Range’s risk scoring engine combines multiple data sources and analytical techniques to produce actionable risk intelligence. This guide explains the methodology behind our risk assessments and how to interpret scores across different endpoints.
Scoring Scales
Different endpoints use different scoring scales depending on the type of assessment:
| Endpoint | Scale | Levels |
|---|
| Address Risk Score | 1–10 (numeric) | Very low risk (1) → CRITICAL RISK (10) |
| Token Risk Assessment | 0–100% (percentage) | LOW (<30%), MEDIUM (30–60%), HIGH (≥60%) |
| Payment Risk Assessment | Categorical | low, medium, high, unknown |
| Sanctions & Blacklist | Boolean | is_token_blacklisted, is_ofac_sanctioned |
Core Methodology
Network Proximity Analysis
Our risk assessment leverages peer-reviewed research establishing that legitimate and malicious blockchain activity exhibit distinguishable network patterns. The approach is grounded in three empirically-validated behavioral characteristics:
- Clustering behavior - Malicious actors demonstrate clustering through coordinated operations, shared infrastructure, or interconnected money laundering chains
- Transactional proximity - Direct transactional relationships with malicious addresses correlate with elevated risk profiles
- Exchange distance - Legitimate users maintain significantly shorter network distances to regulated cryptocurrency exchanges
Empirical analysis of the Ethereum blockchain substantiates these patterns: 56% of high-value USDC wallets maintain direct links to regulated exchanges, while 83% of confirmed exploiter addresses operate at greater distances from these entities (Liao et al., 2025).
Machine Learning Enhancement
Our ML algorithms enhance traditional address matching by learning behavioral patterns from known malicious addresses:
- Behavioral Fingerprinting - Analyzing transaction history to generate 100+ address-level features that capture payment patterns, timing behaviors, and counterparty interactions
- Pattern Recognition - Training classifiers to recognize behavioral patterns that distinguish malicious actors from legitimate users
- Ensemble Classification - Combining multiple ML models to improve accuracy in identifying potentially malicious addresses
Addresses flagged by ML models are treated the same as those from traditional attribution sources.
Threat Intelligence
Our attribution dataset provides off-chain information from multiple sources including internal research, community reports, government sanctions lists, partnerships with security companies, and other public/private sources. This includes:
- Confirmed malicious addresses from threat intelligence feeds
- OFAC, EU, UK, and UN sanctions lists
- Confirmed exploits, scams, and phishing attacks
- Verified non-malicious addresses (system programs, protocols, exchanges)
Attribution Override
Known non-malicious addresses (system programs like Token Program, verified protocols, major exchanges) receive the minimum risk score regardless of proximity to malicious addresses. This prevents false positives where legitimate infrastructure appears risky due to high transaction volumes. The attribution field in API responses provides transparency about this override.
Address Risk Scoring (1–10 Scale)
The Address Risk Score endpoint computes risk using:
- Attribution override - Known non-malicious addresses receive score 1 regardless of proximity
- Direct maliciousness - Flagged addresses receive score 10
- Hop distance - Shortest path to any malicious address (fewer hops = higher risk)
- Hit count - Total malicious addresses found on shortest and near-shortest paths
| Score | Risk Level | Typical Situation |
|---|
| 10 | CRITICAL RISK (directly malicious) | Address itself is flagged (0 hops) |
| 9–8 | Extremely high risk | 1 hop from malicious; ≥3 hits → 9, otherwise 8 |
| 7–6 | High risk | 2 hops; ≥3 hits → 7, otherwise 6 |
| 5–4 | Medium risk | 3 hops; ≥3 hits → 5, otherwise 4 |
| 3–2 | Low risk | 4 hops; ≥3 hits → 3, otherwise 2 |
| 1 | Very low risk | ≥5 hops OR known attributed non-malicious address |
Token Risk Scoring (Percentage Scale)
The Token Risk Assessment evaluates up to 17 independent risk factors across 5 categories. Each factor scores:
- LOW = 0 points
- MEDIUM = 1 point
- HIGH = 2 points
The risk percentage is: (total_score / max_possible_score) × 100
| Classification | Threshold |
|---|
| HIGH RISK | ≥60% of maximum possible score |
| MEDIUM RISK | ≥30% but <60% |
| LOW RISK | <30% |
Token Risk Factor Summary
| Factor | Category | HIGH | MEDIUM | LOW |
|---|
| Circulating Supply Ratio | Authority & Control | <80% | 80–95% | >95% |
| Freeze Authority | Authority & Control | Present | - | Absent/Disabled |
| Mint Authority | Authority & Control | Present | - | Absent/Disabled |
| Market Capitalization | Market Structure | <$1M | 1M–100M | >$100M |
| Token Verification | Market Structure | Unverified | - | Verified |
| Liquidity | Market Structure | <$10K | 10K–100K | >$100K |
| Holder Count | Market Structure | <100 | 100–1000 | >1000 |
| Top Holder Concentration | Market Structure | >90% | 80–90% | <80% |
| Price Volatility | Trading Patterns | >50% | 20–50% | <20% |
| Wash Trading | Trading Patterns | Suspicious ≥2 TF | - | Normal |
| Organic Activity | Trading Patterns | Low | Medium | High |
| Developer Migrations | Platform & Social | ≥5 | 2–4 | <2 |
| Exchange Listings | Platform & Social | No listings | <3/no major | Major exchanges |
| Launchpad Platform | Platform & Social | High-risk (pump.fun) | - | Other platforms |
| Social Media Presence | Platform & Social | No presence | - | Active presence |
| Token Age | Temporal | <7 days | 7–30 days | >30 days |
| Graduation Status | Temporal | - | <7 days | >7 days/N/A |
Payment Risk Scoring (Maximum Risk Approach)
The Payment Risk Assessment runs up to 8 independent assessments. The overall risk level uses a maximum risk approach: if any individual factor returns “high”, the overall risk is “high”.
| Assessment | What It Checks |
|---|
| New Wallet Detection | Recipient transaction history |
| Dormant Wallet Detection | Recipient inactivity (>180 days) |
| Address Poisoning Detection | Poison address pattern matching |
| Interaction History | Previous sender-recipient relationship |
| Malicious Connection Analysis | ML-powered proximity to malicious addresses |
| Attributed Address Check | Known entity database lookup |
| Token Risk (Solana) | Token-specific risk factors |
| Cross-Chain Support | Appropriate index selection for cross-chain payments |
Best Practices for Acting on Risk Scores
- Don’t rely on a single endpoint. For high-value transactions, combine Address Risk Score with Payment Risk Assessment and Sanctions Check for comprehensive coverage.
- Calibrate thresholds to your use case. A consumer wallet may block at score 6; an exchange compliance system may flag at score 3 for manual review.
- Check the
reasoning field. Risk scores are more useful when combined with the human-readable explanation of why the score was assigned.
- Handle “unknown” gracefully. Payment Risk returns
"unknown" for unsupported networks. This doesn’t mean safe - it means insufficient data.
- Cache cautiously. Risk scores can change as new threat intelligence is incorporated. For compliance-critical flows, query in real-time.
- Display context to end users. Show
riskLevel and reasoning (not just the numeric score) for transparency.
Last modified on March 2, 2026
