The Cat-and-Mouse Dilemma of VASPs Under Compliance Pressure

13 min read Mar 13, 2026

Background

Over the past few years, Virtual Asset Service Providers (VASPs) have repeatedly been reminded that Anti-Money Laundering (AML) and Know Your Transaction (KYT) monitoring are not “compliance bonuses,” but the baseline for survival and continued operation. In 2025, several leading or well-known platforms were heavily fined for insufficient AML compliance:

BitMEX was fined $100 million by the United States Department of Justice for violating the Bank Secrecy Act due to failing to establish, implement, and maintain an adequate and effective AML and Know Your Customer (KYC) program;
OKX was fined over $504 million by the United States Department of Justice for failing to implement sufficient KYC and transaction monitoring, allowing illicit funds to flow through the platform;
Paxos was fined $26.5 million by the New York State Department of Financial Services due to systemic deficiencies in its AML framework;
Coinbase Europe was fined €21.46 million after being accused of failing to effectively monitor approximately 30 million transactions between 2021 and 2025, resulting in illicit fund flows;
KuCoin was fined CAD 19.5 million by the Financial Transactions and Reports Analysis Centre of Canada for AML compliance failures. The exchange operated in Canada as an unregistered foreign money services business, failed to report large virtual currency transactions, and did not retain required records.

These cases are not isolated incidents. Together, they point to several clear characteristics of current AML enforcement.

1. Enforcement Measures Are No Longer Limited to “Fines”

Regulatory measures in 2025 have gone beyond the single dimension of administrative fines. Platforms may also face asset freezes or confiscation, criminal charges, business bans, or even direct disconnection from the global financial system.

Infrastructure Seizures: Garantex had its servers shut down and faced criminal charges in a joint operation by the United States and Europe.
Comprehensive Sanctions and Blacklisting: Payeer was placed on the EU sanctions list, prohibiting any entity within the European Union from transacting with it.
Operational Bans: India directly blocked more than 20 platforms, including BingX, LBank, and Poloniex.

For VASPs, the impact of these measures often far exceeds the fines themselves and may even directly terminate business operations.

2. Joint Enforcement Is Becoming the New Normal

The “2024–2025 Anti-Money Laundering and Counter-Terrorist Financing Threat Report” released by Tracfin notes that AML and counter-terrorist financing efforts operate in a constantly evolving environment. New technologies and financial products continue to emerge, financial crimes take diverse forms, and illicit fund flows are not restricted by industry or geography. Crypto assets are no longer a new phenomenon; they have become deeply integrated into illicit financial networks. Blockchain technology has both become a frequent medium for fraud and a tool for evading international and European sanctions and laundering money.

Against this backdrop, the regulatory model in which each jurisdiction acts independently has become increasingly ineffective. From the joint enforcement operation involving the United States, Europe, and Finland in the case of Garantex, to coordinated crackdowns across multiple countries on sanction evasion related to Russia, a clear trend is emerging: AML enforcement is shifting from territorial regulation toward cross-jurisdictional collaborative governance.

Joint enforcement is no longer an ad hoc response but is becoming a normalized practice. This also signals that global crypto compliance is accelerating toward a more unified and auditable regulatory phase.

3. Historical Compliance Issues Are Being Settled

A series of fines issued in 2025 also send another signal: regulatory enforcement has strong retroactive reach. Even if the issues occurred years ago, once they are identified as systemic compliance failures, they may still lead to concentrated accountability today. Compliance costs saved earlier will likely have to be repaid later in fines that are ten or even a hundred times higher.

In January and February 2025, BitMEX and OKX faced penalties of $100 million and $504 million respectively. The United States Department of Justice explicitly stated in its announcement that these penalties targeted their long-term failure to implement effective AML and KYC systems.
In November 2025, Coinbase Europe was fined €21.46 million by the Central Bank of Ireland for failing to effectively monitor approximately 30 million transactions between 2021 and 2025.

