Stablecoin KYT: Why Single-Address Screening Is No Longer Enough

Stablecoin issuers and VASPs need ecosystem-level KYT that combines address screening, transaction monitoring, tracing, and auditable action.

May 26, 2026 · 11 min read

Stablecoins have moved from the edge of crypto markets into the core of on-chain payments, settlement, treasury movement, and cross-border value transfer. That shift changes what KYT has to do. A basic address blacklist can still stop known bad wallets, but it cannot explain how risk moves across counterparties, bridges, DEXs, issuers, VASPs, merchants, and unhosted wallets.

The core KYT question is no longer only: does this address have a risk label? It is: is the risk exposure of this fund flow visible, explainable, and actionable across the stablecoin ecosystem?

1. Stablecoins Are Payment Infrastructure, Not a Side Market

[Figure: Stablecoins are now payment infrastructure]

According to the DeFiLlama Stablecoins Dashboard, stablecoin supply was already above the hundreds-of-billions-of-dollars level when this article was prepared. USDT and USDC account for the dominant share. This means stablecoin risk monitoring is no longer only a back-office task for crypto exchanges. It now sits inside payment, settlement, cross-border treasury, and financial-institution risk management.

Visa Onchain Analytics also separates raw stablecoin transaction activity from adjusted and retail-sized flows. That design points to a practical compliance issue: raw on-chain volume contains bots, contract interactions, internal movements, and non-payment activity. If a compliance system only looks at the final address or the raw transaction amount, it can misread activity as legitimate economic flow, and it can also miss how illicit funds change shape across multiple hops.

FATF's work on stablecoins, unhosted wallets, peer-to-peer transactions, virtual assets, and VASPs makes the same operational point: AML/CFT controls must account for how these instruments are actually used. Stablecoins behave like payment instruments, but they also move like crypto assets. They can pass through regulated VASPs, unhosted wallets, DEXs, bridges, and high-risk services at high speed.

2. Why Single-Address Screening Is Not Enough

[Figure: Why address screening is not enough]

Single-address screening answers an important but narrow question: whether the queried address directly matches a known high-risk label, such as sanctions, hacking, scams, darkweb activity, or mixing services. This is necessary for pre-transaction controls, but it is not enough for stablecoin KYT.

Stablecoin laundering and sanctions-evasion paths often rely on intermediate wallets, rapid splitting, consolidation, DEX routing, bridge movement, and repeated small transfers. The final withdrawal address may look clean while the path, counterparty, or behavior reveals meaningful risk.

A stronger KYT program should therefore combine direct label hits, indirect exposure, counterparty context, source and destination exposure, transaction direction, behavioral monitoring, post-withdrawal alerts, and evidence for allow/block/delay/freeze/report decisions.

3. Stablecoin Risk Is a Flow Pattern

[Figure: Stablecoin laundering patterns are multi-stage]

The risk does not always sit at one address. In many cases, the risk appears as a flow pattern: funds enter a VASP or wallet, move through an intermediary layer, split across fresh addresses, pass through a bridge or DEX, and then consolidate or exit through another service.

| Stage | What KYT should see | Possible action |
|---|---|---|
| Onboarding | Customer, merchant, OTC desk, VASP, or institutional counterparty risk | Approve, reject, limit, or require enhanced due diligence |
| Pre-transaction | Destination address, direct label, indirect exposure, entity risk | Allow, block, delay, or force manual review |
| Transaction monitoring | Hash, direction, amount, counterparty, path changes | Trigger alert, create case, update customer risk |
| Investigation | Multi-hop path, timeline, counterparties, evidence | Freeze coordination, SAR/STR, law-enforcement support |
| Data integration | Labels, entities, typologies, risk scores, behavioral signals | Embed KYT into business systems and controls |

4. Issuers and VASPs Need a Shared Risk Language

[Figure: Issuer and VASP controls are different, but connected]

A stablecoin issuer and a VASP do not have the same job. The issuer may focus on minting, redemption, freeze/unfreeze decisions, sanctions exposure, and reserve trust. A VASP may focus on onboarding, deposit credibility, withdrawal approval, Travel Rule workflows, suspicious-activity reporting, counterparty risk, and ongoing customer monitoring.

The responsibilities differ, but the risk language must be shared. A usable KYT system needs to express findings in terms that can travel across teams: address profile, entity label, rule hit, source exposure, destination exposure, closest hop, counterparty, transaction direction, path, and recommended action.

OFAC's sanctions compliance guidance for the virtual currency industry emphasizes a risk-based sanctions compliance program, including management commitment, risk assessment, internal controls, testing/auditing, and training. The EBA's guidelines on information requirements for transfers of funds and crypto-assets bring similar operational pressure to VASP transfer workflows. For stablecoin businesses, these expectations converge on one question: can the institution explain what it saw before, during, and after a transaction, and what it did in response?

5. What Ecosystem-Level KYT Looks Like

Ecosystem-level KYT is not about blocking every transaction. It is about placing controls where the institution can make a defensible decision.

In ChainTrust's product workflow, the operating model can be split into five connected actions:

  • CT Assess supports due diligence for VASPs, merchants, OTC desks, partners, and institutional customers.
  • CT Check screens addresses and transactions before execution, returning address profiles, labels, rule hits, and risk exposure.
  • CT Monitor provides ongoing monitoring for deposits, withdrawals, existing addresses, transaction hashes, direction, counterparties, and behavioral changes.
  • CT Probe supports complex tracing, path expansion, graph investigation, timelines, counterparties, and report-ready evidence.
  • CT Data integrates labels, entities, typologies, risk scores, and behavioral signals into business systems through API or data feeds.

[Figure: How CT Probe turns a case into evidence]

A simple USDT withdrawal illustrates the difference. A shallow workflow asks only whether the withdrawal address is on a blacklist. An ecosystem-level workflow asks whether the address has indirect exposure to high-risk entities, whether the customer has recently changed behavior, whether the funds move quickly after withdrawal, and whether the path later touches a bridge, DEX, mixer, high-risk VASP, or consolidation wallet.

6. Case View: Bybit / TraderTraitor Address and CT Probe Workflow

In February 2025, the FBI's IC3 notice attributed the Bybit theft to North Korean TraderTraitor activity and published related indicators, including Ethereum addresses. ChainTrust's analysis workflow can treat the address as an investigation object and move from address screening to transaction monitoring and path tracing.

Example address:

```text
0x51E9d833Ecae4E8D9D8Be17300AEE6D3398C135D
```

CT Probe identified the address as associated with LAZARUS GROUP / Sanctioned Entity. The address profile showed approximately 10,143.004 ETH in three inflows and approximately 10,143.003 ETH across outgoing transactions, leaving only a negligible balance. This pattern indicates that nearly all funds moved onward and that downstream fan-out deserves immediate review.

The investigation then focuses on outgoing transactions, counterparty distribution, active time windows, high-value transfers, and possible downstream routing. CT Monitor can be used around specific transaction hashes to observe direction, output address, amount, and subsequent counterparty exposure. CT Probe can then organize the address, transaction, and counterparty relationships into a path graph, timeline, and evidence report.
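The pass-through and fan-out reading described above can be computed directly from an address's transfer list. This is an added example, not ChainTrust's code or product output: the function names, thresholds, placeholder addresses, timestamps and individual amounts are constructed, and only the inflow and outflow totals mirror the figures quoted in the text.

```python
from decimal import Decimal

# Constructed sample: (unix_time, sender, receiver, amount_eth). Times, counterparties
# and individual amounts are invented; only the in/out totals mirror the text above.
SUBJECT = "0xSUBJECT"
TRANSFERS = [
    (1000, "0xSRC_A", SUBJECT, "4000.000"),
    (1010, "0xSRC_A", SUBJECT, "4000.004"),
    (1020, "0xSRC_B", SUBJECT, "2143.000"),
    (1300, SUBJECT, "0xOUT_1", "3000.000"),
    (1310, SUBJECT, "0xOUT_2", "3000.000"),
    (1320, SUBJECT, "0xOUT_3", "2500.000"),
    (1600, SUBJECT, "0xOUT_4", "1643.003"),
]

def flow_profile(address, transfers=TRANSFERS):
    """Summarise what moved in and out of one address."""
    inflow = [t for t in transfers if t[2] == address]
    outflow = [t for t in transfers if t[1] == address]
    total_in = sum((Decimal(t[3]) for t in inflow), Decimal(0))
    total_out = sum((Decimal(t[3]) for t in outflow), Decimal(0))
    times = [t[0] for t in inflow + outflow]
    return {
        "inflow_count": len(inflow),
        "total_in": total_in,
        "total_out": total_out,
        "retained": total_in - total_out,
        "out_counterparties": sorted({t[2] for t in outflow}),
        "largest_out": max((Decimal(t[3]) for t in outflow), default=Decimal(0)),
        "active_window_s": max(times) - min(times) if times else 0,
    }

def review_flags(p, max_retained_ratio=Decimal("0.01"), min_fan_out=3):
    """Thresholds are assumptions; tune them to the institution's risk policy."""
    flags = []
    if p["total_in"] > 0 and p["retained"] / p["total_in"] <= max_retained_ratio:
        flags.append("pass_through")      # nearly everything received moved onward
    if len(p["out_counterparties"]) >= min_fan_out:
        flags.append("fan_out")           # downstream addresses to expand next
    return flags
```

Amounts are kept as `Decimal` so the retained balance is exact rather than a floating-point approximation.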

[Figure: CT Probe product output for the Bybit / TraderTraitor address]

Example transaction hash used for monitoring context:

```text
0x67aed7026235174aed195247ca66fdae4358f68e9e7adc128ed608dd69ac139e
```

The practical compliance value is not merely that a label exists. The value is that the institution can explain the sequence: what the address was, what rules were hit, how much value moved, where funds went, which counterparties mattered, and which action followed.

7. Six Metrics for Ecosystem-Level KYT

[Figure: Six metrics for ecosystem-level KYT]

A stablecoin KYT program should move from label matching to exposure management.

| Metric | Question | Why it matters |
|---|---|---|
| Direct hit | Is the address linked to sanctions, hacks, scams, mixers, or other high-risk labels? | Useful for real-time blocking, but limited to known risk. |
| Indirect exposure | Did funds touch high-risk entities within defined hop or value thresholds? | Stablecoin laundering often uses intermediate addresses to reduce visible risk. |
| Path risk | Did the flow pass through bridges, DEXs, aggregators, privacy tools, or high-risk services? | The path itself can be a method for hiding source, destination, or control. |
| Entity risk | Is the counterparty a high-risk VASP, OTC desk, merchant, or nested service? | This affects onboarding, limits, review, and exit decisions. |
| Behavioral anomaly | Is there splitting, consolidation, burst frequency, circular movement, or sudden behavior change? | New threats may appear in behavior before they appear in labels. |
| Disposition | Was the transaction allowed, blocked, delayed, frozen, escalated, or reported? | Auditable outcomes are the basis of defensible compliance. |

8. Five Recommendations for Stablecoin Issuers and VASPs

1. Do not equate KYT with address blacklists. Blacklists are a minimum control. A complete KYT program must handle indirect exposure, path changes, and entity networks.

2. Use different strategies for deposits and withdrawals. Deposit-side monitoring focuses on source of funds and account credibility. Withdrawal-side monitoring focuses on destination risk, limits, execution timing, and manual review.

3. Treat bridges and DEXs as context-changing nodes. A bridge or DEX is not automatically illicit, but it changes the asset, chain, visibility, and path context. Monitoring should preserve the relationship before and after that transition.

4. Recompute historical exposure when labels change. New sanctions, incidents, entities, or typologies can change the meaning of historical transactions. Ongoing monitoring should cover existing customers and historical addresses, not only new transactions.

5. Turn disposition evidence into a product workflow. Compliance teams do not only need a risk score. They need evidence that can be explained to management, auditors, regulators, banks, counterparties, or law enforcement.
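The direct-hit, indirect-exposure and path-risk metrics from section 7, together with recommendation 4 on recomputing exposure when labels change, shown as an added example that is not ChainTrust's code or API. It walks inbound transfers backwards, breadth-first, with hop and value thresholds; every address, label, amount and function name is constructed for illustration.

```python
from collections import deque

# Constructed sample data: addresses, labels and amounts are illustrative only.
LABELS = {"0xMIXER": "mixer"}                     # high-risk labels known today
CONTEXT = {"0xBRIDGE": "bridge", "0xDEX": "dex"}  # context-changing, not illicit
TRANSFERS = [                                     # (sender, receiver, USDT amount)
    ("0xMIXER", "0xHOP1", 900), ("0xHOP1", "0xBRIDGE", 900),
    ("0xBRIDGE", "0xHOP2", 890), ("0xHOP2", "0xDEPOSIT", 880),
    ("0xPAYROLL", "0xDEPOSIT", 1200),
    ("0xHACKER", "0xFRESH", 5000), ("0xFRESH", "0xCLEAN", 5000),
]

def _finding(label, path):
    if label is None:
        return {"label": None, "closest_hop": None, "path": [], "path_context": []}
    ordered = path[::-1]                          # read as source -> queried address
    return {"label": label, "closest_hop": len(path) - 1, "path": ordered,
            "path_context": [CONTEXT[a] for a in ordered if a in CONTEXT]}

def screen(address, labels, transfers=TRANSFERS, max_hops=4, min_value=100):
    """Source-side exposure: walk inbound transfers backwards from `address`."""
    if address in labels:                         # direct hit, hop 0
        return _finding(labels[address], [address])
    inbound = {}
    for src, dst, amount in transfers:
        if amount >= min_value:                   # value threshold drops dust
            inbound.setdefault(dst, []).append(src)
    queue, seen = deque([[address]]), {address}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:             # hop threshold reached
            continue
        for src in inbound.get(path[-1], []):
            if src in seen:
                continue
            seen.add(src)
            if src in labels:                     # BFS: first hit is the closest hop
                return _finding(labels[src], path + [src])
            queue.append(path + [src])
    return _finding(None, [address])

def rescreen(addresses, labels):
    """Recompute exposure for historical addresses against an updated label set."""
    return {a: screen(a, labels) for a in addresses}
```

With today's labels `0xCLEAN` screens clean; once `0xHACKER` is labelled, `rescreen` reports the same historical address as two hops from a hack.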

Conclusion

Stablecoins make on-chain funds faster, cheaper, and more global. They also make compliance risk easier to move across institutional boundaries. Single-address screening remains important, but it is only the entry point.

For issuers and VASPs, the next step is ecosystem-level KYT: understanding how funds move, where risk transforms, which nodes can act, and how every allow, block, delay, freeze, or report decision becomes explainable evidence.

The core question for stablecoin KYT is not whether one address is risky. The core question is whether the risk exposure of the fund flow is visible, explainable, and actionable across the ecosystem.
