On-Chain AML: Blockchain Transaction Monitoring for Crypto Compliance

On-chain AML monitors blockchain transactions directly to detect financial crime risk — applying AML controls to wallet behavior, fund flows, and counterparty relationships across open, decentralised networks.
Traditional AML systems were built for closed financial networks where every participant is identified and every transaction routes through a regulated intermediary. Blockchain works differently — assets move pseudonymously, directly between wallets, across open networks with no central gatekeeper. On-chain AML — also called blockchain AML, crypto AML monitoring, or blockchain transaction monitoring — is the discipline of applying AML controls to this environment: monitoring blockchain transaction data in real time, detecting behavioral anomalies, and supporting risk-based compliance decisions before suspicious activity escalates. This guide covers what on-chain AML is, why it differs from traditional AML, what it detects, and how Web3Firewall supports on-chain AML workflows.
Reviewed by the Web3Firewall compliance team · Last updated: 18 March 2026
Web3Firewall provides risk intelligence and analysis tools. It does not provide legal, regulatory, or sanctions determinations. Nothing on this page constitutes legal or compliance advice.
Book a Demo

What is on-chain AML?

On-chain AML (anti-money laundering) refers to the application of AML controls and monitoring directly to blockchain transaction data — including wallet behavior, fund flows, smart contract interactions, and counterparty relationships across decentralised networks. Unlike traditional AML systems designed for bank ledgers and closed payment networks, on-chain AML operates on publicly available blockchain data to identify patterns consistent with financial crime, sanctions exposure, or other compliance risk. On-chain AML is one component of a broader AML/CFT programme — complementing KYC/KYB, case management, escalation, reporting, and governance controls.
In one sentence: On-chain AML monitors blockchain transactions directly to detect financial crime risk — without relying on intermediaries or closed financial networks.
The core distinction: Traditional AML monitors accounts. On-chain AML monitors behavior across open networks.
Anti-money laundering (AML) controls have existed in financial services for decades. They were designed for a world where money moves through banks, correspondent networks, and card schemes — environments where every participant is identified, every transaction is recorded by a regulated institution, and suspicious activity can be flagged, frozen, or reported through established channels.
Blockchain changes each of those assumptions. Assets move directly between wallet addresses, often without any regulated intermediary. Transactions are pseudonymous — wallet addresses are public, but the identities behind them are not always known. Funds can cross borders instantly, route through multiple protocols, and reach a mixer or exchange within minutes of leaving their origin.
On-chain AML is the discipline that applies AML controls to this environment. It uses blockchain data — which is public and immutable — to reconstruct transaction histories, map counterparty relationships, detect behavioral anomalies, and identify patterns consistent with layering, structuring, sanctions-related activity, or other financial crime typologies. Tools that perform this function are variously called on-chain AML platforms, crypto AML monitoring tools, blockchain transaction monitoring systems, or wallet screening solutions.
For many organisations operating digital asset platforms — exchanges, custodians, payment providers, infrastructure operators — on-chain AML monitoring is a practical necessity for meeting AML/CFT obligations. In the EU, AML/CFT obligations for crypto-asset transfers are driven most directly by Regulation (EU) 2023/1113 and related supervisory guidance. MiCA creates separate but operationally adjacent obligations, including controls around transfer services and, where relevant, market abuse monitoring. In the US and UK, covered firms may also be subject to AML/CTF obligations under applicable MSB and money-laundering regimes.

Why on-chain AML is different from traditional AML

Traditional AML and on-chain AML share the same goal — detecting and preventing financial crime. But the environments they operate in are sufficiently different that the same tools do not work for both.

Dimension

Traditional AML

On-chain AML

Transaction network
Closed — banks, card schemes, correspondent networks
Open — public blockchain, permissionless
Participant identity
Known — KYC at account opening
Pseudonymous — wallet addresses, not names
Transaction speed
Hours to days (settlement)
Seconds to minutes
Data source
Internal ledger records
Public blockchain data
Intermediary
Always present
Often absent — direct wallet-to-wallet
Monitoring approach
Rule-based thresholds, name screening
Behavioral analysis, graph traversal, risk scoring
Attack surface
Insider fraud, account takeover
Novel wallets, mixers, cross-chain bridging
Reversibility
Possible in many cases
Impossible once confirmed on-chain
The most consequential difference is speed and irreversibility. In traditional finance, a suspicious transaction can often be frozen, recalled, or reversed. On-chain, once a transaction is confirmed, it is permanent. This is why on-chain AML places much greater weight on pre-execution controls — wallet screening and risk assessment before a transaction is processed — rather than purely post-transaction investigation.

