ONYX//AML
2026-06-03

How exchange AML screening works: what compliance actually sees

"I did nothing wrong — why was I frozen?" is the most common question in our inbox. The answer is almost always in the AML engine's mechanics: it scores your transaction graph, not you.

The exchange doesn't look at you. It looks at the graph

On every deposit the engine (Chainalysis KYT, TRM Labs, Elliptic) builds a graph: where the tokens came from, through which addresses, which clusters those addresses belong to. Each known cluster carries a category: exchange, OTC desk, mixer, darknet market, sanctioned service, scam project.

Your deposit gets a risk score — a weighted "contamination" estimate across the whole chain. Key word: chain. Tokens that passed a mixer three transfers before you still drag risk into your score.

Hops: why you answer for others' sins

A hop is one transfer in the chain. Engines look 2–5 hops deep. You can receive USDT from a perfectly legitimate counterparty who got it from an OTC desk that accepted a dirty flow — and the flag lands on you. Unfair? Yes. But the risk model minimizes the exchange's risk, not your convenience.

Why the freeze comes months after the deposit

Cluster attribution updates retroactively. An address neutral today gets linked to a hack or sanctioned service six months later — and the engine re-scores every transaction that touched it. That is why "old" deposits suddenly become a problem.
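
A toy model of the two mechanics above, hop-diluted exposure and retroactive re-scoring, added here as an illustration; it is not the code of Chainalysis, TRM Labs or Elliptic. The category weights, the alert threshold, the proportional-split rule and every address in the sample graph are assumptions constructed for the example.

```python
# Assumed category weights (0 = clean, 1 = worst); real engines keep theirs private.
WEIGHTS = {"exchange": 0.0, "otc": 0.2, "mixer": 0.9, "sanctioned": 1.0, "hack": 1.0}
MAX_HOPS = 5          # the article cites a 2-5 hop look-back
ALERT_THRESHOLD = 0.15  # assumed alert level

def exposure(addr, transfers, labels, hops=MAX_HOPS):
    """Weighted share of the funds at `addr` that traces back to risky clusters."""
    if addr in labels:                      # attributed cluster: stop and score it
        return WEIGHTS[labels[addr]]
    inbound = [(src, amt) for src, dst, amt in transfers if dst == addr]
    total = sum(amt for _, amt in inbound)
    if hops == 0 or total == 0:             # look-back exhausted or origin unknown
        return 0.0
    # Proportional attribution: each source counts by its share of the inflow,
    # so every extra hop dilutes the weight but never resets it to zero.
    return sum(amt / total * exposure(src, transfers, labels, hops - 1)
               for src, amt in inbound)

def rescore(deposits, transfers, labels, threshold=ALERT_THRESHOLD):
    """Return {deposit_id: score} for every deposit at or above the threshold."""
    scores = {dep: exposure(sender, transfers, labels)
              for dep, sender in deposits.items()}
    return {dep: s for dep, s in scores.items() if s >= threshold}

# Constructed sample graph: (source, destination, amount).
TRANSFERS = [
    ("addr_H", "desk", 400),    # addr_H is unattributed at deposit time
    ("cex_1", "desk", 600),
    ("desk", "seller", 1000),
    ("seller", "you", 500),
    ("cex_1", "you", 500),
]
DEPOSITS = {"dep-001": "you"}          # deposit id -> depositing address
LABELS_TODAY = {"cex_1": "exchange"}   # cluster attribution at deposit time

if __name__ == "__main__":
    print("at deposit time:", rescore(DEPOSITS, TRANSFERS, LABELS_TODAY))
    # Six months later addr_H is attributed to a hack; nothing else changed.
    labels_later = dict(LABELS_TODAY, addr_H="hack")
    print("after re-attribution:", rescore(DEPOSITS, TRANSFERS, labels_later))
    # A shallower look-back never reaches addr_H, three hops behind the depositor.
    print("2-hop look-back:", exposure("you", TRANSFERS, labels_later, hops=2))
```

The same deposit goes from no alert to an alert purely because an address three hops upstream was re-attributed.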

The most frequent triggers

P2P flows

Fiat and crypto from dozens of strangers — statistically the dirtiest channel. See the P2P triangulation breakdown.

No-KYC swap services

Deposits from "anonymous" swappers carry high base risk — that is where stolen funds get dumped.

Mixers and privacy protocols

Any touch is a near-guaranteed flag, even if you "just wanted privacy."

Sanctions proximity

The sanctioned-cluster list grows monthly, and retrospective re-scoring touches ever more histories.

If the flag already happened

The paradox of AML cases: the exchange will not tell you what triggered the flag, because that would "reveal methodology." So professional work starts with an independent forensic report on your addresses using the same tool class: you see your graph through the exchange's eyes (our Chainalysis methodology breakdown covers how the engines build that graph). Next comes the Source of Funds dossier, then one verified compliance reply instead of panicked tickets.

Reducing the risk in advance

  1. Check incoming addresses before accepting funds — at minimum the contract blacklist check; ideally a full AML score.
  2. Avoid direct deposits from no-KYC swappers; remember hops do not "wash" the trail, only dilute the weight.
  3. Keep a documentary trail of every large deal.
  4. Refuse third-party payments in P2P — the payer's name must match the counterparty.

And above all: if a flag happened, do not panic-spread the remaining funds across new addresses. That is the only way to make the case worse. Estimate your scenario via the interactive assessment — we will say honestly whether you need help at all.

Free preliminary case assessment

Describe your situation — we will return an honest assessment: what is realistically possible, how long it takes and what it costs. No "guaranteed unlocks" — they do not exist; compliance decides.

Confidential. We run our own AML screening first: cases involving sanctioned or knowingly illicit flows are declined — including any sanctions-evasion scenarios.