Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Back to Glossary

Indirect risk

Table of contents
Indirect risk

Indirect risk in crypto compliance refers to a wallet's exposure to illicit activity that doesn't originate from a direct counterparty, but is traced through one or more intermediate wallet addresses on the blockchain. For financial institutions and crypto businesses, it's one of the most consequential — and most frequently misunderstood — concepts in transaction risk assessment.

{{horizontal-line}}

What is indirect risk?

In traditional finance, counterparty risk is relatively binary: a transaction either involves a sanctioned entity or it doesn't. On the blockchain, the picture is more complex. Because every transaction is recorded on a public ledger and traceable across wallets, compliance teams can — and regulators increasingly expect them to — identify not just who a customer transacted with directly, but who those counterparties subsequently transacted with.

Indirect risk describes the exposure that sits at the end of that chain. If a customer's wallet sent funds to Wallet A, which then sent funds to Wallet B, which sent funds to a sanctioned exchange, the customer has indirect risk exposure to that sanctioned entity — even though no direct transaction ever took place.

The number of intermediate wallets between a customer and the source of illicit activity is called the hop count, or simply "hops." One hop of separation means the customer transacted with someone who transacted with a high-risk entity. Two hops means there's one intermediary wallet in between. The question of how many hops are too many has no universal answer — and that ambiguity is at the heart of what makes indirect risk so challenging to operationalize.

How does indirect risk work?

Assessing indirect risk is not simply a matter of counting hops and applying a cutoff. OFAC has not defined a de minimis level of sanctions exposure that is automatically acceptable, regardless of hop count. Compliance teams need to evaluate indirect risk signals collectively.

Several factors determine whether a chain of transactions constitutes a valid indirect risk path:

Hop distance

Hop distance does not automatically reduce risk. Sophisticated bad actors deliberately move funds through multiple wallets to create the appearance of distance. Groups like Lazarus Group are known to route proceeds through dozens of wallets across multiple chains before attempting to cash out. An arbitrary hop cutoff creates exactly the gap experienced money launderers exploit.

Transaction timing

Transaction timing matters significantly. When funds move from one wallet to the next within minutes, that pattern strongly suggests intentional rapid movement rather than coincidental co-ownership. Transfers separated by weeks or months may indicate a genuine change of ownership — weakening the claim that an indirect risk path is valid.

Intermediate address behavior

Intermediate address behavior provides important signals. Wallets with exactly one inbound and one outbound transaction — sometimes called funnel accounts — almost certainly represent passthrough activity rather than legitimate ownership. These addresses function the same way short-lived banking accounts do in traditional money laundering schemes.

Blockchain data

Blockchain-specific data points add further context. On the Bitcoin blockchain, for example, elements like locktime, address type (legacy vs. SegWit vs. multi-signature), and wallet version can indicate whether the same entity controlled multiple addresses across hops.

No single factor is determinative. Compliance teams need to weigh these signals together and document their reasoning — both to make accurate risk decisions and to demonstrate defensible methodology if regulators ask.

What are the biggest challenges in assessing indirect risk?

Tracing through intermediary services

The most significant methodological pitfall is inadvertently tracing through an intermediary service — an exchange, OTC desk, or payment processor. These entities typically operate using omnibus accounts and common deposit addresses, meaning that funds from many different users flow through the same address. When a compliance team traces a transaction chain and hits an exchange deposit address, they cannot reliably attribute the outbound funds on the other side to the same source.

Incorrectly tracing through a service risks generating false positives — potentially flagging legitimate customers based on phantom risk paths. Identifying when a chain has passed through a service requires specific signals: unusually high transaction volume, a large number of counterparties, and transaction behavior consistent with aggregated flows.

The absence of a regulatory bright line

While regulators have signaled that meaningful indirect exposure requires action, no agency has prescribed a universal methodology for evaluating it. This leaves institutions to build internal frameworks — and to document them thoroughly in case of regulatory review. Institutions that set their thresholds too conservatively risk generating alert fatigue; those that set them too loosely risk enforcement exposure.

Why does indirect risk matter for financial institutions and crypto businesses?

Regulators are paying close attention to how institutions configure their blockchain analytics tools — not just whether they use them at all.

For crypto businesses, the stakes are high. Exchanges and virtual asset service providers (VASPs) that fail to detect and act on meaningful indirect exposure face regulatory sanctions, license revocations, and reputational damage. For financial institutions, the addition of crypto counterparties — whether directly through clients or indirectly through correspondent relationships — creates new categories of risk that traditional transaction monitoring tools weren't designed to assess.

