①
Transaction triggers the bot
A deposit or withdrawal event fires an API call containing the wallet address, blockchain network, and transaction amount. The bot intercepts every transaction — not a random sample.
- What an AML bot is and who uses one
- AML bot context: illicit crypto activity at scale
- How AML bot screening works on-chain
- AML bot risk categories and automated responses
- AML bot API integration: what to build
- AML bot provider comparison
- Managing AML bot false positives
- Regulatory context: when an AML bot is required
- AML bot vs manual screening: when to use each
- Best practices for AML bot configuration
- Troubleshooting AML bot issues
- Sources & references
- FAQ
What an AML Bot Is — and Who Uses One
An AML bot is an automated software component that screens crypto wallet addresses and transactions against a blockchain analytics database in real time — without human intervention at the point of screening. It sits between the transaction initiation event and the execution layer, checking every deposit and withdrawal against a configured risk policy before allowing the transaction to proceed.
Primary users: high-volume VASPs
Centralised exchanges, payment processors, OTC desks, and neobanks processing thousands of transactions per day cannot rely on manual review for every check. An AML bot enforces consistent screening policy at any volume with a complete, timestamped audit trail for every decision.
ExchangesPayment processorsNeobanks
Secondary users: DeFi protocols and wallets
DeFi frontends, non-custodial wallet apps, and cross-chain bridges increasingly deploy AML bots at the connection layer — screening wallet addresses before allowing users to interact with the protocol. This is a voluntary risk management measure in most jurisdictions, though regulatory pressure is increasing.
DeFi frontendsWallet appsBridges
What an AML bot is not: It is not a KYC system (it does not verify identity), not a Travel Rule solution (it does not transmit originator/beneficiary data), and not a SAR filing tool. It is the transaction monitoring component of a broader AML programme — one that must work alongside identity verification, sanctions screening, and reporting workflows.
AML Bot Context: The Scale of Illicit Crypto Activity
$24.2B
Illicit crypto volume in 2023
Chainalysis 2024 Report
Chainalysis 2024 Report
72%
Illicit crypto passing through VASPs
FATF 2024 evaluations
FATF 2024 evaluations
<2s
Typical AML bot API response time
Major analytics providers
Major analytics providers
100%
Transaction coverage with API bot
vs. gaps in manual review
vs. gaps in manual review
The 72% figure is why VASPs are the primary regulatory focus for crypto AML — most illicit funds touch a VASP at some point. An AML bot running at every transaction is the only practical way to screen that volume consistently. Data source: Chainalysis 2024 Crypto Crime Report.
How AML Bot Screening Works On-Chain
An AML bot does not analyse transactions itself — it calls an analytics provider's API that maintains the entity database. Understanding the underlying mechanics helps configure the bot's thresholds correctly.
Entity cluster matching
Analytics providers maintain databases of wallet address clusters attributed to known entities — exchanges, darknet markets, ransomware groups, and cryptocurrency tumblers. When the bot submits an address, the API calculates what share of that address's fund flows have been proximate to each entity cluster and returns a scored breakdown.
Entity clustersFund flow analysisCategory breakdown
Hop distance weighting
Direct interaction (1 hop) with a high-risk cluster carries far more weight than indirect exposure at 2–3 hops via a legitimate exchange intermediary. AML bots that block on overall score alone without reading hop distance produce disproportionate false positive rates — the category breakdown and hop distance must both feed the decision logic.
1 hop = direct2+ hops = indirectVolume × distance
Limitation: Heuristic clustering is probabilistic. False positives occur for CoinJoin users, shared exchange hot wallets, and recently re-attributed clusters. Build a human review queue for medium-score results rather than automated blocking — the bot flags, the analyst decides.
AML Bot Risk Categories and Automated Responses
Low (0–25)
Auto-allow
Medium (26–74)
Review queue
High (75–100)
Auto-block
| Category detected | Severity | Automated bot response |
|---|---|---|
| Sanctioned entity (OFAC SDN) | Critical | Auto-block; route to SAR filing queue; no analyst override permitted |
| Mixer / tumbler | High | Auto-block above configured volume threshold; request source of funds |
| Darknet market | High | Auto-block; route to SAR queue |
| Ransomware | High | Auto-block; SAR filing; flag for legal review |
| Fraud / scam | Medium–High | Route to analyst queue; enhanced due diligence before decision |
| Unregulated P2P | Medium | Route to review queue; source-of-funds documentation request |
| Regulated exchange | Low | Auto-allow; log and proceed |
Configuration rule: The bot's category-response matrix must be written and approved by your compliance officer before deployment. Never use vendor defaults as your compliance policy — they are a starting point calibrated to a generic risk appetite, not yours.
