Why a single score matters
A compliance analyst reviewing a wallet can spend 20 minutes tracing transactions manually and still miss something. An automated score condenses millions of potential data points into a signal that takes two seconds to read. The score does not replace judgment; it directs where to look.
For exchanges, the score is the trigger for automated review. For P2P traders, it is the 8-second check before confirming a deal. For OTC desks, it is part of the due-diligence file. The methodology is the same in all cases.
Stage 1: Direct list matching
The fastest and most definitive stage. The wallet address is compared against every sanctions and law-enforcement database in the system:
- OFAC SDN list (U.S. Treasury), refreshed every 24 hours
- EU Consolidated List of persons, groups, and entities
- UN Security Council consolidated list
- UK HM Treasury financial sanctions list
- FBI and Europol seizure wallets from publicly announced operations
- Known darknet market deposit addresses (Hydra, Mega, Solaris, AlphaBay successors)
- Ransomware payment wallets (Conti, REvil, LockBit, and active successors)
A direct hit here produces a score of 90 to 100. No counterparty trace is needed: the address is directly sanctioned or directly associated with criminal infrastructure.
Stage 2: Four-hop counterparty trace
This is where most of the interesting scoring happens. A wallet might have no direct list exposure but still be two transactions away from a sanctioned address. The system walks the transaction graph outward from the target wallet in both directions.
At each hop, the exposure is weighted by three factors:
- Proximity. One hop away carries far more weight than four hops away. A direct counterparty that is sanctioned adds approximately 40 to 60 points. A four-hop exposure from the same source adds 5 to 15 points.
- Transaction volume. A single $10 transaction with a risky counterparty adds less exposure than 50 transactions totaling $50,000.
- Transaction frequency. Repeated interactions with the same risky address suggest an ongoing relationship rather than a one-time coincidence.
Why stop at four hops? The Bitcoin transaction graph is densely connected. Tracing further than four hops makes nearly every wallet on the network look risky, which is not useful. Beyond four hops, statistical exposure becomes indistinguishable from normal network activity.
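The four-hop trace and its three weighting factors can be sketched as a bounded breadth-first walk. This is an added example, not the scoring service's own code: the hop 2 and hop 3 point ranges, the `edge_strength` formula, and all wallet labels are assumptions made for illustration, and only Stage 2 is modelled.

```python
import math
from collections import deque

# Point ranges per hop. Hops 1 and 4 come from the text above; hops 2 and 3
# are interpolated here as an assumption.
HOP_RANGE = {1: (40, 60), 2: (25, 40), 3: (12, 25), 4: (5, 15)}
MAX_HOPS = 4

def build_graph(transfers):
    """Aggregate (sender, receiver, usd) rows into an undirected adjacency map,
    because the trace walks the graph in both directions."""
    graph = {}
    for src, dst, usd in transfers:
        for a, b in ((src, dst), (dst, src)):
            edge = graph.setdefault(a, {}).setdefault(b, {"usd": 0.0, "count": 0})
            edge["usd"] += usd
            edge["count"] += 1
    return graph

def edge_strength(edge):
    """Assumed 0..1 weight: half volume (log scale), half frequency."""
    volume = min(1.0, math.log10(1 + edge["usd"]) / 5)  # saturates near $100,000
    frequency = min(1.0, edge["count"] / 10)            # saturates at 10 transfers
    return (volume + frequency) / 2

def trace_exposure(graph, target, flagged):
    """Breadth-first walk to MAX_HOPS; returns (address, hop, points) per hit."""
    seen, queue, hits = {target}, deque([(target, 0)]), []
    while queue:
        addr, hop = queue.popleft()
        if hop == MAX_HOPS:
            continue  # do not expand past the four-hop horizon
        for peer, edge in graph.get(addr, {}).items():
            if peer in seen:
                continue
            seen.add(peer)
            if peer in flagged:
                lo, hi = HOP_RANGE[hop + 1]
                hits.append((peer, hop + 1, lo + (hi - lo) * edge_strength(edge)))
            queue.append((peer, hop + 1))
    return hits

def counterparty_score(graph, target, flagged):
    return min(100, round(sum(p for _, _, p in trace_exposure(graph, target, flagged))))

# Constructed sample data: placeholder labels, not real addresses.
TRANSFERS = [("wallet_a", "exch_1", 1200.0), ("exch_1", "relay_1", 300.0),
             ("relay_1", "relay_2", 300.0), ("relay_2", "listed_far", 10.0),
             ("listed_far", "listed_beyond", 5000.0)]
TRANSFERS += [("listed_near", "wallet_b", 1000.0)] * 50
FLAGGED = {"listed_near", "listed_far", "listed_beyond"}
GRAPH = build_graph(TRANSFERS)
```

On this sample, `wallet_a` picks up only a hop-4 exposure through a single $10 transfer, while `wallet_b` has 50 transfers totaling $50,000 with a directly flagged counterparty; `listed_beyond` sits at hop 5 and is never counted.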
Stage 3: Behavioral heuristics
Some risk patterns are not about WHO a wallet transacted with, but HOW it transacted. The heuristic layer adds or subtracts points based on behavioral signals:
- Mixer entry detection. If a wallet sent funds into Tornado Cash, a CoinJoin pool, or another mixer, points are added regardless of whether the post-mix funds appear "clean."
- Peel chain pattern. A long series of single-output transactions that gradually drain a balance is a known layering technique. Wallets that are part of an active peel chain receive a higher score.
- Dust attack recipient. If a wallet received tiny amounts from a known dust attack address, it is flagged as a possible surveillance target or scam setup.
- Honeypot contract interaction. Wallets that interacted with known honeypot or drainer contracts are flagged for scam exposure.
What the numbers actually mean
| Score range | Risk level | What to do |
|---|---|---|
| 0 to 29 | Clean | Proceed normally. Save a screenshot for records. |
| 30 to 59 | Caution | Indirect exposure detected. For small amounts, acceptable with documentation. For large amounts, request source-of-funds from counterparty. |
| 60 to 79 | High risk | Decline or require re-sourcing of funds. Most exchanges flag automatically at this range. |
| 80 to 100 | Critical | Direct sanctions contact or direct darknet/ransomware exposure. Do not proceed. |
Why almost no wallet scores exactly zero
A score of zero would mean a wallet has never, at any hop distance, touched any flagged address. In practice, this is extremely rare on Bitcoin and Ethereum. Major exchanges process millions of transactions daily, and some fraction of those originate from risky sources. If your wallet received funds from Binance, Binance itself has processed some transactions from risky addresses.
A score of 5 to 20 on a wallet that only uses regulated exchanges is normal. It is baseline network noise. The meaningful threshold starts at 30.
How scores change over time
Risk scores are not static. Three things can change a score after the fact:
- A counterparty that was clean gets added to the OFAC list. Their score jumps, and it pulls up the scores of wallets that transacted with them.
- A law-enforcement seizure identifies a set of darknet wallets. All wallets with transaction exposure to those addresses see their scores update within 24 to 48 hours.
- New transactions on the blockchain. If a wallet keeps transacting with clean counterparties over time, its score may improve as older risky interactions become more distant.
This is why a one-time check at wallet creation is not sufficient for wallets you use regularly. Check before each significant incoming payment.
Frequently asked questions
Why does my new wallet have a score above zero?
A score of 5 to 20 on a new wallet is normal. The Bitcoin and Ethereum transaction graphs are densely connected. Even a wallet that received funds from a major exchange will pick up small fractions of exposure. This baseline noise does not represent a compliance problem.
Can a clean wallet suddenly get a high score?
Yes. If you receive a payment from a wallet with high exposure, your score increases. The score reflects current transaction history, not a fixed reputation. This is why running a check before accepting large payments matters.
What score will cause my exchange to freeze my account?
Most major exchanges begin automated review at scores above 60. At 75 and above, many exchanges freeze the incoming transaction automatically. The exact threshold varies by exchange, but 60 is a reliable practical cutoff.
Does the score change over time?
Yes. When new sanctions lists are published or law-enforcement seizures identify new criminal wallets, scores update within 24 to 48 hours. An address that was clean six months ago can develop risk exposure if a counterparty later gets sanctioned.
Check any wallet's risk score in 8 seconds
Paste any Bitcoin, Ethereum, TRON, Solana, or BNB address into @scorechain_amlbot. Free basic score, no registration.