Exchanges should move from isolated alerting to concentration-based analysis. The key is to cluster related wallets, counterparties, and transaction paths so investigators can see which small set of addresses drives most suspicious volume. That approach reduces noise, improves triage, and makes escalation more defensible under AML and reporting obligations.
Why This Matters for Security Teams
When illicit activity is spread across many addresses, simple address-by-address alerts miss the structure of the abuse. Exchanges need concentration-based analysis to understand which wallets, counterparties, and transaction paths are really driving risk. That matters for AML triage, sanctions screening, and defensible escalation, especially when criminals deliberately fragment flows to look routine.
The practical problem is not just volume, but attribution. One actor may control dozens of addresses, change chains quickly, and use intermediaries to blur direct links. Guidance from NIST Cybersecurity Framework 2.0 supports risk-based visibility and analysis, while NHIMG research on Top 10 NHI Issues highlights the same operational theme: fragmented identities and credentials become dangerous when teams cannot see the full pattern. In crypto compliance, the equivalent failure is fragmented transaction intelligence.
Exchanges that only monitor discrete alerts tend to over-escalate harmless retail activity and under-detect coordinated laundering, because the decisive signal sits in the cluster, not the single address.
How It Works in Practice
Effective detection starts by building a transaction graph that connects wallets through common funding sources, shared counterparties, timing patterns, reuse of infrastructure, and repeated exposure to high-risk services. Investigators then score clusters, not just isolated addresses, so they can identify a small number of entities generating outsized suspicious volume. This is consistent with risk-based monitoring principles in NIST SP 800-53 Rev. 5 Security and Privacy Controls, particularly where controls depend on correlation, auditability, and evidence retention.
NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because the same visibility problem appears in identity systems: without lifecycle insight, organisations miss how many assets are linked to one root risk. In exchanges, the implementation pattern usually includes:
- Wallet clustering based on shared inputs, repeated withdrawal destinations, and common control indicators.
- Counterparty tagging for exchanges, mixers, bridges, gambling services, and high-risk hosted wallets.
- Path analysis to show how funds move through hops, peel chains, and rapid consolidation.
- Threshold logic that alerts when many low-risk transfers converge on the same beneficiary or exposure pattern.
- Case management that preserves explainable evidence, not just a risk score.
The goal is not to label every address as malicious. It is to show whether the same actor, campaign, or laundering route is creating material exposure across many transactions. That makes the alert easier to defend with compliance teams and, where necessary, with regulators. These controls tend to break down when exchanges lack reliable entity attribution, because false cluster merges and missed common-control links quickly distort the risk picture.
Common Variations and Edge Cases
Tighter clustering often increases investigative overhead, requiring organisations to balance detection depth against analyst capacity and false-positive risk. Current guidance suggests there is no universal standard for how aggressive clustering should be, because chain type, asset mix, and customer behaviour vary widely.
Cross-chain movement is the hardest case. A laundering pattern may begin on one network, bridge to another, then fan out through fresh addresses before reconsolidating. Analysts should avoid assuming that every hop indicates criminal intent, because normal user behaviour can also create multiple addresses through custodial wallets, payment processors, and exchange hot-wallet operations. The right approach is to combine cluster analysis with behavioural context, sanctions intelligence, and source-of-funds review. NHIMG’s NHI Lifecycle Management Guide reinforces the broader lesson that lifecycle visibility matters when assets are transient and distributed.
For higher-risk cases, exchanges should also align review depth with escalation thresholds, audit trails, and reporting obligations under local AML rules. In practice, the most common failure is not a lack of data, but a weak decision model: teams see many small alerts, yet never convert them into a single risk narrative that explains why the pattern matters.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the technical controls, and PCI DSS v4.0 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is needed to correlate fragmented wallet activity into one risk picture. |
| NIST SP 800-63 | Identity assurance informs customer and entity attribution behind clustered crypto flows. | |
| NIST AI RMF | Risk management is needed when analytics and scoring influence compliance decisions. | |
| OWASP Non-Human Identity Top 10 | Distributed wallet control mirrors non-human identity sprawl and visibility gaps. | |
| PCI DSS v4.0 | 10.2 | Audit logging supports defensible investigation and evidence retention for suspicious flows. |
Correlate transactions continuously so dispersed activity is detected as a single suspicious pattern.
Related resources from NHI Mgmt Group
- Why do NHIs create more operational risk when secrets are spread across many systems?
- Why do access governance tools fail when identity data is spread across many systems?
- How should security teams reduce risk when IT tools are spread across many systems?
- What breaks when identity governance is spread across too many vendor tools?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org