Source of Funds Methodology

Bitcoin source of funds is the hardest part of CBI. We built around it.

Most CBI firms treat Bitcoin wealth as a compliance problem they will deal with after the engagement letter is signed. That posture is why most Bitcoin files stall at the Financial Intelligence Unit. 21 CBI documents Bitcoin source of funds as the engagement, not as a hurdle inside it.

Citizenship by Investment (CBI) is a legal pathway in which a sovereign nation grants citizenship in exchange for a government-approved financial contribution. Every CBI program in the world requires a verified source-of-funds package; without it, the application does not enter government screening. For Bitcoiners, the source-of-funds package is the largest single piece of work in the engagement.

This page is the public version of how 21 CBI assembles that package. It is not a teaser. It is the methodology, written so a Bitcoiner can audit our approach before engaging and so a Financial Intelligence Unit can verify our discipline after submission. Show, do not tell.

Download the PDF methodology

PDF, ~38 KB. Ungated. Same content as this page, formatted for offline reading.

01 / The Problem

Why source of funds is the hardest CBI step for Bitcoiners.

The standard CBI source-of-funds package was built for fiat wealth. Bank statements, salary records, audited business accounts, inheritance documentation, real-estate sale records. Each of those is a known artifact with a counterparty that can attest to it. Financial Intelligence Units (the government bodies that conduct due diligence on CBI applications) have decades of pattern-matching on what a fiat source-of-funds package looks like.

Bitcoin breaks every assumption in that pipeline. There is no centralised counterparty for self-custody. The bank statement is the blockchain, and the bank statement is the address you do not want to disclose by default. Early-cycle exchanges where many Bitcoiners first acquired position no longer exist; their records went down with the entities. Mining income arrives as coinbase transactions, not as W-2 line items. Off-chain trades, peer-to-peer purchases, and atomic swaps leave no third-party trail. UTXOs are reorganised, consolidated, and split across years; the audit trail is real but it is not the format a CBI compliance officer was trained to read.

The result is predictable. A Bitcoiner who can document a $5M position to themselves in five minutes (here is the seed, here is the descriptor, here is the chain) submits a CBI application and watches it sit in due diligence for six months while the FIU asks questions that have no clean fiat-shaped answer. By the time the file clears, the price has moved, the program threshold has moved, or the applicant has moved on. The friction is not regulatory hostility. It is a format mismatch.

Closing the format gap is the work. That is what this methodology documents.

02 / The Bar

What Financial Intelligence Units actually look for.

Every CBI program operates under an FIU or an equivalent due-diligence body. Vanuatu uses the Vanuatu Financial Intelligence Unit (VFIU). São Tomé routes through the Unidade de Cidadania por Investimento e Doação (UCID), based in Dubai. Türkiye routes through the Ministry of Interior with Provincial Directorate oversight. El Salvador routes through The Bitcoin Office of El Salvador with sanctions and adverse-screening checks at the General Directorate of Migration and Foreigners. Malta runs the Residency Malta Agency four-tier review and (for Citizenship by Merit) the Community Malta Agency. The body changes; the standard does not.

Every one of those bodies is looking for the same five things in a Bitcoin source-of-funds package:

A complete and verifiable origin trail. Where did the Bitcoin come from? Purchase, mining, peer-to-peer transfer, business income, inheritance, hard fork. Every entry point named and documented.
A custody chain from origin to current control. Exchange to self-custody, wallet consolidations, multisig setups, hardware-wallet rotations. Every meaningful movement explained.
Reconciliation between disclosed positions and on-chain reality. What you say you hold matches what the chain shows you control. Discrepancies are the single most common rejection reason.
Risk-screened counterparties. The addresses your funds came from and went to have been checked against sanctions lists, darknet markers, ransomware addresses, and mixer activity. Where any counterparty raises a flag, it is named and contextualised before the FIU finds it.
Tax and reporting compliance in your jurisdiction of tax residence. Filed returns, where applicable. FBAR and FATCA for US persons. Equivalent disclosures for CRS-participating jurisdictions where account-level reporting applies.

