I almost found out the hard way on test #47.
I was building an agent that pays invoices in USDC while I sleep. On the 47th test run, it sent USDC to a wallet I didn't recognize.
I checked it against the OFAC SDN list. It was there.
If that had been production, I'd be looking at a $356,000 fine — the starting penalty for an OFAC violation. The agent didn't know what OFAC was. It just saw "pay invoice #4021" and sent USDC. And it would have done it at 3 AM, repeatedly, until someone noticed.
Nobody Is Checking
Every day, more agents get the ability to send money autonomously. The payment rails are real: x402 (machine-to-machine payments over HTTP), AP2 (Google's Agent Payment Protocol), Coinbase AgentKit (USDC payments from AI agents).
None of them screen recipients against the OFAC SDN list. They move money. They do not check compliance. If your agent pays a sanctioned wallet, YOU are liable — not the protocol, not the wallet provider. You.
The Big Vendors Are Not for You
Chainalysis and Elliptic exist. Six-figure annual contracts. A sales call. A private API key. A dashboard a human logs into over coffee. That works when a compliance officer reviews transactions at 10 AM. It does not work when an agent pays an invoice at 3 AM in 200 milliseconds.
What I Built
agentmail — an OFAC sanctions screening API for AI agents. One curl call before every payment:
curl "https://agentmail-api.fly.dev/sanctions?wallet=0x742d35Cc..."
# { "clean": true, "action": "ALLOW", "latency_ms": 92 }
Covers 782 OFAC-listed crypto wallets, 19,086 SDN names, and 16 jurisdictions. Data synced hourly from the US Treasury. Under 100ms per check. Free tier: 5 checks/day. MIT-licensed. $10K legal-fee guarantee on paid plans.
One curl call. Under 100ms. Before the money moves.
Built after test #47 almost cost me $356,000. Don't let test #48 be yours.
Top comments (0)