3 April 2026 · GSIG-B-2026-002

Beyond Sanctions Lists: Why Address Screening Fails Modern Threats

The addresses on a sanctions list represent the tip of an iceberg, not the network. For institutional compliance programmes, the question is no longer what is on the list — it is what sits two hops from it.

Every regulated virtual asset service provider runs a blockchain analytics subscription. Most of them use it the same way: an address comes in, the address is queried against a vendor's proprietary labels, a risk score comes out, a decision gets recorded. This workflow has been the operating model of crypto compliance for almost a decade. It is also, increasingly, insufficient.

The reason is not that screening vendors are bad at labelling. They are quite good at it. The reason is that the threats they are meant to detect have restructured themselves around the screening model. Specifically: threat actors now operate through addresses that are, at the moment of query, genuinely unlabelled — because the labelling process runs in arrears and because the operational addresses of a sanctioned entity are rarely the ones designated.

What a sanctions list actually lists

OFAC's SDN list, the UK OFSI consolidated list, the EU CFSP list, the NBCTF designation register — each of these is a roster of identifiable, primary-control addresses linked to entities or persons who have been the subject of a formal designation process. These lists are authoritative. They are also narrow.

What they do not contain:

  • Operational addresses used by the sanctioned entity that have not yet been formally designated
  • Addresses controlled by third-party service providers that transact on behalf of sanctioned entities
  • Pass-through addresses created for the specific purpose of moving value once, then abandoned
  • Addresses at regulated intermediaries — exchanges, PSPs — that have received sanctioned-origin funds but have not yet been flagged
  • The enormous population of counterparty addresses whose only relevance is proximity

Each category is, individually, a small population. Combined, they account for the majority of transaction volume that a well-built attribution graph would classify as sanctioned-adjacent.

The empirical asymmetry

A worked intuition: for any given designated entity, the list will contain some number of identified addresses — usually in the single digits, occasionally in the tens. The number of addresses through which that entity's value actually flows in a given quarter is typically two to three orders of magnitude larger. The gap is not a flaw in list maintenance; it is a property of how designations work. A designating authority cannot designate an address it does not know about. It also cannot designate an address that belongs to a service provider in a non-cooperative jurisdiction, even if that service provider is known to handle sanctioned flow.

"The list is the starting point of an investigation, not its conclusion. Any compliance programme that treats it as the conclusion is functionally accepting that the majority of sanctioned-adjacent transaction volume will pass through it unflagged."
— GSIG Intelligence, methodological note

What graph-based attribution does instead

Attribution — the practice of assigning an address to an entity based on behavioural, structural, and transactional signals — is the layer above list-based screening. A mature attribution system does not ask "is this address on the list?" It asks "who does this address belong to, and what do we know about them?"

A well-constructed attribution graph operates over multiple signal classes:

  • Co-spend clustering: addresses that jointly fund single transactions almost always share a controller
  • Behavioural fingerprinting: transaction timing, gas pricing, counterparty selection, and fee preferences produce per-entity signatures that survive address rotation
  • Service attribution: exchanges, mixers, swap desks, OTC platforms are each recognisable from their internal address management patterns
  • Cross-chain resolution: an entity with addresses on Ethereum, TRON, and BNB Chain needs to be resolved as a single entity, not three separate ones
  • Temporal correlation: new operational wallets created by a known entity typically appear within hours of funding transactions from that entity's existing stack

Combining these signals produces an attribution graph that is both denser and more durable than any sanctions list. An address that is two hops from a designated entity — through its attribution, not through a vendor label — is a meaningful signal even when that address is otherwise clean. An address belonging to a service provider that routinely processes sanctioned flow is a meaningful signal even when the specific transaction under review is not itself sanctioned-origin.
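The following is an added example, not GSIG's code or methodology: a Python implementation of the co-spend clustering signal combined with hop distance from a designated entity, run over constructed transactions. The addresses, `TXS`, `DESIGNATED` and all function names are hypothetical; hops are counted over an undirected graph of clustered entities, and every transaction is assumed to have at least one input.

```python
from collections import defaultdict, deque

# Constructed sample data: (input addresses, output addresses) per transaction.
TXS = [
    (["S1", "S2"], ["P1"]),  # S2 co-spends with designated S1
    (["P1"], ["X1"]),        # single-use pass-through
    (["X1", "X2"], ["C1"]),  # X2 co-spends with X1
    (["U1"], ["U2"]),        # unrelated activity
]
DESIGNATED = {"S1"}  # the only address on the constructed list


def cluster(txs):
    """Co-spend clustering: union-find over each transaction's inputs."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            a = parent[a]
        return a
    for inputs, _ in txs:
        for other in inputs[1:]:
            parent[find(other)] = find(inputs[0])
    return {a: find(a) for ins, outs in txs for a in ins + outs}


def hop_distances(txs, designated):
    """BFS over the entity graph: address -> hops from a designated entity."""
    root = cluster(txs)
    graph = defaultdict(set)
    for inputs, outputs in txs:  # assumes every transaction has an input
        for out in outputs:
            graph[root[inputs[0]]].add(root[out])
            graph[root[out]].add(root[inputs[0]])
    dist = {root[a]: 0 for a in designated if a in root}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return {a: dist.get(r) for a, r in root.items()}


def screen(address, txs=TXS, designated=DESIGNATED):
    """Return (list_hit, hops) so both answers go into the decision record."""
    return address in designated, hop_distances(txs, designated).get(address)
```

Here `S2` never appears on the list yet resolves to the designated entity itself (zero hops), and `X2` is list-clean but sits two hops away through its cluster; `U1` has no path to the designated entity and returns `None`.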

Operational implication

List-based screening answers the question "is this transaction blocked under sanctions law?" Graph-based attribution answers the question "is this transaction structurally problematic, and do we have a defensible audit trail for our decision?" The two questions are related but non-identical. Most enforcement-grade findings require the second question to be answerable.

What this means for institutional compliance

The practical implication is neither that screening vendors should be abandoned — they remain the fastest and cheapest first-pass filter — nor that every institution should build its own attribution graph. Attribution is an expensive, data-intensive, and methodologically sensitive function. Few institutions have the operational scale to produce it internally, and fewer still can do so with the jurisdictional coverage required.

What shifts is the expected depth of the compliance stack. A mid-sized VASP is no longer well-served by a single-vendor screening subscription. A minimum-viable compliance programme in 2026, in our experience, consists of:

  1. Transactional screening — via a vendor, at the point of transaction, against a list
  2. Forensic escalation — access to an intelligence function that can produce graph-based attribution on demand for flagged cases
  3. Periodic intelligence — structured awareness of the threat typologies that the institution is likely to encounter, refreshed quarterly
  4. Case reconstruction — the ability to produce an audit-grade investigative narrative when regulators ask

Most compliance programmes have Layer 1 well-built. Layer 2 is, for most institutions, the next capability gap. It is also the layer that differentiates a programme that will survive a serious regulatory examination from one that will not.

Closing

The distinction between screening and intelligence is not rhetorical; it is operational. Screening tells you whether a transaction hits a list. Intelligence tells you what the transaction actually is, who is behind it, and what the defensible compliance posture looks like. Both are necessary. Only one of them is what most institutions currently have.


GSIG operates a production-grade attribution graph spanning thirty-one chains and approximately 99,700 resolved entities, against a wallet population of 30.4 million addresses. Forensic intelligence for institutional compliance programmes is available to vetted clients.

Suggested citation
Global Sanctions Intelligence Group (2026). "Beyond Sanctions Lists: Why Address Screening Fails Modern Threats." GSIG Briefing GSIG-B-2026-002, 3 April 2026. Available at: https://gsig.uk/briefings/beyond-sanctions-lists