South Korea’s leading cryptocurrency exchange Bithumb has imposed an immediate, blanket block on all virtual asset deposits and withdrawals involving overseas payment platform Heleket, effective today, citing suspected involvement in money laundering and terrorism financing.
The move comes as international blockchain intelligence confirms Heleket is almost certainly a rebranded successor to Cryptomus, a Russia-linked payment processor that received a record-breaking $177 million AML penalty from Canadian regulators last year.
The notice, issued by Bithumb directly to its users this morning, states:
“As the overseas payment platform Heleket is suspected of being involved in illegal activities such as money laundering and financing of terrorism, Bithumb plans to restrict deposits and withdrawals to comply with Anti-Money Laundering laws and protect customer assets.”
The transaction blocking covers all virtual asset deposit and withdrawal transactions with Heleket, with immediate effect. Bithumb cited compliance with the Act on Reporting and Use of Specific Financial Information and the Virtual Asset User Protection Act—specifically Article 17, Paragraph 4 of the Enforcement Decree—as the legal basis for the restriction.
Who Is Heleket—and Why It Matters
Heleket is not a name that most crypto users would recognize. That anonymity is, according to blockchain intelligence firm TRM Labs, entirely by design.
TRM assesses with high confidence that Cryptomus and Heleket—two payment processors that enable the purchase of goods and services with cryptocurrency, in addition to operating as exchange services—are operationally linked, based on shared infrastructure, branding, personnel overlap, liquidity sourcing, and coordinated on-chain activity.
Heleket was likely developed by the administrators or affiliates of Cryptomus in order to continue laundering crypto at scale, including to facilitate sanctions evasion.
The origin story begins with a Canadian regulatory action. In October 2025, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) issued a record-breaking penalty of almost CAD 177 million against Cryptomus, a Russia-linked cryptocurrency payment processor and exchange, for multiple violations of money laundering and terrorist financing legislation. Cryptomus implemented mandatory KYC controls in February 2025, prior to the penalty, causing disquiet amongst its user base and a subsequent reduction in volumes—with on-chain volume dropping from $153 million in January 2025 to $86 million in March.
Their likely solution to increased regulatory scrutiny, as determined through TRM analysis of on-chain and open-source data, was to set up an alternate service that would offer the same services to the same user base—without comprehensive KYC controls—under the name Heleket.
What TRM Labs Found On-Chain
The intelligence behind Bithumb’s decision is not speculative. TRM Labs published a detailed technical assessment on April 20, 2026 — a month before Bithumb’s block—laying out the on-chain evidence in granular detail.
Between 2022 and 2025, TRM observed Cryptomus processing hundreds of millions of dollars in transactions associated with illicit actors, child sexual abuse material vendors, terrorist financing networks, human trafficking operations, and sanctions evasion—including transacting heavily with the now-closed sanctioned Russian exchange Garantex and Iranian exchanges.
Heleket, since its inception in January 2025, has continued to service illicit activity—primarily linked to sanctions evasion—alongside exposure to Russian darknet markets and continued activity from cybercrime service providers that likely migrated from Cryptomus.
Heleket shows elevated illicit exposure relative to peers, with nearly five times the average observed across payment service providers in TRM data. The case reflects a broader enforcement evasion pattern identified in TRM’s 2026 Crypto Crime Report, in which Russia-linked services relaunch parallel or identical services following regulatory action.
The liquidity connection is particularly damning. Heleket and Cryptomus share the sanctioned Russian payment processor Garantex in common as a liquidity provider—a connection that makes the claim of operational independence between the two entities legally and financially implausible.
TRM concluded that Cryptomus launching a parallel service is almost certainly designed to continue facilitating illicit activity—even under scrutiny—by shifting over a user base to a service they can nominally claim is not related to them. The evidence, however, clearly shows that the two are deeply intertwined.
The “Russian Rebrand” Pattern
Bithumb’s action on Heleket is part of a broader pattern that TRM Labs has documented across Russia-linked crypto services in 2025 and 2026. TRM’s 2026 Crypto Crime Report identified the past year as the “year of the Russian rebrand,” noting multiple illicit finance actors in Russia — including Garantex — that relaunched either parallel or identical services in response to enforcement action.
