The Exchanges Knew — Or Should Have
In 2026, cryptocurrency exchanges processed hundreds of transactions to addresses already identified as child exploitation buyers. The screening data existed. The transactions were preventable. The exchanges did nothing.
The DarkScout Intelligence database identified CSAM addresses before they were funded, flagged consumers after their first purchase, and made this intelligence commercially available. Despite this, major exchanges — Coinbase, Binance, Cash App, Kraken — continued processing transactions to known CSAM-linked addresses throughout early 2026.
This investigation uses blockchain attribution data covering 1.5 billion Bitcoin addresses and 5,225 known CSAM entities to document three distinct layers of failure: exchanges that sent customer withdrawals directly to CSAM addresses, exchanges that continued servicing customers already flagged as CSAM buyers, and the 41,170 unattributed consumer addresses that represent identifiable suspects behind KYC walls.
by exchanges in 2026
CSAM consumers in 2026
behind exchange KYC walls
The Intelligence Existed Before the Crime
The Surikata-X collection engine uses proprietary methods to identify and attribute cryptocurrency addresses used by CSAM operations. Through a combination of automated intelligence gathering and adversarial techniques that induce threat actors to expose their financial infrastructure, Surikata-X attributes addresses to criminal entities — feeding them into the DarkScout Intelligence database often before those addresses have ever been used on-chain.
For 42.4% of all funded CSAM addresses in our database, the attribution happened before the address ever received its first satoshi on the Bitcoin blockchain. The median lead time: 2.5 days. That is two and a half days where the address sat in a screening database, flagged and waiting — before any exchange customer sent money to it.
The remaining 57.6% were attributed after their first funding. As collection methods expand and adversarial coverage deepens, this gap continues to narrow.
Surikata-X identifies CSAM financial infrastructure through proprietary intelligence methods — attributing cryptocurrency addresses to criminal entities before they ever receive funding. The specifics of how addresses are collected are not disclosed. Every data point in this report originates from Surikata-X collection, stored and queried through the DarkScout Intelligence platform.
Surikata-X data is available as a real-time feed for integration into blockchain analytics platforms, compliance screening tools, and intelligence systems. If your platform screens cryptocurrency transactions and does not include Surikata-X data, your customers have a blind spot.
Layer 1: Direct Funding of CSAM Addresses
Exchange withdrawals to known CSAM entity addresses
Since January 1, 2026, exchange customers have sent Bitcoin to 459 CSAM-entity addresses — across only 52 days. Of these, 74.5% were already in the DarkScout Intelligence database before the first transaction arrived. The screening data existed. The withdrawals were processed anyway.
| Exchange | Prevention Rate | CSAM Addresses Funded 52 days · Jan 1 – Feb 21 |
|---|---|---|
| OKX | 90.0% | 10 |
| Robinhood | 88.9% | 18 |
| Binance | 81.1% | 74 |
| Revolut | 76.1% | 46 |
| Coinbase | 75.0% | 128 |
| Crypto.com | 66.7% | 12 |
| Cash App | 61.6% | 73 |
| Kraken | 53.8% | 13 |
Every exchange on this list processed withdrawals to CSAM addresses that were already flagged. The lowest prevention rate was Kraken at 53.8% — meaning even in the worst case, more than half of CSAM-destined withdrawals could have been blocked with existing screening data. At OKX, the figure was 90%.
The question for every blockchain analytics provider — Chainalysis, Elliptic, TRM Labs, Crystal, and others — is whether their CSAM coverage includes these 459 addresses. If the data existed and the exchanges' screening vendors did not surface it, the gap is in the analytics stack, not the intelligence.
Layer 2: Servicing Flagged CSAM Consumers
Exchange transactions to customers already identified as CSAM buyers
Beyond direct funding, a subtler failure: exchanges continued to send funds to customers who were already identifiable as CSAM buyers.
Here is how it works. A customer withdraws Bitcoin from an exchange and sends it to a known CSAM address. That on-chain transaction — combined with the CSAM address's attribution timestamp — creates a flag. The customer is now identifiable as a CSAM buyer. Any subsequent exchange transaction to that customer's address is preventable.
