Settlements whose recipient or sender is on a public hacker / sanctions feed: Bybit hack tracker, OFAC SDN, and tayvano/lazarus-bluenoroff-research (~322 incidents).
The April 21–22 2026 spike is the KelpDAO laundering: ~75 K ETH swapped to BTC via THORChain in 36 hours.
The canonical affiliate resolution from the affiliates page applied to each illicit swap. Categories: frontend, wallet, aggregator, or unattributed (no affiliate registered — the user interacted with the chain directly).
A swap is flagged when its recipient_address or sender_address matches a row in the flagged_addresses table. Address comparison is lowercase-on-lowercase; both sides are normalised on insert.
USD estimate uses stored prices where available and falls back to a recent conservative spot ($80 K BTC, $2.3 K ETH, $200 SOL). Stablecoins counted 1:1. Native protocol tokens (RUNE, FLIP, NEAR) valued at 0 — the figure is a floor.
Direction. A flagged sender on an ETH→BTC swap means a known bad actor is laundering stolen ETH into BTC; a flagged recipient means the swap output is going to a known bad actor.
Not exhaustive. The public sources we use catch a small fraction of the wallets tagged in proprietary feeds. The lazarus-bluenoroff-research catalog also mixes victim addresses with hacker addresses; manual classification would improve precision.