Dirty Money in Crypto: How One Transfer Can Freeze Your Entire Account

\n

Dirty money in crypto: how one transfer can freeze your entire account

\n\n

Picture this: you sell bitcoin through P2P, receive payment, withdraw funds to an exchange, and a few days later your account gets frozen. Support politely informs you that they are requesting documents as part of an AML procedure. You are confused, because you did nothing wrong.

\n\n

The problem is not you. The problem is the wallet the funds came from.

\n\n

The crypto market is no longer the wild west it once was. According to Chainalysis data, the volume of identified illegal transactions in 2024 reached $40.9 billion, and in 2025 that figure climbed to a record $154 billion. Exchanges, stablecoin providers, and regulators have tightened their tracking of fund flows. Checking an address before a transfer is now as important as verifying a counterparty before a bank wire.

\n\n

We break down how AML checks work, why someone else's history can become your problem, and how to protect yourself in a couple of minutes.

\n\n

What makes a wallet \"dirty\"

\n\n

The blockchain records every transaction permanently. That means the history of any address is fully transparent: you can trace where coins came from, which wallets they passed through, and whether they were ever linked to hacks, fraud, or sanctioned entities.

\n\n

An address is considered \"dirty\" if its history includes transactions tied to one of several risk categories:

\n\n

\n
• Sanctioned wallets – addresses on OFAC, UN, EU, and other regulatory lists
\n
• Hacks – funds from exchange breaches, DeFi protocol exploits, and bridge attacks
\n
• Scams and phishing – wallets linked to fraudulent schemes
\n
• Darknet markets – addresses that traded through platforms like Silk Road
\n
• Mixers – Tornado Cash and similar services included on sanctions lists
\n
• Unlicensed exchangers – P2P platforms operating without a license
\n
• Ransomware – addresses that received ransom payments from victims of extortion software
\n

\n\n

One important nuance: the degree of \"contamination\" is not binary. If an address received funds from a hacked wallet three transactions back, that is not the same as a direct theft. This is where the concept of an AML risk score comes in.

\n\n

How AML scoring works

\n\n

AML scoring (Anti-Money Laundering scoring) is a numerical risk rating for a specific blockchain address. It shows how likely it is that coins passed through illegal sources. The score is usually expressed as a percentage: 0 means clean, 100 means maximum risk.

\n\n

Direct and indirect risk

\n\n

Most AML services distinguish between two types of connection between an address and criminal sources.

\n\n

Direct risk: the wallet itself received funds directly from a hacked or sanctioned address. This is the most serious situation – exchanges react quickly and decisively.

\n\n

Indirect risk: somewhere in the chain of transactions leading to your address, a few steps back, there is a suspicious source. The further back in the chain, the lower the resulting score. But even an indirect connection is sometimes enough for an account freeze.

\n\n

What systems analyze

\n\n

GoPlus Security covers 62 blockchains and works with a database of more than 115,000 flagged addresses across 10 risk categories. AMLBot checks across 13 categories using data from 25+ sources, at a cost of $2–3 per check. The Chainalysis Sanctions API is free and checks an address against OFAC, EU, and UN sanctions lists.

\n\n

Major exchanges use their own systems, often purchasing data from Chainalysis or Elliptic, and configure thresholds automatically: for example, a score above 70% blocks a deposit immediately, while above 30% it goes to manual review by the compliance team.

\n\n

Real cases: when someone else's history becomes your problem

\n\n

This is not theory. Below are documented cases that changed how the entire industry approaches AML checks.

\n\n

Bybit: $1.5 billion in one night

\n\n

In February 2025, hackers from the Lazarus group (North Korea) stole $1.5 billion from Bybit. According to Chainalysis, this is the largest theft in the history of crypto. The funds were immediately split across thousands of wallets and routed through mixers. Addresses that received even a small fraction of those coins were flagged. Users who accidentally received transfers through these chains reported account freezes on Bybit and other exchanges.

\n\n

North Korean hackers in 2024 overall stole $1.34 billion, accounting for 61% of all crypto thefts that year, according to Chainalysis. Lazarus is not a fringe group. It is a state-sponsored program with thousands of addresses across multiple blockchains.

