A laundering technique that moves assets across multiple blockchains to break forensic continuity. It does not remove visibility, but it makes tracing harder because analysts must correlate activity across different ledgers, services, and operator identities to reconstruct the full path of funds.
Expanded Definition
Chain hopping is a laundering pattern, not a single transaction type. It describes the deliberate movement of assets across multiple blockchains, bridges, exchanges, and intermediary wallets so investigators must reconstruct activity across different ledgers and service providers. The tactic is designed to fragment forensic continuity, not to make the trail disappear. That distinction matters because visibility often remains, but the evidence is distributed across separate control environments, identities, and recordkeeping systems.
In practice, chain hopping is commonly associated with layered transfers, rapid asset swaps, and repeated use of services that alter the asset’s form or custody context. A rigorous understanding requires separating the blockchain layer from the identity layer: transaction data may still be public, while the operators, account holders, or NHI-linked service identities behind the transfers may sit behind different compliance regimes. That is one reason why the NIST Cybersecurity Framework 2.0 is useful as a governance lens, even though it does not define the term itself. It helps teams think about asset tracing as an ongoing detection and response capability rather than a one-time review.
The most common misapplication is treating chain hopping as if it were the same as simple coin mixing, which occurs when analysts focus on one wallet hop and miss the cross-chain transitions that reset the investigative trail.
Examples and Use Cases
Implementing detection for chain hopping rigorously often introduces false-positive pressure, requiring organisations to weigh broader surveillance coverage against the cost of investigating legitimate cross-chain activity.
- A suspect wallet sends funds from one chain to a bridge contract, receives wrapped assets on a second chain, then disperses them through multiple wallets to obscure the original source.
- An exchange compliance team sees deposits arrive from a known wallet cluster, but the assets have already crossed two networks and passed through several intermediary services before entering the platform.
- An investigation team links an on-chain transfer to a centralised service, then discovers that the same value was exchanged, bridged, and re-encoded across assets before reaching another ledger.
- A sanctions screening workflow flags only the final destination address, but the relevant exposure occurred earlier when the same assets traversed infrastructure owned by different operators and jurisdictions.
- A blockchain analytics team correlates activity using address clustering, bridge telemetry, and off-chain account records, aligning with broader digital-identity controls referenced in NIST CSF 2.0 and identity assurance concepts from NIST SP 800-63.
In laundering investigations, chain hopping is often paired with service fragmentation, meaning no single ledger view is sufficient to establish provenance without correlating exchange logs, bridge events, and wallet relationships.
Why It Matters for Security Teams
Chain hopping matters because it turns asset tracing into a multi-domain correlation problem. Security teams that only monitor one blockchain or one service boundary can miss the point where provenance is actually degraded. The operational risk is not just lost visibility, but delayed containment, weaker suspicious activity reporting, and incomplete incident narratives when funds move through several ledgers before reaching an exit point.
For compliance, investigations, and fraud teams, the challenge is to connect blockchain telemetry with customer identity, service operator records, and case management evidence. That is where identity governance becomes relevant: the same transfer may be visible on-chain, but the human or machine accounts controlling the hops may be spread across exchanges, custodians, and automated services. Where relevant, teams should align detection and escalation processes with FATF virtual asset guidance and map escalation workflows to the NIST Cybersecurity Framework 2.0 to keep investigative ownership clear.
Organisations typically encounter the full operational burden only after a laundering case spans multiple chains and the evidence trail must be rebuilt retroactively, at which point chain hopping becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the technical controls, and DORA define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring supports detection of multi-ledger asset movement patterns. |
| NIST SP 800-63 | AAL2 | Identity assurance helps tie account activity to actors behind cross-chain transactions. |
| NIST AI RMF | Risk management supports governance for analytics used to detect laundering patterns. | |
| OWASP Non-Human Identity Top 10 | Cross-service automation often relies on machine identities that can obscure transaction paths. | |
| DORA | Operational resilience matters when financial firms must trace cross-chain exposure during incidents. |
Expand monitoring to correlate cross-chain events, service logs, and alerts into one investigation workflow.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org