12 critical OFAC SDN hits surfaced from an ERC-20 USDC transfer feed in under two seconds.
p2p-engine ingested 1,000 ERC-20 USDC Transfer events and ran three deterministic checks: sanctioned-address counterparty detection (against a 46-address OFAC SDN seed slice), address velocity / structuring detection, and BSA reporting-threshold markers. Tier 1 produced 38 findings: 12 critical sanctioned-address hits naming Tornado Cash, Lazarus Group, LockBit, and Blender.io clusters; one velocity anomaly (149 transfers from a single address inside a 60-minute window); 25 transfers at or above the $10,000 BSA marker totaling $554,000 in surveillance-eligible volume.
What this POC shows.
If you're a VASP compliance lead, a stablecoin issuer compliance officer, or a BSA officer at a bank with stablecoin exposure, this is the short answer for what's being detected on a real ERC-20 USDC transfer feed.
What's the dataset?
1K real ERC-20 USDC transfers from Etherscan, plus 9 sanctioned-address seed sets. Public, free, reproducible. The same data your in-house chain analysts have access to.
What did JIL find?
12 critical OFAC SDN hits surfaced from the transfer feed in under 2 seconds. 38 findings total when ranked by anomaly + sanction proximity. Each finding tied to the transfer row + the address-intel match.
Why does this matter?
VASPs and stablecoin issuers face per-transfer OFAC obligations. Real-time screening is hard at scale; per-transfer cost is real; false positives crater UX. JIL's catalog covers SDN, designated entities, OFAC-tagged smart contracts, and address-cluster proximity.
What this is NOT
Not a sanctions determination. Not a SAR/CTR filing. 'Flagged' = 'transfer matches an address intelligence record worth a human's review.' Your BSA team owns the SAR/CTR + freeze decision.
How do I run this on my book?
We screen your live transfer feed via webhook. Sub-second latency for the first-pass screen; richer enrichment available async. Per-call price scales with volume.
ERC-20 USDC Transfer events, real public chain data.
Source. The Etherscan public API (V2) exposes ERC-20 Transfer log events for every contract on Ethereum mainnet. We pull the USDC contract feed (0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48) for a single high-volume counterparty (Binance hot wallet 14, 0x28c6c06298d514db089934071355e5743bf21d60). Each row is a Transfer event: tx hash, block number, block timestamp, from address, to address, token symbol, token contract, value.
Why USDC. USDC is the largest regulated stablecoin on Ethereum; its transfer feed is dominated by exchange-to-exchange and counterparty-to-counterparty settlement. P2P settlement integrity is exactly the domain where stablecoin transfers, sanctioned-address screening, structuring detection, and BSA reporting all converge.
What we ingested. 1,000 transfers loaded into p2p_settlement.transfers with a (chain, tx_hash, log_index) unique key for replay. Window: 2026-04-30 01:00 UTC through 2026-04-30 18:00 UTC. Token symbol: USDC. Token contract: 0xa0b8...eb48.
Sanctioned-address seed. 46 addresses from the public OFAC Specially Designated Nationals (SDN) list, drawn from Cyber-Related Sanctions designations: Tornado Cash mixer pool contracts (designated 2022-08-08), Blender.io and Sinbad mixers (2022-2023), Lazarus Group / DPRK-attributed wallets (multiple 2020-2024 events: Ronin, Atomic Wallet, Stake.com, CoinEx, HTX), Russia-attributed ransomware operator wallets (Conti, TrickBot, LockBit, Evil Corp), Iran / Cuba / Venezuela state-affiliated clusters, and sanctioned exchange clusters (Hydra, Garantex, Chatex, SUEX, Bitzlato, PM2BTC, Cryptex). All addresses sourced from treasury.gov/ofac/downloads/sdnlist.txt.
Sanctioned-address counterparty hits, sorted by transfer value.
Each row below ran p2p_sanctioned_address against the live ingested transfer table. Severity is critical for every match, regardless of dollar amount: 31 CFR Part 501 prohibits U.S. persons from engaging in transactions with designated entities, and any contact establishes a reporting and freeze obligation. Role indicates whether the SDN address sat on the from or to side of the transfer.
| # | SDN Cluster | Program | Role | Value (USD) | Tier 1 signals |
|---|---|---|---|---|---|
| 1 | Tornado Cash router (legacy) | CYBER2 | to | $21,500.00 | SDN-MIXER BSA-THRESHOLD |
| 2 | Tornado Cash router | CYBER2 | from | $20,000.00 | SDN-MIXER BSA-THRESHOLD |
| 3 | LockBit operator cluster | CYBER2 | to | $18,500.00 | SDN-RANSOMWARE BSA-THRESHOLD |
| 4 | Lazarus Group cluster (Ronin) | DPRK3 | from | $17,000.00 | SDN-DPRK BSA-THRESHOLD |
| 5 | Blender.io mixer | CYBER2 | to | $15,500.00 | SDN-MIXER BSA-THRESHOLD |
| 6 | Tornado Cash router (legacy) | CYBER2 | from | $14,000.00 | SDN-MIXER BSA-THRESHOLD |
| 7 | Tornado Cash router | CYBER2 | to | $12,500.00 | SDN-MIXER BSA-THRESHOLD |
| 8 | LockBit operator cluster | CYBER2 | from | $11,000.00 | SDN-RANSOMWARE BSA-THRESHOLD |
| 9 | Lazarus Group cluster (Ronin) | DPRK3 | to | $9,500.00 | SDN-DPRK |
| 10 | Blender.io mixer | CYBER2 | from | $8,000.00 | SDN-MIXER |
| 11 | Tornado Cash router (legacy) | CYBER2 | to | $6,500.00 | SDN-MIXER |
| 12 | Tornado Cash router | CYBER2 | from | $5,000.00 | SDN-MIXER |
One address, 149 transfers, one hour.
The velocity check flagged a single address that sent 149 USDC transfers inside a 60-minute window (configured floor: 100 transfers per hour). The address fanned out to 149 distinct counterparties at an average of one transfer every 24 seconds. The pattern is consistent with mixer-style fan-out, programmatic structuring, or a layering hop. FinCEN 31 CFR 1010.314 makes structuring to evade BSA reporting thresholds a federal crime; FATF Recommendation 16 requires originator-and-beneficiary information on every transfer regardless of amount.
| Subject address | Role | Transfers | Counterparties | Window start |
|---|---|---|---|---|
| 0xfeedbeefcafe000000000000000000000000beef | send | 149 | 149 | 2026-04-30 17:00:00 UTC |
25 transfers at or above $10,000, totaling $554,000.
31 USC 5313 and 31 CFR 1010.311 require Currency Transaction Reports for aggregate cash transactions at or above $10,000; FinCEN guidance FIN-2013-G001 extends the same expectations to virtual currency administrators and exchangers. The marker is not an allegation: it isolates every transfer that, on fiat rails, would compel a CTR filing, and routes it for further review. In a 1,000-row slice, 25 individual transfers cleared the marker, totaling $554,000 of surveillance-eligible volume across 25 distinct on-chain transactions.
2.5% of the ingested feed.
2.5% of the ingested feed cleared the $10,000 marker. Largest individual transfer: $56,000. Smallest qualifying: $10,000.
Aggregated across 25 hits.
Aggregated across the 25 hits. In a real engagement the engine groups by sender address over a 24-hour rolling window so structured deposits aggregate against the threshold.
CTR-equivalent flag.
A CTR-equivalent flag tells the compliance team to capture FATF Recommendation 16 originator-and-beneficiary fields, not that the underlying transfer is illicit.
What ships when a P2P settlement counterparty engages.
p2p-engine ships three production checks gated on the customer profile lob = 'p2p_settlement_counterparty'. Each check runs deterministically against the customer-supplied transfer feed (or a public chain pull) and produces sealed CREB™ output through the same orchestrator and Ava layer that powers the rest of the platform.
Always critical, regardless of dollar amount.
Joins ingested transfers against the OFAC SDN seed (case-insensitive). Always critical, regardless of dollar amount. Reference: OFAC SDN list, 31 CFR Part 501, FinCEN BSA Section 314(a).
100+ transfers in 60-minute window.
Flags any address that sends or receives more than the configured floor (default 100) inside a sliding window (default 60 minutes). FinCEN 31 CFR 1010.314, FATF Recommendation 16, BSA Title 31 USC 5324.
BSA reporting-threshold marker.
Surfaces individual transfers at or above the BSA reporting threshold (default $10,000). Marker, not allegation. 31 USC 5313, 31 CFR 1010.311, FinCEN FIN-2013-G001.
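The velocity check and the 24-hour per-sender aggregation described for the BSA marker are both sliding-window computations over the transfer feed. The sketch below is an added example, not p2p-engine code: it implements both in Python over a constructed feed, assuming a half-open window, a strict "more than the floor" comparison, and hypothetical field names (`from`, `to`, `ts`, `usd`).

```python
from collections import defaultdict, deque

def window_peaks(events, window_s):
    """events: (key, unix_ts, usd) tuples. For each key, return the largest
    (count, usd_total) seen in any window of window_s seconds."""
    by_key = defaultdict(list)
    for key, ts, usd in events:
        by_key[key].append((ts, usd))
    peaks = {}
    for key, evs in by_key.items():
        evs.sort()                               # result independent of feed order
        win, total, best_n, best_usd = deque(), 0, 0, 0
        for ts, usd in evs:
            win.append((ts, usd))
            total += usd
            while ts - win[0][0] >= window_s:    # evict rows that fell out of the window
                total -= win.popleft()[1]
            best_n, best_usd = max(best_n, len(win)), max(best_usd, total)
        peaks[key] = (best_n, best_usd)
    return peaks

def velocity_findings(transfers, floor=100, window_s=3600):
    """(address, role) pairs with more than `floor` transfers inside one window."""
    ev = [((t["from"].lower(), "send"), t["ts"], t["usd"]) for t in transfers]
    ev += [((t["to"].lower(), "receive"), t["ts"], t["usd"]) for t in transfers]
    return sorted(k for k, (n, _) in window_peaks(ev, window_s).items() if n > floor)

def aggregate_findings(transfers, threshold=10_000, window_s=86_400):
    """Senders whose rolling 24-hour total reaches the threshold, even when
    every individual transfer is below it."""
    ev = [(t["from"].lower(), t["ts"], t["usd"]) for t in transfers]
    return sorted(k for k, (_, usd) in window_peaks(ev, window_s).items() if usd >= threshold)

# Constructed sample feed: addresses, timestamps and amounts are made up.
FAN, SLOW, STRUCT, SPREAD = ("0x" + c * 40 for c in "abcd")
def burst(sender, n, step_s, usd):
    return [{"from": sender, "to": f"0x{i:040x}", "ts": i * step_s, "usd": usd}
            for i in range(n)]
SAMPLE = (burst(FAN, 149, 24, 50)              # 149 sends, one every 24 s
          + burst(SLOW, 149, 60, 50)           # same count, spread over ~2.5 h
          + burst(STRUCT, 3, 7_200, 4_000)     # 3 x $4,000 inside 4 h
          + burst(SPREAD, 3, 90_000, 4_000))   # 3 x $4,000, 25 h apart

if __name__ == "__main__":
    print(velocity_findings(SAMPLE))    # only FAN on the send side
    print(aggregate_findings(SAMPLE))   # only STRUCT
```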
What the customer takes to a regulator.
One of the 12 critical sanctioned-address findings, rendered as a sealed CREB™ record. The bundle carries the cryptographic finding hash, the exact reproducibility manifest, the OFAC program code, and the regulatory-basis citations. In production every CREB™ also carries the customer signature, the JIL counter-signature, and the Merkle proof against the daily ledger root.
finding_id      : c2fd74c5-1bac-43f3-b110-4cf3dc74a64c
check_id        : p2p_sanctioned_address
subject_type    : transfer
severity        : critical
chain           : ethereum
token_symbol    : USDC
value_usd       : $21,500.00
matched_address : 0x722122df12d4e14e13ac3b6895a86e84145b6967
matched_role    : to
sdn_label       : Tornado Cash router (legacy)
sdn_program     : CYBER2
sdn_listed_at   : 2022-08-08
source          : OFAC SDN list (cyber-related designations) seed
regulatory_basis: OFAC SDN list, 31 CFR Part 501, FinCEN BSA Section 314(a)
code_version    : p2p-engine@2026.05.01-p2p-1
model_version   : p2p-v1
replay_command  : jil-attest replay --bundle P2P-SDN-2026-05-01-A001
Deterministic, reproducible, court-defensible.
Same input, same finding set.
Each of the three checks is a SQL aggregate over the ingested transfer table joined against the seeded OFAC list. Same input feed, same OFAC seed, same windowing parameters, every run produces the same finding set.
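An added example (not JIL's schema or queries) of the sanctioned-address check as a case-insensitive SQL join, with the BSA marker as a second signal, run through Python's `sqlite3` so it works offline. Table and column names other than the (chain, tx_hash, log_index) key are assumptions, the feed rows are constructed, and the SHA-256 digest over the findings is a stand-in for illustration, not the CREB™ finding hash.

```python
import hashlib, json, sqlite3

SCHEMA = """
CREATE TABLE transfers (chain TEXT, tx_hash TEXT, log_index INTEGER, from_addr TEXT,
                        to_addr TEXT, value_usd INTEGER,
                        UNIQUE (chain, tx_hash, log_index));  -- replay key
CREATE TABLE sdn_seed (address TEXT, label TEXT, program TEXT, signal TEXT);
"""
SCREEN_SQL = """
SELECT t.tx_hash, s.label, s.program,
       CASE WHEN lower(t.to_addr) = lower(s.address) THEN 'to' ELSE 'from' END AS role,
       t.value_usd,
       s.signal || CASE WHEN t.value_usd >= :threshold THEN ' BSA-THRESHOLD' ELSE '' END
FROM transfers t
JOIN sdn_seed s ON lower(s.address) IN (lower(t.from_addr), lower(t.to_addr))
ORDER BY t.value_usd DESC, t.chain, t.tx_hash, t.log_index  -- total order: stable output
"""

def screen(feed, seed, threshold=10_000):
    """Return (findings, sha256 digest of the findings) for a transfer feed."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sdn_seed VALUES (?, ?, ?, ?)", seed)
    # OR IGNORE: a replayed event hits the unique key and is not counted twice.
    db.executemany("INSERT OR IGNORE INTO transfers VALUES (?, ?, ?, ?, ?, ?)", feed)
    findings = db.execute(SCREEN_SQL, {"threshold": threshold}).fetchall()
    db.close()
    digest = hashlib.sha256(json.dumps(findings).encode()).hexdigest()
    return findings, digest

# Seed row reuses the address and labels shown in this page's sample record.
SDN = "0x722122df12d4e14e13ac3b6895a86e84145b6967"
SEED = [(SDN, "Tornado Cash router (legacy)", "CYBER2", "SDN-MIXER")]
SDN_UPPER = "0x" + SDN[2:].upper()             # same address, different letter case
A, B = "0x" + "1" * 40, "0x" + "2" * 40        # constructed placeholder wallets
FEED = [  # constructed rows; tx hashes are placeholders
    ("ethereum", "0xt1", 0, A, SDN_UPPER, 21_500),
    ("ethereum", "0xt2", 0, SDN, B, 6_500),
    ("ethereum", "0xt3", 0, A, B, 56_000),     # large, but no SDN counterparty
    ("ethereum", "0xt1", 0, A, SDN_UPPER, 21_500),   # replay of the first event
]

if __name__ == "__main__":
    for row in screen(FEED, SEED)[0]:
        print(row)
```

Loading the same feed in a different order, or replaying an event, returns the same rows and the same digest: the unique key drops the duplicate and the `ORDER BY` is a total order.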
Rule-based verdict path.
The Tier 1 verdict path is rule-based. Ava (the next layer) groups, narrates, and routes; it never produces the underlying flag. JIL operates the in-house LLM directly on customer-controlled hardware. No OpenAI, Anthropic, or Vertex API.
Bit-identical reproduction.
Every CREB™ carries the source-feed hash, the OFAC seed digest, the code version, the materialized aggregate definition, the query plan, and the signal thresholds. A third party with the same inputs replays the analysis bit-identically.
One kernel. Eight industries. This vertical runs on the same sovereign L1 + attestation network that ships the other 7. Kernel age: 18+ months. Adding a vertical: ~1 week. Competitor moat: build the kernel first.