\n\n

Tether and Circle: billions frozen

\n\n

By 2025, Tether (USDT) had frozen funds across addresses totaling $3.29 billion – more than 7,000 wallets. Circle (USDC) froze $109 million across 372 addresses. These are not theoretical risks. Stablecoin providers have the right to block specific addresses at any moment at regulators' request.

\n\n

If your USDT sits at an address that ends up on Tether's blacklist, you will physically be unable to withdraw funds. The coins will show in the wallet, but transactions will be rejected at the smart contract level.

\n\n

Binance and OKX: regulatory blows

\n\n

In November 2023, Binance paid $4.3 billion under a settlement with the US Department of Justice for AML violations. This is one of the largest corporate payments in the history of financial regulators.

\n\n

In February 2025, OKX pleaded guilty and agreed to pay $505 million on charges of facilitating money laundering exceeding $5 billion. After these cases, both exchanges sharply tightened their AML filters, and users began reporting more frequent freezes even at moderate risk scores.

\n\n

OFAC list: up 32% in one year

\n\n

As of February 2025, the OFAC SDN sanctions list contained 1,245 crypto addresses, up 32% from the year before. The US regulator continues to actively add new wallets. If your funds arrived from such an address, any US-based exchange or service is required to freeze them.

\n\n

What happens when dirty coins reach you

\n\n

Many people assume that since they did nothing wrong, the exchange will sort it out and return everything. In practice, it works differently.

\n\n

The typical chain of events looks like this:

\n\n

\n
1. You receive a deposit from a high-risk wallet (often without knowing it)
\n
2. The exchange automatically blocks your withdrawal
\n
3. Support requests documents: KYC, proof of source of funds, correspondence with the sender
\n
4. If the explanation does not satisfy the compliance team, the account is frozen completely
\n
5. In serious cases, the exchange may pass data to the regulator, which can lead to confiscation
\n

\n\n

Unfreeze timelines range from several weeks to several months. There are no guarantees. Even if you eventually prove your innocence, the market may have moved significantly in that time.

\n\n

The worst part: you do not need to receive money directly from a hacker for this to happen. Sometimes three or four intermediate wallets are enough. That is why you need to check even people you have worked with before.

\n\n

How to protect yourself: practical steps

\n\n

Check before sending and before receiving

\n\n

Checks are needed in both directions. Before sending money, confirm that the recipient's address is not sanctioned: your funds could be stuck permanently. Before accepting a payment (especially from a stranger on P2P), check the sender's address. If the score is high, it is better to ask for a transfer from a different wallet.

\n\n

Use multiple tools

\n\n

No single service has a complete database. A sensible approach: a quick free check, plus a detailed report through a professional tool when needed.

\n\n

\n
• Free express check: our AML checker on CoinMagnetic – instant results, no registration required, powered by GoPlus Security and Chainalysis
\n
• Detailed report: AMLBot – 13 risk categories, 25+ data sources, available via Telegram bot, starting at $2 per check
\n
• Wallet balance check: our multi-chain wallet checker shows assets across 7 EVM networks and Solana
\n

\n\n

We earn a commission on some links in this article.

\n\n

Work with verified exchanges

\n\n

Licensed platforms run their own AML checks on deposits and will usually not let you receive genuinely dirty funds. But that does not remove your responsibility: they can also freeze your account if something looks suspicious. Our reviews of all exchanges can help you choose the right one.

\n\n

Keep a record of your conversations

\n\n

For P2P deals, document everything: chat screenshots, payment details, transaction timestamps. If the exchange later asks for the source of funds, you will have the paperwork. This is not red tape – it is your safety net.

\n\n

Check regularly, not only before transactions

\n\n

A wallet can end up on a sanctions list after you have already received funds from it. Periodically checking your own addresses helps you spot a problem early. It is also worth occasionally checking the wallets of regular counterparties: situations change.

