Four Questions That Protect Every Crypto Acquisition
This is the fifth and final article in a series that started with a simple observation: the wallet history of your M&A target is a public record, and most deal teams never look at it.
Over the past four articles, I’ve documented what that oversight produces in practice. A European payments firm inherited sanctioned entity exposure that cost $4.1 million and fourteen months of regulatory correspondence. Garantex processed $96 billion in cryptocurrency while serving every major ransomware group operating between 2019 and 2025 then rebuilt its infrastructure under a new name within weeks of a multinational law enforcement seizure. Cryptomixer laundered €1.3 billion in Bitcoin since 2016; law enforcement now holds 12 terabytes of transaction logs connecting every wallet that used it. Evita Pay moved $530 million through the U.S. financial system on behalf of sanctioned Russian banks while presenting fabricated compliance documentation to every financial institution it worked with. Paxful built a $500 million suspicious transaction portfolio by deliberately not implementing AML controls and marketing that absence to criminal clients.
In each case, the transaction behavior that documented the risk was publicly accessible on the blockchain before the enforcement action. In no case was it examined as part of routine due diligence.
This final article translates the enforcement record into a practical screening framework four questions that, answered at the blockchain level rather than the document level, determine whether a crypto-adjacent acquisition is safe to close.
The Framework: Four Questions, Four Screening Objectives
These four questions map directly to the core objectives of professional blockchain AML screening. They are not theoretical. Each one is anchored in a specific detection gap that the enforcement record documents.
Question 1: Who Has This Company Actually Transacted With?
Document review answers this question with counterparty names from invoices, contracts, and banking records. For crypto-adjacent businesses, that answer is frequently incomplete, fabricated, or structurally misleading. Evita Pay had clean invoices Gugnin whited out the Russian counterparty information on more than 80 of them. The actual counterparties were customers holding funds at PJSC Sberbank, PJSC VTB Bank, PJSC Sovcombank, and JSC Tinkoff Bank all OFAC-designated.
Blockchain screening answers this question from the transaction record directly. Every wallet address that sent funds to or received funds from the target company’s identified wallets is a counterparty. Those addresses are assessable against risk databases covering OFAC designations, darknet market-associated wallets, ransomware payment addresses, mixer output clusters, and high-risk exchange infrastructure.
The Garantex case establishes the scope of this question clearly. Per TRM Labs, over 70% of cryptocurrency volumes to and from sanctioned entities in the relevant period flowed through Garantex. Any crypto payment company operating in the Russian-adjacent or high-risk exchange ecosystem has a meaningful probability of Garantex-connected counterparty exposure. That exposure is traceable on-chain regardless of what invoices say.
What this question surfaces in practice: direct OFAC exposure, sanctioned jurisdiction counterparty concentration, darknet market or ransomware wallet relationships, and mixer output address receipts none of which appear in standard compliance documentation.
Question 2: What Do the Transfer Histories Actually Show?
This is the behavioral question. Transaction volume and counterparty diversity from financial statements are backward-looking summaries. The blockchain record is a timestamped, granular account of every individual transfer — amounts, timing, directionality, conversion patterns, and structuring indicators.
The Paxful enforcement action is the clearest documentation of why this question matters. FinCEN found that Paxful operated for years without an effective AML program, without a qualified compliance officer, without independent testing, and without SAR filings — while its transaction history showed flows from Iran, North Korea, Venezuela, ransomware actors, and Backpage.com. The company’s stated compliance posture and its actual transaction behavior were irreconcilable. Document review accessed the former. Behavioral analysis of the transaction record would have found the latter.
Specific behavioral indicators that this question identifies: transaction structuring below compliance thresholds (the Evita $1.9 million split), rapid USDT-to-fiat conversion inconsistent with normal payment processing, absence of return-flow patterns expected in legitimate merchant business, counterparty concentration in high-risk jurisdictions, and incoming flow profiles inconsistent with the stated customer base.
Per Chainalysis, stablecoins accounted for 84% of all illicit cryptocurrency transaction volume in 2025. For acquisition targets with significant USDT transaction history particularly on the Tron blockchain, which blockchain analytics firms identify as the preferred medium for underground economy settlements behavioral analysis of transfer history is the primary detection tool for illicit flow exposure.
Question 3: What Money Laundering Schemes and Patterns Are Present?
This question operates at the structural level. Individual transactions can be explainable in isolation; patterns across hundreds or thousands of transactions establish whether the business has been used as a laundering vehicle.
The four patterns documented in the previous article peeling chains, mixer reuse, stablecoin fast-conversion flows, and indirect sanctioned entity exposure — are the primary indicators blockchain screening examines at this level. Each has a forensic signature that is identifiable through transaction graph analysis regardless of the number of intermediate hops or the sophistication of the structuring.