How on-chain AML monitoring works

On-chain AML monitoring — sometimes called crypto transaction monitoring or blockchain transaction monitoring — works by ingesting publicly available blockchain data and applying multiple analytical layers to identify risk signals. A well-designed system operates across five layers:
Layer 1: Transaction ingestion
Every transaction confirmed on a monitored blockchain is ingested in near real time — including the sending address, receiving address, transaction value, smart contract calls, and token transfers. Historical data supports retrospective analysis and behavioral baseline building.
Layer 2: Counterparty graph traversal
On-chain AML goes beyond direct counterparty screening. Graph traversal traces fund flows across multiple hops — identifying indirect exposure to high-risk addresses that would be invisible from a simple one-hop check. A wallet that has never directly interacted with a risky address may still carry elevated exposure if funds passed through one two or three hops earlier.
Layer 3: Behavioral baseline and anomaly detection
Each monitored wallet develops a behavioral baseline — normal transaction size, frequency, counterparty diversity, and protocol usage. Deviations from this baseline are flagged for review. This layer is critical for detecting novel threats that have not yet appeared on any watchlist.
Layer 4: Risk scoring and classification
Individual signals are combined into a structured risk score mapped to risk bands (low, medium, high, critical). Each score is explainable: the signals that contributed, their weights, and the supporting evidence are documented. This explainability supports compliance review and internal documentation workflows.
Layer 5: Policy controls and alerting
Risk scores and behavioral signals feed into a policy engine that generates automated alerts, routes transactions for review, or — in pre-broadcast workflows — can prevent a transaction from being submitted before it reaches the network. Policies can be configured by jurisdiction, asset type, counterparty risk tier, or transaction size within the platform.

What does on-chain AML monitoring detect?

Request a demo
On-chain AML monitoring can identify patterns consistent with a range of financial crime typologies. These signals inform risk assessment — they are indicators, not legal or regulatory determinations.

Layering and structuring

Transaction patterns designed to obscure the origin of funds — including rapid movement across multiple wallets, protocol hops in quick succession, and amounts structured to fall below threshold levels.

Mixer and obfuscation service

Interactions with cryptocurrency mixing services, privacy protocols, or other obfuscation tools designed to break the transaction trail. A high-weight signal in most on-chain AML risk models.

High-risk address exposure

Direct or indirect connections to addresses associated in risk intelligence datasets with sanctions-related activity, darknet market use, ransomware payments, or exploit-related fund flows.

Rapid cross-protocol fund movement

Funds moving through three or more protocols — DEXs, bridges, lending protocols — in rapid succession after leaving an origin wallet. A pattern commonly associated with fund extraction after illicit activity.

Anomalous transaction velocity

Sudden spikes in transaction frequency far above a wallet's established baseline — consistent with automated behavior, structuring, or exploit extraction activity.

Dormant wallet reactivation

Long-inactive wallets that suddenly move significant funds — associated with coordinated fund release activity, compromised wallet recovery, or pre-planned distributions.

New wallet high-value activity

Newly created wallets with no transaction history that immediately interact with high-value protocols or receive large fund transfers — a common pattern in attack staging and fresh infrastructure setup.

Exchange risk exposure

Funds that transited through exchanges with historically weak AML controls carry elevated risk — even if those exchanges are not themselves sanctioned entities.

Behavioral baseline deviation

Any significant departure from a wallet's established transaction patterns — in terms of size, frequency, counterparty type, or protocol usage — that warrants review regardless of whether known-bad indicators are present.

What is the Travel Rule and how does it relate to on-chain AML?

