AML in DeFi: How Crypto Businesses Manage Risk From Decentralized Finance

According to industry blockchain crime research published in early 2026, illicit crypto addresses received at least $154 billion in 2025 — a 162% increase year-over-year — and DeFi protocols saw flows of stolen funds spike by roughly 370% in the days immediately following major hacks. Over the same period, cross-chain bridges quietly overtook mixers as the most popular laundering channel, with more than $21 billion routed through DEXs and bridges since 2022.

For crypto businesses, the takeaway is uncomfortable but straightforward: even when a DeFi protocol itself is decentralized, the funds it touches don't stay decentralized. They eventually land on exchanges, OTC desks, payment platforms, custody providers, and other regulated services — and they bring DeFi-related AML risk with them.

This article walks through how crypto businesses are managing that risk in 2026: what DeFi exposure actually looks like on-chain, what regulators currently expect, which signals matter, where blockchain analytics stops and human judgment starts, and how to put it all into a practical risk-based framework.

What Makes DeFi Different From Centralized Crypto Services

In a centralized crypto service, the compliance team has a familiar set of building blocks: a customer account, a verified identity, an internal ledger of deposits and withdrawals, and a record of who interacted with whom. In DeFi, almost none of those building blocks exist by default.

DeFi lets users swap, lend, borrow, bridge, and provide liquidity directly from their own wallets, often without ever opening an account. Instead of "User Alice deposits to Exchange X," the on-chain record reads "wallet 0x…a3f called smart contract 0x…b7c." The compliance team is no longer reviewing customer files — it is reviewing wallet behavior.

Smart Contracts and Non-Custodial Wallets

A smart contract is self-executing code that lives on a blockchain. A user signs a transaction from a non-custodial wallet (a wallet where they alone hold the private keys), and the contract executes — no human in the middle approving the transfer.

For AML purposes, this matters for one practical reason: there is no onboarding step where anyone collected the user's identity. The contract doesn't request a passport. It just runs. Any identity layer has to be built either by the business that interacts with the protocol or by the regulated service downstream that eventually receives the funds.

DEXs, Bridges, Lending, and Liquidity Pools

A short glossary worth keeping in mind throughout the rest of the article:

  • Decentralized Exchange (DEX): A smart contract that lets users swap one token for another without a custodial order book. In practical terms, swap activity changes the asset type of funds without ever passing through a regulated intermediary — useful for legitimate trading, and equally useful for laundering.
  • Cross-Chain Bridge: A protocol that moves value between blockchains (e.g., from Ethereum to Solana). Bridges break the simple "follow the same coin on the same chain" tracing assumption that older AML tools were built on.
  • Lending Protocol: A smart contract that lets users deposit collateral and borrow against it. Loans can be drawn and repaid in seconds, which is also why they are sometimes used to layer or restructure funds.
  • Liquidity Pool: A smart contract that holds a pool of two or more tokens supplied by many users. Funds in the pool are commingled by design, which makes source-of-funds analysis on pool exits harder than analyzing a direct wallet-to-wallet transfer.

None of these tools is inherently illicit. The vast majority of DeFi volume is ordinary trading, hedging, and yield-seeking activity. The point is simply that each of these primitives changes how on-chain activity has to be analyzed compared to a centralized exchange.

Why DeFi Creates AML Challenges

This is where the practical difficulty begins. The core mismatch is that traditional AML was built around account-based finance: accounts have owners, owners have IDs, and transactions tie back to a person. DeFi is address-based: addresses don't have legal owners by default, and a single user can spin up new ones in seconds.

A few specific challenges follow from that:

  • No Protocol-Level KYC: Most DeFi protocols don't collect identity, which means a regulated business cannot rely on the protocol to have already vetted a counterparty. Source-of-funds questions land entirely on the business at the point of deposit.
  • Wallets Instead of Customers: Wallet addresses are the unit of analysis, not customers. The same person can use ten wallets, and ten people can share one. Risk has to be inferred from on-chain behavior rather than confirmed from a verified file.
  • Asset Swaps Change the Trail: DEX swaps transform one asset into another mid-flow. A wallet that received ETH from a hack can exit a DEX holding USDC or USDT, which makes naive "follow the token" tracing miss the connection.
  • Bridges Fragment the Chain of Custody: When value moves across blockchains, the destination chain shows a fresh deposit with no obvious history. Cross-chain tracing requires linking events across separate ledgers, which is a different (and harder) analytical problem.
  • Liquidity Pools Commingle Funds: A pool may hold tokens supplied by hundreds of users. The funds a wallet withdraws are mathematically the pool's, not the same coins anyone specific deposited.

Address-Based Risk Instead of Account-Based Risk

In practical terms, the compliance team is no longer asking only "Who is this customer?" It is also asking "What did this wallet do before it sent us money, and what does it do after we send money back?" Reputable wallets stay reputable through behavior — interaction history, counterparty quality, age, and pattern — not through paperwork alone.

Cross-Chain Movement and Asset Swaps

DEXs and bridges complicate source-of-funds analysis because value can change both asset type and blockchain in minutes. A laundering pattern that took three days to unfold in 2018 can now run in three minutes through a router that auto-swaps and auto-bridges. Industry tracing research from late 2025 found that roughly one in three complex cross-chain investigations now spans more than three blockchains, and one in five spans more than ten, which gives a sense of how fragmented the trail has become.

For crypto businesses, that means single-chain monitoring is no longer enough. If a wallet's history looks clean on the chain you operate on, it can still be one hop away from a sanctioned address on another chain — which is why Cross-Chain Analysis in Crypto Compliance has become a baseline expectation rather than an advanced feature.

Is DeFi Regulated Under AML Rules?

Short answer: it depends on how decentralized the service actually is, who is in control, and which jurisdiction you are looking at. There is no single global rule that says "DeFi is regulated" or "DeFi is exempt." There are, however, a few specific anchors worth knowing.

FATF. The Financial Action Task Force's standard for virtual assets — Recommendation 15 and its Interpretive Note (R.15/INR.15) — applies AML/CFT obligations to virtual asset service providers and to DeFi arrangements where a natural or legal person exercises control or sufficient influence over the service. FATF's June 2025 sixth Targeted Update on virtual assets reaffirmed this position and flagged DeFi as a continuing implementation priority, noting that only a handful of jurisdictions had yet registered DeFi entities as VASPs in practice.

Calling a service "DeFi" doesn't put it outside scope. The question regulators ask is whether someone — a development team, a foundation, a governance entity — has enough operational control to be treated as the responsible party. The full position is set out in FATF's 2025 Targeted Update on Virtual Assets and VASPs.

European Union (MiCA). Regulation (EU) 2023/1114 (MiCA), which has been in full force for crypto-asset service providers since 30 December 2024, takes a similar approach. Recital 22 explicitly states that crypto-asset services provided "in a fully decentralised manner without any intermediary" fall outside MiCA's scope, but the regulation otherwise applies even when part of a service is performed in a decentralised manner. In practical terms, that puts most "DeFi-branded" services with identifiable operators, frontends, or governance bodies inside scope, and reserves the exemption for genuinely intermediary-free arrangements — a category European supervisors are still narrowing on a case-by-case basis. ESMA's official explainer covers the MiCA Rules on Decentralized Crypto-Asset Services in more detail.

United States. The U.S. Treasury's Illicit Finance Risk Assessment of Decentralized Finance (April 6, 2023) — the first national-level DeFi risk assessment of its kind — took the position that the most significant illicit-finance risk comes from DeFi services that are subject to AML/CFT obligations under the Bank Secrecy Act but fail to comply. Where a person or entity engages in money-transmission activity, FinCEN's longstanding 2019 CVC guidance (FIN-2019-G001) and the existing BSA framework continue to apply regardless of whether the front-end is called "decentralized." In practical terms, U.S. regulators view "DeFi" as a description of architecture, not a license to operate outside AML rules.

For everyone else. Even when a specific protocol is outside scope, the regulated business downstream that accepts or processes DeFi-exposed funds is still in scope under its own license. The DeFi exemption, where it exists, does not extend to the exchange, OTC desk, or payment platform that handles the funds afterward. That is the part most compliance teams care about in day-to-day operations — and it sits inside the broader set of Crypto AML Regulations and Compliance Requirements that already apply to licensed crypto businesses.

Key DeFi AML Risk Signals Crypto Businesses Should Monitor

This is the practical heart of the article. What are compliance teams actually watching for when funds with DeFi exposure show up at the deposit door?

A short, prioritized list:

  • Direct or Close Exposure to Sanctioned Addresses or Protocols: Direct receipt from a sanctioned wallet is the strongest signal. One or two hops away through a high-throughput contract is weaker but still material, especially for large amounts.
  • Mixer or Privacy-Tool Proximity: Exposure to known mixers, coin-joins, or privacy-preserving routers warrants enhanced review. Not every mixer user is a criminal, but the signal-to-noise ratio is high enough that this should never be ignored.
  • Links to Hacks, Exploits, Scams, or Fraud Clusters: Funds traceable to a named hack or scam cluster are among the clearest red flags. Industry research found that DeFi protocols absorb the largest immediate flows from major hacks, so the closer in time and hops to the incident, the more weight the signal carries.
  • Bridge-To-Exchange Movement Right Before Deposit: A wallet that bridges from another chain and then deposits within minutes is doing exactly what a launderer would do. It is also doing what many legitimate users do — context matters, but the pattern earns at least an automated review.
  • Rapid Multi-Asset Swaps: A sequence of swaps through several tokens that ends in a stablecoin right before deposit is classic layering. Industry crime reports continue to highlight that stablecoins now account for the majority of illicit on-chain transaction volume because of exactly this pattern.
  • Repeated Interaction With High-Risk Smart Contracts: Some contracts are statistically associated with scam tokens, rug-pulls, or known laundering routers. Repeated, recent interaction is more telling than a single one-year-old hop.
  • Newly Created Wallets Routing Funds Through DEXs or Bridges: A wallet that is days old, has no history, and immediately moves funds through a DEX-bridge-DEX sequence before deposit is a very common laundering setup.
  • Indirect Exposure Through Multiple Hops: Risk doesn't vanish at hop 2. The strength of the signal decays with distance, but where amounts are large or timing is tight, indirect exposure still needs documentation.
Each of these signals feeds into the broader practice of Illicit Funds Detection in Crypto Transaction Monitoring — DeFi exposure is one of the more complex categories, but it sits inside the same underlying screening logic.

Sanctions and High-Risk Entity Exposure

The most important nuance here is that exposure is not the same as guilt. A wallet that received funds two hops away from a sanctioned address is not automatically the same as a wallet that received them directly. Compliance teams weigh distance, amount, timing, frequency, and pattern — not the bare yes/no of "was this wallet ever exposed."

That means risk-scoring tools should expose those variables to the human reviewer rather than collapse them into a single number. A deposit of $500 that touched a sanctioned protocol five hops back, three months ago, with no other red flags, is a very different case than a $250,000 deposit one hop away last night.
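
The two deposits contrasted above can be traced over a small transfer graph. The following is an added example, not code from the article or from any analytics vendor: all addresses, labels and amounts are constructed, and counting a direct receipt as one hop is an assumption.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample data: every address, label and amount here is invented.
T0 = datetime(2026, 1, 10, 9, 0)  # moment the deposit is screened
LABELS = {"0xSANCTIONED_A": "sanctioned", "0xSANCTIONED_B": "sanctioned"}
TRANSFERS = [  # (sender, receiver, amount_usd, timestamp)
    # Case 1: $250,000 received directly from a labelled address last night.
    ("0xSANCTIONED_A", "0xDEP_LARGE", 250_000, T0 - timedelta(hours=10)),
    # Case 2: $500 that left a labelled address five transfers back, ~3 months ago.
    ("0xSANCTIONED_B", "0xH1", 500, T0 - timedelta(days=90)),
    ("0xH1", "0xH2", 500, T0 - timedelta(days=89)),
    ("0xH2", "0xH3", 500, T0 - timedelta(days=88)),
    ("0xH3", "0xH4", 500, T0 - timedelta(days=87)),
    ("0xH4", "0xDEP_SMALL", 500, T0 - timedelta(days=86)),
    # Case 3: funds from an unlabelled wallet only.
    ("0xFRIEND", "0xDEP_CLEAN", 1_200, T0 - timedelta(days=2)),
]


def trace_exposure(transfers, labels, wallet, as_of, max_hops=5):
    """Walk inbound transfers backwards from `wallet`, breadth-first.

    Returns one finding per labelled address reached within `max_hops`,
    keeping hop distance, amount and age as separate fields for the reviewer.
    Simplifications: no taint weighting, no cross-chain linking, and time
    ordering is enforced only against `as_of`.
    """
    inbound = {}
    for sender, receiver, amount, ts in transfers:
        if ts <= as_of:
            inbound.setdefault(receiver, []).append((sender, amount, ts))

    findings = []
    seen = {wallet}
    queue = deque([(wallet, 0)])
    while queue:
        address, hops = queue.popleft()
        if hops == max_hops:
            continue  # do not look further back than the policy window
        for sender, amount, ts in inbound.get(address, []):
            if sender in seen:
                continue
            seen.add(sender)
            if sender in labels:
                # BFS order: the first time a labelled address is met, it is
                # at its minimum hop distance from the deposit wallet.
                findings.append({
                    "source": sender,
                    "category": labels[sender],
                    "hops": hops + 1,
                    "amount_usd": amount,  # transfer leaving the labelled address
                    "age_hours": (as_of - ts).total_seconds() / 3600,
                })
            else:
                queue.append((sender, hops + 1))
    return findings


if __name__ == "__main__":
    for dep in ("0xDEP_LARGE", "0xDEP_SMALL", "0xDEP_CLEAN"):
        print(dep, trace_exposure(TRANSFERS, LABELS, dep, T0))
```

Both flagged wallets would answer "yes" to a bare "ever exposed?" check; the separate fields are what let a reviewer tell them apart.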

Mixers, Bridges, and Obfuscation Patterns

Mixers and bridges aren't automatic crime, but they are deliberately designed to break traceability. As enforcement against centralized mixers has intensified, bridges have largely replaced mixers as the laundering tool of choice — a shift that industry forensics research has been documenting since early 2025. For a compliance team, the practical implication is that bridge exposure should now be treated with the same seriousness mixer exposure was treated five years ago, especially when combined with other signals.

Exploit-Linked and Fraud-Linked Wallets

When a major DeFi exploit happens, stolen funds typically begin moving within minutes. Industry incident analyses regularly show multi-stage laundering chains involving DEX swaps, bridges, and instant-swap services before any centralized exchange touches the funds. A wallet that arrives at a deposit door with even a remote link to a recent exploit cluster deserves enhanced review and, often, escalation to a human analyst.

How Crypto Businesses Can Manage DeFi AML Risk

A workable DeFi AML program rests on a small number of controls applied consistently — not on any single magic tool. The essentials:

  • Wallet Screening Before Accepting Funds: Run a risk check against every incoming wallet before the deposit is credited or made available. This is the lowest-friction, highest-impact control available.
  • Continuous Transaction Monitoring: Re-screen periodically. A wallet that was clean at deposit can be retrospectively linked to a hack or sanctions designation weeks later, and the business needs to see that change before it lands on a regulator's desk.
  • Risk Scoring Across Source, Destination, and Behavior: Treat risk as multi-dimensional. A high score on sanctions plus a high score on velocity is a different alert from a high score on either factor alone.
  • Alert Review and Escalation Rules: Define who looks at what, when, and how it escalates. Most regulator findings center on missing or inconsistent escalation, not on missing tools.
  • Source-Of-Funds Documentation: Where a wallet has DeFi exposure of any consequence, ask the user — and record the answer. The point isn't to interrogate; it's to have a written trail of the question and the answer.
  • Case Management With Audit-Ready Records: Every alert, every decision, every override needs to live somewhere a regulator can read it. If it isn't documented, it didn't happen.
  • Enhanced Due Diligence Thresholds: Set explicit amount, behavior, and exposure thresholds that trigger EDD automatically. Don't rely on analyst memory.
  • API-Level Automation: Screening and monitoring at deposit speed only works if it runs through the deposit pipeline itself. Manual checks are fine as backup, not as primary control.

Wallet Screening Before Accepting Funds

The single highest-leverage decision in a DeFi AML program is the pre-deposit check. Once funds are credited and a user has withdrawn or traded against them, options narrow sharply. Screening at the deposit stage answers a simple question: "Do we accept this wallet's history, or do we hold and review?" That question is much easier to answer before the funds are in the user's balance than after. A standard Crypto Wallet Screening check at this stage handles the bulk of routine cases without slowing the deposit pipeline.

Continuous Transaction Monitoring

One-time checks are not enough. Wallet risk changes over time as new sanctions are announced, as new hacks are attributed to old clusters, and as the wallet itself moves funds onward. A clean screen at 9:00 a.m. is not a clean screen forever. Continuous Transaction Monitoring — periodic re-screening of active counterparties and post-event re-scoring after major incidents — is what catches the cases that pre-deposit screening alone misses.

This is also where most regulator findings against crypto businesses come from. The deposit check passed; the follow-up didn't happen; six weeks later the wallet shows up in a sanctions update. A continuous monitoring layer closes that gap.

For businesses building this out as a permanent control rather than an ad-hoc process, AMLBot Crypto Transaction Monitoring is one option that integrates pre-deposit screening, ongoing monitoring, and case management in a single pipeline.

What DeFi AML Tools Cannot Fully Solve

It's worth being honest about the limits, because over-promising creates worse compliance outcomes than under-promising.

  • Attribution Has Limits: Blockchain analytics can describe what a wallet did. It cannot, on its own, tell you who the human behind that wallet is. Identification still typically requires KYC data, exchange cooperation, or off-chain investigation.
  • Smart Contracts Are Often Neutral Infrastructure: A contract used by a sanctioned actor is also used by thousands of normal users. The contract itself isn't a verdict; the behavior of a specific wallet inside it is.
  • Context Beats Score: A high risk score without context — distance, timing, amount, counterparty quality — leads to bad decisions in both directions: missed real risk and unjustified account closures.
  • Bridge Data Is Fragmented: Cross-chain tracing has improved sharply since 2023, but coverage is still uneven across newer chains and exotic bridges. A "no exposure" result on one chain does not mean "no exposure" anywhere.
  • Risk Scoring Is Decision Support, Not Verdict: A number from an analytics tool is an input. The compliance decision — accept, hold, escalate, file a SAR — is still human.
  • AML Controls Reduce Risk, They Do Not Eliminate It: A well-run program lowers exposure dramatically. It does not make DeFi-touching activity risk-free, and no honest provider should claim it does.
For a fuller treatment of where on-chain attribution stops, see the Limitations of Blockchain Analytics in AML Compliance.

Building a Risk-Based AML Approach for DeFi Exposure

Pulling the pieces together, a workable framework usually looks like this:

  • Define Acceptable and Unacceptable DeFi Exposure: Decide in advance what the business will simply not accept (e.g., direct sanctioned-address exposure, recent named-hack exposure). Write it down. The point of a policy is to remove that decision from the heat of the moment.
  • Tier Signals Into Low, Medium, and High Risk: Each tier maps to a defined action — auto-approve, review, hold-and-escalate.
  • Set Thresholds by Amount, Asset, Chain, Counterparty, and Exposure Type: A $50 deposit and a $500,000 deposit do not deserve the same workflow.
  • Document Every Decision: Both the "approve" and the "reject" paths need a written rationale. Documentation is the difference between a defensible program and an indefensible one.
  • Re-check Wallets Over Time: A counterparty's risk profile is not frozen at the moment of onboarding.
  • Combine KYC + KYT + Transaction Monitoring: Each layer covers what the others miss. KYC verifies identity, KYT screens wallets and transactions, and ongoing monitoring catches change over time.
  • Adapt Policies as Typologies Change: DeFi laundering patterns in 2026 do not look like 2022. The policy should be reviewed at least annually and after any major industry incident.

Low, Medium, and High-Risk DeFi Exposure

A useful starting point — to be tuned to the specific business model and license — looks roughly like this:

– Low Risk covers ordinary DEX use with no proximity to sanctioned or high-risk entities, an established wallet age, and normal transaction velocity. This is the majority of legitimate DeFi-touching activity — the screening result confirms the absence of red flags, and the deposit proceeds through the standard pipeline.
– Medium Risk covers signals like bridge use, multi-hop swap routing right before deposit, newly created wallets, unusual counterparty patterns, or indirect (roughly three-to-five hop) exposure to high-risk entities. The deposit isn't blocked, but it earns a closer look — typically an enhanced review, a source-of-funds question to the user where appropriate, and a written record of the decision.
– High Risk covers direct or close exposure to sanctioned addresses or protocols, mixer proximity, exploit-linked clusters, or links to darknet or fraud clusters. These deposits are held pending compliance review, escalated to a human analyst, and assessed against the business's reporting obligations.
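
One way to encode these three tiers so that each decision carries its written reasons (an added example, not the article's or any vendor's implementation). Every threshold, field name and sample wallet below is an assumption chosen for illustration and would be tuned to the business model and license.

```python
from dataclasses import dataclass, field
from typing import Optional

# All thresholds are illustrative assumptions, not values from the article.
HIGH_RISK_CATEGORIES = {"sanctioned", "mixer", "exploit", "darknet", "fraud"}
CLOSE_HOPS = 2            # "direct or close" exposure: one or two hops
INDIRECT_MAX_HOPS = 5     # "roughly three-to-five hop" indirect exposure
NEW_WALLET_DAYS = 7       # wallet younger than this counts as newly created
PRE_DEPOSIT_MINUTES = 60  # bridge use this close to the deposit is flagged
RAPID_SWAP_COUNT = 3      # swaps shortly before deposit that suggest routing
EDD_AMOUNT_USD = 100_000  # amount that triggers enhanced review by itself
ACTIONS = {"low": "auto-approve", "medium": "review", "high": "hold-and-escalate"}


@dataclass
class Deposit:
    wallet: str
    amount_usd: float
    wallet_age_days: int
    minutes_since_bridge: Optional[float] = None  # None = no bridge seen
    swaps_before_deposit: int = 0
    exposures: list = field(default_factory=list)  # dicts: category, hops


def tier_deposit(dep):
    """Map a screened deposit to a tier, an action and the reasons behind it."""
    high, medium = [], []
    for exp in dep.exposures:
        if exp["category"] not in HIGH_RISK_CATEGORIES:
            continue
        note = f"{exp['category']} exposure at {exp['hops']} hop(s)"
        if exp["hops"] <= CLOSE_HOPS:
            high.append(note)
        elif exp["hops"] <= INDIRECT_MAX_HOPS:
            medium.append(note)
    if dep.wallet_age_days < NEW_WALLET_DAYS:
        medium.append(f"wallet is {dep.wallet_age_days} day(s) old")
    if (dep.minutes_since_bridge is not None
            and dep.minutes_since_bridge <= PRE_DEPOSIT_MINUTES):
        medium.append(f"bridged {dep.minutes_since_bridge:g} min before deposit")
    if dep.swaps_before_deposit >= RAPID_SWAP_COUNT:
        medium.append(f"{dep.swaps_before_deposit} swaps before deposit")
    if dep.amount_usd >= EDD_AMOUNT_USD:
        medium.append("amount at or above EDD threshold")

    tier = "high" if high else "medium" if medium else "low"
    # The returned record doubles as the written rationale for the case file.
    return {
        "wallet": dep.wallet,
        "amount_usd": dep.amount_usd,
        "tier": tier,
        "action": ACTIONS[tier],
        "reasons": high + medium,
    }


# Constructed sample deposits.
ORDINARY = Deposit("0xORDINARY", 800, wallet_age_days=400)
FRESH = Deposit("0xFRESH", 5_000, wallet_age_days=2,
                minutes_since_bridge=12, swaps_before_deposit=4)
CLOSE = Deposit("0xCLOSE", 250_000, wallet_age_days=300,
                exposures=[{"category": "sanctioned", "hops": 1}])
FAR = Deposit("0xFAR", 500, wallet_age_days=300,
              exposures=[{"category": "sanctioned", "hops": 5}])

if __name__ == "__main__":
    for dep in (ORDINARY, FRESH, CLOSE, FAR):
        print(tier_deposit(dep))
```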

Documentation and Escalation

The most underrated part of any DeFi AML program is the paper trail. The value of compliance isn't only in catching risk; it's in being able to show, after the fact, that the business asked the right questions at the right time and made a defensible decision. In practical terms, a regulator reviewing the program later will want to see: the screening result, the analyst's notes, the source-of-funds answer (where one was requested), the escalation path that was followed, and the final outcome. None of those need to be elaborate. They just need to exist.

For a more detailed walkthrough of the alert workflow itself, see How to Handle High-Risk Crypto Transaction Alerts.

Conclusion

DeFi has stopped being a side conversation. It is part of the normal fund flow that exchanges, OTC desks, payment platforms, and custodians see every day, and the DeFi AML risk it carries is one of the most consequential exposures any crypto business now has to manage. The good news is that the toolkit is mature. Wallet screening, KYT, continuous transaction monitoring, risk scoring, source-of-funds checks, and documented escalation — applied together, under a written risk-based AML approach — handle the overwhelming majority of real-world DeFi exposure.

FAQ

What Is AML in DeFi?

AML in DeFi is the practice of identifying and managing financial-crime risks tied to decentralized finance activity — including DEXs, cross-chain bridges, smart contracts, liquidity pools, and non-custodial wallets. In practice, it focuses on source-of-funds analysis, sanctions exposure, and behavioral risk signals for crypto businesses that accept or process DeFi-exposed funds.

Why Is DeFi Challenging for AML Compliance?

DeFi is challenging for AML compliance because activity happens through wallet addresses and smart contracts rather than customer accounts. There is typically no protocol-level KYC, funds can change asset type and blockchain in minutes, and liquidity pools commingle funds from many users — which makes source-of-funds attribution slower and more complex than in a traditional account-based system.

Is DeFi Regulated Under AML Rules?

It depends on the jurisdiction and the structure of the service. FATF Recommendation 15 and its Interpretive Note treat DeFi arrangements with identifiable controllers as in scope of AML/CFT obligations, MiCA Recital 22 exempts only services provided "in a fully decentralised manner without any intermediary," and the U.S. Treasury's April 2023 DeFi Risk Assessment confirmed that existing Bank Secrecy Act obligations apply wherever the activity meets the regulatory definition. Regulated downstream businesses that process DeFi-exposed funds remain in scope regardless.

Do DeFi Protocols Need KYC?

Not every DeFi protocol performs KYC, and many fully decentralized ones legitimately fall outside that requirement. However, crypto businesses that accept or process funds exposed to DeFi typically need KYC, KYT, wallet screening, and transaction monitoring under their own license, regardless of what the upstream protocol does.

What DeFi Activity Can Create AML Risk?

DeFi activity can create AML risk when funds are linked to sanctioned addresses or protocols, mixers, exploit-linked wallets, fraud or scam clusters, high-risk smart contracts, suspicious bridge routes, or unusual swap and liquidity-pool patterns. Risk is determined by the combination of signals — exposure type, distance, amount, timing, and behavior — not by any single hop.

Are DEX Transactions Automatically High-Risk?

No. DEX activity is not automatically suspicious — most DEX volume is ordinary trading. Risk depends on wallet history, transaction behavior, counterparties, exposure distance, amount, timing, and links to known high-risk entities, not on the use of a DEX as such.

How Do Bridges Affect DeFi AML Risk?

Cross-chain bridges move value between blockchains, which fragments transaction history across separate ledgers and makes tracing harder. In 2025 and 2026, industry forensics research consistently identified bridges as the primary laundering tool replacing mixers, which is why bridge exposure now warrants the same level of scrutiny mixer exposure once did.

Can AML Tools Identify the Person Behind a DeFi Wallet?

Not on their own. AML tools can analyze wallet behavior, transaction flows, and risk exposure, but identifying the real-world person behind a wallet usually requires KYC data from a regulated counterparty, exchange cooperation, or additional off-chain information. Blockchain analytics is decision support, not identity confirmation.

How Can Crypto Businesses Manage DeFi-Related AML Risk?

Crypto businesses manage DeFi-related AML risk by combining wallet screening before accepting deposits, continuous transaction monitoring, multi-factor risk scoring, source-of-funds documentation, defined escalation rules, and audit-ready case management. Each control covers gaps the others leave, and together they form a risk-based AML approach that regulators expect.

What's the Difference Between KYC and KYT in a DeFi Context?

KYC ("Know Your Customer") verifies the identity of the person opening or holding an account, while KYT ("Know Your Transaction") screens the wallets and transactions involved at the moment funds move. In a DeFi context, KYT is often the primary risk control because there is no protocol-level identity to rely on — but for regulated businesses that hold accounts on behalf of users, both layers are typically required.