From Wallets to Counterparties: Why VASP Attribution Matters for Proactive Compliance 

In crypto compliance, everything begins with a deceptively simple question: who controls the wallet on the other side of the transaction? This clarity directly impacts how transfers are handled, the necessity for additional verification, and the evaluation of indirect risks for VASPs. The challenging task here is identifying the party behind a wallet.

While blockchain data shows asset movements, it lacks information on who owns an address, complicating compliance teams' efforts to evaluate activities and apply risk policies effectively. Without knowing the counterparty, determining obligations, conducting due diligence, and assessing the level of risk becomes difficult.

Thus, attribution is vital for a strong compliance program. It provides essential context for compliance teams because it supports AML controls and enhances Travel Rule processes for information exchange. Additionally, it enables a risk-based framework with clear thresholds, rather than arbitrary decisions.

What is VASP Attribution

Attribution is the process of identifying the controller of a blockchain address by linking it to a service or unhosted wallet, grouping related addresses into “clusters” to represent that service's footprint. Rather than viewing each wallet address in isolation, attribution provides structure via clustering: it shows which actors are involved and which addresses belong to the same operational entity, offering a clearer view of how value moves across the ecosystem. 

At Merkle Science, clustering is mainly heuristic-based but built on an initial layer of fully evidence-backed attribution. It is only extended through structured validation, repeated applicability testing, and multi-stage review to ensure consistency and auditability. 

VASP attribution helps identify whether a blockchain address is managed by a VASP, like an exchange, custodian, or wallet service. This helps link a transfer to a known party and indicates which regulations apply.

When we find out that an address belongs to a supervised VASP, we know exactly what to do. However, if the address belongs to a nested or “parasite” exchange using another platform’s wallets, the situation becomes riskier and needs more review. Without this understanding, it can be difficult to apply controls consistently or explain why we assess certain transactions in a specific way. Merkle Science identifies such structures using dusting and custom clustering heuristics.

Why VASP Attribution Matters to Compliance Teams: Travel Rule, AML, and CFT Requirements

Crypto compliance mostly depends on knowing exactly who receives the funds. Sanctions screening, for example, is only effective when a compliance team can identify the counterparty institution and the jurisdiction under which it operates, not just the wallet address. VASP attribution enables the detection of transfers involving sanctioned or high-risk platforms, allowing for the blocking, escalation, and documentation of decisions in a manner that meets regulatory expectations.

The same clarity enables proportionate due diligence. After identifying a counterparty VASP, we can assess its risk by examining its jurisdiction, regulatory oversight, and compliance history. This helps teams to go beyond the standard controls and apply another level of scrutiny that matches the actual risk posed by the institution involved.

Attribution is central to effective transaction monitoring  because it anchors on-chain activity to an identifiable counterparty rather than treating every address as standalone. Without that context, routine operational flows such as pooled wallets used by payment processors or omnibus accounts used by brokers can resemble structuring or layering and trigger unnecessary alerts. When the counterparty is known, monitoring rules can be calibrated to expected behavior and risk tier, reducing false positives while preserving escalation for activity that genuinely warrants investigation.

VASP attribution helps organizations make clear and reliable compliance decisions. It makes sure that actions are based on risks, are consistent, and rely on evidence rather than being reactive. This applies across areas like sanctions, due diligence, and monitoring.

The Biggest Challenges for VASP Attribution in 2026

The challenges of VASP attribution in 2026 come from regulatory, technical, and often behavioral factors as well. As jurisdictions adopt VASP rules and the Travel Rule at varying paces, while on-chain visibility varies by service, attribution methods can fail with some transaction patterns. On top of that, counterparties often use structures that are not always obvious on the blockchain. This fragmentation is best seen from FATF’s 2025 update, as many jurisdictions still struggle with identifying VASP activities. Data inconsistencies, transactions across multiple blockchains, and attempts to hide information by illegal actors make it difficult to track where certain actions come from. Attribution should not depend on just one piece of information.

For compliance teams, these constraints mean that attribution rarely gives a clean result. 

Decisions must often be made on a spectrum of certainty: what can be verified confidently, what can only be inferred, and what remains unresolved.

 Controls that depend on counterparty clarity—from the Travel Rule to sanctions screening to risk scoring—inherit this uncertainty. As a result, teams must document assumptions, justify escalations more carefully, and structure policies that can withstand supervisory scrutiny even when attribution cannot provide perfect answers.

