Sanctuary Research

The cross-source overlap calculation aggregates across our production threat-intelligence dataset: count the distinct wallet identifiers flagged in at least two of the five named sources (Tayvano Lazarus, OpenSanctions, OFAC SDN Advanced, Tether blacklist, USDT blacklist).
The result: 3,378.
The query identifies wallet identifiers that appear in at least two distinct sources from the five-source set. The identifiers are stored as privacy-preserving hashes; what we extract for this analysis is the count, the chain distribution, and the entity-type distribution of the intersection — not the raw addresses, which remain inside the analytics pipeline.
Why these five sources: each represents a different threat-intel pipeline with independent collection. Tayvano Lazarus is curated by independent security researcher Taylor Monahan based on her tracing work plus law-enforcement coordination. OpenSanctions aggregates from approximately 250 source lists worldwide. OFAC SDN Advanced is the canonical US sanctions list with crypto-address enrichment. The Tether and USDT blacklist sources are issuer-level freeze records from on-chain monitoring.
When a wallet appears in two of these sources, the appearance is independent evidence. The wallet was identified by different methodologies, with different operational pipelines. The convergence is structurally meaningful.
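The aggregation described above, written out as SQLite queries over a constructed flags table (an added illustration, not the pipeline's own code): the at-least-two-sources count with its chain and entity-type distributions, plus a general two-set intersection that also covers the targeted pairwise aggregations reported later in this article. The source labels, column names and sample hashes are assumptions.

```python
import sqlite3
from collections import Counter

# Constructed sample rows (wallet_hash, source, chain, entity_type); the hashes
# are placeholders for the privacy-preserving identifiers the pipeline stores.
FLAGS = [
    ("h1", "tayvano_lazarus",   "ethereum", "state_actor"),
    ("h1", "tether_blacklist",  "ethereum", "state_actor"),
    ("h1", "ofac_sdn_advanced", "ethereum", "state_actor"),
    ("h2", "tayvano_lazarus",   "ethereum", "state_actor"),
    ("h2", "usdt_blacklist",    "ethereum", "state_actor"),
    ("h3", "tayvano_lazarus",   "bitcoin",  "state_actor"),
    ("h3", "tayvano_lazarus",   "bitcoin",  "state_actor"),  # duplicate row, one source
    ("h5", "ransomwhere",       "bitcoin",  "ransomware"),
    ("h5", "lockbit_leak",      "bitcoin",  "ransomware"),   # two sources, neither in the five
    ("h6", "opensanctions",     "tron",     "sanctioned_entity"),
    ("h6", "ofac_sdn_advanced", "tron",     "sanctioned_entity"),
]
FIVE_SOURCES = ("tayvano_lazarus", "opensanctions", "ofac_sdn_advanced",
                "tether_blacklist", "usdt_blacklist")

def load(rows=FLAGS):
    """Load flag rows into an in-memory SQLite table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE flags(wallet_hash TEXT, source TEXT, chain TEXT, entity_type TEXT)")
    con.executemany("INSERT INTO flags VALUES (?,?,?,?)", rows)
    return con

def cross_source_core(con, sources=FIVE_SOURCES, min_sources=2):
    """Wallets flagged by at least min_sources *distinct* sources within `sources`
    (duplicate rows from one source count once). Returns (count, chain_dist, entity_dist)."""
    marks = ",".join("?" * len(sources))
    rows = con.execute(f"""
        SELECT wallet_hash, MIN(chain), MIN(entity_type)
        FROM flags WHERE source IN ({marks})
        GROUP BY wallet_hash
        HAVING COUNT(DISTINCT source) >= ?""", (*sources, min_sources)).fetchall()
    return (len(rows),
            dict(Counter(chain for _, chain, _ in rows)),
            dict(Counter(etype for _, _, etype in rows)))

def overlap(con, set_a, set_b):
    """Distinct wallets flagged by at least one source in set_a AND one in set_b."""
    ma, mb = ",".join("?" * len(set_a)), ",".join("?" * len(set_b))
    return con.execute(f"""
        SELECT COUNT(*) FROM (
            SELECT wallet_hash FROM flags WHERE source IN ({ma})
            INTERSECT
            SELECT wallet_hash FROM flags WHERE source IN ({mb}))""",
        (*set_a, *set_b)).fetchone()[0]
```

On the sample, `h3` is excluded from the core because two rows from the same source are one source, and `h5` is excluded because neither of its sources is in the five-source set.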
A second targeted aggregation: how many wallets are flagged in **both** the Tayvano Lazarus list **and** the Tether blacklist (either of the Tether or USDT freeze-record sources)?
Result: **60**.
Sixty wallets are simultaneously on the Lazarus DPRK attribution list and the Tether freeze list. These are wallets that:
1. Were identified by Taylor Monahan as DPRK / Lazarus-attributed through her tracing methodology.
2. Were independently identified by Tether's compliance pipeline (via law-enforcement coordination, T3 Financial Crimes Unit, or direct OFAC liaison) as worth freezing.
The 60-wallet overlap is the operational evidence that Tether's freeze tooling is partially targeted at DPRK-attributed flows. Tether's broader cumulative freeze total since 2017 is $5.17 billion across 9,856 addresses; the 60-wallet DPRK overlap is a small fraction of that total but represents the highest-confidence DPRK component.
The economic value of the 60 wallets is not directly visible from our query (we tag at the wallet level, not the USD-value level), but the public reporting puts the Bybit/Lazarus-specific T3 freeze at $19 million as of April 2025, with no major public update since. The 60-wallet overlap is the cluster behind that $19 million.
A third targeted aggregation: how many wallets are flagged in **both** the Tayvano Lazarus list **and** Western ransomware sources (LockBit leak, Ransomwhere)?
Result: **0**.
Zero. The Lazarus / DPRK ecosystem and the Western ransomware ecosystem (LockBit, the broader Ransomwhere dataset) do not share wallets. The two ecosystems operate as structurally separate criminal economies.
This is operationally important and not, in our reading, sufficiently emphasized in public threat-intel commentary. Public discussion sometimes conflates "crypto crime" as a category, treating DPRK-state-actor theft and Western criminal ransomware as related phenomena. The zero-overlap finding confirms they are not related at the wallet level.
The structural explanations:
**Different operational pipelines.** Lazarus uses TraderTraitor-class infrastructure with custom wallets, custom Tornado Cash funding patterns, and Pyongyang-time deployment signatures. Western ransomware crews (LockBit's network) use commercially-acquired wallet tooling, mixer services aimed at Western customers (Wasabi, Samourai when active), and cash-out routes through Russian-language OTC desks.
**Different cash-out geography.** Lazarus laundering terminates at Chinese-language OTC nodes (CMLN networks per Chainalysis estimates: $16.1B in 2025). Western ransomware crews terminate at Russian-language OTC nodes operating through Garantex / Grinex / TokenSpot. The geographic separation is the load-bearing structural difference.
**Different attribution methodology.** Tayvano's Lazarus list is built from forensic tracing of specific high-profile hacks (Bybit, Drift, KelpDAO, etc.). The Ransomwhere dataset is built from victim-reported ransomware payments. The two methodologies produce disjoint wallet populations because the upstream operators are operationally separate.
A fourth query: how many Lazarus wallets are also recorded as Tornado Cash depositors in our `tornado_cash_depositor` source (the 7,708-wallet enumeration of every Tornado Cash deposit address)?
Result: **7 wallets**.
Seven. A small absolute number, and structurally meaningful. The seven wallets are the Lazarus operators who used Tornado Cash directly as a depositor — meaning they signed deposits to the protocol rather than receiving Tornado Cash outputs from upstream funded wallets.
The vast majority of Lazarus's Tornado Cash activity (per Elliptic's Bybit anniversary post and prior reporting) was as a **withdrawal recipient** — the operators received funds from existing Tornado deposits made by earlier or laundered-through wallets. The seven direct-depositor wallets are the ones that closed the loop by making fresh deposits in the laundering chain.
The signal here is the OFAC compliance position. When OFAC's August 2022 Tornado Cash designation was in effect, every Tornado depositor wallet — including these seven — became potentially subject to secondary-sanctions exposure for any counterparty processing their inflows or outflows. The Fifth Circuit's Van Loon v. Treasury ruling (November 26, 2024) and Treasury's March 21, 2025 delisting changed the framework forward, but the historical exposure remains.
A fifth query: how many wallets in our A7A5 token scan source overlap with Tether blacklist sources?
Result: **0**.
Zero overlap. Tether has not frozen any wallet in our A7A5 cluster. This is structurally interesting because the EU 20th sanctions package designates A7A5 for ban effective May 24, 2026 (nine days after this article's publication), and the underlying A7 ecosystem entities (Old Vector LLC, A7 LLC, Payeer) were OFAC-designated in August 2025.
The non-freeze by Tether is the structural illustration of the jurisdictional split. Tether's freeze pipeline acts on US-OFAC, Asian-LE, and gambling/fraud signals. EU-sanctions designations for Russian sanctions evasion have not historically been a Tether freeze category. The EU 20th package may change this — Tether's response to the May 24 effective date is one of the operationally most-watched compliance events of 2026.
For Sanctuary's screening: the A7A5 wallets carry sanctions-category flags propagated from the EU 20th-package designation regardless of the Tether-freeze status. Compliance officers screening EU-customer-touching flows should treat A7A5-cluster wallets as Critical from May 24 onward, whether or not Tether has issued a freeze.
Five structural conclusions from the cross-source analysis:
**One.** Cross-source verification is the highest-confidence sanctions signal. 3,378 wallets are independently corroborated across two-plus sources; these are the operator core. Compliance vendors should expose cross-source-verified flagging as a discrete tier in their risk model.
**Two.** DPRK and Western ransomware are structurally separate. Compliance frameworks should treat them as different categories with different freeze probabilities, different cash-out geographies, and different attribution pipelines.
**Three.** Tether's freeze tooling is selectively active. Of the 18,168 Lazarus-attributed wallets, Tether has frozen 60 — approximately 0.33 percent. The freeze is high-value when it acts but does not cover the broader cluster. Compliance frameworks should not treat Tether-blacklist coverage as sufficient on its own.
**Four.** The Tornado Cash depositor population is operationally distinct from the recipient population. Lazarus's seven direct depositors are a small fraction of Lazarus's Tornado Cash footprint. The recipient-side detection (the `tornado_cash_recipient` behavioral detector) is the operationally productive screening; the depositor-side flagging is a smaller, structurally narrower category.
**Five.** Jurisdictional sanctions disconnects produce coverage gaps. The A7A5 zero-Tether-overlap is a clear illustration. EU sanctions need to be a discrete signal in any screening engine that serves EU customers, regardless of US-OFAC or Tether-freeze coverage.
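The tiering rules from conclusions One, Three and Five, together with the A7A5 screening rule given earlier, as an added example (not Sanctuary's screening engine). The source label `a7a5_scan`, the `clear` tier, and treating an A7A5 flag as material before the effective date or on a non-EU flow are assumptions.

```python
from datetime import date

# Effective date of the EU 20th-package A7A5 designation, from the article.
A7A5_EU_BAN_EFFECTIVE = date(2026, 5, 24)
# The five independently collected sources that corroborate each other.
INDEPENDENT_SOURCES = {"tayvano_lazarus", "opensanctions", "ofac_sdn_advanced",
                       "tether_blacklist", "usdt_blacklist"}
A7A5_SOURCE = "a7a5_scan"   # assumed label for the A7A5 token-scan source

def screen(wallet_flags, customer_jurisdictions, as_of):
    """Assign a confidence tier to one wallet.

    wallet_flags: set of source labels that flag the wallet.
    customer_jurisdictions: jurisdictions touched by the flow, e.g. {"EU"}.
    as_of: date of the screening decision.
    Returns (tier, reason). Tether freeze status on its own never lowers a tier.
    """
    # EU sanctions as a discrete signal: A7A5-cluster wallets are Critical for
    # EU-customer-touching flows from the effective date, frozen by Tether or not.
    if (A7A5_SOURCE in wallet_flags and "EU" in customer_jurisdictions
            and as_of >= A7A5_EU_BAN_EFFECTIVE):
        return "critical", "EU 20th package: A7A5 designation in force"
    corroborating = sorted(wallet_flags & INDEPENDENT_SOURCES)
    if len(corroborating) >= 2:          # cross-source verified: the conclusive set
        return "conclusive", "independently corroborated by " + ", ".join(corroborating)
    if corroborating:                    # single-source flag: material, not conclusive
        return "material", "single-source flag: " + corroborating[0]
    if A7A5_SOURCE in wallet_flags:      # assumption: A7A5 before the date, or non-EU flow
        return "material", "A7A5 cluster: EU designation not yet applicable to this flow"
    return "clear", "no sanctions-source flag"   # assumed tier for unflagged wallets
```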
3,378 wallets are independently verified across multiple sanctions sources. They are the highest-confidence operator core. They are also a small fraction of the total flagged universe (1.43 million flags total).
For compliance teams: tiered confidence weighting matters. Treat single-source flags as material; treat cross-source-verified flags as conclusive. The 3,378 is the conclusive set.
For ecosystem analysis: the zero-overlap between Lazarus and Western ransomware confirms structural separation. The 60-wallet Lazarus-Tether overlap confirms Tether's selective DPRK enforcement. The zero-overlap of A7A5 and Tether confirms the EU-jurisdictional gap.
The dataset shows the structure. The structure informs the screening. The screening informs the decision.