Typologies · Red Flags · §104(d)

Suspicious Transaction Patterns

The GENIUS Act §104(d)(3) mandate is clear: PPSIs must detect behavioral patterns that signal potential money laundering. Structuring, layering, round-tripping, and chain-hopping are the typologies every KYT system must monitor. This guide maps each pattern to detection methods and infrastructure.


Pattern Detection Framework

Why Transaction Patterns Matter

The compliance reality: Recognizing transaction patterns is central to §104(d)(3) behavioral pattern detection. These are the typologies that KYT systems must detect.

  • §104(d)(3) mandate — PPSIs must identify structuring, layering, and other patterns that indicate potential money laundering
  • Beyond single transactions — Pattern detection requires analyzing sequences of transactions, not just individual ones
  • Cross-chain complexity — Bridge-hopping and protocol migration add another detection dimension
  • Vendor coverage varies — Chainalysis, Elliptic, and TRM each specialize in different pattern types

Transaction Typologies

High-Risk, Medium-Risk, and Investigative Patterns

High-Risk Patterns

Structuring (Smurfing)

Breaking large transactions into amounts just below the $3K reporting threshold. Multiple transactions from the same source within 24h.

Red flags: >5 txns <$3K, same wallet, 24h window
§104 ref: §104(d)(3) + §104(e)(1)

Layering

Moving funds through multiple intermediary wallets to obscure origin. Each hop adds distance from source.

Red flags: 3+ hops, rapid timing, no economic logic
§104 ref: §104(d)(3)

Round-Tripping

Funds move A→B→C→A in a cycle. Creates appearance of legitimate commerce or arbitrage.

Red flags: Circular fund path, value loss at each hop
§104 ref: §104(d)(3)

Medium-Risk Patterns (Higher Confidence Needed)

Rapid Movement

Large amounts moving through 3+ hops in less than 1 hour. Speed suggests automated laundering.

Red flags: >$10K, <1 hour, 3+ intermediate wallets
§104 ref: §104(d)(1) + §104(d)(3)

Chain Hopping

Moving funds across blockchains via bridges to evade single-chain monitoring. Requires cross-chain visibility.

Red flags: Multiple bridge txns, chain switching, >2 protocols
§104 ref: §104(d)(4)

Mixer/Tumbler Usage

Funds passing through known mixing services (Tornado Cash, etc.). Direct obfuscation intent.

Red flags: Transaction to known mixer address, output timing variance
§104 ref: §104(d)(3)

Low-Risk / Investigative Patterns (Requires Context)

Dormant Account Activation

Long-dormant wallet suddenly active with large transfers. Trigger for KYC re-verification under §104(d)(2).

Red flags: 6mo+ dormancy, sudden >$10K activity
§104 ref: §104(d)(2)

Unusual Time Patterns

Transactions concentrated during off-business hours or specific timezone patterns. May indicate automated or geographically displaced activity.

Red flags: 10+ txns midnight-4am, inconsistent timezone
§104 ref: §104(d)(3)
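
The structuring and round-tripping red flags above, expressed as detection logic over a transfer ledger. This is an added example, not code from this page or from any vendor; the record fields (`id`, `src`, `dst`, `usd`, `ts`), the function names, the `max_hops` limit and the sample ledger are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIMIT_USD, MIN_COUNT, WINDOW = 3_000, 6, timedelta(hours=24)  # ">5 txns <$3K ... 24h"

def find_structuring(transfers):
    """{wallet: [tx ids]} for senders with >5 sub-$3K transfers in any 24h window."""
    by_sender = defaultdict(list)
    for t in transfers:
        if t["usd"] < LIMIT_USD:
            by_sender[t["src"]].append(t)
    hits = {}
    for wallet, txs in by_sender.items():
        txs.sort(key=lambda t: t["ts"])
        start = 0
        for end in range(len(txs)):
            while txs[end]["ts"] - txs[start]["ts"] > WINDOW:
                start += 1          # slide the window forward until it spans <= 24h
            if end - start + 1 >= MIN_COUNT:
                hits[wallet] = [t["id"] for t in txs[start:end + 1]]
                break
    return hits

def find_round_trips(transfers, max_hops=4):
    """Paths of 3..max_hops transfers that return to the origin wallet.
    Each hop must be no earlier than the previous one and must not gain value."""
    out = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t["ts"]):
        out[t["src"]].append(t)
    cycles = []
    def walk(origin, path):
        last = path[-1]
        for nxt in out[last["dst"]]:
            if nxt["ts"] < last["ts"] or nxt["usd"] > last["usd"] or nxt in path:
                continue
            if nxt["dst"] == origin and len(path) >= 2:
                cycles.append([p["id"] for p in path] + [nxt["id"]])
            elif len(path) < max_hops - 1:
                walk(origin, path + [nxt])
    for t in transfers:
        walk(t["src"], [t])
    return cycles

# Constructed sample ledger (not real data); field names are assumptions.
T0 = datetime(2025, 1, 1)
def tx(i, src, dst, usd, minutes):
    return {"id": i, "src": src, "dst": dst, "usd": usd, "ts": T0 + timedelta(minutes=minutes)}
SAMPLE = ([tx(f"s{i}", "wS", f"wX{i}", 2_900, 60 * i) for i in range(6)]      # 6 in 5h
          + [tx("r1", "wA", "wB", 10_000, 0), tx("r2", "wB", "wC", 9_950, 10),
             tx("r3", "wC", "wA", 9_900, 20)])                                # A->B->C->A
```

Both functions work on a single chain's ledger; the chain-hopping pattern needs bridge transfers normalised into the same record shape before either check can see across chains.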

Vendor Capabilities

How Chainalysis, Elliptic, and TRM Detect Each Pattern

Each vendor covers different pattern types with varying confidence levels. On-chain detection is limited to simple heuristics.

Pattern Chainalysis Elliptic TRM On-Chain
Structuring (Smurfing)
Layering
Round-Tripping
Rapid Movement
Chain Hopping
Mixer/Tumbler Usage
Dormant Account Activation
Unusual Time Patterns
Legend: ✓ = Full coverage · ◐ = Partial/context-dependent · ✗ = Limited or unavailable

Regulatory Alignment

Mapping Patterns to §104(d) Obligations

The obligation: PPSI monitoring systems must have the capability to detect AND report these patterns. Detection without reporting capability fails the compliance requirement.

§104(d)(1) — Real-Time Monitoring
Every customer transfer must be screened in real time. This includes structuring, rapid movement, and mixer usage patterns.

§104(d)(2) — Risk-Based Re-Verification
When a transaction triggers a risk threshold (including dormant account activation), the PPSI must re-verify the customer's identity. This is the KYT→KYC feedback loop.

§104(d)(3) — Behavioral Pattern Detection
PPSIs must identify and flag structuring, layering, round-tripping, and other multi-transaction patterns. This is the core pattern detection mandate.

§104(d)(4) — Cross-Chain Tracking
Transfers across bridge protocols and chain hops must be tracked and monitored. Chain hopping patterns must be detectable.
