TL;DR - FATF red flag indicators are the transaction, anonymity, counterparty, source-of-funds, and geographic patterns that compliance tools watch for, and matching several at once is what actually flags a crypto transaction for review.
When an exchange holds your deposit or asks where the money came from, it is rarely acting on a hunch. It is reacting to red flag indicators - a shared vocabulary of suspicious patterns that the global standard-setter for anti-money-laundering, the Financial Action Task Force (FATF), published for virtual assets in 2020. Most guides list a scary behavior or two and stop there. The useful part is understanding the full set of categories and, more importantly, that a single flag almost never sinks you - it is the combination that moves a transaction from "normal" to "review this now."
What are the FATF red flag indicators?
Red flag indicators are documented behaviors that, on their own or in clusters, suggest funds may be linked to money laundering, terrorist financing, or sanctions evasion. The FATF grouped them for crypto into six broad families: the size and timing of transactions, the shape of transaction patterns over time, the use of anonymity tools, warning signs about the sender or recipient, questions about the source of the funds, and the geography involved. Exchanges, banks, and blockchain-analytics firms build their monitoring rules on top of this same list, which is why a withdrawal that clears one platform can stall at another.
Think of each indicator as a data point rather than a verdict. Compliance teams and automated screening tools score them, weigh how many appear together, and decide whether the picture warrants a closer look. That scoring logic is the difference between a transaction that settles quietly and one that lands you an email asking for a source-of-funds letter.
The FATF sorts crypto red flags into six families; screening tools weigh how many appear together, not any single one in isolation.
Which crypto transaction patterns raise the biggest red flags?
The loudest signals come from how value moves. Breaking a large sum into many smaller transfers to stay under reporting thresholds - structuring - is a classic flag, and screening tools spot the pattern even when each piece looks trivial. So does depositing funds and withdrawing them almost immediately, which suggests an account is being used as a pass-through rather than for genuine trading. A brand-new account that suddenly handles high volume, transfers in rapid succession to many addresses, or amounts that make no sense for the customer's stated profile all belong in this group.
If you deliberately split deposits to fly under the radar, be aware that the tactic is itself a documented indicator; our guide on splitting crypto deposits to avoid AML detection explains why it tends to attract the exact scrutiny it is meant to dodge.
Do red flags about who you deal with matter as much as amounts?
Yes, and often more. A large share of the FATF list concerns anonymity and counterparties rather than dollar figures. Funds routed through a mixer or tumbler, converted into privacy coins such as Monero, moved through a peer-to-peer platform with no verification, or cashed through unhosted-wallet and ATM chains all raise anonymity flags because they are designed to break the trail. On the counterparty side, a sender who cannot or will not complete identity checks, gives inconsistent information, or uses IP addresses that clash with their claimed location adds warning signs of its own.
The source of funds is the category that catches ordinary users by surprise. Coins that trace back to a known scam, a darknet market, a ransomware wallet, or an address on a sanctions list carry that history with them permanently. You can inherit the exposure just by receiving a payment, and distance matters: value arriving directly from a flagged address scores highest, while exposure a few hops away scores lower but can still cross a review threshold. Our explainer on how many hops from a sanctioned address flag a wallet walks through where that line usually sits.
Does one red flag get your wallet frozen?
Usually not. A single indicator - one transfer that happens to be a round number, say - is weak evidence, and a well-tuned monitoring system will not act on it alone. What triggers a hold, a source-of-funds request, or a blocked withdrawal is a cluster of flags that together tell a story: a new account, funded from a mixer, moving money out within minutes, toward a high-risk jurisdiction. Each piece is ordinary; the combination is not.
This is why two people can behave almost identically and get different outcomes. The one whose funds also carry sanctions or stolen-funds exposure trips several indicators at once and crosses the score threshold, while the other stays below it. Understanding the categories lets you see your own activity the way a compliance engine does and fix the avoidable flags before they stack up.
A lone indicator normally clears; several stacked together push the risk score past the threshold that triggers a hold.
How do you check your own wallet for red flag exposure?
Start by reading your own history the way a reviewer would. Pull up the counterparty addresses on a block explorer such as Etherscan, check whether any match a sanctions entry against the public OFAC SDN list, and note any hops through mixers, no-KYC swappers, or addresses tied to scams. The manual route works, but it is slow and single-chain, and the risky counterparty is often two or three hops back where a casual look never reaches.
Rather than checking one list and one chain at a time, you can screen the address with Plastron to see sanctions, mixer, and stolen-funds exposure across Ethereum and six more EVM chains in a single query, with the risky counterparties named. Doing this before you send a payment, accept one, or withdraw to an exchange lets you catch a stacked-flag problem while you can still act on it - not after a deposit is already frozen.
FAQ
What is the difference between a red flag and an actual crime?
A red flag is a warning sign that warrants a closer look, not proof of wrongdoing. Plenty of flagged transactions turn out to be perfectly legitimate once explained. The indicator simply tells a compliance team where to focus; it is the investigation and the surrounding facts that determine whether anything is actually wrong.
Are the FATF indicators legally binding on exchanges?
The FATF guidance itself is a recommendation, not a law. Its influence comes from the fact that member countries turn those recommendations into national AML rules, and exchanges build their monitoring to satisfy those rules. So while the list is not a statute you can be charged under, the obligations it inspires are enforced through local regulators.
Can using a privacy coin or mixer alone get me flagged?
It can raise an anonymity flag, because both are on the FATF list as tools that obscure the trail. On its own that flag may not freeze anything, but combined with other indicators - such as an immediate cash-out or exposure to a sanctioned address - it can tip a transaction into review. Many regulated exchanges also reject mixer-linked deposits outright.
How can I tell which red flags my wallet trips before an exchange does?
Screen the address before you move funds. A tool that checks sanctions, mixer, and stolen-funds exposure across multiple chains and names the risky counterparties shows you the same picture an exchange's monitoring would build, so you can document a clean source of funds or avoid a risky path before it becomes a frozen deposit.
Disclaimer: This article is for educational and informational purposes only and is not legal, financial, tax, or compliance advice. Crypto carries risk; you act on this information at your own risk. Always do your own research and consult a qualified professional before making decisions. Views are the author's own and do not constitute financial, legal, or investment advice.
About Plastron
Plastron is a free, non-custodial wallet screening tool. It checks Ethereum and six EVM chains for AML and KYT risk — sanctions exposure, mixer contact, and stolen-funds proximity — and returns a risk report in seconds. It reads public on-chain data only: it never takes custody of funds and never asks for private keys.