Discrepancies in AML Service Evaluations

The article discusses discrepancies in AML service evaluations and offers insights on how to mitigate risks associated with cryptocurrency transactions.

On May 19, the AML service Crystal became the first major blockchain analytics provider to label the addresses of the Belarusian crypto service WHITEBIRD as fully linked to circumventing international sanctions. This action was based on the 20th EU sanctions package. However, not all analytics providers issued similar labels.

Many were more concerned about the inconsistencies in evaluations than the sanctions themselves. One provider may deem a wallet "clean," while another marks the same address as high-risk. The exchange where a user withdraws funds analyzes transactions using a different product. Thus, checking through one’s own AML service can create a false sense of security, as the platform views the same coin differently.

Together with the team from the Bitcoin mixer Mixer.Money, we explore why AML service evaluations differ and how to reduce the risk of freezing.

AML is Not a Unified System

Many users believe that all AML services utilize a single "blacklist." In reality, these are different commercial products with their own attribution databases, approaches to interpreting sanctions, and data update speeds. While the results of checks usually align, they can vary significantly in certain cases.

Due to methodological discrepancies among AML services, users cannot know in advance how their coins will be evaluated by a specific platform. Major exchanges, including Binance and OKX, rely on data from Western providers like Chainalysis and Elliptic. In the CIS countries, users often turn to other services. However, an AML report does not guarantee that the platform will see the same percentage of "cleanliness" for the coins upon deposit.

The risk score increases not only for direct counterparties of high-risk services but also for those who received bitcoins through one or two intermediaries. How analysts link addresses to each other and to the identity of the owner was discussed in detail by ForkLog in a separate article.

"The rule 'I checked the coins six months ago, they were clean' does not apply here. The history is rewritten on the analyst's side, and the user can only learn about this at the moment of freezing," notes Mixer.Money.

Diagnosis and Prevention

Discrepancies in evaluations are not a reason to urgently transfer funds between wallets. The first step is diagnosis.

"If you suspect that your coins may be 'tainted,' check them at least through one AML service. A check costs anywhere from a few cents to a dollar. Document the result with a date: if the platform later freezes your funds, you will have proof of the address status at the time of the transaction," advises Mixer.Money.

A simple transfer between your own addresses does not sever the connection. Clustering by common inputs and output addresses will restore it: the analyst sees that all wallets are controlled by one owner.

A seemingly logical step would be to run coins through a mixer. However, in practice, services that promise to "break the graph" post-factum often do more harm than good. Simply using a traditional mixer increases the risk score.

"CoinJoin transactions are easily readable on-chain. They record the fact of mixing, and the user's 'clean' coins get mixed with potentially 'dirty' ones from anonymous participants. The risk score of such assets automatically increases," warns Mixer.Money.

Proactive privacy works differently. Its goal is to prevent clean coins from acquiring a suspicious history and to avoid 'dirty' bitcoins from entering. This approach is implemented by Mixer.Money: the service does not mix users' funds but issues coins withdrawn from major exchanges.

The bitcoin.mixer 2.0 algorithm breaks the incoming amount into random parts, selects the timing and proportions for transfers, directs funds to investors on international platforms, and returns bitcoins with exchange history to the client’s specified addresses.

"Unlike CoinJoin, our algorithm excludes mixing funds between users: the client receives recently withdrawn coins from exchanges with a different history. The fact of mixing is not recorded, and the risk score remains minimal," emphasizes Mixer.Money.

In "Full Anonymity" mode, the user receives bitcoins from exchange withdrawals of independent investors. For any AML system, whether Crystal, Chainalysis, or a service from the CIS, such an operation appears the same: as a standard withdrawal from a trading platform.

Diagram of the bitcoin.mixer 2.0 algorithm. Source: Mixer.Money.

Any exchange or P2P counterparty can receive a sanction label in one AML service and remain unmarked in another. Those who accepted coins from them, unaware of the address status, will also suffer.

It is impossible to fully insure against such a situation post-factum. However, risks can be reduced in advance: by choosing services that do not increase users' risk scores but help create a transparent exchange history.