Back to Blog

OFAC Sinaloa Cartel Sanctions: On-Chain Fund Tracing

Phalcon ComplianceMetaSleuth
June 11, 2026
5 min read
Key Insights

We traced the six sanctioned addresses with MetaSleuth, and the money moves almost entirely through centralized exchange deposit addresses.

BlockSec Research · June 2026

On May 20, 2026, the U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned a group of individuals and entities tied to Mexico's Sinaloa Cartel, accusing them of providing money-laundering support for fentanyl trafficking: collecting drug cash inside the United States, converting it into cryptocurrency, and moving the funds back to Mexico through cross-border transfers. The action continues the U.S. enforcement posture that followed the designation of major cartels as terrorist organizations, treating fentanyl funding networks as a form of narco-terrorist financing.

Two of the sanctioned individuals left especially clear on-chain trails. One is Armando de Jesus Ojeda Aviles, whom OFAC identifies as a key money-laundering coordinator for the cartel's Los Chapitos faction, responsible for turning U.S. drug cash into crypto and moving it back to Mexico. The other is Rodrigo Alarcon Palomares, a member of Ojeda Aviles's network who handles cash collection inside the U.S. and also takes part in the crypto laundering. Together they account for six Ethereum addresses on the sanctions list.

A note on sourcing: the background on these individuals and the sanctions designations come from Treasury's public announcement. Every conclusion below about the structure and scale of the funds comes from BlockSec's own on-chain reconstruction of the sanctioned addresses using MetaSleuth.

Five sanctioned addresses, and how the drug money washes back into exchanges

The five sanctioned addresses under Ojeda Aviles are not independent wallets. On-chain, they form a laundering network with clear upstream and downstream relationships. Once we pulled the five addresses onto a single MetaSleuth graph, the structure was obvious: three of them are Binance deposit addresses, and the other two sit upstream of those three. Exchanges appear throughout the graph, with funds flowing in directly or indirectly from multiple exchanges, passing through these addresses, and ending up washed back into exchanges.

figure-1-ojeda-network.png
figure-1-ojeda-network.png

Figure 1. The fund network of Ojeda Aviles's five sanctioned addresses (the graph plots the higher-value paths, not every transaction): funds enter from multiple exchanges, pass through the addresses, and wash back into Binance. (Source: BlockSec MetaSleuth)

The three Binance deposit addresses that act as the collection point alone handled more than $4 million, and MetaSleuth flags this cluster as Critical. In other words, the network's real scale is larger; these three addresses are only the part that is directly visible.

What stands out most is the two upstream addresses. Beyond feeding the sanctioned Binance deposit addresses, their funds also flow to two additional Binance deposit addresses that have not been sanctioned. Based on the fund paths and behavior, these two are very likely part of the same laundering network; they simply have not appeared on OFAC's list yet. This is precisely the value of on-chain analysis over a sanctions list: the list gives you the known nodes, while following the on-chain flows often lets you fill in the nodes the list missed.

figure-2-binance-deposit-cluster.png
figure-2-binance-deposit-cluster.png

Figure 2. The upstream addresses not only feed the sanctioned Binance deposit addresses but also connect to two not-yet-sanctioned deposit addresses that are likely part of the same network. (Source: BlockSec MetaSleuth)

MetaSleuth graph for the Ojeda Aviles network (showing the higher-value paths, not every transaction): https://metasleuth.io/result/eth/0x038989cbb1710c72b9920dc4fa529158f463e72c?source=0ac18a5e-1134-4ee1-b03a-ebae63a0337c

The cash collector's address is simply a Coinbase account

By comparison, Alarcon Palomares, who handles cash collection inside the U.S., has a simpler on-chain profile that is even more telling. His sanctioned address is itself a Coinbase deposit address: funds come mostly from Coinbase and mostly go back to Coinbase.

figure-3-alarcon-coinbase.png
figure-3-alarcon-coinbase.png

Figure 3. Fund flows for the Alarcon Palomares sanctioned address: essentially a Coinbase deposit address, with funds moving in and out of Coinbase. (Source: BlockSec MetaSleuth)

That means this role's laundering activity happens mainly inside a centralized exchange with a full KYC process, likely behind an account that has completed identity verification. Unlike Ojeda Aviles's multi-hop network, the cash-collection leg has short fund paths and concentrated counterparties, which is exactly the kind of activity that compliance screening is best positioned to catch and stop.