TRM Labs has written about how institutions should structure their approach here.

How does TRM Labs help compliance teams assess indirect risk?

TRM's blockchain intelligence platform is built to surface and contextualize indirect risk across multiple dimensions. TRM Wallet Screening and TRM Transaction Monitoring both trace indirect exposure paths across transaction hops, providing compliance teams with the evidence and context they need to make defensible decisions.

TRM's entity attribution capabilities allow compliance teams to identify when a transaction chain passes through a known service — and to stop tracing at that point rather than generating misleading conclusions. This is particularly important for complex indirect exposure paths that cross multiple exchanges or OTC desks before reaching a high-risk entity.

For multi-chain exposure, TRM automatically traces through cross-chain bridges and swaps, detecting indirect risk when funds move between blockchains. Given that moving assets across chains is a common obfuscation technique, cross-chain visibility is essential for institutions whose customers interact with DeFi protocols or multi-chain wallets.

{{horizontal-line}}

Frequently asked questions (FAQs)

1. What is the difference between direct risk and indirect risk in crypto?

Direct risk means a wallet transacted directly with a high-risk or sanctioned entity. Indirect risk means the exposure runs through one or more intermediate wallets — the customer never sent funds directly to the bad actor, but the transaction trail connects them. Both types of risk are relevant for compliance purposes, and regulators expect institutions to assess both.

2. How many hops away is still considered a compliance concern?

No regulatory body has set a universal hop threshold. OFAC has not defined a de minimis level of acceptable sanctions exposure, and the NYDFS enforcement action against Block demonstrated that setting internal thresholds too high — even 1% exposure to terrorism-linked wallets — can constitute a regulatory violation. Institutions must evaluate each case using multiple factors, not a single hop count.

3. Can you trace through an exchange when assessing indirect risk?

Generally, no. Exchanges and other intermediary services use common deposit addresses and omnibus account structures, meaning that funds from multiple unrelated users flow through the same addresses. Tracing through these services typically produces unreliable results and risks generating false positives. When a transaction chain hits a known service, compliance teams should stop tracing and assess the risk up to that point.

4. What is a funnel account in the context of indirect risk?

A funnel account is an intermediate wallet that receives funds from one address and immediately forwards them to another, with no other transaction history. This behavior strongly suggests the address was created solely to obscure the movement of funds — the blockchain equivalent of a short-lived shell account in traditional money laundering. A series of funnel accounts in a transaction chain is a meaningful signal of intentional obfuscation.

5. Does transaction timing affect how indirect risk is assessed?

Yes. Transfers that occur minutes apart across a chain of wallets suggest coordinated, intentional movement — and strengthen the case that the wallets are controlled by the same entity. Transfers separated by weeks or months are more likely to reflect genuine ownership changes, which weakens the indirect risk chain. Timing is one of several factors compliance teams should weigh collectively.

6. What should financial institutions do to manage indirect risk exposure?

Institutions should document their indirect risk methodology, configure blockchain analytics tools with defensible and calibrated thresholds, and train compliance staff on how to evaluate multi-hop exposure. The NYDFS September 2025 guidance recommends that banks with digital asset exposure implement blockchain analytics capable of assessing both direct and indirect risk — and that thresholds reflect genuine risk tolerance, not administrative convenience.

7. How does TRM Labs handle indirect risk across multiple blockchains?

TRM automatically traces through cross-chain bridges and swaps to detect indirect exposure when funds move between blockchains. Moving assets across chains is a common obfuscation technique — if monitoring stops at a chain boundary, the full risk picture may be missed. TRM's cross-chain coverage spans 640+ bridges and gives compliance teams a complete view of fund flows across chains.

Keep learning

Crypto compliance

Crypto compliance refers to the processes financial institutions and crypto businesses use to meet anti-money laundering (AML), counter terrorist financing (CTF), and other regulatory obligations.

Learn more

Counterparty risk

Counterparty risk is direct blockchain exposure through a transaction partner. Learn how VASPs, financial institutions, and law enforcement identify and manage it with TRM.

Learn more

Ownership risk

Ownership risk arises when a wallet is owned or controlled by a sanctioned entity. Learn how FIs and crypto businesses detect and respond to it.

Learn more
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No items found.