This is the article I wish existed when I first encountered a case where the money moved but there were no transfer edges connecting sender to receiver.
In March 2026, a study documented a real transaction where roughly 38.2 million USDC were converted to 38.1 million DAI through a limit order. Three distinct roles were involved: a phishing-labeled address that signed the order (the principal), an independent MEV bot that executed it on-chain (the executor), and a separate address that received the DAI (the beneficiary). If you only look at the transfer graph, you can't see the economic relationship between the principal and the beneficiary. There's no direct line connecting them.
This is what I call the PEB problem — Principal, Executor, Beneficiary separation. And it's breaking traditional AML tracing.
How it works in practice
Take that limit-order example. The principal signs an off-chain intent: "I want to swap 38.2M USDC for DAI." An MEV bot spots the order and fills it on-chain. The bot borrows DAI via an Aave flash loan, uses it to fill the order through 1inch, swaps the received USDC back to DAI on Uniswap, delivers the DAI to the beneficiary, and repays the flash loan — all in one atomic transaction.
On-chain, you see transfers from the principal to the bot and from the bot to the beneficiary. But no single transfer path encodes the actual economic relationship. If you're tracing based on transfer edges alone, you'll either miss the connection entirely or follow the wrong trail.
Why transfer graphs break down
Traditional blockchain forensics assume that token transfers reliably show where value went. That assumption worked when crypto was mostly wallet-to-wallet payments. It falls apart in composable DeFi.
Value can migrate through contract state changes — AMM reserve rebalancing, for example — without creating a transfer edge from A to B. A cross-pool arbitrage can relocate value from one address to another through intermediary pool interactions, and the only thing the transfer graph shows is movements to and from contract addresses. The actual economic causality is encoded in the execution logic, not the transfers.
This isn't edge-case behavior. It's how DeFi works by design. Limit orders, flash loans, cross-chain bridges, MEV searchers — all of them can decouple who initiates a transaction from who benefits.
What this means for investigations
If you're doing AML tracing on a case that involves DeFi protocols, transfer-layer analysis is a starting point, not a conclusion. You need to look at what contracts actually did — the internal call sequence, the state changes, the execution semantics — to understand where value ended up.
This is harder than traditional tracing. It requires reading execution traces, understanding AMM invariants, and recognizing patterns like flash-loan-mediated fills. But without it, you're working with an incomplete picture, and your attribution claims won't hold up.
The practical shift: move from "which address sent tokens to which address" to "which economic intent was executed, by whom, and who benefited." That's a fundamentally different question, and answering it requires different tools and skills.