The updates arrive seven weeks before tranche 2 anti-money laundering obligations begin on July 1, 2026, expanding AUSTRAC’s regulatory perimeter to real estate professionals, lawyers, accountants, conveyancers, dealers in precious metals and additional virtual asset service providers. AUSTRAC also reported that illicit tobacco is approaching a higher money laundering risk rating after generating billions of dollars in laundered proceeds, with violence linked to organized crime efforts in the market.
Three Updates Land Seven Weeks Before Tranche 2 Captures Lawyers, Accountants and Real Estate
The three updates, covering money laundering, terrorism financing and proliferation financing, serve as companions to AUSTRAC’s national risk assessments published in 2024. Each is described in the source documents as a point-in-time reassessment of how channels and threats identified in the 2024 documents are being exploited. The release coincides with the start of new obligations under Australia’s reformed Anti-Money Laundering and Counter-Terrorism Financing Act 2006, which took effect for currently regulated entities on March 31, 2026. Obligations for tranche 2 entities begin on July 1, 2026.
The tranche 2 expansion captures real estate professionals, conveyancers, dealers in precious metals, stones and products, lawyers, accountants, trust and company service providers and additional virtual asset service providers, according to the AUSTRAC money laundering update. The reform brings 80,000 to 90,000 new reporting entities into the regime, according to Norton Rose Fulbright, against approximately 17,000 entities currently regulated. Moody’s estimated the post-reform regulated population at roughly 100,000 entities, a fivefold expansion of AUSTRAC’s perimeter.
The money laundering update reclassified several risk categories. AUSTRAC reported that illicit tobacco, previously assessed as a medium money laundering threat, is “approaching a higher ML risk rating”, driven by rising volumes, links to cash-intensive businesses and remittance providers, and what AUSTRAC described as widespread arson attacks and multiple homicides connected to organized crime groups asserting control over the market. The agency also flagged convergence across remittance, virtual asset, bullion-dealing and cash services as a continuing pathway for criminal exploitation.
AI Joins the Laundering Toolkit Across Money Laundering, Terrorism and Proliferation Financing
.png?width=1024)
For the first time across all three update documents, AUSTRAC categorized AI as a cross-cutting accelerant rather than a single channel. The money laundering update identified AI applications including identity fabrication and impersonation, fake document generation, scam proceeds laundering, automated obfuscation of laundering activity, and transaction structuring designed to mimic legitimate customer behavior. AUSTRAC stated that AI is enabling sophisticated laundering methods with lower barriers to entry, and is being applied to trade-based schemes and the operation of shell entities that present as legitimate businesses.
The proliferation financing update named four specific AI use cases by sanctioned-state actors: automating the creation and management of shell and front-company networks, generating fictitious entities, producing falsified trade, shipping and corporate documentation, and optimizing sanctions and export-control evasion across multiple jurisdictions. The terrorism financing update described AI as “further accelerating transaction speeds and complexity” against the backdrop of Australia’s real-time payment system, which AUSTRAC noted reduces response windows for suspicious transaction interdiction.
The Australian assessment lands amid a broader global pattern in identity fraud. According to UK government estimates cited by identity verification firm Sumsub, the number of deepfakes shared globally rose from approximately 500,000 in 2023 to an estimated 8 million in 2025. Sumsub’s Identity Fraud Report 2025-2026 reported a 180% year-over-year rise in the sophistication of multi-layered fraud schemes that combine deepfakes, AI-generated identities and social engineering.
To be sure, AUSTRAC did not quantify the share of money laundering activity in Australia attributable to AI-enabled techniques and did not publish enforcement statistics linking specific actions to AI typologies. The risk update is qualitative and forward-looking rather than a statistical assessment.
$2 Billion DPRK Bybit Theft Highlights the DeFi and Stablecoin Visibility Gap
The proliferation financing update carried the most concrete quantitative claim across the three documents. AUSTRAC disclosed that DPRK-linked actors stole more than US$2 billion in cryptocurrency from Bybit, one of the world’s largest cryptocurrency exchanges, in 2025. The agency described this as “the largest known instance of state-linked crypto revenue generation globally.” AUSTRAC also cited Royal United Services Institute (RUSI) analysis that DPRK groups accounted for roughly half of the nearly US$4 billion stolen across the virtual asset ecosystem in 2022, with proceeds funding the country’s ballistic missile program.
AUSTRAC stated that virtual assets are increasingly used by proliferation financing networks as a means of value transfer embedded within otherwise legitimate trade, financial and corporate activity, rather than as a standalone financing mechanism. The agency named stablecoins specifically, citing their peg to external assets such as the US dollar and their use within trade-like financial activity. Australia’s open and trade-integrated economy, AUSTRAC stated, increases exposure to this risk.
The money laundering update identified decentralized finance platforms and offshore virtual asset service providers as growing structural risks. AUSTRAC noted that regulatory obligations for virtual asset service providers are concentrated on fiat on- and off-ramps, the conversion points between traditional money and digital assets, leaving gaps in visibility for crypto-native transactions and decentralized activity. Money laundering networks, AUSTRAC stated, are capable of rapid conversion between virtual assets and international transfers with limited reliance on regulated conversion points.
The Australian regulator has acted on similar concerns in the past nine months. In August 2025, AUSTRAC ordered Binance Australia to appoint an external auditor over what the agency described as serious AML/CTF control concerns. AUSTRAC directed similar audits at payment platforms Airwallex Designated Business Group in January 2026 and MHITS Limited in April 2026, and refused to renew the registration of independent remittance provider Yellow Sands Trading earlier this year. The historical context for Australian enforcement remains the A$1.3 billion penalty imposed on Westpac in 2020 over more than 23 million breaches of the AML/CTF Act, the largest civil penalty in Australian history at the time.
Methodology note: All AUSTRAC figures, statements and risk categorizations presented in this article are sourced from the three AUSTRAC publications dated May 12, 2026, the Money laundering update 2026, the Terrorism financing update 2026 and the Proliferation financing update 2026. The estimate of 80,000 to 90,000 new tranche 2 reporting entities is sourced from Norton Rose Fulbright; the estimate of approximately 17,000 currently regulated entities and the post-reform total of approximately 100,000 are sourced from Moody’s and aggregator data. Global deepfake volume estimates are from UK government data cited by Sumsub. The sophistication growth rate (180% year-over-year) is from Sumsub’s Identity Fraud Report 2025-2026. FM Intelligence has not independently verified the AUSTRAC figures or the third-party estimates. The AUSTRAC risk updates are point-in-time qualitative assessments and not statistical surveys. Where this article cites AUSTRAC analytical claims, the underlying basis is set out in the original publications.