of trade-based ML. As far as the integration stage is concerned, relevant risks are argued to expand in relation to the growing variety of goods that can be purchased with VCs; this phase is also aided by resorting to hardware wallets. The interconnection with unregulated and crypto-to-crypto traded ICOs further increases the overall risk; naturally, in fact, all these nancial hazards are seemingly more serious in the context of unregulated areas of the crypto ecosystems [35].

From a strict AML/CFT legal perspective, however, a further step is very signi cant; most notably, crypto mixing/tumbling services are a key element in this sphere, to the extent that the advent of Bitcoin mixing shaped the notion of "cryptocurrency laundering" or "cryptocleansing" from a conceptual standpoint [ 1 ].18 This privacy-enhancing technique leverages on the fungibility of VCs and consists of combining inputs and outputs of di erent transactions into a larger one, in order to sever the links between addresses of senders and recipients [63]. Hence, they make use of temporary false crypto wallet addresses to re-route transactions and obfuscate the traceability chain [36].

These services cannot only be found in the online world as embedded features of \privacy coins"; rather, other platforms o er them as-a-service, to the end of enabling users of lessanonymous VCs to obscure identi ability of tainted coins [63]. In recent times, a more advanced type of exchanges provide their services without requiring any login or veri cation [36]. 17With reference to IOTA: [57] 18Common mixing services providers: Bitmixer.io, SharedCoin, Blockchain.info, Bitcoin Laundery, Bitlaunder, Easycoin [32].

Furthermore, Fig.1 shows how it is concurrently possible to convert Bitcoins into less trackable altcoins via an AML/CFT unregulated crypto-to-crypto mixer after obtaining them via a regulated at-to-crypto exchange. Subsequently, anonymity-enhanced cryptocurrencies (AECs) may be used to buy illicit goods on the Dark Web, possibly through the deployment of user best practices and precautions such as resorting to the TOR browser or VPNs, using encrypted email services, setting up anonymous e-wallets, parceling out the total amount of owned cryptocurrencies to several di erent wallets.

Thus, studies have highlighted di erent phases of the so-called crypto-cleansing, which both state and non-state actors were deemed to engage into: (1) from at currency to primary VC (through a basic exchange via traditional bank accounts or by cash through VC ATMs); (2) mixing from primary coins to privacy-enhanced altcoins (through an advanced exchange); (3) layering tactics through multiple AECs, exchanges and addresses; (4) integration, withdrawing the cleansed funds from the crypto world, possibly through a hardware crypto wallet [36].

However, the money ow may actually go in the opposite direction as well, and this is another idea behind virtual-to-virtual layering schemes, that are unfortunately getting a foothold in recent years [28].

Recent years have shown how blockchain space and legal order feature numerous interconnections, as well as how the transformative character of DLTs causes signi cant and extensive points of friction with incumbent legal systems. As far as the payment sphere is concerned, e orts are being expended to encourage evolution while trying to mitigate the risk of destabilizing the banking and nancial sector. State-of-the-art legal instruments to safeguard the latter transparency-wise, in fact, empirically emerge as challenged by transformations brought about by crypto tools; this research paper highlighted how some technical features that are praised functionality-wise give rise to thoroughly unpleasant scenarios.

Arguably, the feasibility of anonymity-enhanced ecosystems complying with state-of-theart AML/CFT regulations appears as rather weak. Recent FATF guidelines on how to apply relevant Recommendations may be referred to as a prime example of this. Furthermore, it is to be noted that the same organization has called for participating jurisdictions to forbid VASPs from engaging in activities that involve anonymity-enhancing technologies if unable to manage and mitigate relevant risks [28], which means their so-called "obligation to abstain" from undertaking the operation is triggered.

At the same time, inherent features of the IoM seem to ideologically mismatch legal objectives aiming at anticipating changes in criminal activities [27], giving rise to major controversies. It was argued that AML/KYC requirements could go to the detriment of opportunities o ered to the unbanked or non-traditional investors [66].

Concurrently, while the current AML/CFT framework relies on the \active cooperation" of the so-called \obliged entities", the IoM is de nitely developing beyond gateways and gatekeepers. Relevant transfers do not always involve regulated third parties or bene ciaries, and recent regulatory e orts have targeted not only VAs that are convertible to at money but also VAs that are convertible to another VA [28, 49]. The actual role and accountability attached to entities included in the scope of the 5th AML Directive, together with the e ectiveness of this choice, need further scrutiny.19 Consistently, scholars and authorities have started discussing the actual feasibility of forcing the crypto-world into a system of \approved parties" [49].

