SIXPENCE
Back to Blog
6 min read

What Happens When a Crypto Transaction Gets Flagged?

When a crypto transaction is flagged, a monitoring signal has fired and it goes for review. Here is the full lifecycle, what it means for you, and how Sixpence supports each stage.

Research

What Happens When a Crypto Transaction Gets Flagged?

Direct answer

When a crypto transaction is flagged, an automated monitoring signal has fired, for example exposure to a sanctioned or high-risk address, and the transaction is sent for review. A flag is not an accusation and not a final decision. Depending on the provider's configuration and policy, the activity can be reviewed by a compliance team, you may be asked for more information, and the outcome can range from clearing it to filing a report or restricting the activity. The path depends on the provider, the evidence, and the jurisdiction.

Why this matters

If you are an individual, a flag can feel alarming, especially when a withdrawal is paused or an account is "under review." Knowing what a flag actually is, and what usually happens next, makes the process less confusing and helps you respond well. If you run a crypto business, understanding the lifecycle helps you handle flags consistently and fairly, and document them properly.

How it works

A flag is one step in a longer process. The typical lifecycle:

  1. A signal fires. Transaction monitoring evaluates activity using multiple signals and raises an alert when something crosses a threshold the provider has set, such as exposure to a sanctioned address or a high-risk pattern.
  2. Triage. The alert is sorted. Many alerts are false positives, so this step separates routine activity from cases that need a closer look.
  3. Review and investigation. A compliance analyst examines the context: where the funds came from, the counterparties involved, and the history around the transaction.
  4. Request for information. You may be asked to explain the source of funds or provide supporting detail. Clear records help here.
  5. Outcome. Depending on policy and findings, the provider may clear the activity, file a suspicious-activity or suspicious-transaction report (SAR or STR) with the relevant authority, or restrict the activity. In some cases, sanctions rules require blocking a transaction outright.

Throughout, a risk score or alert is decision-support, not proof of wrongdoing. People apply judgement, policy, and jurisdiction to decide the outcome.

Practical example or analogy

A flag is like a smoke alarm, not a fire brigade verdict. The alarm draws attention so a person can check whether there is a real problem. Often it is cooking smoke, sometimes it is a genuine fire, and either way the point is to prompt a look, not to deliver a judgment.

Key steps or considerations

If your transaction is flagged, as an individual:

  • Do not panic. A flag is a prompt for review, not an accusation.
  • Provide clear information. If asked, explain the source of funds and share records. Clean documentation helps a review conclude.
  • Be patient with timelines. Reviews take time and vary by provider.
  • Keep your own records. Your transaction history is useful evidence.

If you run a crypto business:

  • Set clear thresholds and escalation paths before alerts arrive.
  • Document every step, so a decision can be explained later.
  • Separate triage from investigation so analysts focus on real cases.

How LedgerBrain and LedgerWatch support the flag lifecycle

Sixpence supports this lifecycle with two distinct products that do different jobs.

  • LedgerBrain raises and explains the flag. It runs 24/7 real-time transaction monitoring with automated suspicious-pattern detection and alerts, and screens addresses against OFAC, UN, and EU sanctions lists with a 0 to 100 risk score. Crucially, it surfaces the signals behind a score, such as sanctions, darknet, or mixer exposure, so a reviewer can see why the activity was flagged rather than just seeing a number. This supports the signal and triage stages.
  • LedgerWatch supports the investigation and the record. It provides a transaction graph with entity clustering, plus case files with timelines and notes, and export for SAR and STR workflows. This supports the review, documentation, and reporting stages, so a team can move from an alert to a documented outcome.

When a compliance team needs a single check inside a workflow, the same address and transaction screening is also available as a pay-per-report KYT or KYA report through the x402 API, with no account required. The goal across all of this is to make a flag explainable and the response consistent and recorded. Final decisions still depend on the organisation's policy, the evidence, and human review.

Limitations and compliance considerations

  • A flag is not a verdict. It signals that review is warranted; the outcome depends on findings, policy, and jurisdiction.
  • False positives are expected. Tuning and good data reduce them, but they cannot be eliminated, which is why human review matters.
  • Outcomes vary by jurisdiction and licence. What a provider must do with a flag, including any reporting or blocking, depends on local rules. This is general information, not legal advice.

Frequently asked questions

Why was my crypto transaction flagged? A monitoring signal fired, often exposure to a sanctioned or high-risk address, or an unusual pattern. It routes the activity for review.

Does a flag mean I did something wrong? No. A flag is a prompt for review, not an accusation or a finding.

How long does a review take? It varies by provider and complexity. Providing clear information about the source of funds can help.

Can my funds be frozen? Depending on the provider's policy and the law, some activity can be restricted or, where sanctions apply, blocked. Many flags are cleared after review.

What is a SAR or STR? A suspicious-activity or suspicious-transaction report, which a regulated provider may file with an authority when activity meets certain criteria.

Conclusion

A flagged crypto transaction means a monitoring signal fired and the activity is going for review, not that a verdict has been reached. The lifecycle runs from signal to triage to investigation to outcome, with human judgement at the centre. Sixpence supports it with LedgerBrain, which raises and explains the flag, and LedgerWatch, which carries the investigation and the record. To see how the signals and case workflow fit together, review the LedgerBrain and LedgerWatch details at sixpence.io.

Sources

All PostsBack to Home