Market Surveillance & Manipulation Detection

TL;DR

  • Market surveillance = the systems, processes, and people that detect and prevent manipulation on trading venues — required by every serious regulator and essential for market integrity
  • Common manipulation types: wash trading, spoofing/layering, front-running, pump-and-dump, insider trading, market cornering — each leaves distinct fingerprints in order and trade data
  • Detection is layered: self-trade prevention at the matching engine, statistical anomaly detection on trade/order data, network analysis across accounts, and on-chain analytics for crypto-specific threats
  • Technology stack: ranges from enterprise solutions (Nasdaq SMARTS, Eventus Validus, Solidus Labs HALO) to on-chain intelligence (Chainalysis KYT, TRM Labs, Elliptic)
  • Regulatory landscape is converging: MiCA in the EU, FINRA/SEC in the US, MAS in Singapore — all now explicitly require crypto exchanges to implement market abuse detection
  • Building a surveillance program requires three pillars: people (compliance analysts, investigators), technology (surveillance platform + on-chain tools), and process (alert triage, investigation workflows, regulatory reporting)

1. Why Market Surveillance Matters

Every market depends on a simple social contract: prices reflect genuine supply and demand. When traders can fake volume, spoof orders, or front-run other participants, that contract breaks down. Spreads widen. Retail gets burned. Institutional capital stays away.

Market surveillance exists to enforce that contract.

Three reasons exchanges invest in it:

  1. Market integrity — Fair price discovery attracts liquidity. Liquidity attracts more traders. It's a virtuous cycle, but only if participants trust the order book.

  2. Regulatory requirement — Every major jurisdiction now requires trading venues to implement surveillance. MiCA (EU), FINRA Rule 3110 (US), MAS (Singapore) — the specific rules vary but the mandate is universal: detect and prevent market abuse.

  3. Trust and reputation — One high-profile manipulation scandal can permanently damage an exchange's brand. The exchanges that survived the 2017-2018 "wild west" era are the ones that invested early in surveillance infrastructure.

The cost of building surveillance is real. But the cost of not having it — regulatory action, lost users, delisting by institutional partners — is existential.


2. Types of Market Manipulation

Wash Trading

What it is: Trading with yourself (or with a coordinated counterparty) to inflate volume without taking market risk.

Why it matters: Volume is the most-watched metric in crypto. Exchanges ranked by volume attract more listings, more traders, more fees. Fake volume distorts all of it.

Scale: Chainalysis's 2025 analysis identified approximately $2.57 billion in suspected wash trading across DeFi platforms using two complementary detection heuristics. On centralized exchanges, the real number is likely higher but harder to measure without internal data.

Wash Trade Pattern:

Account A ──sell 100 BTC @ $60,000──> Account B
Account B ──sell 100 BTC @ $60,000──> Account A

Net position change: zero
Reported volume: 200 BTC ($12M)
Actual economic activity: zero

Spoofing & Layering

What it is: Placing large orders you intend to cancel before execution, to create a false impression of supply or demand.

Spoofing = placing a single large fake order to move the price. Layering = placing multiple fake orders at different price levels to create the illusion of deep support or resistance.

Layering Example (manipulator wants to buy cheap):

Sell side        Price        Buy side
                 $101.00
                 $100.50
                 $100.00      ← real market
  500 units      $99.50       ← fake layer 1
  500 units      $99.00       ← fake layer 2
  500 units      $98.50       ← fake layer 3
  500 units      $98.00       ← fake layer 4

Other sellers see massive "support" and panic.
Price drops. Manipulator buys at $98.50.
All fake orders instantly cancelled.

The canonical case is Navinder Sarao, who spoofed E-mini S&P 500 futures from his bedroom in London, contributing to the 2010 Flash Crash that briefly wiped nearly $1 trillion from US equity markets. He was ordered to pay over $38 million in penalties and permanently banned from trading.

Front-Running

What it is: Trading ahead of a known incoming order to profit from the price impact that order will cause.

In traditional finance, this typically involves a broker or exchange employee seeing a large client order and trading ahead of it. In crypto, the concept has expanded to include MEV (Maximal Extractable Value) — where validators or searchers exploit transaction ordering on-chain.

Pump-and-Dump

What it is: Accumulating a position, artificially inflating the price through coordinated buying and hype (social media, Telegram groups, influencer endorsements), then dumping the position on late buyers.

Pump-and-Dump Timeline:

Phase 1: Accumulation    (quiet buying, low volume)
Phase 2: Promotion       (social media hype, "insider tips")
Phase 3: Pump            (price spikes 200-1000%+)
Phase 4: Dump            (insiders sell into retail FOMO)
Phase 5: Collapse        (price returns to near-zero)

Duration: hours to days in crypto (weeks to months in TradFi)

Insider Trading

What it is: Trading based on material non-public information — upcoming listings, delistings, partnerships, or exchange operational data.

In crypto, the attack surface is wider than TradFi. Exchange employees know about listing decisions. Project insiders know about token unlocks. Validators can see pending transactions. Smart contract deployers know about upcoming protocol changes.

Market Cornering

What it is: Accumulating enough of an asset's supply to control its price, then squeezing short sellers or other market participants who need that asset.

In crypto, this is particularly dangerous for low-cap tokens where a single actor can acquire a dominant position. The Mango Markets exploit (covered in Section 9) is arguably a form of market cornering executed through DeFi mechanics.


3. How Wash Trading Detection Works

Wash trading detection operates at multiple levels, from simple self-trade checks to sophisticated network analysis.

Level 1: Self-Trade Prevention (STP)

The first line of defense sits inside the matching engine itself. Self-Trade Prevention (STP) detects when the same account (or accounts linked to the same entity) would trade against each other.

Order arrives:  BUY 10 BTC @ $60,000  from Account X
Book has:       SELL 10 BTC @ $60,000  from Account X

STP action: reject or cancel one side (configurable)

STP modes:
  - Cancel resting    (cancel the existing order)
  - Cancel aggressor  (reject the incoming order)
  - Cancel both       (nuke both sides)
  - Cancel smaller    (cancel the smaller order)

STP is necessary but not sufficient. Sophisticated wash traders use multiple accounts.
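As an added illustration (not code from the page or from any exchange's matching engine), here is the self-trade check from the scenario above, with the four STP modes listed. The `entity` field stands in for whatever KYC-level link the venue uses to group accounts of one beneficial owner, and the tie-break for "cancel smaller" (equal sizes cancel both) is an assumption of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Added illustration: a self-trade-prevention check as a matching engine would run it
# before matching an incoming order against a resting one. The entity field and the
# tie-break for "cancel smaller" are assumptions, not a specific exchange's behaviour.

class Side(Enum):
    BUY = "BUY"
    SELL = "SELL"

class StpMode(Enum):
    CANCEL_RESTING = "cancel_resting"      # cancel the existing order
    CANCEL_AGGRESSOR = "cancel_aggressor"  # reject the incoming order
    CANCEL_BOTH = "cancel_both"            # remove both sides
    CANCEL_SMALLER = "cancel_smaller"      # cancel the smaller order (tie: both, assumed)

@dataclass(frozen=True)
class Order:
    order_id: str
    account: str
    entity: str    # KYC-linked owner; accounts of one beneficial owner share it (assumption)
    side: Side
    qty: float
    price: float

@dataclass(frozen=True)
class StpDecision:
    cancel_resting: bool
    cancel_aggressor: bool
    reason: str

def would_cross(incoming: Order, resting: Order) -> bool:
    """True when the two orders are on opposite sides at prices that would match."""
    if incoming.side == resting.side:
        return False
    if incoming.side is Side.BUY:
        return incoming.price >= resting.price
    return incoming.price <= resting.price

def apply_stp(incoming: Order, resting: Order, mode: StpMode) -> Optional[StpDecision]:
    """Return the STP decision if both orders belong to the same entity and would
    match; None means normal matching proceeds (different owners, or no cross)."""
    if incoming.entity != resting.entity or not would_cross(incoming, resting):
        return None
    why = (f"entity {incoming.entity} would trade with itself "
           f"({incoming.order_id} vs resting {resting.order_id})")
    if mode is StpMode.CANCEL_RESTING:
        return StpDecision(True, False, why)
    if mode is StpMode.CANCEL_AGGRESSOR:
        return StpDecision(False, True, why)
    if mode is StpMode.CANCEL_BOTH:
        return StpDecision(True, True, why)
    # CANCEL_SMALLER: keep the larger order; equal sizes cancel both (assumption)
    if incoming.qty < resting.qty:
        return StpDecision(False, True, why)
    if incoming.qty > resting.qty:
        return StpDecision(True, False, why)
    return StpDecision(True, True, why)

def page_scenario(mode: StpMode) -> Optional[StpDecision]:
    """The situation in the text: BUY 10 BTC @ 60,000 arrives while the same
    account rests a SELL 10 BTC @ 60,000 (order ids are constructed)."""
    resting = Order("r-1", "X", "entity-X", Side.SELL, 10, 60_000)
    incoming = Order("i-2", "X", "entity-X", Side.BUY, 10, 60_000)
    return apply_stp(incoming, resting, mode)

if __name__ == "__main__":
    for mode in StpMode:
        print(mode.value, page_scenario(mode))
```

Note that the check keys on the entity, not the account id: linking accounts to a common owner is what makes STP catch the simplest two-account wash pair, and it is exactly the link that multi-account wash traders try to avoid creating.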

Level 2: Volume Pattern Analysis

Statistical methods flag anomalous trading patterns:

Signal                         | What It Detects
-------------------------------|-------------------------------------------
Volume-to-unique-traders ratio | High volume from few accounts
Time-of-day clustering         | Volume concentrated in low-liquidity hours
Round-number bias              | Trades at suspiciously round sizes
Price-reversion patterns       | Volume that doesn't move price
Maker-taker symmetry           | Same accounts consistently on both sides

A useful heuristic: if volume spikes 10x but open interest, spread, and depth stay flat, something is wrong.
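The following is an added example, not the page's own tooling, that computes the five Level 2 signals over executed trades and compares a constructed two-account ping-pong sample against a constructed sample of ordinary flow. The alert thresholds in `wash_signals` and the "quiet hours" window (00:00 to 05:59 UTC) are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Added illustration of the Level 2 signals computed over executed trades. Thresholds
# and the quiet-hours window are assumptions for the example, not industry values.

@dataclass(frozen=True)
class Trade:
    ts: datetime
    maker: str   # account whose resting order was hit
    taker: str   # account whose order crossed the spread
    qty: float
    price: float

def volume_per_unique_trader(trades: List[Trade]) -> float:
    """Volume-to-unique-traders ratio: large when few accounts produce the volume."""
    accounts = {t.maker for t in trades} | {t.taker for t in trades}
    return sum(t.qty for t in trades) / len(accounts) if accounts else 0.0

def maker_taker_symmetry(trades: List[Trade]) -> float:
    """Share of volume between account pairs that take both sides of each other."""
    pair_vol: Dict[tuple, float] = defaultdict(float)
    for t in trades:
        pair_vol[(t.maker, t.taker)] += t.qty
    total = sum(pair_vol.values())
    mirrored = sum(v for (a, b), v in pair_vol.items() if (b, a) in pair_vol)
    return mirrored / total if total else 0.0

def round_size_share(trades: List[Trade], step: float = 10.0) -> float:
    """Fraction of trades whose size is an exact multiple of `step`."""
    if not trades:
        return 0.0
    return sum(1 for t in trades if t.qty % step == 0) / len(trades)

def quiet_hours_share(trades: List[Trade], quiet=range(0, 6)) -> float:
    """Fraction of volume executed in assumed low-liquidity UTC hours (00:00-05:59)."""
    total = sum(t.qty for t in trades)
    quiet_vol = sum(t.qty for t in trades if t.ts.hour in quiet)
    return quiet_vol / total if total else 0.0

def price_move_per_unit(trades: List[Trade]) -> float:
    """Net price change divided by volume: near zero means volume that does not move price."""
    if len(trades) < 2:
        return 0.0
    ordered = sorted(trades, key=lambda t: t.ts)
    total = sum(t.qty for t in trades)
    return abs(ordered[-1].price - ordered[0].price) / total if total else 0.0

def wash_signals(trades: List[Trade]) -> Dict[str, bool]:
    """Turn the signals into flags an alert rule could combine; thresholds are illustrative."""
    return {
        "few_accounts_much_volume": volume_per_unique_trader(trades) > 50,
        "mirrored_pairs": maker_taker_symmetry(trades) > 0.5,
        "round_sizes": round_size_share(trades) > 0.8,
        "quiet_hours": quiet_hours_share(trades) > 0.5,
        "volume_without_price_move": price_move_per_unit(trades) < 0.01,
    }

def _t(hh: int, mm: int, maker: str, taker: str, qty: float, price: float) -> Trade:
    return Trade(datetime(2025, 1, 15, hh, mm), maker, taker, qty, price)

# Constructed sample: two accounts ping-ponging 100 BTC at a flat price at 03:00 UTC
WASH = [_t(3, m, "A" if m % 2 else "B", "B" if m % 2 else "A", 100, 60_000) for m in range(8)]
# Constructed sample: six unrelated accounts, odd sizes, daytime, price drifting upward
LEGIT = [
    _t(14, 0, "M1", "T1", 3.7, 60_010), _t(14, 1, "M2", "T2", 1.25, 60_025),
    _t(14, 2, "M1", "T3", 0.8, 60_040), _t(14, 3, "M3", "T1", 2.1, 60_070),
    _t(14, 4, "M2", "T3", 5.5, 60_120),
]

if __name__ == "__main__":
    print("wash  :", wash_signals(WASH))
    print("legit :", wash_signals(LEGIT))
```

Each signal on its own has an innocent explanation (a market maker is symmetric with everyone, a fund may trade round lots), which is why the flags are combined and why the 10x-volume-with-flat-depth heuristic above is a trigger for review rather than a verdict.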

Level 3: Network Analysis

The most powerful detection method maps trading relationships as a graph.

Account Network Analysis:

    A ──trades──> B
    B ──trades──> C
    C ──trades──> A

    Closed loop detected.

    Additional signals:
    - A, B, C registered from same IP
    - A, B, C funded from same wallet
    - A, B, C have correlated order timing

    Conclusion: likely coordinated wash trading ring

Researchers have proposed iterative network-based procedures for wash trading detection, based on the observation that wash traders form approximately closed clusters of colluding counterparties who seldom transact with legitimate market participants.
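The block below is an added example (constructed data, not any exchange's or paper's code) of the Level 3 approach: trades become a directed graph, closed loops seed a candidate ring, an iterative "closed cluster" refinement keeps only accounts that trade mostly with each other, and onboarding metadata (IP, funding wallet) corroborates the result. The refinement is a simplified illustration of the idea described above, not any published procedure's exact algorithm, and the timing-correlation signal is left out.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Added illustration with constructed data: cycle seeds, closed-cluster refinement
# (simplified, not a published algorithm), and metadata corroboration.

@dataclass(frozen=True)
class Trade:
    seller: str
    buyer: str
    qty: float

def find_cycles(trades: List[Trade], max_len: int = 4) -> List[Tuple[str, ...]]:
    """Directed cycles seller -> buyer -> ... -> seller of length 2..max_len, each
    reported once, rotated to start at its lexically smallest account."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for t in trades:
        adj[t.seller].add(t.buyer)
    found: Set[Tuple[str, ...]] = set()

    def walk(start: str, node: str, path: List[str]) -> None:
        for nxt in adj.get(node, ()):
            if nxt == start and len(path) >= 2:
                i = path.index(min(path))
                found.add(tuple(path[i:] + path[:i]))
            elif nxt not in path and len(path) < max_len:
                walk(start, nxt, path + [nxt])

    for start in list(adj):
        walk(start, start, [start])
    return sorted(found)

def closed_cluster(trades: List[Trade], seed: Iterable[str],
                   min_internal_share: float = 0.8, max_iter: int = 20) -> Set[str]:
    """From the seed, repeatedly drop members whose volume is mostly outside the
    cluster and add outsiders whose volume is mostly inside it, until stable."""
    vol: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for t in trades:
        vol[t.seller][t.buyer] += t.qty
        vol[t.buyer][t.seller] += t.qty

    def internal_share(acct: str, members: Set[str]) -> float:
        total = sum(vol[acct].values())
        inside = sum(q for other, q in vol[acct].items() if other in members and other != acct)
        return inside / total if total else 0.0

    cluster = set(seed)
    for _ in range(max_iter):
        kept = {a for a in cluster if internal_share(a, cluster) >= min_internal_share}
        neighbours = {o for a in kept for o in vol[a]} - kept
        grown = {n for n in neighbours if internal_share(n, kept) >= min_internal_share}
        nxt = kept | grown
        if nxt == cluster:
            break
        cluster = nxt
    return cluster

def shared_attributes(cluster: Set[str], meta: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Per attribute, the size of the largest group of members sharing one value."""
    out: Dict[str, int] = {}
    for attr in sorted({k for a in cluster for k in meta.get(a, {})}):
        counts: Dict[str, int] = defaultdict(int)
        for a in cluster:
            if attr in meta.get(a, {}):
                counts[meta[a][attr]] += 1
        out[attr] = max(counts.values(), default=0)
    return out

def investigate(trades: List[Trade], meta: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Seed from closed loops, refine, then require one attribute shared by the whole cluster."""
    cycles = find_cycles(trades)
    seed = {a for c in cycles for a in c}
    cluster = closed_cluster(trades, seed) if seed else set()
    shared = shared_attributes(cluster, meta)
    corroborated = len(cluster) >= 2 and any(n == len(cluster) for n in shared.values())
    return {"cycles": cycles, "cluster": sorted(cluster), "shared": shared,
            "verdict": "likely coordinated wash trading ring" if corroborated else "no ring"}

# Constructed data: A, B, C pass 100 units around a loop with one small trade to an
# outsider D; D, E, F, G trade among themselves in an acyclic pattern.
TRADES = [
    Trade("A", "B", 100), Trade("B", "C", 100), Trade("C", "A", 100),
    Trade("A", "D", 5),
    Trade("D", "E", 40), Trade("D", "F", 30), Trade("E", "G", 25), Trade("F", "G", 20),
]
# Constructed onboarding attributes (documentation IP ranges, placeholder wallet ids)
META = {
    "A": {"ip": "203.0.113.7", "funding_wallet": "wallet-w1"},
    "B": {"ip": "203.0.113.7", "funding_wallet": "wallet-w1"},
    "C": {"ip": "203.0.113.7", "funding_wallet": "wallet-w1"},
    "D": {"ip": "198.51.100.4", "funding_wallet": "wallet-w2"},
    "E": {"ip": "198.51.100.9", "funding_wallet": "wallet-w3"},
}

if __name__ == "__main__":
    print(investigate(TRADES, META))
```

Two-account loops are common between honest counterparties (a market maker buys from and sells to the same taker all day), so the loop alone only seeds the candidate set; the cluster step and the shared-attribute check are what turn a seed into an alert worth an analyst's time.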

Level 4: Cross-Venue Analysis

The most sophisticated operations wash-trade across multiple venues to avoid single-exchange detection. Cross-venue surveillance correlates activity across exchanges, matching:

  • Timing patterns across venues
  • Wallet funding sources (on-chain)
  • API key usage patterns
  • KYC identity matches

4. How Spoofing & Layering Detection Works

Spoofing detection analyzes the relationship between orders placed and orders executed, looking for patterns of deceptive intent.

Order-to-Trade Ratio (OTR)

The most basic metric. A high ratio of orders placed to orders executed suggests many orders are being placed without intent to trade.

OTR = Orders Placed / Orders Executed

Normal market maker:   OTR = 5-15x
Aggressive algo:       OTR = 20-50x
Potential spoofer:     OTR = 100x+

Note: high OTR alone isn't proof. Market makers legitimately
cancel orders as conditions change. Context matters.

Cancel Rate Analysis

Spoofers cancel orders quickly — often within milliseconds of placement. Detection systems track:

  • Cancel-to-fill ratio: orders cancelled vs. filled
  • Time-to-cancel: how quickly orders are pulled
  • Cancel clustering: cancels concentrated in short windows

Spoofing Signature:

Time    Action              Size      Price     Lifetime
10:00:00.001  PLACE SELL   1000 BTC  $60,500   ─┐
10:00:00.002  PLACE SELL   1000 BTC  $60,400    │
10:00:00.003  PLACE SELL   1000 BTC  $60,300    │ 200ms
10:00:00.004  PLACE BUY     50 BTC   $60,100    │ ← real order
10:00:00.200  CANCEL SELL  1000 BTC  $60,500   ─┘
10:00:00.201  CANCEL SELL  1000 BTC  $60,400
10:00:00.202  CANCEL SELL  1000 BTC  $60,300

Pattern: large orders placed, small order filled, large orders cancelled
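As an added example (not the page's code and not any venue's real feed), the block below computes the order-to-trade ratio, time-to-cancel, and the signature just described over a constructed order event log modelled on the timeline above. The log format, the account names `acc-spoof` and `acc-mm`, the 500 ms window and the 10x size ratio are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List

# Added illustration over a constructed order event log: OTR, time-to-cancel and the
# "large orders placed, small opposite order filled, large orders cancelled" signature.
# Log format, account names and thresholds are assumptions, not a venue's real feed.

@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str    # PLACE | CANCEL | FILL
    order_id: str
    side: str      # BUY | SELL
    qty: float
    price: float

def parse_log(lines: List[str]) -> List[Event]:
    """Lines look like 'YYYY-MM-DDTHH:MM:SS.mmm account ACTION order_id SIDE qty price'."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, account, action, oid, side, qty, price = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
                            account, action, oid, side, float(qty), float(price)))
    return sorted(events, key=lambda e: e.ts)

def order_to_trade_ratio(events: List[Event], account: str) -> float:
    """OTR = orders placed / orders that received a fill (inf if nothing filled)."""
    placed = sum(1 for e in events if e.account == account and e.action == "PLACE")
    filled = len({e.order_id for e in events if e.account == account and e.action == "FILL"})
    return placed / filled if filled else float("inf")

def _ms(delta: timedelta) -> int:
    return delta.days * 86_400_000 + delta.seconds * 1000 + delta.microseconds // 1000

def cancel_lifetimes_ms(events: List[Event], account: str) -> List[int]:
    """Milliseconds each cancelled order of the account rested on the book."""
    placed: Dict[str, datetime] = {}
    lifetimes = []
    for e in events:
        if e.account != account:
            continue
        if e.action == "PLACE":
            placed[e.order_id] = e.ts
        elif e.action == "CANCEL" and e.order_id in placed:
            lifetimes.append(_ms(e.ts - placed[e.order_id]))
    return lifetimes

def spoof_signatures(events: List[Event], window_ms: int = 500,
                     size_ratio: float = 10.0) -> List[dict]:
    """A fill whose account placed opposite-side orders at least size_ratio times
    larger within window_ms before it and cancelled them within window_ms after it."""
    window = timedelta(milliseconds=window_ms)
    cancelled_at = {(e.account, e.order_id): e.ts for e in events if e.action == "CANCEL"}
    hits = []
    for fill in (e for e in events if e.action == "FILL"):
        decoys = [
            p for p in events
            if p.action == "PLACE" and p.account == fill.account and p.side != fill.side
            and fill.ts - window <= p.ts <= fill.ts and p.qty >= size_ratio * fill.qty
            and (p.account, p.order_id) in cancelled_at
            and timedelta(0) <= cancelled_at[(p.account, p.order_id)] - fill.ts <= window
        ]
        if decoys:
            hits.append({"account": fill.account, "filled_order": fill.order_id,
                         "filled_qty": fill.qty, "decoy_orders": [d.order_id for d in decoys],
                         "decoy_qty": sum(d.qty for d in decoys)})
    return hits

def profile(events: List[Event], account: str) -> Dict[str, object]:
    """Per-account summary an analyst would look at when an alert fires."""
    lifetimes = cancel_lifetimes_ms(events, account)
    return {"otr": order_to_trade_ratio(events, account),
            "median_ms_to_cancel": median(lifetimes) if lifetimes else None,
            "spoof_signatures": sum(1 for h in spoof_signatures(events) if h["account"] == account)}

# Constructed log: acc-spoof reproduces the pattern above; acc-mm is an honest market
# maker that also cancels most of its quotes, but over seconds rather than milliseconds.
LOG = """
2025-01-15T10:00:00.001 acc-spoof PLACE s1 SELL 1000 60500
2025-01-15T10:00:00.002 acc-spoof PLACE s2 SELL 1000 60400
2025-01-15T10:00:00.003 acc-spoof PLACE s3 SELL 1000 60300
2025-01-15T10:00:00.004 acc-spoof PLACE b1 BUY 50 60100
2025-01-15T10:00:00.050 acc-spoof FILL b1 BUY 50 60100
2025-01-15T10:00:00.200 acc-spoof CANCEL s1 SELL 1000 60500
2025-01-15T10:00:00.201 acc-spoof CANCEL s2 SELL 1000 60400
2025-01-15T10:00:00.202 acc-spoof CANCEL s3 SELL 1000 60300
2025-01-15T10:00:01.000 acc-mm PLACE m1 BUY 2 60090
2025-01-15T10:00:01.000 acc-mm PLACE m2 SELL 2 60110
2025-01-15T10:00:03.500 acc-mm FILL m1 BUY 2 60090
2025-01-15T10:00:04.000 acc-mm CANCEL m2 SELL 2 60110
2025-01-15T10:00:04.001 acc-mm PLACE m3 SELL 2 60100
2025-01-15T10:00:09.001 acc-mm CANCEL m3 SELL 2 60100
"""
EVENTS = parse_log(LOG.strip().splitlines())

if __name__ == "__main__":
    for acct in ("acc-spoof", "acc-mm"):
        print(acct, profile(EVENTS, acct))
```

On this sample both accounts have a similar OTR, which is the point the note above makes: the ratio alone does not separate the market maker from the spoofer. The lifetime distribution (hundreds of milliseconds versus seconds) and the placed-opposite-filled-cancelled sequence are what discriminate.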

Book Pressure Analysis

Sophisticated systems look at the impact of orders on the book:

  • Was a large order placed on one side while the trader executed on the opposite side?
  • Did the order book return to its prior state after the orders were cancelled?
  • Was the price movement reversed once the large orders disappeared?

Intent Modeling

Modern surveillance uses machine learning to model trader intent. Rather than hard-coding rules ("cancel rate > X = alert"), ML models learn the difference between legitimate market-making behavior and spoofing by analyzing:

  • Full order lifecycle (place, modify, cancel, fill)
  • Order size relative to typical market depth
  • Temporal patterns (how orders relate to price movements)
  • Cross-instrument patterns (spoofing futures to move spot)

5. Front-Running and MEV

TradFi Front-Running

In traditional markets, front-running is straightforward: a broker sees a client's large buy order, buys ahead of it, then profits when the client order pushes the price up.

It's illegal everywhere. The remedies are well-established: information barriers (Chinese walls), trade surveillance on employee accounts, time-stamped order routing, and severe penalties.

Crypto MEV

Crypto introduced a fundamentally different front-running vector: MEV (Maximal Extractable Value). Because blockchain transactions sit in a public mempool before confirmation, anyone can see pending trades and insert their own transactions before or after them.

Sandwich Attack:

1. Victim submits:  BUY 100 ETH on Uniswap (visible in mempool)
2. Attacker inserts: BUY 50 ETH  (front-run, pushes price up)
3. Victim's trade:   BUY 100 ETH (executes at worse price)
4. Attacker inserts: SELL 50 ETH (back-run, captures the spread)

Attacker profit: price impact on 50 ETH
Victim cost: worse execution on 100 ETH

Scale: Sandwich attacks constituted $290 million — over 50% of total MEV volume ($562 million) in 2025 on Ethereum alone. On Solana, sandwich bots extracted $370-500 million over 16 months from January 2024 to May 2025.

MEV Countermeasures

Approach                  | How It Works                       | Examples
--------------------------|------------------------------------|------------------------------------------
Private transaction pools | Bypass public mempool              | Flashbots Protect ($43B+ protected)
Batch auctions            | Execute at uniform clearing price  | CowSwap
Fair sequencing           | Order by timestamp, not gas        | Arbitrum, Optimism (experimental)
Encrypted mempools        | Hide tx details until confirmation | Shutter Network, threshold encryption
MEV-aware routing         | Route through MEV-protected relays | MEV Blocker, various wallet integrations

How Exchanges Prevent Internal Front-Running

Centralized exchanges face a different but equally serious risk: employees or systems with access to the order book trading ahead of users.

Defenses include:

  • Information barriers: Matching engine operators cannot trade on the platform
  • Employee trading restrictions: Personal trading must go through compliance pre-clearance
  • Audit trails: Every order book access is logged and monitored
  • Latency fairness: Randomized or batched order processing to prevent timing advantages
  • Encrypted order flow: Orders encrypted in transit so infrastructure operators cannot read them

6. Surveillance Technology Stack

Enterprise Platforms

Platform          | Origin          | Key Capabilities                                                         | Notable Clients
------------------|-----------------|--------------------------------------------------------------------------|--------------------------------
Nasdaq SMARTS     | TradFi (Nasdaq) | Cross-market surveillance, pattern detection, regulatory reporting       | 50+ exchanges globally, CFTC
Eventus Validus   | TradFi/Crypto   | Configurable alert rules, multi-asset coverage, crypto-native since 2018 | Leading crypto exchanges
Solidus Labs HALO | Crypto-native   | Trade surveillance, transaction monitoring, threat intelligence (T3)     | CFTC GMAC advisor, CMIC founder
TradeVigilant     | TradFi          | Real-time monitoring, compliance workflows                               | Regional exchanges

Nasdaq SMARTS

The gold standard in TradFi surveillance, now actively expanding into crypto. The CFTC adopted Nasdaq surveillance technology to monitor crypto derivatives markets. SMARTS analyzes trading patterns across multiple venues simultaneously, flagging anomalies that individual exchanges might miss.

Key capabilities:

  • Cross-market pattern detection
  • Spoofing and layering alerts
  • Wash trading identification
  • Insider trading correlation
  • Regulatory reporting automation

Eventus Validus

Built for both TradFi and crypto from the start. Leading crypto exchanges have used Validus since 2018 to demonstrate regulatory readiness in licensing applications, showing regulators they have robust trade surveillance before approval.

Key capabilities:

  • Configurable alert logic (no black-box approach)
  • Multi-asset coverage (spot, derivatives, DeFi)
  • Case management and investigation workflows
  • Regulatory audit trail

Solidus Labs HALO

The most crypto-native of the enterprise platforms. HALO combines trade surveillance, transaction monitoring, and threat intelligence into a unified platform — what Solidus calls the "T3" approach.

Key capabilities:

  • AI-driven intent modeling (analyzes why a trader acts, not just what they did)
  • Trader profile anomaly detection
  • Liquidity metric analysis
  • Cross-chain threat intelligence
  • Founding member of the Crypto Market Integrity Coalition (CMIC)

Custom Systems

Many large exchanges build proprietary surveillance on top of their matching engine data. The advantage: direct access to order-level data without vendor API latency. The disadvantage: significant engineering investment and the need to keep pace with evolving manipulation techniques.

Typical Custom Architecture:

┌─────────────┐     ┌──────────────┐     ┌────────────┐
│  Matching    │────>│  Event       │────>│  Detection  │
│  Engine      │     │  Stream      │     │  Engine     │
│  (orders +   │     │  (Kafka/     │     │  (rules +   │
│   trades)    │     │   Kinesis)   │     │   ML models)│
└─────────────┘     └──────────────┘     └─────┬──────┘

                                               v
                                         ┌────────────┐
                                         │  Alert      │
                                         │  Dashboard  │
                                         │  + Case Mgmt│
                                         └─────┬──────┘

                                               v
                                         ┌────────────┐
                                         │  Compliance │
                                         │  Team       │
                                         │  (review +  │
                                         │   escalate) │
                                         └────────────┘

7. On-Chain Analytics Integration

Crypto surveillance has a unique advantage over TradFi: blockchain transparency. On-chain analytics platforms supplement traditional order book surveillance with wallet-level intelligence.

How On-Chain Data Supplements Order Book Surveillance

Order Book Surveillance                 | On-Chain Analytics                                  | Combined Insight
----------------------------------------|-----------------------------------------------------|---------------------------------------
Detects wash trading patterns in trades | Links accounts to common funding wallets            | Confirms coordination across accounts
Flags unusual volume spikes             | Tracks token movements before listing               | Identifies insider trading
Monitors spoofing in the order book     | Traces proceeds after manipulation                  | Maps the full lifecycle of abuse
Detects pump patterns in price/volume   | Monitors social media wallets & influencer activity | Connects promoters to profit-taking

Key Platforms

Chainalysis KYT (Know Your Transaction)

  • Real-time transaction monitoring with alerts within seconds
  • Risk scoring for deposits and withdrawals
  • Coverage across 35+ blockchains
  • Direct integration into exchange compliance workflows
  • ~40% market share in blockchain intelligence

TRM Labs

  • AI-native approach to blockchain intelligence
  • Dynamic risk scoring that adapts to emerging threats
  • All-in-one stack: monitoring, investigations, case management
  • Appointed to CFTC advisory committees

Elliptic

  • Entity-level risk assessment
  • AI-powered network analysis for tracing suspicious flows
  • Strong European regulatory focus (valuable for MiCA compliance)
  • Specializes in minimizing compliance friction

Integration Architecture

Exchange Surveillance Stack:

┌──────────────────────────────────────────┐
│              Order Book Layer             │
│  ┌─────────┐  ┌──────────┐  ┌─────────┐ │
│  │ Trade    │  │ Order    │  │ Account │ │
│  │ Surveil. │  │ Surveil. │  │ Linking │ │
│  └────┬────┘  └────┬─────┘  └────┬────┘ │
│       └────────────┼─────────────┘       │
│                    v                     │
│           ┌───────────────┐              │
│           │  Alert Engine │              │
│           └───────┬───────┘              │
└───────────────────┼──────────────────────┘

          ┌─────────┼─────────┐
          v         v         v
┌──────────┐ ┌──────────┐ ┌──────────┐
│Chainalysis│ │ TRM Labs │ │ Elliptic │
│   KYT    │ │          │ │          │
└──────────┘ └──────────┘ └──────────┘
     │              │            │
     v              v            v
┌──────────────────────────────────────┐
│         On-Chain Layer               │
│  Wallet clustering, fund tracing,    │
│  sanctions screening, risk scoring   │
└──────────────────────────────────────┘

The key insight: on-chain analytics answer questions that order book surveillance cannot. When you detect suspicious trading, on-chain data tells you whether the accounts are funded from the same source, whether proceeds flow to sanctioned entities, and whether the pattern extends to other venues.


8. Regulatory Frameworks

United States: SEC & FINRA

The US regulatory approach to crypto surveillance has evolved rapidly.

FINRA established dedicated crypto surveillance infrastructure:

  • Crypto Asset Investigations (CAI) team — conducts investigations related to crypto assets
  • Crypto Asset Surveillance Team (CAST) — leads market surveillance for crypto and crypto-related products
  • Blockchain Lab — provides technical blockchain analysis capability

FINRA actively monitors for pump-and-dump schemes in crypto asset securities traded on registered ATSs and investigates situations where individuals exploit investor interest in crypto to perpetrate market abuse.

SEC enforcement priorities include:

  • Wash trading on crypto platforms (charged four market makers in October 2024 for generating artificial token trading volume, with three more enforcement actions in the first half of 2025)
  • Insider trading around token listings
  • Market manipulation via social media
  • Unregistered securities offerings as manipulation vehicles

European Union: MiCA

The Markets in Crypto-Assets Regulation (MiCA) is the most comprehensive crypto-specific market abuse framework globally.

Key provisions (Title VI — Market Abuse):

  • Prohibits insider dealing, unlawful disclosure of inside information, and market manipulation
  • Applies to all transactions in crypto-assets, whether on or off a trading platform
  • Requires all entities that "professionally organize or execute transactions" to implement detection and prevention systems
  • ESMA issued supervisory guidelines in April 2025 (effective by June 30, 2025) establishing standards for National Competent Authorities

What MiCA explicitly covers that previous frameworks didn't:

  • MEV strategies as potential market manipulation
  • Social media-driven manipulation campaigns
  • Cross-chain manipulation patterns
  • DeFi-to-CeFi manipulation flows

Singapore: MAS

Singapore's Monetary Authority enacted significant crypto market integrity rules effective June 30, 2025, under the Financial Services and Markets Act (FSMA).

Key requirements:

  • Digital Token Service Providers (DTSPs) must be licensed — even if serving only overseas customers
  • Explicit prohibitions on unfair trading practices including wash trading
  • Consumer protection measures (e.g., prohibition on leverage for retail crypto trading)
  • Penalties: up to S$200,000 in fines and/or imprisonment

Other Jurisdictions

Jurisdiction | Framework                          | Status
-------------|------------------------------------|-----------------------------------------------------------
Japan        | FSA / Payment Services Act         | Mature — crypto exchange registration since 2017
Hong Kong    | SFC licensing regime               | Active — virtual asset trading platform licensing required
UAE          | VARA (Dubai), ADGM (Abu Dhabi)     | Growing — comprehensive frameworks in place
UK           | FCA registration + upcoming regime | Transitional — full crypto market abuse regime expected
Australia    | ASIC oversight                     | Developing — consultation on crypto-specific rules

The Convergence

The direction is clear: every major jurisdiction is moving toward requiring crypto exchanges to implement TradFi-grade surveillance. The gap between "crypto exchange" and "regulated trading venue" is closing fast. Exchanges that build surveillance infrastructure now are positioning themselves for the regulatory environment of 2027+.


9. Case Studies

The Griffin-Shams Paper: 2017 Bitcoin Price Manipulation

What happened: University of Texas professors John Griffin and Amin Shams published a landmark paper (later peer-reviewed in the Journal of Finance) alleging that Tether issuance on Bitfinex was used to manipulate Bitcoin's price during the 2017 bull run.

Key findings:

  • A single entity on Bitfinex appeared to move Bitcoin's price upward when it dropped below certain thresholds
  • The 1% of hours with the largest Tether flows from Bitfinex to other exchanges (Bittrex, Poloniex) accounted for ~60% of Bitcoin's gains over 13 months
  • The researchers concluded that "instead of thousands of investors moving the price of Bitcoin, it's just one large one"

Bitfinex response: General Counsel Stuart Hoegner called the paper "foundationally flawed" and based on "an insufficient data set."

Outcome: Bitfinex and Tether settled with the New York Attorney General in 2021, paying $18.5 million in penalties without admitting wrongdoing. The case fundamentally shaped how regulators view crypto market integrity.

Surveillance lesson: Cross-venue flow analysis — tracking how stablecoin issuance correlates with price movements — is now a standard surveillance technique.

Mango Markets Exploit (2022)

What happened: In October 2022, Avraham Eisenberg manipulated the price of MNGO perpetual futures on Mango Markets (a Solana-based DEX) to inflate his collateral value, then used that inflated collateral to borrow over $100 million from the protocol.

The mechanics:

  1. Eisenberg took a massive long position in MNGO-PERP
  2. He simultaneously bought MNGO on spot markets to drive the oracle price up
  3. As the oracle price rose, his perpetual position showed enormous unrealized profit
  4. He used this "profit" as collateral to borrow all available assets from Mango's lending pools
  5. He drained approximately $110 million from the protocol

Legal aftermath:

  • Convicted by jury in April 2024 on wire fraud, commodities fraud, and commodities manipulation
  • In May 2025, a federal judge overturned all criminal convictions, ruling that prosecutors failed to establish proper venue (Eisenberg was in Puerto Rico, not New York) and hadn't proven sufficient evidence for wire fraud
  • Still faces civil suits from both SEC and CFTC

Surveillance lesson: Oracle manipulation is a crypto-specific attack vector. Surveillance systems need to monitor not just order book activity but also the oracle feeds that DeFi protocols depend on. Cross-market manipulation (spot to derivatives to lending) requires holistic surveillance.

The 2010 Flash Crash — Spoofing's Poster Child

What happened: On May 6, 2010, Navinder Sarao ran a custom spoofing program ("Dynamic Layering") from his parents' house in London, placing and canceling massive sell orders on E-mini S&P 500 futures.

Impact: The Dow Jones plunged nearly 1,000 points in minutes — nearly $1 trillion in market value evaporated briefly. Individual stocks traded at absurd prices (Accenture briefly hit $0.01).

Outcome:

  • Arrested in 2015 (five years after the incident)
  • Pled guilty to electronic fraud and spoofing in 2016
  • Ordered to pay $38.6 million in civil penalties
  • Permanently banned from trading
  • Sentenced to one year of home confinement (no prison) due to cooperation and Asperger's diagnosis

Surveillance lesson: Sarao's spoofing was visible in the data — extreme order-to-trade ratios, rapid cancellations, consistent pattern. But it took years to identify because cross-market surveillance tools were immature. Modern systems would flag this in minutes.

SEC vs. Market Makers (2024-2025)

What happened: In October 2024, the SEC charged four market makers for wash trading — generating artificial volume in crypto tokens. Three additional enforcement actions followed in early 2025.

Significance: This represented the SEC's clearest signal that wash trading enforcement in crypto would follow the same playbook as TradFi. The charges weren't based on novel legal theories — they applied existing anti-manipulation statutes to crypto market-making activity.

Surveillance lesson: The "crypto is different" defense for wash trading is dead. Regulators now have the tools and legal frameworks to prosecute crypto market manipulation with the same vigor as traditional markets.


10. Building a Surveillance Program

For a crypto exchange moving from zero to a production surveillance program, here's what you need.

People

Role                       | Responsibility                                             | Minimum Team
---------------------------|------------------------------------------------------------|-------------
Head of Surveillance / CCO | Owns the program, reports to board/regulators              | 1
Surveillance Analysts      | Monitor alerts, triage false positives, escalate           | 2-4
Investigators              | Deep-dive into escalated cases, prepare regulatory filings | 1-2
Surveillance Engineers     | Build and maintain detection systems, tune models          | 2-3
Compliance Counsel         | Legal review of investigations, regulatory liaison         | 1

A small exchange can start with 3-4 people covering multiple roles. A large exchange might have 20+ in the surveillance function.

Technology

Must-have (Day 1):

  • Self-trade prevention in the matching engine
  • Basic wash trading detection (volume patterns, account linking)
  • On-chain analytics integration (Chainalysis KYT or equivalent)
  • Alert dashboard and case management
  • Audit trail for all surveillance actions

Should-have (Year 1):

  • Enterprise surveillance platform (Solidus HALO, Eventus Validus, or Nasdaq SMARTS)
  • Spoofing and layering detection
  • Cross-market surveillance capability
  • Machine learning models for anomaly detection
  • Automated regulatory reporting

Nice-to-have (Mature program):

  • Custom ML models trained on your market's specific patterns
  • Real-time social media monitoring for pump-and-dump signals
  • Cross-exchange data sharing agreements
  • Threat intelligence feeds
  • Red team exercises (simulated manipulation attempts)

Process

Alert Lifecycle:

┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐
│ Detection │────>│  Triage  │────>│ Investig-│────>│ Action   │
│           │     │          │     │  ation   │     │          │
│ - Rules   │     │ - L1     │     │ - L2/L3  │     │ - Warn   │
│ - ML      │     │   analyst│     │   deep   │     │ - Suspend│
│ - On-chain│     │ - False  │     │   dive   │     │ - Ban    │
│           │     │   pos    │     │ - Evidence│     │ - Report │
│           │     │   filter │     │   gather │     │   to reg │
└──────────┘     └──────────┘     └──────────┘     └──────────┘
     │                                                    │
     │              Feedback Loop                         │
     └────────────────────────────────────────────────────┘
              (tuning rules based on outcomes)

Key processes to document:

  1. Alert triage SLA — How quickly must analysts review alerts? (Typical: 24 hours for standard, 1 hour for critical)
  2. Escalation criteria — When does an alert become an investigation? When does an investigation become a regulatory filing?
  3. Evidence preservation — How are order logs, trade data, communications, and on-chain records preserved for investigations?
  4. Regulatory reporting — Suspicious Activity Reports (SARs), Suspicious Transaction Reports (STRs), and jurisdiction-specific filings
  5. Feedback loop — How do investigation outcomes feed back into detection tuning? False positive rates should decrease over time.
  6. Periodic review — Annual (minimum) review of surveillance parameters, detection coverage, and program effectiveness

Metrics That Matter

Metric                        | What It Tells You
------------------------------|-----------------------------------------------------
Alert volume per day          | Is your system too noisy or too quiet?
False positive rate           | Are analysts drowning in bad alerts? (Target: <70%)
Mean time to triage           | Are alerts being reviewed promptly?
Investigation-to-action ratio | Are investigations leading to real enforcement?
Detection coverage            | Which manipulation types can you actually detect?
Regulatory filing count       | Are you meeting reporting obligations?
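The block below is an added example, not the page's or any vendor's code, that computes these metrics over a constructed alert queue and closes the feedback loop from the process list above by reporting the false-positive rate per rule against the 70% target. The alert ids, rule names (`otr_gt_100`, `self_trade_loop`), dispositions and the two-day window are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Added illustration: dashboard metrics over a constructed alert queue. Alert ids,
# rule names, dispositions and the two-day window are assumptions.

MANIPULATION_TYPES = ["wash_trading", "spoofing_layering", "front_running",
                      "pump_and_dump", "insider_trading", "market_cornering"]

@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str
    created: datetime
    triaged: Optional[datetime]     # None while still in the L1 queue
    disposition: str                # "false_positive" | "escalated" | "pending"
    action: Optional[str] = None    # warn | suspend | ban | report, once an investigation concludes

def program_metrics(alerts: List[Alert], rule_types: Dict[str, str], days: int,
                    fp_target: float = 0.70) -> Dict[str, object]:
    """rule_types maps each detection rule to the manipulation type it targets, so
    detection coverage can be measured against MANIPULATION_TYPES."""
    closed = [a for a in alerts if a.disposition in ("false_positive", "escalated")]
    triaged = [a for a in alerts if a.triaged is not None]
    escalated = [a for a in alerts if a.disposition == "escalated"]
    fp_total = sum(1 for a in closed if a.disposition == "false_positive")

    # Feedback loop: the per-rule false-positive rate tells engineers what to tune
    per_rule: Dict[str, List[Alert]] = defaultdict(list)
    for a in closed:
        per_rule[a.rule].append(a)
    fp_by_rule = {r: sum(1 for a in lst if a.disposition == "false_positive") / len(lst)
                  for r, lst in per_rule.items()}

    covered = set(rule_types.values())
    return {
        "alerts_per_day": len(alerts) / days,
        "false_positive_rate": fp_total / len(closed) if closed else 0.0,
        "mean_time_to_triage_h": (sum((a.triaged - a.created).total_seconds() for a in triaged)
                                  / 3600 / len(triaged)) if triaged else None,
        "investigation_to_action_ratio": (sum(1 for a in escalated if a.action) / len(escalated)
                                          if escalated else 0.0),
        "detection_coverage": len(covered & set(MANIPULATION_TYPES)) / len(MANIPULATION_TYPES),
        "uncovered_types": sorted(set(MANIPULATION_TYPES) - covered),
        "rules_to_tune": sorted(r for r, rate in fp_by_rule.items() if rate > fp_target),
        "regulatory_filings": sum(1 for a in escalated if a.action == "report"),
    }

def _d(day: int, hh: int, mm: int) -> datetime:
    return datetime(2025, 1, day, hh, mm)

# Constructed two-day queue: an OTR rule that only produces noise and a wash loop rule
# whose alerts escalate; one alert is still untriaged.
RULE_TYPES = {"otr_gt_100": "spoofing_layering", "self_trade_loop": "wash_trading"}
ALERTS = [
    Alert("a1", "otr_gt_100", _d(15, 9, 0), _d(15, 9, 30), "false_positive"),
    Alert("a2", "self_trade_loop", _d(15, 10, 0), _d(15, 12, 0), "escalated", "suspend"),
    Alert("a3", "otr_gt_100", _d(15, 11, 0), _d(15, 11, 30), "false_positive"),
    Alert("a4", "otr_gt_100", _d(15, 15, 0), _d(15, 16, 0), "false_positive"),
    Alert("a5", "self_trade_loop", _d(16, 9, 0), _d(16, 10, 0), "escalated"),
    Alert("a6", "otr_gt_100", _d(16, 12, 0), None, "pending"),
]

if __name__ == "__main__":
    for k, v in program_metrics(ALERTS, RULE_TYPES, days=2).items():
        print(f"{k:32} {v}")
```

Pending alerts are deliberately excluded from the false-positive denominator so an untriaged backlog cannot make the rate look better; they still count toward alert volume, which is the metric that exposes the backlog.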

The Cold Start Problem

New exchanges face a chicken-and-egg problem: you need historical data to train models, but you don't have historical data when you launch. Solutions:

  1. Start with rule-based detection — Hard thresholds (cancel rate > X, OTR > Y) work without training data
  2. Use vendor models — Enterprise platforms come pre-trained on manipulation patterns from other venues
  3. Import synthetic data — Generate realistic order book data with known manipulation patterns to test your systems
  4. Iterate fast — Move to ML-based detection once you have 3-6 months of real trading data

Summary

Market surveillance isn't optional for any exchange that wants to be taken seriously — by regulators, by institutional traders, or by retail users who deserve fair markets.

The technology exists. The regulatory mandates are clear. The case studies demonstrate what happens when surveillance fails.

The exchanges that invest in robust surveillance programs don't just avoid regulatory risk. They build markets where genuine price discovery happens, where spreads tighten because market makers trust the venue, and where the next generation of crypto traders can participate on a level playing field.

That's worth building for.