# Investigation Playbook

> How to investigate a suspicious blockchain wallet from first look to final report using Range AI tools.

This playbook shows how to run a complete blockchain investigation using Range MCP tools inside any AI client. The workflow applies to any suspicious address, whether you received it as a counterparty, found it in a transaction, or are screening for compliance.

<Info>
  Before starting, make sure Range is connected to your AI client. See the [Quickstart](/ai/quickstart) if you haven't done that yet.
</Info>

***

## The investigation workflow

<Steps>
  <Step title="Risk triage">
    This is the first call in any investigation: get the address risk score to understand the severity before going deeper.

    **Tool:** `get_address_risk`

    Ask your AI:

    ```
    What is the risk score for [address] on [network]?
    ```

    **What to look for:**

    * Risk level CRITICAL or HIGH → escalate and investigate thoroughly
    * Malicious hops in the graph → the address is connected to known bad actors even if not directly flagged
    * Entity attribution → if it's labeled as a mixer, exchange, or sanctioned entity, that's immediately actionable
  </Step>

  <Step title="Sanctions and blacklist check">
    Independent of risk scoring, check whether the address appears on OFAC lists or has been blacklisted by stablecoin issuers.

    **Tool:** `check_sanctions`

    Ask your AI:

    ```
    Is [address] on any OFAC sanctions list or token blacklist?
    ```

    **What to look for:**

    * `is_ofac_sanctioned: true` → immediate compliance action required
    * `is_token_blacklisted: true` → USDT/USDC/USDC.e transfers may be frozen
    * Check the event history for when and why it was listed
  </Step>

  <Step title="Build the connection graph">
    Identify who the address has been transacting with. This is the core of any fund flow investigation.

    **Tool:** `get_address_connections`

    Ask your AI:

    ```
    Who are the top counterparties for [address] on [network]?
    Show me their labels if available.
    ```

    **What to look for:**

    * Direct connections to exchanges (good: funds may be traceable)
    * Direct connections to mixers or privacy protocols (red flag)
    * Unlabeled counterparties that appear frequently (investigate those too)
  </Step>

  <Step title="Trace fund flows">
    Dig into the actual transfers: amounts, tokens, timing, and direction.

    **Tools:** `get_transfers`, `get_transfers_between`

    Ask your AI:

    ```
    Show me the largest transfers in and out of [address] in the last 90 days.
    Are there any transfers between [address] and [suspicious counterparty]?
    ```

    **What to look for:**

    * Rapid in/out patterns (layering behavior)
    * Large USD amounts with no clear business purpose
    * Bridge transfers (IBC, CCTP) used to move funds cross-chain quickly
    * Time clustering: many transactions in a short window
  </Step>

  <Step title="Find the origin of funds">
    Trace where the address got its initial funding. The funding source often reveals the true nature of the wallet.

    **Tool:** `get_address_funded_by`

    Ask your AI:

    ```
    What address initially funded [address] and when?
    ```

    **What to look for:**

    * Funded by a sanctioned or high-risk address → high concern
    * Funded by a known exchange with a verified withdrawal → lower concern
    * Funded by another unlabeled address → continue tracing that address too
  </Step>

  <Step title="Identify unknown counterparties">
    For any addresses you don't recognize, look them up in Range's entity database.

    **Tools:** `search_entities`, `get_address_info`

    Ask your AI:

    ```
    What entity is [address]? Does Range have any labels for it?
    Search for any entities matching "Binance" on Ethereum.
    ```

    **What to look for:**

    * Known exchange hot/cold wallets
    * Mixer or tumbler addresses
    * Protocol contracts (DEXes, bridges, lending protocols)
    * Previously flagged addresses in Range's database
  </Step>

  <Step title="Cross-chain pivot">
    If transfers crossed chains via bridges (IBC, CCTP, Wormhole), follow the funds to the destination chain and repeat the investigation there.

    Ask your AI:

    ```
    Were any funds from [address] bridged to another chain?
    If so, what is the risk score of the receiving address on that chain?
    ```

    Range covers Cosmos, Solana, EVM, Stellar, and Tron, so you can pivot across all of them without switching tools.
  </Step>
</Steps>
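
The rapid in/out and time-clustering checks from the "Trace fund flows" step, written out as an added Python example that is not part of the Range documentation or API. The transfer field names, sample records, and thresholds are assumptions constructed for illustration; map them to the fields your transfer export actually contains.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse an ISO-8601 UTC timestamp into epoch seconds."""
    return int(datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp())

# Constructed sample transfers; the field names are assumptions for this
# example, not the get_transfers response schema.
TRANSFERS = [
    {"time": ts("2024-03-01T10:00:00"), "direction": "in",  "usd": 50_000, "counterparty": "addr_A"},
    {"time": ts("2024-03-01T10:12:00"), "direction": "out", "usd": 49_800, "counterparty": "addr_B"},
    {"time": ts("2024-03-02T09:00:00"), "direction": "in",  "usd": 1_200,  "counterparty": "addr_C"},
    {"time": ts("2024-03-05T14:00:00"), "direction": "out", "usd": 300,    "counterparty": "addr_D"},
    {"time": ts("2024-03-07T02:00:00"), "direction": "out", "usd": 900,    "counterparty": "addr_E"},
    {"time": ts("2024-03-07T02:01:00"), "direction": "out", "usd": 910,    "counterparty": "addr_F"},
    {"time": ts("2024-03-07T02:03:00"), "direction": "out", "usd": 905,    "counterparty": "addr_G"},
    {"time": ts("2024-03-07T02:04:00"), "direction": "out", "usd": 899,    "counterparty": "addr_H"},
]

def rapid_pass_through(transfers, window_s=3600, tolerance=0.05):
    """Pair each inbound with the first unused outbound that leaves within
    window_s and carries roughly the same USD value (rapid in/out pattern)."""
    ordered = sorted(transfers, key=lambda t: t["time"])
    used, pairs = set(), []
    for t_in in (t for t in ordered if t["direction"] == "in"):
        for i, t_out in enumerate(ordered):
            if i in used or t_out["direction"] != "out":
                continue
            gap = t_out["time"] - t_in["time"]
            if 0 <= gap <= window_s and abs(t_out["usd"] - t_in["usd"]) <= tolerance * t_in["usd"]:
                used.add(i)
                pairs.append((t_in["counterparty"], t_out["counterparty"], gap))
                break
    return pairs

def time_clusters(transfers, window_s=600, min_count=4):
    """Return (start, end, count) for bursts of >= min_count transfers within window_s."""
    times = sorted(t["time"] for t in transfers)
    clusters, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window_s:
            j += 1
        if j - i + 1 >= min_count:
            clusters.append((times[i], times[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return clusters
```

On the sample data, the first function pairs the 50,000 USD inbound with the near-equal outbound 12 minutes later, and the second reports the four-transfer burst on 7 March; both are leads for follow-up with `get_transfers_between`, not verdicts.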

***

## Complete investigation prompt

Paste this into Claude Desktop or Claude.ai for a full investigation in one shot:

```
Using Range tools, run a complete investigation on this address:
[address] on [network]

1. Get its risk score and explain the risk level
2. Check if it's on any OFAC sanctions list or token blacklist
3. Show its top 10 counterparties and label any known entities
4. List the 10 largest transfers in the last 6 months
5. Find the original funding source for this address
6. If any transfers crossed chains via a bridge, check the receiving address risk too

Summarize your findings with a risk verdict: LOW / MEDIUM / HIGH / CRITICAL
Include the key evidence that supports your verdict.
```

***

## Example output

<Accordion title="Example: Raydium Authority V4 on Solana">
  **Address:** `5Q544fKrFoe6tsEbD7S8EmxGTJYAKtTVhAW5Q5pge4j1`
  **Network:** Solana

  **Risk Assessment**

  * Risk level: VERY\_LOW (score: 1/10)
  * Entity: Raydium Protocol (DEX liquidity authority)
  * No OFAC sanctions, no token blacklist entries

  **Connection Graph**

  * 500+ unique counterparties
  * Primarily interacts with known Solana DeFi protocols and user wallets
  * No connections to mixers or sanctioned addresses

  **Verdict: LOW RISK**
  This is a verified Raydium Protocol contract address used for AMM liquidity management. The volume and counterparty diversity are consistent with a legitimate high-traffic DeFi protocol.
</Accordion>

***

## Tips for better investigations

<Tip>
  **Start broad, then narrow.** Use `get_address_risk` and `get_address_connections` first to get the big picture, then use `get_transfers_between` and `get_transaction_details` to zoom into specific relationships.
</Tip>

<Tip>
  **Use time filters.** If you know when a suspicious event occurred, filter transfers and payments to that window. This dramatically reduces noise and focuses the AI on what matters.
</Tip>

<Tip>
  **Chain the graph.** Each suspicious counterparty you find can be a new starting point. Ask the AI to run `get_address_risk` on any unlabeled counterparty that shows up frequently.
</Tip>
