MetaMask Pre-Sign AML Screening
MetaMask shows you a confirmation popup — recipient address, amount, gas — and waits for your click. Once you sign, the transaction is irreversible. Pre-sign AML screening means checking every counterparty address and contract before you approve. Whether you use MetaMask, Rabby, Brave Wallet, or another EVM browser extension, the workflow is the same: pause, screen, then sign.
Why MetaMask does not screen AML for you
Browser wallets optimize for signing speed and broad dApp compatibility. Built-in warnings cover known phishing domains and sometimes flagged contract bytecode, but they do not perform full KYT graph analysis on recipient addresses. MetaMask will happily let you send ETH to a wallet two hops from a sanctioned mixer or approve a token spend to a drainer contract if you confirm the prompt.
That gap matters for two reasons. First, security: malicious contracts drain assets. Second, compliance: receiving tainted inbound transfers or forwarding mixed funds to a CEX can freeze your off-ramp. Pre-sign screening addresses the compliance side; hardware wallets and transaction simulators address complementary security layers.
What to screen before every signature
Not every MetaMask interaction carries the same risk. Prioritize screening for these transaction types:
- Outbound transfers — Sending ETH, USDT, or ERC-20 tokens to a human counterparty or OTC seller address.
- Inbound verification — When someone shares an address for you to pay them, screen their address before sending (they may be a mule).
- Token approvals — approve() grants a contract permission to pull tokens. Screen the spender contract; unlimited approvals to unknown deployers are high risk.
- Contract interactions — Swaps, mints, and stakes route through router contracts. Screen the pool, router, and any address receiving your funds.
- Signatures (EIP-712) — Off-chain signatures can authorize listings or permits. AML screening applies to the beneficiary address encoded in the typed data.
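For token transfers and approvals, the "to" field in the confirmation is the token contract, and the counterparty or spender sits inside the hex calldata. The following added example (not code from MetaMask or AegisAML) decodes the three standard ERC-20 calls and returns the addresses to screen; the function name screeningTargets and the 0x2222... spender are assumptions made for illustration.

```javascript
// Added example: find the addresses worth screening in a pending transaction.
// Selectors are the first 4 bytes of calldata for the standard ERC-20 methods.
const SELECTORS = {
  a9059cbb: { name: "transfer", args: ["to", "amount"] },
  "095ea7b3": { name: "approve", args: ["spender", "amount"] },
  "23b872dd": { name: "transferFrom", args: ["from", "to", "amount"] },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// i-th 32-byte argument word after the 4-byte selector (hex string, no 0x).
const word = (hex, i) => hex.slice(8 + 64 * i, 72 + 64 * i);

function toAddress(w) {
  // An ABI-encoded address is right-aligned; the upper 12 bytes must be zero.
  if (!/^0{24}[0-9a-f]{40}$/.test(w)) throw new Error("malformed address word");
  return "0x" + w.slice(24);
}

// tx = { to, data } as shown in the wallet's confirmation details.
function screeningTargets(tx) {
  const to = tx.to.toLowerCase();
  const hex = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  if (!/^([0-9a-f]{2})*$/.test(hex)) throw new Error("calldata is not hex");
  // No calldata: plain ETH send, the `to` field is the counterparty.
  if (hex === "") return { kind: "native-transfer", contract: null, screen: [to], flags: [] };
  const sel = SELECTORS[hex.slice(0, 8)];
  // Unknown method: screen the called contract and say decoding was not possible.
  if (!sel) return { kind: "unknown-call", contract: to, screen: [to], flags: ["undecoded-calldata"] };
  if (hex.length < 8 + 64 * sel.args.length) throw new Error("truncated calldata");
  // For token calls `to` is the token contract; counterparties are in the arguments.
  const out = { kind: sel.name, contract: to, screen: [], flags: [] };
  sel.args.forEach((arg, i) => {
    if (arg !== "amount") out.screen.push(toAddress(word(hex, i)));
    else if (sel.name === "approve" && BigInt("0x" + word(hex, i)) === MAX_UINT256)
      out.flags.push("unlimited-approval");
  });
  return out;
}

// Constructed sample: approve() of the maximum allowance on the USDT contract
// quoted on this page, to a placeholder spender (0x2222...).
const SAMPLE_APPROVE = {
  to: "0xdAC17F958D2ee523a2206206994597C13D831ec7",
  data: "0x095ea7b3" + "0".repeat(24) + "22".repeat(20) + "f".repeat(64),
};
console.log(screeningTargets(SAMPLE_APPROVE));
```

The returned contract value is the token or router being called, which is the address to compare against the official token contract; the screen list holds the counterparties to paste into the AML tool.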
Step-by-step pre-sign workflow on Windows
- Trigger the transaction in your dApp or wallet send flow. MetaMask opens the confirmation drawer — do not click Confirm yet.
- Copy the recipient address or contract from the MetaMask detail view. Expand hex fields if the UI truncates them.
- Paste into AegisAML (or your local AML tool) and run a screening report. Review sanctions / SDN status, mixer hop distance, scam labels, and direct hack exposure.
- Compare with context — Does the risk profile match who claims to be on the other side? A verified OTC desk should not show peel-chain patterns from ransomware clusters.
- Decide — Proceed, request a different address, or abort. If proceeding to a CEX later, re-screen your own wallet after receipt.
- Sign only after documentation — For business transfers, save the screening snapshot with date and transaction memo.
This adds thirty to ninety seconds per transfer. For large or unfamiliar counterparties, that delay is cheap insurance against permanent loss and exchange account reviews.
Screening your own MetaMask addresses
Pre-sign is not only about recipients. Before withdrawing from MetaMask to Coinbase, Kraken, or Binance, audit your sending address for inherited exposure. Airdrops, NFT royalties, and random inbound transfers can taint an address you have used for years.
Connect MetaMask to AegisAML in read-only mode on Windows — export public addresses or use wallet connect without granting transaction authority. Scan your active accounts and any archived accounts that still hold dust or NFTs. Rotate to a fresh address if one account shows severe mixer proximity and you plan a large CEX deposit.
Rabby, Frame, and other EVM wallets
Rabby offers richer pre-sign simulation than stock MetaMask, including token flow previews and contract labels. Those features reduce drainer risk but still are not a substitute for sanctions list matching and multi-hop graph tracing. Apply the same copy-paste screening workflow regardless of which EVM wallet surfaces the confirmation UI.
For multi-chain users, confirm which network the transaction uses — Ethereum mainnet, Arbitrum, Base, Polygon. AML graphs are chain-specific. An address clean on L2 may have separate history on L1.
Common MetaMask scenarios requiring AML checks
OTC USDT payment
Seller shares a Tron or Ethereum address in Telegram. You open MetaMask to send ERC-20 USDT. Screen the 0x address; verify chain; confirm USDT contract is official Tether (0xdAC17F958D2ee523a2206206994597C13D831ec7 on mainnet). Scammers substitute look-alike tokens and addresses.
NFT or freelance payment
A buyer sends ETH to your MetaMask. Screen the buyer's address before delivering goods. If they paid from a flagged source, your wallet inherits exposure when you consolidate to cold storage or a CEX.
DeFi yield and bridging
Bridging to a new L2 gives you an address with no history on that chain, so inherited risk is low. However, the bridge contract itself and the destination liquidity pool may have sanctioned interaction history. Screen contracts when bridging six-figure sums.
Permit and approval phishing
AML screening cannot fix a malicious unlimited approval, but checking whether the spender contract is a known drainer or freshly deployed scam is part of a holistic pre-sign review. Combine AML reports with bytecode age and community blocklists.
Limits of pre-sign screening
Screening analyzes public on-chain history through the moment you query. It cannot predict future behaviour, private off-chain identity, or encrypted memo fields. A "low risk" address can still belong to a social engineer. Pre-sign AML is necessary but not sufficient — combine it with invoice verification, video calls for large OTC, and hardware wallet transaction prompts.
Screening also cannot undo approvals you already granted. Periodically revoke token allowances with tools like Revoke.cash and re-screen addresses you continue to use for CEX off-ramps.
Why local Windows screening fits MetaMask users
MetaMask users on desktop already run a full operating system capable of local graph analysis. Cloud AML APIs charge per lookup and may log queried addresses under their terms of service. AegisAML runs locally: paste addresses from MetaMask's confirmation screen, get hop and sanctions results, and never upload your seed phrase or private keys.
Screen before you sign in MetaMask
AegisAML — free pre-sign AML checks for Ethereum, USDT, and EVM tokens on Windows. Read-only MetaMask integration. No account required.