Why One Hop Is Often Not Enough: A Practical Framework for Two-Hop Exposure Analysis
Why direct screening misses too much risk, what a two-hop model adds, and how to avoid false confidence or false positives when exposure chains get messy.

Why One Hop Is Often Not Enough
The simplest blockchain risk check asks a binary question: did this wallet transact directly with a sanctioned or high-risk address? That question matters, but by itself it is rarely enough for a mature compliance program. A large share of operationally relevant risk does not arrive as a neat, direct interaction. It arrives through intermediaries, routing wallets, cross-asset swaps, and short transaction chains that are intentionally designed to create plausible distance.

That is where two-hop analysis becomes useful. Two-hop exposure does not mean “everything is suspicious.” It means your program acknowledges how on-chain risk actually travels. A customer can be one or two counterparties away from a sanctioned service, a mixer, or a laundering network without ever touching it directly. If your monitoring stops too early, you produce false comfort. If it traces too aggressively through every intermediary, you produce false positives. The art is in designing a methodology that is both cautious and defensible.
Direct risk is only the first layer
Direct risk is operationally clean. If a wallet transacted with a sanctioned address yesterday, the case for escalation is usually obvious. But direct exposure is also easy for threat actors to route around. A single hop through a fresh wallet can remove the cleanest possible signal while still preserving the economic connection to the bad actor.
That is why firms that operate at scale rarely stop at direct screening. They examine whether the customer’s counterparty itself has meaningful exposure to sanctioned or illicit entities. In other words, they ask what sits one step behind the transaction the customer can see.
TRM’s description of indirect risk is useful because it frames the issue correctly: the question is not just hop count, but whether the path remains meaningful. Timing, wallet behavior, intermediary type, and service boundaries all change the strength of the risk inference.
What a second hop actually adds
A two-hop model often catches patterns that direct screening misses:
- peel-chain routing after theft or sanctions evasion
- newly created transit wallets used to break simple tracing
- short-lived aggregation wallets that collect and forward value
- counterparties whose own upstream connections are deteriorating even if they are not yet directly labeled
From an operations perspective, this matters because the second hop is where you start to see patterns rather than isolated transactions. One hop can tell you that your counterparty touched risk. Two hops can tell you whether the flow still looks like a coherent chain of exposure or a benign break in ownership.
For example, if Wallet A pays your customer, and Wallet A itself just received funds minutes earlier from a high-risk cluster through a thin intermediary path, two-hop analysis captures a materially different picture than a direct-only program would. That does not prove wrongdoing. It does tell you the flow deserves more attention than a green checkmark.
Why fixed hop limits can fail
Some compliance teams assume there is a safe threshold: three hops is harmless, five hops is too far, one hop is all that matters. That assumption is tempting because it is easy to operationalize. It is also unreliable.
Elliptic has argued plainly that sanctioned actors can move funds through many hops specifically because they expect exchanges or screening tools to stop searching after an arbitrary threshold. TRM makes a similar point from the opposite direction: there is no universal regulatory bright line that makes indirect exposure acceptable simply because enough intermediaries exist.
This does not mean every chain must be traced forever in every case. It means fixed hop limits are a poor substitute for a real methodology. A short chain through clearly linked wallets may be more meaningful than a long chain separated by time, services, and genuine changes in ownership.
Where two-hop analysis goes wrong
Two-hop screening can fail in two opposite ways.
The first is underreach. This happens when a program records only direct counterparties or caps investigation at a simplistic hop threshold. The result is that material exposure never enters the case.
The second is overreach. This happens when analysts trace through omnibus services, exchanges, processors, or other intermediaries as though all outbound value still belongs to the same original source. That creates phantom paths and poor decisions.
TRM’s guidance on indirect risk is especially useful here: once the transaction chain reaches a known service that aggregates funds from many users, the reliability of attribution changes. In those cases, the right move is usually to stop tracing through the service and assess the risk up to that point rather than pretend the entire downstream flow belongs to the same actor.
What makes a two-hop path meaningful
A good two-hop methodology is evidence-based rather than purely geometric. Teams should evaluate:
- transaction timing: close sequencing suggests coordination
- wallet structure: funnel accounts and empty transit wallets are more suspicious
- asset continuity: did the same asset move through the chain, or was there a real ownership-changing swap?
- service boundaries: did the path pass through an exchange, bridge, OTC desk, or protocol that breaks attribution confidence?
- behavior recurrence: is this a one-off edge case or a repeat pattern across many flows?
When those signals line up, two-hop analysis becomes far more informative than a raw “distance from risk” score. It starts to answer the operational question that matters: does this path plausibly represent continued exposure, or has the risk signal become too attenuated to drive action?
How to use two-hop exposure in policy
Two-hop exposure should not automatically equal rejection. It should drive a calibrated response. For many programs, that means a tiered model:
- direct sanctioned exposure: block or stop immediately
- strong one-hop exposure: enhanced review before release
- strong two-hop exposure with time and behavior coherence: manual escalation or tighter limits
- weak two-hop exposure through noisy intermediaries: note, monitor, but do not overreact
The important part is documentation. If you flag two-hop risk, you should be able to explain why that path remained meaningful. If you do not flag it, you should be able to explain what broke attribution confidence. A regulator or auditor does not only care that you used a tool. They care that your methodology makes sense.
Why two-hop matters even more in DeFi and cross-chain flows
Modern laundering rarely stays within one asset or one chain. Funds move through decentralized exchanges, bridges, wrapped assets, and liquidity routes that were never designed around traditional compliance visibility. Treasury’s 2023 DeFi risk assessment explicitly noted that illicit actors use DeFi services to transfer and launder proceeds and exploit weak controls.
In that environment, direct-only screening ages badly. If a wallet receives Tether today, the risk may sit one or two steps back in Ether, a bridge asset, or an upstream service. Two-hop analysis is often the minimum viable layer that reveals the real picture.
A practical implementation model
If you are building two-hop monitoring into an existing workflow, start with a narrow design:
- Define which risk categories justify indirect tracing.
- Require analysts to stop at known omnibus services unless another control restores attribution confidence.
- Use timing and behavioral context to separate meaningful chains from weak historical adjacency.
- Record the rationale every time a two-hop signal changes the case outcome.
- Review false positives monthly and recalibrate thresholds.
That approach keeps the program practical. It prevents alert fatigue while still acknowledging that many of the most consequential crypto risks are not direct.
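A minimal implementation of the rules laid out in the last three sections (stopping at omnibus services, using timing coherence to separate strong from weak chains, and mapping findings onto the tiered response), added here as an illustration and not FreezeRadar's or any vendor's code. It assumes a flat list of (source, destination, timestamp) transfers, a label set in which `service` marks omnibus wallets that end tracing, and a one-hour coherence window; the addresses, labels and timestamps are constructed, and the strong/weak cutoff is an assumption, not a standard.

```python
from collections import defaultdict, deque
LABELS = {"0xSANC": "sanctioned", "0xMIX": "high_risk", "0xOMNI": "service"}  # constructed labels
T0 = 1_700_000_000  # constructed base timestamp, seconds
TRANSFERS = [  # constructed (src, dst, ts) rows; one scenario per customer
    ("0xSANC", "CUST_E", T0),                                                # direct sanctioned
    ("0xMIX", "0xT1", T0), ("0xT1", "CUST_A", T0 + 600),                      # one intermediary, 10 min
    ("0xSANC", "0xT3", T0), ("0xT3", "0xT2", T0 + 300), ("0xT2", "CUST_B", T0 + 900),          # two, tight
    ("0xSANC", "0xT5", T0), ("0xT5", "0xT4", T0 + 60 * 86400), ("0xT4", "CUST_C", T0 + 61 * 86400),  # two, stale
    ("0xSANC", "0xOMNI", T0), ("0xOMNI", "CUST_D", T0 + 60),                  # omnibus service in between
]
RANK = ["clear", "monitor", "escalate", "enhanced_review", "block"]

def trace_upstream(transfers, customer, max_intermediaries=2):
    """Walk inbound transfers upstream through at most `max_intermediaries` wallets, never through
    a 'service' wallet. Returns (wallet, label, intermediaries, max_gap_seconds) per finding."""
    inbound = defaultdict(list)
    for src, dst, ts in transfers:
        inbound[dst].append((src, ts))
    findings, queue = [], deque([(customer, 0, None, 0)])
    while queue:
        wallet, depth, out_ts, max_gap = queue.popleft()
        for src, ts in inbound[wallet]:
            if out_ts is not None and ts > out_ts:
                continue  # arrived after the outflow it would have to fund: not on this path
            gap = max_gap if out_ts is None else max(max_gap, out_ts - ts)  # longest delay on path
            label = LABELS.get(src)
            if label in ("sanctioned", "high_risk"):
                findings.append((src, label, depth, gap))
            elif label == "service":
                findings.append((src, "service_boundary", depth, gap))  # record it, stop tracing
            elif depth < max_intermediaries:
                queue.append((src, depth + 1, ts, gap))
    return findings

def tier(findings, coherence_window=3600):
    """Map findings to the tiered response; a path whose longest gap exceeds the window is weak."""
    best = "clear"
    for _wallet, label, intermediaries, max_gap in findings:
        if label == "service_boundary": continue  # noted for the analyst, not scored as a path
        if intermediaries == 0 and label == "sanctioned":
            t = "block"
        elif max_gap > coherence_window:
            t = "monitor"  # weak chain: note and watch, do not overreact (assumed cutoff)
        elif intermediaries <= 1:
            t = "enhanced_review"  # direct high-risk or strong one-hop (assumed mapping)
        else:
            t = "escalate"  # strong two-hop with coherent timing
        best = max(best, t, key=RANK.index)
    return best
```

Recording `service_boundary` findings alongside scored ones is what lets the case file explain what broke attribution confidence when no action is taken.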
The bottom line
Two-hop exposure analysis is not about making every wallet guilty by association. It is about refusing to confuse direct-only screening with comprehensive risk management. In crypto, meaningful exposure often survives a single intermediary. Sometimes it survives two. Sometimes it collapses because the path crossed a service boundary or a true ownership change. Your job is to tell the difference.
When a program can explain that difference clearly, two-hop analysis stops being a buzzword and becomes what it should be: a disciplined way to reduce blind spots without inventing risk that is not there.
Sources
- Indirect risk (TRM Labs)
- Sanctions screening & hops in crypto transactions: ensuring detection of sanctions risks (Elliptic)
- Sanctions Compliance Guidance for the Virtual Currency Industry (OFAC)
- June 2025 Product Highlights: Upgrades For Expanded Indirect Exposure and More (TRM Labs)
By FreezeRadar Team
Research and product team behind FreezeRadar.