The Travel Rule is one of the most operationally significant AML obligations for organisations handling crypto-asset transfers. It requires virtual asset service providers (VASPs) and crypto-asset service providers (CASPs) to collect, verify, and transmit originator and beneficiary information alongside every crypto-asset transfer.
In the EU, the Travel Rule is governed by the Transfer of Funds Regulation (Regulation (EU) 2023/1113), which extends originator-and-beneficiary information requirements to crypto-asset transfers and is supported by EBA guidance on the information that must accompany transfers and how firms should handle missing or incomplete information. ESMA has published guidelines on transfer services for crypto-assets under MiCA.
On-chain AML monitoring supports Travel Rule workflows in two specific areas:
In the EU, the Travel Rule is governed by the Transfer of Funds Regulation (Regulation (EU) 2023/1113), which extends originator-and-beneficiary information requirements to crypto-asset transfers and is supported by EBA guidance on the information that must accompany transfers and how firms should handle missing or incomplete information. ESMA has published guidelines on transfer services for crypto-assets under MiCA.
Self-hosted wallet due diligence
For transfers involving self-hosted (unhosted) wallets, CASPs must apply the controls required under Regulation (EU) 2023/1113 and related guidance. On-chain AML tools support due diligence and risk assessment for transfers involving self-hosted wallets where required under applicable rules and guidance — providing structured, auditable risk signals to inform compliance decisions.
Counterparty screening
Before processing a transfer, CASPs need to assess the risk profile of the counterparty wallet. On-chain AML monitoring supports this assessment — combining direct address screening, graph traversal for indirect exposure, and behavioral analysis — producing a structured risk indicator that can be documented for compliance records.
For a full breakdown of Travel Rule requirements and how they interact with broader MiCA obligations, see our MiCA compliance guide [link: /mica-compliance].

What is the difference between on-chain AML and blockchain analytics?

Blockchain analytics is a broad category covering any analysis of on-chain data — including market intelligence, forensic investigation, protocol research, and compliance monitoring. On-chain AML is a specific, operationally-focused application of blockchain analytics.
The distinction: Blockchain analytics is the toolset. On-chain AML is a specific use case — applying that toolset to detect financial crime risk and support AML/CFT compliance workflows.
Blockchain analytics tools are often built for investigators and researchers — powerful for reconstructing transaction histories and building cases after the fact. On-chain AML tools are designed for operational compliance teams — they produce structured risk scores, integrate into transaction processing pipelines, generate audit-ready records, and operate at the speed and scale of live transaction volumes.
For a full breakdown of how wallet risk scoring — a core component of on-chain AML — works in practice, see our wallet risk scoring guide [link: /wallet-risk-scoring].

On-chain AML as part of a broader AML/CFT programme

Request a demo
On-chain AML monitoring is a powerful capability, but it is one component of a broader AML/CFT programme — not a substitute for the full set of controls that regulated organisations are expected to maintain.
A complete AML/CFT programme for a digital asset business typically includes:

Transaction monitoring

continuous analysis of on-chain activity for suspicious patterns, covered by on-chain AML tooling.

KYC/KYB

customer and business identity verification at onboarding, supported by off-chain identity checks and document verification.

Sanctions screening

real-time screening against applicable sanctions lists, arising under AML/CFT and sanctions regimes rather than from any single regulation.

Case management and investigation

human review workflows for flagged activity, documentation of decisions, and escalation procedures.

Suspicious activity reporting (SAR)

the formal reporting process for transactions suspected of involving financial crime, governed by applicable national AML/CTF frameworks.

Governance and training

the policies, procedures, and staff training that regulators expect to see alongside technical controls.
On-chain AML monitoring strengthens the transaction monitoring component and generates the risk intelligence and audit trails that support case management and reporting. Web3Firewall is designed to integrate into this broader programme — not to replace it.

What regulations drive on-chain AML and transaction monitoring requirements?

For many crypto businesses, AML/CFT obligations include transaction monitoring, suspicious activity handling, and risk-based controls. The specific obligations vary by jurisdiction, entity type, and business model — firms should assess their precise requirements with qualified legal counsel.
Item 1
FATF Recommendation
The Financial Action Task Force's Recommendation 16 establishes the global baseline for originator and beneficiary information requirements in transfers of value, including the Travel Rule context for virtual assets. FATF guidance and subsequent updates — including the June 2025 update to Recommendation 16 — shape how national and regional regimes implement risk-based controls for virtual asset activity.
Item 2
EU Transfer of Funds Regulation
Regulation (EU) 2023/1113 extends originator-and-beneficiary information requirements to crypto-asset transfers and is supported by EBA guidance on the information that must accompany transfers and how firms should handle missing or incomplete information. CASPs must also apply controls for transfers involving self-hosted wallets as required under the EU framework and supervisory guidance.
Item 3
EU MiCA
Regulation (EU) 2023/1114 creates CASP authorisation requirements and obligations including transfer service controls and, for trading platforms, market abuse monitoring obligations. MiCA and EU AML/CFT frameworks are separate regimes that often rely on overlapping monitoring, governance, and control infrastructure. MiCA entered into force in June 2023, with the main CASP regime applying from 30 December 2024, subject in some Member States to transitional arrangements.
Item 4
FinCEN / BSA (US)
FinCEN's guidance clarifies how existing Bank Secrecy Act obligations apply to certain virtual currency business models, including AML programme, recordkeeping, and SAR obligations for covered money services businesses. The 2019 FinCEN guidance explicitly noted it did not create new requirements but applied existing BSA rules to covered entities.
Item 5
FCA (UK)
In the UK, certain cryptoasset businesses must register under the Money Laundering Regulations and are supervised by the FCA for AML/CTF compliance. Registered firms are expected to maintain systems and controls appropriate to their money-laundering and terrorist-financing risks.
DORA (the Digital Operational Resilience Act, applying from 17 January 2025) is not an AML/CFT regime, but it increases the importance of resilient monitoring, alerting, and incident-response infrastructure for regulated entities — including CASPs under MiCA.

