In 2025, TRM Labs pegged illicit crypto inflows at a record $158 billion. Even more concerning for compliance teams: over $60 billion of that value migrated rapidly from criminal wallets into legitimate services. This staggering volume highlights the sheer speed at which illicit actors now obfuscate their trail and “cleanse” funds through high-velocity exchanges and cross-chain protocols.
The challenge is clear: while crypto rails scale, compliance expectations are tightening. Small gaps—weak onboarding, ignored alerts, or sloppy approvals—now translate into outsized regulatory risk. Teams that treat Anti-Money Laundering (AML) as a static policy document often find out the hard way that regulators judge operational proof: who approved what, why it happened, and what the system did to stop it.
Supervisors have also stopped treating crypto as a special case. The Financial Action Task Force (FATF) has warned that most jurisdictions still lag on core virtual asset standards, with roughly three-quarters only partially compliant or non-compliant—leaving virtual asset service providers (VASPs) exposed to misuse.
The Gap: Why Legacy AML Breaks in Crypto
Traditional AML programs assume identity sits inside an account and transactions pass through a small set of intermediaries with consistent data fields. Crypto doesn’t behave like that. Funds move through countless addresses at high speed, hop across chains, and route through smart contracts without ever touching a traditional bank chokepoint.
Consequently, the market is shifting from identity-first AML to behavioral Know-Your-Transaction (KYT). This model treats transaction behavior and network relationships as the primary signals, then maps them back to customer context. KYT focuses on what funds do (patterns, counterparties, velocity, exposure). This is the difference between having a policy and proving detection at scale—the exact standard regulators now test.
What Legacy AML Looks Like Today
Legacy AML in crypto often looks like a “bank AML stack” bolted onto a faster, more complex transaction environment. While it looks good on paper, it underperforms in practice because crypto risk shows up as patterns across addresses and chains, not as a single “high-risk customer” file.
The four pillars of traditional AML face significant hurdles in crypto:
1. Point-in-time onboarding – Know-Your-Customer/Customer Due Diligence (KYC/CDD)
Firms verify identity at signup, run sanctions/Politically Exposed Person (PEP) checks, and assign a risk rating that often stays in place with only periodic refreshes.
The problem: Crypto risk changes fast—new wallet links, counterparties, mixer exposure, bridge activity, or high-risk contract interactions can turn a “clean” profile risky overnight, and static ratings lag behind behavior.
2. Rules and thresholds
Legacy monitoring relies on fixed triggers (size, frequency, velocity, country flags) that fire when activity crosses a preset line.
The problem: Bad actors route around thresholds by splitting value, cycling through many addresses, and using contracts and bridges, so the risk sits in the pattern, not in one obvious breach.
3. Siloed views across rails
Fiat monitoring and on-chain monitoring often live in separate tools, with weak linkage between customer identity and wallet activity.
The problem: Teams lose the full picture at the critical handoffs—on-ramp → on-chain dispersal, on-chain exposure → off-ramp—forcing manual reconstruction and creating blind spots.
4. Reactive investigations
Alerts arrive late, analysts work with partial context, and decisions happen after funds have already moved through multiple hops.
The problem: Crypto moves quickly, so late detection turns AML into damage control instead of prevention, especially once funds leave controllable points like platform wallets and withdrawal pipelines.
What is Behavioral KYT?
Behavioral KYT is transaction monitoring that prioritizes what funds do over what customers say, by analyzing:
- Flow behaviour: velocity, layering, structuring, peel chains, rapid hops, dusting, circular flows
- Counterparty context: exposure to sanctioned entities, high-risk services, known scam clusters, mixers, illicit marketplaces
- Network signals: clustering, entity attribution, links to previously flagged activity
- Lifecycle patterns: how risk changes across time (before/after major events, announcements, withdrawals, or price shocks)
- Cross-rail linkage: joining fiat deposits/withdrawals with on-chain movement into one risk narrative
It doesn’t replace KYC. It makes KYC actionable by continuously updating risk based on behaviour.
Why Behavioral Detection is Non-Negotiable
Legacy AML fails in crypto because the risk rarely sits in one customer profile or one transaction. It lives in patterns: rapid hops across addresses, cross-chain routing, protocol interactions, stablecoin velocity, and counterparty clusters that change faster than a rules engine can keep up.
In a June 2025 update, the FATF flagged uneven global implementation of the Travel Rule, rising illicit use of stablecoins, and a surge in fraud and scam activity on-chain. This is the enforcement posture firms now face: supervisors measure effectiveness in production.
1. Crypto risk is behavioural, not just identity-based
Bank-style AML assumes identity anchors risk. Crypto adversaries route around identity. They rotate addresses, split flows, reuse infrastructure, and rely on intermediating layers (Decentralized Exchanges (DEXs), bridges, aggregators, privacy tooling) that don’t behave like “accounts.”
A one-time KYC event can still leave you blind to what matters most: how funds move, who they touch, and whether the behaviour matches known typologies.
2. Rule-based monitoring breaks under scale and adaptation
Static thresholds and simple rulesets don’t degrade gracefully in crypto. When activity spikes, alerts explode and analysts drown in false positives.
When adversaries learn your rules, they tune behaviour to slip under thresholds—smurfing, batching, routing through multiple venues, or moving value across chains where your visibility drops. The result looks compliant on paper while risk quietly compounds in the background.
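The gap described here and under "Rules and thresholds", as an added example that is not part of the original article: a fixed per-transfer threshold next to a sliding-window behavioural rule, both run over constructed withdrawals. The threshold, window length, fan-out level and every identifier below are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

THRESHOLD_USD = 10_000      # assumed legacy per-transfer trigger
WINDOW_SECONDS = 3600       # assumed behavioural look-back window
MIN_DISTINCT_DESTS = 4      # assumed fan-out level treated as suspicious

# Constructed sample withdrawals: (unix_ts, customer_id, dest_address, amount_usd)
TRANSFERS = [
    (1000, "cust-A", "addr-01", 12_500),   # one large transfer, trips the legacy rule
    (1100, "cust-B", "addr-10", 2_400),    # cust-B splits ~14k across five addresses
    (1400, "cust-B", "addr-11", 2_900),
    (1900, "cust-B", "addr-12", 3_100),
    (2500, "cust-B", "addr-13", 2_700),
    (3100, "cust-B", "addr-14", 2_950),
    (1200, "cust-C", "addr-20", 1_500),    # cust-C: ordinary low-volume activity
    (9000, "cust-C", "addr-20", 1_800),
]

def legacy_threshold_alerts(transfers):
    """Fixed per-transfer rule: alert only when one transfer crosses the line."""
    return sorted({cust for _, cust, _, amt in transfers if amt >= THRESHOLD_USD})

def behavioural_alerts(transfers):
    """Sliding-window rule: sub-threshold transfers that together cross the
    threshold and fan out to many distinct destinations."""
    windows = defaultdict(deque)    # customer -> transfers still inside the window
    alerts = {}
    for ts, cust, dest, amt in sorted(transfers):
        win = windows[cust]
        win.append((ts, dest, amt))
        while win and ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()           # drop transfers older than the window
        small = [(d, a) for _, d, a in win if a < THRESHOLD_USD]
        total = sum(a for _, a in small)
        dests = {d for d, _ in small}
        if total >= THRESHOLD_USD and len(dests) >= MIN_DISTINCT_DESTS:
            # keep the first moment the pattern became visible
            alerts.setdefault(cust, {"first_ts": ts, "total_usd": total,
                                     "dests": len(dests)})
    return alerts

if __name__ == "__main__":
    print("legacy:", legacy_threshold_alerts(TRANSFERS))
    print("behavioural:", behavioural_alerts(TRANSFERS))
```

The legacy rule sees only cust-A; the windowed rule surfaces cust-B at the fourth split transfer, before the fifth leaves the platform.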
3. Stablecoins compress time-to-risk
Stablecoins operate like high-velocity, money-like settlement assets. That speed reduces the window for manual review and escalations, especially once funds move into layered routes (multiple hops, multiple chains, multiple counterparties).
The Financial Action Task Force has explicitly noted rising illicit use of stablecoins and warned that uneven controls can amplify risks as adoption grows. That reality makes behavioural detection and automated controls more valuable than “investigate later” workflows.
4. Cross-chain and Decentralized Finance (DeFi) introduce infrastructure risk, not just customer risk
A customer can look low-risk at onboarding and still interact with high-risk infrastructure: sanctioned clusters, exploit-linked pools, laundering services, or compromised protocols. Legacy AML often treats on-chain activity as “payment detail” instead of a primary risk surface.
Behavioural KYT flips that: it scores exposure based on network context (counterparties, adjacency to known bad clusters, contract-level risk, chain-hop patterns), then ties it back to customer context and controls.
5. Supervisors now benchmark effectiveness, not intent
Global expectations increasingly focus on consistency and real implementation. The FATF’s 2025 update reports that 73% of surveyed jurisdictions (85 of 117, excluding those planning to prohibit VASPs) have passed Travel Rule legislation, but it also highlights enforcement and implementation gaps, and notes many jurisdictions still haven’t operationalised supervision and enforcement.
As more rulebooks mature, regulators will test whether firms can detect, stop, and evidence controls in day-to-day operations, especially across stablecoin flows, cross-border activity, and typologies that mutate quickly.
Legacy AML vs. Behavioral KYT
Crypto compliance teams now face a simple reality: “We verified the customer” no longer proves “we controlled the risk.” On-chain exposure can change minute by minute, stablecoins move at settlement speed, and the highest-risk behaviour often sits in counterparties and transaction patterns—not in the customer’s onboarding documents.
That is why many firms are shifting from identity-first AML to behavioural KYT: a monitoring model that treats transaction behaviour and network exposure as the primary signal, then links it back to customer context for action.
| Goal | Legacy AML | Behavioral KYT |
| --- | --- | --- |
| Detect illicit exposure | Screen names/locations; basic wallet checks | Map counterparties, entities, and exposure networks |
| Handle rapid typology changes | Update rules slowly; high false positives | Detect anomalies and pattern shifts using behaviour + typologies |
| Manage cross-chain risk | Treat chains as separate monitoring problems | Track flows across chains/bridges as a single risk story |
| Prove control effectiveness | Show policies and cases | Show measurable detection, interdiction, and audit-ready evidence |
| Reduce repeat failures | Manual, case-by-case learning | Feedback loops that tune models, rules, and risk scoring |
What Regulators Are Pushing Toward
Regulators want provable AML effectiveness on crypto rails: traceable flows, continuous monitoring, and controls that work across chains, not just KYC files and written policies. That shift is one reason crypto regulation penalties in 2026 keep clustering around “operating-model” failures rather than one-off bad actors.
- Pattern-led enforcement, not checklist compliance. Global standard setters keep signalling that typologies and transaction behaviour matter as much as customer identity.
Recent Financial Action Task Force publications and statements emphasize persistent gaps in how jurisdictions and firms implement virtual asset controls, which pushes supervisors to test whether firms can actually detect and disrupt laundering patterns (mixing services, cross-chain obfuscation, sanctions exposure), not merely “collect documents.”
- Travel Rule and end-to-end traceability are becoming non-optional. As Travel Rule implementation tightens, regulators expect firms to reliably attach originator/beneficiary information to transfers and to maintain policies, procedures, and controls that make those obligations operational.
In Europe, regulators have already anchored these expectations into the post-2024 framework and related supervisory guidance that explicitly covers transfers of certain crypto-assets, with formal guideline timelines that move compliance from “best effort” to “supervisable standard.”
- Singapore reinforces “ongoing monitoring” as the standard, not the upgrade. The Monetary Authority of Singapore (MAS) keeps Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) expectations for digital payment token services centred on risk-based controls and continuous transaction monitoring—exactly where behavioural KYT delivers value.
In practice, that means firms need tooling that can link customer context to on-chain behaviour (counterparty risk, typologies, exposure clusters) and prove they can escalate, restrict, and report when behaviour shifts—rather than treating on-chain activity as a back-office detail.
Integrating Behavioral KYT into your AML Stack
Legacy AML breaks in crypto because it assumes accounts and slow-moving rails. Crypto runs on networks, counterparties, and behaviour that changes fast. Behavioral KYT closes that gap by turning transaction behaviour into a continuously updated risk signal—strong enough to support real-time controls, faster investigations, and regulator-grade evidence.
If you operate an exchange, wallet, or payment product, ChainUp helps you operationalize this shift. Our integrated stack combines institutional-grade wallet infrastructure (MPC) with KYT monitoring that connects on-chain behavior to customer context.
Talk to ChainUp to design a control model that fits your risk appetite and scales across chains efficiently and securely.