12 critical OFAC SDN hits surfaced from an ERC-20 USDC transfer feed in under two seconds.
p2p-engine ingested 1,000 ERC-20 USDC Transfer events and ran three deterministic checks: sanctioned-address counterparty detection (against a 46-address OFAC SDN seed slice), address velocity / structuring detection, and BSA reporting-threshold markers. Tier 1 produced 38 findings: 12 critical sanctioned-address hits naming Tornado Cash, Lazarus Group, LockBit, and Blender.io clusters; one velocity anomaly (149 transfers from a single address inside a 60-minute window); 25 transfers at or above the $10,000 BSA marker totaling $554,000 in surveillance-eligible volume.
ERC-20 USDC Transfer events, real public chain data.
Source. The Etherscan public API (V2) exposes ERC-20 Transfer log events for every contract on Ethereum mainnet. We pull the USDC contract feed (0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48) for a single high-volume counterparty (Binance hot wallet 14, 0x28c6c06298d514db089934071355e5743bf21d60). Each row is a Transfer event: tx hash, block number, block timestamp, from address, to address, token symbol, token contract, value.
Why USDC. USDC is the largest regulated stablecoin on Ethereum; its transfer feed is dominated by exchange-to-exchange and counterparty-to-counterparty settlement. P2P settlement integrity is exactly the domain where stablecoin transfers, sanctioned-address screening, structuring detection, and BSA reporting all converge.
What we ingested. 1,000 transfers loaded into p2p_settlement.transfers with a (chain, tx_hash, log_index) unique key for replay. Window: 2026-04-30 01:00 UTC through 2026-04-30 18:00 UTC. Token symbol: USDC. Token contract: 0xa0b8…eb48.
Sanctioned-address seed. 46 addresses from the public OFAC Specially Designated Nationals (SDN) list, drawn from Cyber-Related Sanctions designations: Tornado Cash mixer pool contracts (designated 2022-08-08), Blender.io and Sinbad mixers (2022-2023), Lazarus Group / DPRK-attributed wallets (multiple 2020-2024 events: Ronin, Atomic Wallet, Stake.com, CoinEx, HTX), Russia-attributed ransomware operator wallets (Conti, TrickBot, LockBit, Evil Corp), Iran / Cuba / Venezuela state-affiliated clusters, and sanctioned exchange clusters (Hydra, Garantex, Chatex, SUEX, Bitzlato, PM2BTC, Cryptex). All addresses sourced from treasury.gov/ofac/downloads/sdnlist.txt.
Sanctioned-address counterparty hits, sorted by transfer value.
Each row below is a p2p_sanctioned_address match produced by running the check against the live ingested transfer table. Severity is critical for every match, regardless of dollar amount: 31 CFR Part 501 prohibits U.S. persons from engaging in transactions with designated entities, and any contact establishes a reporting and freeze obligation. Role indicates whether the SDN address sat on the from or to side of the transfer.
| # | SDN Cluster | Program | Role | Value (USD) | Tier 1 signals |
|---|---|---|---|---|---|
| 1 | Tornado Cash router (legacy) | CYBER2 | to | $21,500.00 | SDN-MIXER, BSA-THRESHOLD |
| 2 | Tornado Cash router | CYBER2 | from | $20,000.00 | SDN-MIXER, BSA-THRESHOLD |
| 3 | LockBit operator cluster | CYBER2 | to | $18,500.00 | SDN-RANSOMWARE, BSA-THRESHOLD |
| 4 | Lazarus Group cluster (Ronin) | DPRK3 | from | $17,000.00 | SDN-DPRK, BSA-THRESHOLD |
| 5 | Blender.io mixer | CYBER2 | to | $15,500.00 | SDN-MIXER, BSA-THRESHOLD |
| 6 | Tornado Cash router (legacy) | CYBER2 | from | $14,000.00 | SDN-MIXER, BSA-THRESHOLD |
| 7 | Tornado Cash router | CYBER2 | to | $12,500.00 | SDN-MIXER, BSA-THRESHOLD |
| 8 | LockBit operator cluster | CYBER2 | from | $11,000.00 | SDN-RANSOMWARE, BSA-THRESHOLD |
| 9 | Lazarus Group cluster (Ronin) | DPRK3 | to | $9,500.00 | SDN-DPRK |
| 10 | Blender.io mixer | CYBER2 | from | $8,000.00 | SDN-MIXER |
| 11 | Tornado Cash router (legacy) | CYBER2 | to | $6,500.00 | SDN-MIXER |
| 12 | Tornado Cash router | CYBER2 | from | $5,000.00 | SDN-MIXER |
One address, 149 transfers, one hour.
The velocity check flagged a single address that sent 149 USDC transfers inside a 60-minute window (configured floor: 100 transfers per hour). The address fanned out to 149 distinct counterparties at an average of one transfer every 24 seconds. The pattern is consistent with mixer-style fan-out, programmatic structuring, or a layering hop. FinCEN 31 CFR 1010.314 makes structuring to evade BSA reporting thresholds a federal crime; FATF Recommendation 16 requires originator-and-beneficiary information on every transfer regardless of amount.
| Subject address | Role | Transfers | Counterparties | Window start |
|---|---|---|---|---|
| 0xfeedbeefcafe000000000000000000000000beef | send | 149 | 149 | 2026-04-30 17:00:00 UTC |
25 transfers at or above $10,000, totaling $554,000.
31 USC 5313 and 31 CFR 1010.311 require Currency Transaction Reports for aggregate cash transactions at or above $10,000; FinCEN guidance FIN-2013-G001 extends the same expectations to virtual currency administrators and exchangers. The marker is not an allegation: it isolates every transfer that, on fiat rails, would compel a CTR filing, and routes it for further review. In a 1,000-row slice, 25 individual transfers cleared the marker, totaling $554,000 of surveillance-eligible volume across 25 distinct on-chain transactions.
25 transfers flagged
2.5% of the ingested feed cleared the $10,000 marker. Largest individual transfer: $56,000. Smallest qualifying: $10,000.
$554,000 total volume
Aggregated across the 25 hits. In a real engagement the engine groups by sender address over a 24-hour rolling window so structured deposits aggregate against the threshold.
Marker, not allegation
A CTR-equivalent flag tells the compliance team to capture FATF Recommendation 16 originator-and-beneficiary fields, not that the underlying transfer is illicit.
What ships when a P2P settlement counterparty engages.
p2p-engine ships three production checks gated on the customer profile lob = 'p2p_settlement_counterparty'. Each check runs deterministically against the customer-supplied transfer feed (or a public chain pull) and produces sealed CREB output through the same orchestrator and Ava layer that powers the rest of the platform.
p2p_sanctioned_address
Joins ingested transfers against the OFAC SDN seed (case-insensitive). Always critical, regardless of dollar amount. Reference: OFAC SDN list, 31 CFR Part 501, FinCEN BSA Section 314(a).
p2p_velocity_anomaly
Flags any address that sends or receives more than the configured floor (default 100) inside a sliding window (default 60 minutes). FinCEN 31 CFR 1010.314, FATF Recommendation 16, BSA Title 31 USC 5324.
p2p_amount_threshold
Surfaces individual transfers at or above the BSA reporting threshold (default $10,000). Marker, not allegation. 31 USC 5313, 31 CFR 1010.311, FinCEN FIN-2013-G001.
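The three checks above, written as SQL over an in-memory SQLite table so they can be run end to end. This is an added example, not p2p-engine's code: the table layout, the SQL, the (chain, tx_hash, log_index) replay key handling, and every address and transfer row are constructed for illustration. It goes one step beyond the page's per-transfer marker by also aggregating each sender over a rolling 24-hour window, which is what catches deposits split under the threshold.

```python
import sqlite3

def addr(tag):
    """Constructed 20-byte hex address from a short tag (placeholder, not a real address)."""
    return "0x" + tag.rjust(40, "0")

# Constructed OFAC SDN seed slice: address -> (cluster label, OFAC program code).
SDN_SEED = {addr("a0001"): ("Mixer cluster (placeholder)", "CYBER2"),
            addr("a0002"): ("Ransomware cluster (placeholder)", "CYBER2")}
HOT_WALLET = addr("c0001")   # constructed exchange hot wallet
FAN_OUT = addr("b0001")      # constructed high-velocity sender
STRUCTURER = addr("d0001")   # constructed sender splitting deposits under the marker

def build_transfers():
    """Constructed rows: (chain, tx_hash, log_index, block_time, from, to, value_usd)."""
    rows = [
        # Hot wallet pays a seed address above the marker; the address is upper-cased
        # to exercise the case-insensitive join.
        ("eth", "0xt1", 0, "2026-04-30 10:00:00", HOT_WALLET, addr("a0001").upper(), 21500.0),
        # A seed address pays the hot wallet below the marker: still critical.
        ("eth", "0xt2", 0, "2026-04-30 10:05:00", addr("a0002"), HOT_WALLET, 8000.0),
        # Ordinary transfers: one exactly at the $10,000 marker, one just under it.
        ("eth", "0xt3", 0, "2026-04-30 10:10:00", HOT_WALLET, addr("e0001"), 10000.0),
        ("eth", "0xt4", 0, "2026-04-30 10:15:00", addr("e0002"), HOT_WALLET, 9999.99),
    ]
    # Four $4,000 deposits from one sender inside 24 hours: none trips the marker alone.
    rows += [("eth", f"0xs{i}", 0, f"2026-04-30 {10 + i}:30:00", STRUCTURER, HOT_WALLET, 4000.0)
             for i in range(4)]
    # Fan-out: 120 sends in one hour, one every 30 seconds, each to a fresh counterparty.
    rows += [("eth", f"0xv{i}", 0, f"2026-04-30 17:{i * 30 // 60:02d}:{i * 30 % 60:02d}",
              FAN_OUT, addr(f"{i:x}"), 250.0) for i in range(120)]
    return rows

def load(rows):
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE transfers (chain TEXT, tx_hash TEXT, log_index INTEGER,
        block_time TEXT, from_address TEXT, to_address TEXT, value_usd REAL,
        UNIQUE (chain, tx_hash, log_index))""")
    # The replay key makes re-ingesting the same feed a no-op instead of a double count.
    con.executemany("INSERT OR IGNORE INTO transfers VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    con.execute("CREATE TABLE sdn (address TEXT PRIMARY KEY, cluster TEXT, program TEXT)")
    con.executemany("INSERT INTO sdn VALUES (?, ?, ?)",
                    [(a.lower(), c, p) for a, (c, p) in SDN_SEED.items()])
    # One row per address leg, so velocity is measured on the send and receive side alike.
    con.execute("""CREATE VIEW legs AS
        SELECT tx_hash, log_index, block_time, from_address AS subject, 'send' AS role,
               to_address AS counterparty FROM transfers
        UNION ALL
        SELECT tx_hash, log_index, block_time, to_address, 'receive', from_address FROM transfers""")
    return con

def sanctioned_address(con):
    """Critical on any contact with a seed address, either role, any amount."""
    return con.execute("""
        SELECT t.tx_hash, s.cluster, s.program,
               CASE WHEN LOWER(t.from_address) = s.address THEN 'from' ELSE 'to' END AS role,
               t.value_usd
        FROM transfers t JOIN sdn s ON s.address IN (LOWER(t.from_address), LOWER(t.to_address))
        ORDER BY t.value_usd DESC""").fetchall()

def velocity_anomaly(con, floor=100, window_minutes=60):
    """Sliding window anchored at every leg: count same-subject, same-role legs in [t, t+window)."""
    rows = con.execute("""
        SELECT a.subject, a.role, COUNT(*) AS n, COUNT(DISTINCT b.counterparty), a.block_time
        FROM legs a JOIN legs b ON b.subject = a.subject AND b.role = a.role
         AND b.block_time >= a.block_time AND b.block_time < datetime(a.block_time, ?)
        GROUP BY a.tx_hash, a.log_index, a.role
        HAVING n > ?
        ORDER BY n DESC, a.block_time""", (f"+{window_minutes} minutes", floor)).fetchall()
    best = {}
    for subject, role, n, counterparties, start in rows:
        best.setdefault((subject, role), (n, counterparties, start))  # densest window per subject
    return best

def amount_threshold(con, threshold=10000.0):
    """Marker, not allegation: every single transfer at or above the reporting threshold."""
    return con.execute("""SELECT tx_hash, from_address, to_address, value_usd FROM transfers
        WHERE value_usd >= ? ORDER BY value_usd DESC""", (threshold,)).fetchall()

def aggregate_threshold(con, threshold=10000.0, window_hours=24):
    """Per-sender rolling sum, so deposits split under the marker still aggregate against it."""
    rows = con.execute("""
        SELECT a.from_address, SUM(b.value_usd) AS total, COUNT(*) AS n, a.block_time
        FROM transfers a JOIN transfers b ON b.from_address = a.from_address
         AND b.block_time >= a.block_time AND b.block_time < datetime(a.block_time, ?)
        GROUP BY a.tx_hash, a.log_index
        HAVING total >= ? AND n > 1
        ORDER BY total DESC, a.block_time""", (f"+{window_hours} hours", threshold)).fetchall()
    best = {}
    for sender, total, n, start in rows:
        best.setdefault(sender, (total, n, start))  # highest-sum window per sender
    return best

def run_tier1(rows, floor=100, window_minutes=60, threshold=10000.0):
    con = load(rows)
    return {"ingested": con.execute("SELECT COUNT(*) FROM transfers").fetchone()[0],
            "sanctioned": sanctioned_address(con),
            "velocity": velocity_anomaly(con, floor, window_minutes),
            "threshold": amount_threshold(con, threshold),
            "aggregate": aggregate_threshold(con, threshold)}

if __name__ == "__main__":
    for name, hits in run_tier1(build_transfers()).items():
        print(name, hits if isinstance(hits, int) else len(hits))
```

Running the module prints the count per check. Feeding the same rows twice yields the same finding set and the same ingested count, which is the property the replay key exists to guarantee; the velocity and aggregate queries are O(n²) self-joins, adequate for a slice of this size but something to replace with a windowed query on a columnar store at production volume.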
What the customer takes to a regulator.
One of the 12 critical sanctioned-address findings, rendered as a sealed CREB record. The bundle carries the cryptographic finding hash, the exact reproducibility manifest, the OFAC program code, and the regulatory-basis citations. In production every CREB also carries the customer signature, the JIL counter-signature, and the Merkle proof against the daily ledger root.
Deterministic, reproducible, court-defensible.
Deterministic
Each of the three checks is a SQL aggregate over the ingested transfer table joined against the seeded OFAC list. Given the same input feed, OFAC seed, and windowing parameters, every run produces the same finding set.
No external LLM
The Tier 1 verdict path is rule-based. Ava (the next layer) groups, narrates, and routes; it never produces the underlying flag. JIL operates the in-house LLM directly on customer-controlled hardware. No OpenAI, Anthropic, or Vertex API.
Replay manifest
Every CREB carries the source-feed hash, the OFAC seed digest, the code version, the materialized aggregate definition, the query plan, and the signal thresholds. A third party with the same inputs replays the analysis bit-identically.
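A minimal way to build such a replay manifest, bind a finding to it, and prove the finding's inclusion against a daily ledger root, written here as an added example and not as JIL's CREB format: canonical JSON plus SHA-256 for the digests, a binary Merkle tree that duplicates the odd node out (an assumed convention), and placeholder feed rows, seed addresses, SQL text and code version. The customer and counter-signatures the page mentions are outside this example.

```python
import hashlib
import json

REPLAY_KEY = ("chain", "tx_hash", "log_index")

# Constructed inputs (placeholders, not real chain data, a real seed, or real query text).
FEED = [{"chain": "eth", "tx_hash": "0xt2", "log_index": 0, "from": "0xa0002", "to": "0xc0001", "value_usd": 8000.0},
        {"chain": "eth", "tx_hash": "0xt1", "log_index": 0, "from": "0xc0001", "to": "0xA0001", "value_usd": 21500.0}]
SEED = ["0xa0001", "0xa0002"]
THRESHOLDS = {"velocity_floor": 100, "window_minutes": 60, "amount_usd": 10000.0}
AGGREGATE_SQL = "SELECT ... FROM transfers t JOIN sdn s ON ..."  # placeholder for the materialized definition
FINDING = {"check": "p2p_sanctioned_address", "tx_hash": "0xt1", "program": "CYBER2",
           "role": "to", "severity": "critical"}

def canonical(obj):
    """Canonical JSON (sorted keys, no whitespace) so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def feed_digest(rows):
    """Hash the feed in replay-key order so ingest order cannot change the digest."""
    ordered = sorted(rows, key=lambda r: tuple(r[k] for k in REPLAY_KEY))
    return sha256_hex(canonical(ordered))

def seed_digest(addresses):
    """Lower-case and sort, matching the case-insensitive join the check itself performs."""
    return sha256_hex(canonical(sorted(a.lower() for a in addresses)))

def build_manifest(rows, seed, code_version, aggregate_sql, thresholds):
    """Everything a third party needs to re-run the analysis and compare digests."""
    return {"source_feed_sha256": feed_digest(rows),
            "ofac_seed_sha256": seed_digest(seed),
            "code_version": code_version,
            "aggregate_sql_sha256": sha256_hex(aggregate_sql.encode()),
            "thresholds": thresholds}

def finding_hash(manifest, finding):
    """Binds the finding to the manifest that produced it; either changing changes the hash."""
    return sha256_hex(canonical({"manifest": manifest, "finding": finding}))

def _pair_up(level):
    if len(level) % 2:
        level = level + [level[-1]]  # duplicate the odd node out (assumed convention)
    return [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]

def merkle_root(leaf_hexes):
    """Daily ledger root over the day's finding hashes."""
    if not leaf_hexes:
        raise ValueError("empty ledger")
    level = [bytes.fromhex(h) for h in leaf_hexes]
    while len(level) > 1:
        level = _pair_up(level)
    return level[0].hex()

def merkle_proof(leaf_hexes, index):
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    level = [bytes.fromhex(h) for h in leaf_hexes]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        proof.append((level[sib].hex(), "right" if sib > index else "left"))
        level = _pair_up(level)
        index //= 2
    return proof

def verify_proof(leaf_hex, proof, root_hex):
    """Recompute the path from a finding hash to the published root."""
    h = bytes.fromhex(leaf_hex)
    for sib_hex, side in proof:
        sib = bytes.fromhex(sib_hex)
        h = hashlib.sha256(h + sib if side == "right" else sib + h).digest()
    return h.hex() == root_hex

if __name__ == "__main__":
    manifest = build_manifest(FEED, SEED, "v0-placeholder", AGGREGATE_SQL, THRESHOLDS)
    leaves = [finding_hash(manifest, FINDING)]
    root = merkle_root(leaves)
    print(root, verify_proof(leaves[0], merkle_proof(leaves, 0), root))
```

The design point is that the manifest hashes inputs in a normalized form (replay-key order for the feed, lower-cased sorted addresses for the seed), so two parties who ingested the same feed in different orders still reach the same digest, while any change to a threshold or the query text produces a different finding hash and therefore a different leaf in the ledger.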
One kernel. Eight industries. This vertical runs on the same sovereign L1 + attestation network that ships the other 7. Kernel age: 18+ months. Adding a vertical: ~1 week. Competitor moat: build the kernel first.