AML Bot API Integration: What to Build
Integrating an AML bot requires connecting your transaction processing layer to an analytics provider's API and building the logic to act on the response.
- Webhook or synchronous call: for deposits, a synchronous pre-transaction check (block before execution) is ideal. For withdrawals, a pre-processing check prevents funds leaving before screening. Asynchronous post-transaction scanning is lower friction but creates a window where illicit funds may have already moved.
- Response handling: parse the risk score and category breakdown from the API response. Your logic should branch on category type first, then score — not score alone. Store the full response JSON as part of the transaction record.
- Action states: implement three clear states — auto-allow (log and proceed), review queue (hold transaction, notify analyst), and auto-block (reject transaction, log reason, route to SAR workflow if applicable).
- Latency management: major analytics APIs respond in under two seconds. Build a timeout fallback — if the API does not respond within your SLA, decide in advance whether to fail-open (allow with flag) or fail-closed (hold pending response). Document the choice and its compliance rationale.
- Audit log: every API call, response, decision, and any subsequent analyst action must be stored with full timestamps. This is the compliance record — not a debug log.
Architecture tip: Run AML bot checks asynchronously where transaction confirmation latency allows — this avoids adding API latency to user-facing transaction times. For high-value withdrawals, a synchronous pre-check is worth the latency.
AML Bot Provider Comparison: APIs and Coverage
| Provider | API type | Chain coverage | Best for |
|---|---|---|---|
| Chainalysis KYT | REST API, webhooks | BTC, ETH, Tron, SOL, 20+ | Large exchanges; institutions; forensic quality |
| Elliptic Navigator | REST API | BTC, ETH, DeFi, cross-chain | DeFi protocols; cross-chain operations |
| TRM Labs | REST API, webhooks | 30+ chains | Mid-market VASPs; wide chain coverage |
| Crystal Blockchain | REST API | BTC, ETH, ERC-20 | EU VASPs; BTC-focused compliance |
For critical AML bot decisions, consider routing high-score results through a second provider's API to reduce false positives from single-vendor attribution errors. Methodology: Chainalysis · Elliptic.
Managing AML Bot False Positives
False positives — legitimate transactions blocked by the bot — are the most common operational complaint with AML bot deployments. They damage user experience and create legal exposure if not handled correctly.
Common false positive causes
CoinJoin transactions whose structure resembles mixer activity. Large exchange withdrawals where the hot wallet has indirect exposure from thousands of other users. Newly re-attributed clusters where a previously-neutral address is now scored against a newly-identified illicit entity. Over-broad score thresholds that block all medium-score results regardless of category.
CoinJoinShared hot walletsRe-attribution
Reducing false positives without gaps
Route medium-score results to a human review queue rather than auto-blocking. Configure per-category thresholds rather than a single score cutoff. Request source-of-funds documentation before blocking on indirect exposure. Track and report your false positive rate quarterly — above 10–15% of blocked transactions being cleared signals miscalibrated thresholds.
Per-category thresholdsReview queueTrack FP rate
Build a documented dispute resolution SLA — typically 3–5 business days — with a clear process for users to submit source-of-funds evidence. This protects both legitimate users and your organisation from wrongful account closure claims.
Regulatory Context: When an AML Bot Is Required
- FATF Recommendation 15: VASPs must apply ongoing transaction monitoring — which regulators interpret to mean real-time or near-real-time screening at every material transaction. An AML bot running via API is the standard implementation of this obligation for high-volume operations. Full guidance at fatf-gafi.org.
- EU Transfer of Funds Regulation (TFR): no minimum threshold — every transfer requires compliance checks. Manual review at this volume is operationally impossible for any meaningful exchange.
- US FinCEN / BSA: MSBs dealing in virtual currency must maintain an effective AML programme including transaction monitoring. An AML bot is not specifically mandated by name, but real-time monitoring is the practical standard expected in examinations. See fincen.gov.
FATF mutual evaluation rounds in 2023–2024 cited "inadequate transaction monitoring" as the most common AML deficiency in VASP assessments globally. An AML bot is the primary tool for satisfying this obligation at scale.
AML Bot vs Manual Screening: When to Use Each
| Approach | Best for | Pros | Cons |
|---|---|---|---|
| AML bot (real-time API) | High-volume VASPs; automated compliance | 100% coverage; consistent policy; full audit trail; no human gaps | Integration cost; requires codified risk policy; latency management |
| Manual (dashboard) | Low volume; forensic investigations; edge cases | Analyst context; flexible interpretation; no integration needed | Doesn't scale; coverage gaps; inconsistent decisions |
| Batch re-screening | Periodic review of existing user wallets | Catches newly-attributed risk in updated databases | Lagging — not real-time; requires scheduling |
The right answer for most regulated VASPs is all three — an AML bot for real-time transaction screening, batch re-screening for existing user wallets, and manual review for the analyst queue generated by medium-score results.
