Ichnos

How crypto wallet screening works: sanctions, proximity and exposure

A plain-language guide to how crypto wallet screening works — sanctions-list matching, illicit-cluster proximity, exposure estimates, and what a screening result does and does not prove.

Wallet screeningHow it worksAML

If you run compliance at an EU crypto business, “screen the wallet” sounds like a single button. Underneath, it is three different questions with three different levels of certainty. Confusing them is how teams either miss real risk or freeze on false alarms. This guide walks through what actually happens when a crypto wallet address is screened, in terms a compliance officer can use — and, just as importantly, what each answer can and cannot prove.

The three questions a screen actually answers

A wallet screen is not one lookup. It is layered:

  1. Is this address itself on a sanctions list? A direct, exact match against published data. This is the highest-certainty result there is.
  2. How close is this address to something flagged? A proximity question, measured in “hops” across the transaction graph. This is a signal, not a verdict.
  3. How much of this address’s balance can be traced back toward flagged sources? An exposure estimate — a model of fund flow, not a measured ledger of it.

Good screening keeps these three separate in the result, because they carry very different weight. A tool that collapses them into one opaque score is doing you a disservice: you cannot defend a number you cannot break apart.

Step one: sanctions-list matching

The foundation is comparing the address against the reference data an EU CASP is expected to have checked. In practice that means the crypto addresses published on:

  • the OFAC SDN list (the US Treasury’s Specially Designated Nationals list);
  • the EU consolidated list of persons, groups and entities under financial sanctions; and
  • OpenSanctions, an aggregated open dataset that broadens coverage of sanctions, PEP and watchlist entities and their known addresses.

If the address you screened appears on one of these lists, that is a direct match — an exact hit against listed data. There is no ambiguity and no modelling involved. It is the clearest signal in the whole process and the one that should stop a transfer for review immediately.

The catch is that lists are only ever as current as their last update and only ever contain what an authority has already designated. A newly created illicit address that no one has listed yet cannot be matched by anyone — not by us, not by an enterprise tool. Screening reduces risk; it does not eliminate it.

Step two: proximity across the transaction graph

Most addresses are not themselves listed. The more useful question is how close an address sits to something that is. Blockchains are public, so the flow of funds between addresses forms a graph you can walk.

Screening starts from a flagged seed set — every address known to be sanctioned or illicit — and walks outward through the transaction graph a bounded number of hops, recording how far each address sits from the nearest flagged one. That distance produces a tier:

  • Direct — the address is itself on a list (step one).
  • Near — roughly one hop from a flagged address; it transacted directly with one.
  • Indirect — two or more hops away; exposure is more distant and, on its own, weaker evidence.
  • Clear — no known exposure to the flagged set within the analysed graph.

Two safeguards keep this from crying wolf. Exchange-hub exclusion stops high-degree service addresses — the ones that touch millions of wallets — from making everything look “near” something bad; a wallet that merely used the same exchange as an illicit actor should not be flagged for it. Bounded traversal caps how far and wide a single screen explores, so results are repeatable rather than sprawling. For Bitcoin, addresses spent together in one transaction are grouped by co-spend clustering, because they are almost certainly controlled by the same entity.

Step three: exposure as an estimate

Alongside distance, screening can estimate an exposure percentage — a taint or haircut figure that approximates how much of an address’s balance traces back toward flagged sources. This is deliberately called an estimate. It is a model of how funds could have flowed, not an audited trace of how they did, and two reasonable models will produce different figures. Treat it as a magnitude indicator, not a measurement.

What the result does not mean

This is the part most vendors skip, and it is the most important. A Near or Indirect result means a wallet is close to something flagged in the graph — a reason to look harder, never a finding that the wallet or its owner is sanctioned or criminal. Funds can pass near an illicit address entirely innocently. And a Clear result is the absence of a known connection on the data screened, not proof that no link exists anywhere.

Honest screening tells you which of the three questions produced the answer, how confident it is, and which data it ran against — so a human can make the call. That is why the report matters as much as the result: it records the exact list versions and engine version behind every check, so you can reproduce and defend any decision months later. (For the full account of the tiers, safeguards and limits, see our methodology.)

Put it into practice

The best way to understand screening is to run one. You can create an Ichnos account and screen your first 100 wallet and counterparty checks free — no card — and keep the signed report for each. Start free and screen a wallet →

← All guides

Screen your first wallet — free.

Create an account and run your first 100 wallet and counterparty checks free, no card. Hand your auditor a report you can stand behind.