The Cat-and-Mouse Dilemma

In practice, the problem often does not lie in whether AML measures exist, but in the fact that they exist, yet fail to meet the standards recognized by regulators. Under a results-oriented enforcement logic, “effort but ineffective” and “not done at all” are often treated almost the same in terms of accountability. This is precisely the root of the cat-and-mouse dilemma many VASPs find themselves trapped in. This dilemma is the result of multiple overlapping factors.

1. Fragmented Standards

AML requirements vary significantly across jurisdictions. Major differences exist in areas such as:

Thresholds for identifying suspicious transactions
Reporting timelines and formats for STRs / SARs
Risk classification methodologies and scoring logic
Required KYT coverage depth and tracing levels

This means that for VASPs operating across borders, a platform may be considered compliant in jurisdiction A yet still be deemed regulatorily insufficient in jurisdiction B.

Moreover, different KYT tools vary in intelligence sources (including regional coverage and depth of cooperation with law enforcement), risk models, coverage scope, and risk determination thresholds (conservative vs. aggressive).

“Why does the same address or transaction carry different risk levels across different KYT tools?” This is one of the most common questions users ask when adopting a new KYT system.

2. List Screening — Necessary but Not Sufficient

Taking the sanctions system of the Office of Foreign Assets Control as an example, since 2018 more than 1,200 crypto addresses linked to hacker groups, money-laundering networks, and drug-related crimes have been added to the Specially Designated Nationals List. However, OFAC has also made it clear that this list represents only a portion of identified risks, not a complete map of risk exposure.

In other words, a company’s compliance obligation is not merely to avoid addresses on the list, but also to identify and avoid addresses that are not listed yet are effectively controlled by sanctioned entities.

Under such requirements, relying solely on static list screening clearly cannot meet compliance expectations.

3. Structural Risks of Stablecoins

The structural characteristics of stablecoins further amplify the passive position of VASPs in AML enforcement. The CEO of Tether once stated that the company proactively freezes hundreds of millions of dollars in suspicious Tether every day, and has cooperated with more than 80 law-enforcement agencies worldwide, freezing more addresses than any other crypto company. However, on-chain analytics data shows that fewer than 8% of frozen addresses ultimately lead to arrests, while the amount of funds laundered through USDT in 2025 increased by roughly 220% year-over-year, far outpacing the growth in frozen assets.

This is not simply a matter of insufficient enforcement. Rather, the efficiency advantages of stablecoins are continuously widening the speed gap between regulators and illicit actors. Compared with traditional methods of moving and hiding wealth — such as diamonds, gold, or artwork — which involve high transportation costs, long liquidation cycles, and significant cross-border risks, stablecoins offer price stability, strong liquidity, and nearly frictionless cross-border transfer. This enables illicit funds to complete multiple rounds of transfers, splitting, and re-aggregation within extremely short timeframes.

As a result, regulation and compliance efforts often only take effect after funds have already moved, typically at the stage of post-incident freezing, while illicit actors have long completed asset substitution and risk transfer. For VASPs, even with continuous investment in KYT systems and active cooperation with law enforcement, it remains difficult to truly “catch the mouse” in terms of speed and structural dynamics. Under a results-oriented regulatory framework, this “one-step-behind” reality — driven by tooling and systemic limitations — may still ultimately be judged as compliance failure.

4. AML Has Significant Professional Barriers

Many teams underestimate the professional complexity of AML in the virtual asset sector. AML is often mistakenly viewed as simply using a KYT tool to check risk, while in reality it is an ongoing compliance system that must operate continuously. Even when KYT tools are deployed, significant weaknesses can remain.

The first issue is under-reporting risk. Research from MetaComp shows that when the risk threshold is set to “medium-high risk and above,” relying on a single KYT tool can result in a false-negative rate of up to 24.55%, whereas cross-verification using three different KYT tools can reduce that rate to below 0.1%. This implies that achieving identification levels acceptable to regulators often requires substantially higher technological and operational costs.

