Risk Score

Every address screened by BlockchainAnalysis.io receives a risk score from 0 to 100. The score is deterministic, transparent, and computed from 11 independently weighted risk factors. It is designed to give compliance teams a standardized, auditable metric for making risk-based decisions about blockchain transactions and counterparties.


Score Ranges

| Score | Classification | Color | Description |
|---|---|---|---|
| 0 - 15 | Low Risk | Green | No elevated risk indicators. The address is associated with known, reputable entities or shows transaction patterns consistent with legitimate use. |
| 16 - 40 | Medium-Low Risk | Light Green | Minor risk factors present. Typical for active DeFi users, addresses that interact with a wide range of protocols, or addresses with limited transaction history. |
| 41 - 60 | Medium Risk | Yellow | One or more significant risk factors detected. Enhanced due diligence is recommended. Common triggers include moderate bridge usage, interaction with unaudited protocols, or partial source-of-funds opacity. |
| 61 - 80 | High Risk | Orange | Multiple significant risk factors or direct exposure to high-risk categories. Compliance escalation is recommended. May involve indirect mixer exposure, association with flagged entities, or high-risk jurisdiction connections. |
| 81 - 100 | Critical Risk | Red | Direct sanctions exposure, confirmed mixer deposits, association with known scam/theft/darknet activity, or terrorist financing indicators. Strongest possible compliance response is warranted. |

A score of 0 does not mean an address is guaranteed to be safe. It means that based on the data available to BlockchainAnalysis.io at the time of screening, no risk indicators were detected. New intelligence, delayed blockchain indexing, or novel obfuscation techniques can change this assessment.


The 11 Risk Factors

Each factor is evaluated independently on a 0-100 sub-scale and then combined using a weighted formula to produce the overall score. The weights reflect the relative severity of each factor from a regulatory and compliance perspective.

1. Sanctions Exposure (Weight: 25%)

The highest-weighted factor. Measures whether the address has any connection to sanctioned entities or addresses.

What is evaluated:

  • Direct match against OFAC SDN, EU Consolidated List, UN Security Council, and 29+ other sanctions lists
  • Transactions with addresses that are directly sanctioned (1-hop exposure)
  • Transactions with addresses that have transacted with sanctioned addresses (2-hop exposure, weighted by distance and volume)
  • Entity resolution — whether the address belongs to a sanctioned organization even if the specific address is not listed

Scoring logic:

  • Direct sanctions match: 100/100 (automatic Critical risk)
  • 1-hop direct transaction with sanctioned address: 70-95/100 depending on volume and recency
  • 2-hop indirect exposure: 20-60/100 depending on volume, recency, and intermediary entity type
  • No exposure: 0/100

A direct sanctions match overrides the weighted score calculation. If the address is on any sanctions list, the overall score is automatically set to 100 regardless of other factors.

2. Mixer Usage (Weight: 15%)

Measures direct and indirect exposure to mixing services and coin-mixing protocols.

What is evaluated:

  • Direct deposits to or withdrawals from known mixer contracts (Tornado Cash, Wasabi Wallet, Samourai Whirlpool, JoinMarket, etc.)
  • Funds received from addresses that previously passed through a mixer (indirect exposure)
  • Percentage of total address volume that has mixer exposure
  • Recency of mixer interactions

Scoring logic:

  • Direct mixer deposit/withdrawal: 80-100/100
  • Significant indirect exposure (>30% of inflows): 50-79/100
  • Minor indirect exposure (less than 10% of inflows, more than 3 hops away): 10-30/100
  • No exposure: 0/100

3. Darknet Activity (Weight: 12%)

Measures association with known darknet marketplace addresses.

What is evaluated:

  • Direct transactions with addresses attributed to darknet markets (Hydra, Silk Road successors, etc.)
  • Addresses belonging to entities that have been confirmed as darknet vendors or operators
  • Indirect fund flows from darknet-attributed sources

Scoring logic:

  • Direct darknet market interaction: 85-100/100
  • Entity match with known darknet vendor: 90-100/100
  • Indirect exposure via intermediaries: 20-60/100
  • No exposure: 0/100

4. Gambling (Weight: 5%)

Measures interaction with licensed and unlicensed gambling platforms.

What is evaluated:

  • Transactions with known gambling platform addresses (both licensed and unlicensed)
  • Volume and frequency of gambling-related transactions
  • Whether the gambling platform is licensed in a recognized jurisdiction

Scoring logic:

  • High-volume interaction with unlicensed gambling platforms: 60-90/100
  • Moderate interaction with licensed gambling platforms: 15-40/100
  • Minimal or no gambling exposure: 0-10/100

5. Scam Association (Weight: 10%)

Measures whether the address is associated with known scam operations.

What is evaluated:

  • Direct match with addresses reported in scam databases (phishing, rug pulls, Ponzi schemes, pig butchering, romance scams)
  • Receiving funds from known scam addresses
  • Sending funds to known scam addresses
  • Pattern analysis for common scam behaviors (e.g., rapid aggregation followed by exchange deposits)

Scoring logic:

  • Address is itself a known scam address: 95-100/100
  • Direct transactions with known scam addresses: 50-80/100
  • Indirect exposure: 10-40/100
  • No exposure: 0/100

6. Stolen Funds (Weight: 12%)

Measures exposure to funds that originated from known theft events (exchange hacks, protocol exploits, wallet drains).

What is evaluated:

  • Whether the address received funds that have been traced back to a known theft event
  • Whether the address is directly attributed to a known attacker/hacker entity
  • The directness of the connection (hops between the theft event and this address)
  • The percentage of the address's total inflows that originated from stolen funds

Scoring logic:

  • Address belongs to known attacker entity: 100/100
  • Direct receipt of stolen funds (1-2 hops): 70-95/100
  • Indirect receipt of stolen funds (3-5 hops): 30-60/100
  • Trace amount of indirect exposure (more than 5 hops, less than 5% of inflows): 5-20/100
  • No exposure: 0/100

7. Terrorist Financing (Weight: 10%)

Measures association with addresses or entities linked to designated terrorist organizations.

What is evaluated:

  • Addresses attributed to organizations designated as terrorist groups by OFAC, EU, UN, or national authorities
  • Transaction patterns consistent with known terrorist financing typologies
  • Geographic indicators linked to high-risk conflict zones
  • Cross-reference with FIU alerts and international cooperation notices

Scoring logic:

  • Direct association with designated terrorist organization: 100/100 (automatic Critical, same override as sanctions)
  • Transaction with addresses linked to terrorist financing: 70-95/100
  • Indirect exposure: 20-50/100
  • No exposure: 0/100

Like sanctions, a confirmed terrorist financing link overrides the weighted calculation and sets the overall score to 100.

8. High-Risk Jurisdiction (Weight: 3%)

Measures whether the address or its counterparties are associated with jurisdictions identified as high-risk by FATF or other regulatory bodies.

What is evaluated:

  • FATF Grey List and Black List jurisdiction associations
  • Geographic attribution of counterparty entities
  • Volume of transactions with entities headquartered in high-risk jurisdictions
  • Whether the address's primary exchange is licensed in a non-cooperative jurisdiction

Scoring logic:

  • Significant volume with FATF Black List jurisdictions: 70-100/100
  • Significant volume with FATF Grey List jurisdictions: 40-70/100
  • Minor exposure to high-risk jurisdictions: 10-30/100
  • No high-risk jurisdiction exposure: 0/100

9. DeFi Risk (Weight: 3%)

Measures the risk profile of the address's DeFi interactions.

What is evaluated:

  • Interaction with unaudited or exploited protocols
  • Volume in protocols with known vulnerabilities or governance risks
  • Interaction with protocols that have been used for money laundering (e.g., decentralized mixers, privacy DEXes)
  • Concentration of activity in high-risk DeFi categories

Scoring logic:

  • Direct interaction with exploited/malicious protocol: 70-100/100
  • Significant volume in unaudited protocols: 30-60/100
  • Normal DeFi activity across audited protocols: 0-15/100
  • No DeFi activity: 0/100

10. Bridge Risk (Weight: 3%)

Measures the risk associated with the address's cross-chain bridge usage.

What is evaluated:

  • Volume and frequency of bridge transactions
  • Whether bridge usage patterns are consistent with obfuscation (rapid bridging across multiple chains)
  • Security and risk profile of the bridge protocols used
  • Whether bridging destinations include chains with limited compliance tooling

Scoring logic:

  • Pattern consistent with cross-chain obfuscation: 70-100/100
  • High volume through exploited/unaudited bridges: 50-70/100
  • Moderate bridge usage through reputable protocols: 5-25/100
  • No bridge usage: 0/100

11. Entity Reputation (Weight: 2%)

Measures the overall reputation of the entity associated with the address, if identified.

What is evaluated:

  • The entity's regulatory status (licensed, unlicensed, suspended)
  • Historical compliance incidents involving the entity
  • Public reporting and media coverage of the entity
  • The entity's own AML/KYC program strength (for exchanges and VASPs)

Scoring logic:

  • Entity with revoked license or enforcement actions: 60-90/100
  • Entity with no license in jurisdictions that require one: 40-60/100
  • Entity with clean track record and strong compliance program: 0-10/100
  • No entity identified (unattributed address): 20/100 (default uncertainty penalty)

Scoring Formula

The overall score is calculated as a weighted sum of the 11 factor scores:

Overall Score = (Sanctions * 0.25) + (Mixer * 0.15) + (Darknet * 0.12)
              + (Stolen * 0.12) + (Scam * 0.10) + (Terrorism * 0.10)
              + (Gambling * 0.05) + (Jurisdiction * 0.03) + (DeFi * 0.03)
              + (Bridge * 0.03) + (Entity * 0.02)

The raw weighted sum is then normalized to the 0-100 scale. The normalization ensures that the score reflects the severity distribution rather than being purely arithmetic.

Override conditions:

  • Direct sanctions match: score = 100 (regardless of other factors)
  • Direct terrorist financing match: score = 100 (regardless of other factors)
  • Active law enforcement freeze/seizure order: score = 100 (regardless of other factors)
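
The formula, override conditions and score bands above, worked through in Python as an added example (this is not BlockchainAnalysis.io's code). The weights, overrides and bands come from this page; the function and parameter names, integer sub-scores, half-up rounding, and using the weighted sum directly without the unspecified normalization step are assumptions.

```python
# Added example. Weights, bands and overrides are taken from the page;
# integer sub-scores, half-up rounding and skipping the unspecified
# normalization step are assumptions, not the vendor's implementation.
WEIGHTS = {  # percent weights; they sum to 100
    "sanctions": 25, "mixer": 15, "darknet": 12, "stolen": 12,
    "scam": 10, "terrorism": 10, "gambling": 5, "jurisdiction": 3,
    "defi": 3, "bridge": 3, "entity": 2,
}
BANDS = [(15, "Low"), (40, "Medium-Low"), (60, "Medium"),
         (80, "High"), (100, "Critical")]


def classify(score):
    """Map a 0-100 score to the page's classification bands."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    return next(name for upper, name in BANDS if score <= upper)


def overall_score(factors, sanctions_match=False, terrorism_match=False,
                  freeze_order=False):
    """Return (score, classification, contributions, override_reason)."""
    if set(factors) != set(WEIGHTS):
        raise ValueError("exactly the 11 factor sub-scores are required")
    if any(not 0 <= v <= 100 for v in factors.values()):
        raise ValueError("sub-scores must be in 0-100")
    # Weighted contribution of each factor, in score points.
    contributions = {n: factors[n] * w / 100 for n, w in WEIGHTS.items()}
    overrides = [("direct sanctions match", sanctions_match),
                 ("direct terrorist financing match", terrorism_match),
                 ("law enforcement freeze/seizure order", freeze_order)]
    reason = next((label for label, hit in overrides if hit), None)
    if reason:  # overrides bypass the weighted sum entirely
        return 100, "Critical", contributions, reason
    total = sum(factors[n] * w for n, w in WEIGHTS.items())
    score = (total + 50) // 100  # integer math, round half up
    return score, classify(score), contributions, None


if __name__ == "__main__":
    # Constructed input: unattributed address with a direct mixer deposit.
    sample = {**dict.fromkeys(WEIGHTS, 0), "mixer": 100, "entity": 20}
    score, band, parts, reason = overall_score(sample)
    print(score, band, reason)
    for name, points in sorted(parts.items(), key=lambda kv: -kv[1]):
        print(f"  {name:<12} {points:5.2f}")
```

Under these assumptions the constructed sample (Mixer 100, Entity 20, everything else 0) totals 15.4 and rounds into the Low Risk band, because no single non-override factor can contribute more than its weight. Scores reported by the platform may differ since the normalization step is not specified here, so read the per-factor contributions alongside the headline number.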

Entity-Aware Scoring

A critical feature of the BlockchainAnalysis.io risk score is entity-aware scoring. This means the platform does not evaluate addresses in isolation — it links them to known real-world entities and incorporates entity-level intelligence into the score.

How Entity-Aware Scoring Works

  1. Address Clustering — On-chain heuristics (common input ownership for UTXO chains, contract deployment patterns for EVM chains) are used to group addresses that likely belong to the same entity.

  2. Entity Attribution — Clusters are matched against the 49M+ entity database using public attestation data, proprietary intelligence feeds, exchange API integrations, and community-sourced labels.

  3. Entity Risk Propagation — When an entity is identified, the risk characteristics of the entire entity (not just the individual address) inform the score. For example:

    • If you screen a single deposit address belonging to a sanctioned exchange, the sanctions exposure factor reflects the entity-level sanctions status — even if that specific address has never directly transacted with a sanctioned list address.
    • If an entity has been publicly implicated in a security breach or fraud, all addresses belonging to that entity inherit the elevated risk signal.

  4. Contextual Adjustment — Entity context can also reduce risk. An address that interacted with a mixer but belongs to a known law enforcement seizure wallet will have its mixer exposure contextualized rather than blindly penalized.

Entity-aware scoring is what makes the difference between a naive on-chain analysis tool and a compliance-grade risk platform. Without entity resolution, a deposit address at a sanctioned exchange looks identical to any other address with similar transaction patterns.


Transparent Breakdown

BlockchainAnalysis.io provides full transparency into how every score is calculated. Every screening report includes:

  • The overall score with its classification (Low / Medium-Low / Medium / High / Critical)
  • The individual score for each of the 11 factors (0-100 sub-scale)
  • The weight applied to each factor
  • The weighted contribution of each factor to the overall score
  • Evidence links — for each factor that scored above 0, the report includes specific transactions, addresses, or entity matches that triggered the score
  • Methodology notes — explanations of how indirect exposure was calculated, what hop distance was used, and what data sources contributed to the assessment

This transparency enables compliance teams to:

  • Explain and justify their risk decisions to regulators
  • Audit the scoring methodology for consistency
  • Override scores with documented reasoning when their internal analysis disagrees with the automated assessment
  • Meet the explainability requirements of regulatory frameworks that mandate transparent risk-based approaches

Score Recalculation

Risk scores are not static. They can change over time as new information becomes available:

  • New sanctions list updates — When a new sanctions designation is published, all affected addresses and entities are re-scored automatically.
  • New entity intelligence — When the entity database is updated with new attributions, affected addresses are re-scored.
  • New on-chain activity — If the address continues to transact, new transactions are incorporated into the next screening.
  • Continuous monitoring — Addresses on a monitoring watchlist are re-screened at configurable intervals and alerts are triggered when the score changes by more than the configured threshold (default: 10 points).

Score recalculation history is preserved. You can view how any address's score has changed over time in the Historical Risk Trend section (Section 11) of the screening report.


Using the Risk Score in Your Compliance Program

The risk score is designed to be a decision-support tool, not a decision-maker. Your compliance program should define:

  1. Threshold mappings — At what score levels do you require enhanced due diligence, escalation, blocking, or SAR filing?
  2. Factor-specific policies — Some factors may be more relevant to your business than others. A gambling platform may have a higher tolerance for the Gambling factor but zero tolerance for Sanctions Exposure.
  3. Override procedures — Document the process for when a compliance officer disagrees with the automated score and needs to override it with justification.
  4. Record-keeping — Store all screening reports, score breakdowns, and override decisions for the retention period required by your jurisdiction (typically 5-7 years).

Refer to Wallet Screening for detailed guidance on interpreting screening reports, and Supported Blockchains for chain-specific capabilities.

BlockchainAnalysis.io — Digital Asset Compliance Platform