How No-KYC Exchanges Use Nested Infrastructure to Operate Under Sanctions Pressure

Mar 2, 2026

TLDR

During routine forensic monitoring, NOMINIS conducted a focused infrastructure mapping of 57 crypto exchange services operating in or servicing the Russian and Ukrainian markets, including jurisdictions currently facing sanctions exposure. Rather than reviewing branding or public positioning, we traced how funds actually move on-chain.

The findings were structurally significant. 45 out of 57 exchanges analyzed were not independently holding user funds, but were instead routing assets through nested services and relying on larger exchanges or intermediary infrastructure to provide custody and liquidity.

A substantial proportion of these exchanges operate with limited or no meaningful KYC enforcement. In a high-risk jurisdiction subject to sanctions pressure and financial isolation, this model creates dual risk dynamics. Some platforms may be structurally constrained by limited access to global banking rails and regulated custodians, meaning nested infrastructure is used as a practical mechanism to remain operational. Others may deliberately leverage this architecture to fragment the audit trail and obscure the origin of funds in the context of money laundering or sanctions evasion.

NOMINIS has identified nearly 6,000 wallets linked to nested exchange services based in high-risk jurisdictions, including Russia and Gaza, collectively facilitating over $100 million in transaction volume annually, underscoring the scale at which this structure operates.

Figure: Movement of transactions from high-risk countries to nested exchange services.

Effective KYT cannot operate at the logo level alone. It must operate at the wallet and custody layer, where exposure actually accumulates.

Introduction

Crypto exchange services typically present themselves as independent platforms operating in a competitive and diverse marketplace. Each maintains its own branding, website, user interface, and stated operating model. From the outside, the ecosystem appears fragmented, with dozens of seemingly separate entities serving distinct audiences.

In January 2026, NOMINIS conducted a focused infrastructure mapping exercise examining 57 exchanges operating in or servicing high-risk jurisdictions, including Russia and surrounding markets, currently subject to sanctions scrutiny. The objective was not to assess how these services describe themselves publicly, but to determine how funds actually move across blockchains and where assets ultimately consolidate.

Deposits and withdrawals were traced across multiple networks to identify custody endpoints, wallet activation patterns, and underlying infrastructure control. The findings revealed that surface-level differentiation frequently conceals structural dependence, particularly among exchanges operating without meaningful KYC enforcement.

Apparent “Independent” Exchanges Are Not Actually Separate

The investigation demonstrated that a significant proportion of exchanges presenting themselves as standalone businesses are structurally dependent on shared infrastructure rather than proprietary custody systems.

Of the 57 exchanges analyzed, 45 were found to route user funds through nested services, depositing assets into accounts controlled by larger centralized exchanges or intermediary liquidity providers. While branding and interfaces differ, the backend liquidity layer frequently converges into a smaller number of custody environments.

Figure: Pie chart showing the high percentage of investigated exchanges that used nested services.

In the Russian market, where sanctions exposure has limited access to global financial infrastructure, this reliance can reflect operational constraint. Exchanges cut off from regulated custodians and correspondent banking relationships may turn to nested services as a means of maintaining liquidity and user functionality.

However, the same structural model can also serve a more deliberate purpose. For exchanges engaged in illicit finance, routing funds through nested services introduces additional layers between origin and ultimate custody, complicating attribution and fragmenting transaction visibility. In these cases, the architecture aligns with established laundering and sanctions evasion typologies.

The scale of this ecosystem is material. NOMINIS has identified nearly 6,000 wallets directly linked to nested exchange infrastructure, collectively facilitating in excess of $100 million in transaction volume each year. This concentration at the custody layer creates shared exposure across seemingly unrelated platforms.

Many Exchanges Depend on Other Exchanges to Hold the Funds

A second pattern emerged around the widespread use of layered custody models in which frontend exchanges do not directly control user assets. Deposits are frequently routed into corporate accounts maintained at larger centralized exchanges or processed through intermediary platforms providing settlement and liquidity services.

From the user’s perspective, funds appear to reside with a single brand. On-chain, those assets often settle within the wallet infrastructure of an entirely different entity.

In markets where KYC enforcement is minimal, this layered custody model materially alters the compliance perimeter. A frontend exchange may apply weak onboarding controls, yet user funds ultimately benefit from the liquidity, scale, and reputational insulation of the underlying custody provider. This dynamic can enable sanctioned actors or high-risk entities to access broader market liquidity indirectly.

Where intent is malicious, nested services may be used to deliberately introduce structural distance between illicit proceeds and final custody, creating a diffusion effect consistent with money laundering methodologies.

Through forensic tracing, wallet activation analysis, clustering of custody flows, and infrastructure attribution techniques, NOMINIS de-anonymizes nested exchange relationships and identifies the entities exercising effective control over deposit infrastructure.

Compliance Cannot Stop at the Logo Level

The most critical implication of this investigation is methodological rather than purely descriptive.

If 45 of 57 exchanges rely on nested services, screening exposure based solely on exchange names is insufficient. Two platforms that appear unrelated at the interface level may deposit funds into the same custody environment, meaning infrastructure risk is shared even where branding is not.

Figure: Movement of funds from various exchanges with different logos to the same liquidity provider.

If the underlying nested exchange becomes subject to enforcement action, sanctions designation, liquidity disruption, or compliance failure, the impact can cascade across every frontend exchange reliant on that infrastructure.

Risk accumulates at the wallet and custody layer, not at the logo layer.

Traditional KYT systems that classify exposure exclusively based on named counterparties fail to account for this structural reality. Infrastructure-level mapping is required to understand where funds ultimately consolidate and which entities exercise effective control.
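The difference between name-level and custody-level screening can be shown with a small tracing sketch. This is an added example, not NOMINIS code or methodology; every address, brand name and custody label is constructed, and the hop-following heuristic is an assumed simplification of real tracing.

```python
from collections import defaultdict

# Constructed sample data: (source, destination) transfers. Not real wallets.
TRANSFERS = [
    ("dep_A1", "hot_A"), ("hot_A", "custody_X"),   # brand A, via its hot wallet
    ("dep_B1", "custody_X"),                       # brand B, direct deposit
    ("dep_C1", "hot_C"), ("hot_C", "cold_C"),      # brand C, own cold storage
    ("dep_D1", "hot_D"), ("hot_D", "custody_X"), ("hot_D", "custody_Y"),
]
# Deposit addresses observed per frontend brand (hypothetical names).
DEPOSITS = {"ExchangeA": ["dep_A1"], "ExchangeB": ["dep_B1"],
            "ExchangeC": ["dep_C1"], "ExchangeD": ["dep_D1"]}
# Assumed attribution of custody wallets to the entity that controls them.
CUSTODY_LABELS = {"custody_X": "ProviderX", "custody_Y": "ProviderY"}

def custody_endpoints(start, transfers, labels, max_hops=4):
    """Follow outgoing transfers from a deposit address to where funds settle."""
    out = defaultdict(list)
    for src, dst in transfers:
        out[src].append(dst)
    endpoints, seen, frontier = set(), {start}, [start]
    for _ in range(max_hops):
        nxt = []
        for addr in frontier:
            for dst in out.get(addr, []):
                if dst in seen:          # guard against cycles
                    continue
                seen.add(dst)
                if dst in labels:        # attributed custody wallet: stop here
                    endpoints.add(labels[dst])
                elif not out.get(dst):   # unlabelled sink: funds rest here
                    endpoints.add("unattributed:" + dst)
                else:
                    nxt.append(dst)
        frontier = nxt
    return endpoints

def shared_custody(deposits, transfers, labels):
    """Group frontend brands by the custody entity their deposits reach."""
    by_entity = defaultdict(set)
    for brand, addrs in deposits.items():
        for addr in addrs:
            for entity in custody_endpoints(addr, transfers, labels):
                by_entity[entity].add(brand)
    return {entity: sorted(brands) for entity, brands in by_entity.items()}

def screen(designated, deposits, transfers, labels):
    """Return (name-level hits, custody-level hits) for a designated entity."""
    name_hits = sorted(b for b in deposits if b == designated)
    infra_hits = shared_custody(deposits, transfers, labels).get(designated, [])
    return name_hits, infra_hits

if __name__ == "__main__":
    print(screen("ProviderX", DEPOSITS, TRANSFERS, CUSTODY_LABELS))
```

Screening on the name `ProviderX` matches no frontend brand, while the custody-level view shows three of the four constructed brands settling funds with it.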

NOMINIS provides this visibility by mapping nested services, tracing cross-chain flows, clustering backend custody wallets, and identifying shared infrastructure exposure before it materializes as regulatory, enforcement, or reputational risk.

Conclusion

The focused mapping of 57 exchange services operating in high-risk jurisdictions demonstrates that the ecosystem examined is substantially more concentrated than it appears at the surface level.

A large proportion of Russian-facing exchanges operate without meaningful KYC enforcement and rely on nested exchange infrastructure for custody and liquidity. In some cases, this reliance may reflect structural constraint in a sanctioned environment. In others, it may serve as a deliberate mechanism for obfuscating financial flows associated with illicit activity.

Regardless of intent, the exposure created by shared custody infrastructure is measurable and material.

With nearly 6,000 wallets linked to nested services and over $100 million processed annually through this infrastructure, effective KYT must operate at the infrastructure layer. Visibility into nested services, custody relationships, and wallet-level control is essential to accurately assessing risk in high-risk jurisdictions.