Every blockchain address has a history. Every transaction it has made, every contract it has interacted with, every token it has received — all permanently recorded and publicly readable. Address risk scoring is the practice of analyzing that history to determine whether an address is safe to interact with or connected to malicious activity.
When you send funds to a phishing address, approve a malicious smart contract, or receive tokens from a sanctioned entity, you become part of a chain of transactions that risk-scoring systems can trace. Understanding how this scoring works helps you protect yourself — and understand why exchanges sometimes freeze withdrawals.
BLUF: Address risk scoring evaluates six categories: phishing association, sanctions exposure, money laundering associations, honeypot creation, blacklist status, and exploit association. A single interaction with a flagged address can contaminate your own address’s risk profile.
What Address Risk Scoring Measures
Risk scoring systems aggregate data from multiple sources — on-chain transaction history, law enforcement databases, community reports, and exchange compliance feeds — to flag addresses involved in malicious activity.
The Six Risk Categories
| Risk Category | What It Detects | Severity |
|---|---|---|
| Phishing association | Address has received funds from or sent to known phishing campaigns | Critical |
| Sanctions exposure | Address appears on OFAC, UN, or EU sanctions lists | Critical |
| Money laundering | Address has interacted with mixers such as Tornado Cash at large volume | High |
| Honeypot creation | Address has deployed contracts identified as honeypots | High |
| Blacklist status | Address is flagged on exchange or compliance blacklists | High |
| Exploit association | Address has received funds from known protocol exploits or flash loan attacks | High |
Let’s examine each category in detail.
1. Phishing Association
Phishing is the most common on-chain crime. Attackers create fake websites that mimic legitimate DApps, tricking users into signing transactions that drain their wallets. The stolen funds flow through a network of intermediary addresses before reaching the attacker’s final destination.
How Phishing Addresses Are Tracked
When a victim reports a phishing address, compliance services add it to their databases. Then, any address that receives funds from the phishing address — or sends funds to it — gets flagged as having a phishing association.
This creates a contamination chain:
- Phishing address drains victim’s wallet
- Funds move to intermediary address A (laundering step 1)
- Funds move through a mixer
- Funds arrive at exchange deposit address B
If you interact with address A — even unknowingly, such as receiving a token airdrop from it — your address may inherit a phishing risk flag.
Why This Matters for You
Exchanges use these risk scores for compliance. If your address has a phishing association flag, an exchange may:
- Freeze your deposit pending manual review
- Require additional KYC documentation
- Flag your account for anti-money laundering (AML) investigation
- In extreme cases, report your address to authorities
2. Sanctions Exposure
Government sanctions lists — particularly the US Treasury’s OFAC Specially Designated Nationals (SDN) list — include blockchain addresses associated with terrorism, narcotics trafficking, weapons proliferation, and state-sponsored cybercrime.
High-Profile Sanctioned Addresses
The most notable example is Tornado Cash, the crypto mixer sanctioned by OFAC in August 2022. While the designation was in force:
- US persons were prohibited from interacting with any Tornado Cash smart contract
- Any address that sent or received funds through Tornado Cash may carry a sanctions exposure flag
- Major exchanges automatically flag addresses with Tornado Cash interaction history
- Even receiving an unsolicited token transfer from a sanctioned address can contaminate your wallet
OFAC removed Tornado Cash from the SDN list in March 2025, after the Fifth Circuit held in Van Loon v. Department of the Treasury that its immutable smart contracts were not sanctionable property. Risk-scoring vendors and exchanges still treat mixer exposure as a high-risk signal, so the flags described above did not disappear with the designation.
The practical implication: if you receive tokens from an unknown address and that address has sanctions exposure, you may face account freezes at centralized exchanges.
How to Check
Before interacting with any unknown address — especially one that sent you unsolicited tokens (a common phishing tactic) — check its sanctions status:
- Look up the address on a block explorer
- Check whether it appears on OFAC’s SDN list. Blockchain addresses are listed there as “Digital Currency Address - <ticker>” identifiers, and EVM addresses must be compared case-insensitively because the EIP-55 checksum changes only letter case
- Review its transaction history for mixer interactions
- Use the address risk API for automated screening
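As an added example (not the page’s or Onchain Diary’s own code), here is the SDN check from step 2 as a developer would automate it. It parses the sdnEntry/idList layout of OFAC’s SDN XML export, keeps only the “Digital Currency Address - <ticker>” identifiers, and normalizes EVM addresses to lowercase before matching so that a checksummed address still hits. The XML below is constructed to mirror that layout; its names, uids, programs and addresses are placeholders, not real SDN records.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed fragment that mirrors the layout of OFAC's SDN XML export
# (sdnEntry > idList > id, with idType "Digital Currency Address - <ticker>").
# Names, programs, uids and addresses are placeholders, not real SDN records.
SAMPLE_SDN_XML = """
<sdnList xmlns="https://www.treasury.gov/ofac/downloads">
  <sdnEntry>
    <uid>90001</uid>
    <lastName>EXAMPLE MIXER</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id><uid>1</uid><idType>Digital Currency Address - ETH</idType>
        <idNumber>0x000000000000000000000000000000000000dEaD</idNumber></id>
      <id><uid>2</uid><idType>Digital Currency Address - XBT</idType>
        <idNumber>1PlaceholderBitcoinAddressNotRealxxxxx</idNumber></id>
    </idList>
  </sdnEntry>
  <sdnEntry>
    <uid>90002</uid>
    <lastName>EXAMPLE PERSON</lastName>
    <sdnType>Individual</sdnType>
    <programList><program>DPRK3</program></programList>
    <idList>
      <id><uid>3</uid><idType>Passport</idType><idNumber>X0000000</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>
"""

EVM_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")
ID_PREFIX = "Digital Currency Address - "


def normalize_address(address):
    """Canonical form for matching.

    EIP-55 checksummed EVM addresses differ from their lowercase form only by
    letter case, so a raw string compare would miss a listed address pasted in
    a different case. Base58 (e.g. XBT) is case-sensitive and is left as-is
    apart from surrounding whitespace.
    """
    address = address.strip()
    if EVM_ADDRESS.match(address):
        return address.lower()
    return address


def _local(tag):
    """Strip the XML namespace: '{ns}idType' -> 'idType'."""
    return tag.rsplit("}", 1)[-1]


def load_sdn_addresses(xml_text):
    """Index every digital-currency address in an SDN XML export.

    Returns {normalized_address: [(ticker, sdn_uid, name, [programs]), ...]}.
    """
    index = defaultdict(list)
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "sdnEntry":
            continue
        fields = {_local(c.tag): c for c in entry}
        uid = fields["uid"].text
        name = fields["lastName"].text
        programs = [p.text for p in fields.get("programList", [])]
        for id_el in fields.get("idList", []):
            id_fields = {_local(c.tag): (c.text or "") for c in id_el}
            id_type = id_fields.get("idType", "")
            if not id_type.startswith(ID_PREFIX):
                continue  # passports, tax IDs, etc. are not addresses
            ticker = id_type[len(ID_PREFIX):].strip()
            index[normalize_address(id_fields["idNumber"])].append((ticker, uid, name, programs))
    return index


def sanctions_hits(index, address):
    """Return the SDN records that list this address (empty list = no hit)."""
    return index.get(normalize_address(address), [])


if __name__ == "__main__":
    idx = load_sdn_addresses(SAMPLE_SDN_XML)
    print(sanctions_hits(idx, "0x000000000000000000000000000000000000DEAD"))
```

Note that the index is keyed by address only, not by (ticker, address): the same 0x address is valid on every EVM chain, so a hit under ETH should not be missed because the wallet was being screened on another EVM network.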
3. Money Laundering Associations
Money laundering on-chain typically involves breaking the link between illicit funds and their source. Common techniques include:
| Technique | How It Works | On-Chain Signature |
|---|---|---|
| Chain hopping | Moving funds across multiple blockchains via bridges | Rapid bridge interactions, fragmented amounts |
| Mixing | Using Tornado Cash or similar services | Interaction with known mixer contracts |
| Layering | Sending through dozens of intermediary addresses | High transaction count with small amounts, peeling chains |
| Swap laundering | Converting through multiple DEX pairs | Rapid swapping across many token pairs |
The Peeling Chain Pattern
A peeling chain is a classic money laundering technique:
- Start with 100 ETH from illicit source
- Send 99 ETH to address A, 1 ETH to address B (the “peel”)
- From address A, send 98 ETH to address C, 2 ETH to address D
- Continue peeling until the funds are fragmented across hundreds of addresses
- Each fragment eventually reaches an exchange for cash-out
Risk scoring systems detect this pattern by analyzing transaction graphs. If your address is in the path of a peeling chain — even if you had no knowledge of the laundering — you may inherit a risk flag.
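An added example, not code from the page, that detects the pattern described above over a constructed transfer log: starting from the illicit source, follow the largest output at each hop, treat the smaller outputs as peels, and stop at a genuine fan-out or when the funds stop moving. The 80% keep ratio and the three-peel minimum are illustrative thresholds, and a second constructed log (an even payroll split) shows an ordinary multi-output pattern that does not qualify.

```python
from collections import defaultdict

# Constructed transfer log for a peeling chain: (tx_order, sender, receiver, amount).
# "illicit" holds 100 ETH of stolen funds; each hop peels a small slice to a fresh
# address and forwards the remainder. Not real chain data.
PEEL_TRANSFERS = [
    (1, "illicit", "A", 100.0),
    (2, "A", "C", 99.0), (3, "A", "B", 1.0),
    (4, "C", "E", 98.0), (5, "C", "D", 2.0),
    (6, "E", "G", 96.0), (7, "E", "F", 2.0),
    (8, "G", "cashout_1", 50.0), (9, "G", "cashout_2", 46.0),  # fan-out ends the chain
]

# A legitimate treasury splitting a payment evenly: should not match (constructed).
SPLIT_TRANSFERS = [
    (1, "treasury", "payroll_1", 50.0),
    (2, "treasury", "payroll_2", 50.0),
]


def follow_peeling_chain(transfers, start, keep_ratio=0.8, max_hops=100):
    """Walk forward from `start`, always taking the largest outgoing transfer.

    At each hop the largest output must carry at least `keep_ratio` of what the
    address sent on; the smaller outputs are the peels. The walk stops at a
    fan-out (largest output below the ratio), at an address with no outgoing
    transfers, or on a cycle. Returns (path, peels), peels as (from, to, amount).
    """
    outgoing = defaultdict(list)
    for _, src, dst, amt in sorted(transfers):
        outgoing[src].append((dst, amt))

    path, peels, seen = [start], [], {start}
    current = start
    for _ in range(max_hops):
        outs = outgoing.get(current)
        if not outs:
            break
        total = sum(amt for _, amt in outs)
        nxt, kept = max(outs, key=lambda o: o[1])
        if kept / total < keep_ratio:
            break  # genuine fan-out, e.g. a split across several deposit addresses
        peels.extend((current, dst, amt) for dst, amt in outs if dst != nxt)
        if nxt in seen:
            break
        seen.add(nxt)
        path.append(nxt)
        current = nxt
    return path, peels


def is_peeling_chain(transfers, start, min_peels=3):
    """A chain qualifies when at least `min_peels` hops each shed a small slice."""
    _, peels = follow_peeling_chain(transfers, start)
    return len(peels) >= min_peels


def exposed_addresses(transfers, start):
    """Every address on the main path or receiving a peel inherits exposure."""
    path, peels = follow_peeling_chain(transfers, start)
    return set(path) | {dst for _, dst, _ in peels}


if __name__ == "__main__":
    path, peels = follow_peeling_chain(PEEL_TRANSFERS, "illicit")
    print("path:", " -> ".join(path))
    print("peels:", peels)
    print("exposed:", sorted(exposed_addresses(PEEL_TRANSFERS, "illicit")))
```

The peel recipients (B, D, F) never touch the main path, yet they are exactly the addresses that end up at exchanges, which is why a scoring engine flags them along with the path itself.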
4. Honeypot and Rug Pull Creation
Addresses that deploy malicious smart contracts — honeypots, rug pulls, or fake token contracts — are flagged as deployer risk addresses.
How to Identify a Risky Deployer
Before interacting with any new token or contract, check the deployer address:
- Prior deployments: Has this address deployed other contracts? Were any of them flagged as scams?
- Funding source: Where did the deployer get the gas funds? If from a mixer or a known exploit address, that’s a red flag
- Timing: Did the deployer create the contract minutes before a coordinated hype campaign? This suggests pre-planned manipulation
- Self-transactions: Does the deployer address repeatedly interact with its own contracts to create fake volume?
For tracking deployer behavior, see our token flow analysis guide and how to verify a token before buying.
5. Blacklist Status
Beyond government sanctions, several organizations maintain private blacklists:
- Exchange compliance lists: Each major exchange (Binance, Coinbase, Kraken) maintains internal risk databases
- Chainalysis / TRM Labs / Elliptic: Commercial blockchain analytics firms that sell risk data to exchanges and governments
- Community-maintained lists: Scam databases compiled by security researchers and DeFi communities
An address can be blacklisted by one exchange but not others. However, if a major exchange flags an address, others often follow.
6. Exploit and Hack Associations
When a protocol is exploited, whether through a flash loan attack, reentrancy vulnerability, or oracle manipulation, the attacker’s address is flagged, and the downstream addresses that receive the stolen funds are likely to be flagged as well.
The Contamination Problem
If stolen funds pass through your address, even if you received them innocently (e.g., selling an NFT to someone who paid with stolen funds), your address may be flagged as having exploit association. This is why you should:
- Always verify the source of incoming payments
- Be cautious when selling NFTs or tokens to unknown addresses
- Use escrow or marketplace services that screen buyers
- Check incoming transactions on a block explorer if you receive unexpected transfers
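An added example, not the page’s code, that covers both the phishing contamination chain in section 1 and the exploit contamination described here: pro-rata (“haircut”) taint propagation over a constructed ETH transfer log, next to the cruder hop-count rule. It shows why a dust transfer puts a bystander in the hop-based flag set but not in the proportional one, while an NFT seller paid with stolen funds is materially tainted under both. Addresses, amounts and the 1% threshold are assumptions.

```python
from collections import defaultdict

# Constructed ETH transfer log, not real chain data: (timestamp, sender, receiver, amount).
# "victim" is drained by "phisher"; the loot moves to intermediary "A", which dusts a
# bystander, buys an NFT from a seller, and cashes out to an exchange deposit address.
TAINT_TRANSFERS = [
    (1, "victim", "phisher", 20.0),                 # phishing drain
    (2, "phisher", "A", 20.0),                      # laundering hop
    (3, "A", "bystander", 0.0001),                  # dusting: unsolicited tiny transfer
    (4, "A", "nft_seller", 5.0),                    # seller paid with stolen funds
    (5, "A", "exchange_deposit_1", 14.9999),        # cash-out
    (6, "nft_seller", "exchange_deposit_2", 2.0),   # seller moves part of a mixed balance
]
# Balances held before the window (constructed): these count as clean inflow.
INITIAL_BALANCES = {"victim": 20.0, "bystander": 10.0, "nft_seller": 5.0}
SEEDS = {"phisher"}  # addresses known to be the crime's source


def propagate_taint(transfers, seeds, initial_balances=None):
    """Pro-rata ("haircut") taint propagation in time order.

    A transfer carries taint in proportion to the sender's tainted share of its
    balance at that moment; everything a seed sends is fully tainted. Returns
    {address: {"received", "tainted_received", "fraction", "hops"}}, where
    fraction is the share of everything the address ever received (starting
    balance included) that traces back to a seed, and hops is the shortest
    chain of transfers from a seed along which taint flowed (None if none did).
    """
    balance = defaultdict(float, initial_balances or {})
    received = defaultdict(float, initial_balances or {})
    tainted = defaultdict(float)           # tainted value currently held
    tainted_received = defaultdict(float)  # tainted value ever received
    hops = {s: 0 for s in seeds}
    for s in seeds:
        tainted[s] = balance[s]

    for _, src, dst, amount in sorted(transfers):
        if src in seeds:
            share = 1.0
        elif balance[src] > 0:
            share = tainted[src] / balance[src]
        else:
            share = 0.0  # no known funding history, so no evidence of taint
        dirty = amount * share

        balance[src] = max(balance[src] - amount, 0.0)
        tainted[src] = max(tainted[src] - dirty, 0.0)
        balance[dst] += amount
        received[dst] += amount
        tainted[dst] += dirty
        tainted_received[dst] += dirty
        if dst in seeds:
            tainted[dst] = balance[dst]  # whatever a seed holds is tainted
        if dirty > 0 and src in hops:
            hops[dst] = min(hops.get(dst, float("inf")), hops[src] + 1)

    report = {}
    for addr in set(balance) | set(hops):
        total = received[addr]
        if addr in seeds:
            fraction = 1.0
        else:
            fraction = tainted_received[addr] / total if total > 0 else 0.0
        report[addr] = {
            "received": total,
            "tainted_received": tainted_received[addr],
            "fraction": fraction,
            "hops": hops.get(addr),
        }
    return report


def flag_by_hops(report, max_hops=3):
    """Naive rule: anything within max_hops of a seed is flagged (catches dust victims)."""
    return {a for a, r in report.items() if r["hops"] is not None and r["hops"] <= max_hops}


def flag_by_fraction(report, min_fraction=0.01):
    """Proportional rule: flag only addresses whose inflow is materially tainted."""
    return {a for a, r in report.items() if r["fraction"] >= min_fraction}


if __name__ == "__main__":
    result = propagate_taint(TAINT_TRANSFERS, SEEDS, INITIAL_BALANCES)
    for addr, r in sorted(result.items()):
        print(f"{addr:20s} hops={r['hops']}  tainted share={r['fraction']:.4f}")
    print("hop-only false positives:", flag_by_hops(result) - flag_by_fraction(result))
```

Real engines combine both views: the hop count decides whether an address is worth a look, and the proportional share (plus absolute tainted value) decides how severe the flag is. Measuring the share against total inflow rather than current balance also keeps an emptied-out intermediary like A at 100% instead of letting it wash itself clean by forwarding everything.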
How to Read an Address Risk Report
A comprehensive risk report typically includes:
| Section | What It Tells You |
|---|---|
| Risk score | Overall risk level (0–100 or Low/Medium/High/Critical) |
| Sanctions check | Whether the address appears on any government list |
| Phishing flags | Number of phishing interactions in transaction history |
| Mixer exposure | Volume and frequency of mixer interactions |
| Exploit links | Whether the address received funds from known exploits |
| Exchange status | Whether major exchanges have flagged the address |
| Contract deployments | Any smart contracts deployed by the address |
| First seen | When the address was first active (newer = higher risk) |
Interpreting Risk Scores
| Score Range | Risk Level | Action |
|---|---|---|
| 0–10 | Clean | Safe to interact |
| 10–25 | Low | Exercise normal caution |
| 25–50 | Medium | Investigate before interacting |
| 50–75 | High | Do not interact without thorough investigation |
| 75–100 | Critical | Do not interact under any circumstances |
Bands include their lower bound: a score of 10 is Low, 25 is Medium, 50 is High, and 75 is Critical.
Practical Scenario: Checking an Unknown Address
Here’s a real-world workflow for screening an address before interacting:
- Copy the address and look it up on a block explorer
- Check the basics: How old is the address? What’s the transaction count? What tokens does it hold?
- Check the source of funds: Trace back 2–3 hops. Where did the funds come from?
- Check for mixer interaction: Did the address ever interact with Tornado Cash or similar services?
- Check contract deployments: Did this address deploy any smart contracts? If so, are they flagged?
- Run an API check: Use the address risk API for automated, comprehensive screening
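The checklist above as one runnable routine, added here as an example and not Onchain Diary’s API or its scoring model. It works over a constructed local dataset (transfers, deployments, wallet labels and a flagged-contract list), walks the funding path back three hops (which also answers the deployer funding-source question from section 4), and maps illustrative weights onto the score bands in the table above. The weights, the 7,200 blocks-per-day figure, and every address in the dataset are assumptions.

```python
from bisect import bisect_right
from collections import defaultdict, deque

# Constructed on-chain dataset, not real chain data.
# Transfers are (block_number, sender, receiver, amount); deployments are
# (block_number, deployer, created_contract). LABELS stands in for a wallet-label
# dataset and FLAGGED_CONTRACTS for a honeypot/rug-pull database.
TRANSFERS = [
    (10_000, "binance_hot", "veteran", 3.0),
    (10_500, "veteran", "uniswap_router", 1.0),
    (10_600, "veteran", "lending_pool", 0.3),
    (10_700, "veteran", "friend", 0.1),
    (11_000, "veteran", "friend", 0.5),
    (11_500, "friend", "veteran", 0.1),
    (12_000, "tornado_router", "hop1", 10.0),   # mixer withdrawal
    (12_500, "hop1", "fresh", 1.0),             # "fresh" is funded two hops from the mixer
    (12_700, "fresh", "scam_token", 0.2),
    (12_800, "fresh", "scam_token", 0.2),       # deployer trading against its own contract
]
DEPLOYMENTS = [(12_600, "fresh", "scam_token")]
LABELS = {"binance_hot": "exchange", "uniswap_router": "dex", "tornado_router": "mixer"}
FLAGGED_CONTRACTS = {"scam_token": "honeypot"}
CURRENT_BLOCK = 20_000
BLOCKS_PER_DAY = 7_200  # ~12-second Ethereum mainnet blocks (assumption)

# Score bands from the table above; each band includes its lower bound.
BANDS = [(0, "Clean"), (10, "Low"), (25, "Medium"), (50, "High"), (75, "Critical")]


def risk_band(score):
    """Map a 0-100 score onto a band name."""
    return BANDS[bisect_right([lo for lo, _ in BANDS], score) - 1][1]


def trace_funding(transfers, target, max_hops=3, labels=None):
    """Breadth-first walk backwards over incoming transfers.

    Returns {address: hop} for every funding ancestor within max_hops. Labelled
    services (exchanges, mixers) are recorded but not traced through, because
    funds lose their identity inside a pooled service.
    """
    labels = labels or {}
    senders = defaultdict(set)
    for _, src, dst, _ in transfers:
        senders[dst].add(src)
    hops = {target: 0}
    queue = deque([target])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops or (addr != target and addr in labels):
            continue
        for src in senders[addr]:
            if src not in hops:
                hops[src] = hops[addr] + 1
                queue.append(src)
    del hops[target]
    return hops


def screen_wallet(target, transfers, deployments, labels, flagged, current_block):
    """Run the checklist against the local dataset and score the findings.

    Weights are illustrative; a production engine tunes them and adds the
    feeds (sanctions, exchange blacklists) this offline example does not have.
    """
    touched = [t for t in transfers if target in (t[1], t[2])]
    own_deploys = [c for _, d, c in deployments if d == target]
    seen_blocks = [t[0] for t in touched] + [b for b, d, _ in deployments if d == target]
    first_seen = min(seen_blocks) if seen_blocks else None
    age_days = (current_block - first_seen) / BLOCKS_PER_DAY if first_seen is not None else 0.0
    tx_count = len(touched) + len(own_deploys)
    counterparties = {t[1] if t[2] == target else t[2] for t in touched}

    direct_mixer = any(labels.get(c) == "mixer" for c in counterparties)
    funding = trace_funding(transfers, target, labels=labels)
    mixer_hops = [h for a, h in funding.items() if labels.get(a) == "mixer"]
    nearest_mixer = min(mixer_hops) if mixer_hops else None
    flagged_deploys = [c for c in own_deploys if c in flagged]

    score = 0
    if direct_mixer:
        score += 50
    elif nearest_mixer is not None:
        score += 40 - 10 * (nearest_mixer - 1)   # 40 at hop 1, 30 at hop 2, 20 at hop 3
    if flagged_deploys:
        score += 30
    if first_seen is None or age_days < 1:
        score += 10                               # under a day old: no history to judge
    if tx_count < 5:
        score += 5
    score = min(score, 100)

    return {
        "first_seen_block": first_seen,
        "age_days": round(age_days, 2),
        "tx_count": tx_count,
        "direct_mixer_interaction": direct_mixer,
        "nearest_mixer_hop": nearest_mixer,
        "deployments": own_deploys,
        "flagged_deployments": flagged_deploys,
        "score": score,
        "band": risk_band(score),
    }


if __name__ == "__main__":
    for addr in ("fresh", "veteran"):
        print(addr, screen_wallet(addr, TRANSFERS, DEPLOYMENTS, LABELS, FLAGGED_CONTRACTS, CURRENT_BLOCK))
```

The two cases come out as intended: “fresh” (day-old, mixer two hops upstream, deployer of a flagged contract) lands in High, while “veteran” (exchange-funded, months of ordinary activity) scores Clean. Backtracing stops at labelled services on purpose: continuing through an exchange hot wallet would pull in every customer who ever deposited there.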
For a step-by-step breakdown of how to trace wallet activity, see our wallet labels guide and on-chain analysis workflow.
Using the Address Risk API
For developers building compliance or safety features, Onchain Diary provides an address risk API that returns a structured risk assessment for any wallet address. The API aggregates:
- Phishing and scam association data
- Sanctions list matching
- Money laundering pattern detection
- Exploit and hack fund tracing
- Exchange blacklist status
For implementation details, see the address risk scoring API guide.
Limitations of Address Risk Scoring
Risk scoring is not perfect. Be aware of these limitations:
- False positives: An address may be flagged due to receiving unsolicited tokens from a flagged address (dusting attacks). The owner may be completely innocent.
- False negatives: New addresses have no history, so they appear clean — scammers exploit this by creating fresh addresses for each campaign.
- Contamination by association: The interconnected nature of blockchain means risk can propagate through transaction chains, flagging innocent users who are several hops removed from the actual crime.
- Off-chain risk: An address with a clean on-chain history may still belong to a scammer who operates off-chain (social engineering, Discord fraud).
- Evolving threats: Risk scoring systems must constantly update their databases as new malicious addresses appear. There is always a lag between a scam happening and the address being flagged.
The Bottom Line
Address risk scoring is a tool, not a guarantee. It dramatically improves your ability to identify dangerous addresses before interacting, but it cannot replace basic operational security:
- Use a hardware wallet for storing significant value
- Never sign transactions from unverified sources
- Use separate wallets for DeFi interaction and long-term storage
- Check addresses before sending funds, especially large amounts
- Be cautious with unsolicited token transfers — they may be phishing bait
For a complete introduction to on-chain analysis techniques, start with our beginner’s guide.
Related Reading
- How to Verify a Token Before Buying — token-level security checks
- Wallet Labels: How to Identify Who Owns What — understanding on-chain identities
- How to Spot Rug Pulls and Honeypots — recognizing malicious contracts
- Token Flow Analysis: Following the Money Trail — tracing fund movements