In any case, even if we try to abide by the traditional principles informing the AML/CFT framework(s) and especially when we take into consideration the recent FATF RBA guidelines, it seems pivotal to understand what may be the best prospective regulatory approaches to crypto-to-crypto mixers and advanced exchanges. These platforms, in fact, seemingly pose the most signi cant money laundering and terrorist nancing risks; even though they have the possibility to access their own trades and wallets balances, however, imposing any speci c regulatory burden on them would likely involve huge jurisdiction-wise controversies [36]. 9

When assessing the inherent (in)compatibility between current approaches and changes set forth by blockchain-based payment and its most recent transparency and privacy-wise evolutions, it seems desirable to take into account the need for legislative actions to focus on individual cases rather than merely being technology-based. Due to the diversity of DLT-based or even blockchain-based utilities, in fact, it was noted that legal e orts ought to be grounded on the concrete function of each speci c tool. On a parallel level, it is worth mentioning that all crypto-related open questions actually relate to a broader issue: the very same role and nature of regulation in the Internet landscape has always been far from straightforward [41].

More speci cally, however, scholars have identi ed three categories blockchain-based implementations may belong to with respect to their legal impacts: (a) recycle box; (b) dark box; (c) sandbox [45]. The rst set of instruments are usually implemented by AML/CFT-regulated actors and are overall compatible with existing legal frameworks, hence requiring only minor 19It is also interesting to resort to blockchain analytic service providers to validate source of wealth and obtain a risk rating when performing Enhanced CDD [49]. adaptations;20 at the opposite side, the dark box category features use cases whose objectives are fundamentally illegal.21 In between, a set of transformative innovations defy existing legal schemes because compliance would destroy the speci c implementation; their objective is not illegal, but they involve risks that ought to be regulated.22 Consistently, regulatory sandbox for blockchain was argued to call for four distinctive features: global reach, cross-sectoral exibility, start-up friendly operating structure, use of case-tailored parameter-setting practices [45]. This categorization may provide a useful tool to apply the case-based legislation approach in a sensitive manner. The comprehensive or piecemeal outlawing option is also to be taken into account, as well as critics underlining that the only way to perform it would be to shut down the Internet altogether.

With reference to innovative legal approaches, it seems advisable to carry out a comprehensive analysis of the underlying ratio behind the EBA's idea of creating a \scheme governance authority". This entity would ensure accountability to regulators and supervisors; its setup would be mandatory for VC schemes wishing to be regulated as a nancial service and interact with regulated nancial services [23]. The idea might be contextualized within the broader discussion on self-regulation, co-regulation and code-based regulation as ways to provide appropriate domain-speci c legal solutions to the Internet sphere [41]. Nonetheless, as compliance with such a requirement could challenge the very same existence and conceptual origin of VCs, as well as it could run the risk of destroying the whole structure, compatibility needs to be carefully assessed. The bedrock of the "regulation-through-code" reasoning, which makes it potentially relevant to the IoM landscape, is that assessed tools belong to the cyberspace landscape, which was argued to be a realm where code complements or even substitutes law from a normative order standpoint [40].

Consistently, a similar review should target the feasibility, advantages and disadvantages of involving cryptocurrency users and market participants in AML/CFT compliance, to the end of mitigating relevant risks by establishing themselves as governance authorities [25, 42].

All in all, the analysis at hand is de nitively aiming at a moving target. This element cannot be overlooked and was convincingly argued to cause the so-called "risk of over tting", i.e. the risk that rules may be technologically outdated when they enter into force. The actual dangers daunting the crypto world, in fact, largely relate to the speci c use criminals make of virtual currencies, which in turns empirically depends on their ever-evolving anonymity features, relevant degrees of blockchain-embedded privacy, and on regulation and law enforcement strategies [27, 49, 40]. On an additional but parallel level, the same concept of "legal over tting" may give rise to thoroughly ine cient rules if they were to be too speci cally tailored to the needs of individual cases to be foreseeably applied to ever-evolving technologies. Thus, (too speci c) case-based legislation may be burdened by its own set of risks.

