Ichnos

Methodology & limits

How our screening works — and what it can't tell you yet

A plain-language account of what Ichnos screens, how the four risk tiers and proximity figures are produced, and — just as importantly — where the current limits are. No black-box scores, no invented certainty.

Compliance only works if you can defend it. A risk figure you cannot explain to a supervisor is a liability, not an assurance. This page describes exactly how Ichnos reaches its results, in terms a compliance officer can use — and it states, without hedging, what those results do and do not prove today. We would rather under-claim and be trusted than over-claim and be wrong.

1. What we screen

Ichnos screens crypto wallet addresses and counterparties against the primary sanctions and watchlist sources an EU CASP is expected to have checked:

  • OFAC SDN crypto addresses — the wallet addresses the US Treasury’s Office of Foreign Assets Control publishes on its Specially Designated Nationals list.
  • EU consolidated list — the EU’s consolidated list of persons, groups and entities subject to financial sanctions, including the crypto addresses it carries.
  • OpenSanctions — an aggregated open dataset of sanctions, PEP and watchlist entities and their known crypto addresses, used to broaden coverage beyond the two primary lists.

These sources are refreshed daily. Every screening records which dataset version it ran against, so a result is always tied to the exact list state at the moment of the check — not to “the lists, some time”. Provenance is part of the answer, not an afterthought.

2. The four risk tiers

Rather than a single opaque score, Ichnos places each address into one of four tiers. Each is a factual statement about the address’s relationship to the flagged (sanctioned or known-illicit) set — nothing more:

  • Direct — the address is itself on a sanctions list. This is the highest-certainty result: an exact match against listed data.
  • Near — the address sits roughly one hop from a flagged address (it transacted directly with one). This is a proximity signal, not a listing.
  • Indirect — the address sits two or more hops from a flagged address. Exposure is more distant and, on its own, weaker evidence.
  • Clear — no known exposure to the flagged set within the analysed graph. This is the absence of a known connection, not a guarantee of innocence (see the limits below).

Near and Indirect are proximity indicators, not verdicts. They tell you a wallet is close to something sanctioned in the transaction graph. They do not say the wallet itself is sanctioned, nor that its owner did anything wrong — a wallet can receive funds that passed near an illicit address entirely innocently. Treat these tiers as a prompt to look closer, not as a finding of guilt.

3. How proximity is computed

Proximity starts from the flagged seed set — every address we know to be sanctioned or illicit. From that seed, the engine walks outward through the transaction graph a bounded number of hops, recording how far each reachable address sits from the nearest flagged one. That hop distance is what produces the Near / Indirect classification.

Alongside the distance, Ichnos estimates an exposure percentage — a taint/haircut figure that approximates how much of an address’s balance can be traced back toward the flagged set. This is deliberately called an estimate: it is a model of fund flow, not a ledger of it (again, see the limits).

Two safeguards keep the graph honest rather than alarmist:

  • Exchange-hub exclusion. Large exchange and service addresses touch enormous numbers of wallets. Left unchecked, they would make almost everything look “near” something bad. Ichnos detects these high-degree hubs by their connection count (cardinality) and stops the graph from tainting the world through them — so a wallet that merely used the same exchange as an illicit actor is not falsely flagged.
  • Bounded traversal. The walk uses an out-degree cap and aggregate size ceilings so a single screening explores a defined, repeatable neighbourhood rather than an unbounded one.

For Bitcoin, Ichnos additionally uses co-spend clustering: when several addresses are spent together in one transaction, they are almost certainly controlled by the same entity, so they are grouped and their exposure considered together. At request time none of this is computed live — each screening is a fast lookup against a precomputed proximity index, which is what keeps a check quick while the heavy graph work happens ahead of time.

4. Provenance & auditability

The report is the product. Every screening records the dataset versions (which OFAC, EU and OpenSanctions snapshots were in force) and the engine version that produced the result. That means any past check can be reproduced and explained: you can show a supervisor precisely what data and what logic cleared or flagged a given transfer, on the date it happened.

One check, one defensible record. A signed, timestamped report — naming the lists, the dataset and engine versions, every match and its tier, and the exposure findings — is the deliverable you keep for your compliance file. See how it fits MiCA and the Travel Rule in MiCA & Travel Rule compliance.

5. Limits & honesty

This is the section most vendors leave out. We think it is the most important one. Here is what Ichnos results do not mean:

  • Proximity is not guilt. A Near or Indirect tier means a wallet is close to something flagged in the graph — it is a reason to investigate, never a finding that the wallet or its owner is sanctioned or criminal.
  • Exposure figures are modelled estimates. The exposure percentage comes from a taint/haircut model. It approximates how funds could have flowed; it is not a measured, audited trace of actual money movement, and different reasonable models would produce different figures.
  • Coverage depends on the chain-data source. The graph can only reveal connections that exist in the transaction data we have ingested. Gaps in that data mean a “Clear” result is the absence of a known link, not proof that no link exists anywhere.
  • Lists are never complete. Screening reflects the sanctions data published so far. Newly created illicit addresses that no authority has listed yet cannot be matched by anyone.

On accuracy, we hold ourselves to the same honesty. Ichnos currently runs its proximity engine against an internal validation graph while the live chain-data pipeline is being validated. Because of that, we are not publishing quantitative accuracy figures yet — putting a precise percentage next to an unvalidated pipeline would be exactly the false certainty this page exists to reject. Once the live chain-data engine is validated, we will publish accuracy benchmarks measured against labelled, real-world datasets, in the same open way. Until then, treat the tiers as well-reasoned indicators to be confirmed by a human reviewer — not as a settled score.

If you want to understand a specific result, the report tells you why it scored the way it did, and a real person here will walk you through it. That is the standard we are building Ichnos to — see what it screens in crypto sanctions screening.

Screening you can explain to a supervisor.

Every check names the lists and engine version it ran against, and says plainly how confident it is.