Every cryptocurrency address tells a story through its transaction history. Risk scoring reads that story and assigns a quantitative measure of how likely an address is to be associated with illicit activity. For exchanges, payment processors, and compliance teams, risk scores drive automated decision-making — whether to allow a deposit, flag a withdrawal, or escalate a case for manual review.
What Is a Wallet Risk Score?
A wallet risk score is a numerical assessment of the likelihood that a cryptocurrency address is linked to criminal activity, sanctions violations, or other compliance concerns. The score derives from analyzing the address's transaction history, its connections to known bad actors, and behavioral patterns visible on the blockchain.
Risk scores are not binary. An address is rarely simply "safe" or "dangerous." Scoring systems assign a spectrum of risk that reflects the nuance of on-chain activity. An address that received a small payment from an intermediary two hops away from a blacklisted address carries less risk than one that received millions directly from a sanctioned entity.
Graph-Based Proximity Scoring
The most effective approach to wallet risk scoring is graph-based proximity analysis. This technique models the blockchain as a directed graph where addresses are nodes and transactions are edges. By traversing outward from known bad addresses, a scoring system determines how close any address is to illicit activity.
The concept parallels social network analysis. Just as you might assess someone's trustworthiness partly by examining their associates, graph-based scoring evaluates an address's risk by examining its transaction counterparties — and their counterparties in turn.
This approach relies on two core components: a comprehensive transaction database covering all on-chain activity across supported chains, and a graph traversal engine capable of computing distances between addresses across billions of transactions.
Understanding Depth Levels
At the heart of proximity scoring is the concept of "depth" (also called "hops") — the shortest path between an address and the nearest blacklisted address through the transaction graph. Each depth level carries a different risk implication. The following is an illustrative framework — specific platforms apply additional proprietary factors that adjust these thresholds:
Depth 0 means the address itself is blacklisted. This is the highest risk level. The address has been identified on a sanctions list (such as the OFAC SDN list) or a stablecoin issuer's blacklist. For tokens with on-chain blacklist enforcement — USDT, USDC, and others — transfers from this address are blocked at the smart-contract level. Native tokens like ETH remain technically movable but are flagged by compliance screening systems.
Depth 1 means the address has transacted directly with a blacklisted address. This first-degree connection to known illicit activity triggers elevated scrutiny. Some exchanges automatically hold or reject deposits from depth-1 addresses depending on the asset, transfer volume, and internal policy.
Depth 2 means one intermediary separates the address from a blacklisted address. The risk is lower than depth 1 but still significant. Criminals frequently route funds through intermediary wallets to create distance from known addresses, making depth-2 connections a routine focus for compliance monitoring.
Depth 3 and beyond represents increasingly indirect connections. Risk diminishes with each additional hop but does not disappear. Additional factors such as transfer value, entity types, and timing may elevate or reduce the assessed risk at any depth level.
Beyond Simple Hop Counting
Effective risk scoring goes beyond counting hops. Several additional factors influence the final score:
Transaction value plays a significant role. Receiving 0.001 ETH from a depth-1 address is materially different from receiving 500 ETH. Scoring systems weight exposure by the scale of funds involved, not just the existence of a connection.
Temporal proximity matters. A transaction that occurred before an address was blacklisted carries different risk weight than one that occurred after the designation. Scoring systems factor in when connections formed relative to when risk designations were published.
Entity classification affects how risk propagates through the graph. Exchanges, DeFi protocols, and personal wallets transmit risk differently. Eagle Virtual's scoring engine applies entity classification to prevent inflated scores from incidental shared-platform connections — such as two unrelated users both depositing to the same exchange — while preserving genuine exposure signals.
Multi-chain analysis adds another dimension. When the same entity operates across multiple EVM-compatible chains (for example, the same address on Ethereum and Polygon), risk from one chain propagates to the others. This cross-chain linking is straightforward for networks that share an address space.
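The depth levels, the entity-classification point and the shared EVM address space described above can be combined in one traversal. The following is an added example, not code from Eagle Virtual or any scoring platform. It assumes edges are treated as undirected for proximity and that service addresses receive a depth but do not pass it on, which is a simplification; the addresses, `blacklist_depths` and its parameters are constructed for illustration.

```python
from collections import deque

# Constructed sample transfers: (chain, sender, receiver). Not real addresses.
TRANSFERS = [
    ("ethereum", "0xBAD", "0xA1"),  # direct contact with the blacklisted address
    ("ethereum", "0xA1", "0xA2"),   # one intermediary
    ("ethereum", "0xA2", "0xA3"),
    ("ethereum", "0xA3", "0xA4"),   # beyond max_depth, never scored
    ("ethereum", "0xA1", "0xEX"),   # deposit to an exchange hot wallet
    ("ethereum", "0xU1", "0xEX"),   # unrelated user of the same exchange
    ("polygon",  "0xBAD", "0xP1"),  # same blacklisted address on another EVM chain
]
BLACKLIST = {"0xBAD"}
SERVICES = {"0xEX"}  # entity classification: shared-platform addresses


def blacklist_depths(transfers, blacklist, services=frozenset(), max_depth=3):
    """Return {address: hops to the nearest blacklisted address} up to max_depth.

    Multi-source breadth-first search seeded with every blacklisted address.
    Chains are merged by address, which only holds for networks that share
    an address space (for example EVM-compatible chains).
    """
    neighbours = {}
    for _chain, sender, receiver in transfers:
        s, r = sender.lower(), receiver.lower()  # EVM hex is case-insensitive
        neighbours.setdefault(s, set()).add(r)
        neighbours.setdefault(r, set()).add(s)   # assumption: undirected proximity

    services = {a.lower() for a in services}
    depths = {a.lower(): 0 for a in blacklist}
    queue = deque(depths)
    while queue:
        addr = queue.popleft()
        d = depths[addr]
        # Stop at the depth limit. A service address is scored itself but does
        # not propagate, so co-depositors are not linked (assumed rule); a
        # blacklisted service (d == 0) still propagates.
        if d >= max_depth or (d > 0 and addr in services):
            continue
        for nxt in neighbours.get(addr, ()):
            if nxt not in depths:  # first visit in BFS is the shortest path
                depths[nxt] = d + 1
                queue.append(nxt)
    return depths


if __name__ == "__main__":
    for addr, d in sorted(blacklist_depths(TRANSFERS, BLACKLIST, SERVICES).items()):
        print(d, addr)
```

Addresses missing from the result are further than `max_depth` hops away or reachable only through a service address.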
How Services Use Risk Scores
Different organizations consume risk scores differently, but the pattern is consistent: automated decisions for clear-cut cases, human review for borderline ones.
Cryptocurrency exchanges are the largest consumers of risk data. They check incoming deposits against a risk scoring API before crediting accounts. High-risk deposits (depth 0–1) may be automatically frozen, medium-risk deposits (depth 2) held for review, and low-risk deposits pass through normally. Some exchanges also screen withdrawal destinations, refusing to send funds to addresses with known blacklist proximity.
Payment processors accepting cryptocurrency use risk scores to decide whether to process transactions. A merchant accepting USDT needs assurance that incoming tokens are not connected to sanctioned or criminal addresses.
DeFi protocols increasingly integrate risk checks into front-end applications. While the underlying smart contract may be permissionless, the front-end interface can block interactions from high-risk addresses, reducing the protocol's exposure to illicit funds.
Law enforcement and forensic investigators use risk scores as investigation starting points. Clusters of high-risk, high-volume addresses may indicate money laundering networks warranting deeper graph analysis.
Limitations and Tradeoffs
No risk scoring system is perfect.
False positives occur when legitimate addresses are flagged due to incidental contact with risky addresses. In the dense transaction graphs of popular DeFi protocols, most active addresses have some degree of proximity to blacklisted funds. Scoring systems must balance sensitivity (catching genuine threats) with specificity (avoiding false flags on legitimate users).
False negatives are equally concerning. Sophisticated actors use techniques such as chain-hopping, privacy mixers, intermediate wallet chains, and fresh address generation to increase their distance from known bad addresses. No scoring system guarantees detection of all illicit activity.
Graph-based risk scoring remains the most effective automated approach to cryptocurrency compliance. Combined with sanctions screening, stablecoin blacklist monitoring, and human expertise, it forms one critical layer in a comprehensive compliance program.
Frequently Asked Questions
What is a good crypto wallet risk score?
A "good" score means the address has no direct or close connections to blacklisted addresses. In depth-based systems, addresses at depth 3 or greater from any blacklisted address are generally considered low risk. Each organization sets its own thresholds based on risk appetite and regulatory requirements.
How often do wallet risk scores change?
Risk scores can change whenever new blacklist entries are published, new transactions create connections to flagged addresses, or existing designations are removed. Effective compliance systems monitor scores continuously rather than checking only at the time of a transaction.
Can a wallet's risk score be improved?
An address's risk score is determined by its on-chain transaction history, which is immutable. An address that received funds from a blacklisted entity will always carry that connection. However, scores may shift if blacklist entries are removed or if the scoring model is updated with new entity classifications.