Use cases by team

Request a demo

Compliance and AML teams

Automate transaction monitoring across all wallet activity — not just sampled transactions. Route high-risk cases to human review with full supporting evidence. Generate audit-ready records that support suspicious activity reporting, regulatory examinations, and internal governance reviews.

Exchange operations (CEX)

Screen deposit and withdrawal addresses in real time before funds hit the hot wallet. Support Travel Rule workflows for all transfers. Apply risk-based due diligence for self-hosted wallet transfers. Flag behavioral anomalies in high-value withdrawal activity for compliance review.

Custodians

Monitor custodied wallet portfolios continuously for changes in risk profile. Detect when a custodied address receives funds from or develops indirect exposure to high-risk counterparties. Apply Travel Rule controls and risk-based checks for all outbound transfers.

Stablecoin and token issuers

Screen wallet addresses before minting or processing large transfers. Monitor token transfer patterns for structuring-consistent behavior. Support Travel Rule originator and beneficiary data workflows for token transfers under the TFR.

Infrastructure providers

Integrate on-chain AML monitoring into RPC nodes, wallet APIs, or transaction relay services — offering downstream risk intelligence to clients without them needing to build their own monitoring infrastructure.

MSSPs

Deliver managed on-chain AML monitoring as a service. Use Web3Firewall's API to power wallet screening, transaction risk scoring, behavioral alerting, and reporting workflows for multiple digital asset clients from a single integration.

Example: on-chain AML signals in practice

Here is a concrete example of what on-chain AML monitoring surfaces for a wallet that passes standard identity screening but carries significant on-chain risk signals.
This example illustrates the core gap that on-chain AML fills: identity verification tells you who someone claims to be. On-chain AML monitoring tells you what their funds have been doing. For compliance teams responsible for detecting financial crime, both dimensions are necessary.

Why Web3Firewall for on-chain AML

Request a demo
Web3Firewall is a Web3 security and compliance platform — often described as a SIEM for blockchain. It is designed for operational compliance teams who need crypto AML monitoring to run continuously, integrate into existing transaction workflows, and produce audit-ready evidence.
The platform combines behavioral monitoring, wallet risk scoring, transaction simulation, and a programmable policy engine into a single operational layer. Transactions routed through Web3Firewall can receive a real-time verdict — allow, deny, or require approval — that applies customer-defined risk and policy rules within configured transaction workflows. Web3Firewall is designed to support AML/CFT workflows and help operationalise jurisdiction-specific compliance controls — not to replace the full AML/CFT programme that regulated organisations must maintain. No software product alone satisfies regulatory AML/CFT obligations in full.

Behavioral monitoring, not only static lists

Every wallet is scored against behavioral baselines — not just matched against known-bad address lists. Novel threats from wallets with no prior risk history are surfaced before they appear on any external watchlist.

Real-time blockchain transaction monitoring

Continuous monitoring of transaction flows, wallet interactions, and on-chain behavior across supported chains. Automated alerting when patterns consistent with layering, structuring, mixing, or other financial crime typologies are detected.

Travel Rule workflow support

Wallet screening and risk scoring designed to support Travel Rule workflows — including risk assessment and due diligence for self-hosted wallet transfers where required under applicable rules and guidance. Provides auditable risk signals and audit trails to support compliance documentation.

Pre-broadcast controls

On-chain AML controls that can operate before a transaction reaches the network — not only after confirmation. Transactions routed through Web3Firewall that trigger configured policy rules can receive an automated verdict before submission, within customer-defined workflows.

