Range’s risk scoring engine aggregates data from multiple independent sources to produce comprehensive risk intelligence. This page describes the data sources that feed into our risk scoring methodology.
Sanctions Lists
Range cross-references addresses against major international sanctions lists. Sanctions data is sourced from official government publications and is network-agnostic - any address published by a sanctioning body is covered.
| Source | Jurisdiction | Description |
|---|
| OFAC SDN List | United States | US Treasury Office of Foreign Assets Control - Specially Designated Nationals and Blocked Persons list |
| EU Sanctions | European Union | EU consolidated list of persons, groups, and entities subject to financial sanctions |
| UK Sanctions | United Kingdom | UK financial sanctions targets under the Sanctions and Anti-Money Laundering Act |
| UN Sanctions | International | United Nations Security Council consolidated list |
Stablecoin Issuer Blacklists
Range monitors on-chain blacklist events emitted by stablecoin issuer contracts in real-time. When an issuer blacklists an address, it is blocked from transferring their tokens.
| Issuer | Tokens | Networks Monitored |
|---|
| Tether | USDT | Ethereum, Tron, Solana |
| Circle | USDC | Ethereum, Tron, Solana |
| Coinbase | CBBTC | Ethereum |
| Paxos | USDP | Ethereum |
blacklist and unblacklist events are tracked, providing current status and full event history. See Supported Tokens for the complete coverage matrix.
Threat Intelligence
Range maintains a curated attribution dataset compiled from multiple intelligence sources. This dataset provides off-chain context that enriches on-chain risk analysis.
Sources
| Category | Description |
|---|
| Confirmed exploits | Addresses involved in verified protocol exploits, bridge hacks, and smart contract vulnerabilities |
| Scams & phishing | Known scam addresses, phishing campaigns, and social engineering operations |
| Internal research | Range’s security research team continuously investigates and attributes new threats |
| Community reports | Verified reports from the blockchain security community |
| Security partnerships | Intelligence shared through partnerships with security companies and incident response teams |
| Public sources | Publicly available threat data from blockchain analytics and security research |
Attribution Labels
Each attributed address includes metadata:
name_tag - Human-readable label describing the activityentity - Known organization or clustercategory - Type of activity (e.g., hack_funds, scam, phishing)
When attribution fields are blank or null, this indicates either data from confidential sources where details cannot be disclosed, or addresses identified through ML models without traditional attribution data.
Machine Learning Models
Range’s proprietary ML models extend coverage beyond traditional attribution by identifying previously undetected threats through behavioral analysis.
Capabilities
| Capability | Description |
|---|
| Behavioral fingerprinting | Generates 100+ address-level features capturing payment patterns, timing behaviors, and counterparty interactions |
| Pattern recognition | Classifiers trained on verified malicious addresses to recognize behavioral signatures |
| Ensemble classification | Multiple ML models combined to improve accuracy and reduce false positives |
maliciousAddressesFound array in API responses includes both ML-flagged and traditionally attributed addresses.
Verified Non-Malicious Addresses
Range maintains a database of verified non-malicious addresses to prevent false positives. This includes:
- System programs - Core blockchain infrastructure (e.g., Solana Token Program, System Program)
- Major exchanges - Verified exchange deposit and withdrawal addresses
- Verified protocols - Established DeFi protocols and their program addresses
When an address is in this database, it receives the minimum risk score (1) regardless of its proximity to malicious addresses. The attribution field in API responses provides transparency about this override. See Understanding Risk Scores for details.
Data Freshness
| Data Source | Ingestion Latency | Cross-Chain Propagation |
|---|
| Sanctions lists | Within 1 hour of publication | Instant — related addresses across all chains are flagged immediately |
| Stablecoin issuer blacklists | Instant — monitored via on-chain events in real-time | Instant — cross-chain associated addresses are propagated immediately |
| Threat intelligence | Minutes to hours, depending on data confirmation | Instant once confirmed |
| ML model updates | Continuous — models run on live transaction data | N/A — models are network-aware |
blacklist and unblacklist) are detected in real-time as they are emitted on-chain. Associated addresses on other chains are propagated instantly.
Threat intelligence ingestion timelines vary depending on the source and the level of verification required. Confirmed exploit addresses are typically ingested within minutes. Reports requiring additional investigation (e.g., community-submitted scam reports) may take hours as the research team validates the data before it enters the scoring pipeline.
Coverage Requests
If you have intelligence about malicious addresses or need coverage for specific threat categories, contact us. We continuously expand our data sources based on customer needs and emerging threats. Last modified on March 2, 2026