Best Practices for AML Bot Configuration and Operation
- Write the risk policy matrix before configuring the bot. Which category at which hop distance triggers which action. Vendor defaults are a starting point — your compliance officer must own the final thresholds.
- Configure per-category responses, not a single score cutoff. Sanction exposure → auto-block at any score. Indirect P2P at 3+ hops → review queue only. Category-specific logic dramatically reduces false positives.
- Never auto-block the entire medium-score band. Route medium scores to a review queue where an analyst applies judgment. Blanket medium-score blocking generates excessive false positives and potential wrongful account closure liability.
- Log everything — every API call, response, and decision. The audit trail is the compliance deliverable. Logs must include timestamps, full API response JSON, the decision taken, and which policy rule was applied.
- Test the bot on known addresses before go-live. Run a sample set of addresses with known risk profiles — clean addresses, known mixer interactions, sanctioned wallets — through the full bot pipeline and verify the actions match your configured policy.
- Monitor the false positive rate quarterly. Above 10–15% of blocked transactions being cleared indicates overconfigured thresholds. Adjust the matrix, retrain analysts, and retest.
Most common deployment mistake: Setting the auto-block threshold to cover the entire medium-score range to "be safe." This produces 3–5× the necessary false positives and creates operational chaos. Safe means proportionate — blocking only what your policy actually requires blocking.
Troubleshooting Common AML Bot Issues
"Bot is blocking too many legitimate transactions"
- Review the category breakdown of blocked transactions — if most blocks are driven by indirect P2P at 2+ hops rather than direct illicit exposure, your score threshold is too low. Raise the auto-block threshold and route the released range to the review queue instead.
- Check whether CoinJoin addresses are being blocked wholesale — consider adding a CoinJoin-specific exception path that routes to review rather than auto-block if the only exposure is CoinJoin at indirect distance.
"Bot API is timing out intermittently"
- Implement exponential backoff retry logic with a maximum of 2–3 retries. Define a clear fail-open or fail-closed policy for persistent timeouts — document whichever you choose and the compliance rationale for it.
- Evaluate whether your analytics provider's SLA matches your transaction volume. Some providers offer priority API tiers for high-volume clients with guaranteed latency.
"Score changed on an existing user address without any new transactions"
- Analytics databases are updated continuously — a previously-clean cluster can be re-attributed to a newly-identified illicit entity. Your batch re-screening process should catch these retroactive changes. Document the score change with both values and dates, and assess whether the updated attribution warrants a compliance review of the existing relationship.
Best diagnostic approach: Pull the full API response for any anomalous block and trace the specific entities and hop distances that generated the score. "Bot blocked address X" becomes "address X has 8% direct exposure to cluster Y at 1 hop — bot correctly applied policy rule Z." Specific is defensible; vague is not.
AML Bot: Sources & Authoritative References
Regulatory standards
About: Prepared by Crypto Finance Experts. Covers AML bot mechanics, API integration, risk categories, provider comparison, false positive management, regulatory requirements, and troubleshooting. Updated . Not legal advice.
AML Bot: Frequently Asked Questions
An AML bot is an automated software component that screens crypto wallet addresses and transactions in real time by calling a blockchain analytics API at every deposit and withdrawal. When a transaction is initiated, the bot sends the wallet address and chain to the analytics provider, receives a risk score and category breakdown, compares the result against a pre-configured risk matrix, and triggers an automated action — allow, hold for review, or block — without requiring human intervention at the point of screening.
The key difference from manual screening is scale and consistency: an AML bot screens 100% of transactions with identical policy enforcement and a complete timestamped audit log. Manual processes cover a fraction of transactions at best, introduce human inconsistency, and create audit trail gaps that regulators identify in examinations.
AML bots detect exposure to a range of risk categories returned by the analytics API: sanctioned entities (OFAC SDN list — requires immediate auto-block), cryptocurrency tumblers and mixers (high severity, block above volume threshold), darknet marketplace wallets (high severity, auto-block), ransomware payment addresses (high severity, auto-block and flag for SAR), fraud and scam wallets (medium-high, route to review), unregulated P2P exchanges (medium, enhanced due diligence), and gambling platforms (low-medium, jurisdiction-dependent).
The critical configuration principle is that the bot must respond differently to different categories — not apply the same action to all results above a single score threshold. A well-configured AML bot auto-blocks sanctions exposure at any score, routes indirect P2P to a review queue at medium scores, and auto-allows clean regulated exchange interactions regardless of any residual score.