The Chinese-language money laundering networks identified by Chainalysis as processing $16.1 billion in 2025 approximately $44 million per day provide a current-scale reference point for how this question applies to active acquisitions. These networks provide laundering-as-a-service through Telegram-based guarantee platforms, processing funds from organized crime, sanctioned state actors, and ransomware groups. Their on-chain behavioral fingerprints are identifiable: high-velocity USDT flows, consistent OTC broker routing, rapid clearing times averaging 1.6 minutes for certain service types per Q4 2025 Chainalysis data. Acquisition targets whose transaction histories show patterns consistent with these networks regardless of stated business purpose carry material laundering exposure.
The Cryptomixer seizure adds a specific current risk dimension to this question. The 12 terabytes of operational data seized from Cryptomixer in November 2025 includes transaction logs connecting mixer input to mixer output addresses. Law enforcement in multiple jurisdictions is working through that dataset. Any acquisition target whose wallets show Cryptomixer exposure is inside a live enforcement investigation’s evidence set.
Question 4: What Is the Risk of Post-Closing Fund Blocking and Operational Disruption?
This question converts the first three answers into business impact. Sanctions exposure, sanctioned entity counterparty relationships, and mixer-associated wallet histories don’t only create regulatory liability they create operational continuity risk that acquirers often discover only after closing disrupts revenue operations.
Major exchanges and payment gateways Coinbase, Binance, Kraken, and their counterparts maintain internal risk scoring systems that trigger account reviews, fund holds, and terminations when wallets with flagged exposure attempt to transact. The de-risking dynamic documented in the Coinbase Europe enforcement action operates in both directions: a platform that fails to screen its own transactions faces regulatory penalty, and a platform that identifies high-risk counterparties blocks or terminates those relationships. An acquisition target whose wallets carry elevated risk scores is operationally exposed to fund freezes and account terminations regardless of the acquirer’s own compliance posture.
Per the enforcement record, the Garantex/Grinex sanctions designations and the ongoing enforcement actions against their successor infrastructure create a specific current risk: any wallet that transacted with Garantex-connected addresses after the 2022 initial designation carries OFAC compliance exposure that banking partners will identify through their own screening processes post-closing. That exposure doesn’t disappear at signing.
The practical answer to this question requires understanding the target company’s exchange and gateway counterparty risk profiles not just which platforms they use, but how those platforms’ internal risk systems score the wallet addresses the target company has operated. This assessment is possible through blockchain analytics tooling and doesn’t require access to non-public platform data.
Applying the Framework: What This Looks Like in a Deal
In a Red Dog Security M&A engagement involving a crypto payment company, these four questions structure a distinct due diligence workstream that runs parallel to financial and legal review not as a replacement for traditional due diligence, but as an independent verification of what the blockchain record shows versus what the documents say.
The workstream begins with wallet identification: mapping all addresses associated with the target, including treasury wallets, customer-facing payment addresses, exchange accounts, and any smart contract addresses the company controls or has interacted with materially. This often surfaces wallets not disclosed in standard due diligence — particularly in companies that have restructured, rebranded, or operated under multiple entities.
From the identified wallet set, each of the four questions is addressed through transaction graph analysis, counterparty reputation scoring, behavioral pattern analysis, and exchange risk assessment. Findings are mapped against the deal’s specific risk tolerance and structured as a risk-stratified assessment not a binary clean/dirty verdict, but a prioritized picture of material exposures that M&A advisors can use to adjust deal terms, negotiate representations and warranties, require remediation escrow, or walk away.
The regulatory pressure that makes this framework urgent rather than optional is on an accelerating timeline. The EU AMLR, taking effect July 2027, extends AML obligations to crypto asset service providers across the bloc in ways that will materially affect the compliance posture of any EU-connected acquisition target. AMLA the new EU Anti-Money Laundering Authority begins directly supervising high-risk cross-border crypto firms in 2025-2026. The enforcement record from 2025 alone documents eight figures in regulatory penalties against platforms that failed to meet these standards.
The blockchain record of what a company actually did as opposed to what its compliance documentation says it did exists now. It will still exist after the deal closes. The only question is when it gets examined.
This concludes the Dirty Money, Clean Deals series on cryptocurrency due diligence for M&A professionals. The five-article arc covers AML screening methodology, the European enforcement record, the Evita Pay and Paxful cases, laundering typologies and patterns, and this practical screening framework.
Vorex Intelligence Group conducts AI-enhanced OSINT investigations for M&A due diligence, threat intelligence, and corporate security assessments. If you are evaluating a crypto-adjacent acquisition and want independent blockchain AML analysis as part of your due diligence process, contact us.