That is the standard. It is not designed to fail Bitcoin-native applicants. It is designed to fail bad actors. A clean self-custody position with documented exchange purchases and a coherent audit trail clears the standard. A position assembled over a decade with no records, opaque wallet transitions, and no persistent metadata fails it. The difference is documentation, not the position itself.

03 / The Process

The 21 CBI seven-step source-of-funds process.

This is what we do, in order, on every Bitcoin file we take. Each step has an output document that goes into the final FIU submission package.

Origin discovery.We map every entry point through which Bitcoin entered your control. Exchange accounts (active and defunct), mining payouts, peer-to-peer purchases, business income, gifts, hard-fork claims, airdrops, OTC trades. Each entry point is timestamped and documented to the most authoritative record available.
Custody mapping.We chart every wallet, hardware device, multisig setup, and Lightning channel that has held or moved the engagement funds. Wallets unrelated to the engagement stay private; only the funding path is disclosed. The map is the structural backbone of the package.
Documentation collection.We pull exchange records (CSV exports, monthly statements, annual tax forms), bank statements showing fiat outflows to exchanges, contemporaneous emails confirming early purchases, mining pool payout histories, electricity bills as operating-cost evidence, and any tax filings that touch the position. This is the most time-consuming step on most files; it is also the most consequential.
On-chain analysis.We run the engagement custody addresses through Chainalysis Reactor and TRM Labs to generate the transaction-graph and the counterparty risk score. We document the analysis output, name any flagged counterparties (sanctioned addresses, darknet markets, mixers), and prepare contextual explanations. We do not bury risk flags; we surface them with explanations the FIU can verify independently.
Reconciliation.We tie the documented acquisitions to the current on-chain position. Every Bitcoin claimed in the package is matched to a chain-verifiable receipt at an address you control. Unaccounted balances are either documented as a separate acquisition or pulled from the engagement. The output is a reconciliation table that an FIU analyst can read in fifteen minutes.
Pre-audit package.We compile the origin trail, custody map, documentation pack, on-chain analysis, and reconciliation table into a single submission package formatted to the destination program's FIU template. We attach a signed cover memo summarising the package and naming the analyst (Adam personally signs every package). We pre-audit the package internally against the program's published rejection criteria before submission.
Submission and iteration.We submit through the program's authorised channel (direct for our El Salvador agency, through licensed partners for other programs) and stand by for FIU follow-up questions. Most clean Bitcoin files clear in one review cycle. Complex files (pre-2017 origins, defunct exchanges, mixer history) typically take two cycles. We respond to FIU questions inside seventy-two hours of receipt.

The output of step seven is a cleared file. The output of step one through six is what makes step seven possible.

04 / The Tools

On-chain analysis: what we run, what it shows, what it does not.

Chainalysis Reactor handles transaction-graph analysis. We feed in the engagement custody addresses and trace funds back to their origin counterparties. The output is a directed graph of fund movements, annotated with entity labels where Chainalysis has them (exchanges, payment processors, custody providers). For most CBI submissions the Reactor output is the on-chain backbone of the package.

TRM Labs handles risk scoring. The same addresses are checked against TRM's risk indicators (sanctions exposure, darknet markets, mixer activity, scam patterns). The output is a per-address risk profile that we surface to the FIU pre-emptively. Where TRM flags a counterparty, we document the context (a flagged exchange address may simply be the exchange's hot wallet, not a risk indicator on the applicant).

Where the position predates institutional analytics coverage (early-cycle addresses from 2013 to 2016, addresses on chains or custom explorers that were never indexed by Chainalysis or TRM), we build the analysis manually against the public blockchain. We use public block explorers, archived web pages of defunct services, and contemporaneous Bitcoin Talk forum threads to reconstruct the origin context. The output is a written analyst narrative attached to the package as supporting documentation.

