THE DARK SIDE OF CASH APP: BLOCK'S SYSTEMATIC FAILURES IN AML AND FRAUD PROTECTION
On April 10, 2025, the New York State Department of Financial Services (NYDFS) imposed a $40 million penalty on Block, Inc. (formerly known as Square) for significant violations of anti-money laundering (AML) regulations and consumer protection laws related to its Cash App platform (New York State Department of Financial Services [NYDFS], 2025). The consent order highlighted how Block's rapid growth outpaced its compliance infrastructure, creating vulnerabilities in its ability to effectively monitor and report suspicious transactions. As a law enforcement investigator who has witnessed Cash App's increasing presence in criminal investigations, the findings in this consent order confirm what many in the field have observed: Cash App has become a significant conduit for illicit financial activities due to multiple systemic compliance failures.
Background on Block and Cash App
Block, Inc., a publicly-traded financial services and technologies company with $21.91 billion in revenue in 2023, has been licensed to operate money transmission services in New York State since 2013. In June 2018, the Department issued Block a BitLicense, permitting it to conduct Virtual Currency Business Activity, which enabled Bitcoin transactions through its Cash App platform (NYDFS, 2025).
Cash App is a peer-to-peer money transmission service that allows users to send and receive fiat currency and, since 2018, Bitcoin (NYDFS, 2025). With over 50 million consumers using Cash App to spend, send, store, and invest money as of early 2025 (Conference of State Bank Supervisors [CSBS], 2025), it has become one of the most widely used payment platforms in the United States. However, this popularity has also made it attractive to criminal actors seeking to exploit weaknesses in its compliance systems.
Serious AML Program Deficiencies
The NYDFS investigation uncovered multiple significant deficiencies in Block's Bank Secrecy Act/Anti-Money Laundering program. According to the consent order, "the MT Exam and the VC Exam, as well as the subsequent enforcement investigation, identified serious compliance deficiencies with respect to Block's Bank Secrecy Act/Anti-Money Laundering program. These failures include insufficient Know-Your-Customer and transaction monitoring processes, and a backlog of Suspicious Activity Reports during 2018-2021, which together created a high-risk environment vulnerable to exploitation by criminal actors" (NYDFS, 2025, p. 2).
Transaction Monitoring and SAR Filing Failures
One of the most alarming findings was Block's significant backlog in processing transaction monitoring alerts and filing Suspicious Activity Reports (SARs). Between 2018 and 2021, Block accumulated a transaction monitoring backlog that grew from approximately 18,000 alerts in 2018 to over 169,000 by 2020. This extensive backlog was caused by Block's inability to predict the impact of Cash App's growing customer base on alert volumes and staffing needs (NYDFS, 2025, p. 6).
A review conducted by the Department revealed that between February 2021 and September 2022, SARs for both Bitcoin and fiat transactions were at times filed over a year after the alerts were first generated. The average number of days between the date of the transaction monitoring alert and the SAR filing was 129 days (NYDFS, 2025, p. 7). This significant delay meant potential criminal activity could continue unimpeded while awaiting review.
Cryptocurrency Monitoring Deficiencies
The investigation uncovered particularly concerning deficiencies in Block's monitoring of cryptocurrency transactions. Block utilized information from two vendors to block and alert transactions with exposure to terrorism-associated wallets. However, Block's system did not generate alerts on Bitcoin transactions until the recipient's wallet had more than 1% exposure to terrorism-connected wallets, and Block did not automatically block transactions to wallets with exposure to terrorism-connected wallets until the exposure exceeded 10% (NYDFS, 2025, p. 7).
This approach created a significant vulnerability as any amount of funds transferred to terrorism-connected wallets is illegal, and setting threshold alerts above 0% without a risk-based analysis falls short of regulatory requirements (NYDFS, 2025, p. 8).
The Department also determined that existing service providers and employees were not subject to subsequent screening against updated OFAC sanctions listings. In 2021, Block reported fifteen rejected Bitcoin transactions late with OFAC during the examination period. Further, prior to 2023, Block did not conduct OFAC screening for restricted accounts (NYDFS, 2025, p. 8).
Mixer Transactions Improperly Rated
A particularly troubling finding from a law enforcement perspective was Block's inadequate monitoring of cryptocurrency mixer transactions. Cryptocurrency mixers, often referred to as tumblers, are designed to enhance privacy by mingling coins from various sources to disguise their origin and destination (IDNow, 2024). While these services have legitimate uses for privacy, they are also frequently exploited for illicit purposes.
Mixers are used by criminals to obscure the trail of their funds, making detection incredibly challenging. The untraceable and anonymous features make them highly susceptible to abuse by criminal and sanctioned actors, posing a threat to national security (IDNow, 2024).
Despite NYDFS guidance identifying mixers as a high-risk typology, Block risk-rated transactions identified as having exposure to mixers as "medium" risk, rather than the "high" risk rating that would be appropriate given their potential for abuse (NYDFS, 2025, p. 9).
KYC Failures and Account Abuse
The NYDFS investigation also revealed critical weaknesses in Block's Know-Your-Customer (KYC) and Customer Due Diligence (CDD) processes. Block did not have a formal KYC refresh process to identify changes to a customer's initial KYC information. More troublingly, customers opened multiple accounts using different email addresses and phone numbers, thereby bypassing the transaction limits Block places on certain accounts or individuals (NYDFS, 2025, pp. 9-10).
