As crypto services, exchanges, and payment platforms deepen their AML checks and users increasingly face “dirty” coins, the role of risk indicators of crypto addresses has become critical. A correct understanding of these indicators affects not only your money, but also your ability to work with legal platforms, withdraw funds, exchange cryptocurrencies, and avoid criminal liability.
What are risk indicators of crypto addresses and why they are needed
When you send or receive cryptocurrency, you interact not with a wallet as a file, but with the entire history of its transactions—that is, with the sources from which these funds arrived at it. These sources can be:
- legal — exchanges, payment services, salary crypto wallets;
- suspicious — P2P, unlicensed exchangers, bitcoin ATMs;
- outright dangerous — hacker attacks, scams, scam projects, darknet, sanctioned addresses.
Risk indicators of crypto addresses are tags that AML systems place on the source of funds (usually at the transaction or address level) to show how risky it is. They are not taken “out of thin air”—they result from analyzing:
- the blockchain history of the address;
- connections with known scam and sanctioned addresses;
- the wallet’s behavior (mixers, complex chains, “garbage” transactions);
- data from exchanges, regulators, sanction lists, and criminal databases.
Based on the indicators, the AML system forms the overall risk level of the address—Risk Score (from 0 to 100 or 0–100%). The higher the Risk Score, the greater the probability that the address is linked to fraud, money laundering, sanctions, or other criminal schemes.
How Risk Score is formed for a crypto address
Risk Score is not a “magic number,” but a composite metric that takes into account:
- sources of incoming funds: where the coins actually came from (exchange, P2P, bitcoin ATM, mixer, sanctioned service, etc.);
- address behavior: transaction frequency, amounts, participants in the chain, use of mixers;
- historical data: whether there are flags in sanction or blacklists, associations with known scam projects;
- transformation operations: hops, anonymous services, complex routes.
Risk Score usually looks like this:
- 0–25% — low risk;
- 26–50% — medium risk;
- 51–70% — elevated risk;
- 71–100% — high risk.
If the Risk Score exceeds 60%, that’s already a serious reason to reconsider the deal or at least conduct a detailed manual review (transaction history, links to exchanges, counterparties, etc.).
The three main categories of risk indicators
Most AML services working with risk indicators of crypto addresses divide them into three basic classes. This structure is now widely accepted in the industry.
1. ❌ Danger — dangerous sources
This category includes sources associated with serious violations:
- stolen coins — after hacker attacks on exchanges, smart contracts, wallets;
- funds obtained fraudulently — phishing, scam ICOs, P2P scams, social engineering;
- extortion — ransomware, double extortion ransomware, worm‑based extortion;
- cyberattacks, hacks, scam projects — loss of funds due to hacking activity;
- link to darknet marketplaces, sanctioned addresses, sanctioned exchangers.
Such tags usually greatly increase the Risk Score and require immediate attention. If you receive funds from an address with Danger‑level indicators, the risk of freeze, confiscation, and criminal liability increases dramatically.
2. 👤 Suspicious Sources — suspicious sources
This category does not always mean a direct violation but gives reason to be cautious:
- bitcoin ATMs — cash to crypto, where KYC is minimal and the risk of money laundering is high;
- exchange through unlicensed services — unregulated crypto exchangers that do not support AML/KYC;
- P2P platforms — where there is no direct link to licensing requirements and counterparty verification is minimal;
- some crypto exchanges without licenses — especially in regulatory “gray zones.”
Suspicious indicators increase the risk but do not always mean criminality. Often they are a signal:
- “check the source manually”;
- “do not use this address as the main one for large volumes”;
- “if the Risk Score is above 50–60%, reconsider the deal.”
3. ✅ Trusted Sources — reliable sources
These are the safest and most predictable sources:
- licensed exchanges (Binance, Bybit, Kraken, KuCoin, etc., with regular AML checks);
- mining — blockchain mining where the address is directly linked to a mining pool or ASIC farm;
- verified wallets and payment services — with KYC, liquid transactions, and regular crowd‑based operations.
Such indicators usually do not raise the Risk Score and may even lower it if the address primarily receives funds from Trusted sources. However, it is still important not to relax: if later “dirty” coins arrive at the wallet from a Danger‑source, the Risk Score can jump sharply.
What indicators do you see in real‑world services
For example, here is how BestChange describes its risk indicators for crypto addresses:
- ❌ Danger — funds arriving from crypto addresses linked to extortion, hackers, scam projects, darknet markets, and sanctioned services.
- 👤 Suspicious Sources — funds received via bitcoin ATMs, P2P, unlicensed exchangers, and a number of anonymous services.
- ✅ Trusted Sources — inflows from licensed exchanges, well‑known wallets, payment services, mining‑related payment addresses, etc.
AML services like AMLCrypto, AMLBot, WhoAML, and others assess:
- suspicious hops — routes via mixers, Tornado Cash, anonymous services;
- sanction links — addresses frozen by issuers or regulators;
- fraud history — participation in scam schemes, phishing campaigns;
- wallet behavior — transaction frequency, amounts, number of participants.
The result is the Risk Score and a color tag (green/yellow/red), along with recommendations for the operation.
How the indicators work in practice: scenario examples
Scenario 1. Crypto payment for goods or services
You receive a crypto address from a seller.
Before sending, you should run an AML check (for example, via BestChange, AMLBot, or similar):
- if Risk Score is 0–25% and you see Trusted indicators — the deal can be considered relatively safe;
- if Risk Score is 50–70% with relevant indicators — you should reconsider the deal, use another address, check the counterparty, and avoid sending large amounts;
- if Risk Score exceeds 70% or has Danger tags — it is better to abandon the deal entirely, even if the seller claims that “it’s just an old address.”
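The composite score and the pre-send policy from Scenario 1 can be sketched in code. This is an added example, not code from any AML service: the category weights, the `Source` record and the exposure profiles are assumptions made for illustration, and only the risk bands and decision thresholds come from the text above.

```python
from dataclasses import dataclass

# Assumed per-category weights (0-100); real AML vendors use proprietary models.
CATEGORY_WEIGHT = {"danger": 100, "suspicious": 50, "trusted": 0}
# Risk bands as listed on the page (upper bound inclusive, in percent).
BANDS = [(25, "low"), (50, "medium"), (70, "elevated"), (100, "high")]

@dataclass(frozen=True)
class Source:
    label: str      # e.g. "licensed exchange", "P2P", "stolen coins"
    category: str   # "danger" | "suspicious" | "trusted"
    share_pct: int  # percent of the address's inbound value from this source

def risk_score(sources):
    """Exposure-weighted score in percent (0-100)."""
    for s in sources:
        if s.category not in CATEGORY_WEIGHT or s.share_pct < 0:
            raise ValueError(f"bad source entry: {s}")
    total = sum(s.share_pct for s in sources)
    if total == 0:
        raise ValueError("no inbound exposure to score")
    # Normalise by the attributed total so partial data still yields 0-100.
    return round(sum(CATEGORY_WEIGHT[s.category] * s.share_pct for s in sources) / total, 1)

def band(score):
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError("score out of range")

def pre_send_decision(sources):
    """Scenario 1 policy: a Danger tag overrides a low blended score."""
    score = risk_score(sources)
    cats = {s.category for s in sources if s.share_pct > 0}
    if "danger" in cats or score > 70:
        action = "abandon"
    elif score >= 50:
        action = "reconsider"
    elif "suspicious" in cats:
        action = "manual_review"  # Suspicious tags warrant review even at low score
    else:
        action = "proceed"
    return {"score": score, "band": band(score), "action": action}

# Constructed sample exposure profiles (not real addresses or vendor output).
CLEAN = [Source("licensed exchange", "trusted", 90), Source("mining pool", "trusted", 10)]
P2P_HEAVY = [Source("P2P", "suspicious", 70), Source("bitcoin ATM", "suspicious", 30)]
OLD_HACK = [Source("licensed exchange", "trusted", 95), Source("stolen coins", "danger", 5)]
```

The `OLD_HACK` profile blends to a score of only 5% yet is still rejected, which is why the category tags have to be checked alongside the number.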
Scenario 2. Funding through an unlicensed P2P exchanger
You receive crypto from a P2P exchanger where Suspicious indicators appear (P2P, ATMs, unlicensed exchangers).
- AML services see these sources and increase the Risk Score;
- the exchange you later withdraw to may block the withdrawal or require KYC documents;
- in the worst case — the funds may be confiscated or classified as “dirty.”
Best practice is to minimize volumes from such sources and not keep large sums on addresses that received crypto via P2P.
Scenario 3. Working with crypto exchangers and AML services
Most crypto exchangers and AML services (BestChange, AMLCrypto, AML modules of exchanges) offer address checking before an exchange. In the interface you see:
- Risk Score;
- indicator categories: Danger, Suspicious, Trusted;
- details — which addresses, networks, or services are linked to risk.
If you receive “dirty” coins, the service usually:
- pauses or blocks the exchange and requires KYC documents;
- does not allow withdrawal until the source of the funds is clarified;
- may confiscate or return the coins according to regulatory rules.
Which indicators increase Risk Score
Here are real indicators that raise the Risk Score (according to AML services and 2026 practice):
- Funds from addresses linked to fraudulent projects — phishing, scam ICOs, P2P scams, social engineering.
- Ties to darknet marketplaces — addresses spotted in the sale of stolen wallets, data, or RaaS services.
- Use of mixers — Tornado Cash, anonymous services specifically created to obfuscate the chain.
- Arrival from sanctioned addresses — frozen by issuers or regulators.
- Frequent small‑amount transactions — “garbage” operations, attempts to smear funds across many addresses.
- Cash‑out via ATMs and P2P services — without proper KYC.
- Links to unlicensed crypto exchanges — without regular AML checks.
- Broken chain — using CoinJoin, anonymous services to hide the source.
All these indicators do not work in isolation—they are combined into the overall Risk Score.
Which indicators do not always mean criminality
Not every Suspicious tag indicates a direct crime. In 2026 there is a gray zone:
- Links to certain crypto exchanges without licenses — if the service does not violate AML but simply operates in a legally “shadowed” area.
- Using ATMs for real customers — if the user simply wants to buy crypto with cash rather than launder money.
- Some P2P exchanges — if the counterparty is honest but does not undergo KYC, the indicator may be Suspicious while the Risk Score is moderate.
In such cases, manual context‑checking is important:
- transaction history;
- frequency and volume;
- context of the deal;
- KYC data, if available.
Which indicators help lower Risk Score
There are also positive indicators that reduce the Risk Score:
- Receipts from licensed exchanges — Binance, Bybit, Kraken, KuCoin, etc.
- Income from mining — a direct source, without intermediaries and risky services.
- Transactions with reputable payment services — services with KYC and regular AML checks.
- Stable volume of legal transactions — salary payments, service payments, legitimate crypto exchanges.
The more Trusted indicators an address has, the lower its Risk Score, even if there are some Suspicious sources in the past.
How to use risk indicators in your own practice
1. Check the address before sending or receiving large amounts
Always run an AML check on the counterparty’s address before:
- a large payment;
- a deposit to an exchange;
- funding a P2P deal;
- using a new wallet for regular flows.
Even if the Risk Score is low, Suspicious tags should prompt additional manual review.
2. Watch your own address history
Your wallet’s Risk Score depends not only on where you send funds but also on where you receive them. Avoid:
- repeated funding from ATMs and unlicensed P2P exchanges;
- receiving funds from known scam or sanctioned addresses;
- using mixers or anonymous services unless absolutely necessary and legally justified.
If Risk Score rises sharply after a transaction, contact the AML service/exchange for explanation and documentation.
3. Keep documentation of your deals
Maintain records:
- transaction hashes;
- screenshots;
- invoices, contracts, and correspondence.
This may help you prove the legitimacy of funds if an AML check flags them.
4. Use licensed AML and KYC services
Rely on:
- licensed exchanges with built‑in AML modules;
- dedicated AML check services (AMLCrypto, BestChange, similar tools);
- local KYC‑compliant exchangers instead of fully anonymous P2P deals.
This reduces the chance of getting “dirty” coins and being blocked or frozen.