Tooling is an input. The judgement that assembles a defensible narrative is what makes a package clear. We have seen FIU reviewers wave through positions with mixer history because the context was named cleanly; we have seen FIU reviewers reject clean positions because the analyst memo waved through a flag without explanation. The package is a written argument, not a screenshot dump.

05 / US Persons

Exchange records and Form 1099-B integration for US persons.

US citizens and Lawful Permanent Residents start from a position of strength on the source-of-funds package, even where the FATCA (Foreign Account Tax Compliance Act) and FBAR (FinCEN Form 114) regimes feel like a burden in daily life. The IRS already holds a documentary trail for any Bitcoin position the applicant has reported correctly. The standard 21 CBI workflow for US persons reuses that paper trail as the backbone of the source-of-funds package.

The inputs we pull from existing US filings:

Form 8949 and Schedule D. Per-transaction capital-gains reporting that ties every Bitcoin disposition to a cost basis and a sale date. We map this against on-chain transaction history.
Form 1099-B from US exchanges. Coinbase, Kraken, Gemini, and other US-licensed exchanges issue Form 1099-B for qualifying activity. The 1099-B is third-party-attested evidence that the FIU treats as canonical.
FBAR (FinCEN Form 114) for foreign accounts. Any non-US exchange account holding more than $10,000 in aggregate at any point in a year triggers FBAR filing. The filed FBAR is evidence of disclosure discipline.
Form 8938 (FATCA Statement of Specified Foreign Financial Assets). Higher threshold than FBAR; same documentary value. Foreign exchange accounts above the FATCA threshold appear here.
Self-employment Schedule C or business returns. Where Bitcoin acquisition is via business income or mining operated as a trade, the corresponding business return is the income source documentation.

The CBI program wants the same information the IRS already has on file, presented in a different format. If there are unreported gains, unfiled FBARs, or missing Form 8938 disclosures, we tell the prospect to fix the underlying tax issue with a qualified US tax attorney before we file the CBI application. We do not paper over compliance gaps; the FIU finds them and rejects the file, and the prospect now has both a rejected CBI file and a known tax exposure.

For US persons whose endpoint is renunciation of US citizenship after the second passport is in hand, the source-of-funds package built for the CBI engagement is the same package that supports the IRC Section 877A mark-to-market analysis Exitly performs at renunciation. Build it once, use it twice.

06 / UTXO Documentation

UTXO-level documentation for self-custody positions.

Self-custody is the strongest source-of-funds posture available. The applicant holds the keys, signs the proof, and demonstrates control on-chain. The challenge is that self-custody hides the audit trail by default. UTXOs that have been consolidated, split, and re-consolidated across years do not show their origin without the analyst doing the work.

The standard documentation we build for a self-custody position:

UTXO inventory at engagement. A complete list of UTXOs that will fund the CBI contribution, with the address (or xpub-derived address path) for each.
Per-UTXO provenance chain. For each UTXO, the chain of transactions back to the documented origin event. Where intermediate transactions are coin consolidations or wallet rotations, the analyst memo explains the operational reason.
Signed message proofs. Where applicable, signed messages from the controlling private keys at the time of submission, demonstrating present control. Standard wallets (Bitcoin Core, Sparrow, Electrum, hardware-wallet companions) all support the signing primitive.
Multisig descriptor evidence. Where the position is held in a multisig setup, the descriptor (or partial descriptor where keys belong to third parties) is provided so the FIU can verify the control structure.
Lightning channel documentation. Where engagement funds move via Lightning, channel-state documentation and counterparty identification.

UTXO-level documentation is the part of the package that earns the most "we have not seen a package like this before" responses from FIU reviewers. That response is a good sign, not a bad one. It means the package is providing the verifiable proof that the FIU framework was designed to accept but rarely receives.

07 / Mining Income

Documenting mining income.

