On November 19, 2025, the US Department of the Treasury, together with authorities in the United Kingdom and Australia, announced new sanctions against Russian operated bulletproof hosting (BPH) providers and the individuals behind them. These services have long supported ransomware groups and other cybercrime infrastructure, and the coordinated designations mark a continued effort to disrupt the technical foundations that enable large scale attacks.

For organisations operating in the digital asset sector, these sanctions create immediate compliance responsibilities. Cryptocurrency exchanges, financial institutions, payment providers, and VASPs must quickly determine whether their users have interacted with any newly designated wallets, not only directly but also through multi hop transactions or cross chain movements. This is where the ability to visualise crypto transaction flows and understand exposure at both a granular and holistic level becomes essential.

Scorechain provides this clarity through its combination of sanctions screening, risk scoring, and intuitive graph based transaction analysis. Rather than approaching the topic from a forensic or investigative angle, Scorechain focuses on what AML and compliance teams need most: reliable risk insights, transparent visuals, and documentation that aligns with regulatory expectations.

Why These Hosting Provider Sanctions Matter for Crypto Compliance

Bulletproof hosting providers occupy a unique space within the cybercrime ecosystem. They lease servers, IP ranges, and digital infrastructure with minimal oversight, allowing ransomware operators and other malicious groups to remain online even when abuse reports are filed. This commercial structure is significant because these providers receive cryptocurrency payments from many different users. Some are legitimate customers, while others are cybercriminal groups. This mix means institutions may have indirect exposure without realising it.

With OFAC, the UK, and Australia formally designating these providers and their operators, compliance teams must revisit previous transactions. A routine payment made months earlier may now be linked to a sanctioned ecosystem. Since these providers often rely on cryptocurrency for subscription based services, the associated payment paths can be indirect, multi layered, or cross chain. Institutions therefore need the ability to identify these patterns across different periods and networks.

Read More: U.S. Department of the Treasury Press Release

This requirement goes beyond matching wallet addresses. It involves tracing transaction flows, understanding exposure routes, and determining whether customers interacted with relevant entities directly or through intermediaries.

Scorechain automatically updates its sanctions lists across the Wallet Screening and KYT modules. When OFAC released its November 2025 update, Scorechain’s database was synchronised immediately. This allows compliance teams to monitor exposure under standardised entity records.

The following OFAC designated entities now appear in Scorechain under their unified names:

“King James Conrad - Wedding Ryan James (OFAC)”
“Sokolovski Rolan (OFAC)”

These names are now part of Scorechain’s global entity profile system. Users can search, monitor, and trace exposure to these sanctioned individuals as part of their daily compliance workflow.

Sanctions screening identifies that exposure exists, but graph analysis shows how it occurred. Scorechain visualises each transaction within its network context, highlighting the nodes involved, the number of hops, and the direction of funds that may connect a customer to a sanctioned hosting provider.

Graph Analysis for Transaction Flow Visibility and Sanctions Exposure

The example below shows a Scorechain graph analysis visualisation focused on incoming flows to a high risk address. It highlights the origin of funds, intermediary wallets, and the structure of potential exposure. This level of detail helps compliance teams determine whether a user interacted with wallets linked to sanctioned hosting providers or cybercrime related infrastructure. This specific graph displays a Critical Risk classification for terrorism, reflecting the real activity associated with this sanctioned entity.

Scorechain’s visual layout helps analysts recognise layered transactions, multi hop routes, and clustering patterns that are difficult to understand through basic blockchain explorers or standalone data. High risk nodes are clearly visible, and the direction of funds is shown at each step. This supports informed decision making when reviewing customer activity, escalating a case for further investigation, or preparing documentation for internal audits and regulatory reviews.

Complex transaction activity often involves multiple chains or several custodial intermediaries. Scorechain links these movements together so compliance teams can interpret multi chain and multi hop behaviour with clarity. This reduces uncertainty when determining customer risk levels and deciding whether suspicious activity reports or enhanced due diligence procedures are required.

Ongoing Monitoring and Documentation for Regulatory Compliance

Sanctions involving infrastructure providers can continue to evolve after the initial announcement. Wallets connected to these providers may still receive payments, and additional intermediary wallets may later be tied to the same ecosystem. Because of this, ongoing monitoring is important for understanding how exposure changes over time.

Scorechain supports these requirements through audit ready reporting, exposure timelines, and visual summaries. Compliance teams can document when an exposure was identified, how funds moved within the network, and what actions were taken internally. These features help institutions demonstrate control, respond quickly to regulatory developments, and maintain a consistent approach to AML and sanctions compliance.