MetaSleuth view of the Alarcon Palomares sanctioned address: https://metasleuth.io/result/eth/0xaC4cC4B68ea24BbFAAC8fD127B67Ed445ACcCE22?source=c5a43e44-8fb3-4e6f-ac52-a3e860ee4249

What the on-chain graph tells us

Putting the two individuals' fund paths side by side, a few facts matter more than any single number.

First, this fentanyl laundering chain relies heavily on centralized exchanges. Whether it is Ojeda Aviles's three Binance deposit addresses or Alarcon Palomares's Coinbase deposit address, funds move in and out through exchange deposit channels rather than through mixers or complex cross-chain bridges. The exchange deposit step remains the key node where drug money gets on-chain and is cashed out.

Second, a sanctions list is a starting point, not the full picture. The two not-yet-sanctioned Binance deposit addresses connected to Ojeda Aviles's upstream remind us that a laundering network's on-chain footprint is often larger than what enforcement can publicly name at any given moment. Only by treating listed addresses as seeds and reconstructing the full flow can you see the network's real boundaries.

Third, the division of labor is clear, but the paths are short. Ojeda Aviles handles aggregation and cross-border movement, and Alarcon Palomares handles cash collection. The roles differ, but neither chain's on-chain path is complex. For exchanges and payment firms, that means the risk can be identified before funds ever enter the platform.

What this means for exchanges and payment firms

The most direct reminder for virtual asset service providers is that high-risk funds can enter your platform without your knowledge. Before drug proceeds reach an exchange, they may already have passed through several layers of address transfers. Without an effective on-chain risk-identification mechanism, a platform can easily receive assets from sanctioned entities at the deposit or OTC-settlement stage, and once that happens, funds may be frozen and it can trigger regulatory investigation and licensing risk.

That is why a growing number of exchanges and payment firms are moving on-chain risk screening upstream, before funds are deposited: scoring addresses in real time and flagging whether they connect to sanctioned entities, trafficking networks, or anomalous fund paths. This kind of pre-deposit screening is shifting from a compliance nice-to-have to core infrastructure.

All individuals and addresses in this sanctions action are already in BlockSec's intelligence database, and we will keep tracking the on-chain activity of these addresses and networks. For exchanges, payment firms, and compliance teams, Phalcon Compliance provides real-time risk screening for addresses and transactions, a precise address-labeling system, and fund-flow analysis to help identify high-risk addresses and trace illicit fund sources; the network reconstruction in this piece was done with MetaSleuth, our fund-tracking investigation platform.

If you would like to run on-chain address risk screening yourself, you can try Phalcon Compliance for free at blocksec.com.

Sign up for the latest updates
Crypto Compliance Tools: A Pragmatic Purchasing Guide for VASPs

Crypto Compliance Tools: A Pragmatic Purchasing Guide for VASPs

Procurement framework for VASPs evaluating crypto compliance software. Covers AML controls, wallet screening, KYT, case management, API integration, and cost modeling, with a decision checklist for early-stage, growing, and fully licensed virtual asset service providers.

DeFi Compliance Platform Requirements: Building an On-Chain Risk Stack

DeFi Compliance Platform Requirements: Building an On-Chain Risk Stack

A technical guide for DeFi protocol teams building an on-chain compliance platform. Covers DeFi-specific stack requirements, real-time KYT, cross-chain tracing, behavioral risk scoring, alert-to-report workflow, and common operational failure points.

Blockchain Compliance Platform Architecture: 2026 VASP Regulatory Guide

Blockchain Compliance Platform Architecture: 2026 VASP Regulatory Guide

A 2026 architecture guide for VASPs building blockchain compliance platforms. Covers real-time KYT, on-chain risk scoring, address labeling, SAR automation, multi-jurisdictional rule support, and vendor evaluation criteria.

Start Real-Time AML with Phalcon Compliance

Turn Phalcon Network alerts into actions with Phalcon Compliance. Use verified blockchain intelligence to screen wallets, monitor transactions and investigate risks. This helps you respond quickly and stay compliant in the digital assets ecosystem.

Get Started with Phalcon Compliance
Contact Sales
Phalcon Compliance

Go Deeper with MetaSleuth Investigation

Extend your crypto compliance capabilities with Blocksec's MetaSleuth Investigation, the first platform for tracing funds, mapping transaction networks and revealing hidden on-chain relationships.

Move from detection to resolution faster with clear visual insights and evidence-ready workflows across the digital assets ecosystem.

MetaSleuth Investigation