This playbook shows how to run a complete blockchain investigation using Range MCP tools inside any AI client. The workflow applies to any suspicious address — whether you received it as a counterparty, found it in a transaction, or are screening for compliance.
Before starting, make sure Range is connected to your AI client. See the Quickstart if you haven’t done that yet.

The investigation workflow

1. Risk triage

The first call in any investigation. Get the address risk score to understand the severity before going deeper.
Tool: get_address_risk
Ask your AI:
What is the risk score for [address] on [network]?
What to look for:
  • Risk level CRITICAL or HIGH → escalate, investigate thoroughly
  • Malicious hops in the graph → the address is connected to known bad actors even if not directly flagged
  • Entity attribution → if it’s labeled as a mixer, exchange, or sanctioned entity, that’s immediately actionable

2. Sanctions and blacklist check

Independent of risk scoring — check whether the address appears on OFAC lists or has been blacklisted by stablecoin issuers.
Tool: check_sanctions
Ask your AI:
Is [address] on any OFAC sanctions list or token blacklist?
What to look for:
  • is_ofac_sanctioned: true → immediate compliance action required
  • is_token_blacklisted: true → USDT/USDC/USDC.e transfers may be frozen
  • Check the event history for when and why it was listed

3. Build the connection graph

Identify who the address has been transacting with. This is the core of any fund flow investigation.
Tool: get_address_connections
Ask your AI:
Who are the top counterparties for [address] on [network]?
Show me their labels if available.
What to look for:
  • Direct connections to exchanges (good — funds may be traceable)
  • Direct connections to mixers or privacy protocols (red flag)
  • Unlabeled counterparties that appear frequently (investigate those too)

4. Trace fund flows

Dig into the actual transfers — amounts, tokens, timing, and direction.
Tools: get_transfers, get_transfers_between
Ask your AI:
Show me the largest transfers in and out of [address] in the last 90 days.
Are there any transfers between [address] and [suspicious counterparty]?
What to look for:
  • Rapid in/out patterns (layering behavior)
  • Large USD amounts with no clear business purpose
  • Bridge transfers (IBC, CCTP) used to move funds cross-chain quickly
  • Time clustering — many transactions in a short window

5. Find the origin of funds

Trace where the address got its initial funding. The funding source often reveals the true nature of the wallet.
Tool: get_address_funded_by
Ask your AI:
What address initially funded [address] and when?
What to look for:
  • Funded by a sanctioned or high-risk address → high concern
  • Funded by a known exchange with a verified withdrawal → lower concern
  • Funded by another unlabeled address → continue tracing that address too

6. Identify unknown counterparties

For any addresses you don’t recognize, look them up in Range’s entity database.
Tools: search_entities, get_address_info
Ask your AI:
What entity is [address]? Does Range have any labels for it?
Search for any entities matching "Binance" on Ethereum.
What to look for:
  • Known exchange hot/cold wallets
  • Mixer or tumbler addresses
  • Protocol contracts (DEXes, bridges, lending protocols)
  • Previously flagged addresses in Range’s database

7. Cross-chain pivot

If transfers crossed chains via bridges (IBC, CCTP, Wormhole), follow the funds to the destination chain and repeat the investigation there.
Ask your AI:
Were any funds from [address] bridged to another chain?
If so, what is the risk score of the receiving address on that chain?
Range covers Cosmos, Solana, EVM, Stellar, and Tron — you can pivot across all of them without switching tools.
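
The two timing signals from step 4 (rapid in/out patterns and time clustering), written out as an added example that is not part of Range's documentation or tooling. The record fields (ts, direction, usd) and the thresholds are assumptions for illustration, not the get_transfers response schema, and the sample transfers are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample transfers. Field names are assumptions for this example,
# not the get_transfers response schema.
SAMPLE = [
    {"ts": "2026-01-10T12:00:00", "direction": "in", "usd": 50000.0},
    {"ts": "2026-01-10T12:04:00", "direction": "out", "usd": 49800.0},
    {"ts": "2026-01-10T12:06:00", "direction": "out", "usd": 150.0},
    {"ts": "2026-01-10T12:07:00", "direction": "in", "usd": 20000.0},
    {"ts": "2026-01-10T12:09:00", "direction": "out", "usd": 19950.0},
    {"ts": "2026-02-01T09:00:00", "direction": "in", "usd": 700.0},
]

def _sorted_rows(transfers):
    rows = [dict(t, when=datetime.fromisoformat(t["ts"])) for t in transfers]
    return sorted(rows, key=lambda r: r["when"])

def rapid_pass_through(transfers, max_gap=timedelta(minutes=10), tolerance=0.05):
    """Pair each inbound transfer with the first unused outbound of a similar
    USD amount (within `tolerance`) that leaves within `max_gap`."""
    rows, used, pairs = _sorted_rows(transfers), set(), []
    for i, inc in enumerate(rows):
        if inc["direction"] != "in":
            continue
        for j in range(i + 1, len(rows)):
            out = rows[j]
            if out["when"] - inc["when"] > max_gap:
                break
            if (j not in used and out["direction"] == "out"
                    and abs(out["usd"] - inc["usd"]) <= tolerance * inc["usd"]):
                used.add(j)
                pairs.append((inc["ts"], out["ts"], inc["usd"]))
                break
    return pairs

def time_clusters(transfers, window=timedelta(minutes=15), min_count=4):
    """Return (first_ts, last_ts, count) for non-overlapping windows that
    hold at least `min_count` transfers."""
    rows, clusters, i = _sorted_rows(transfers), [], 0
    while i < len(rows):
        j = i
        while j + 1 < len(rows) and rows[j + 1]["when"] - rows[i]["when"] <= window:
            j += 1
        if j - i + 1 >= min_count:
            clusters.append((rows[i]["ts"], rows[j]["ts"], j - i + 1))
            i = j + 1
        else:
            i += 1
    return clusters
```

Matches from either function are leads for get_transfers_between and get_address_risk on the counterparties involved, not a verdict on their own.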

Complete investigation prompt

Paste this into Claude Desktop or Claude.ai for a full investigation in one shot:
Using Range tools, run a complete investigation on this address:
[address] on [network]

1. Get its risk score and explain the risk level
2. Check if it's on any OFAC sanctions list or token blacklist
3. Show its top 10 counterparties and label any known entities
4. List the 10 largest transfers in the last 6 months
5. Find the original funding source for this address
6. If any transfers crossed chains via a bridge, check the receiving address risk too

Summarize your findings with a risk verdict: LOW / MEDIUM / HIGH / CRITICAL
Include the key evidence that supports your verdict.

Example output

Address: 5Q544fKrFoe6tsEbD7S8EmxGTJYAKtTVhAW5Q5pge4j1
Network: Solana

Risk Assessment
  • Risk level: VERY_LOW (score: 1/10)
  • Entity: Raydium Protocol (DEX liquidity authority)
  • No OFAC sanctions, no token blacklist entries
Connection Graph
  • 500+ unique counterparties
  • Primarily interacts with known Solana DeFi protocols and user wallets
  • No connections to mixers or sanctioned addresses
Verdict: LOW RISK
This is a verified Raydium Protocol contract address used for AMM liquidity management. The volume and counterparty diversity are consistent with a legitimate high-traffic DeFi protocol.

Tips for better investigations

Start broad, then narrow. Use get_address_risk and get_address_connections first to get the big picture, then use get_transfers_between and get_transaction_details to zoom into specific relationships.
Use time filters. If you know when a suspicious event occurred, filter transfers and payments to that window. This dramatically reduces noise and focuses the AI on what matters.
Chain the graph. Each suspicious counterparty you find can be a new starting point. Ask the AI to run get_address_risk on any unlabeled counterparty that shows up frequently.
Last modified on March 5, 2026