Ownership risk
Ownership risk in crypto compliance refers to the exposure that arises when a wallet address is owned, controlled by, or directly associated with a sanctioned entity, designated terrorist organization, or other high-risk actor. It represents the most direct form of blockchain risk — not a transactional link to a bad actor, but an identity link. The wallet itself belongs to the problem.
What is ownership risk?
In blockchain compliance, risk is typically assessed along three dimensions:
- Whether a wallet is owned by a bad actor
- Whether it has transacted with one
- How many steps separate it from illicit activity
Ownership risk sits at the top of that hierarchy. It describes situations where a wallet address has been attributed to — or is controlled by — an entity that is sanctioned, criminally designated, or otherwise identified as high-risk.
This can take several forms. A wallet may be directly listed on a sanctions designation (OFAC's Specially Designated Nationals list, for example, increasingly includes specific crypto addresses). It may be attributed to a known threat actor — a ransomware group, darknet marketplace, or terrorist financing network — through blockchain intelligence and open-source research. Or it may be linked to a real-world entity whose legal or regulatory status makes it prohibited to transact with.
Ownership risk is distinct from the risk of association. A wallet doesn't need to have sent or received funds from an illicit source to carry ownership risk — the issue is who controls it. This is what makes ownership risk both the most unambiguous category of blockchain risk and, in some ways, the most legally consequential.
How is ownership risk identified?
Identifying ownership risk requires connecting pseudonymous wallet addresses to real-world entities — a process that draws on entity attribution, address clustering, and open-source intelligence.
Sanctions list matching
Sanctions list matching is the most straightforward mechanism. OFAC and other sanctions authorities now routinely include specific crypto wallet addresses on their designation notices. Any direct match between a screened address and a listed address constitutes clear ownership risk. But list-based matching alone is insufficient — bad actors frequently rotate addresses, and newly created wallets won't appear on any list until after the fact.
Entity attribution
Entity attribution extends beyond list matching by connecting wallet addresses to known actors through behavioral analysis, on-chain data, and external intelligence. Blockchain intelligence platforms like TRM Labs maintain attribution databases built from millions of data sources — including dark web monitoring, threat intelligence feeds, and law enforcement partnerships — that allow compliance teams to link addresses to entities even when those addresses aren't formally listed.
Address clustering
Address clustering uses on-chain behavioral signals to group wallets likely controlled by the same entity. Common input ownership heuristics, address reuse patterns, and other cryptographic signals can establish that multiple addresses belong to a single actor — meaning that a sanctions designation against one address effectively extends to the cluster.
What are the biggest challenges in assessing ownership risk?
Attribution confidence
Attribution confidence varies significantly across addresses. Some wallets have high-confidence attribution backed by multiple independent data sources; others carry lower-confidence labels based on limited signals. Compliance teams need to understand not just the risk label applied to an address, but the evidentiary quality behind it — and calibrate their response accordingly.
Address rotation
Address rotation is a deliberate evasion tactic. Sanctioned actors and criminal organizations frequently generate new wallet addresses to avoid matching against known lists. An institution that screens only against a static list of known bad addresses will miss activity from newly generated wallets tied to the same actor. This is why attribution at the entity level — identifying the organization behind the addresses — is more durable than address-level screening alone.
Shared and custodial addresses
Shared and custodial addresses create attribution complexity. When a sanctioned individual uses a centralized exchange or custodial wallet, their transactions may flow through addresses that also handle funds from thousands of unrelated users. Compliance teams need to distinguish between true ownership of an address and incidental use of a shared service.
Pseudonymity
Pseudonymity remains a structural feature of most blockchains. While blockchain data is public, connecting an address to a real-world identity requires off-chain intelligence that not every institution has access to. The quality of an institution's ownership risk detection is directly proportional to the quality of the attribution data underpinning its screening.
Why does ownership risk matter for financial institutions and crypto businesses?
Transacting with a wallet that carries ownership risk — knowingly or unknowingly — can be evidence of compliance obligation failures. For financial institutions, the regulatory exposure is acute. As banks expand their digital asset services — whether through crypto custody, stablecoin settlement, or correspondent relationships with crypto firms — they take on ownership risk exposure that their traditional transaction monitoring systems weren't built to detect. The NYDFS September 2025 Industry Letter made clear that New York-regulated banks are expected to implement blockchain analytics capable of assessing ownership, counterparty, and indirect exposure for any digital asset activity.
For crypto businesses, ownership risk is the primary compliance concern at onboarding. Screening a wallet address before a customer deposits funds is the first line of defense — catching ownership-risk wallets at the point of entry prevents the more complex downstream problem of having already accepted funds from a sanctioned actor. TRM Labs' analysis of blockchain risk typologies underscores that ownership risk, unlike indirect exposure, typically warrants immediate action rather than further investigation.
How does TRM Labs help assess ownership risk?
TRM Wallet Screening is purpose-built for ownership risk detection at scale. TRM's platform screens wallet addresses against a continuously updated database of sanctions designations, law enforcement intelligence, and threat actor attributions — returning a full risk assessment in under 400 milliseconds across 70 million+ digital assets and 29+ blockchains.
TRM's entity attribution capabilities go beyond list matching. TRM's dedicated threat intelligence team and data science models monitor over 300 million sources monthly — including dark web forums, sanctions updates, and court filings — to maintain attribution data that connects wallet addresses to real-world entities even before formal designations are issued. This is particularly important for catching wallets controlled by newly designated actors or previously unknown threat groups.
For compliance teams that need to investigate ownership risk in depth, TRM Forensics provides a visual investigation environment for tracing wallet clusters, surfacing entity attribution evidence, and building documented audit trails to support blocking decisions or regulatory inquiries.
TRM also allows institutions to configure ownership risk thresholds separately from counterparty and indirect risk — reflecting the fact that ownership risk typically warrants a different and more decisive response than probabilistic exposure at greater hop distances.
What is the difference between ownership risk vs. counterparty risk vs. indirect risk?
These three risk types describe different levels of proximity between a wallet and a source of illicit activity. Understanding the distinction is essential for calibrating compliance responses — not all blockchain risk is equivalent, and treating every exposure type the same leads either to over-blocking legitimate users or under-blocking genuine threats.
Ownership risk
Ownership risk is the most direct. A wallet carries ownership risk when it is owned, controlled by, or directly attributed to a high-risk entity — a sanctioned individual or organization, a designated terrorist group, or a known criminal actor. The wallet doesn't need to have transacted with anyone problematic; the problem is the identity of the person or group holding it. Ownership risk typically warrants immediate action: blocking, freezing, or filing a suspicious activity report (SAR).
Counterparty risk
Counterparty risk sits one step removed. A wallet carries counterparty risk when it has directly transacted with a high-risk address — but is not itself owned or controlled by a bad actor. The customer's wallet sent funds to, or received funds from, a wallet that has been attributed to illicit activity. This is sometimes called "one-hop" exposure. Counterparty risk requires investigation: Who conducted those transactions? Were they recent or historical? What was the nature of the interaction? The answers inform whether to block, request enhanced due diligence, or file a report.
Indirect risk
Indirect risk is the most distal. A wallet carries indirect risk when the connection to illicit activity runs through one or more intermediate wallets — two or more hops away. Indirect risk requires the most nuanced assessment, because hop count alone is not a reliable measure of exposure. Compliance teams must evaluate transaction timing, intermediate address behavior, whether the chain passed through an intermediary service, and the nature of the ultimate risk source. Regulatory guidance has made clear — particularly through the NYDFS enforcement action against Block — that meaningful indirect exposure cannot simply be defined away with a hop threshold.
The table below summarizes how the three risk types compare:
TRM Wallet Screening allows compliance teams to configure risk tolerances separately across all three typologies — reflecting the reality that each type carries different legal implications and warrants a different operational response.
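An added example (not TRM's code and not part of the original page) of the address clustering and three-typology logic described above: a union-find over co-spent inputs implements the common input ownership heuristic, and a breadth-first search over the resulting clusters labels an address as ownership, counterparty, or indirect exposure. The ledger, address names, and listed entry are constructed; the code assumes no shared or custodial addresses, and the hop count it returns is one input to an assessment, not a verdict.

```python
from collections import defaultdict, deque

TXS = [  # constructed sample ledger: (input addresses, output addresses)
    (["A1", "A2"], ["M1"]),  # A1 and A2 co-spend: same controller
    (["A2", "A3"], ["M2"]),  # A3 joins that cluster through A2
    (["C1"], ["A3"]),        # C1 pays the cluster directly
    (["D1"], ["C1"]),        # D1 reaches it only through C1
    (["E1"], ["E2"]),        # unrelated activity
]
LISTED = {"A1"}  # constructed stand-in for one designated address


def cluster(txs):
    """Map each address to a cluster root by merging co-spent inputs."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    for ins, outs in txs:
        for addr in ins + outs:
            find(addr)  # register every address seen
        for addr in ins[1:]:
            parent[find(addr)] = find(ins[0])  # union with the first input
    return {addr: find(addr) for addr in parent}


def classify(addr, txs, listed):
    """Return (risk_type, hops): ownership=0, counterparty=1, indirect>=2."""
    root = cluster(txs)
    bad = {root.get(a, a) for a in listed}  # clusters holding a listed address
    adj = defaultdict(set)                  # cluster-level transaction graph
    for ins, outs in txs:
        for i in ins:
            for o in outs:
                adj[root[i]].add(root[o])
                adj[root[o]].add(root[i])
    start = root.get(addr, addr)            # unseen addresses stand alone
    dist, queue = {start: 0}, deque([start])
    while queue:                            # BFS: first hit is the shortest path
        c = queue.popleft()
        if c in bad:
            return (("ownership", "counterparty", "indirect")[min(dist[c], 2)], dist[c])
        for n in adj[c]:
            if n not in dist:
                dist[n] = dist[c] + 1
                queue.append(n)
    return ("none", None)
```

A3 never appears in `LISTED`, yet `classify("A3", TXS, LISTED)` returns ownership because it co-spends with A1's cluster, which is the case a static list match misses.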
Frequently asked questions (FAQs)
1. What is ownership risk in crypto compliance?
Ownership risk arises when a wallet address is owned, controlled by, or directly attributed to a sanctioned entity, designated terrorist organization, or other high-risk actor. It is the most direct form of blockchain risk — not a link through transactions, but an identity link. The wallet itself belongs to or is controlled by the problem.
2. How is ownership risk different from counterparty risk?
Ownership risk means the wallet itself is tied to a bad actor. Counterparty risk means the wallet directly transacted with a bad actor — but is not itself owned by one. The distinction matters because the appropriate compliance response differs: ownership risk typically requires immediate action, while counterparty risk calls for investigation and enhanced due diligence before deciding on next steps.
3. Can a wallet carry ownership risk even if it hasn't been used for illicit transactions?
Yes. A wallet controlled by a sanctioned entity carries ownership risk regardless of its transaction history. The basis for the designation is the identity of the controller, not the nature of the funds that have moved through it. Under OFAC's strict liability standard, transacting with such a wallet can constitute a sanctions violation even if the specific transaction appears benign.
4. How does OFAC handle crypto wallet addresses in sanctions designations?
OFAC routinely includes specific crypto wallet addresses in its Specially Designated Nationals (SDN) designations. These addresses are listed under the designated individual's or organization's entry and are subject to the same blocking and reporting requirements as other sanctioned property. Because sanctioned actors frequently rotate addresses, direct list matching is necessary but not sufficient — entity-level attribution is needed to catch new wallets controlled by the same actor.
5. What is address clustering and why does it matter for ownership risk?
Address clustering uses on-chain signals — common input ownership, address reuse patterns, and other behavioral indicators — to group wallet addresses that are likely controlled by the same entity. If a sanctions designation covers one address in a cluster, the compliance implication extends to the rest of the cluster. Institutions that screen only against explicitly listed addresses, without clustering analysis, risk missing significant ownership exposure.
6. How should compliance teams respond differently to ownership risk vs. indirect risk?
Ownership risk generally warrants immediate, decisive action — blocking the transaction, freezing the funds, and potentially filing a SAR — because the wallet is directly tied to a prohibited actor. Indirect risk requires a more calibrated response: evaluating hop distance, transaction timing, intermediate address behavior, and the nature of the ultimate risk source before deciding whether the exposure is meaningful enough to act on. Setting the same threshold for both risk types leads to either under-enforcement at the ownership level or over-blocking at the indirect level.
7. How does TRM Labs detect ownership risk for newly created wallets?
TRM's threat intelligence team monitors over 300 million sources monthly — including dark web forums, criminal marketplaces, and sanctions authority updates — to identify and attribute wallet addresses to known actors before formal designations are issued. This proactive attribution means TRM can flag a wallet controlled by a known ransomware group or terrorist financing network even if the address hasn't yet appeared on an OFAC list, reducing the window of exposure for institutions relying solely on list-based screening.