The creation of Heleket to facilitate ongoing no-KYC services with illicit actors may be by design, providing Cryptomus with a sufficient degree of separation to enable plausible deniability of connections to illicit activity. However, if the two entities are connected, this could negate Cryptomus’ appeal to FINTRAC.
The mechanics of the rebrand are straightforward: a regulated entity absorbs enforcement action and implements KYC that drives away its illicit user base, and a nominally separate successor entity appears, offering the same no-KYC service to the same users. Regulators are left having to reconstruct the connection from scratch. Bithumb’s decision to act on TRM’s intelligence—rather than waiting for a formal sanction—represents exactly the kind of proactive compliance posture that Korean regulators have been demanding following the exchange’s own AML difficulties earlier this year.
Bithumb’s Own AML Pressure
The timing of Bithumb’s Heleket block is not coincidental. The exchange has been operating under heightened regulatory scrutiny since March 2026, when the Financial Intelligence Unit (FIU) found that Bithumb neglected identity verification in roughly 6.59 million cases and facilitated approximately 45,000 transactions with 18 overseas platforms that lacked proper registration, resulting in a $24.8 million penalty and a proposed six-month partial operational suspension.
The FIU’s core finding — that Bithumb had conducted transactions with unregistered foreign partners — makes the Heleket block read as a direct, visible compliance response. Heleket is precisely the kind of unregistered overseas operator that the FIU found Bithumb had previously failed to screen out. Blocking it immediately and publicly, with a notice citing the specific legal provisions violated, is the exchange demonstrating to its regulator that it has internalized the lesson.
Bithumb has also been running a broader security awareness campaign since May 14, warning users about AI-powered phishing attacks, deepfake video calls, and fake customer support scams targeting Korean crypto investors. The Heleket block fits within a wider posture of proactive user protection messaging that the exchange has adopted following its regulatory difficulties.
What This Means for Users
Bithumb’s notice is explicit on practical implications. All existing and new virtual asset deposit and withdrawal transactions with Heleket are blocked with immediate effect. Users who have funds in transit between Bithumb and Heleket at the time of the block may face recovery difficulties.
The exchange specifically warned: “Please be aware that using unverified overseas services may make it difficult to recover damages in the event of incidents such as hacking or suspension of deposits and withdrawals.”
That language carries particular weight given Heleket’s track record. User reviews on Trustpilot as recently as two weeks ago describe funds being frozen by Heleket’s own internal “AML checks” with no path to recovery — a pattern consistent with TRM’s assessment of the platform’s illicit exposure. One reviewer described depositing 0.05 BTC on April 24, 2026, only to have the transaction blocked by Heleket’s AML system, with independent AML services showing the assets as low-risk—but Heleket refusing to return the funds.
The Broader Korean Regulatory Context
South Korea has moved aggressively on crypto AML compliance since the Virtual Asset User Protection Act came into full force in 2024. The Act introduced a mandatory framework for exchanges to monitor counterparty risk, report suspicious transactions, and restrict dealings with unregistered overseas virtual asset service providers. Article 17, Paragraph 4 of the Enforcement Decree—the provision Bithumb cited in its Heleket notice—specifically addresses this last category.
South Korea’s Financial Intelligence Unit has been actively identifying exchanges that deal with unregistered overseas operators and have not fully checked customers, with Bithumb among those found to have compliance gaps earlier this year. The Heleket block is the clearest signal yet that Korean exchanges are acting on FIU pressure—not waiting for the regulator to identify violations, but preemptively restricting counterparties that present AML risk.
For the broader crypto industry, the pattern is significant: a blockchain intelligence report published in April, a Korean exchange block in May—with TRM’s April 20 Cryptomus-Heleket assessment serving as the visible intelligence trigger for Bithumb’s May 21 action. The gap between intelligence and enforcement action is narrowing. And for platforms like Heleket that rely on the time between being identified and being blocked to continue processing volume, that narrowing gap is the real regulatory story.
Also Read: THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node
