SlowMist: How to Evaluate the Effectiveness of Crypto AML Tools

9 min read · Apr 2, 2026

In recent years, the core challenges faced by Virtual Asset Service Providers (VASPs) in the Anti-Money Laundering (AML) domain have quietly shifted.

In the early days, the industry focused more on “whether AML capabilities had been deployed.” Now, a more practical question has emerged — whether these capabilities have truly met standards acceptable to regulators.

Over the past year, this shift has become more evident. Multiple enforcement cases have conveyed the same signal: under a results-oriented enforcement framework, “having invested but achieving insufficient outcomes” is not strictly distinguished from “having taken no action” in terms of accountability.

In other words, regulators are not concerned with whether you “have done something,” but rather whether you “have done it effectively.”

This also means that evaluating AML tools is no longer just a comparison of features, but must return to a more fundamental question: can these tools identify risks in real on-chain environments?

Based on this, this article will analyze the reasons behind differences in risk assessments across AML vendor systems, and introduce a standardized evaluation methodology to help VASPs conduct independent testing and select suitable vendors.

Risks Beyond the List

In many compliance processes, sanctions lists and blacklist screening remain foundational capabilities. However, if evaluation stops at this level, it can easily create the illusion that “the system already covers risks.”

Taking OFAC as an example, its public lists are essentially a collection of “confirmed risks,” but real-world risks extend far beyond that. A large number of addresses not included in these lists may still be associated with sanctioned entities through control relationships or fund flows.

If a tool can only identify “already-labeled risks,” its practical value in real business scenarios is limited. The more critical question is whether it can identify risks that have not yet been included in sanctions lists.

Why Results Differ

In actual vendor selection processes, a very common phenomenon is:

The same address may receive completely different risk assessments across different AML vendor systems.

Such differences are usually not accidental, but stem from underlying capabilities — where the data comes from, whether it is updated in a timely manner, how labels are generated, how risk is calculated by models, and whether the system has the ability to analyze and trace fund flows.

When these factors vary, the risk assessments presented to users will naturally differ. The problem is that, in the absence of a unified evaluation methodology, these differences are difficult to identify through product demos or feature lists. What you see are feature descriptions, not actual effectiveness.

It is precisely based on this practical issue that SlowMist, drawing on long-term threat intelligence accumulation and AML tracking experience, has compiled the Crypto AML Vendor Evaluation Checklist & Implementation Guide. This guide references regulatory requirements from FATF, the Wolfsberg Group, as well as FinCEN, HKMA, and MAS, and attempts to provide an evaluation methodology that both aligns with regulatory logic and can be practically implemented.

This article provides a brief overview of the evaluation approach. The complete implementation method can be obtained via the following link:

https://github.com/slowmist/crypto-aml-vendor-evaluation

Validate Capabilities Through Real Testing

When selecting AML tools, many teams stop at two stages: watching demos or comparing feature lists. The problem is that these approaches often showcase the product’s “upper limit,” rather than its performance in real-world environments.

In actual AML scenarios, what truly impacts judgment are more detailed yet critical factors: whether the data is sufficiently up-to-date and comprehensive, whether labels are continuously updated, whether risk can propagate along fund flows, and whether the model remains stable in complex scenarios.

These issues are difficult to evaluate accurately without testing.

In past security analyses, we have repeatedly observed a situation where certain addresses do not appear on any public sanctions lists, yet their fund flows are already clearly associated with high-risk entities. In some systems, such addresses are still labeled as “low risk.” From a system perspective, everything appears normal; but from a risk perspective, critical issues have already been overlooked.

This is why relying solely on list-based detection is no longer sufficient to meet current compliance requirements. What truly needs to be validated is whether the tool can identify related addresses, reconstruct fund flows, and assess multi-hop indirect risks.

Based on these observations, the core idea of this guide is actually very simple: use data to “reverse-engineer” the true capabilities of a tool. By conducting standardized testing on vendors, the selection process — traditionally dependent on subjective judgment — can be transformed into a quantifiable decision-making process. You can prepare a small set of addresses, for example 20 to 50, covering three types: known high-risk addresses, clearly safe addresses, and gray-area addresses in between. Then input these addresses into different AML systems and record the risk assessments produced by each system.

After completing this round, several intuitive differences will usually emerge: which high-risk addresses were not identified, which normal addresses were falsely flagged, and whether the risk stratification of gray-area addresses is reasonable across different systems.
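The comparison described above can be scripted. The following is an added example, not taken from SlowMist's guide. The addresses, vendor names, risk levels and the rule that only a "high" result counts as flagged are all constructed assumptions.

```python
from collections import Counter

# Constructed test set: placeholder addresses labelled by the evaluator.
GROUND_TRUTH = {
    "addr_high_01": "high", "addr_high_02": "high", "addr_high_03": "high",
    "addr_safe_01": "safe", "addr_safe_02": "safe", "addr_safe_03": "safe",
    "addr_gray_01": "gray", "addr_gray_02": "gray",
}

# Constructed results: the level each hypothetical vendor returned per address.
VENDOR_RESULTS = {
    "vendor_a": {"addr_high_01": "high", "addr_high_02": "high", "addr_high_03": "low",
                 "addr_safe_01": "low", "addr_safe_02": "low", "addr_safe_03": "low",
                 "addr_gray_01": "medium", "addr_gray_02": "high"},
    "vendor_b": {"addr_high_01": "high", "addr_high_02": "low", "addr_high_03": "low",
                 "addr_safe_01": "high", "addr_safe_02": "low", "addr_safe_03": "low",
                 "addr_gray_01": "low", "addr_gray_02": "low"},
}

def evaluate(results, truth=GROUND_TRUTH, flagged=("high",)):
    """Score one vendor; a missing result counts as 'not flagged'."""
    missed, false_flags, gray = [], [], Counter()
    totals = Counter(truth.values())
    for addr, label in truth.items():
        level = results.get(addr, "no_result")
        if label == "high" and level not in flagged:
            missed.append(addr)          # known high-risk address not identified
        elif label == "safe" and level in flagged:
            false_flags.append(addr)     # normal address falsely flagged
        elif label == "gray":
            gray[level] += 1             # how gray-area addresses are stratified
    return {
        "missed_high_risk": missed,
        "false_flags": false_flags,
        "detection_rate": 1 - len(missed) / max(totals["high"], 1),
        "false_positive_rate": len(false_flags) / max(totals["safe"], 1),
        "gray_distribution": dict(gray),
    }

def gray_disagreements(vendor_results, truth=GROUND_TRUTH):
    """Gray-area addresses on which the vendors returned different levels."""
    gray = [a for a, label in truth.items() if label == "gray"]
    levels = {a: {v: r.get(a, "no_result") for v, r in vendor_results.items()} for a in gray}
    return {a: lv for a, lv in levels.items() if len(set(lv.values())) > 1}

if __name__ == "__main__":
    for vendor, results in VENDOR_RESULTS.items():
        print(vendor, evaluate(results))
    print("gray disagreements:", gray_disagreements(VENDOR_RESULTS))
```

Gray-area addresses have no single correct answer, so the script reports their distribution and cross-vendor disagreement for manual review instead of scoring them.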

If you want to further validate the tool’s performance in real environments, you can simulate typical on-chain transaction behaviors, such as deliberately structured transfers that split amounts, interactions with mixing contracts, or fund flows that pass through multiple hops before reaching a target address. By observing alert delays, whether risk propagates along transaction paths, whether rules support flexible configuration, and the response speed and stability of APIs, you can directly assess the tool’s practical effectiveness.

After completing the tests, you can score the tools based on the following evaluation dimensions:

Scorecard Example

In addition, to lower the barrier to execution, we have organized the entire testing process into a set of ready-to-use AI prompts.

Simply select addresses from the reference dataset in the Crypto AML Vendor Evaluation Checklist & Implementation Guide, or follow the steps in the SlowMist AI-Assisted AML Vendor Evaluation (Step-by-Step Guide) to have AI generate addresses. Then copy the prompts from the guide and provide the addresses along with query results from each system to an AI (such as Gemini), and the subsequent steps can be completed automatically: including data organization, result comparison, key metric calculation, and basic evaluation conclusions.

For the complete steps, please refer to:

Conclusion

Within the same evaluation framework, differences among AML tools typically concentrate on data quality, feature completeness, usability, technical performance, cost, and service support.

Based on long-term security research and threat intelligence accumulation, SlowMist KYT has carried out targeted optimizations in these areas, including multi-chain risk label coverage, a risk calculation method based on fund contribution, multi-layer on-chain path analysis capabilities, as well as continuous monitoring and automated historical data re-screening mechanisms. At the same time, on the compliance side, it supports STR report generation and audit trail retention to meet regulatory requirements for traceability.

If you would like a more intuitive understanding of these capabilities, you can visit: https://kyt.slowmist.com/get-started.html and fill out the form to apply for a free trial and demo, or contact: kyt@slowmist.com

Limited-time offer: Until December 2026, enjoy a 20% discount on SlowMist KYT purchases.

About SlowMist’s AML Capability Framework

Leveraging SlowMist’s years of deep expertise in blockchain ecosystem security and threat intelligence, SlowMist has built an industry-leading cryptocurrency AML and compliance framework. In response to increasingly stringent global regulatory environments and complex on-chain money laundering techniques, this framework provides integrated solutions covering pre-event, in-event, and post-event stages through its two core products — the SlowMist AML tracking system MistTrack and the professional, real-time AML engine SlowMist KYT designed for institutional compliance teams. These solutions serve global exchanges, financial institutions, regulatory bodies, and individual users, helping them achieve identifiable, controllable, and traceable risks in complex and ever-changing on-chain environments.

As a powerful on-chain data analysis tool, MistTrack focuses on fund tracking, address investigation, and label identification. The platform provides a scientific risk scoring algorithm and comprehensive address overviews. Through rich address labels, counterparty and behavioral analysis, and address footprint profiling — combined with powerful visual transaction graphs — it helps users accurately identify complex on-chain fund flows. At the same time, MistTrack supports KYT/KYA analysis, proactive monitoring and alerting, and convenient API integration, meeting users’ fundamental needs for on-chain fund investigation and AML.

To meet the more advanced compliance auditing and risk analysis needs of institutional users, the new SlowMist KYT enhances KYT/KYA risk screening by leveraging SlowMist’s extensive and dynamically updated AML database to conduct deep risk analysis across up to ten layers. It accurately identifies sanctioned entities or high-risk sources such as the dark web, and utilizes visualized relationship linkages to enable fund network analysis. It supports highly flexible risk rule configuration, allowing screening parameters to be adapted to different jurisdictions as needed, providing full control over risk scoring logic. Through continuous monitoring and automated backtracking, it precisely captures changes in risk exposure and automatically generates time-series STR reports, meeting “auditable and traceable” compliance standards. Its built-in alert engine and case management module support customizable real-time alert thresholds to filter noise and can automatically trigger risk tickets. From risk identification and tracking investigation to case handling, SlowMist KYT truly achieves a complete closed-loop for compliance operations.

Against the backdrop of increasingly stringent global regulations and continuously evolving on-chain risks, the SlowMist AML team is committed to driving compliance capability upgrades through technology — transforming complex on-chain behaviors into clear and reliable risk insights, continuously providing the industry with professional and dependable security and compliance infrastructure, and helping to build a more transparent, secure, and sustainable blockchain ecosystem.

About SlowMist

SlowMist is a threat intelligence firm focused on blockchain security, established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.