As a nal note, since the nancial sector has arguably been the rst area of systematic application of BTs [40], focusing on the anonymity and transparency aspects of the IoM and cryptocurrencies may provide impactful legislative and regulatory insights also with broader reference to the so-called \Blockchain 2.0" implementations such as smart contracts and blockchainbased organizations. The broader framework of such disruption relates to how BT, among other ideas, was argued to be structurally informing the so-called \Internet 3.0" phase [16].

20For instance, blockchain-based interbank settlement systems such as the Ripple network and the so-called \blockchain banking" [45].

21Such as the abovementioned online drugs or weapons markets, human tra cking, money laundering, terrorist nancing, tax evasion, etc [45].

22For instance because they bypass regulated entities, such as in the DAO case [45].

AEC AML

BT CDD CTF DLT EBA EC

EU FATF

I2P IoM IoT IoV KYC

ML OSINT

RBA STR TOR VA

VC VASP

Anonymity-Enhanced Cryptocurrency

Anti-Money Laundering Blockchain Technology

Customer Due Diligence

Counter-Terrorist Financing Distributed Ledger Technology European Banking Authority

European Commission

European Union Financial Action Task Force

Invisible Internet Project

Internet of Money Internet of Things Internet of Value(s) Know Your Customer

Money Laundering Open-Source Intelligence

Risk-Based Approach Suspicious Transaction Report

The Onion Router

Virtual Asset

Virtual Currency

Virtual Asset Service Provider [8] Arner, W.D, Zetsche, D.A., Buckley, R.P., Barberis, J.N. (2019):The Identity Challenge in Finance: From Analogue Identity to Digitized Identi cation to Digital KYC Utilities. European Business Organization Law Review. Asser Press. [9] Arun, J.S., Cuomo, J., Gaur N. (2019): Blockchain for business. Discover how blockchain networks are transforming companies, driving growth, and creating new business models. Pearson Education. [10] Athanassiou P.L. (2019): Tokens and the Regulation of Distributed Ledger Technologies: Where Europe Stood in the Last Quarter of 2018. Journal of International Banking Law and Regulation, Volume 34, Issue 3, pgg. 105-114. Thomson Reuters and Contributors [11] Avgouleas, E., Chiu, I.H-Y., Schammo, P. (2019): Editorial. European Business Organization Law

Review. Asser Press. [12] Bambara J.J., Allen P.R. (2018): Blockchain. A practical guide to developing business, law, and technology solutions. McGraw Hill Education [13] Barone, R., Masciandaro, D. (2019): Cryptocurrency or usury? Crime and alternative money laundering techniques. European Journal of Law and Economics. Springer [14] Bartoletti, M., Carta, S., Cimoli, T., Saia, R. (2019): Dissecting Ponzi schemes on Ethereum: identi cation, analysis, and impact. Future Generation Computer System.

Retrieved from: https://arxiv.org/pdf/1703.03779.pdf [15] Casey, M., Crane, J., Gensler, G., Johnson, S., Narula, N. (2018): The Impact of Blockchain Technology on Finance: A Catalyst for Change. International Center for Monetary and Banking Studies. [16] Casey, M.J., Vigna P. (2018): The Truth Machine: the Blockchain and the Future of Everything.

St. Martin's Press. [17] Chen, W., Zheng, Z., Ngai, E.C., Zheng, P., Zhou, Y. (2019): Exploiting Blockchain Data to Detect Smart Ponzi Schemes on Ethereum. IEEE Access.

Retrieved from: https://www.semanticscholar.org [18] Danzmann, M. (2019): Why State Currencies Will Not Be Replaced by Cryptocurrencies. Journal of International Banking Law and Regulation, Volume 34, Issue 8, pgg. 272-278. Thomson Reuters and Contributors. [19] Dion-Schwarz, C., Manheim, D., Johnston, P.B. (2019): Terrorist Use of Cryptocurrencies. Technical and Organizational Barriers and Future Threats. Rand Corporation.

Retrieved from: https://www.rand.org/ [20] Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the nancial system for the purposes of money laundering or terrorist nancing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC [21] Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the nancial system for the purposes of money laundering or terrorist nancing, and amending Directives 2009/138/EC and 2013/36/EU [22] Dupont, J., Squicciarini, A.C. (2015): Towards De-Anonymizing Bitcoin by Mapping Users Location. Retrieved from: https://dl.acm.org/citation.cfm?id=2699128 [23] European Banking Authority (July 2014): EBA Opinion on \Virtual Currencies".

