StableAML: Machine Learning for Behavioral Wallet Detection in Stablecoin Anti-Money Laundering on Ethereum

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Global illicit fund flows exceed an estimated $3.1 trillion annually, with stablecoins emerging as a preferred laundering medium due to their liquidity. While decentralized protocols increasingly adopt zero-knowledge proofs to obfuscate transaction graphs, centralized stablecoins remain critical “transparent choke points” for compliance. Leveraging this persistent visibility, this study analyzes an Ethereum dataset and uses behavioral features to develop a robust AML framework. Our findings demonstrate that domain-informed tree ensemble models achieve a higher Macro-F1 score, significantly outperforming graph neural networks, which struggle with the increasing fragmentation of transaction networks. The model’s interpretability goes beyond binary detection, successfully dissecting distinct typologies: it differentiates the complex, high-velocity dispersion of cybercrime syndicates from the constrained, static footprints left by sanctioned entities. This framework aligns with the industry shift toward deterministic verification, satisfying the auditability and compliance expectations under regulations such as the EU’s MiCA and the U.S. GENIUS Act while minimizing unjustified asset freezes. By automating high-precision detection, we propose an approach that effectively raises the economic cost of financial misconduct without stifling innovation.


💡 Research Summary

The paper “StableAML: Machine Learning for Behavioral Wallet Detection in Stablecoin Anti‑Money Laundering on Ethereum” addresses the growing problem of illicit fund flows that increasingly exploit centralized stablecoins such as USDT and USDC. While prior AML research on blockchain has largely focused on native assets (Bitcoin, Ether) and employed graph‑based techniques, the authors argue that stablecoin ecosystems present unique challenges: token‑level mechanisms (freezing, black‑listing), privacy‑preserving protocols (zero‑knowledge mixers), and frequent cross‑chain hops fragment transaction graphs, reducing the effectiveness of Graph Neural Networks (GNNs).

To overcome these obstacles, the authors construct a novel, large‑scale labeled dataset called StableAML. They extract all Transfer events emitted by the official USDT and USDC contracts on Ethereum from 28 Nov 2017 to 8 Aug 2025, yielding roughly 120 million token transfers. Transfer events are preferred over raw transactions because they capture the true economic movement between sender and receiver, even when relayer contracts are involved. Labels are derived from three sources: public reports on Etherscan, threat intelligence from security firms (e.g., SlowMist, PeckShield), and the U.S. Office of Foreign Assets Control (OFAC) Specially Designated Nationals list. The resulting dataset contains three classes—suspicious/malicious and benign—reflecting a realistic class imbalance.

Feature engineering produces 68 domain‑specific attributes grouped into four categories: (1) Interaction Features (frequency of contacts with freezing contracts, blacklist queries, etc.), (2) Derived Network Features (centrality, clustering coefficients, degree statistics derived from the wallet‑level transaction graph), (3) Transfer‑based Features (average amount, multi‑hop dispersion ratio, burstiness), and (4) Temporal & Direct Features (time‑of‑day activity, daily active windows, sudden spikes). These features are designed to capture intrinsic wallet behavior without relying on a dense, uninterrupted graph structure.
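To make the idea of per-wallet behavioral features concrete, the following is an added example (not code from the paper or its authors) that derives a handful of tabular features from Transfer-event records without building a connected graph. The feature definitions (Goh-Barabasi burstiness, a one-hop fan-out ratio as a stand-in for dispersion, a 00:00-05:59 UTC off-peak window) and all sample events and addresses are assumptions constructed for illustration; the summary does not give the paper's exact formulas.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Transfer events: (unix_ts_utc, sender, receiver, amount).
# Addresses are shortened placeholders, not real wallets.
TRANSFERS = [
    (1700014400, "0xA", "0xB1", 5000.0),   # rapid fan-out at ~02:13 UTC
    (1700014430, "0xA", "0xB2", 5000.0),
    (1700014460, "0xA", "0xB3", 5000.0),
    (1700014490, "0xA", "0xB4", 5000.0),
    (1700057600, "0xC", "0xD", 120.0),     # one counterparty, daily cadence
    (1700144000, "0xC", "0xD", 80.0),
    (1700230400, "0xC", "0xD", 100.0),
    (1700400000, "0xD", "0xA", 20000.0),
]
OFF_PEAK_HOURS = range(0, 6)  # assumption: 00:00-05:59 UTC is off-peak

def burstiness(timestamps):
    """Goh-Barabasi B = (sigma - mu) / (sigma + mu) over inter-event gaps.
    -1 is perfectly regular, about 0 is Poisson-like, towards 1 is bursty."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return 0.0  # too few events to measure regularity
    mu, sigma = mean(gaps), pstdev(gaps)
    return (sigma - mu) / (sigma + mu) if sigma + mu else 0.0

def wallet_features(transfers):
    """Return {wallet: feature dict} using only that wallet's own transfers."""
    sent, received = defaultdict(list), defaultdict(list)
    for ts, src, dst, amt in transfers:
        sent[src].append((ts, dst, amt))
        received[dst].append((ts, src, amt))
    features = {}
    for wallet in set(sent) | set(received):
        out, inc = sent[wallet], received[wallet]
        times = sorted(t for t, _, _ in out + inc)
        amounts = [a for _, _, a in out + inc]
        avg = mean(amounts)
        features[wallet] = {
            "n_out": len(out),
            "n_in": len(inc),
            # one-hop stand-in for dispersion: distinct recipients per send
            "fan_out_ratio": len({d for _, d, _ in out}) / len(out) if out else 0.0,
            "mean_amount": avg,
            "amount_cv": pstdev(amounts) / avg if avg else 0.0,
            "burstiness": burstiness(times),
            "off_peak_share": sum((t // 3600) % 24 in OFF_PEAK_HOURS for t in times) / len(times),
        }
    return features
```

On the constructed data, wallet `0xA` shows the fast, wide, off-peak pattern while `0xC` shows a single counterparty on a regular cadence; rows like these are what a tree ensemble would consume as tabular input.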

The modeling phase compares four state‑of‑the‑art tree‑based ensembles—XGBoost, LightGBM, CatBoost, and Random Forest—against several representative GNNs (GraphSAGE, GAT, GCN). Hyper‑parameter optimization is performed via nested cross‑validation. Results show that LightGBM achieves the highest Macro‑F1 score of 0.87, with precision 0.91 and recall 0.84, whereas the best GNN attains only about 0.71 Macro‑F1. The authors attribute GNN underperformance to (a) graph fragmentation caused by token‑level freeze/blacklist events, and (b) deliberate privacy layers (ZK‑proof mixers) that break edge continuity, both of which impair message passing. In contrast, tree ensembles thrive on the rich, tabular behavioral signals.

Interpretability is addressed through SHAP analysis. The most influential features include: high‑frequency multi‑hop transfers, interaction counts with freeze/blacklist contracts, abnormal activity during off‑peak hours, and large variance in transferred amounts. By clustering SHAP explanations, the authors identify two dominant laundering typologies: (i) “high‑velocity dispersion” typical of cyber‑crime syndicates that rapidly spread funds across many intermediate wallets, and (ii) “static footprint” associated with sanctioned entities that exhibit limited address diversity and more regular transaction patterns. This nuanced typology provides regulators and compliance teams with actionable insights beyond a binary risk flag.

Regulatory relevance is discussed in depth. The framework aligns with the EU’s Markets in Crypto‑Assets (MiCA) regulation and the U.S. GENIUS Act, both of which demand transparent, auditable transaction records for stablecoins. By delivering a risk score together with an explanatory feature set, StableAML can be integrated into mandatory reporting pipelines, enabling deterministic compliance checks while minimizing unnecessary asset freezes. The authors argue that automated, high‑precision detection raises the economic cost of illicit activity without stifling legitimate innovation in DeFi and Web3.

In conclusion, the paper makes three key contributions: (1) the creation of the first large‑scale, stablecoin‑focused labeled dataset, (2) empirical evidence that behavior‑centric tree ensembles outperform graph‑centric models in fragmented stablecoin networks, and (3) a transparent, policy‑compatible AML solution that differentiates distinct laundering strategies. Future work is suggested on (a) extending features to handle emerging zero‑knowledge privacy layers, (b) incorporating cross‑chain stablecoin flows for a multi‑modal AML view, and (c) deploying lightweight models for real‑time streaming environments.

