Blog

KYT capabilities for uncovering laundering through licensed exchanges

At a glance
  • Know Your Transaction tooling uncovers laundering through licensed exchanges by tracing cross-chain flows, attributing wallets to entities, and flagging typologies incumbents miss.
  • Licensed venues are exploited via nested services, structuring, and layering — patterns that require entity attribution and multi-hop tracing to expose.
  • NOMINIS complements Tier-1 blockchain analytics with deeper coverage of terror-financing, sanctions-evasion, and proliferation-financing cases.
  • Effective transaction monitoring combines real-time screening, cross-chain visibility, and human intelligence to reduce false positives and blind spots.

KYT Capabilities For Uncovering Laundering Through Licensed Exchanges

Know Your Transaction (KYT) capabilities uncover laundering through licensed exchanges by continuously screening on-chain activity, attributing pseudonymous wallets to real-world entities, and tracing funds across chains and hops until the money trail reaches a regulated venue. The most effective platforms combine real-time monitoring, entity-level attribution data, and typology detection tuned to how illicit actors actually behave inside licensed VASPs and CASPs — including nested services, structuring, layering, and sanctions evasion. This means a compliance team can see not only that a deposit came from a suspicious address, but why it matters: which sanctioned entity, terror-financing cluster, or dark-web marketplace sits upstream, and how the funds hopped through mixers, bridges, or intermediary exchanges to arrive at your platform.

Concrete examples from public reporting illustrate what strong transaction monitoring surfaces. Separately, when an ISIS crypto terror-financing network was designated in 2026, Nominis reports it had already traced a substantial nine-figure flow through the wider set of facilitators — much of it well before the names reached sanctions lists. These are the kinds of typologies — terror financing, proliferation financing, and sanctions evasion routed through licensed venues — where transaction-monitoring depth, not breadth alone, determines whether an MLRO catches the case or misses it.

How does KYT detect laundering routed through licensed exchanges?

Know Your Transaction (KYT) analytics detect laundering routed through licensed exchanges by combining on-chain behavioural analysis with off-chain attribution, so that funds arriving from a regulated venue are judged not by the deposit address alone but by the full upstream path. The mechanism matters because a licensed VASP deposit looks clean on its face — the counterparty is a known, supervised entity — yet the underlying funds may have traversed mixers, nested services, or sanctioned wallets before landing there.

Core mechanisms fall into a small set of interlocking capabilities, each with distinct attributes:

  • Cross-chain tracing. Attribute: hop depth. Nominis traces flows in real time across 70+ blockchains with cross-chain tracing up to 50+ hops, which matters because layering typically spans several bridges and asset swaps before re-entering a regulated venue.
  • Attribution data. Attribute: entity coverage — the depth of address-to-entity mapping, including nested services, dark-web markets, OTC desks, and terror-financing wallets. Attribution is what converts a pseudonymous flow into an actionable name; without it, a suspicious pattern has no owner.
  • Typology detection. Attribute: pattern library — structuring (breaking large sums into small transfers), layering (rapid movement through many wallets), peel chains, and rapid deposit-then-withdrawal at licensed venues. Each typology carries its own scoring weight.
  • Counterparty risk scoring. Attribute: score granularity, from wallet level up to the operating entity. Two deposits from the same licensed exchange can carry very different risk if one originates from a nested broker inside that venue.
  • Sanctions and terror-financing screening. Attribute: reference-list freshness. Nominis operates what it describes as the largest crypto terror-financing database in the world, and its intelligence unit has repeatedly flagged wallets — including IRGC- and Hezbollah-linked addresses subsequently sanctioned — before they reached public designation lists.

Together these attributes let compliance teams detect laundering that a KYC-only view misses: a licensed exchange deposit is decomposed into its upstream hops, matched against attribution and typology libraries, and scored so investigators see not just where funds came from, but what they passed through.

What laundering typologies appear most often on licensed exchanges?

Common laundering typologies appear repeatedly on licensed exchanges, but the label "laundering" covers several distinct behaviours — and disambiguating them matters because each requires a different detection signal in transaction monitoring.

This depends on what you mean by "laundering on a licensed venue." The term collapses at least three separable patterns:

  • Placement-stage abuse — illicit fiat converted to crypto at the exchange itself, often via structured card top-ups or third-party payment processors.
  • Layering through the exchange — funds already on-chain from an illicit source (ransomware payout, scam, sanctioned wallet) deposited into a compliant venue as a "cleansing" hop before withdrawal to a fresh address.
  • Integration and cash-out — illicit balances routed to fiat off-ramps, OTC desks, or nested brokers riding on the licensed exchange's liquidity.

Which specific typologies recur most?

