Protection against fraud through Zoom

Open a block explorer (Etherscan, Blockchair, Tronscan, etc.) and review the history: incoming/outgoing transactions, tokens, and internal transfers.

Look for obvious markers: labels like "mixer," "hacker," "darknet," or "exchange suspicious," as well as massive multiple inputs with mixed amounts.

If you see exchange addresses, identify which exchanges they are (using explorer labels).

Search the OFAC SDN (Sanctions List Search) and EU/local sanctions databases by entering the address or name. OFAC provides CSV/XML downloads and APIs for automation.

If the address is found in sanctions lists, block the transaction and escalate the situation to the legal or compliance department.

Chainalysis: Enter the address into the interface or request via API; check the risk score, labels (source: "theft," "mixer," "exchange"), transaction graph, and address "clusters." For integration, use their API/webhook for real-time validation during transfers.

Elliptic: Use the address profiler to see transaction timelines, tags, and links to incidents. Supports automatic alerts for watchlists.

Crystal Blockchain / TRM / CipherTrace: These provide a "taint" score and fund flow path. Pay attention to the percentage of "taint" originating from known incidents.

SlowMist: Useful for threat intelligence reports on specific cases and indicators of compromise (IoC).

Free options for initial checks: Etherscan (labels, ERC-20 transfers), OXT.me (BTC graph), WalletExplorer (clusters), Blockchair. These do not replace paid AML services but help in making quick decisions.

Direct match with sanctions or known theft → Stop.

"Mixer," "tumbler," or "Darknet" labels → High risk.

"Taint" or share of funds from criminal sources > X% → Request additional validation (the threshold usually depends on your policy; for many companies, anything explicitly linked to theft/sanctions is critical).

Graph distance to a known incident: 1–2 hops is high risk; > 5 hops is lower but still requires investigation.

If a direct link to sanctions or theft is found: suspend the transaction, report to the legal department, block the address, and log all correspondence and data.

For questionable links (non-obvious risk): request KYC and Proof of Funds (PoF) from the counterparty, or ask them to perform a small test transaction (micro-transfer).

Alternative: transfer funds to an escrow account or use a trusted exchange/provider with its own AML if the operation must be completed.

Document the decision and grounds (screenshots of reports, sanctions list search logs).

KYC Minimum: Passport/ID, a selfie with the document, and a recent Proof of Address (POA). For legal entities — constituent documents and UBO (Ultimate Beneficial Owner) details.

Verifiers: Sumsub, Onfido, Jumio — these integrate via API to automate document verification and AML screening.

Continuous Monitoring: Set up watchlists (addresses, IPs, domains), threshold alerts (e.g., incoming > $X or change in address risk score), and daily/weekly sanctions list updates via API.

For Individual Users: Perform a basic address check in an explorer and conduct test transfers; avoid suspicious links and never enter private keys in unknown applications.

For Companies: Establish Standard Operating Procedures (SOPs) for every verification step, conduct regular training for operations staff, and perform quarterly audits of AML processes.

Quick explorer check (Etherscan/Blockchair) — 2 min.

Sanctions lists (OFAC/EU) — 2–5 min.

AML tool — address profile + graph — 10–30 min.

Decision: Proceed / Request KYC / Withhold / Reject.

Log all actions and notify relevant departments.