
Why Your Crypto Got Frozen: AML Score Drift Explained (2026)


Disclosure: This article may contain affiliate links. We earn a commission at no extra cost to you. Our editorial policy ensures all recommendations are based on genuine analysis.


In 2025, Tether alone froze $1.26 billion in USDT across 4,163 addresses, according to AMLBot’s data-backed analysis. But centralized exchanges freeze accounts at a far higher rate than issuers do — and most of those freezes are not triggered by anything the account holder did wrong. They are triggered by AML score drift: the quiet, automated process by which crypto you bought legitimately today can be flagged as high-risk tomorrow.

This guide explains what AML scoring actually measures, why your score can change without you doing anything, which contamination vectors are real and which are overblown, and the defensive steps every holder should take before they become one of the next frozen addresses.

What you will learn:

  • How Chainalysis, Elliptic, and TRM Labs actually score crypto addresses in 2026
  • What “AML score drift” means and why it happens after you already own the funds
  • The real contamination vectors (and the ones that are mostly hype)
  • How to screen an address before you accept a transfer — with free tools
  • What to do if your exchange account is frozen (90% recover in 30 days with the right steps)
  • How to spot the “crypto recovery” scams that the FBI warned about in 2025


How AML Scoring Actually Works in 2026

Three firms dominate blockchain analytics: Chainalysis, Elliptic, and TRM Labs. Between them, they power the compliance systems at nearly every major exchange, stablecoin issuer, and law enforcement agency. Each uses a different scoring model, and exchanges mix and match them.

| Provider | Score Model | Where You Encounter It |
|---|---|---|
| Chainalysis | KYT real-time transaction monitoring + Reactor forensic tool. Risk levels not publicly documented. | Binance, Coinbase, most US exchanges, federal agencies |
| Elliptic | 0.0-10.0 risk score (0.1 increments) across 70+ risk categories. The only publicly-disclosed scale. | European exchanges, banks, stablecoin issuers |
| TRM Labs | 4 tiers: Low, Medium, High, Severe. 150+ configurable risk indicators. Entity monitoring with change alerts. | Bybit, Kraken, Asia-Pacific exchanges |

Exchanges configure their own thresholds privately. A Medium score at one exchange might trigger a review; at another it is ignored. None of them publish the exact threshold that auto-freezes your account, because doing so would be a roadmap for bad actors.

Why the opacity matters: You cannot “check your own AML score” at most major exchanges. You find out your score is high only when your withdrawal fails, your account is locked, or your deposit is reversed. The tools we cover later let you pre-screen addresses before they touch your account.

What Is “AML Score Drift”?

Here is the counterintuitive truth of blockchain analytics: your address’s risk score is not static. It is recalculated continuously as new information enters the analytics firm’s database. A transaction you received six months ago — perfectly legitimate when it happened — can cause your score to rise today because an address three hops upstream has since been added to a sanctions list.

Chainalysis, Elliptic, and TRM all use clustering analysis to follow funds back through the chain to an “identified service” (an exchange, a mixer, a sanctioned wallet). When that upstream identification changes, every downstream address inherits some of that new risk. The look-back period is not publicly disclosed, but there is no documented technical limit — analytics firms are not required to stop at a fixed number of hops.

A frequently-cited anecdote illustrates the problem: in August 2022, an anonymous sender used Tornado Cash to send 0.1 ETH to 600+ high-profile wallets, including those belonging to celebrities and exchanges. Every recipient instantly inherited some degree of Tornado Cash exposure on the major analytics platforms. None of them had asked for the exposure. This is the clearest public example of involuntary contamination.

What Actually Causes Drift

The contamination vectors that are real and documented:

  • Direct receipts from sanctioned addresses. The cleanest case — OFAC’s crypto-related SDN list stood at around 1,245 addresses as of February 2025, growing at roughly 18% annually. Anyone who received funds from these addresses at any point gets flagged immediately.
  • Proximity to mixers and coinjoin services. Chainalysis estimates that about 25% of mixed funds in 2025-2026 had illicit origins. Funds that passed through a mixer carry elevated risk downstream, even if your specific coins were clean.
  • Cross-chain bridge usage. Chainalysis tracked over $21 billion laundered through cross-chain and cross-asset services by 2025 — roughly 5x the 2022 level. Bridges are a primary laundering vector, so analytics firms now treat bridge-originated funds as elevated risk by default.
  • P2P trade exposure. If your counterparty had a compromised history, some of that risk propagates. This is why professional traders often refuse P2P trades without first screening the counterparty’s address.
  • Sanctions list expansion. Chainalysis reported a 700% surge in sanctions evasion-related designations in 2025 vs 2024. Every one of those new entries retroactively recolors the graph of addresses they interacted with.

The vectors that are mostly folklore — worth knowing but not panicking over:

  • “Dust attacks.” Tiny unsolicited transfers meant to link your wallet to a flagged cluster. Real, but analytics firms mostly filter dust-sized amounts from their scoring models. Still, don’t spend dust you didn’t expect.
  • “The 2-hop rule.” The idea that contamination stops after two hops is a forum myth. Analytics firms trace to the nearest identified service, not to a fixed hop count.
  • “Exchange-pool mixing taints your whole deposit.” Large exchanges commingle user funds internally, but their accounts are treated as identified services in analytics, so the contamination chain restarts at the exchange output rather than continuing through it.
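
The drift mechanism described above (trace to the nearest identified service, no fixed hop count, the chain restarting at an exchange) as an added toy model. It is not code from this article or from any analytics vendor; the graph, the address names, the category weights and the proportional-split rule are all assumptions made for illustration.

```python
# Toy model of AML score drift. Constructed data and weights; this is not
# how any analytics vendor actually computes its scores.

# receiver -> [(sender, amount)]; all addresses are made-up names.
INBOUND = {
    "you":      [("alice", 6.0), ("exchange", 4.0)],
    "alice":    [("bob", 6.0)],
    "bob":      [("origin", 6.0)],     # origin is 3 hops upstream of "you"
    "exchange": [("mixer", 50.0)],     # sits behind an identified service
}
# Assumed per-category weights on a 0-10 scale (illustrative only).
WEIGHTS = {"sanctioned": 10.0, "mixer": 7.0, "exchange": 1.0, "unknown": 2.0}


def exposure(addr, labels, inbound=INBOUND, _path=()):
    """Return {category: share of inbound value} for addr.

    Each inbound path is followed to the NEAREST labelled entity. There is
    no hop limit: a path ends only at a label, a dead end, or a cycle.
    """
    seen = _path + (addr,)
    sources = inbound.get(addr, [])
    total = sum(amount for _, amount in sources)
    shares = {}
    for sender, amount in sources:
        weight = amount / total
        if sender in labels:                        # identified service: stop
            upstream = {labels[sender]: 1.0}
        elif sender in seen or sender not in inbound:
            upstream = {"unknown": 1.0}             # cycle or no known inputs
        else:
            upstream = exposure(sender, labels, inbound, seen)
        for category, share in upstream.items():
            shares[category] = shares.get(category, 0.0) + weight * share
    return shares


def score(addr, labels):
    """Collapse the exposure profile into one 0-10 number."""
    profile = exposure(addr, labels)
    return round(sum(WEIGHTS[c] * s for c, s in profile.items()), 2)


labels_then = {"exchange": "exchange", "mixer": "mixer"}
labels_now = {**labels_then, "origin": "sanctioned"}   # later designation

if __name__ == "__main__":
    for name, labels in (("then", labels_then), ("now", labels_now)):
        print(name, exposure("you", labels), score("you", labels))
```

In this model the score moves from 1.6 to 6.4 although "you" made no new transaction, and the mixer behind the exchange never enters either profile because the trace stops at the exchange.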

The Tornado Cash Question — What Changed in 2025

Tornado Cash is the highest-profile case in crypto AML history, and its legal status changed dramatically during 2025. If you have ever interacted with it (directly or by receiving inbound funds from someone who did), the current rules are different from what they were a year ago.

| Date | Event | Practical Effect |
|---|---|---|
| Aug 2022 | OFAC sanctions Tornado Cash | All US persons prohibited from interacting; exchanges freeze related funds |
| Nov 2024 | Fifth Circuit Court of Appeals rules immutable smart contracts are not “property” under IEEPA | OFAC’s legal authority to sanction the protocol is overturned |
| Mar 2025 | US Treasury officially delists Tornado Cash | US persons may legally use the protocol again; exchange freezes based solely on the sanction designation become legally questionable |
| Apr 2025 | Texas district court permanently enjoins OFAC from re-imposing | Treasury warned it may sanction again under a different legal theory, but not currently |
| Aug 2025 | Co-founder Roman Storm convicted on unlicensed money transmitting count (mixed verdict) | Using the protocol is legal, but operating or providing it remains a criminal risk |

What this means for your address in 2026: Chainalysis, Elliptic, and TRM still flag Tornado Cash interactions as elevated risk in their scoring models, because analytics risk is not the same as legal risk. Exchanges may still freeze accounts with Tornado Cash exposure even though the protocol itself is no longer sanctioned. If you have historical exposure, the analytics flag is likely to persist even though the legal prohibition has been lifted. Source: US Treasury Tornado Cash Delisting.

How to Screen an Address Before You Accept Funds

The most useful defensive habit is to check any address you are about to receive from — especially for OTC, P2P, and freelance-payment scenarios — before you accept the transfer. Several tools make this accessible to individual users:

| Tool | Price | Chains Covered | Best For |
|---|---|---|---|
| AMLBot | ~$0.20 per check | BTC, ETH, BNB, Solana, TRON | One-off pre-trade checks; Telegram bot interface |
| Breadcrumbs.app | Free tier available | EVM chains, Bitcoin | Visual flow tracing; community-driven |
| Scorechain | Custom (free trials) | EVM chains primarily | Businesses and regular users; full wallet reports |

Caveat: These tools use their own proprietary data, which does not perfectly match what Chainalysis, Elliptic, or TRM see. A “clean” score on AMLBot is not a guarantee that Binance’s Chainalysis feed will agree. Treat these checks as a first-line filter, not an all-clear.

What to avoid: Do not use generic “crypto risk checkers” that ask you to connect a wallet, sign a message, or pay with the asset you’re checking. Legitimate screening tools only need the address string — nothing else. The “sign to prove ownership” pattern is used by drainer scams. For practical address safety before payment acceptance, see our freelancer crypto payment guide.

If Your Exchange Account Is Already Frozen

Exchange-level freezes are different from issuer-level freezes (which we cover separately in our Tether freeze recovery guide). Exchange freezes are typically a compliance review — they are reversible if you can document your source of funds. The key data point: roughly 90% of frozen accounts are released within 30 days when the holder follows the proper procedure, according to Chainalysis’s 2025 compliance report.

The Process That Actually Works

  1. Do not panic-trade. Any attempt to “shuffle” funds to avoid the freeze makes things worse — it reads as structuring to the compliance team.
  2. Open an official support case within 48 hours. Most exchanges have shorter response times for cases opened early. Use the in-app ticket system, not third-party Telegram support channels (those are phishing targets).
  3. Gather your documentation before you reply. Source of funds (bank statements, employment proof, crypto purchase receipts), transaction history, and identity re-verification documents. Submit all at once to avoid back-and-forth delays.
  4. Expect 3 to 30 days for resolution. Simple cases (KYC refresh) clear in 3-5 days. Source-of-funds documentation cases typically resolve in 2-4 weeks.
  5. If refused, request a written explanation. Exchanges in the EU and UK are often legally obligated to provide one. With that document, a crypto-specialized attorney has something concrete to work with.

The “Unfreeze Service” Scam Pattern

The FBI issued a Public Service Announcement in August 2025 specifically warning about cryptocurrency recovery scams. The vast majority of online services offering to “unfreeze” exchange accounts or recover frozen issuer funds are fraudulent. The red flags are remarkably consistent:

  • Upfront fee demanded before any work begins. Legitimate recovery attorneys work on contingency or documented hourly rates with a retainer — not a wire to an offshore account before they start.
  • Request for your private keys or seed phrase. No legitimate service ever needs these. Ever.
  • Guarantees of recovery. No attorney or service can guarantee a frozen-asset recovery. The outcome depends on the exchange’s policies, the specific compliance trigger, and the jurisdiction.
  • Payment requested in cryptocurrency. Especially in the same asset you are trying to recover. This is a laundering pattern, not a service.
  • Time pressure / urgency manipulation. “Act within 24 hours or lose your funds forever” is always a lie.
  • First contact from a Telegram/WhatsApp group. Legitimate attorneys do not advertise in crypto chat groups.

How to verify a legitimate crypto attorney:

  1. Check their bar registration on the official state or country bar website. If they claim to practice in Wyoming, the Wyoming State Bar directory must list them.
  2. Confirm a physical office address and a traceable phone number.
  3. Expect a retainer model and a written engagement letter. No engagement letter = not a lawyer.
  4. Search their name plus “scam” or “complaint” on DuckDuckGo before engaging.

For a broader overview of crypto-specific scam patterns, our scam identification guide covers phishing, rug pulls, and impersonation attacks in depth.

Defensive Strategy — What to Do Before You Get Frozen

The single best strategy is behavioral: assume your activity is being scored continuously, and reduce contamination exposure proactively. Concrete actions:

  • Segment wallets by use-case. A “receive from DEX aggregators” wallet, a “bank off-ramp” wallet, and a “long-term hold” wallet. Contamination in one does not propagate to the others.
  • Avoid mixers and privacy protocols if you plan to off-ramp to a regulated exchange. The analytics flag outlives the legal change. See our legal status by country for jurisdiction-specific risks.
  • Prefer issuer-screened stablecoins for large balances. USDC has a materially lower freeze rate than USDT ($109M vs $3.3B over 2023-2025). See USDT vs USDC for remittances.
  • Consider self-custody for long-term holdings. A non-custodial wallet cannot be frozen by an exchange’s compliance team, though issuer-level freezes still apply. Our wallet selection guide covers the trade-offs.
  • Screen before you receive. AMLBot, Breadcrumbs, and Scorechain checks cost less than 1% of the loss from a mis-timed freeze.
  • Keep source-of-funds documentation. Bank statements, employer pay stubs, crypto purchase receipts. If you ever face a freeze, this is the first thing the compliance team will ask for.

Understanding Your Real Risk Exposure

Most individual crypto holders never hit the thresholds that trigger an AML freeze. The freezes you hear about are concentrated in patterns most users do not engage in: large OTC trades with unverified counterparties, extensive mixer usage, receipts from DeFi aggregators linked to exploits, and cross-chain bridging right before an off-ramp to fiat. If your pattern is “buy on Binance, hold, occasionally send to a hardware wallet,” your exposure is minimal.

The risk concentrates in three populations: professional traders who use multiple DEXs and bridges, users in high-risk jurisdictions on the OFAC monitoring list, and recipients of crypto income from mixed or unverified sources (grey-market marketplaces, anonymous tip jars, certain gaming/gambling platforms). For a country-by-country risk breakdown, see our global regulation guide.


Key Takeaways

  • AML scoring is continuous, not static. Your risk score can change without you doing anything new, because analytics firms update their databases continuously.
  • Three firms dominate: Chainalysis, Elliptic (0-10 scale), and TRM Labs (4 tiers). Exchanges configure their own thresholds privately.
  • Real contamination vectors: direct receipts from sanctioned addresses, mixer proximity, cross-chain bridging, and P2P counterparty exposure. Dust attacks and “hop-count rules” are mostly folklore.
  • Tornado Cash is no longer OFAC-sanctioned as of March 2025, but analytics firms still flag its interactions as elevated risk. Legal change ≠ analytics change.
  • Pre-screening tools exist for individuals: AMLBot, Breadcrumbs, and Scorechain let you check addresses before accepting a transfer.
  • Freeze recovery is ~90% successful within 30 days when you follow the proper documentation process. Panic-trading or using “unfreeze services” lowers your chances.
  • “Recovery service” scams are a well-documented pattern — the FBI issued a 2025 PSA specifically about them. Upfront fees, guarantees of recovery, and crypto payment requests are always red flags.

Alex Mercer
Crypto Analyst at ChainGain

Alex has been covering cryptocurrency markets and blockchain technology since 2019. He focuses on practical guides that help people in emerging markets use crypto for savings, payments, and remittances.

Disclaimer: This article is for informational and defensive purposes only. It is not legal, financial, or tax advice. AML scoring methodologies and exchange compliance policies evolve continuously; always verify current procedures directly with your exchange or consult a qualified attorney. Sources: AMLBot Stablecoin Freezes Report, Chainalysis Research, TRM Labs, Elliptic, US Treasury Tornado Cash Delisting, FBI IC3 Recovery Scam PSA August 2025.