Of particular concern was Block's oversight of Cash App "restricted" accounts that are only permitted to transact in fiat under a certain limit and do not require the customer to pass full Identity Verification. Block did not prohibit opening of restricted Cash App accounts that shared attributes such as an email, phone number, device, and/or financial instrument with customers that were denylisted for being the subject of a SAR. This allowed bad actors to re-enter Block's platform (NYDFS, 2025, p. 10).
The scale of this problem is illustrated by a shocking example from the consent order: a SAR was filed for $1.6 million with 91 subjects that were holders of 16,811 accounts with 19,518 transactions (NYDFS, 2025, p. 10).
In an even more alarming case, as part of a 2022 internal investigation, Block self-identified over 8,000 accounts linked to a Russian criminal network. The approximately 25-30 subjects involved were able to open 8,359 Cash App accounts using falsified information, auto-generated email addresses and phone numbers before the conduct was detected by Block (NYDFS, 2025, p. 10).
Prior Regulatory Actions
The April 2025 consent order represents the culmination of a series of regulatory actions against Block regarding Cash App's compliance deficiencies. Earlier in 2025, Block paid $80 million to settle similar allegations with 48 other state financial regulators (TRON Weekly, 2025).
Under BSA/AML rules, financial services firms are required to perform due diligence on customers, including verifying customer identities, reporting suspicious activity, and applying appropriate controls for high-risk accounts. State regulators found Block was not in compliance with certain requirements, creating the potential that its services could be used to support money laundering, terrorism financing, or other illegal activities (CSBS, 2025).
Additionally, in February 2024, whistleblowers alleged that Cash App had "no effective procedure" to establish the true identity of customers between 2016 and 2022, describing "a shadow financial system beyond the reach of regulators" where due diligence on Cash App's users was negligible (NBC News, 2024).
Law Enforcement Perspective
As a law enforcement investigator, these findings align with what many of us have observed in criminal investigations across the country. Cash App has increasingly appeared as a financial conduit in various criminal schemes due to its ease of use, rapid growth, and inadequate compliance controls.
The Secret Service has noted a significant increase in fraud occurring through payment apps like Cash App, with criminals exploiting these platforms for money laundering (CNBC, 2020). Criminals frequently utilize these apps to move funds between accounts quickly, making transactions difficult to trace.
Cash App's popularity has made it a target for numerous scams, including cash-flipping schemes, fake payment scams, and fraudulent investment opportunities, particularly involving cryptocurrency (CNBC, 2023). These schemes have become increasingly prevalent in criminal investigations.
The cryptocurrency functionality of Cash App has been particularly problematic from a law enforcement perspective. Criminals use Bitcoin transactions through platforms like Cash App and then utilize mixers to distance themselves from their illicit funds, enabling activities such as money laundering, financing terrorism, and evading sanctions (IDNow, 2024). Block's failure to properly risk-rate and monitor these types of transactions has hampered efforts to detect and prevent such activities.
Conclusions: Implications for Future Compliance
The $40 million penalty and requirement for Block to engage an independent monitor highlight the seriousness of these violations. Adrienne A. Harris, Superintendent of NYDFS, emphasized that "all financial institutions, whether traditional financial services companies or emerging cryptocurrency platforms, must adhere to rigorous standards that protect consumers and the integrity of the financial system" (PYMNTS, 2025).
This consent order serves as a significant warning to financial technology companies that rapid growth cannot come at the expense of regulatory compliance. The findings demonstrate how inadequate compliance systems can create vulnerabilities that are exploited by criminal actors, and the consequences—both financial and reputational—that can result.
The remediation required by the consent order includes appointing an independent monitor to oversee Block's compliance activities for a period of twelve months (NYDFS, 2025). This oversight, combined with Block's commitment to enhanced controls, may help address the vulnerabilities that have made Cash App a preferred platform for certain criminal activities.
As investigators, we must remain vigilant about the use of payment apps and cryptocurrency services in criminal schemes. The systemic deficiencies identified in Block's compliance programs suggest that we can expect to continue seeing Cash App appear in investigations of money laundering, fraud, and other financial crimes until these issues are fully addressed.
References
Conference of State Bank Supervisors. (2025, January 15). State regulators issue $80 million penalty to Block, Inc., Cash App for BSA/AML violations. https://www.csbs.org/newsroom/state-regulators-issue-80-million-penalty-block-inc-cash-app-bsaaml-violations
CNBC. (2020, November 18). Criminals launder coronavirus relief money, exploit victims through popular apps. https://www.cnbc.com/2020/11/18/criminals-launder-coronavirus-relief-money-exploit-victims-through-popular-apps.html
CNBC. (2023, March 24). Report claims 'criminal activity and fraud run rampant' on Cash App—what users need to know. https://www.cnbc.com/2023/03/24/report-alleges-cash-app-fraud.html
IDNow. (2024, October 14). Crypto mixer money laundering: Is the risk worth the reward? https://www.idnow.io/blog/crypto-mixer-money-laundering-risk-reward/
NBC News. (2024, February 16). Federal regulators are probing whether Cash App leaves door open to money launderers, terrorists. https://www.nbcnews.com/business/personal-finance/whistleblowers-cash-app-leaves-door-open-money-laundering-terror-rcna138958
New York State Department of Financial Services. (2025, April 10). Consent order in the matter of Block, Inc. and Block of Delaware.
PYMNTS. (2025, April 10). Block fined $40 million for Cash App's anti-money laundering failures. https://www.pymnts.com/aml/2025/block-fined-40-million-for-cash-apps-anti-money-laundering-failures/
TRON Weekly. (2025, April 10). New York regulators impose $40 million fine on Block, Inc. for Cash App violations. https://www.tronweekly.com/regulator-fine-blockinc-cash-app-violations/