How to Detect Sanctioned Wallets (EU, OFAC & UN)

A sanctioned wallet is any blockchain address designated by a government authority—such as OFAC, the European Union, or the United Nations—as belonging to a sanctioned person, group, or entity. For any business handling digital assets, detecting these wallets before transacting with them is both a legal obligation and a practical necessity. This guide explains how sanctions lists work, why indirect exposure matters, and what an effective screening system looks like.

Government Sanctions Lists and Crypto Addresses

Crypto sanctions compliance spans multiple jurisdictions. The Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals and Blocked Persons (SDN) list, which applies to all US-connected persons and entities. The EU Consolidated Financial Sanctions List governs firms operating within the European Union, while UN Security Council sanctions committees maintain designations that apply internationally. Eagle Virtual ingests all three and makes them available on the sanctions page.

Since 2018, these authorities have increasingly added blockchain addresses directly to their sanctions lists. Designated entities range from ransomware operators to state-sponsored hacking groups such as North Korea's Lazarus Group.

The SDN list is published in machine-readable formats including XML and CSV, making it possible to screen addresses programmatically. However, simply downloading the list and doing exact-match lookups is insufficient for several reasons:

Format inconsistencies: Addresses on the SDN list may use different casing or encoding than what appears on-chain. EVM addresses, for example, may appear with or without a checksum, while TRON addresses use Base58.
Multi-chain identities: A sanctioned entity may control addresses on multiple chains. The SDN list might designate an Ethereum address, but the same entity could hold funds on Polygon, Arbitrum, or Tron under addresses not yet listed.
Update frequency: OFAC updates the SDN list on an irregular schedule—sometimes multiple times per week. Relying on a stale copy creates compliance gaps.

Direct vs. Indirect Sanctions Exposure

Sanctions compliance requires understanding two distinct types of exposure. Direct exposure means an address is itself on a sanctions list. This is straightforward to detect: compare the address against the SDN list, EU consolidated list, and any stablecoin issuer blacklists.

Indirect exposure is more complex and more common. It occurs when an address has transacted with a sanctioned address, or has received funds that originated from one. Indirect exposure is measured in hops—the number of transactions separating your address from a sanctioned one.

Why indirect exposure matters: OFAC's compliance guidance expects risk-based controls. Many regulated firms treat recent fund flows from sanctioned addresses as a serious escalation signal. Processing a transaction where funds recently passed through a sanctioned address—even if the immediate counterparty is not itself listed—can create substantial compliance and enforcement risk.

A robust detection system must look beyond direct matches. It needs to trace fund flows backward through the transaction graph to determine whether an address has meaningful proximity to sanctioned entities. This is where graph analysis and traversal algorithms become essential—mapping connections through multiple layers of transactions to establish risk proximity.

Cross-Chain Evasion and Chain-Hopping Detection

One of the most common sanctions evasion techniques is chain hopping: moving funds across multiple blockchains to obscure their origin. A sanctioned entity might move USDT from Ethereum to Tron via a bridge, swap to a different stablecoin on a decentralized exchange, and then bridge to another chain. Each step adds complexity and makes single-chain detection ineffective.

Effective sanctions screening must operate across chains. Sanctioned entities use bridges, token swaps, and multi-chain layering to distance themselves from flagged addresses. Eagle Virtual's cross-chain graph analysis detects these patterns automatically, linking activity across all supported networks into a unified risk view.

Single-chain screening is not enough

If your compliance system only screens against one blockchain, you are likely missing evasion activity. Sanctioned entities know that many screening tools are chain-specific, and they exploit this gap deliberately.

Automating Sanctions Compliance Screening

Manual sanctions screening does not scale. For any operation handling more than a handful of transactions per day, automation is essential. An effective screening pipeline includes these components:

Real-time list ingestion: Automatically fetch and parse updated SDN lists, EU consolidated sanctions lists, and stablecoin issuer blacklists. Normalize all addresses to a canonical format for consistent matching.
Pre-transaction screening: Before accepting a deposit or executing a withdrawal, query the address against all active lists and check its proximity score. Block or escalate based on configurable thresholds.
Graph-based risk scoring: Use transaction graph analysis to compute the shortest path between any address and the nearest sanctioned entity. Assign risk scores based on hop count, transaction recency, and volume.
Continuous monitoring: Sanctions designations can happen at any time. Re-screen your address book whenever lists are updated to catch retroactive exposure.
Audit logging: Record every screening decision, the data it was based on, and the action taken. This is your evidence of compliance if regulators ask questions.

Eagle Virtual provides these capabilities through its risk screening API. Each address query returns the sanctions match status, blacklist status, proximity depth, and connection paths across all supported chains. The API integrates directly into transaction workflows, enabling real-time screening at the point of deposit or withdrawal.

Best Practices for Sanctions Detection

Based on enforcement actions and regulatory guidance, the following best practices represent the current standard of care for crypto sanctions compliance:

Screen all counterparties, not just deposits. Sending funds to a sanctioned address is as much a violation as receiving funds from one. Screen both sides of every transaction.

Normalize addresses across formats. Convert all addresses to a standard format before matching. A checksum mismatch should not cause a missed sanctions hit.

Monitor for indirect exposure. Screening only against the SDN list misses the majority of sanctions risk. Use proximity analysis to detect indirect connections within 1–3 hops.

Cover all chains your business touches. If you accept deposits on Ethereum and Tron, your screening must cover both. Cross-chain evasion is the norm, not the exception.

Re-screen periodically. The SDN list changes frequently. A customer address that was clean last month may have been designated since then, or may have received funds from a newly designated address.

Frequently Asked Questions

What is a sanctioned wallet?

A sanctioned wallet is a blockchain address designated by a government authority—such as OFAC, the EU, or the UN—as belonging to a person, group, or entity subject to economic sanctions. Transacting with a sanctioned wallet is prohibited under the relevant jurisdiction's laws.

How often are sanctions lists updated?

OFAC updates the SDN list on an irregular basis—sometimes multiple times per week during active enforcement periods. The EU Consolidated Financial Sanctions List is updated as new Council Regulations are adopted. Because updates can happen at any time, automated ingestion is essential for staying current.

What is indirect sanctions exposure?

Indirect sanctions exposure occurs when an address has not been sanctioned itself but has transacted with—or received funds from—a sanctioned address. The risk is measured by the number of hops (intermediate transactions) between the address and the nearest sanctioned entity.

Can sanctions screening work across multiple blockchains?

Yes, but only if the screening system supports cross-chain analysis. Sanctioned entities frequently move funds between blockchains using bridges and decentralized exchanges to evade single-chain detection. Effective screening must unify activity across all chains an entity may use.