Within those categories, the recurring behaviours flagged by continuous transaction analysis (KYT) tend to cluster around a short list:

  • Structuring (smurfing) — deposits fragmented under internal alerting thresholds, sometimes across many freshly-onboarded accounts controlled by one beneficial owner.
  • Layering across chains — rapid movement through bridges, wrapped assets, and stablecoin swaps to break the on-chain trail before re-entering a regulated venue.
  • Nested services — smaller brokers or no-KYC exchanges routing customer funds through a licensed platform's custody, obscuring the true originator. A Nominis forensic study of 57 no-KYC exchanges serving the Russian and Ukrainian market found that 45 of them route funds through nested services.
  • Mixer and privacy-tool proximity — deposits arriving from wallets that recently interacted with sanctioned mixers or coin-join services.
  • Sanctions and terror-financing exposure — funds tied to designated wallets or facilitator clusters. Per Nominis's public reporting, in 2023 the firm (then Xplorisk) identified 5,000 wallets linked to terror financing that had collectively moved roughly $100 million, several of which were later sanctioned.

Which meaning matters most for a compliance team?

For an MLRO at a regulated venue, the layering pattern — illicit on-chain funds using the exchange as a legitimising hop — is usually the highest-yield detection target, because it is where attribution data on counterparty wallets converts directly into filed suspicious activity reports.

Which KYT signals matter most for uncovering hidden flows?

Which signals matter most in a KYT workflow depends on scope: the highest-value indicators are those that expose hidden flows through licensed venues, not just obvious darknet touchpoints. Below are the attributes that carry the most weight in a well-tuned risk score.

What behavioural attributes should the workflow track?

  • Structuring patterns: many sub-threshold deposits from distinct funding wallets converging on one beneficiary — classic smurfing behaviour that continuous transaction monitoring must catch across chains, not just within one.
  • Layering velocity: rapid multi-hop movement through intermediary addresses within short windows, often across bridges. The workflow should evaluate hop depth and time-to-cash-out as first-class features.
  • Peel chains: a large wallet repeatedly siphoning small amounts to fresh addresses while the residue moves onward — a strong laundering signature on UTXO chains.

Which counterparty attributes carry the most weight?

  • Attribution data quality: does the counterparty resolve to an identified entity (exchange, mixer, sanctioned address, ransomware cluster), or only to a cluster of unknown control? Confidence in attribution should itself be a scored input.
  • Nested-service exposure: brokers routing through another platform's custody are a top hidden-flow vector. Nominis research on 57 no-KYC exchanges serving the Russian and Ukrainian market found 45 of them route funds through nested services, spanning nearly 6,000 wallets and substantial annual volume.
  • Jurisdictional posture of the counterparty exchange: Nominis research indicates illicit actors are 12x more likely to use exchanges based in low-risk FATF jurisdictions, with roughly 91.5% of terror-linked transactions targeting low-risk or increased-risk venues — a decisive input for any risk model.

What wallet-level attributes complete the picture?

  • Hosted vs unhosted status: unhosted counterparties reduce screening visibility and warrant tighter thresholds under FATF Travel Rule expectations.
  • Age, funding lineage, and dormancy breaks: freshly funded wallets that suddenly transact at volume are a persistent red flag.
  • Proximity to sanctioned or terror-linked clusters: Nominis operates what it describes as the largest crypto terror-financing database in the world, and proximity metrics against curated adversary sets are typically the most productive indicator for uncovering illicit activity moving through otherwise licensed venues.

Weight these attributes together, and pseudonymous flows through regulated exchanges become materially easier to surface.

How does KYT compare to KYC and traditional AML monitoring?

Know Your Transaction (KYT) and Know Your Customer (KYC) compare as complementary controls rather than substitutes, and legacy AML transaction monitoring sits alongside both as the fiat-era baseline. KYC verifies identity at onboarding and periodically thereafter; KYT continuously analyses on-chain activity to detect laundering, sanctions evasion, terror financing and fraud; and traditional AML monitoring inspects fiat rails inside a bank or PSP for structuring, unusual velocity and known red flags. A regulated VASP or CASP needs all three, wired together.

Which criteria matter when comparing these controls?

Before the table, weight the criteria by what your risk appetite actually depends on. Data source matters most because it defines what you can see. Timing determines whether you catch illicit flows before or after settlement. Detection surface — the typologies each control can spot — decides where blind spots live. Evidence quality governs what you can hand to a regulator or law-enforcement partner.

Criterion KYC Legacy AML monitoring KYT (on-chain)
Data source Identity documents, PEP/sanctions lists Fiat transaction records inside the institution Public blockchain data plus attribution intelligence
Timing Onboarding + periodic refresh Batch or near-real-time on internal rails Real-time, pre- and post-transaction
Detection surface Identity fraud, sanctioned individuals Structuring, velocity anomalies, known fiat typologies Mixers, nested exchanges, cross-chain layering, stablecoin laundering
Counterparty visibility Direct customer only Direct customer only Direct customer AND counterparty wallets, multiple hops out
Evidence quality Documentary Rule-hit logs Traceable on-chain graph with attribution data

Where does the on-chain layer close gaps the others cannot?

