Crypto AML Challenges: Blockchain Analytics and Compliance

The intersection of cryptocurrency and anti-money laundering compliance represents one of the most technically complex frontiers in financial crime prevention. The same properties that make blockchain networks valuable (immutability, borderlessness, and permissionless access) create distinctive AML challenges that cannot be addressed with the same tools and techniques used for traditional payment flows. Understanding these challenges, and the analytical tools available to address them, is increasingly essential for compliance professionals at virtual asset service providers (VASPs), payment firms with crypto exposure, and any institution that accepts fiat funds from customers who interact with crypto markets.

The Pseudonymity Challenge

Crypto assets are not anonymous — they are pseudonymous. Every transaction on a public blockchain like Bitcoin or Ethereum is permanently recorded in a publicly accessible ledger, with transaction amounts, timestamps, and the addresses of sender and recipient all visible. What is not natively visible is the identity of the individuals controlling those addresses. A Bitcoin address is a cryptographic key, not a name — it reveals nothing directly about its owner.

This pseudonymity creates a different challenge from traditional anonymous cash transactions. Unlike cash, the full transaction history of every address is permanently visible — making it possible, in principle, to trace funds across the entire history of a blockchain. But translating on-chain addresses into identified individuals requires combining blockchain analytics with off-chain identity information — typically obtained either from regulated exchanges where customers have undergone KYC, from law enforcement records, or from open-source intelligence.

The practical implication for AML compliance is that on-chain analytics tools can provide substantial intelligence about the risk profile of a wallet address — where funds have come from, where they have been, and whether they have passed through known illicit actors — but this intelligence must be integrated with traditional CDD to establish customer identity and form a complete risk picture.

On-Chain Analytics: Chainalysis, Elliptic, and Others

A specialist industry has developed around blockchain analytics — firms that maintain large databases of attributed wallet addresses and develop algorithms to identify risk patterns in on-chain transaction flows. The leading commercial providers include:

  • Chainalysis: The market leader, used by both financial institutions and law enforcement globally. Chainalysis Reactor (for investigation) and KYT (Know Your Transaction, for screening) provide real-time risk scoring for Bitcoin, Ethereum, and many other chains. Chainalysis maintains attribution data for thousands of entities including exchanges, darknet markets, ransomware operators, and fraud operations.
  • Elliptic: Provides blockchain analytics with strong capabilities in DeFi (decentralised finance) and cross-chain analysis. Elliptic Lens and Elliptic Navigator cover wallet screening and transaction monitoring respectively.
  • TRM Labs: Particularly strong in regulatory compliance use cases, with VASP registry data and compliance-focused risk scoring frameworks.
  • CipherTrace (now Mastercard): Focuses on VASP compliance monitoring and cryptocurrency intelligence.

These tools assign risk scores to wallet addresses based on their transaction history, with elevated scores for addresses that have received or sent funds to known illicit entities. The risk scores are used by VASPs and payment firms to make AML decisions about whether to process transactions, block withdrawals, or flag activity for investigation.

Wallet Risk Scoring: What the Numbers Mean

A wallet risk score is not a binary determination of guilt or innocence — it is a probabilistic assessment of the likelihood that funds in a wallet have been tainted by illicit activity. Understanding how these scores work is essential for avoiding both over-blocking of legitimate activity and under-blocking of genuine risks.

Most blockchain analytics tools calculate risk scores based on the proportion of a wallet's transaction history that can be traced to high-risk sources through a combination of direct and indirect exposure. Direct exposure is straightforward: the wallet has transacted directly with a known illicit address. Indirect exposure is more complex: the wallet received funds from an address that received funds from an illicit source — sometimes through multiple intermediate hops.

The treatment of indirect exposure is one of the most commercially contested aspects of blockchain analytics. A very low risk tolerance (flagging any indirect exposure, however remote) produces enormous false positive volumes. An overly permissive tolerance (flagging only direct exposure) may miss meaningful links to illicit activity. Most compliance programmes set threshold risk scores above which enhanced review or blocking occurs, calibrated by testing against historical outcomes in a manner analogous to transaction monitoring (TM) threshold tuning.
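The distinction between direct and indirect exposure, and the effect of hop depth and threshold choice, can be seen in a simplified proportional ("haircut") taint model. This is an added example, not code from this article or from any analytics vendor, whose scoring methods are proprietary; the ledger, address labels, hop limits and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger of (sender, recipient, amount); labels are not real addresses.
TRANSFERS = [
    ("illicit_market", "hop1", 10.0), ("exchange_a", "hop1", 30.0),
    ("hop1", "hop2", 20.0), ("exchange_a", "hop2", 20.0),
    ("hop2", "customer", 10.0), ("exchange_b", "customer", 40.0),
    ("illicit_market", "direct_wallet", 5.0), ("exchange_b", "direct_wallet", 5.0),
]
ILLICIT = {"illicit_market"}  # stands in for a vendor's attributed-address database


def build_inflows(transfers):
    """Index transfers by recipient: address -> [(sender, amount), ...]."""
    inflows = defaultdict(list)
    for sender, recipient, amount in transfers:
        inflows[recipient].append((sender, amount))
    return dict(inflows)


def taint(addr, hops, inflows, illicit, seen=frozenset()):
    """Share of addr's received value traceable to illicit sources within `hops` hops."""
    if addr in illicit:
        return 1.0
    received = inflows.get(addr, [])
    total = sum(amount for _, amount in received)
    if hops == 0 or addr in seen or total == 0:
        return 0.0  # out of hop budget, cycle, or no known funding history
    dirty = sum(amount * taint(sender, hops - 1, inflows, illicit, seen | {addr})
                for sender, amount in received)
    return dirty / total


def screen(wallet, transfers, illicit, max_hops, threshold):
    """Split exposure into direct and indirect parts and apply a review threshold."""
    inflows = build_inflows(transfers)
    direct = taint(wallet, 1, inflows, illicit)  # one hop = direct counterparties only
    total = taint(wallet, max_hops, inflows, illicit)
    return {"direct": direct, "indirect": total - direct, "flag": total > threshold}


if __name__ == "__main__":
    for hops, threshold in [(1, 0.0), (3, 0.0), (3, 0.10)]:
        for wallet in ("direct_wallet", "hop1", "customer"):
            print(hops, threshold, wallet, screen(wallet, TRANSFERS, ILLICIT, hops, threshold))
```

With a one-hop limit the `customer` wallet shows no exposure; at three hops it carries 2.5% indirect exposure, which a zero-tolerance policy flags and a 10% threshold does not.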

Mixing Services and Anonymity-Enhancing Technologies

Mixing services (also called tumblers or blenders) are tools designed to break the on-chain transaction trail by pooling multiple users' funds and returning different coins of equivalent value, making it difficult to trace the origin of specific coins. CoinJoin (used on Bitcoin), Tornado Cash (Ethereum — sanctioned by OFAC in 2022), and various centralised mixing services all operate on this principle.

From an AML perspective, the use of mixing services is a significant red flag — there is no legitimate reason to mix cryptocurrency that cannot be addressed through standard privacy controls. OFAC's 2022 designation of Tornado Cash as a sanctioned entity (the first time a smart contract rather than an entity was designated) created a clear regulatory precedent: processing transactions that have passed through sanctioned mixing services violates OFAC sanctions, regardless of whether the underlying funds are illicit.

Privacy coins — cryptocurrencies like Monero (XMR) and Zcash (ZEC) that use cryptographic techniques to obscure transaction details at the protocol level — present a different challenge. Blockchain analytics tools have limited effectiveness against these assets, as the standard on-chain tracing methodology cannot be applied. Many regulated exchanges have delisted privacy coins in response to regulatory pressure, and FCA-registered cryptoasset firms in the UK are effectively prohibited from offering them.

Exchange AML Obligations

Regulated crypto exchanges — FCA-registered cryptoasset businesses in the UK, MiCA-authorised CASPs in the EU, and FinCEN-registered MSBs in the US — face a comprehensive set of AML obligations that go beyond what traditional payment firms face. These include:

  • Full KYC/CDD at onboarding for all customers, including verification of identity for wallet deposits above minimum thresholds
  • Transaction monitoring covering both fiat and on-chain activity, with blockchain analytics integration to identify high-risk transaction sources
  • Travel Rule compliance for on-chain transfers above applicable thresholds
  • Screening of deposit addresses against blockchain analytics risk scores before crediting accounts
  • Enhanced monitoring for transactions involving unhosted wallets, high-risk jurisdictions, or DeFi protocols
  • SAR/STR obligations for suspicious on-chain activity, including activity suggesting use of mixing services or darknet market transactions

Non-compliance with crypto AML obligations has resulted in some of the largest financial penalties in recent years — the Binance settlement of $4.3 billion with FinCEN, OFAC, and DOJ in November 2023 stands as the most significant, demonstrating that regulators view AML failures at crypto exchanges with the same severity as failures at traditional financial institutions.