Integration requires connecting your transaction processing layer to your chosen analytics provider's REST API and building the decision logic that acts on the response. For deposits, implement a pre-transaction synchronous API call that holds the transaction pending the screening result. For withdrawals, integrate the check into the withdrawal initiation flow before the transaction is broadcast to the blockchain.
Parse the full API response — not just the headline score — and build branching logic on category type and hop distance. Store the complete response JSON as part of the transaction record for the audit trail. Implement timeout handling with a documented fail-open or fail-closed policy. Test against a set of known-risk addresses before go-live to verify the bot's actions match your configured policy. Most major providers offer sandbox environments and developer documentation specifically for bot integration.
No — an AML bot handles the screening and enforcement layer, but human analysts remain essential for medium-score review queue decisions, SAR filing, customer communication, dispute resolution, and regulatory examination responses. The bot ensures consistent policy enforcement at scale and generates the evidence analysts need. Analysts apply judgment to edge cases the bot cannot resolve algorithmically.
FATF guidance and most regulatory frameworks explicitly expect human oversight of automated AML systems — an AML programme composed entirely of automated decisions without human review capability is not considered compliant. The correct framing is: the AML bot handles the volume so analysts can focus their time on the cases that genuinely require judgment.
The most effective lever is per-category thresholds rather than a single score cutoff. Route medium-score results to a review queue rather than auto-blocking — the bot flags, the analyst decides. Configure higher tolerance for indirect exposure (2+ hops through legitimate intermediaries) and strict zero-tolerance only for direct sanction and darknet market exposure.
Track your false positive rate quarterly: what share of blocked transactions are subsequently cleared after analyst review? Above 10–15% suggests thresholds are overconfigured. Adjust the category-response matrix based on the actual breakdown of cleared blocks — if most are cleared due to indirect P2P exposure, raise the auto-block threshold for that specific category. Do not lower thresholds uniformly across all categories; adjust surgically by category type.
No regulation specifically mandates an "AML bot" by name — but FATF Recommendation 15 requires VASPs to apply ongoing transaction monitoring, and regulators interpret this to mean real-time or near-real-time screening at every material transaction. For any VASP processing significant transaction volume, an automated API-based bot is the only practical way to meet this standard consistently. Manual review at hundreds of transactions per day is operationally unfeasible and leaves systematic coverage gaps that regulators identify.
FATF mutual evaluation rounds in 2023–2024 cited inadequate transaction monitoring as the most common AML deficiency in VASP assessments. An AML bot running continuously is what satisfies the ongoing monitoring obligation in practice.
Match the provider to your primary chain exposure, volume, and integration needs. Chainalysis KYT is the market leader for large exchanges requiring forensic quality and regulatory defensibility — it has the broadest entity database and the strongest law enforcement relationships. Elliptic Navigator has stronger DeFi and cross-chain coverage. TRM Labs covers 30+ chains at competitive pricing. Crystal Blockchain is well-suited for European VASPs focused on Bitcoin compliance.
Before committing, test each shortlisted provider's API on addresses with known risk profiles — clean addresses, known mixer interactions, and sanctioned wallets. Compare the latency, the category breakdown accuracy, and the documentation quality. Well-documented methodology is important for regulatory defensibility: you need to be able to explain why your bot takes the actions it takes.
Every AML bot deployment must define a timeout policy before go-live: fail-open (allow the transaction with a flag for later review if the API does not respond within the SLA) or fail-closed (hold the transaction until the API responds or a manual decision is made). Both choices have compliance implications — fail-open risks allowing illicit transactions during outages; fail-closed risks blocking legitimate transactions and creating customer friction during API issues.
Most compliance teams choose fail-open with mandatory batch re-screening of all transactions processed during the outage window. This approach is defensible to regulators when documented: "During API outage between X and Y, transactions were allowed with flagging and subsequently re-screened in the batch run of [date]." The key is having the policy documented before an outage occurs, not improvising during one.
A complete AML bot audit log entry must include: the wallet address screened; the blockchain network; the transaction amount and direction (deposit or withdrawal); the exact timestamp of the API call; the analytics provider queried; the full API response including risk score, category breakdown, and hop distances; the policy rule applied; the automated action taken (allow, review queue, block); and — if the result entered the review queue — the analyst's decision, the rationale, and the timestamp of that decision.
This log is what regulators examine during AML programme reviews. It must be tamper-evident, retained for the required period (5 years under US BSA; varies by jurisdiction), and queryable — regulators will ask for specific date-range exports and want to be able to audit individual transaction decisions. Storing raw API response JSON alongside a structured decision record is the safest approach.