Briefings·Threat Finance
8 May 2026 7 min read GSIG-B-2026-007

Stablecoin Payments: The Missing Layer

The commercial map of stablecoin payments has been built. Volume, chain distribution, geographic corridors, token share — these are now well-documented. What sits inside the volume — sanctioned flow, hawala topology, sanctioned-cluster connectors — is not. No commercial analytics platform produces this layer. Every payment service provider operating on stablecoin rails is exposed to flow infrastructure that conventional screening cannot detect.

The stablecoin payments industry has reached the size at which it is mapped, measured, and modelled at commercial scale. Bottom-up analyses of payment flows now exist. Annualised settlement run rates are quoted in the tens of billions and rising. Payment service providers are profiled, geographic corridors are characterised, and the dominant rails — TRON USDT principally, with USDC and Ethereum following — are well understood.

Every dimension of the industry is now visible commercially, with one exception. What sits inside the volume.

This briefing is about that exception, why it exists, and what it means for the institutions building, intermediating, and investing in stablecoin payment infrastructure.

What commercial measurement captures

The bottom-up reports characterising the stablecoin payments industry capture, with credibility, the structural shape of the market. They tell us that TRON dominates settlement by volume across every region surveyed. They tell us that USDT accounts for the overwhelming majority of activity. They tell us that payment service providers — card programmes, B2B settlement firms, on-ramp/off-ramp infrastructure — are operating at scale on these rails, with throughput compounding quarter on quarter.

This measurement is real and it is useful. It is also, in compliance terms, only half the picture.

The reports measure the commercial throughput of the institutions involved. They do not measure — and were not designed to measure — what proportion of that throughput is attributable to sanctioned, sanctioned-adjacent, or illicit-origin flow. That measurement requires a different kind of work: forensic graph analysis at the topology level, conducted by institutions independent of the payment firms being analysed, using infrastructure that conventional commercial analytics platforms do not deploy.

The structural blind spot

The compliance tooling on which the global stablecoin payments industry currently relies operates almost exclusively at the address level. A counterparty wallet is submitted to a vendor. The vendor returns a label, or no label, and a risk score. If the address is not on a sanctions list and not directly tied to a labelled bad actor, the score is low, and the transaction proceeds.

This approach does not detect three categories of exposure that the GSIG platform has identified, repeatedly, in active investigations on the exact rails the commercial reports profile.

SHELL_RELAY topology. Automated, sub-one-hour pass-through wallets that function as programmatic hawala infrastructure. These wallets are not themselves sanctioned addresses. They are operational laundering mechanisms that sit between the sanctioned origin and the payment service provider's deposit address. By the time the funds arrive at the PSP, they have transited through multiple unlabelled intermediaries, and the address-level link to the sanctioned origin has been severed. Commercial screening does not detect them, because there is nothing to label — the addresses exist for minutes and are abandoned.

Cross-sanctioned connectors. Individual wallet addresses that bridge three or more distinct sanctioned clusters — for example, an address that simultaneously transacts with OFAC-designated networks, NBCTF seizure targets, and state-linked exchange infrastructure. These addresses are themselves unsanctioned. They are topological connectors visible only through graph-level analysis that conventional screening tools do not perform. The compliance signal is structural, not list-based.

Percentage-threshold evasion. Where sanctioned flow represents a small percentage of a high-volume PSP's total throughput, conventional screening normalises the exposure away. The flow is material in absolute dollar terms but invisible when measured as a percentage of total volume. A PSP processing tens of billions of dollars annually can carry hundreds of millions in sanctioned-adjacent flow without triggering any threshold-based alert. The vendor's risk score for the institution as a whole is low; the underlying exposure is significant.

These are not hypothetical detection gaps. They are findings from active investigations into infrastructure operating within the exact ecosystem the commercial reports document.

Where the gap concentrates

GSIG currently tracks deposit address infrastructure at licensed, operating payment service providers that receives direct or one-hop inflow from wallets we have classified as sanctioned-adjacent. The findings span multiple geographic corridors documented in commercial industry reports — including the UK, Southeast Asia, the Middle East, and East Africa.

The infrastructure involved includes entities that are licensed in their respective jurisdictions, that have passed conventional compliance screening, and that are embedded in partnerships with major global payment networks. None of these institutions are doing anything visible to commercial screening tools that would alert them to the exposure. The exposure is invisible by construction, given the tooling currently deployed.

This is the missing layer. Not a single firm's failure. Not a single vendor's omission. A structural gap in how the industry approaches sanctions compliance for stablecoin infrastructure.

What this means for the industry

The Treasury Borrowing Advisory Committee has projected stablecoin supply will reach $2 trillion by 2028. Major payment networks have embedded stablecoin rails into their infrastructure. The growth trajectory is steep and well-documented.

This growth is happening without a corresponding intelligence layer. The analytics platforms measuring the growth track volume, chain distribution, token share, and geographic corridors. They do not track what is inside the volume. The compliance tooling relied upon by every payment firm in the industry operates on address-level sanctions list matching. Neither produces the topology-level intelligence that the operational threat picture now requires.

The consequence is straightforward: every payment firm, every card programme, every B2B settlement platform, and every PSP settling on TRON USDT and equivalent rails has potential exposure to the same sanctioned-flow infrastructure GSIG has mapped — and no current commercial means of detecting it.

Operational implication The institutions intermediating stablecoin payments are operating with a compliance posture that was adequate when the threat actors were retail-scale and the rails were small. Neither condition holds. The compliance posture has not yet caught up.

What the missing layer actually is

The missing layer is not a product, and it is not a vendor service that can be procured from existing analytics providers. It is a category of intelligence that requires:

  • Multi-chain forensic infrastructure capable of reconstructing flow at the topology level rather than the address level, across every chain on which sanctioned actors operate
  • Independent attribution that does not rely on commercial relationships with the firms being analysed
  • Signals intelligence integration — including peer-network observation, cross-chain entity resolution, and behavioural fingerprinting — that conventional analytics vendors do not collect
  • Continuous re-evaluation as new infrastructure, new bridges, and new evasion mechanisms emerge, rather than the periodic refresh cycles that screening vendors operate on

These are not adjustments to existing screening products. They are different infrastructure built on different premises, by institutions whose business model is intelligence rather than sales-channel labelling.

Closing

This is the missing layer. The institutions that build the capability to see it — directly or via independent intelligence partnership — will operate above the regulatory standard the next two examination cycles establish. The institutions that do not will discover, repeatedly, that their compliance posture stops at the limit of address-level screening, and that the limit is materially shorter than the threat actors require to evade detection.

The commercial map of the stablecoin payments industry has been published. The intelligence map has not been built — by the analytics vendors, by the payment firms, or by the regulators. Building it is the work of the next cycle.

GSIG produces topology-level forensic intelligence for the stablecoin payments industry, including attribution-grade analysis of PSP counterparty exposure, sanctioned-flow infrastructure mapping, and continuous monitoring of evasion topology. Available to vetted institutional, government, and counsel clients under engagement.

Suggested citation
Global Sanctions Intelligence Group (2026). "Stablecoin Payments: The Missing Layer." GSIG Briefing GSIG-B-2026-007, 8 May 2026. Available at: https://gsig.uk/briefings/stablecoin-missing-layer
GSIG-B-2026-007 · Threat Finance · 8 May 2026 ← All briefings