In 2026, exchanges sent 759 transactions to addresses already flagged as CSAM consumers. Of these, 81% occurred on the same day the consumer was first flagged — suggesting customers withdraw from exchanges and purchase CSAM content within hours.
| Exchange | Transactions | Within 7 Days |
Within 30 Days |
Most Recent |
|---|---|---|---|---|
| Binance | 80 | 85 | 93 | Feb 21, 2026 |
| Coinbase | 71 | 78 | 87 | Feb 20, 2026 |
| MoonPay | 60 | 65 | 71 | Feb 21, 2026 |
| Kraken | 56 | 63 | 63 | Feb 18, 2026 |
| Revolut | 38 | 34 | 39 | Feb 20, 2026 |
| ChangeNow | 36 | 34 | 46 | Feb 21, 2026 |
| Paybis | 32 | 36 | 47 | Feb 19, 2026 |
| Cash App | 26 | 17 | 25 | Feb 19, 2026 |
| Uphold | 18 | 21 | 21 | Feb 16, 2026 |
| Paxos | 15 | 21 | 21 | Feb 14, 2026 |
Of the 759 preventable transactions, 614 occurred the same day the consumer was first flagged. Another 145 came days to weeks later — meaning exchanges continued to process withdrawals to addresses already identified as CSAM buyers. The intelligence existed. The screening did not.
Note: Transaction counts above reflect distinct on-chain transactions (deduplicated by transaction ID). Where a consumer address has multiple CSAM evidence chains — for example, purchases from multiple CSAM entities — the total number of exchange-to-consumer-to-CSAM evidence connections is significantly higher. The underlying dataset (sot.csam_022126) contains the full evidence chain for each connection.
Layer 3: 41,170 Suspects Behind KYC Walls
CSAM consumer addresses that map to exchange customer accounts
Every CSAM consumer address in the database represents an individual who sent Bitcoin to a known child exploitation operation. Our analysis identified 95,950 such addresses. Of these, 41,170 are unattributed to any known service — meaning they are personal addresses likely controlled by real individuals who purchased CSAM content.
But many of these individuals also hold accounts at regulated exchanges. Those exchanges performed KYC verification — collecting government IDs, names, addresses, and contact information. The subpoena path is direct:
| Exchange | CSAM Consumer Addresses | Jurisdiction | KYC Status |
|---|---|---|---|
 Cash App | 12,648 | United States | Full KYC (Block, Inc.) |
 Coinbase | 11,332 | United States | Full KYC (NASDAQ: COIN) |
 Kraken | 2,459 | United States | Full KYC |
 Paxful | 1,707 | United States | P2P (partial KYC) |
 OKX | 1,386 | Seychelles | KYC |
 MEXC | 816 | Seychelles | KYC |
Cash App has 12,648 customer addresses that have sent Bitcoin directly to known CSAM operations. Each of these addresses maps to a Block, Inc. customer account with full identity verification. Coinbase has 11,332. Kraken has 2,459. These are not anonymous users on an obscure platform — they are verified customers of publicly traded US companies.
Following the Money: Which Chains?
Across all cryptocurrency addresses collected from CSAM operations by Surikata-X, Bitcoin dominates at 89.4%. But the distribution reveals where CSAM operators are headed next — and where screening coverage needs to expand.
Litecoin — not Ethereum — is the second most common chain overall, at 4.9% of all collected CSAM addresses vs Ethereum's 0.7%. This likely reflects Litecoin's lower transaction fees and faster confirmation times for small payments.
However, recent collection data shows the landscape shifting. In the most recent collection period, Solana has overtaken both Litecoin and Ethereum as the second most common chain, suggesting CSAM operators are following the broader market toward low-fee, high-throughput networks.
Monero — the privacy coin most associated with illicit finance — accounts for only 0.9% of collected addresses. CSAM operators overwhelmingly choose convenience and liquidity over privacy, which means the vast majority of their financial activity is traceable.
The Network Expands
Traditional blockchain analysis relies on co-spend heuristics — when two addresses appear as inputs in the same transaction, they likely share a common owner. But CSAM operators have adapted. They keep wallet clusters deliberately small, typically aggregating only a handful of subscription payments before forwarding funds to mixers or money services businesses. This minimizes the footprint available to co-spend analysis and makes traditional on-chain clustering largely ineffective against sophisticated CSAM operations.
