Your x402 Agent Just Paid a Sanctioned Wallet. Now What?


via Dev.to Webdev · Petter_Strale

The x402 ecosystem is growing fast. Agents are paying for web scraping, GPU inference, data feeds — all settled in USDC on Base with a single HTTP round-trip. No accounts, no API keys. It's elegant.

But here's the uncomfortable question nobody in the ecosystem is asking yet: Who is your agent paying?

The Problem

When your agent hits an x402 endpoint and sends a signed USDC transfer, it trusts the payTo address in the paymentRequirements response. The protocol verifies the payment mechanics — signature valid, amount correct, settlement confirmed. What it doesn't verify is whether that wallet belongs to:

- A sanctioned entity on the OFAC SDN list
- A business operating without proper licensing
- A fraudulent service that will take the USDC and return garbage data
- A company that dissolved six months ago

As x402 scales from developer experiments to real agent workflows, compliance isn't optional — it's the thing that determines whether your enterprise clients can actually use agents that pay for
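One way to close the payTo trust gap described above is to screen the recipient before the agent signs anything. The sketch below is an added example, not code from the article or from the x402 project; it assumes the 402 response body lists its payment options in an `accepts` array with a `payTo` field on each, and the function names, denylist entry and sample body are constructed for illustration. It covers only the denylist check, not licensing or service-quality checks.

```javascript
// Added example, not code from the article or the x402 project.
// Assumption: the 402 response body lists payment options in an `accepts`
// array and each option carries the recipient in `payTo` (EVM address).
const EVM_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// Constructed placeholder entry. A real deployment loads this set from the
// screening data it relies on and refreshes it on a schedule.
const DENYLIST = new Set(["0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"]);

// Addresses arrive in lower, upper or EIP-55 mixed case; compare lowercased.
function normalizeAddress(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  return EVM_ADDRESS.test(trimmed) ? trimmed.toLowerCase() : null;
}

// Returns { pay, reason, option }. Fails closed: no signing unless at least
// one option has a well-formed payTo and no option names a denylisted wallet.
function screenPaymentRequirements(body, denylist = DENYLIST) {
  const options = body && Array.isArray(body.accepts) ? body.accepts : [];
  if (options.length === 0) {
    return { pay: false, reason: "no payment options", option: null };
  }
  let candidate = null;
  for (const option of options) {
    const payTo = normalizeAddress(option && option.payTo);
    if (payTo === null) continue; // unusable option, never a candidate
    if (denylist.has(payTo)) {
      return { pay: false, reason: `denylisted payTo ${payTo}`, option: null };
    }
    if (candidate === null) candidate = { ...option, payTo };
  }
  return candidate
    ? { pay: true, reason: "payTo not on denylist", option: candidate }
    : { pay: false, reason: "no well-formed payTo", option: null };
}

// Constructed sample body: the payee is the denylisted wallet in mixed case.
const sampleBody = {
  accepts: [{ payTo: "0xABCDEFabcdefABCDEFabcdefABCDEFabcdefABCD" }],
};
console.log(screenPaymentRequirements(sampleBody));
```

The gate refuses the whole endpoint when any offered option names a denylisted wallet, rather than quietly picking a different option from the same service.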