Retrieved from: https://eba.europa.eu [24] European Banking Authority (January 2019): Report with advice for the European Commission on crypto-assets. Retrieved from: https://eba.europa.eu [25] European Parliament (July 2018): Cryptocurrencies and blockchain. Legal context and implications for nancial crime, money laundering and tax evasion.

Retrieved from: http://www.europarl.europa.eu [26] European Securities and Market Authority (January 2019): Advice. Initial Coin O erings and

Crypto-Assets. Retrieved from: https://www.esma.europa.eu [27] Europol (2019): Do criminals dream of electric sheep? How technology shapes the future of crime and law enforcement. European Union Agency for Law Enforcement Cooperation.

Retrieved from: https://www.europol.europa.eu [28] FATF (June 2019): Guidance for a Risk-Based Approach: Virtual Assets and Virtual Asset Service

Providers. Retrieved from: https://www.fatf-ga .org [29] FATF (June 2015): Guidance for a Risk-Based Approach: Virtual Currencies.

Retrieved from: https://www.fatf-ga .org [30] FATF (rev. June 2019): International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation. The FATF Recommendations.

Retrieved from: http://www.fatf-ga .org [31] FATF (June 2019): Public Statement on Virtual Assets and Related Providers.

Retrieved from: http://www.fatf-ga .org [32] FATF (June 2014): Virtual Currencies: Key De nitions and Potential AML/CFT Risks. Retrieved from: https://www.fatf-ga .org [33] Fleder, M., Kester, M.S., Pillai, S.U. (2015): Bitcoin Transaction Graph Analysis.

Retrieved from: https://arxiv.org/pdf/1502.01657.pdf [34] Fradera, F. (2018): Conference Report on `Digital Revolution: Data Protection, Arti cial Intelligence, Smart Products, Blockchain Technology and Virtual Currencies. Challenges for Law in Practice'. European Review of Private Law, 5-2018: 707-712. [35] French, T., Stettner, B. (2019): Anti-Money Laundering Regulation of Cryptocurrency: U.S. and Global Approaches. The International Comparative Legal Guide to: Anti-Money Laundering 2019.

Allen Overy. Retrieved from: https://www.allenovery.com [36] Fruth, J. (2018): Crypto-cleansing: strategies to ght digital money laundering and sanctions evasion. Financial Regulatory Forum. Reuters. Retrieved from: https://www.reuters.com [37] Furneaux, N. (2018): Investigating Cryptocurrencies. Understanding, extracting, and analyzing blockchain evidence. Wiley. [38] Girasa, R. (2018): Regulation of cryptocurrencies and blockchain technologies. National and international perspectives. Palgrave Studies in Financial Services Technology. Palgrave Macmillan. [39] Giuliano, M. (2018): La Blockchain e gli Smart Contracts nell'innovazione del diritto nel terzo millennio". Il diritto dell'informazione e dell'informatica. Year XXXIV, n. 6, pgg. 989-1039. Giu re [40] Hacker, P., Lianos, I., Dimitropoulos, G., Eich, S. (2019): Regulating Blockchain: Techno-Social and Legal Challenges { An introduction. Forthcoming. Oxford University Press.

Retrieved from: https://papers.ssrn.com [41] Herian, R. (2019): Regulating Blockchain: Critical Perspectives in Law and Technology. Routledge. [42] Hofert, E. (2019): Regulating Virtual Currencies: Shortcomings of the EU Framework. Computer

Law Review International. 1:2019 pgg. 10-15. OttoSchmidt [43] Lischke, M., Fabian, B. (2016): Analyzing the Bitcoin Network: the First Four Years. Future

Internet. MDPI. Retrieved from: https://www.semanticscholar.org [44] Lopp, J. (2019): How Will Facebook's Libra \Blockchain" Really Work? One Zero. Medium.com.

Retrieved from: https://onezero.medium.com [45] Maupin, J.A. (2017): Mapping the Global Legal Landscape of Blockchain and other Distributed Ledger Technologies. Forthcoming in CIGI Academic Paper Series. Retrieved from: https://papers.ssrn.com [46] Moslein, F. (2018): Con icts of Laws and Codes: De ning the Boundaries of Digital Jurisdictions.