This is precisely why Surikata-X's approach is different. Rather than working backward from on-chain activity, Surikata-X identifies CSAM addresses at the source — through the operators' own infrastructure — before clustering even becomes relevant. The attribution happens before the first transaction, not after an analyst tries to reconstruct wallet relationships from blockchain data.
And it works in both directions. Once a CSAM address is attributed, every address that has ever sent funds to it becomes a consumer lead. If that consumer address also transacted with a KYC-compliant exchange, the identity behind the purchase is one subpoena away. This is how Surikata-X attribution data generates the consumer leads described in Layer 3 — not through behavioral heuristics or transaction pattern matching, but through direct observation of payments to known CSAM infrastructure.
Where on-chain clustering does yield results, it reveals shared infrastructure. CSAM operators frequently use legitimate-appearing payment platforms like SatoshiBox to automate content delivery. A buyer pays through the platform, the CSAM content is delivered automatically, and the operator never builds their own payment system.
The On-Ramp: Fiat Gateway Services
CSAM payments also originate from fiat gateway services — platforms like Paybis and MoonPay that allow users to purchase cryptocurrency with a credit card and send it directly to a Bitcoin address in a single transaction. Our data shows both services processing transactions that funded known CSAM addresses. For a CSAM consumer who does not hold a cryptocurrency exchange account, these gateways are the path of least resistance: enter a card number, paste a CSAM address, and the funds arrive on-chain — often with minimal or no identity verification.
This matters because the consumer never opens a custodial account. There is no KYC-verified wallet, no ongoing relationship with an exchange, and no compliance team reviewing withdrawal destinations. The gateway processes a one-time purchase and the funds flow directly to the CSAM address. From the gateway's perspective, it looks like any other crypto purchase.
The Exit: Mixers and Instant Swap Services
On the cash-out side, CSAM operators move funds through Bitcoin mixers and instant swap services like ChangeNow and FixedFloat — platforms that exchange cryptocurrency with no account registration and minimal transaction limits. These services break the on-chain link between the CSAM address and the operator's personal wallet, making it significantly harder to trace the final destination of funds.
Methodology
DarkScout Intelligence Database (BigQuery): 1.5B Bitcoin addresses, 434M attributions, 35,458 entities including 5,225 CSAM entities and 34,020 CSAM-tagged addresses.
Pre-funding analysis: Compared bitcoin.aa.attribution_timestamp (when address was attributed) against actual block timestamps from bitcoin.transfers for 3,828 funded CSAM addresses.
Preventable transaction analysis: Flag date = GREATEST(consumer_tx_timestamp, csam_addr_attribution_timestamp) — the earliest moment each consumer was identifiable. Filtered to 2026 YTD. Consumer addresses with >500 exchange transactions excluded as likely unattributed services.
Limitations: Attribution timestamp may lag initial Surikata collection. USD values use $97K/BTC fixed rate. Co-spend heuristic may false-positive on CoinJoin transactions.
DarkScout Intelligence
PLATFORM
The attribution database and analytics platform powering every query in this report. Available via BigQuery and API for integration into compliance, analytics, and investigative platforms. darkscoutintel.com
The proprietary intelligence capability that feeds DarkScout. Through adversarial collection methods, Surikata-X identifies and attributes CSAM cryptocurrency addresses — often before they receive their first transaction. Available as a real-time data feed. darkscoutintel.com/datasets
Every finding in this report was derived from the DarkScout Intelligence platform, fed by Surikata-X collection — real-time CSAM address attribution, pre-funding detection, consumer identification, and wallet cluster expansion.
For blockchain analytics providers: DarkScout Intelligence data feeds plug directly into existing screening and scoring platforms. If your analytics product covers illicit finance, sanctions, or darknet attribution — and it does not include Surikata-X data — your customers have a blind spot.
For compliance teams: DarkScout screening integration, powered by Surikata-X collection, means you can block withdrawals to CSAM addresses before the first satoshi arrives. 42.4% of funded CSAM addresses were already flagged — your screening tool just needs the data.
For law enforcement and intelligence agencies: Consumer address mapping, network expansion, and full entity-level transaction data — available through the DarkScout platform for integration into investigative systems and case management.
Contact DarkScout Intelligence for data access, API integration, and partnership inquiries.