Alert Rule Codes
BlockchainAnalysis.io's transaction monitoring system uses 6 alert rule codes to classify detected risk events. Each code represents a specific type of suspicious activity identified during continuous wallet monitoring.
Alert rules run automatically for all monitored wallets. When a rule triggers, an alert is created with the corresponding code, severity level, and detailed context.
Rule Code Reference
SANCTIONS-001 — Sanctions Exposure Detected
Triggers when: A monitored wallet sends to or receives from an address that is on a government sanctions list (OFAC SDN, EU, UN, UK HMT) or is attributed to a sanctioned entity.
| Field | Value |
|-------|-------|
| Default Severity | Critical |
| Regulatory Basis | OFAC compliance, EU AML Directives, UN Security Council Resolutions |
| Action Required | Immediate review, potential SAR filing, consider freezing the relationship |
What to check:
- Is the counterparty directly sanctioned, or is the exposure indirect (via intermediary)?
- What is the transaction value and direction (inbound vs outbound)?
- Has the sanctions designation been recently added (the monitored wallet may not have known)?
MIXING-001 — Mixer/Tumbler Interaction
Triggers when: A monitored wallet interacts with a known mixing or tumbling service (e.g., Tornado Cash, Wasabi Wallet, ChipMixer, Samourai Whirlpool).
| Field | Value |
|-------|-------|
| Default Severity | High |
| Regulatory Basis | FATF Recommendation 16, AML/CFT regulations |
| Action Required | Enhanced due diligence, assess whether mixing is consistent with stated business activity |
What to check:
- Is the wallet a DeFi protocol that received mixed funds passively, or did the wallet owner actively use the mixer?
- What percentage of total volume involves mixed funds?
- Is the mixer sanctioned (e.g., Tornado Cash post-OFAC designation)?
SCAM-001 — Scam/Fraud Association
Triggers when: A monitored wallet transacts with an address flagged as associated with scams, phishing, rug pulls, Ponzi schemes, or other fraud.
| Field | Value |
|-------|-------|
| Default Severity | High |
| Regulatory Basis | Fraud prevention regulations, consumer protection laws |
| Action Required | Investigate the nature of the interaction, assess whether the monitored entity is a victim or participant |
What to check:
- Is the monitored wallet sending to or receiving from the scam address?
- Is the scam label based on confirmed data or community reports?
- What is the transaction value relative to the wallet's overall volume?
HIGHRISK-001 — High-Risk Entity Interaction
Triggers when: A monitored wallet interacts with an entity classified as high-risk (threat level ≥ 51) that does not fall into the more specific categories above (sanctions, mixer, scam).
| Field | Value |
|-------|-------|
| Default Severity | Medium |
| Regulatory Basis | Risk-based approach (FATF), internal risk appetite |
| Action Required | Review the entity, assess whether enhanced due diligence is warranted |
What to check:
- What category is the high-risk entity (gambling, unregulated exchange, P2P)?
- Is the interaction a one-time event or a recurring pattern?
- Does the interaction align with the monitored entity's known business activities?
DARKWEB-001 — Darknet Marketplace Interaction
Triggers when: A monitored wallet transacts with an address associated with a darknet marketplace, vendor, or related infrastructure.
| Field | Value |
|-------|-------|
| Default Severity | Critical |
| Regulatory Basis | AML/CFT regulations, controlled substance laws |
| Action Required | Immediate review, likely SAR filing, consider law enforcement referral |
What to check:
- Is the darknet marketplace still active or is it a historical (defunct) market?
- What is the transaction direction and value?
- Are there multiple interactions over time, or is this isolated?
VELOCITY-001 — Unusual Transaction Velocity
Triggers when: A monitored wallet exhibits transaction activity significantly above its historical baseline, suggesting potential structuring, layering, or automated fund movement.
| Field | Value |
|-------|-------|
| Default Severity | Medium |
| Regulatory Basis | Anti-structuring regulations, suspicious transaction reporting thresholds |
| Action Required | Review transaction patterns, assess whether velocity aligns with known business operations |
What to check:
- Has the wallet's activity genuinely increased (e.g., business growth), or is the pattern anomalous?
- Are transactions just below reporting thresholds (potential structuring)?
- Are funds being rapidly moved through multiple intermediary addresses (layering)?
Severity Levels
Each alert is assigned a severity that can be customized per rule:
| Severity | Color | Description |
|----------|-------|-------------|
| Critical | Red | Requires immediate action. Potential regulatory violation or active threat. |
| High | Orange | Requires prompt review. Significant risk identified. |
| Medium | Yellow | Requires investigation. Elevated risk that may need action. |
| Low | Blue | Informational. Minor risk factor detected. |
Default severities can be adjusted under Monitoring > Alert Settings. You can also create custom thresholds (e.g., only trigger HIGHRISK-001 for threat levels ≥ 70 instead of ≥ 51).
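The fallback behaviour of HIGHRISK-001 and the custom threshold and severity settings described above, sketched as an added example (this is not BlockchainAnalysis.io's code). The category labels, `AlertSettings` and `evaluate` are hypothetical names, and raising one alert per matching specific rule (for instance a mixer that is also sanctioned) is an assumption; the rule codes, default severities and the ≥ 51 default come from this page.

```python
from dataclasses import dataclass, field

# Assumed counterparty category labels mapped to the page's specific rule codes.
SPECIFIC_RULES = {
    "sanctioned": "SANCTIONS-001",
    "mixer": "MIXING-001",
    "scam": "SCAM-001",
    "darknet": "DARKWEB-001",
}
# Default severities as listed in the rule code reference.
DEFAULT_SEVERITY = {
    "SANCTIONS-001": "Critical",
    "DARKWEB-001": "Critical",
    "MIXING-001": "High",
    "SCAM-001": "High",
    "HIGHRISK-001": "Medium",
}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]


@dataclass
class AlertSettings:
    """Hypothetical stand-in for Monitoring > Alert Settings."""
    highrisk_threshold: int = 51  # page default; 70 in the page's custom example
    severity_overrides: dict = field(default_factory=dict)


def evaluate(categories, threat_level, settings=None):
    """Return [(rule_code, severity)] for one counterparty, most severe first."""
    settings = settings or AlertSettings()
    codes = {SPECIFIC_RULES[c] for c in categories if c in SPECIFIC_RULES}
    # HIGHRISK-001 is a fallback: it applies only when no specific rule matched
    # and the threat level reaches the configured threshold.
    if not codes and threat_level >= settings.highrisk_threshold:
        codes.add("HIGHRISK-001")
    alerts = [(c, settings.severity_overrides.get(c, DEFAULT_SEVERITY[c]))
              for c in codes]
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER.index(a[1]), a[0]))


if __name__ == "__main__":
    # Constructed sample counterparties: (categories, threat level).
    samples = [({"gambling"}, 55), ({"mixer", "sanctioned"}, 95), ({"p2p"}, 40)]
    strict = AlertSettings(highrisk_threshold=70)
    for cats, level in samples:
        print(sorted(cats), level, evaluate(cats, level), evaluate(cats, level, strict))
```
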
Next Steps
- Monitoring Alerts — How alerts are delivered and managed.
- Transaction Monitoring — Setting up continuous monitoring.
- BA Copilot — Use Copilot in Alerts mode to investigate triggered rules.