The second issue is insufficient processes and experience. In practice, many teams lack clear and executable SOPs regarding when to report, how to report, and to whom to report. Different jurisdictions impose varying definitions, triggering conditions, and deadlines for SAR / STR filings. Without experienced compliance officers, it is easy to encounter situations where reports that should have been filed are not filed, or are filed too late. Under results-oriented enforcement logic, such deviations are rarely treated as operational mistakes — they are instead directly regarded as compliance failures.

5. Cost Reality: The Mouse Runs Fast While the Cat Is Weighed Down

When a system identifies potential sanctions-related risk signals, whether an institution possesses mature investigative capabilities often determines whether those risks can be identified in a timely manner and handled appropriately.

In real-world operations, compliance teams frequently encounter a series of “red flags” that warrant attention. For example, customers may conduct indirect transactions through multi-hop paths with exchanges located in sanctioned regions; customers may frequently transact with entities in countries believed to be involved in sanctions evasion activities; or customers may repeatedly move funds through exchange services located in high-risk jurisdictions that do not require KYC identity verification.

These signals do not necessarily indicate violations directly, but they often suggest that the compliance team needs to conduct further investigation. In sanctions-related cases, even if there are only multi-layered and seemingly distant fund connections between a customer and a sanctioned party, it may still lead to serious compliance consequences. Therefore, once such risk signals are identified, institutions must possess the capability to conduct in-depth investigations into customer activities, ensuring that potential risks can be fully identified and assessed. At the same time, when clear risk hits are discovered during investigations, institutions must also have clear internal reporting mechanisms in place so that risks can be promptly escalated to higher-level decision-making or compliance departments. Ultimately, investigation results should form structured and comprehensive reports, which can be provided to regulators, law enforcement agencies, or other relevant parties when necessary.

An AML framework considered acceptable by regulators typically requires:

Dedicated compliance and investigation teams
24/7 transaction monitoring
Cross-use of multiple KYT tools
Clear internal reporting, review, and record-keeping processes
Continuously updated rules, models, and strategies

For small and medium-sized VASPs or early-stage Web3 teams, this often means multiplying the costs of both personnel and technology.

AML Compliance Tools

Whether it is fragmented standards, the structural risks of stablecoins, or the continuous evolution of illicit techniques, the core challenge facing VASPs is not only whether they value compliance, but also whether they possess identification and response capabilities that match the complexity of the risks. In this cat-and-mouse confrontation, experience, processes, and judgment are certainly important; however, an AML system that lacks support from scientific algorithms and foundational capabilities often struggles to truly function in practice. For VASPs, without sufficiently deep on-chain analytical capabilities, it is easy to unknowingly interact indirectly with sanctioned entities and thereby assume compliance risks.

Therefore, using the right tools is a crucial step in improving AML effectiveness.

The outstanding contributions of SlowMist in the AML field have received authoritative recognition. At the Hong Kong ICT Awards, SlowMist was awarded the FinTech Award (Gold Award | RegTech: Regulatory & Risk Management) for its practical contributions to on-chain compliance.

SlowMist KYT is the next-generation blockchain AML compliance system launched by SlowMist. It transforms eight years of accumulated security intelligence capabilities into a full lifecycle compliance solution covering risk identification, in-depth investigation, automated handling, and audit traceability, helping VASPs establish configurable and auditable AML capabilities in complex risk environments.

Addressing the pain points mentioned earlier for VASPs, SlowMist KYT provides six core capabilities:

1. Solid Data Foundation

Currently, SlowMist KYT has accumulated over 400 million address labels, more than 10,000 entities, 500,000+ threat intelligence records, and 90 million+ risk addresses, covering 19 major public blockchains, 100+ tokens, 14 stablecoins, and 25 risk categories. These continuously updated datasets provide a solid foundation for identifying deep-layer risks and more closely align with regulatory expectations regarding coverage depth and risk interpretability.

