Multi-Hop Transactions in Cryptocurrency: The Compliance Risks Associated with Indirect Exposure

      Public blockchains function as permissionless networks, enabling anyone to send digital assets to any address at any time. This open architecture presents a significant technical challenge for compliance teams monitoring the movement of funds, as digital assets rarely travel in linear paths. They frequently pass through several intermediate wallets before reaching their final destination. This multi-hop characteristic distinguishes blockchain compliance from traditional banking, where every transfer mandates prior institutional approval.

      To grasp how sanctions enforcement operates within the cryptocurrency space, it is essential to consider this indirect exposure. Recent reports have claimed that Binance facilitated $1.7 billion in transactions linked to sanctioned Iranian entities, underscoring a more extensive issue: traditional financial regulations do not account for the technical realities of decentralized networks and contemporary crypto platforms. Consequently, new regulatory, legal, and compliance frameworks must be established to address the evolving nature of financial transactions.

      Understanding Multi-Hop Transactions

      In conventional finance, a bank transfer proceeds directly from sender to recipient. Conversely, blockchain transfers function differently. Typically, funds move from an initial wallet through a series of intermediate addresses before arriving at their final destination. Astra Cai, the Global Head of Sanctions at Binance, elaborates on this operational reality, stating, “Blockchain transactions usually involve multiple hops. What does multi-hop mean? It implies that there are numerous steps… all these intermediate wallets are not sanctioned wallets at the time of the transactions.”

      This creates a scenario known as three degrees of separation. An exchange might accept a deposit from an intermediate wallet that appears entirely compliant. Only after the funds have completed their multi-step journey does law enforcement identify the ultimate receiving wallet as a sanctioned entity. At the precise moment the exchange processed the intermediate transfer, standard on-chain surveillance tools failed to flag any of those middle addresses.

      This situation lies at the heart of recent allegations against Binance, which suggested that the exchange permitted Iran-backed terrorism groups to funnel money through its platform and subsequently dismissed compliance officers who identified the transactions. Binance contends that their internal assessments found no evidence of users directly engaging in transactions with sanctioned parties. The exposure was entirely indirect, as the funds traversed several unrelated wallets before reaching a destination that authorities later classified as restricted.

      During a recent appearance on The David Lin Report, Binance Chief Compliance Officer Noah Perlman stated, “The notion that we would terminate employees for raising concerns is simply absurd, as demonstrated by the fact that the investigation persisted, the relevant accounts were removed, and appropriate reporting was conducted.”

      The Challenges of Real-Time Sanctions Screening

      The primary compliance gap arises from the timing of sanctions designations. Sanction lists are inherently historical. Government authorities typically designate wallets long after identifying problematic behavioral patterns. Cryptocurrency platforms screen transactions against the regulatory lists currently available at the exact moment a transfer occurs. If an address gets added to a sanctions list after funds have already passed through it, the earlier transfers were not regulatory violations at the time they occurred.

      “We can only act on the information we have. We cannot take proactive measures if wallets have not yet been sanctioned. If they are sanctioned after the fact, we can respond to that, but we cannot be held accountable for blocking funds to wallets that were not sanctioned at the time,” Perlman explained.

      In the recent cases involving alleged Iranian exposure, reports indicate that none of the users in question appeared on sanctions lists while they were active on the platform. Even with advanced blockchain analytics tools, compliance teams are unable to predict which seemingly random alphanumeric addresses will be flagged by US authorities months later.

      The Reasons Exchanges Depend on Post-Receipt Controls

      Since blockchain networks are completely permissionless, digital assets arrive in exchange deposit addresses without any pre-approval process. This technical framework means that risk exposure cannot be minimized to zero on any centralized trading platform. Therefore, instead of attempting to block every incoming transfer, major exchanges must utilize extensive post-receipt controls. This entails employing robust on-chain monitoring systems, continuous screening, and thorough post-receipt investigations.

      The operational response is initiated when a compliance department receives credible intelligence concerning suspicious transaction patterns. The platform conducts an investigation, offboards questionable accounts, mitigates further exposure, and reports the findings to the relevant authorities. Binance employs over 1,500 compliance staff globally to manage this workload.

      When appropriately implemented, these retrospective mitigation strategies are highly effective, as indicated by recent data. Binance announced a 96.8% decrease in its sanctions-related exposure from early 2024 to mid-2025. The exchange also processed upwards of 71,000 law enforcement requests and assisted authorities in seizing over $131 million in illicit funds throughout 2025.

      The true metric of a successful compliance program is not the total absence of risk but rather the promptness and thoroughness of the response once new threat information becomes available.

      Connecting Traditional Sanctions Frameworks with Blockchain Reality

      Multi-hop transactions pose a fundamental technical challenge that necessitates regulators to reassess traditional enforcement mechanisms. The standard measure of corporate compliance needs to evolve from demanding absolute prevention to evaluating the robustness of a platform’s detection