Mining income has the advantage of clear on-chain provenance: coinbase transactions (the first transaction in every block, which creates new Bitcoin and pays the miner) are unambiguous. The Bitcoin came into existence at that block height; the address that received it is the miner's address. There is no counterparty to attest to, because the chain itself attested.

The complication is income reporting and operating-cost evidence. The CBI program wants to see that the mining income was reported in the jurisdiction of tax residence (where the program is also exposed to that jurisdiction's tax authority through CRS) and that the mining operation was a legitimate business, not a front for laundered fiat.

Standard documentation for a mining-origin source-of-funds package:

Pool payout records. For pool miners, the pool's per-payout history with timestamps and per-payout amounts.
Solo mining coinbase mapping. For solo miners, the list of blocks mined and the coinbase transactions, with the mining-pool field decoded where applicable.
Operating-cost evidence. Electricity bills, hardware purchase invoices, hosting-facility contracts, ventilation and cooling infrastructure. The cost basis matters for both tax purposes and FIU confidence that the operation was real.
Income reporting. Filed returns showing the mining income, in whatever form the jurisdiction of tax residence requires. For US persons, Schedule C if operated as a trade or business; Schedule 1 if as a hobby.
Jurisdiction-specific compliance. Where mining took place in a jurisdiction with a specific licensing or registration regime (some EU member states, certain US states, post-2024 New York and Texas variants), the licence or registration record.

The Bitcoin Office of El Salvador, the Vanuatu Financial Intelligence Unit, and the UCID in Dubai all have stated frameworks for mining-origin funds. Each treats mining as a legitimate income source. The work is in proving the operation was what the applicant claims it was.

08 / Pitfalls

The pitfalls we see most often.

Most rejected Bitcoin source-of-funds packages fail for the same handful of reasons. Naming them publicly lets prospects pre-screen their own positions before they engage.

Pre-2017 acquisitions on now-defunct exchanges. Bitcoiners who bought through Mt. Gox, BTC-e, Cryptopia, or QuadrigaCX have legitimate origin events with no operating-exchange records to retrieve. The mitigation is contemporaneous bank-transfer records, email confirmations, claim-process documentation, and chain-analysis tying on-chain receipt to addresses the applicant controls. This is workable; it is just more work than a clean Coinbase 1099-B.
Mixer or coinjoin history without context. A CoinJoin transaction in the position's history is not automatically disqualifying. An unexplained CoinJoin two transactions before the engagement funding is. We document every CoinJoin in the chain with the privacy-tool used, the rationale (typical operational privacy practice for self-custody Bitcoiners), and the analyst's assessment of risk exposure. CoinJoins documented in advance clear at the FIU; CoinJoins discovered by the FIU during review get rejected.
OTC trades without counterparty records. Over-the-counter purchases through Bitcoin Talk forum threads, Discord groups, or peer connections in 2013 to 2017 often have no surviving counterparty. The mitigation is bank statements showing the fiat transfer, contemporaneous communications archived from the platform, and on-chain documentation of the receipt. Documented OTC trades clear; undocumented ones do not.
Exchange-KYC gaps from 2017 to 2019. Many Bitcoiners traded on early-cycle exchanges that no longer exist or have incomplete KYC archives. The UCID, VFIU, and Bitcoin Office accept circumstantial evidence: bank statements showing fiat outflows to exchange deposit addresses, archived account screenshots, timestamped trade histories. Build the package now; archived data degrades.
Unreconciled balance discrepancies. The most common rejection pattern. The applicant says they hold X BTC; the chain shows Y BTC at the disclosed addresses; the difference is unexplained. The fix is the reconciliation step (Section 03, step 5). Every disclosed BTC must be accounted for, and every undisclosed BTC at addresses we map must either be disclosed or be at addresses outside the engagement scope.
Stale tax compliance. For US persons especially, unfiled FBARs, missing Form 8938, or unreported Form 8949 lines create a tax-side exposure that the FIU may surface as a source-of-funds risk. Fix the tax compliance first; then file the CBI application. The order matters.
Engagement letters signed before the position is screened. An engagement letter signed against a position that will not clear at the FIU benefits no one. We pre-screen every Bitcoin position before we sign. If the position will not clear, we say so on the first call and we do not bill for a doomed file.

