Briefings·M&A Diligence
27 March 2026 5 min read GSIG-B-2026-003

Forensic Due Diligence in Crypto M&A: What Traditional Analytics Miss

A standard compliance diligence tells you whether a target's wallets hit a list. It does not tell you whether the target's revenue is structurally contaminated. The gap between those two questions is where every post-close regulatory surprise lives.

In every post-close regulatory surprise we have seen in crypto M&A, the same pattern recurs: the target's compliance diligence returned clean against vendor screening, the target's wallets did not hit any sanctions list, and the acquirer relied on this to move forward. Twelve to twenty-four months later, the acquirer learns that the target's revenue — not its wallets, its revenue — was structurally dependent on a counterparty base the acquirer cannot legally serve. By then, the deal is closed and the acquirer owns the problem.

The questions an acquirer actually needs answered before closing a digital-asset transaction are not are the target's wallets listed? but is the target's revenue model dependent on a counterparty base the acquirer cannot legally serve?

The asymmetry between screening and diligence

Screening is a yes/no question against a known list. Diligence is a descriptive question about a company's underlying business. These are different intellectual tasks:

  • A crypto payment processor can have zero sanctioned-list hits on its public wallets while simultaneously earning a significant share of its revenue from counterparties whose funds trace back to sanctioned origins within two or three hops
  • A crypto exchange can maintain a clean balance-sheet screening posture while operating a market-making relationship with an OTC desk that specialises in settling for sanctioned-jurisdiction customers
  • A stablecoin issuer can screen its primary market activity cleanly while its secondary market activity — the actual volume-weighted usage of the token — concentrates in pools and wallets tied to threat networks
  • A custodian can hold only screened addresses while its customer base includes intermediaries whose own customers are not screened to the same standard

In each case, the traditional diligence process returns a clean report. In each case, the post-close regulatory reality is anything but clean.

What forensic diligence actually examines

A forensic diligence examines the target's on-chain flow the way an accountant examines revenue concentration. The questions are structural:

What share of the target's transactional revenue, weighted properly across chains and stablecoins, originates from counterparties that are sanctioned-adjacent, jurisdictionally problematic, or structurally mixed? — Standard GSIG engagement scope

Answering that question requires:

  • Wallet discovery: the target's disclosed wallets are rarely the full operational set. Forensic diligence begins by identifying the complete population of addresses the target actually controls, derived from behavioural, transactional, and structural attribution.
  • Flow reconstruction: every significant inbound and outbound flow is traced back to its origin and forward to its destination, across chains, across bridges, across stablecoins.
  • Counterparty classification: each counterparty — not each address, each counterparty — is resolved to an entity and classified against a threat typology (clean, jurisdictionally problematic, sanctioned-adjacent, directly sanctioned, unclassified).
  • Rail-level segmentation: frequently, a target operates parallel business lines on different chains or stablecoins, with different contamination profiles on each. The weighted average number alone is not sufficient; rail-by-rail segmentation is what makes the finding actionable.
Case pattern observed repeatedly A target operates two clearing rails simultaneously: a clean institutional rail used to onboard regulated counterparties, and a contaminated retail or informal rail used for the operationally significant volume. The clean rail is what is shown to the acquirer. The contaminated rail is where the economics actually live. Separating them is the entire point of forensic diligence.

What the acquirer gets

A well-executed forensic diligence produces three outputs that traditional compliance diligence does not:

  1. Quantified contamination exposure. A specific percentage of the target's transactional revenue attributable to sanctioned-adjacent flow, with methodology documented.
  2. Entity-level counterparty mapping. The identities of the target's most economically significant counterparties, resolved to real entities where possible, with attribution evidence.
  3. Rail-level segmentation. A breakdown by chain, stablecoin, and clearing pattern that lets the acquirer understand which parts of the business are clean, which parts are contaminated, and what integration would actually mean.

This output is what allows counsel to have a defensible position on the question should we close, and if so on what terms? Without it, the closing decision is an informed guess.

Closing

Forensic diligence in crypto M&A is not an exotic add-on. It is the equivalent of a quality-of-earnings review for digital-asset transactions. Most acquirers still do not commission one. Most targets, for obvious reasons, do not volunteer one. The institutions that close these deals without it will continue to produce the post-close regulatory surprises that the current market has become known for.

GSIG conducts forensic diligence engagements on crypto payment processors, exchanges, stablecoin issuers, custodians, and PSPs with crypto rails. Each engagement is scoped to the transaction and produced at counsel-grade quality, available under engagement letter and privilege.

Suggested citation
Global Sanctions Intelligence Group (2026). "Forensic Due Diligence in Crypto M&A: What Traditional Analytics Miss." GSIG Briefing GSIG-B-2026-003, 27 March 2026. Available at: https://gsig.uk/briefings/crypto-ma-diligence
GSIG-B-2026-003 · M&A Diligence · 27 March 2026 ← All briefings