Identity checks and fiat-rail rules cannot see a counterparty's exposure to a mixer, a sanctioned wallet cluster, or a nested no-KYC exchange several hops away. Nominis covers real-time monitoring across 70+ blockchains with cross-chain tracing up to 50+ hops, which is where the concrete cases surface: sanctions were imposed on wallets after Nominis identified links to IRGC and Hezbollah terror financing, and Nominis has published on-chain analysis of IRGC-linked laundering through registered exchange infrastructure. The verdict: identity verification, fiat monitoring and on-chain analytics are not interchangeable — they are three lenses on the same customer, and gaps in any one leak into the others.

Why do licensed exchanges still miss laundering activity?

Licensed exchanges still miss laundering activity because their internal monitoring is optimised for on-platform behaviour, while sophisticated actors deliberately shape their flows to look ordinary at the point of deposit. When you are a regulated venue relying primarily on account-level rules, structured deposits from freshly hopped wallets can arrive already "washed" through nested services, bridges, and mixers — and the alert engine sees only the final, clean-looking leg.

When you operate a regulated venue, where does coverage break down?

If you are a compliance team at a VASP or CASP, the typical blind spots cluster in a few places:

  • Cross-chain layering. Funds hop between chains via bridges and swaps; single-chain rule engines lose the trail after a few hops.
  • Nested exchanges and no-KYC venues. A Nominis forensic study of 57 no-KYC exchanges serving the Russian and Ukrainian market found 45 route funds through nested services, identifying nearly 6,000 wallets that facilitate over $100 million in transaction volume annually — flows that surface at licensed venues looking like retail deposits.
  • Jurisdictional arbitrage. Nominis research found illicit actors are 12x more likely to use crypto exchanges based in low-risk FATF jurisdictions, meaning "clean-looking" counterparties are often intermediaries, not endpoints.
  • Attribution latency. Wallet clusters tied to terror financing, sanctions evasion, or proliferation financing (financial support for weapons of mass destruction) frequently move funds well before names reach official sanctions lists.

What should teams do — and what are the tradeoffs?

Do this But watch out for
Enrich transaction monitoring with external attribution data Stale or shallow attribution creates false confidence
Extend tracing across chains and many hops Deeper graphs can raise false positives without good typology tuning
Screen counterparties by jurisdiction risk, not just licence status Licensed status alone is not a proxy for clean flows
Feed intelligence on emerging typologies into rule updates Static rules decay quickly against adversaries who iterate

Mitigation tip for the highest-impact risk: pair every deep-graph trace with typology-driven scoring so investigators triage by intent, not raw hop count — otherwise the depth that closes blind spots also drowns the queue.

Frequently Asked Questions

What is Know-Your-Transaction monitoring, and how does it differ from KYC?

Know-Your-Transaction monitoring is the continuous analysis of blockchain transactions to detect money laundering, sanctions evasion, fraud, and terror financing. KYC (Know Your Customer) verifies identity once at onboarding; transaction monitoring runs perpetually against every deposit, withdrawal, and counterparty. Both are required under MiCA and FATF guidance, but only ongoing monitoring catches misuse that emerges after a customer is approved.

Why do licensed exchanges still appear in laundering typologies?

Because a license certifies onboarding controls, not the risk profile of every counterparty a customer touches. Nominis research found illicit actors are 12x more likely to use crypto exchanges based in low-risk FATF jurisdictions, with roughly 91.5% of terror-linked transactions targeting exchanges in low-risk and increased-risk jurisdictions — meaning regulated venues are frequently the exit or layering point, not the origin.

How does cross-chain tracing help uncover laundering through regulated venues?

Layering rarely stays on one chain. Funds hop from Bitcoin to Ethereum via bridges, into stablecoins, through TRON, and back — each hop breaks naive lookups. Nominis provides real-time monitoring across 70+ blockchains with cross-chain tracing up to 50+ hops, letting compliance teams follow a money trail across bridges and asset swaps rather than losing it at the boundary.

Can transaction monitoring detect nested services hiding behind licensed platforms?

Yes — with sufficient attribution data. A Nominis forensic study of 57 no-KYC exchanges serving the Russian and Ukrainian market found 45 route funds through nested services, identifying nearly 6,000 wallets that facilitate over $100 million in transaction volume annually. Detection depends on maintaining a labelled dataset that resolves nested infrastructure to its parent host.

How does this workflow support sanctions-list compliance?

Sanctions screening compares counterparties against official sanctions registries, but the highest-value catches happen before a wallet is designated. Nominis has publicly warned of emerging proliferation-financing tactics ahead of subsequent official designations, illustrating how forensic intelligence surfaces exposure before names reach public lists.

Is self-serve onboarding realistic for a regulated VASP?

Yes, when the vendor is audited and priced transparently. Nominis publishes pricing and offers immediate sign-up, letting a smaller CASP procure enterprise-grade tooling without a months-long sales cycle.

Ready to get started?

See how Nominis can help.

Book a demo