Overview: What Crypto AML Screening Is and Who Needs It

Anti-money laundering screening in crypto means using blockchain analytics tools to assess whether a wallet address or transaction has a history linked to illicit activity — darknet markets, ransomware, sanctioned entities, mixers, or fraud. The goal is not to surveil all users; it is to identify whether specific funds have been proximate to known criminal activity, and to what degree.

Blockchain Analytics, Risk Scoring, FATF Travel Rule, Sanctions Screening, Mixer Detection

Who is required to screen

Regulated entities — centralised exchanges, custodians, payment processors, and increasingly DeFi protocols in regulated jurisdictions — face legal obligations under AML/CFT frameworks. The FATF's updated guidance (fatf-gafi.org) treats virtual asset service providers (VASPs) as obligated entities equivalent to traditional financial institutions.

Exchanges, Custodians, Payment processors

Who benefits from voluntary screening

Individual users receiving large transfers, DeFi protocols managing treasury funds, and DAOs accepting contributions can use blockchain analytics proactively to avoid unknowingly accepting tainted funds — which could create downstream compliance problems or asset freezes.

DeFi protocols, DAOs, Individual users

Operational truth: Screening is not about passing judgment on users. It is about understanding the provenance of funds to meet legal obligations and protect your platform from processing criminal proceeds. A clear, documented screening policy protects both compliance staff and users.

How Blockchain Analytics Work: Tracing Funds On-Chain

Blockchain analytics firms build entity databases by clustering addresses they believe are controlled by the same entity — exchanges, mixers, darknet markets, ransomware wallets — and then trace transaction flows through the graph to calculate how "close" any given address is to those known entities. The methodology is explained in Chainalysis's public research blog and Elliptic's blog.

Heuristic clustering

The most widely used clustering method is "common input ownership" — the assumption that if multiple addresses are used as inputs in the same transaction, they are likely controlled by the same entity. Analytics firms combine this with proprietary intelligence, exchange deposit patterns, and public information to assign addresses to named clusters.

Common input heuristic, Exchange deposits, Proprietary intelligence

Direct vs indirect exposure

Direct exposure means your address has transacted directly with a known illicit entity. Indirect exposure means a counterparty of yours has done so. Most tools distinguish these and weight them differently — a single hop from a mixer is treated as far more concerning than a third-degree connection through a legitimate exchange.

Direct: 1 hop; Indirect: 2+ hops; Hop distance matters

Limitation to understand: Clustering heuristics are probabilistic, not certain. False positives occur — especially for CoinJoin transactions, exchange hot wallets shared across users, and multi-signature setups. Always treat a risk score as input to a decision, not the decision itself.
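
The common-input heuristic, hop counting and the CoinJoin false positive described above, shown as an added example (not code from this page's authors or from any analytics vendor). The transactions, address names and the single "mixer" label are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data, not real chain history. Address names are made up.
TXS = [
    {"id": "t1", "inputs": ["A1", "A2"], "outputs": ["M1"]},  # A pays the mixer
    {"id": "t2", "inputs": ["M1", "M2"], "outputs": ["X9"]},  # mixer co-spend
    # CoinJoin-like: three unrelated owners each contribute one input.
    {"id": "t3", "inputs": ["A2", "C1", "D1"], "outputs": ["A3", "C2", "D2"]},
    {"id": "t4", "inputs": ["Z1"], "outputs": ["Z2"]},        # unrelated
]
LABELS = {"M1": "mixer"}  # assumed attribution for a single address


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster(txs, skip=()):
    """Common input ownership: merge all input addresses of each transaction.
    Transactions whose id is in `skip` stay unmerged (e.g. known CoinJoins)."""
    uf = UnionFind()
    for tx in txs:
        if tx["id"] in skip:
            continue
        for other in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], other)
    return uf


def hops_to_label(txs, uf, labels, start, wanted):
    """Shortest hop count from start's cluster to a cluster labelled `wanted`.
    Direction and amounts are ignored; returns None when no path exists."""
    flagged = {uf.find(a) for a, lab in labels.items() if lab == wanted}
    edges = defaultdict(set)
    for tx in txs:
        for i in tx["inputs"]:
            for o in tx["outputs"]:
                a, b = uf.find(i), uf.find(o)
                if a != b:
                    edges[a].add(b)
                    edges[b].add(a)
    root = uf.find(start)
    queue, seen = deque([(root, 0)]), {root}
    while queue:
        node, dist = queue.popleft()
        if node in flagged:
            return dist
        for nxt in edges[node] - seen:
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None
```

With naive clustering, C1 is merged into A's cluster and appears 1 hop from the mixer; calling `cluster(TXS, skip={"t3"})` to exclude the CoinJoin-like transaction puts it 3 hops away.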

Risk Scores Explained: What Low, Medium, and High Actually Mean

Risk scores are vendor-specific and not standardised across tools. A "55/100" on one platform is not comparable to a "55/100" on another. What matters is what the underlying exposure categories are — and what your risk tolerance is for each category.

Low (0–25): Clear; Medium (26–74): Review; High (75–100): Flag

Score range | Typical exposure | Recommended action
0–25 Low | Clean history; exposure only to regulated entities (exchanges, wallets) | Proceed normally; document the result
26–60 Medium | Indirect exposure to risky categories; peer-to-peer platforms; unhosted wallets | Enhanced due diligence; request source-of-funds documentation
61–100 High | Direct or near-direct exposure to mixers, darknet markets, ransomware, OFAC-sanctioned entities | Block or freeze pending investigation; file SAR/STR if required by jurisdiction

Calibration matters: Many compliance teams set different thresholds per risk category. Exposure to a sanctioned entity (OFAC SDN list) should trigger immediate action regardless of score — it is a legal obligation, not a policy choice. Exposure to a peer-to-peer exchange at medium score may only require enhanced documentation.

FATF Travel Rule and the Regulatory Context (2026)

The Financial Action Task Force (FATF) is the global standard-setter for anti-money laundering. Its 2019 update to Recommendation 16 extended the "Travel Rule" — previously applied to bank wire transfers — to virtual asset service providers (VASPs). The full guidance is at fatf-gafi.org.

What the Travel Rule requires

VASPs transferring virtual assets above a threshold (USD/EUR 1,000 in most jurisdictions) must collect, verify, and transmit originator and beneficiary information to the receiving VASP — mirroring what banks do with SWIFT messages. This requires both parties to have compatible identity data infrastructure. Failure to comply creates regulatory exposure for the transmitting VASP.

$1,000 threshold, Originator data, Beneficiary data

Travel Rule implementation in 2026

Implementation is uneven globally. The EU's Transfer of Funds Regulation (TFR) removes the minimum threshold — all transactions require Travel Rule data. Solutions like TRM Labs and the IVMS101 messaging standard have emerged to handle cross-VASP data exchange. Unhosted wallet transactions add complexity — most regulators require enhanced due diligence above the threshold.

EU: no threshold; IVMS101 standard; Unhosted wallet EDD

US context: FinCEN's rules under the Bank Secrecy Act require MSBs (money services businesses) handling virtual assets to file SARs for suspicious activity and comply with the Travel Rule above USD 3,000. See FinCEN's virtual currency guidance for the current position.

How to Screen a Wallet Address: A Clean, Repeatable Workflow

  1. Confirm the network: know whether you're screening a Bitcoin address, an Ethereum address, a Tron address, etc. Most tools require you to specify the blockchain. Submitting an ETH address to a Bitcoin-only query returns nothing useful.
  2. Select the right tool for your use case: enterprise compliance teams typically use Chainalysis KYT or Elliptic Navigator. Individual checks or smaller operations may use TRM Labs, Crystal Blockchain, or simpler tools like AMLBot. Match the tool to your volume and integration needs.
  3. Run the screening query: submit the address and retrieve the risk report. Most tools return a risk score, a breakdown by exposure category, and the top entities in the address's transaction history.
  4. Interpret the output in context: read the category breakdown, not just the headline score. A high score driven entirely by a single indirect connection to a peer-to-peer exchange is different from a high score driven by direct mixer interaction.
  5. Apply your risk policy: compare the output to your documented risk thresholds. If the score exceeds your "manual review" threshold, initiate enhanced due diligence. If it exceeds your "block" threshold, act accordingly and document.
  6. Record everything: save the screening report with timestamp, address, score, category breakdown, your risk assessment, and the action taken. This audit trail is what regulators will examine.
  7. Re-screen on material changes: a wallet's score can change as it accumulates new transaction history. For ongoing relationships, periodic re-screening is good practice — especially for high-volume counterparties.

Best practice: Build screening into your onboarding and withdrawal workflows as an automated API call — not a manual step. Manual processes get skipped under operational pressure. Automation ensures every transaction is screened and every decision is logged.

AML Tool Comparison: Chainalysis, Elliptic, TRM Labs, Crystal Blockchain

The major blockchain analytics platforms cover overlapping but not identical datasets. Choose based on coverage breadth, integration options, and price point for your volume.

Tool | Strengths | Best for | Integration
Chainalysis KYT | Broadest entity database; law enforcement relationships; deep BTC/ETH coverage | Enterprise exchanges; financial institutions; regulators | REST API; case management UI
Elliptic Navigator | Strong DeFi and cross-chain coverage; holistic risk scoring | DeFi protocols; cross-chain operations; fintechs | REST API; web interface
TRM Labs | Wide chain support (20+); fast; competitive pricing; good Travel Rule tooling | Mid-market exchanges; neobanks; emerging market VASPs | REST API; webhooks
Crystal Blockchain | Strong BTC tracing; compliance reporting; EU-focused | European VASPs; BTC-heavy operations; compliance reporting | REST API; dashboard

No tool is complete: All major providers acknowledge that their coverage is probabilistic and dataset-dependent. Running addresses through two different tools and comparing outputs is a reasonable practice for high-stakes decisions. TRM Labs publishes methodology notes at trmlabs.com/blog; Crystal's methodology is at crystalblockchain.com/resources.

Red Flags: Exposure Types That Trigger Higher Risk Scores

Not all "risky" exposure categories carry equal weight. Understanding what each category means helps distinguish true compliance risk from algorithmic noise.

Heuristic: Build tiered responses. Sanctions exposure → automatic block. Mixer exposure above a volume threshold → block. Indirect P2P exposure below a value threshold → document and allow with enhanced monitoring. One-size-fits-all is not a compliance program — it's theatre.
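
One way to codify the tiered response above together with steps 4 to 6 of the screening workflow (interpret the breakdown, apply the policy, record the result), as an added example that is not the page's or any vendor's code. The report layout, category names, action names and USD limits are hypothetical; the score bands follow the risk-score table on this page.

```python
from datetime import datetime, timezone

# Hypothetical policy. Score bands follow the table on this page; the USD
# limits and category names are placeholders, not any vendor's schema.
POLICY = {"review_score": 26, "block_score": 61,
          "mixer_block_usd": 1_000, "p2p_allow_usd": 5_000}
BENIGN = {"regulated_exchange"}


def decide(report, policy=POLICY):
    """Map one screening report to (action, reason), categories before score."""
    if not report.get("network"):
        raise ValueError("network must be confirmed before screening")
    exposures = report["exposures"]
    # Sanctions exposure blocks regardless of the headline score.
    if any(e["category"] == "sanctions" for e in exposures):
        return "block", "sanctions exposure"
    # Mixer exposure above the volume threshold blocks.
    mixer_usd = sum(e["usd"] for e in exposures if e["category"] == "mixer")
    if mixer_usd > policy["mixer_block_usd"]:
        return "block", f"mixer exposure of {mixer_usd} USD exceeds limit"
    # Only small, indirect (2+ hops) P2P exposure: allow with monitoring,
    # even if the headline score is high.
    risky = [e for e in exposures if e["category"] not in BENIGN]
    if risky and all(e["category"] == "p2p" and e["hops"] >= 2
                     and e["usd"] < policy["p2p_allow_usd"] for e in risky):
        return "allow_with_monitoring", "indirect P2P exposure below limit"
    # Otherwise fall back to score bands; a high score alone only holds the
    # funds for an analyst, it does not close the case.
    if report["score"] >= policy["block_score"]:
        return "hold_for_investigation", "high score; review breakdown"
    if report["score"] >= policy["review_score"]:
        return "enhanced_due_diligence", "medium score; request source of funds"
    return "proceed", "low score"


def audit_record(report, now=None):
    """Build the record to store: input, breakdown, decision and timestamp."""
    action, reason = decide(report)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {"timestamp": stamp, "network": report["network"],
            "address": report["address"], "score": report["score"],
            "exposures": report["exposures"], "action": action, "reason": reason}


# Constructed reports (placeholder addresses, made-up figures).
SAMPLES = [
    {"network": "bitcoin", "address": "ADDR_A", "score": 40,
     "exposures": [{"category": "sanctions", "hops": 3, "usd": 50}]},
    {"network": "ethereum", "address": "ADDR_B", "score": 70,
     "exposures": [{"category": "p2p", "hops": 2, "usd": 800}]},
    {"network": "bitcoin", "address": "ADDR_C", "score": 70,
     "exposures": [{"category": "mixer", "hops": 1, "usd": 12_000}]},
    {"network": "tron", "address": "ADDR_D", "score": 12,
     "exposures": [{"category": "regulated_exchange", "hops": 1, "usd": 900}]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_record(sample)["action"])
```

ADDR_B and ADDR_C carry the same headline score of 70 but get different outcomes, because the category breakdown is evaluated before the score bands.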

Review: What Makes a Reliable AML Screening Service (2025–2026)

Evaluating blockchain analytics vendors is different from evaluating standard software. Coverage accuracy, update latency, and methodology transparency matter far more than UI design.

Signals of a quality provider

Published methodology documentation. Regular public reports on illicit activity patterns (Chainalysis's annual Crypto Crime Report; Elliptic's Typologies reports). Law enforcement track record — tools used in actual prosecutions tend to have better-quality data. Transparent false positive rate acknowledgment. Clear data retention and privacy policy.

Warning signs to evaluate

No published methodology — risk scores with no explanation of how they're calculated cannot be defended in a compliance audit or legal dispute. Overconfident certainty — "this address is criminal" rather than "this address has X% exposure to Y category." Poor chain coverage for your users' assets. No audit log or evidence trail for your compliance records.

2025 / 2026 regulatory lens: Regulators in the EU (MiCA/TFR), UK (FCA), and US (FinCEN) are increasing scrutiny of the quality of VASPs' AML programs — not just whether they "have a tool," but whether they act appropriately on its output. Tool selection is now an auditable compliance decision, not just a technical one.

What to Do When a Wallet Is Flagged

Being flagged does not automatically mean criminal activity. It means a tool has found transaction history it considers risky based on its dataset and methodology. The appropriate response depends entirely on who is flagging whom and what the exposure actually is.

If your own wallet gets flagged by an exchange

If you're operating a platform and need to freeze funds

Hard rule: Never take adverse action against a user based solely on a risk score without reviewing the underlying exposure breakdown. Automated blocks on low-quality signals create false positives that damage users and expose your platform to wrongful account closure claims.

Comparison: Manual Screening vs Automated vs API Integration

The right screening approach depends on your transaction volume, team size, and regulatory obligations.

Method | Best for | Strengths | Limitations
Manual (dashboard) | Low-volume operations; individual checks; investigations | No integration required; easy audit trail; analyst context available | Does not scale; process gaps under pressure; no systematic coverage
Batch screening | Periodic review of existing user wallets; periodic portfolio checks | Covers existing book; identifies newly-flagged addresses | Lagging — not real-time; requires scheduling and automation
Real-time API | Exchanges; payment processors; anything with high transaction volume | Every transaction screened; automated decisions; audit log built-in | Integration cost; requires risk policy codification; latency considerations

Decision rule: If your platform processes more than a few hundred transactions per day, manual screening is not a compliance program — it's a liability. API integration is the minimum standard for any regulated VASP at scale.

Best Practices for Crypto Compliance Teams

Most common compliance mistake: Building an AML program around a single tool score with a single threshold. Effective compliance programs use risk scores as one input among several — combined with KYC data, behavioral analytics, and manual analyst review for edge cases. Risk scores are a starting point, not a conclusion.

Troubleshooting: Common Screening Issues and Disputes

"My address scores high but I've never used a mixer"

"The tool's score changed significantly without any new transactions"

"My compliance team disagrees on how to handle a medium-score address"

Best debugging approach: Treat the transaction graph as your primary evidence, not the score. Most analytics tools allow you to drill into the actual transaction path that generated the score. Understanding the specific entities and distances involved turns a number into an actionable assessment.

About: Prepared by Crypto Finance Experts as a practical SEO-oriented knowledge base covering crypto AML screening: how blockchain analytics tools work, risk score interpretation, FATF Travel Rule compliance, tool comparison, screening workflows, and troubleshooting.

AML Check: Frequently Asked Questions

A crypto AML check is the process of submitting a blockchain address or transaction to an analytics tool that traces its fund-flow history and calculates a risk score based on proximity to known illicit entities — mixers, darknet markets, ransomware operators, and sanctioned addresses. The tool maps the transaction graph from your address to known clusters and weights each connection by distance and volume. The output is a risk score and a breakdown by exposure category, which you interpret against your risk policy to decide whether to proceed, investigate, or block.

Risk scores are vendor-specific indicators of exposure to illicit activity — not verdicts of guilt. A high score means the address has transaction history in proximity to known bad actors. Low scores mean clean, regulated entity exposure. Medium scores require judgment: read the category breakdown to understand what is driving the score. A medium score from indirect P2P exposure is treated very differently from a medium score from direct mixer interaction. Scores are inputs to decisions, not decisions themselves.

The FATF Travel Rule requires Virtual Asset Service Providers (VASPs) to collect and transmit originator and beneficiary identity information when transferring virtual assets above a threshold (typically USD/EUR 1,000, or no threshold under EU rules). This mirrors the wire transfer rules applied to traditional banks. VASPs sending funds must verify the beneficiary VASP is compliant and pass the identity data securely. The practical challenge is that crypto transfers lack the messaging infrastructure banks use — specialized Travel Rule solutions (Sygna, Notabene, etc.) have emerged to fill this gap.

Each has different strengths. Chainalysis has the broadest entity database and strongest law enforcement track record — best for large exchanges and institutions where forensic quality matters. Elliptic has strong DeFi and cross-chain coverage — better for protocols operating across multiple chains. TRM Labs offers wide chain support and competitive pricing — good for mid-market VASPs. Crystal Blockchain is strong for Bitcoin-focused operations and European compliance reporting. Most enterprise compliance teams evaluate two providers before committing. Run the same test addresses through multiple tools and compare outputs.

First, request the specific reason for the freeze in writing. Regulated exchanges must provide the basis for adverse action. Second, gather source-of-funds documentation — where did the flagged funds come from? Bank statements, exchange withdrawal records, and payroll documentation are all relevant. Third, run the address yourself using an analytics tool to understand what exposure is being flagged. Fourth, submit a formal dispute through the exchange's compliance channel with your supporting evidence. If the freeze appears to be a data error (incorrect entity clustering), you can also contact the analytics provider directly — most have processes for flagging incorrect attributions.

The type of wallet software (hardware vs software vs custodial) does not affect your AML risk score. Scores are based entirely on on-chain transaction history — what entities your address has transacted with, at what distance, and in what volume. A hardware wallet address with direct exposure to a darknet market deposit wallet will score just as high as a software wallet with the same history. Wallet type affects key security and custody, not AML risk profile.

This is one of the most contested regulatory questions in crypto. Currently, most truly decentralised protocols without a centralised operator are not considered VASPs under FATF guidance and therefore do not have explicit AML obligations. However, frontend interfaces, deployer teams, and governance token holders may face obligations depending on jurisdiction. The EU's MiCA regulation and FATF's 2021 guidance are pushing toward broader coverage. Many DeFi protocols screen wallet connections at the frontend level voluntarily — to protect their team members and reduce regulatory risk — even without explicit legal obligations.

Direct exposure means your address has transacted in a single hop with a known illicit entity — you sent funds to or received funds from a mixer, ransomware wallet, or darknet market deposit address. Indirect exposure means a counterparty of yours has done so — you transacted with an address that then sent to a mixer. Most analytics tools weight direct exposure much more heavily than indirect exposure, and exposure at 2+ hops is weighted less than at 1 hop. The practical question for compliance decisions is: how many hops away, how much volume, and what category of entity?

For individual deposits and withdrawals: screen in real time at every transaction. For existing user wallets in your book: periodic batch re-screening is standard practice — monthly or quarterly for lower-risk users, more frequently for high-value accounts. A wallet that scored clean at onboarding can acquire new illicit exposure as its subsequent transaction history develops. Analytics providers update their entity databases continuously — a wallet clean against last month's dataset may score differently against this month's updated attribution data. Build periodic re-screening into your compliance calendar and document when it runs.