Chainalysis published its Compliance Benchmark 2026 ("New Rails", 27 May) and the convergence headline is real: about 47% of crypto-onboarding programmes now run direct-alerting thresholds that would have ranked top-decile in 2020. The crypto industry has caught up to TradFi on the direct layer.
But there's a second number in the same dataset that I think matters more, and almost nobody is talking about it. Indirect exposure thresholds across the four high-risk categories — ransomware, fraud shops, scams, darknet markets — still sit 10 to 20 times higher than the direct equivalents the cohort just converged on. The example Chainalysis gives is exact: a programme that alerts on $10 of direct ransomware exposure may not flag indirect ransomware exposure until it hits $100.
For anyone outside the AML weeds, the mechanical distinction:
- Direct exposure = the wallet you're screening transacted directly with a flagged address. One hop. Easy to alert on, easy to investigate.
- Indirect exposure = the wallet you're screening is two or more hops from a flagged address — a counterparty of a counterparty. The blockchain-analytics cohort can trace it. The detection isn't the hard part.
The hard part is what comes after the alert. At hop N the fan-out grows fast, and every cleared transaction obliges the receiving entity to produce evidence that the implicated counterparty was screened to its own standard. The conventional answer is to re-collect the underlying KYC documents and re-screen. That re-collection cost is what compresses indirect thresholds upward — false-positive economics, not detection difficulty.
What made me write this up is that three regulatory regimes are now asking the same indirect-exposure question, and the implementations are still defaulting to direct-only:
- FATF Recommendation 15 + 16 (Updated Guidance) — Travel Rule originator/beneficiary obligations at every VASP-to-VASP transfer, which is the cross-rail counterparty layer that operationalises indirect monitoring.
- EU AMLR (Regulation 2024/1624) Articles 20 + 26 — verify customer identity AND ongoing monitoring of the relationship and the transactions inside it, consistent with the entity's knowledge of the customer's risk profile.
- FCA CP26/13 — widens the regulated UK crypto perimeter; OFSI Regulation 17A makes the multi-hop sanctions-tracing operational consequence explicit (Elliptic's 26 May analysis is the clearest read I've seen on what this does to UK VASP screening workflows).
Three regimes asking the same question. Three implementations giving the same wrong answer. My read is that this isn't a screening-tool problem. The KYT cohort — Chainalysis KYT, TRM Labs, Elliptic, Merkle Science — does the detection work the regulator frame demands, and the tools are strong. Where the gap actually lives is at the handoff: evidence currency degrades each time a customer moves to a new obliged-entity perimeter, and re-collection cost scales with the number of handoffs.
The structural fix, the way I see it, has to be two layers, not one:
1. Transaction-monitoring layer — the KYT cohort, doing exactly what they do today: cluster wallet addresses into identified entities, trace exposure across hops, surface alerts. Detection.
2. Identity-attestation layer — a portable, verifier-private claim that the wallet's owner was screened against sanctions / PEP / adverse-media / criminal / barred lists, bound to a specific wallet, valid until documented expiry. Evidence.
These are different workloads. The transaction layer reads chain data; the identity layer carries the AML evidence behind the wallet. Neither alone closes the gap. KYT tools don't hold the document trail; the document trail doesn't read the chain. The architectural question is how you let the receiving platform read "this wallet's owner was screened to a documented standard at attestation time" without re-collecting the underlying KYC each handoff. Reusable attestation as a primitive, basically.
The live test for whether anyone actually builds this properly is what OFAC just did on 2 June — the Iran-exchange designations (Nobitex, Wallex, Bitpin, Ramzinex, $40B tracked exposure). The screening surface for any UK or EU CASP touching those rails just expanded by an order of magnitude overnight. Programmes running direct-only will look fine in their dashboards and fail at supervisory review on the indirect-exposure standard.
Curious what others here think — anyone working on the identity-attestation side of this? The KYT side is well-mapped; the evidence-portability side feels like it's still being invented.
I wrote a longer architectural read on this if useful: [https://verifyo.com/insights/indirect-exposure-crypto-compliance-gap](https://verifyo.com/insights/indirect-exposure-crypto-compliance-gap) (full disclosure, I'm one of the people building Verifyo on the identity-attestation side — the KYT cohort I named above does the transaction layer; we don't, and the piece is about why both are needed).
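Added example, not part of the original post and not any named vendor's method: a minimal hop-aware exposure check that applies the $10 direct and $100 indirect ransomware thresholds quoted above to a constructed transfer graph. The wallet names, amounts, and the "smallest transfer on the path" attribution rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample transfers: (sender, receiver, usd_amount)
TRANSFERS = [
    ("ransom_1", "cust_direct", 12.0),
    ("ransom_1", "mixer_a", 500.0),
    ("mixer_a", "cust_indirect", 60.0),
    ("mixer_a", "hop_b", 300.0),
    ("hop_b", "cust_deep", 150.0),
    ("exchange_x", "cust_clean", 900.0),
]
FLAGGED = {"ransom_1": "ransomware"}  # constructed flagged-address list
# Alert thresholds in USD, taken from the example quoted in the post.
THRESHOLDS = {"direct": 10.0, "indirect": 100.0}


def exposure(wallet, transfers, flagged, max_hops=4):
    """Sum inbound exposure to flagged addresses, split by 1 hop vs 2+ hops."""
    inbound = defaultdict(list)
    for src, dst, usd in transfers:
        inbound[dst].append((src, usd))
    totals = {"direct": 0.0, "indirect": 0.0}

    def walk(node, hops, bottleneck, seen):
        for src, usd in inbound[node]:
            if src in seen:  # ignore cycles
                continue
            flow = min(bottleneck, usd)  # assumed rule: smallest transfer on path
            if src in flagged:
                totals["direct" if hops == 1 else "indirect"] += flow
            elif hops < max_hops:
                walk(src, hops + 1, flow, seen | {src})

    walk(wallet, 1, float("inf"), {wallet})
    return totals


def alerts(wallet, thresholds=THRESHOLDS, transfers=TRANSFERS, flagged=FLAGGED):
    """Return the exposure layers whose total meets or exceeds its threshold."""
    exp = exposure(wallet, transfers, flagged)
    return [layer for layer, usd in exp.items() if usd >= thresholds[layer]]


if __name__ == "__main__":
    for w in ("cust_direct", "cust_indirect", "cust_deep", "cust_clean"):
        print(w, exposure(w, TRANSFERS, FLAGGED), alerts(w))
```

In this constructed data, `cust_indirect` carries $60 of two-hop ransomware exposure and raises no alert, while the same $60 at one hop would have crossed the $10 direct threshold.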