Overview
A financial intelligence unit receives a tip that a ransomware payment of 14 BTC has been split across three wallets and routed through a mixing service before being bridged to Ethereum and swapped on a decentralised exchange. Within minutes, an analyst opens the fund flow tracing module, seeds the investigation with the known originating address, and watches the full propagation path render as an interactive graph showing every hop, intermediate custodian, and final destination address, with entity labels drawn from blockchain attribution data.
Fund Flow Tracing provides deep visualisation and programmatic tracing of digital assets across complex on-chain topologies, including coin mixers, cross-chain bridges, and decentralised exchanges. It forms the backbone of Anti-Money Laundering (AML) detection by identifying obfuscation patterns, clustering related addresses into real-world entities where attribution is available, and generating compliance-ready Suspicious Activity Reports (SARs) directly from investigation findings.
Key Features
- Multi-hop transaction tracing: Follows fund movements across an arbitrary number of wallet hops on Bitcoin, Ethereum, and other supported chains, maintaining a complete provenance graph for each asset unit traced.
- Mixer and bridge demixing: Applies common-input ownership heuristics, peel-chain analysis, and lock-and-mint event correlation to pierce common obfuscation techniques and re-associate funds with their origin cluster.
- DEX trade reconstruction: Reconstructs token swaps and liquidity-pool interactions on decentralised exchanges to maintain tracing continuity when assets change form or chain.
- Entity attribution and clustering: Groups addresses into named entities (exchanges, custodians, sanctioned services) using open attribution datasets and analyst-contributed labels, reducing graph complexity for investigators.
- Automated SAR generation: Produces draft Suspicious Activity Reports populated with transaction evidence, risk scoring, and entity context, ready for analyst review and submission to financial intelligence units.
- Configurable risk scoring: Allows compliance teams to define threshold rules based on exposure to high-risk entity categories, transaction velocity, and geographic jurisdiction, triggering automated alerts without manual triage.
- Visual graph analysis: Renders the full fund-flow graph interactively, enabling analysts to expand or collapse subgraphs, filter by asset type or time window, and annotate nodes with case metadata.
- Audit-ready evidence packaging: Every investigative session produces a timestamped, tamper-evident export containing the graph snapshot, supporting on-chain data references, and analyst notes for court or regulatory submission.
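An added example (not the product's own code) of two heuristics named in the list above, common-input ownership clustering and peel-chain following, run over constructed UTXO-style transactions. The transaction layout, addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data), UTXO-style:
# input addresses and (address, amount) outputs.
TXS = [
    {"id": "t1", "inputs": ["A1", "A2"], "outputs": [("B1", 9.0), ("A3", 5.0)]},
    {"id": "t2", "inputs": ["A2", "A3"], "outputs": [("C1", 4.5)]},
    {"id": "t3", "inputs": ["B1"], "outputs": [("D1", 1.0), ("B2", 8.0)]},
    {"id": "t4", "inputs": ["B2"], "outputs": [("D2", 1.0), ("B3", 7.0)]},
    {"id": "t5", "inputs": ["B3"], "outputs": [("E1", 7.0)]},
]

def cluster_addresses(txs):
    """Common-input ownership: addresses co-spent in one transaction are
    merged (transitively) into one cluster. Returns address -> cluster."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for tx in txs:
        for a in tx["inputs"]:
            parent[find(a)] = find(tx["inputs"][0])  # union with first input
        for addr, _ in tx["outputs"]:
            find(addr)  # register outputs as singleton clusters
    groups = defaultdict(set)
    for a in list(parent):
        groups[find(a)].add(a)
    return {a: frozenset(g) for g in groups.values() for a in g}

def follow_peel_chain(txs, start):
    """Peel chain: one input, two outputs, the larger output is the
    remainder that is spent again. Returns (peeled outputs, last address)."""
    spent_by = {tx["inputs"][0]: tx for tx in txs if len(tx["inputs"]) == 1}
    peels, addr, seen = [], start, set()
    while addr in spent_by and addr not in seen:
        seen.add(addr)
        outs = sorted(spent_by[addr]["outputs"], key=lambda o: o[1])
        if len(outs) != 2:
            break  # not a peel step: chain ends here
        peels.append(outs[0])  # smaller output is the peeled payment
        addr = outs[1][0]      # larger output carries the remainder
    return peels, addr
```

CoinJoin-style transactions deliberately combine inputs from unrelated owners, so they need to be excluded before clustering or the heuristic will merge unrelated entities.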
Use Cases
- Ransomware payment tracking: Trace ransomware proceeds from the initial extortion wallet through mixing and bridge layers to identify cash-out points and linked exchange accounts for law enforcement referral.
- AML compliance monitoring: Financial institutions and virtual asset service providers (VASPs) use continuous fund flow monitoring to meet Travel Rule obligations and detect layering activity in near real time.
- Sanctions screening: Screen incoming and outgoing transactions for exposure to addresses or entities listed under OFAC, EU, or UN sanctions programmes, with automatic blocking recommendations.
- Investigative journalism and OSINT: Journalists and open-source intelligence analysts trace publicly visible on-chain flows to document illicit financial networks without requiring privileged data access.
- Post-incident forensics: Following a protocol exploit or exchange breach, security teams reconstruct the attacker's withdrawal and laundering path to support recovery efforts and insurance claims.
- Regulatory examination support: Compliance officers produce structured evidence packages showing an institution's AML monitoring coverage and investigation history for prudential regulators and auditors.
Integration
Fund Flow Tracing connects to a graph database (Neo4j) for efficient multi-hop traversal and entity clustering, while all primary transaction records and investigation case data are persisted in PostgreSQL as the authoritative source of truth. On-chain data is ingested through configurable blockchain node connectors and enriched with attribution feeds in real time. Investigation findings and SAR drafts are exported in standard formats compatible with national financial intelligence unit reporting portals and existing compliance management systems, and the module exposes a GraphQL API so that other platform capabilities, such as the communications intelligence and identity resolution modules, can contribute corroborating evidence to open investigations.
Open Standards
- FATF Recommendation 16 (Travel Rule): The module captures originator and beneficiary information for virtual asset transfers in a format aligned with Financial Action Task Force Travel Rule requirements, supporting VASP-to-VASP data sharing obligations.
- FinCEN SAR XML Schema: Automated SAR drafts are structured to conform to the US Financial Crimes Enforcement Network SAR electronic filing schema, reducing manual reformatting before submission.
- ISO 20022: Where cross-border payment messaging context is available alongside on-chain evidence, transaction metadata is normalised to ISO 20022 data elements to facilitate correlation with traditional wire transfer records.
- GraphML: Investigation graphs are exportable as GraphML, an open XML-based format, allowing analysts to load fund flow data into third-party graph analysis tools such as Gephi or yEd.
- W3C Verifiable Credentials: Evidence packages supporting chain-of-custody requirements can be issued as W3C Verifiable Credentials, providing a cryptographically verifiable attestation of the data's integrity and provenance.
- OASIS STIX 2.1: Threat intelligence derived from fund flow investigations, such as identified mixer addresses or sanctioned entity wallets, can be shared with partner organisations in STIX 2.1 format over TAXII feeds.
- ISO/IEC 27001: The module's data handling, access control, and audit logging practices are aligned with ISO/IEC 27001 information security management requirements, supporting certification audits.
Availability
- Enterprise Plan: Included
- Professional Plan: Available with on-chain data volume limits; automated SAR generation and law enforcement gateway export require an Enterprise plan upgrade.
Last Reviewed: 2026-05-26