How Crypto’s Dirty-Money Radar Actually Works


KYT is crypto’s transaction-level risk radar: KYC checks who you are, while KYT checks where your money came from and where it’s going. The article breaks down how KYT works through address clustering, wallet labeling, fund tracing, and risk scoring, while showing why it’s powerful but still imperfect.

June 17, 2026

Many people used to think KYT was just another compliance acronym. KYC, KYB, AML, CFT, Travel Rule... the usual alphabet soup that makes founders want to close the tab and go build something fun.

But KYT is actually different, and it's worth understanding why we put so much effort and so many resources into giving all merchants on @allscaleio built-in essential KYT features.

KYC asks who are you?

KYT asks where did this money come from, and where is it going?

That sounds like a small difference. It is not. In crypto you can pass KYC perfectly (real person, clean passport, clean selfie, clean proof of address) and then two minutes later receive USDT from a wallet connected to a hack, a scam, a sanctioned exchange, a mixer, a darknet market, or a North Korean laundering cluster. Congrats: your ID is clean, your money is not.

That gap is the whole reason KYT exists. It's the part of crypto compliance that watches the money itself. And the deeper I went, the more I realized KYT isn't one thing. It's a graph problem, a detective database, a regulatory requirement, a giant private surveillance business, and a very useful system that's also wrong way more often than the marketing wants to admit, all at once.

So yeah, let's unpack it.

The 30-second version

KYC = who you are. Passport, selfie, company docs, beneficial owners, proof of address.

KYT = what your money does. Where the funds came from, what wallets they touched, and whether they passed through a mixer or are linked to hacks, scams, ransomware, sanctions, darknet markets, or weird high-risk exchanges.

The cleanest mental model I've found:

KYC is the bouncer at the club. KYT is the security camera inside.

The bouncer checks your ID once. The camera keeps watching. Crypto needs both because money moves after onboarding: a "good" customer can receive "bad" funds, a clean wallet can become risky later, and a stablecoin payment can look totally normal until you trace it 12 steps back and realize part of it came from a hack. That's the whole game.

First principle: crypto is not anonymous. It is worse and better than that

A blockchain is basically a public spreadsheet. Every transaction is visible. Forever. But instead of names, you see addresses: 0x71C7...f2A3 or bc1q...

So crypto is not really anonymous. It is pseudonymous.

You do not immediately know who owns the address, but you can see what the address did:

  • what it received
  • what it sent
  • which wallets it touched
  • how often it moved money
  • whether the funds came from an exchange, bridge, mixer, exploit, scam, or sanctioned wallet

This creates the weird superpower of crypto compliance: In traditional banking, a bank sees its own ledger. In crypto, everyone can see the global ledger.

That is why KYT exists. The raw data is public. The business is turning random-looking addresses into useful labels. The hard part is not reading the blockchain.

The hard part is knowing that:
- 0xabc...123 = Binance hot wallet
- 0xdef...456 = Tornado Cash withdrawal
- 0x999...777 = Lazarus-linked laundering address

That address-to-real-world-entity map is the whole moat.

How KYT actually works

Most explainers make KYT sound like magic AI. It's not magic, it's a pipeline: ingest raw blockchain data, cluster addresses that likely belong to the same person or service, label those clusters with real-world names, trace funds backward and forward, score the risk, then alert a human or auto-block the transaction.

Something like this:

6 Stages of KYT - by AllScale

Let's make that less abstract.

Step 1: clustering, or "these 500 addresses are probably the same person"

People don't use one address. Exchanges use millions, wallet apps generate new ones constantly, and criminals spin up fresh wallets all the time because it costs basically nothing. So KYT companies try to group addresses into clusters.

The classic Bitcoin trick is called the common-input-ownership heuristic, which is a fancy name for a simple idea: if five addresses all help pay for the same transaction, the sender probably controls all five, because spending from each address requires its private key. It's like five "different" people paying one bar tab out of the same physical wallet. Probably one person, five pockets. This works well enough to be useful.

It also breaks. CoinJoin exists specifically to make multiple unrelated users appear in one transaction, change-address detection can be wrong, wallets behave differently, and on Ethereum-style account chains there are no Bitcoin-like "coins" to trace, just balances moving between accounts. One academic paper found very high error rates when clustering heuristics are used naively: multi-input clustering had an average error rate above 60% in their test setup, and change-address heuristics were even worse.

Screenshot from Coinjoins-Org
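The common-input-ownership heuristic and its CoinJoin failure mode, as an added example (not code from AllScale or any vendor). The transactions, address names and the `coinjoin` flag are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data). Each entry lists the
# addresses whose coins are spent together as inputs of one transaction.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["A1", "A2", "A3"]},
    {"txid": "t2", "inputs": ["A3", "A4"]},
    {"txid": "t3", "inputs": ["B1", "B2"]},
    # CoinJoin-style transaction: users A, B and C each contribute one input.
    # The "coinjoin" flag is a constructed label; spotting CoinJoins on a real
    # chain is itself heuristic.
    {"txid": "t4", "inputs": ["A4", "B2", "C1"], "coinjoin": True},
]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster(txs, skip_coinjoin=False):
    """Merge addresses that appear as inputs of the same transaction."""
    uf = UnionFind()
    for tx in txs:
        merge = not (skip_coinjoin and tx.get("coinjoin"))
        first = tx["inputs"][0]
        for addr in tx["inputs"]:
            uf.find(addr)                 # register the address either way
            if merge:
                uf.union(first, addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("naive:   ", cluster(SAMPLE_TXS))
    print("filtered:", cluster(SAMPLE_TXS, skip_coinjoin=True))
```

Applied naively, the single CoinJoin-style transaction collapses three unrelated users into one cluster; excluding it keeps them apart.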

So here's the first uncomfortable truth: the math alone is not the product. The product is the math plus the private label database plus human review, which brings us to the real business.

Step 2: labeling, or "who is this wallet actually?"

This is where Chainalysis @chainalysis, Blocksec @BlockSecTeam, TRM @trmlabs, Elliptic @elliptic, Merkle Science @MerkleScience, Scorechain @scorechain, AMLBot @AMLBotHQ, Arkham @arkham, Bitrace @Bitrace_team, and others earn the money.

Everyone can read Ethereum. Not everyone knows which addresses belong to Binance, OKX, the Tether treasury, a phishing kit, a ransomware group, a darknet market, a sanctioned Russian exchange, a Chinese OTC broker, or Lazarus.

The important distinction is this: raw chain data is a commodity, attribution labels are manufactured intelligence. Anyone can run an Ethereum node. Almost nobody knows that one random address is actually an OKX deposit wallet, or a Lazarus cash-out wallet, or a USDT address used by a scam call center. That difference is the business.

Mostly, vendors build labels by doing boring detective work at scale. They run ground-truth transactions (deposit into an exchange, withdraw from it, watch which addresses get used, repeat until they've mapped the service).

They scrape OSINT (Open Source Intelligence) from forums, Telegram, Reddit, darknet markets, scam reports, ransomware pages, YouTube descriptions, GitHub repos, paste sites, anywhere people post addresses.

They lean on law enforcement and exchange relationships, because police seize servers and exchanges respond to subpoenas, and those signals flow back into a data flywheel.

They run undercover interactions against ransomware payment portals, darknet markets, and scam wallets. And then there's off-chain surveillance, which is the spicy part most brochures don't lead with.

Here's the more honest version:

Data Sourcing Data — by AllScale

This off-chain piece is not hypothetical. Leaked Chainalysis slides reported by CoinDesk showed Chainalysis owned WalletExplorer.com and used it to collect IP addresses from people looking up wallets, and there have been controversies around fake Bitcoin nodes and attempts to gather metadata on privacy coins.

Source: CoinDesk

That doesn't mean "every KYT vendor is evil." It means the clean public story, "we analyze the blockchain," is incomplete. The real story is that they combine on-chain graph data with off-chain clues: IP addresses, exchange KYC, subpoenas, OSINT, customer feedback, honeypots, and human investigation.

This is why your wallet is less private than you think, and it's not because the blockchain prints your legal name. It's because the moment your address touches an exchange, a website, an app, an RPC endpoint, a block explorer, a scam report, or any subpoena-able service, the pseudonymity starts leaking.

It's also why open-source KYT is hard. You can open-source the graph engine, the case-management workflow, and sanctions screening. You cannot magically open-source ten years of labeled exchange wallets, scam wallets, bridge routes, ransomware addresses, OTC brokers, law-enforcement leads, and customer feedback. That's why GraphSense and BlockSci are genuinely useful but they're not "free Chainalysis." The code isn't the scarce thing. The phone book is.

Step 3: tracing "dirty" money

Now we get to the thing people think KYT is: "is this money dirty?" But even that question is slippery. Say a thief has 3 stolen BTC and mixes it with 7 clean BTC, so there are now 10 BTC in the wallet. If the wallet sends out 6 BTC, which BTC actually left?

There are three common ways to think about it, and they genuinely disagree:

The key point: when someone says "this wallet received dirty funds," the right follow-up is "using which tracing method?" Two KYT vendors can look at the same wallet and disagree, and it's not because one of them is dumb. It's because there's no single God-approved definition of "taint."
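The scenario above (3 stolen BTC, 7 clean BTC, 6 BTC sent out) run through three taint-accounting models that are widely described in blockchain-analysis literature: poison, haircut and FIFO. This is an added example, not AllScale's or any vendor's code; the choice of these three models and the two deposit orderings are assumptions of the example.

```python
from collections import deque

# Each deposit is (amount_btc, is_stolen), listed in arrival order.
# Constructed from the scenario above: 3 stolen BTC and 7 clean BTC.
STOLEN_FIRST = [(3.0, True), (7.0, False)]
CLEAN_FIRST = [(7.0, False), (3.0, True)]


def poison(deposits, out_amount):
    """Any stolen input taints everything that leaves the wallet."""
    return out_amount if any(dirty for _, dirty in deposits) else 0.0


def haircut(deposits, out_amount):
    """Taint is spread evenly: every outgoing coin carries the wallet's ratio."""
    total = sum(amount for amount, _ in deposits)
    stolen = sum(amount for amount, dirty in deposits if dirty)
    return out_amount * stolen / total


def fifo(deposits, out_amount):
    """First coins in are the first coins out, so arrival order decides."""
    queue, remaining, tainted = deque(deposits), out_amount, 0.0
    while remaining > 0 and queue:
        amount, dirty = queue.popleft()
        spent = min(amount, remaining)
        tainted += spent if dirty else 0.0
        remaining -= spent
    return tainted


def tainted_outflow(deposits, out_amount):
    """Stolen BTC attributed to the outgoing payment under each model."""
    return {
        "poison": poison(deposits, out_amount),
        "haircut": haircut(deposits, out_amount),
        "fifo": fifo(deposits, out_amount),
    }


if __name__ == "__main__":
    for name, deposits in (("stolen first", STOLEN_FIRST), ("clean first", CLEAN_FIRST)):
        print(name, tainted_outflow(deposits, 6.0))
```

The same 6 BTC payment carries 6, 1.8, 3 or 0 BTC of stolen funds depending on the model and, for FIFO, on which deposit arrived first.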

Step 4: risk scoring, or "your wallet's reputation by association"

The product compliance teams actually see isn't a philosophical taint debate, it's a risk score: low, medium, high, critical, or some vendor-specific number. The easiest mental model:

A KYT score is like a credit score, except instead of asking if you repay debt, it asks who your money hangs out with.

There are two big types of exposure. Direct exposure is when you transact directly with a bad address. Indirect exposure is when your funds came from or went to something bad through pass-through wallets. And here's a trap worth flagging: hop count is not the right model. People say "it was 6 hops away, so it's fine," but creating wallets is free, so a launderer can make 50 hops in an afternoon.

Good KYT doesn't just count hops. It follows the money until it hits something meaningful (a regulated exchange, a mixer, a bridge, a sanctioned wallet, a scam cluster, a darknet service, a known exploit wallet, an unlicensed OTC desk), and then asks the questions that matter: what category was it, how much value touched it, was it direct or indirect, how fresh is the exposure, and what's our policy threshold?

Sanctions are usually the hard stop. If an address is on OFAC's SDN list, you don't get cute, you block. Mixers are more nuanced: a mixer hit might trigger human review, source-of-funds questions, or a freeze, depending on the amount, jurisdiction, user profile, and vendor score. This is where compliance becomes product logic, and sometimes very user-hostile product logic.

What happens when you deposit crypto

Let's say you deposit 2 ETH into an exchange. Behind the scenes, before they credit you, the exchange screens the deposit: it checks the sending address, checks the source of funds, traces backward through wallets, looks for exposure to risky categories, compares the score to internal policy, and then either credits, holds, rejects, freezes, or escalates.

A concrete version: 1.4 ETH traces back cleanly to Coinbase, fine. But 0.6 ETH traces back through a few pass-through wallets to a Tornado Cash withdrawal, the vendor returns high mixer exposure, and the exchange doesn't auto-credit. A human analyst opens the graph, and if it also traces toward stolen funds, you get a source-of-funds email and your deposit may be frozen.

And you might be completely innocent. Maybe you bought that ETH OTC from someone sketchy, maybe you got paid by a customer who got paid by a customer who touched a mixer, maybe someone dusted you with tainted funds on purpose. This is the human cost of KYT: the system is trying to stop bad money, but it can absolutely punish good users.
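The 2 ETH deposit above as a backward trace that stops at labeled entities instead of counting hops, followed by a policy decision. This is an added example, not AllScale's or BlockSec's code; the addresses, label database, proportional value split and the 10% mixer threshold are all hypothetical.

```python
# Constructed data. INFLOWS[addr] lists (source_address, amount_eth) received.
INFLOWS = {
    "sender": [("cb_hot", 1.4), ("pass1", 0.6)],
    "pass1": [("pass2", 0.6)],
    "pass2": [("pass3", 0.6)],
    "pass3": [("tc_out", 0.6)],
    "clean_sender": [("cb_hot", 2.0)],
    "bad_sender": [("cb_hot", 1.99), ("sdn_addr", 0.01)],
}
# Hypothetical label database and policy thresholds (max share of a deposit).
LABELS = {"cb_hot": "exchange", "tc_out": "mixer", "sdn_addr": "sanctioned"}
POLICY = {"mixer": 0.10}


def trace(addr, amount, inflows, labels, path=()):
    """Follow `amount` backward until it reaches a labeled entity.

    Value is split across sources in proportion to what each one sent
    (an assumption of this example). Returns {category: value}.
    """
    if addr in labels:
        return {labels[addr]: amount}
    sources = inflows.get(addr, [])
    if not sources or addr in path:      # origin not recorded, or a cycle
        return {"unknown": amount}
    total = sum(value for _, value in sources)
    exposure = {}
    for src, value in sources:
        share = amount * value / total
        for cat, v in trace(src, share, inflows, labels, path + (addr,)).items():
            exposure[cat] = exposure.get(cat, 0.0) + v
    return exposure


def screen_deposit(sender, amount, inflows=INFLOWS, labels=LABELS, policy=POLICY):
    """Return (decision, exposure) for a deposit of `amount` from `sender`."""
    exposure = trace(sender, amount, inflows, labels)
    # Sanctions are the hard stop; in this example any sanctioned exposure blocks.
    if exposure.get("sanctioned", 0.0) > 0:
        return "block", exposure
    for category, max_share in policy.items():
        if exposure.get(category, 0.0) / amount > max_share:
            return "hold_for_review", exposure
    return "credit", exposure
```

The mixer withdrawal sits four hops behind the sender, yet 0.6 of the 2 ETH still resolves to the mixer category and the deposit is held for review.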

If you're a normal business accepting stablecoin payments, this isn't an abstract compliance-podcast topic, it can get very real. You invoice a customer, they pay you from a risky wallet, you did nothing wrong, and now your treasury has exposure to funds that might trigger a freeze, a bank question, an exchange review, or a source-of-funds request down the line. That's why a payment solution built for everyday business shouldn't just help you get paid faster, it should help shield you from getting paid by a suspicious wallet in the first place.

BlockSec’s Phalcon KYT System

This is also why @allscaleio has partnered with @BlockSecTeam to implement basic built-in KYT for all of our merchant wallets. We make sure the wallet that's directly paying you isn't on any list (note: more advanced features are only for paid users, but basic features are available to all by default as of June 2026).

That part isn't theoretical either. False positives are a real operational pain: older transaction-monitoring systems can generate brutal false-positive rates, and even better systems still need a ton of human triage. Which is the whole reason "we use Chainalysis" is not a compliance program. It's just a tool. The program is the policy, thresholds, analyst workflow, appeals path, audit trail, and judgment sitting around it.

Why stablecoins made KYT way more important

Here's the 2026 punchline: KYT used to feel like a crypto-exchange thing, and now it's becoming a stablecoin-payments thing. That's a big shift, because stablecoins are no longer just exchange chips for traders, they're payment rails, payroll, invoices, remittance, merchant settlement, cross-border B2B, treasury movement, and (probably soon) agent payments.

This is also where the builder opportunity gets obvious. If stablecoins are going to be used by normal companies, the compliance layer has to move into the payment flow itself, not as a scary dashboard someone checks after the money is already sitting in your wallet, but before that. At AllScale this is one of the reasons we're working with BlockSec to enable built-in basic KYT for transactions. The goal is simple: if a business is getting paid through an invoice or a checkout link, we should help detect obvious wallet risk before that payment becomes their headache.

The honest limitations

Here's the no-BS part. KYT is powerful, and it's also not magic. The main problems:

This is why I don't buy either extreme. "KYT is useless compliance theatre" is wrong, because it catches real crime, helps recover funds, and lets legitimate businesses operate. "KYT gives perfect truth" is also wrong, because it's a very good, very fast, very imperfect detective built on public ledgers, private labels, probabilistic assumptions, and human judgment. That's the real version.

Hope by this point you already see why and how we at @allscaleio are implementing KYT even for our non-custodial solution. We care about the permissionless nature of on-chain payments but also care about compliance and protection for all the merchants on our platform. Many, many thanks to our partner @BlockSecTeam, especially @yajinzhou and @RubyXulj, for all the support in building AllScale and for helping me review this article.

In case you are still curious about even more details, here is more for you to read!

Disclaimer: this is not financial or legal advice. AllScale is a non-custodial solution, and our KYT results are applied directly on the wallet initiating all transactions, but we cannot guarantee a 100% success rate (no one can).

Last Edit:
June 17, 2026

© Copyright 2026. All Rights Reserved.

AllScale is a financial technology developer, not a bank and does not provide digital assets custodian services.
