
How Stolen ACH is converted to Crypto

  • Writer: echoudhury77
  • 6 minutes ago
  • 2 min read

The intersection of traditional banking and decentralized finance has created a high-speed "laundromat" for cybercriminals. One of the most prevalent schemes today involves the conversion of stolen ACH (Automated Clearing House) funds into cryptocurrency—a process designed to turn reversible bank transfers into irreversible digital assets.


Here is a breakdown of how this pipeline operates and what is being done to stop it.


1. The Breach: Harvesting ACH Credentials

The process begins with the theft of banking details. Criminals don't just want your password; they need your routing and account numbers. In 2026, this is typically achieved through:

  • Business Email Compromise (BEC): Impersonating vendors or executives to redirect legitimate B2B payments.

  • Phishing & Infostealers: Using malware to capture keystrokes or steal session tokens; a stolen session token lets the attacker reuse an already-authenticated session, sidestepping traditional multi-factor authentication (MFA).

  • Synthetic Identity Fraud: Creating "Frankenstein" identities to open new accounts that act as temporary holding pens for stolen funds.


2. The Conversion: From Fiat to Crypto

Once the hackers have control, the goal is speed. The ACH network has a critical "reversal window," so the thief must move the money before the victim or the bank flags the fraud.

  1. The "Mule" Account: Stolen funds are often moved from the victim’s bank to a "money mule" account—a secondary bank account owned by a seemingly innocent person or a shell company.

  2. The Ramp-Up: From the mule account, the criminal initiates a transfer to a Centralized Exchange (CEX) or a P2P (Peer-to-Peer) marketplace.

  3. The Instant Buy: As soon as the ACH credit hits the exchange, the criminal buys a highly liquid or privacy-focused asset (like Bitcoin, Ethereum, or Monero).


3. Obfuscation: Hiding the Trail

Once the funds are in crypto, the "chain of custody" becomes much harder for traditional banks to follow. To break the link further, criminals use:

  • Peel Chains: Sending small amounts of crypto through hundreds of different wallets in a rapid-fire sequence.

  • Bridges: Moving assets from one blockchain to another (e.g., Ethereum to Solana) to complicate cross-chain tracing.

  • Mixers (though decreasing): While services like Tornado Cash have faced heavy sanctions, decentralized "swapping" services are often used to achieve similar results.


4. The 2026 Defense: New NACHA Rules

The tide is turning. As of March 20, 2026, the NACHA Operating Rules have been updated with a "holistic" approach to fraud.

  • Monitoring "False Pretenses": For the first time, banks are required to monitor not just unauthorized logins, but also "authorized" transfers made under false pretenses (like being tricked by a fake vendor).

  • RDFI Responsibility: Receiving banks (the ones getting the stolen money) are now mandated to monitor incoming credits for signs of mule activity, such as a sudden high-dollar deposit into a dormant account.

  • Standardized Labels: Transactions must now use specific descriptors like PAYROLL or PURCHASE, making it easier for AI-driven systems to spot an "out-of-character" ACH transfer.
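The RDFI-side monitoring described above, worked through as an added example (not code from the original post or from NACHA): each incoming credit is scored against the mule indicators the rules call out, a high-dollar deposit into a dormant account, an amount out of character for the account, a descriptor never seen on it before, and funds forwarded out again inside the reversal window. The thresholds, the `AchCredit` record and the sample credits are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Thresholds are assumptions for illustration, not figures from the NACHA rules.
DORMANT_DAYS = 180          # no activity for this long => account treated as dormant
HIGH_DOLLAR = 10_000.00     # credit size that matters when it lands in a dormant account
OUT_OF_CHARACTER_RATIO = 5  # credit >= 5x the account's 90-day average incoming credit
FAST_FORWARD_HOURS = 24     # funds leaving again while the ACH reversal window is open

@dataclass(frozen=True)
class AchCredit:
    account_id: str
    amount: float
    descriptor: str                    # standardized entry description, e.g. PAYROLL
    posted: date
    last_activity: date                # last posted activity before this credit
    avg_credit_90d: float              # average incoming credit over prior 90 days (0 if none)
    prior_descriptors: FrozenSet[str]  # descriptors previously seen on this account
    outbound_within_hours: Optional[float] = None  # hours until funds left again, if known

def mule_indicators(tx: AchCredit) -> List[str]:
    """Return the mule-activity indicators an RDFI would raise for one incoming credit."""
    flags: List[str] = []
    dormant = (tx.posted - tx.last_activity).days >= DORMANT_DAYS
    if dormant and tx.amount >= HIGH_DOLLAR:
        flags.append("high-dollar credit into dormant account")
    if tx.avg_credit_90d > 0 and tx.amount >= OUT_OF_CHARACTER_RATIO * tx.avg_credit_90d:
        flags.append("amount out of character for this account")
    if tx.descriptor not in tx.prior_descriptors:
        flags.append(f"first {tx.descriptor} credit ever seen on this account")
    if tx.outbound_within_hours is not None and tx.outbound_within_hours <= FAST_FORWARD_HOURS:
        flags.append("funds forwarded out again inside the reversal window")
    return flags

def disposition(tx: AchCredit) -> str:
    """Map the indicator count to an action: clear, send to analyst review, or hold the credit."""
    n = len(mule_indicators(tx))
    return "hold" if n >= 2 else "review" if n == 1 else "clear"

# Constructed sample credits (not real transactions): a likely mule, a routine payroll,
# and an established account receiving an unusually large but plausible purchase payment.
SAMPLE_CREDITS = [
    AchCredit("acct-001", 24_500.00, "PURCHASE", date(2026, 3, 25), date(2025, 6, 1),
              0.0, frozenset(), outbound_within_hours=3),
    AchCredit("acct-002", 2_400.00, "PAYROLL", date(2026, 3, 25), date(2026, 3, 11),
              2_350.00, frozenset({"PAYROLL"})),
    AchCredit("acct-003", 9_000.00, "PURCHASE", date(2026, 3, 25), date(2026, 3, 20),
              1_500.00, frozenset({"PURCHASE"})),
]

if __name__ == "__main__":
    for tx in SAMPLE_CREDITS:
        print(tx.account_id, disposition(tx), mule_indicators(tx))
```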

Pro-Tip for Businesses: Implement a "dual-control" system. Never change ACH payment instructions based solely on an email; always verify the change through a secondary, trusted communication channel like a known phone number.