\n\n

AML myths that cost people money

\n\n

\"I didn't break any laws, so I have nothing to worry about\"

\n\n

Unfortunately, that is not how it works. Exchanges operate on a risk basis, not a guilt basis. If the automated system sees a high score, it freezes the account preemptively. The investigation comes later – and not necessarily quickly.

\n\n

\"Bitcoin is anonymous, no one will trace anything\"

\n\n

This misconception dates back to 2012. Bitcoin is pseudonymous: all transactions are public. Professional blockchain analytics firms like Chainalysis and Elliptic map connections between addresses with high accuracy. Their tools sit at the entrance to most major exchanges.

\n\n

\"P2P deals are safer, there's no KYC\"

\n\n

P2P without KYC means you do not know who you are dealing with. P2P is actually the primary channel through which laundered funds reach ordinary users. Transferring high-score funds through P2P is equally risky regardless of whether the platform has KYC or not.

\n\n

\"If I move the money on quickly, everything will be fine\"

\n\n

Blockchain transactions are irreversible and stay in the history permanently. Moving funds quickly does not \"clean\" them. An address's history is stored from the moment of its first transaction.

\n\n

How to read AML check results

\n\n

When you use our tool or a professional service, the result typically looks like this: an overall risk score as a percentage, plus a breakdown by category.

\n\n

Use the following thresholds as a guide:

\n\n

\n
• 0–25%: low risk. Most exchanges accept without questions.
\n
• 25–50%: moderate risk. May request additional documents, especially for larger amounts.
\n
• 50–75%: high risk. Serious chance of a freeze. Worth clarifying the source of funds before the deal.
\n
• Above 75%: critical risk. Most exchanges automatically block the deposit. We do not recommend accepting such funds.
\n

\n\n

Pay attention to the categories in the detailed report. A sanctioned address and an address with an indirect link to a darknet market from three years ago are very different situations with very different consequences. The score gives you a starting point, but the breakdown is what helps you understand the details.

\n\n

How our free AML checker works

\n\n

We built our own AML checker that runs through two reliable sources: GoPlus Security (62 blockchains, 115,000+ flagged addresses, 10 risk categories) and Chainalysis Sanctions API (OFAC, EU, and UN sanctions lists). A check takes a few seconds, requires no registration, and you immediately see the risk score along with the main flags.

\n\n

The tool covers the main networks: Ethereum, Bitcoin, BNB Chain, Polygon, Arbitrum, Tron, Solana. That covers the vast majority of everyday checks before a P2P deal or a transfer from an unfamiliar wallet.

\n\n

For professional tasks where a detailed report with 13 risk categories and a source breakdown matters, we recommend AMLBot: it offers both a web interface and a Telegram bot, at $2–3 per check.

\n\n

If you are just getting started with crypto transaction security, read our guide to buying crypto safely: it covers the main risk scenarios and how to avoid them.

\n\n

What it actually costs – to check or not to check

\n\n

A free check with our tool: $0, 30 seconds of your time.

\n\n

A paid AMLBot report: $2–3.

\n\n

A frozen account with several thousand dollars inside for a month or two while compliance sorts it out: hard to put a price on, but the lost nerves, time, and opportunities are guaranteed.

\n\n

The crypto market in 2025 is not the wild west. Exchanges, stablecoin providers, and regulators are watching fund flows more closely than most people realize. The habit of checking addresses before a transfer takes a few seconds and can save you from a very unpleasant situation.

\n\n

\n

According to Chainalysis, the volume of illegal crypto transactions in 2025 reached a record $154 billion. Every dollar of that passed through the blockchain – and some of those transactions touched ordinary users who had no idea what was happening.

\n

\n\n

Check an address right now

\n\n

Have an address you are about to transact with? Check it in 30 seconds – free, no registration needed.

\n\n

Open the CoinMagnetic AML checker

\n\n

We support Bitcoin, Ethereum, BNB Chain, Tron, Polygon, Arbitrum, Solana. Results are instant – a risk score plus the main flags by category.

\n\n

If you need a detailed report for a high-stakes deal, try AMLBot – it draws on 25+ data sources and breaks results down across 13 risk categories.

\n