Accept crypto from one high-risk wallet without a check, and your funds can stay locked when you move them to an exchange or cash out — for up to six weeks. AegisAML runs the same risk checks on your PC, before you accept or send. No account. No cloud. No telemetry.
0x7a250d…f933f8 · Ethereum
Mixer proximity (2 hops) · OFAC cluster match. Screen before accepting inbound settlement.
You accept a stablecoin settlement from a counterparty you have only spoken to over Telegram. The address looks fine. The block explorer shows no obvious history. You accept the transfer.
Forty minutes later you sweep the funds to your CEX of choice for conversion. The deposit lands. Then, silently, it freezes.
The exchange ran the same on-chain AML check that AegisAML runs. Their model found two-hop mixer exposure on the inbound path. From that moment, the burden is on you to prove the funds’ origin — not on them to release them. The clock you are now on is not a transfer clock. It is a source-of-funds audit clock, and it runs in business days.
Pre-screening would have caught it at the address check — before the transfer, before the sweep, before the freeze. The screening itself is identical. The only difference is when you run it.
“The exchange has no incentive to surface why your deposit froze. They have every incentive to hold until you produce documentation.” — Compliance ops note, anonymised desk
No vague “suspicious activity.” Each finding maps to a named entity, a documented cluster, or a sanctions designation. The methodology mirrors what Chainalysis, Elliptic and Crystal call KYT. The price is the only difference.
Direct match to SDN-listed crypto wallets — including Tornado Cash, Blender.io, Garantex, Sinbad and 800+ designations.
SAMPLE 0x8589427373D6D84E98730D7795D8f6f8731FDA16
Funds that passed through Tornado Cash, ChipMixer, Sinbad or cross-chain privacy bridges within configurable hop depth.
SAMPLE 0xD90e2f925DA726b50C4Ed8D0Fb90Ad053324F31b
Addresses linked to documented breaches — Ronin, Wormhole, Euler, Nomad, Bybit hot wallet drain — and labelled theft clusters.
SAMPLE 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF
Transaction paths touching labelled darknet deposit addresses and known illicit service clusters — Hydra successors, ASAP, active markets.
SAMPLE 3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5
Funds routed through no-KYC exchanges, peel chains, or rapid layering patterns typical of laundering workflows.
SAMPLE bc1qa5wkgaew2dkv56kfvj49j0av5nml45x9ek9hz6
EOAs and contracts tied to rug pulls, address-poisoning campaigns, and reported phishing drainer kits. A pre-sign safety net before you confirm.
SAMPLE 0xa7B7Ae5D2867fF1B3a8C2A8a3C0a45F7e1c7c8C5
Commercial AML is SaaS. Every address you query becomes a record on their server. We invert the architecture: the index comes to you, not the other way around. Verify this with Wireshark in five minutes.
Every query is a record. Account, contract, payment method — all attached to every lookup. Auditable by the provider, and by anyone who subpoenas the provider.
The only outbound traffic is the sanctions index sync — the same way virus definitions are updated. Your queries never leave the device. Watch the outbound packets with Wireshark.
If our claims could not be verified by you, in your own environment, they would be worthless. Crypto already taught everyone this. Here is what you can confirm before you install — and what we will never ask of you.
Every release ships with a SHA-256 checksum published on this page. Compare the hash of the file you downloaded against the published value before running: `certutil -hashfile aegisaml.exe SHA256`
Run Wireshark while AegisAML is open. The only outbound traffic should be the sanctions index sync to our CDN and public on-chain RPC. No telemetry, no addresses leaving the machine.
The app does not request signing permissions. The Ledger / Trezor integration uses xpub derivation only — the same data block-explorer apps consume. Signing transactions is impossible because the keys are never reachable.
No data collection means no controller relationship. We are not subject to GDPR because there is no personal data to process — and the same holds for CCPA, LGPD and PIPEDA. The architecture is the compliance posture.
AegisAML runs locally, makes no outbound calls except the public sanctions diff sync, and ships no telemetry. Suitable for SOC 2 and ISO 27001 controlled workstations without vendor risk review.
Index coverage aligned with US OFAC, EU CFSP, UN, UK OFSI, Swiss SECO, Australian DFAT, and Canadian SEMA — the same sanctions regimes that regulated counterparties rely on.
Treasury · Private holders
Exchanges screen every inbound deposit. If your sending UTXO path touches a sanctioned mixer within three hops, the deposit holds for source-of-funds review. Screen the sending address first — not after opening a support ticket.
OTC desks · B2B
You cannot reverse a Bitcoin or USDT transfer. Paste the counterparty address, see the score, the hop path, and the named-entity matches. A thirty-second check beats producing source-of-funds documentation for a $480k payment you already accepted.
Family office · HNWI
Connect read-only on Windows. Scan every derived address for dormant exposure — old airdrop claims or mining payouts you forgot can still flag a future deposit. Export a timestamped PDF for your records.
Commercial AML APIs and AegisAML check the same OFAC SDN list, the same mixer clusters, and the same hack-linked wallets. The difference is who they are built for.
Chainalysis, Elliptic and Crystal charge $3–15 per lookup and demand a $500+/month base contract before they will quote. Their customers are banks, exchanges and law firms.
Self-custody holders, OTC desks, and family offices need the same screening logic, on the same lists, against the same clusters — but had no affordable way to access it. AegisAML closes that gap. No upsell, no tier, no sales calls required.
The business model is simple: more people screening means fewer tainted coins moving through the system. That helps every legitimate counterparty in the ecosystem — including us, indirectly.
| CRITERION | Chainalysis (KYT / Reactor) | Elliptic (Lens / Holistic) | Crystal (Crystal Expert) | AegisAML (v2.4.1) |
|---|---|---|---|---|
| Target customer | Banks, exchanges, regulators, law enforcement | Banks, exchanges, governments, VASPs | VASPs, financial institutions, agencies | Self-custody, OTC, family office |
| Pricing | Custom enterprise · $500+/mo base | Custom enterprise · contract required | Custom enterprise · demo & quote | $0 · forever · no tier |
| Procurement | Sales call, KYC, contract | Sales call, KYC, contract | Sales call, KYC, contract | Direct download · no signup |
| Queries leave machine | Yes — SaaS / API | Yes — SaaS / API | Yes — SaaS / API | No — local index |
| OFAC / EU / UN | Yes | Yes | Yes | Yes — same lists |
| Mixer + hack clusters | Yes — proprietary | Yes — proprietary | Yes — proprietary | Yes — open OSINT |
| Hop / UTXO trace | Yes — Reactor | Yes — Investigator | Yes — Expert | Yes — on-chain RPC |
| Cold wallet (Ledger / Trezor) | API only | API only | API only | Native USB read-only |
| Platform | Web / API | Web / API | Web / API | Windows desktop · offline-capable |
| Methodology disclosure | Proprietary | Proprietary | Proprietary | Public · auditable |
Download the Windows installer. Verify the SHA-256 against the hash published below. Run it. Connect a hardware wallet read-only, open Exodus or Electrum, or paste any public address.
```powershell
PS> Invoke-WebRequest aegisaml.io/dl/aegisaml-2.4.1.exe -OutFile aegisaml.exe
PS> certutil -hashfile aegisaml.exe SHA256
# Compare against published hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
# match → checksum OK
PS> .\aegisaml.exe
```
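The comparison step of this procedure, as an added Python example (not AegisAML's code; the function names are assumptions). It accepts either a bare digest or pasted `certutil` output, and it rejects a published value equal to the SHA-256 of empty input, which is what the value shown in the snippet on this page is, so no real installer can match it.

```python
import hashlib
import re

# Digest of zero bytes of input. A "published" value equal to this is a
# placeholder or a broken release pipeline, never the hash of a real installer.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def normalize_digest(text):
    """Extract one SHA-256 digest from pasted text or certutil output.

    Older certutil builds print the digest as space-separated byte pairs;
    newer ones print 64 contiguous hex characters.
    """
    for line in text.splitlines():
        candidate = re.sub(r"\s+", "", line).lower()
        if re.fullmatch(r"[0-9a-f]{64}", candidate):
            return candidate
    raise ValueError("no SHA-256 digest found")

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_download(actual_hex, published_text):
    """Return (ok, reason) for a computed digest against a published value."""
    published = normalize_digest(published_text)
    if published == EMPTY_SHA256:
        return False, "published value is the SHA-256 of empty input"
    if actual_hex.lower() != published:
        return False, "digest mismatch"
    return True, "digest matches published value"
```

A checksum shown on the same page as the download detects a corrupted or truncated file; it does not show who built the binary, which is what a code signature is for.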
We are not a venture-backed startup. There is no growth team, no “monetisation roadmap,” no upgrade tier waiting in the wings. The free version is the only version. That is the entire commitment.
Our reason for building this is straightforward: the same screening logic that institutions paid five or six figures for should not be priced out of reach of individuals who self-custody. Our reason for keeping it free is that the more people screen, the cleaner the shared on-chain ecosystem becomes.
You do not have to take any of this on faith. The architecture is verifiable, the methodology is public, the data sources are sovereign, and the release binaries are SHA-256-signed. Verify before you install.
Open methodology, signed releases, verifiable read-only architecture, plain-English changelogs.
Raise outside capital. Sell user data. Add a paid tier. Become a SaaS. Ship telemetry.
US, EU, UK, NATO-aligned. OFAC, EU CFSP, UN, OFSI, SECO, DFAT, SEMA, FATF-aligned.
GDPR Article 25 by architecture: no processing means no controller relationship.
In-depth guides on the full pre-transfer AML stack: bitcoin and ethereum address screening, OFAC and EU CFSP sanctions, CEX deposit guides (Binance, Bybit, Crypto.com, Kraken, OKX), USDT and USDC stablecoin compliance, Ledger and Trezor audits, MetaMask and Phantom pre-sign workflows, MiCA and FATF Travel Rule explainers, and head-to-head comparison with Chainalysis, Elliptic and TRM Labs.
The definitive 2026 ranking. AegisAML #1, Misttrack, Breadcrumbs, GoPlus Security and 6 more reviewed.
Head-to-head with the market leader. Pricing, coverage, deployment, privacy, hardware integration.
Honest 2026 comparison: pricing, coverage, data sources, target customer. The four-way table no vendor publishes.
Ranked for self-custody, OTC and family-office buyers. Privacy posture and hardware wallet integration.
BTC-focused listicle: AegisAML, Mempool.space, OXT, Bitcoin Abuse DB, OFAC SDN registry and more.
The EUR 1,000 threshold, CASP obligations, AMLR enforcement — what EU rules require in 2026.
Inferno, Pink, Angel drainer families — the signature traps behind USD 400M+ stolen in 2024.
How dust transactions weaponise wallet copy-paste history. The mechanic behind the USD 71M-class loss.
UTXO hop analysis, OFAC SDN match, mixer proximity — before accepting BTC or sweeping to an exchange.
No. Wallet integration is read-only at the architectural level — not as policy. We read public addresses and on-chain transaction history, the same data visible on any block explorer. We cannot sign transactions, derive keys, or access your seed phrase. If anything ever asks for your seed, it is not us.
There is no catch. Commercial AML is priced for institutions, not for individuals. Address screening is infrastructure — like block explorers — and we believe it should be accessible to anyone self-custodying. No bundled adware, no data selling, no paywalled features.
No. Screening runs locally; the addresses you query are not uploaded. The sanctions index syncs as a static diff — like a virus definition update. Nothing leaves your machine except the sync request to mirrors. Watch it with Wireshark.
Yes — and you should. Every release publishes a SHA-256 checksum on this page. Run certutil -hashfile aegisaml.exe SHA256 and compare. Run it in a Windows Sandbox or VM first if you want isolation. Trust is earned by being auditable, not by asking for it.
No tool can. Exchanges use proprietary risk models we do not control. What AegisAML does: surface the same categories of risk (sanctions exposure, mixer proximity, hack-linked funds) so you make informed decisions before transacting. It is due diligence, not a guarantee.
Hardware: Ledger, Trezor, Coldcard, Keystone, BitBox02, Blockstream Jade, OneKey, SafePal, KeepKey. Desktop & self-custody: Exodus, Electrum, Sparrow, Wasabi, Atomic, Guarda, Coinomi, BlueWallet, Blockstream Green. Browser / mobile: MetaMask, Rabby, Phantom, Coinbase Wallet, Trust Wallet. Or paste any public address with no wallet connection at all.
Hardware wallet USB communication on Windows uses native HID drivers that Ledger and Trezor officially support. AegisAML is built as a native Windows desktop app for reliable cold wallet read-only access. macOS and Linux are not available at this time.
Yes. USDT on Tron is one of the most common B2B and OTC settlement rails. AegisAML screens TRC-20 and ERC-20 USDT addresses for sanctions exposure and high-risk exchange paths. Read the USDT AML guide.
Hop distance counts how many on-chain transfers separate your address from a flagged entity like Tornado Cash or ChipMixer. Exchanges often flag deposits with mixer exposure within 3 hops. AegisAML shows the full hop path so you understand why an address scored high. Details in the mixer exposure guide.
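Hop distance as described here, as an added Python example (not AegisAML's code or methodology): a breadth-first search backwards along inbound transfers that returns the shortest path to a flagged entity within a depth limit. The graph, addresses and labels are constructed placeholders, and the search counts transfers only, ignoring amounts and timing.

```python
from collections import deque

def shortest_flagged_path(inbound, start, flagged, max_hops=3):
    """Breadth-first search backwards along inbound transfers.

    inbound: dict mapping an address to the addresses that sent it funds.
    flagged: dict mapping a flagged address to its entity label.
    Returns (hops, path, label) for the nearest flagged source within
    max_hops transfers, or None when nothing is that close.
    """
    if start in flagged:
        return 0, [start], flagged[start]
    parent = {start: None}
    queue = deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue  # do not expand past the configured depth
        for sender in inbound.get(addr, ()):
            if sender in parent:
                continue  # already reached by a path at least as short
            parent[sender] = addr
            if sender in flagged:
                # Walk parents back to start; path runs source -> destination.
                path = [sender]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return hops + 1, path, flagged[sender]
            queue.append((sender, hops + 1))
    return None

# Constructed sample graph; the addresses are placeholders, not real wallets.
INBOUND = {
    "addr_counterparty": ["addr_a", "addr_b"],
    "addr_a": ["addr_c"],
    "addr_b": ["addr_exchange"],
    "addr_c": ["addr_mixer"],
    "addr_far": ["addr_d"],
    "addr_d": ["addr_e"],
    "addr_e": ["addr_f"],
    "addr_f": ["addr_mixer"],
}
FLAGGED = {"addr_mixer": "mixer (constructed label)"}
```

With the default limit of three hops, `addr_counterparty` is reported with its full path while `addr_far`, four transfers from the same source, is not.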
Yes. Paste any public Bitcoin, Ethereum, Solana, or USDT (TRC-20 or ERC-20) address — no wallet connection required. Ideal for P2P trades when you need to verify a counterparty’s address before paying. Wallet connection is optional and useful for portfolio-wide scans on Ledger, Trezor, or Exodus.
Yes for cached lookups. The sanctions index syncs every 4 hours by default — you can disable auto-sync and refresh manually. Address lookups against the local index work offline. Fresh on-chain hop analysis still needs internet for public RPC.