OFAC's $344M USDT seizure tied to the Central Bank of Iran was a watershed. The EU's 20th Russia sanctions package now explicitly names crypto-specific entities. The Travel Rule (FATF Recommendation 16) is in force in 80+ jurisdictions. If your exchange, custodian, or wallet processes a single transfer touching a Specially Designated National (SDN), you face civil penalties starting at $250K per violation — or referral for criminal prosecution.
This post is the API-level checklist 1F customers use to operationalize sanctions compliance.
What "real-time sanctions screening" means in 2026
Three distinct screening points, each with different latency and cost requirements:
| Trigger | Latency budget | What gets screened |
|---|---|---|
| KYC / wallet onboarding | 1–5 seconds | Customer's deposit address + 1-hop counterparty graph |
| Withdrawal request | < 500 ms | Destination address + multi-hop indirect exposure |
| Live mempool / pre-confirmation | < 100 ms | Pending tx destination across all subscribed wallets |
A screening tool that only handles the first two has a "live touch" gap — funds confirm before you can block them. 1F covers all three on the same data plane.
The minimum API surface
# 1. KYC-time wallet decision
POST /api/kyc/screen
{ "address": "0x4b6F…1aE8" }
→ { decision: "BLOCK", confidence: 0.91, flags: [...], latencyMs: 4.2 }
# 2. Bulk pre-withdrawal screen (up to 1000 addresses per call)
POST /api/forensics/screen
{ "addresses": ["0x...", "0x...", ...] }
→ { results: [{ address, verdict: "BLOCK"|"REVIEW"|"WARN"|"ALLOW", reasons: [...] }] }
# 3. Continuous webhook subscription
POST /api/forensics/screen/subscribe
{ "address": "0x...", "webhookUrl": "https://your.api/1f-alerts", "hmacSecret": "..." }
# 4. Real-time pre-confirmation stream
POST /api/stream/subscribe
{ "addresses": [...], "includePending": true }
Every endpoint joins against the OFAC SDN list refreshed daily plus the broader 1F entity store (community-flagged scam wallets, hacker-active addresses, fraud-network proximity).
Why multi-hop indirect exposure is the hard part
OFAC's 50% rule applies on-chain too: a wallet that received funds from a sanctioned address two hops back is itself "blocked property" from the moment it received that value. Most screening vendors only flag direct touches. 1F surfaces indirect exposure with weighted scores up to 6 hops:
GET /api/forensics/exposure-multihop/{address}?dir=in&hops=3
→ {
exposureScore: 0.62,
paths: [
{ hop: 1, addr: "0x...", amount: "$140K", category: "mixer" },
{ hop: 2, addr: "0x...", amount: "$140K", category: "sanctioned", entity: "OFAC SDN: 0xLazarusGroup" },
]
}
This is the same query path used by major US-listed exchanges to file SARs when indirect exposure crosses configured thresholds.
Handling Russia, Iran, North Korea designations
The 1F entity store ingests:
- OFAC SDN list (full daily refresh)
- EU consolidated sanctions list (weekly, includes the new 20th-package entries)
- UK HMT sanctions list
- UN Security Council list
- Lazarus Group address pool (continuously updated from on-chain attribution + community-feed posts)
- Tornado.cash deposit pools (all sanctioned mainnet pools tracked at the contract level)
Calling /api/sanctions/check/{address} joins against all of them in one query.
FinCEN SAR integration
When you do find a hit and need to file a Suspicious Activity Report, 1F's FinCEN Form 111-style adapter renders the case bundle with all the inputs investigators need:
GET /case/{caseId}/sar
Auto-derives typology checkboxes from address categories (mixer touch, sanctioned proximity, structuring pattern, mule cluster), includes the full audit log of every action by every actor with HMAC chain-of-custody, and prints to PDF for upload to BSA E-Filing. The 1F bundle is a companion to the official Form 111, not a substitute — but it cuts the prep time from days to minutes.
What this costs
Free tier covers up to 1,000 screening calls per month. Starter ($50/mo) covers 100K. Pro ($200/mo) covers 5M and includes the webhook + real-time stream tiers. Equivalent Chainalysis Reactor seats start at $50K/year per user.
If you have a paying customer base today and aren't doing some form of indirect-exposure screening at withdrawal time, it's not a question of whether you'll have an OFAC moment — it's a question of when. The technical work is one API call away.