ACAMS CCAS - Certified Cryptoasset Anti-Financial Crime Specialist Examination

A 51% attack refers to a situation where a single miner or group controls more than 50% of the blockchain network’s computational (hashing) power. This majority control allows them to manipulate the blockchain ledger by double-spending or blocking transactions.

This term is widely recognized in blockchain security contexts and is referenced in typology papers on crypto financial crime risks, including those issued by UAE authorities and FATF.

Supporting extracts:

DFSA AML thematic reviews mention the risk of manipulation and double spending in blockchains susceptible to 51% attacks.

Typology reports on cryptoasset risks highlight computational power concentration as a core vulnerability.

“51% refers to the percentage of total mining power or computational power in the network” is the standard definition across crypto AML/CFT frameworks【31.92._TFS_Typology_Paper_Eng__4.pdf; AMLCFT_Guidance_for_FIs.pdf】.

Thus,Cis correct.

Misconfigured or poorly designed smart contracts can enable rug pull scams, where developers create fraudulent decentralized finance (DeFi) projects or tokens and then withdraw liquidity or funds abruptly, leaving investors with worthless assets.

Phishing (A) and SIM attacks (B) relate to social engineering and telecom fraud, respectively, and ransomware (D) is malware demanding payment. Rug pulls specifically exploit smart contract vulnerabilities.

The DFSA and AML thematic reviews on crypto highlight rug pull scams as a key operational and financial crime risk linked to smart contract vulnerabilities.

Anonymity red flags in crypto include the use of:

Decentralized or hardware wallets (A): These wallets are often unhosted and can facilitate anonymous transfers across borders, complicating AML controls.

Mixing services (B): These obscure transaction trails by blending multiple users’ funds, enhancing anonymity and increasing ML risk.

Privacy-oriented email services (C), fraudulent scheme-linked assets (D), and unusual sign-on activity (E) are also risk indicators but not specifically tied to anonymity in cryptoasset transactions.

AML guidance and thematic reviews emphasize A and B as key anonymity-related red flags.

Unhosted wallets allow direct user control without third-party oversight, making them harder to monitor and more vulnerable to misuse.

Arestricted blockchainis one where participation—either in transaction validation, data access, or both—is limited to selected entities rather than being open to the public.

Consortium blockchain (D)is a common type of restricted blockchain in which multiple pre-approved organizations collectively manage the network. It offers partial decentralization but with controlled membership, making it suitable for regulated environments such as financial services, supply chain tracking, and interbank settlements.

Other options explained:

Hybrid (A):Combines elements of public and private chains, but not necessarily “restricted” in the strict governance sense.

Public (B):Open to anyone to join, read, and write data; not restricted.

Private (C):While private blockchains are also restricted, in AML/CFT guidance, “restricted blockchain” generally refers to consortium arrangements involving multiple vetted participants, rather than a single organization’s closed chain.

Regulatory and technical literature in DIFC/ADGM contexts note thatconsortium blockchainsallow for compliance controls, participant vetting, and transaction monitoring—making them particularly suitable for financial ecosystems where controlled access is essential.

Upon identifying customer engagement with unhosted wallets or P2P transfers, the first step a VASP should take is tocollect and assess dataon such transactions. This assessment helps determine if these activities fall within the firm's risk appetite and what enhanced controls or actions may be needed.

Immediate account freezing (B) is not the first step without assessment; neither is allowing transfers (A) without risk consideration. Enhancing risk frameworks (D) is important but follows from an initial data-driven risk assessment.

Relevant guidance:

FATF Recommendations and DFSA AML Module require VASPs to maintain a risk-based approach that begins with data collection and risk assessment on unhosted wallet transactions.

The DFSA’s 2023 Dear MLRO letters and thematic reviews stress proportionality and evidence-based responses rather than immediate punitive measures.

Enhanced due diligence (EDD) and risk mitigation measures, including potentially freezing accounts, come after assessment of the risk level【AML/VER25/05-24: Sections 4.1, 6.4, 13; 20230406Dear_MLRO_Letter_re_IEMS.pdf】.

Hence,Cis the appropriate first action.

Management must consider a comprehensive set of features when evaluating virtual asset products and services, including:

Ability for other VASPs to utilize the service (A):This increases risk exposure as services may be used indirectly by unknown parties.

Ability to mingle funds within wider pools (B):Mixing services or pooled wallets increase anonymity and laundering risk.

Regulatory expectations (C):Management must ensure compliance with all applicable laws and guidelines.

Transaction volumes (D):High transaction volumes can increase operational risk and require enhanced monitoring.

The DFSA AML and COB Modules, as well as FATF guidance, stress that a risk-based approach requires consideration of all these features in product/service risk assessments.

FATF Recommendation 13 (Correspondent Banking and Similar Relationships) and its application to VASP–VASP relationships require enhanced due diligence before onboarding. This is because such arrangements carry elevated ML/TF risk, especially in cross-border settings.

Required CDD practices include:

Assess the nature and purpose of the VASP relationship (C):Understand why the relationship is being established and the expected services/products.

Obtain approval from senior management (D):Senior management oversight ensures risk is accepted at the appropriate governance level.

Assess the VASP’s supervision and if a license/registration is needed (E):Confirm regulatory oversight, licensing, and compliance with AML/CFT obligations.

Options A and B arenotcore FATF requirements for CDD in this context — local authority approval may be a domestic regulatory requirement in some countries, but not a FATF baseline, and profitability assessment is a business decision, not an AML measure.

Money laundering risk increases if the business operates in or near high-risk jurisdictions (D) or regions associated with narcotics production (C), as these are common sources of illicit funds.

An increase in volume and users (A) or supporting various cryptoassets (B) alone does not necessarily increase ML risk. Recent licensing (E) may indicate regulatory compliance, potentially lowering risk.