2. Deep Risk Screening and Proportional Dilution Algorithm

In response to increasingly complex laundering paths, SlowMist KYT supports penetration-style tracing analysis of up to 10 layers both upstream and downstream. More importantly, the system incorporates a scientific proportional dilution algorithm. It abandons the “full-amount association” logic that often leads to false positives, and instead quantifies the risk contribution ratio of funds at each layer, transforming network-style associations into intuitive and precise risk scores. This provides compliance teams with more persuasive decision-making evidence and significantly reduces decision fatigue.

On this basis, the system also features continuous risk monitoring capabilities. The automated monitoring engine actively tracks changes in the risk status of addresses and transaction behaviors. Once high-risk funds are detected through retrospective analysis, the system automatically generates time-evolving Suspicious Transaction Reports (STRs), enabling dynamic risk recording and traceability. This helps institutions meet regulatory requirements for auditability and traceability.

3. On-Demand Customization of Risk Screening Rules

Different institutions have varying business structures, risk appetites, and regulatory requirements. Therefore, SlowMist KYT provides a highly configurable risk screening rule framework, enabling compliance teams to flexibly adjust risk identification strategies.

The system supports setting transaction monitoring thresholds, allowing teams to filter out low-value noise transactions through minimum amount thresholds. In terms of risk identification logic, the system provides a two-layer management mechanism based on categories and entities. The platform predefines risk levels for 25 risk types, including sanctions, gambling, and illegal services. At the same time, it allows independent configuration of specific risk entities, assigning them higher priority to override default category rules. In addition, the highly configurable rule framework enables compliance teams to flexibly adjust risk identification strategies according to operational needs.

4. Automated Closed-Loop Workflow and One-Click STR Export

To address the complex investigation and reporting processes involved in compliance operations, SlowMist KYT establishes a closed-loop workflow from alert to resolution. When a risk is detected, the system can automatically trigger a risk ticket and assign it to designated personnel for handling. The system also supports one-click export of standardized Suspicious Transaction Reports (STRs), greatly improving the efficiency of reporting to regulators.

5. Decision Parameter Traceability and Audit Resilience

To address compliance traceability, SlowMist KYT provides a unique policy change history mechanism. When reviewing any historical screening result, the system can reconstruct the exact risk configuration version used at the time of the decision. This audit loop — from decision outcome to historical parameters — effectively supports regulatory inspections and retrospective audits, ensuring that every compliance decision is fully documented and well-supported.

6. Stablecoin Ecosystem Risk Monitoring

For stablecoin issuers and regulators, the SlowMist KYT system also provides a fully automated hosted continuous screening module. It processes every transaction on the blockchain in real time, detecting and identifying high-risk fund exposure in stages such as the issuance, redemption, and large transfers of target stablecoin contracts. This enables stablecoin issuers and regulators to maintain a comprehensive view of the overall risk landscape.

Final Thoughts

Anti-money laundering has never been a competition of isolated capabilities. It is a systemic effort that requires long-term collaboration among regulators, industry participants, and technological tools. Practice has repeatedly proven that only by continuously accumulating investigative experience, improving procedural frameworks, enhancing tool capabilities, and strengthening industry collaboration can risks be identified more quickly and facts reconstructed more accurately amid complex transaction paths and massive datasets — ultimately building a truly solid foundation of trust for users and the market.

The SlowMist KYT system offers multiple deployment options to help VASPs at different stages build their compliance frameworks:

Starter Plan: Designed for early-stage teams, supporting up to 3 members, with a screening cost of less than $1 per check, making it a cost-effective option for quickly meeting basic compliance requirements.

Enterprise Plan: Designed for platforms experiencing rapid business growth, supporting up to 10 members, with tiered pricing where the cost per screening decreases as usage volume increases.

Whether choosing the Starter Plan or the Enterprise Plan, we provide full access to the Web query dashboard, KYT API interface, whitelist and blacklist management, and risk ticket functions, ensuring that your compliance team has complete risk-handling capabilities. Institutions interested in learning more are welcome to contact the SlowMist security team (Email: kyt@slowmist.com) for trial inquiries and procurement.

About SlowMist

SlowMist is a threat intelligence firm focused on blockchain security, established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.

AML/KYT Research & Analysis