Programmable AML policy engine

Define monitoring rules and policy controls in a no-code interface or via API. Policies can be jurisdiction-aware, asset-specific, counterparty-specific, or threshold-driven — adapting to your compliance framework as regulatory requirements and supervisory guidance evolve.

Audit-ready evidence trails

Every monitoring decision, alert, and transaction verdict is logged with execution details, risk signals, verdict, and supporting evidence. Compliance teams have a complete, auditable record for regulatory examinations, reporting workflows, and internal governance reviews.
Disclaimer: Web3Firewall provides risk intelligence and analysis tools. It does not provide legal, regulatory, or sanctions determinations. Monitoring outputs are risk indicators designed to support human and automated decision-making within configured compliance workflows.

See on-chain AML monitoring in action

Try the sandbox to screen any wallet address and see its full risk profile, behavioral signals, and counterparty graph — or book a 30-minute demo to see how Web3Firewall fits into your AML compliance programme.
Try the sandbox
Book a demo

Frequently Asked Questions

What is on-chain AML?

On-chain AML (anti-money laundering) refers to the application of AML controls and monitoring directly to blockchain transaction data — including wallet behavior, fund flows, smart contract interactions, and counterparty relationships. Unlike traditional AML systems designed for bank ledgers, on-chain AML operates on publicly available blockchain data to identify patterns consistent with financial crime, sanctions exposure, or other compliance risk.

Why is on-chain AML different from traditional AML?

Traditional AML systems monitor transactions within closed financial networks where every participant is identified. On-chain AML operates on open, pseudonymous blockchain networks where funds move directly between wallet addresses without intermediaries. This requires behavioral analysis, graph traversal across wallet networks, and real-time risk scoring — rather than name-matching and threshold alerts alone.

Who needs on-chain AML tools?

Any organisation that manages, processes, or interacts with digital assets has exposure to on-chain AML risk — including centralised crypto exchanges, custodians, stablecoin issuers, payment providers, blockchain infrastructure providers, and DeFi protocols. Many are subject to AML/CFT obligations under applicable frameworks in their jurisdictions.

What does on-chain AML monitoring detect?

On-chain AML monitoring can identify patterns consistent with: layering and structuring behavior, mixer use, connections to addresses associated with elevated risk in intelligence datasets, rapid cross-protocol fund movement, anomalous transaction velocity, dormant wallet reactivation, and behavioral deviations from established baselines. These signals inform risk assessment — they are not legal or regulatory determinations.

What is the difference between on-chain AML and blockchain analytics?

Blockchain analytics covers any analysis of on-chain data. On-chain AML is a specific operational application — using blockchain analytics to detect financial crime risk and support AML/CFT compliance workflows. On-chain AML tools are designed to integrate into compliance workflows and produce structured, auditable risk assessments rather than being used purely for investigation.

What regulations drive on-chain AML and transaction monitoring requirements?

For many crypto businesses, AML/CFT obligations include transaction monitoring, suspicious activity handling, and risk-based controls. In the EU, these obligations are driven most directly by Regulation (EU) 2023/1113 and related AML/CFT requirements, while MiCA creates separate operational obligations that often rely on similar monitoring infrastructure. In the US and UK, covered firms may be subject to AML/CTF obligations under applicable MSB and money-laundering regimes.

How does behavioral analysis improve on-chain AML?

Static watchlists only flag wallets already identified as problematic. Behavioral analysis detects anomalous patterns — unusual transaction sequences, atypical fund routing, activity inconsistent with a wallet's historical baseline — even when no prior label exists. This is critical because most novel threats originate from wallets with no established risk history.

What is the Travel Rule and how does it relate to on-chain AML?

The Travel Rule requires VASPs and CASPs to collect, verify, and transmit originator and beneficiary information for crypto-asset transfers. In the EU, this is governed by the Transfer of Funds Regulation (Regulation (EU) 2023/1113), which extends originator-and-beneficiary information requirements to crypto-asset transfers and is supported by EBA guidance. On-chain AML monitoring supports Travel Rule workflows by providing wallet risk assessments, supporting due diligence and risk assessment for transfers involving self-hosted wallets where required under applicable rules and guidance, and generating audit trails for compliance documentation.
HomeAbout UsCareerProductPartnership
CEXsCustodiansInfrastructure ProvidersMSSPsStablecoin and Token Providers
Docs Blogs Privacy Policy Terms and Conditions
© All rights reserved. Web3Firewall. Privacy |  Terms and Conditions