Key Considerations for Evaluating Indirect Risk on the Blockchain

Blockchain technology is unique for its promise of decentralization and transparency, offering unparalleled visibility into transactional activity taking place on-chain. But this transparency is a double-edged sword for compliance officers. While it has the potential to make money laundering detection much more effective, it also raises significant challenges about how to use and operationalize a level of transparency that does not exist in traditional financial systems.

The ability to see suspicious activity away from your customer or institution is often called “indirect risk.” The number of wallet addresses between, say, a customer’s wallet address and the final address where the risk originated or is identified is often referred to as the number of “hops.”

For example, in the image below, Address A has two wallet addresses between it and Nobitex, an Iranian exchange. Thus, Address A may have indirect risk exposure to a sanctioned exchange.

For compliance officers, questions quickly arise about how to leverage and investigate indirect risk. For example:

  • How do I know if the risk several addresses away is connected to my customer or not?
  • Is there a change of ownership from one address to the next?
  • How many “hops” away from my customer’s wallet address should I consider?
  • What factors should I consider to help me answer those questions?

As financial institutions and crypto businesses continue to build out more robust crypto compliance processes, and as regulators turn increased attention to crypto compliance programs, there’s a pressing need for compliance officers to understand when and how to harness this enhanced visibility.

Guiding principles for compliance officers

The following principles can help compliance officers determine the validity of potential indirect risk when looking at a path of on-chain transactions.

Importantly, no single factor is determinative to establish the validity of indirect risk. Rather, compliance officers need to evaluate a variety of factors collectively to make a determination.

Additionally, while blockchain intelligence companies like TRM may each have their own methodology on how indirect risk is calculated and presented to users, it’s important for compliance officers to understand and be able to explain the factors that go into those methodologies. Ultimately, the best crypto investigators need to leverage granular blockchain data, experience, and investigative intuition to make their own determinations.

1. Remember that more hops doesn’t necessarily equal less risk

In the early days of illicit cryptocurrency activity, money laundering and cashing out illicit proceeds was often quite direct. Bad actors had less of a need to obfuscate their trails given limited enforcement and compliance in many jurisdictions.

But over time, bad actors have become increasingly sophisticated in their money laundering schemes and their exploitation of the crypto ecosystem. To further evade detection and seizure efforts, their obfuscation patterns have intensified.

While some bad actors may still be relatively direct in cashing out ill-gotten gains through an exchange, others (like North Korea’s Lazarus group) prefer to use complicated patterns and techniques to obscure their paths. This means that compliance programs whose transaction monitoring is set to look only at a small, arbitrary number of hops are more likely to miss this kind of illicit activity.

2. Be wary of tracing through services

As compliance officers attempt to assess indirect risk, they may inadvertently trace into an intermediary service like an exchange.

One of the core tenets of blockchain tracing and investigations is that, generally, one cannot trace through a service, including entities such as an exchange, OTC desk, payment processor, etc. This follows from the fact that services often use common deposit addresses and omnibus account structures to aggregate customer funds. Investigators inadvertently tracing through a service will likely make incorrect assumptions about the validity of an indirect risk path.

Exchange 1 is conducting a source of funds review on Wallet 1, which deposited funds to the exchange. If you attempt to trace back through Wallet 2 until you hit the Terrorist Financing Entity wallet, you will have traced through an exchange.

An investigator may be able to identify whether a wallet address belongs to a service (even where the blockchain intelligence company does not have attribution) by analyzing the number of addresses in a particular cluster, the number of withdrawals and deposit transactions, the volume of funds flowing through it, or the number of different counterparties. For example, a wallet address with millions of dollars, thousands of transactions, and hundreds of counterparties is more likely to be a service.

3. Analyze the time between hops

By analyzing the timestamps between each transaction or wallet address and hop, compliance officers can gather important signals to help them evaluate the validity of potential indirect risk.

If the time between each set of chronologically (i.e., moving forward in time) occurring transfers is very close together, that could indicate a bad actor quickly moving funds along a path on the way to a cash out point. Sophisticated money launderers will often code a series of transactions so that transfers are only minutes apart. It should be noted that this data point alone is not determinative. Bad actors may deposit funds in an address and hold them for months at a time before transacting again. Still, transactions along a path that take place weeks, months, or years apart may be indicative of a change of ownership that undermines the potential of true indirect risk.

Note the timestamps between the initial withdrawal from Tornado Cash all the way through to the Exchange.

4. Review the activity and characteristics of intermediate addresses

Reviewing the transactional volume of each intermediate address between your customer’s wallet and the wallet carrying the illicit risk can be a significant factor in determining a path’s validity.

The presence of intermediate addresses with only two transactions (one deposit and one withdrawal) is a strong indicator that there isn’t a change of ownership, or that there may be strong connectivity between the risk and your customer’s wallet. These types of one-time use addresses are akin to funnel accounts at banking institutions that are opened only to facilitate the movement of one illicit transaction.
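
The checks from principles 2 to 4, as an added Python example (not TRM's methodology or code): it walks a constructed path forward from the risk source, stops at the first service-like address, and counts rapid gaps, long gaps and one-time use addresses. The Hop fields, the thresholds and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values taken from the article.
SERVICE_MIN_TX, SERVICE_MIN_PEERS, SERVICE_MIN_USD = 1_000, 100, 1_000_000
RAPID_GAP = timedelta(hours=1)   # transfers "only minutes apart"
STALE_GAP = timedelta(days=14)   # "weeks, months, or years apart"

@dataclass
class Hop:
    address: str           # intermediate address on the path
    received_at: datetime  # when the traced funds arrived
    tx_count: int          # lifetime transactions of the address
    counterparties: int    # distinct counterparties
    volume_usd: float      # lifetime volume

def looks_like_service(h: Hop) -> bool:
    """Principle 2: high volume, activity and counterparties suggest a service."""
    return (h.tx_count >= SERVICE_MIN_TX and h.counterparties >= SERVICE_MIN_PEERS
            and h.volume_usd >= SERVICE_MIN_USD)

def evaluate_path(source_time: datetime, hops: list) -> dict:
    """Walk forward in time from the risk source and collect path signals."""
    out = {"usable_hops": 0, "stopped_at_service": None,
           "rapid_gaps": 0, "stale_gaps": 0, "one_time_use": []}
    prev = source_time
    for h in hops:
        if looks_like_service(h):            # do not trace through a service
            out["stopped_at_service"] = h.address
            break
        gap = h.received_at - prev           # principle 3: time between hops
        out["rapid_gaps"] += gap <= RAPID_GAP
        out["stale_gaps"] += gap >= STALE_GAP
        if h.tx_count == 2:                  # principle 4: one deposit, one withdrawal
            out["one_time_use"].append(h.address)
        out["usable_hops"] += 1
        prev = h.received_at
    return out

# Constructed sample data (addresses and figures are made up).
T0 = datetime(2024, 1, 1, 12, 0)
FAST_PATH = [Hop(f"addr_a{i}", T0 + timedelta(minutes=7 * i), 2, 2, 50_000.0)
             for i in (1, 2, 3)]
BROKEN_PATH = [Hop("addr_b1", T0 + timedelta(days=90), 40, 12, 50_000.0),
               Hop("addr_b2", T0 + timedelta(days=91), 50_000, 4_000, 9e7)]

if __name__ == "__main__":
    print(evaluate_path(T0, FAST_PATH))
    print(evaluate_path(T0, BROKEN_PATH))
```

The returned dictionary is a set of signals for an investigator to weigh together, not a verdict, since no single factor is determinative.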

5. Leverage additional blockchain data to make connections

Depending on the type of blockchain you’re reviewing, there are additional data points investigators can use to try and determine whether a string of transfers is conducted by the same bad actor. For instance, when looking at Bitcoin transfers, looking for consistencies in Locktime, Version, Segwit, and type of address can give additional clues that one transfer is connected to the next.

Similarly, the type of wallet being used (and whether that changes) is an additional signal. For instance, some wallets use only one address type, while others enable support for multiple types. As investigators follow a path and see that the address type changed from a legacy address to a multi-signature (multisig) address, there is a good probability of a change of ownership. In essence, analyzing the behavior of wallet addresses includes not only more traditional transactional clues like volume, counterparties, throughput, etc., but can also extend to the different types of addresses, giving additional data points for an investigator to leverage in their review.

These principles offer compliance officers a more structured approach for evaluating indirect risk in blockchain transactions. Importantly, without these contextual clues to evaluate indirect risk, compliance officers will be limited—and potentially mistaken—as they try to harness the enhanced visibility that blockchain technology offers. With these important signals, compliance officers can increase their effectiveness at identifying and reporting more actionable intelligence to regulators and law enforcement.