Common Questions

Source-of-funds FAQ.

How long does the 21 CBI source-of-funds package take to assemble?

For a clean self-custody position with documented exchange purchases, four to six weeks of focused work. For positions with pre-2017 acquisitions, defunct-exchange origins, or mixer history, eight to twelve weeks. We tell you the realistic timeline on the first call after we have seen the position; we do not quote a generic "couple of weeks" number that bends under reality.

Do I have to disclose every wallet I have ever held?

You disclose every wallet that holds funds that will be used for the CBI engagement, every wallet that received the funds that are being used, and every funding-source wallet up the chain. Wallets that have never touched the engagement funds are out of scope. Compartmentalization is preserved at the wallet level, not at the position level. Self-custody best practice (separate wallets per purpose) is an advantage here, not a problem.

My exchange is defunct. Can the package still clear?

Yes, with effort. Defunct exchanges (Mt. Gox, BTC-e, Cryptopia, QuadrigaCX, and several smaller venues) are recognised by Financial Intelligence Units as legitimate origin points; the obligation shifts to circumstantial evidence. We assemble contemporaneous bank-transfer records, archived account screenshots, claim-process documentation, and chain analysis tying on-chain receipt to addresses you control. The package is more work, but it clears more often than not.

I have mining income. Is that harder or easier?

Different, not necessarily harder. Mining income has the advantage of clear on-chain provenance (coinbase transactions are unambiguous) and the disadvantage of fragmented tax documentation across years and jurisdictions. We assemble pool-payout records, electricity bills as operating-cost evidence, and the income reporting you have already filed. The Bitcoin Office of El Salvador, FIU Vanuatu, and the UCID in Dubai all have stated frameworks for mining-origin funds.

I am a US citizen with FATCA and FBAR exposure. Does that change the process?

Yes. US persons start from a position of strength because the IRS already holds a documentary trail for any Bitcoin position reported on Form 8949, Schedule D, FBAR (FinCEN Form 114), and Form 8938. We use that existing paper trail as the backbone of the source-of-funds package: filed returns, exchange Form 1099-B records, and the on-chain history that ties exchange withdrawals to your self-custody addresses. The CBI program wants the same information the IRS already has on file, presented in a different format. If there are unreported gains or unfiled FBARs, we tell you to fix that with a tax attorney before we file the CBI application; we do not paper over compliance gaps.

What chain-analysis tools does 21 CBI use?

We work with the Chainalysis Reactor product for transaction-graph analysis and TRM Labs for risk scoring on counterparties. Where the position predates institutional analytics coverage (early-cycle addresses, custom-built explorers from 2013 to 2016), we build the analysis manually against the public blockchain and document our reasoning. Tooling is an input to the package; the analyst judgement is what assembles a defensible narrative.

Will 21 CBI take the engagement if my source of funds will not clear?

No. We pre-screen every prospective engagement against the source-of-funds standard before we sign an engagement letter. If we cannot get your position cleared, we tell you on the first call and we do not bill for a doomed file. This is a reputation business; we do not get a second chance with a Financial Intelligence Unit that has seen us submit packages they had to reject.

Where the package goes

The same package, six destinations.

The methodology above is jurisdiction-agnostic. The package we assemble is reformatted to the destination program's FIU template at the submission step. The six programs we currently advise on:

Vanuatu São Tomé & Príncipe Türkiye El Salvador Malta Argentina

Begin Your Sovereignty.

If your position will clear, we will tell you on the first call. If it will not, we will tell you that too, and we will not bill for a doomed file.

Begin Your Sovereignty

Adam Juchniewicz, CEO, 21 CBI