Retrieved from: https://papers.ssrn.com [47] Neudecker, T., Hartenstein, H. (2017): Could Network Information Facilitate Address Clustering in Bitcoin? Retrieved from: https://fc17.ifca.ai [48] Ober, M., Katzenbeisser, S., Hamacher, K. (2013): Structure and Anonymity of the Bitcoin

Transaction Graph. Retrieved from: https://www.mdpi.com/1999-5903/5/2/237/htm [49] Paesano, F. (2019): Working Paper 28. Regulating cryptocurrencies: challenges considerations.

Basel Institute on Governance. Retrieved from: https://www.baselgovernance.org [50] Perugini, M.L., Spada, M.C. (2018): Distributed Ledger Technologies e Sistemi di Blockchain.

Diritto dell'Informatica e delle Nuove Tecnologie. DirICTo. Cendon / Book. Key Editore. [51] Quiniou, M. (2019): The Advent of Disintermediation. ISTE and Wiley. [52] Rahmatian, A. (2019): Electronic Money and Cryptocurrencies (Bitcoin): Suggestions for De nitions. Journal of International Banking Law and Regulation, Volume 34, Issue 3, pgg. 115-121.

Thomson Reuters and Contributors. [53] Reid, F., Harrigan, M. (2012): An Analysis of Anonymity in the Bitcoin System.

Retrieved from: https://arxiv.org/pdf/1107.4524.pdf [54] Sarfraz, U., Alam, M.M., Zeadally, S., Khan, A. (2018): Privacy Aware IOTA Ledger: Decentralized Mixing and Unlinkable IOTA Transactions. Computer Networks.

Abstract retrieved from: https://www.researchgate.net [55] Sarzana di S. Ippolito, F., Nicotra, M. (2018): Diritto della Blockchain, Intelligenza Arti ciale e

IoT. Wolters Kluwer [56] Sotiropulou, A., Ligot S. (2019): Legal Challenges of Cryptocurrencies: Isn't It Time to Regulate the Intermediaries? European Company and Financial Law Review 5/2019: 652-675. [57] Tennant, L. (2017): Improving the Anonymity of the IOTA Cryptocurrency.

Retrieved from: https://laurencetennant.com/papers/anonymity-iota.pdf [58] The Cryptocurrency Consultant (2019): Crypto Forensics. How the Blockchain convicts criminals.

The Startup. Medium.com. Retrieved from: https://medium.com [59] The Cryptocurrency Consultant (2019): What is the Internet of Values? A story of the Web 3.0 and cryptocurrencies. The Startup. Medium.com. Retrieved from: https://medium.com [60] The Cryptocurrency Consultant (2019): Analyzing Money Laundering on the Bitcoin Blockchain.

The Startup. Medium.com. Retrieved from: https://medium.com [61] The Law Society (2017): \Blockchain: The Legal Implications of Distributed Systems". Horizon

Scanning. [62] Yermack, D. (2017): Corporate Governance and Blockchains. Oxford Review of Finance, 2017: 7-31. [63] Yi, S., Zhang, Y. (2018): Privacy in Cryptocurrencies: An Overview. Medium.com. Retrieved from: https://medium.com [64] Yi, S., Zhang, Y. (2018): Privacy in Cryptocurrencies: Mixing-based Approaches. Medium.com.

Retrieved from: https://medium.com [65] Yi, S., Zhang, Y. (2019): Privacy in Cryptocurrencies: Zero-Knowledge and zk-SNARKs.

Medium.com. Retrieved from: https://medium.com [66] Wachsman (2019): Answering One of Blockchain's Biggest Questions: Anonymity or

Pseudonymity? Medium.com. Retrieved from: https://medium.com [67] Wang, H., Ma, S., Dai, H.N., Imran, M., Wang, T. (2019): Blockchain-based data privacy management with Nudge theory in open banking. Future Generation Computer Systems.

Retrieved from: https://doi.org/10.1016/j.future.2019.09.010 [68] Weber, M., Domeniconi, G., Chen, J., Weidele, D.K.I., Bellei, C., Robinson, T., Leiserson, C. (2019): Anti-Money Laundering in Bitcoin: Experimenting with Graph Convolutional Networks for Financial Forensics. KDD '19 Workshop on Anomaly Detection in Finance. Retrieved from: https://arxiv.org/pdf/1908.02591.pdf [69] Zetzsche, D.A., Buckley R.P., Arner D.W.: The Distributed Liability of Distributed Ledgers: Legal Risks of Blockchain. University of New South Wales Law Research Series. Retrieved from: http://www5.austlii.edu.au