What is AML in crypto — and why should you care?

AML stands for Anti-Money-Laundering. It is the set of rules and processes that financial institutions use to make sure the money flowing through them isn't the proceeds of crime, sanctions-evasion, or terrorism financing.

For decades, AML was a bank problem. Crypto changed that. In 2026, every centralised exchange, custodial wallet provider and most stablecoin issuers operate as a "Virtual Asset Service Provider" — a VASP — and they are subject to the same AML obligations as a high-street bank. Which means their problem is now your problem.

Why crypto AML became personal

Three things changed between 2018 and 2026:

1. FATF Travel Rule. The Financial Action Task Force extended AML information-sharing requirements to crypto in 2019. Today, when you send crypto to a regulated exchange, the sending VASP is required to share your identity with the receiving VASP.
2. MiCA in the EU. Markets in Crypto-Assets came into force in 2024–2025. It harmonised crypto AML across the EU and introduced consequences for failing to verify the source of funds — including, in some Member States, asset forfeiture.
3. Automated risk scoring. Tools like Chainalysis, TRM Labs, Elliptic and Scorechain made it cheap for exchanges to automatically score every deposit. What used to require an analyst now happens in 200ms.

The combined effect: an everyday user can run into AML walls without ever doing anything wrong. Accept payment from a freelance client who happened to use Tornado Cash for legitimate privacy, and your exchange may quietly freeze your deposit.

The three things AML systems actually do

From the user's perspective, AML in crypto boils down to three mechanisms:

1. KYC at the gate

"Know Your Customer." When you sign up for a regulated exchange, you submit ID, proof of address, and sometimes proof of income. This is the easy part — almost everyone has done it.

2. Transaction monitoring

The exchange watches every deposit and withdrawal you make. Each transaction is scored on its source-of-funds and counterparty exposure. Above a threshold — typically risk-score 60+ on the internal scale — the deposit is held for manual review.

3. Sanctions screening

Independent of risk score, addresses on OFAC SDN, EU consolidated, UN Security Council, and national lists are blocked at the protocol level. Some stablecoins (USDC, USDT) implement this in the token contract itself.

What a "risk score" means in plain words

When an exchange (or cryptoaml.cc) shows you a wallet score from 0 to 100, that number is summarising answers to questions like:

• Has this wallet ever received funds from a sanctioned address? How recently? How directly?
• Has it interacted with a known mixer? Was it depositing into the mixer or withdrawing?
• Has it received payments from ransomware victims?
• Have community reports flagged it as a scam wallet?
• Has any major exchange publicly frozen funds at this address?

Different services use different weights and thresholds, but the inputs are largely the same. A wallet with score 70 on one service will usually score 65–80 on another.

What this means in practice for everyday users

You don't need to become a compliance officer. You do need to develop one habit: check the wallet before crypto flows in either direction. The cost is thirty seconds. The benefit is avoiding any of the following scenarios:

• The freelancer scenario: Paid in ETH, deposited to Kraken, account restricted for 9 weeks while you produce invoices.
• The P2P seller scenario: Sold USDT on Binance P2P to a buyer whose wallet was later flagged. Binance reverses the trade, demands the USDT back.
• The accidental airdrop scenario: Received a "free" SPL token, signed an approve to inspect it, lost the contents of your wallet to a drainer kit.
• The legacy scenario: Withdrew BTC from Tornado Cash predecessor in 2020 for legitimate privacy. Deposited to a regulated exchange in 2026. Account locked until you produce a 2020 invoice you no longer have.

The most uncomfortable part of crypto AML in 2026 is that the rules apply retroactively. Your 2021 mixer interaction is your 2026 problem.

The honest path forward

Disclosure is your friend. If you have any concern about the cleanliness of funds — your own, or a counterparty's — the safest move is to ask your exchange before depositing. Compliance teams react well to upfront questions and react badly to surprises in their monitoring systems.

Beyond that:

• Run a check before every meaningful transaction. The cryptoaml.cc free checker takes ten seconds.
• Keep documentation — invoices, contracts, P2P chat screenshots — for every payment for at least 18 months.
• If you do P2P, use platforms with built-in dispute resolution (Binance P2P, OKX P2P, Bybit P2P). They are slower to side with you than you would like, but they at least have records.
• Don't try to "wash" tainted funds. The chain remembers. The system is getting better at reading the chain, not worse.

AML is not going away. It is becoming more granular, more automated, and more international. Your defence is not avoidance — it's a fifteen-second habit, repeated.