Suggested read: Explore Travel Rule Implementation

VASP Attribution, the Travel Rule, the Sunrise Issue

VASPs face significant challenges with the Travel Rule due to uncertainty about who controls counterparty wallets. It can be unclear if a wallet belongs to a regulated VASP or an unhosted individual. Fragmented protocols and inconsistent verification hinder compliance efforts, resulting in a slow and uncertain process.

The Travel Rule explains what needs to be done, but putting it into practice presents a major challenge: tracking where the counterparty wallets are located. This issue is made worse by the gradual rollout known as the Sunrise Issue. 

The Sunrise Issue was once framed as a timing mismatch in which some jurisdictions had implemented the Travel Rule while others had not. I argue that framing it as merely a timing issue understates the challenge in 2026. The real problem is uneven operationalization: jurisdictions move at different speeds, interpret the FATF’s Recommendation 15 differently, and enforce it inconsistently, even after legislation is passed. 

Different countries have different rules for VASPs, and this creates possible weaknesses. A VASP in a country that takes longer to update its rules may not have strong requirements for onboarding and reporting. This can lead to gaps in identity checks during cross-border transactions. While MiCA doesn’t directly govern the Travel Rule, it defines the VASP scope. In the EU's MiCA transition, member states have transition periods ranging from five to eighteen months, all intersecting on July 1, 2026. As a result, a VASP can end up authorized in one area but out of scope in another, which creates inconsistencies in “pre-MiCA compliance”.

Brazil, for example, will apply Travel Rule obligations to domestic transfers starting February 2026, while cross-border requirements will begin in 2027. This creates a situation where one side of a transaction may be compliant while the other is not, complicating compliance efforts. Accurately identifying whether a counterparty is a VASP and its registration can help compliance teams navigate these obligations and improve due diligence. Without this clarity, teams might rely on assumptions instead of confirmed identities, making it harder to execute the Travel Rule and analyze sanctions.

Suggested read: Protocols in the Travel Rule Solution Explained (2025)

Unhosted Wallets: When Attribution Ends Before Compliance Begins

Unhosted wallets expose a limit that attribution cannot resolve: there is no counterparty institution on the other side. Without a supervised VASP to confirm identities or exchange Travel Rule data, the compliance burden rests solely on the originating firm. The FATF has stated that this doesn’t make such transfers risk-free; on-chain signals and the nature of a self-hosted wallet remain relevant. However, only a few jurisdictions have implemented enforceable obligations regarding this principle.

The main challenge for compliance teams is the lack of reciprocal controls, not just the wallet itself. When dealing with self-hosted wallets, assessing risk is harder without access to another VASP’s KYC, supervision, or reporting obligations. To manage this, firms rely on behavior-led risk assessment, analyzing on-chain behavior, categorizing unhosted-wallet transfers by value and risk, and applying allowlists or blocklists where there is confirmed exposure or repeat activity. They may apply lighter verification for first-time withdrawals and flag transfers that deviate from expected patterns. These measures help manage risk, but they do not provide the same certainty as transacting with a regulated counterparty.

AI-Enabled Evasion: When Attribution Can’t Keep the Pace

Using AI to manage transactions across different blockchain networks and DeFi platforms makes it harder to reconstruct how funds have moved upstream. This does not invalidate attribution, but it changes how attribution must be interpreted. Techniques that improve privacy, like coordinated transactions and quick shifts between chains, can impede counterparty detection.

These behaviors undermine standard attribution rules, so compliance teams must treat patterns of evasion themselves—such as rapid hops, coordinated timing, and micro-slicing—as risk indicators rather than relying solely on entity classification. At Merkle Science, this is addressed through rigorously tested and continuously updated behavior-based heuristics, such as peel-chain detection, applied consistently across observed patterns.

Attribution anchors the known party; behavior reveals the unknown one.

Why Attribution Alone Is No Longer Enough

The limits of VASP attribution are not failures of technology. They reflect an ecosystem where regulation, supervision, and illicit behavior move at different speeds. In that environment, compliance teams cannot rely on a single signal or a one-time classification.

Identity and on-chain intelligence must work together to enhance compliance. Verified counterparty identity offers regulatory certainty, while behavioral analysis helps detect emerging risks and reduce false positives. This combination transforms static attribution into a dynamic risk assessment that adapts to real-world behavior. 

For VASPs, this kind of approach enhances compliance and improves risk assessments to meet regulatory standards. Identity information combined with on-chain behavior is vital for effective Travel Rule enforcement when we take the complexity of the regulations into consideration. This combination provides VASPs with both certainty and flexibility in their compliance efforts.

Comply with the Crypto Travel Rule easily

Join 1,700+ VASPs in the Sumsub ecosystem.

Find out more