Blockchain · Compliance · Analytics

On-Chain Risk Scoring

Crypto wallet flag analysis methodology: a case study in wallet-level risk tiering, connected-address investigation, and registry integration for a tokenized real-world asset platform.

ContextRisk analytics engagement for a tokenized real-world asset (RWA) platform
ScopeWallet-level flag analysis, risk tier assignment, and connected-address investigation

Engagement Context

The platform in question operated as a tokenized real-world asset vehicle, with token holders using crypto wallets to hold and transact platform-issued stablecoins and asset tokens. As part of a compliance and risk management build-out, a systematic review of the active wallet population was conducted to identify wallets with known or suspected exposure to financial crime, fraud, or high-risk services.

The review was conducted using on-chain analytics tooling (chainalysis platform) combined with manual investigation of connected-address networks. The output was a flagged wallet registry with risk tier assignments and supporting evidence, structured to feed into the platform’s ongoing transaction monitoring and KYC refresh processes.

Flag Taxonomy

Each wallet in the review was assigned one of four flag levels based on the nature and severity of identified risk indicators:

  • High — Direct confirmed exposure to sanctioned addresses, known fraud infrastructure, or darknet services
  • Medium — Direct exposure to scam addresses, phishing infrastructure, or services with confirmed financial crime history
  • Low — Indirect exposure only (one or more hops removed from high-risk addresses via connected wallets)
  • No Data — New wallet with insufficient transaction history to score; flagged for monitoring

Flag level determined the compliance response: High required immediate account review and potential restriction; Medium required enhanced due diligence and increased monitoring frequency; Low required standard monitoring; No Data required monitoring activation and a KYC refresh request.

Analytical Methodology

Step 1: Initial Wallet Screen

All active platform wallets were submitted to an on-chain analytics platform for automated risk scoring. The initial screen identified wallets with any exposure (direct or indirect) to addresses previously associated with: scams and phishing sites; mixing and tumbling services; exchange accounts with confirmed sanctions violations; darknet markets; and known exploit/theft addresses.

Step 2: Connected Address Investigation

For each flagged wallet, the connected-address network was traced to identify: the specific risk source (named scam site, flagged service, or known bad actor address); the number of hops between the flagged wallet and the risk source; whether the exposure was incoming (funds received from risk source) or outgoing (funds sent to risk source); and whether any connected wallets in the network were separately registered on the platform.

In several cases, a wallet flagged at Low exposure was connected to a separate wallet registered under a different platform account that carried a higher exposure rating. These cross-account connections were documented separately as they presented a consolidated risk picture distinct from the individual account view.

Step 3: Risk Tier Assignment and Rationale

Each wallet received a final risk tier assignment with a brief rationale documenting: the specific exposure identified; the chain analysis platform findings; the manual investigation results; and the recommended compliance action. Rationale was structured to be auditable and to support any subsequent SAR filing decision.

Step 4: Registry Integration

The completed flag registry was formatted for integration into the platform’s compliance system, with fields structured to support: ongoing monitoring triggers; KYC refresh scheduling; transaction hold/review workflows; and periodic flag-level reassessment as the on-chain analytics platforms update their risk models.

Key Findings (Anonymized)

The review identified the following distribution of risk across the wallet population (categories, not counts):

  • A meaningful share of flagged wallets had direct exposure to phishing infrastructure (the most common risk type identified, consistent with the broad prevalence of DeFi phishing scams in the period)
  • A smaller share had exposure to organized scam networks, typically through interaction with yield-farming or liquidity pool contracts that were later confirmed as rug pulls
  • Several wallets with No Data flags were connected via on-chain links to wallets in higher risk tiers, suggesting coordinated account creation (these were escalated for enhanced due diligence)
  • Cross-account connections (same controller, different platform accounts) were identified in a small number of cases and flagged separately for KYC review

Outputs and Integration

The engagement produced: a structured flag registry formatted for compliance system ingestion; a methodology document for ongoing wallet monitoring; and a set of risk threshold recommendations for the platform’s transaction monitoring rules, informed by the wallet risk profile distribution identified in the review.

The registry was designed to be a living document; flag levels update as on-chain analytics platforms refresh their risk models, and the review process is designed to be repeatable on a defined cadence.