The Evolution of Wallet Screening

There’s a quiet evolution happening in the world of crypto wallet screening.

Today, virtually every crypto exchange, wallet provider and blockchain network is mandated to implement some flavor of wallet screening to check for connections to illegal activities like fraud, money laundering, and terrorism financing. Unfortunately, wallet screening is often time-consuming, manual, and inconsistent. In this post, I will explore the current state of wallet screening and detail how this space is evolving and becoming more AI-centric, automated and proactive.

What is Wallet Screening?

Cryptocurrency wallet screening is the process of analyzing wallet addresses for illicit activity, sanctioned entities, or high-risk behaviors using blockchain analytics and watchlists. Wallet screening helps businesses with AML/KYC compliance, risk management, and regulatory adherence by flagging suspicious transactions and providing risk scores for proactive decision-making.

Yesterday’s Wallet Screening

In the early days of wallet screening, the focus was primarily on Know Your Customer (KYC) — linking users to real identities and checking against basic sanctions lists (like OFAC). Unfortunately, this static approach relied on manual review and struggled with pseudonymity, complex flows, and new blockchain entities, often missing illicit activity. Another shortcoming, which continues to linger today, is that screening relied on examining transactions after they were posted to the blockchain — in other words, after the transaction was completed. So, if bitcoin was transferred to a known bad actor, the suspicious transaction was caught only after the recipient had already received the funds.

Moving towards Dynamic & Behavioral Screening

We’re starting to see a shift from just “where” money went (exposure scoring) to “how” it moved, using Graph Neural Networks (GNNs) to spot unusual patterns, deviations, and intent. Some solutions now track assets across different blockchains and bridges, eliminating “blind spots.”

Advanced tools identify and flag use of mixers (like Tornado Cash) and custom privacy solutions, even before they’re officially blacklisted. NOTE: illicit mixers are solutions that mix potentially identifiable or “tainted” cryptocurrency funds with others, so as to obscure the trail back to the funds’ original source. Some blockchain screening solutions have introduced real-time monitoring, which provides instant alerts for suspicious activities like high-risk deposits or unusual transaction volumes, replacing slow, point-in-time checks. However, these solutions still rely on post-settlement transactions, so if a high-risk transaction has posted/settled, the alert is sent after the fact.

Changing Market Conditions

Wallet screening solutions have been forced to adapt as market conditions continue to shift.

  • Criminal Adaptation: Criminals use mixers, bridges, and complex layering to evade detection, forcing compliance tools to become more sophisticated.
  • Regulatory Pressure: Regulators expect proactive identification of sanctioned exposure, not just post-facto monitoring.
  • Market Growth: The expanding crypto market requires scalable, automated solutions to manage vast transaction data.

The Evolution Continues: Wallet Screening Getting More Holistic

Today, wallet screening is starting to combine off-chain identity data (e.g., KYC data) with on-chain behavior for a comprehensive view. AI and machine learning are increasingly being leveraged by solution providers to reduce false positives and improve efficiency when handling massive transaction volumes.

Some wallet screening solutions have introduced entity-level screening, which connects individual wallets to broader entities (e.g., scams, illicit actors) for deeper investigations. Visualizations that generate clear diagrams of wallet-to-wallet connections can aid human investigators, but working with them can also be time-consuming and may yield inconsistent results depending on how well the investigators have been trained on these tools.

Source: Web3Firewall sandbox

Automated Fund Tracing and Sanctions Detection

Crypto taint tracing, especially using “hops” (transaction steps) like 5-hop analysis, is a key part of Know Your Transaction (KYT) for AML/CFT compliance. This technology helps VASPs meet FATF Travel Rule requirements by flagging funds from illicit sources (mixers, sanctioned wallets) using advanced analytics to assess risk, even as criminals use complex methods like chain hopping. Regulations mandate real-time monitoring for suspicious activity, and while “5 hops” isn’t a rigid rule, it’s a common tracing depth to identify tainted funds entering a platform.

Wallet tracing services can trace the “hop” history of funds to measure “taint” — the percentage of assets connected to illicit sources (e.g., hacks or darknet markets) — effectively creating a permanent digital paper trail for every coin. If contaminated or sanctioned funds are detected at any of these hops. This history is usually depicted through a visual map (like the one above) which allows analysts to manually manipulate the transaction history to identify sources of risk/taint.

Instead of using human reviewers, leading solutions can automatically trace those funds and correlate exposure across these hops. They’re able to do this by applying predefined policies. So instead of requiring analysts to manually click through graphs, the underlying system produces deterministic risk outputs and machine-readable results, and executes immediate enforcement actions (e.g., blocking transactions) based on your policies.
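The hop-limited tracing and policy-driven decision described above can be sketched as follows. This is an added example, not code from Web3Firewall or any other vendor; the transfer data, the proportional taint model, the thresholds in POLICY and all function names are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample data: (sender, receiver, amount). Labels, not real wallets.
TRANSFERS = [
    ("sanctioned_1", "w1", 10.0),
    ("exchange_a", "w1", 30.0),
    ("w1", "w2", 20.0),
    ("exchange_b", "w2", 20.0),
    ("w2", "deposit", 8.0),
    ("exchange_a", "deposit", 8.0),
]
FLAGGED = {"sanctioned_1": "sanctions"}  # constructed watchlist entry

# Hypothetical policy: the first threshold the taint meets or exceeds decides.
POLICY = [(0.25, "block"), (0.05, "review"), (0.0, "allow")]


def taint(address, inbound, flagged, hops):
    """Share of inbound funds traceable to a flagged source within `hops` transfers."""
    if address in flagged:
        return 1.0
    if hops == 0 or not inbound[address]:
        return 0.0  # depth budget spent, or no known inbound funds
    total = sum(amount for _, amount in inbound[address])
    # Assumed proportional model: each inbound transfer carries its sender's
    # taint, weighted by amount. The hop budget also bounds the recursion,
    # so cycles in the transfer graph terminate.
    return sum(amount * taint(sender, inbound, flagged, hops - 1)
               for sender, amount in inbound[address]) / total


def screen(address, transfers=TRANSFERS, flagged=FLAGGED, max_hops=5):
    """Return a deterministic, machine-readable decision for one address."""
    inbound = defaultdict(list)
    for sender, receiver, amount in transfers:
        inbound[receiver].append((sender, amount))
    score = taint(address, inbound, flagged, max_hops)
    action = next(act for threshold, act in POLICY if score >= threshold)
    return {"address": address, "max_hops": max_hops,
            "taint": round(score, 4), "action": action}


if __name__ == "__main__":
    for addr, depth in [("w1", 5), ("deposit", 5), ("deposit", 2)]:
        print(json.dumps(screen(addr, max_hops=depth)))
```

In the sample data the flagged source sits three hops from `deposit`, so the same address is sent to review at the default depth of 5 but scores zero at depth 2, which is why the tracing depth belongs in the policy alongside the thresholds.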

Moving towards Pre-Signature Intelligence

A major shortcoming of existing wallet screening solutions is that detection is often based on historical data that’s already been posted to the chain (e.g., is this a known address and has it been involved in suspicious transactions in the past?). They typically rely on a limited number of transaction attributes and signals (e.g., reputation of recipient address).

Emerging solutions, such as Web3Firewall, are providing deeper insights by evaluating a large number of pre-signature signals (over 100) as well as historical activity. Comprehensive signals can include any of the following:

  • New Wallet: A newly created wallet address with no transaction history, making it less trustworthy.
  • Mixing Services: The contract creator used mixing services or attempted to use them to obscure the origin of their funds.
  • Failed Transaction: Failed transactions, often due to errors in the transaction or insufficient funds.
  • Low Liquidity: Low trading volume or lack of available assets in a liquidity pool.
  • Anonymous Owner: The true owner or controlling entity of the contract is hidden, raising concerns about transparency and trust.
  • Bad Actor: A developer that intentionally introduces malicious code or vulnerabilities in a contract.
  • Spam Tokens: An attack where small amounts of cryptocurrency (dust) are sent to break users’ anonymity.

NOTE: This is a small sample of the types of comprehensive signals that can be evaluated in near real time with the help of AI to arrive at a much more precise, up-to-date risk score. These signals are also effective in identifying zero-day attacks and combating smart money laundering attempts.

Crypto wallet screening has transformed from a simple watchlist check into a complex, intelligent system that dynamically maps cross-chain transactions, identifies risky behaviors (like mixer use), and provides real-time alerts. It integrates pre-signature signals and on-chain data with off-chain identities, supporting proactive risk management against evolving criminal tactics as well as regulatory compliance.