Get Address Risk Score
Risk Endpoints
Address Risk Score
Returns the risk score for a specific blockchain address based on network proximity analysis, machine learning, and behavioral pattern recognition.
GET
Get Address Risk Score
Returns a risk score (1–10) for a blockchain address based on its proximity to known malicious actors, ML-based behavioral analysis, and threat intelligence data. See Understanding Risk Scores for methodology details.
EVM Chains
Other
Cosmos Ecosystem
Where “hits” refers to the number of malicious addresses found along the relevant paths. Risk analysis examines paths up to 5 hops from the input address.
This endpoint includes sanctions and blacklist screening. You do not need to call the Sanctions & Blacklist Check separately — addresses flagged by OFAC or stablecoin issuer blacklists are already factored into the risk score.For payment flows where you need to assess both sender and recipient in the context of a transaction, use the Payment Risk Assessment instead. It includes everything this endpoint does, plus additional payment-specific checks: new wallet detection, dormant wallet detection, address poisoning detection, interaction history between sender and recipient, token risk assessment, and cross-chain analysis.
Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
address | string | Yes | The blockchain address to assess. |
network | string | Yes | Blockchain network identifier. Must match the address format. See Supported Chains for the full list. |
Supported Networks
The following 27 networks are fully supported with complete transaction graph analysis and proximity scoring: Solana| Network | Identifier |
|---|---|
| Solana | solana |
| Network | Identifier |
|---|---|
| Ethereum Mainnet | eth |
| Optimism Mainnet | oeth |
| BNB Smart Chain | bnb |
| Polygon Mainnet | pol |
| Polygon zkEVM | zkevm |
| Moonbeam | moonbeam |
| Base | base |
| Arbitrum One | arb1 |
| Celo Mainnet | celo |
| Avalanche C-Chain | avax |
| Network | Identifier |
|---|---|
| Stellar | stellar |
| Bitcoin Mainnet | bitcoin |
| Tron | tron |
| Network | Identifier |
|---|---|
| Celestia | celestia |
| Osmosis | osmosis-1 |
| Cosmos Hub | cosmoshub-4 |
| dYdX Mainnet | dydx-mainnet-1 |
| Neutron | neutron-1 |
| Dymension | dymension_1100-1 |
| Agoric | agoric-3 |
| Mantra | mantra-1 |
| Stride | stride-1 |
| PIO Mainnet | pio-mainnet-1 |
| Noble | noble-1 |
| ZigChain | zigchain-1 |
| Union | union-1 |
Partial Network Support
Partial Network Support
Other networks may yield results in two scenarios:
- Direct Attribution — When we have direct attribution data for an address on that network (e.g., a known malicious contract address)
- Cross-Chain Propagation — When malicious activity propagates through inter-chain bridges or cross-chain transactions
Response Schema
| Field | Type | Description |
|---|---|---|
riskScore | number (1–10) | Numerical risk value. Higher scores indicate greater risk. |
riskLevel | string | Human-readable risk description aligned to the score. |
numHops | integer (≥0) | Minimum token-transfer steps to any known malicious address. 0 means the address itself is malicious. |
maliciousAddressesFound | array | Evidence used in scoring (see below). |
reasoning | string | Plain-English explanation of why the score was assigned. |
attribution | object | null | Attribution metadata for known non-malicious addresses. When present, indicates a verified entity with risk override applied. |
Malicious Evidence Object
| Field | Type | Description |
|---|---|---|
address | string | Malicious or ML-flagged address on the path. |
distance | integer (≥0) | Number of hops from the input address. |
name_tag | string | null | Human-readable label describing the activity. |
entity | string | null | Known organization or cluster. |
category | string | Type of malicious activity. |
When
name_tag, entity, or category are blank or null, this indicates either: (1) data from confidential intelligence sources where attribution details cannot be disclosed, or (2) the address was identified through ML models and lacks traditional attribution data. In both cases, the address presents potential risk but detailed attribution may be limited.Attribution Object
When present, indicates the address is a verified non-malicious entity with risk override to score 1.| Field | Type | Description |
|---|---|---|
name_tag | string | Human-readable name (e.g., “Token Program”) |
entity | string | Organization or protocol (e.g., “Solana”) |
category | string | Classification type (e.g., “SYSTEM”) |
address_role | string | Functional role (e.g., “Program”) |
Risk Scoring Logic
| Score | Risk Level | Typical Situation |
|---|---|---|
| 10 | CRITICAL RISK (directly malicious) | Address itself is flagged (0 hops) |
| 9–8 | Extremely high risk | 1 hop from malicious; ≥3 hits → 9, otherwise 8 |
| 7–6 | High risk | 2 hops; ≥3 hits → 7, otherwise 6 |
| 5–4 | Medium risk | 3 hops; ≥3 hits → 5, otherwise 4 |
| 3–2 | Low risk | 4 hops; ≥3 hits → 3, otherwise 2 |
| 1 | Very low risk | ≥5 hops OR known attributed non-malicious address |
Examples
High-Risk Address (Score 10)
Low-Risk Solana Address (Score 1)
System Address with Attribution Override
Celestia Network
Cross-Chain Address
Errors
| HTTP Code | Cause | Recommended Action |
|---|---|---|
| 400 | Missing or invalid address/network | Validate parameters before requesting. |
| 404 | Address/network not found or unsupported | Use a supported network value; ensure address correctness. |
| 429 | Rate limited | Reduce request rate; follow Retry-After header for backoff. |
| 5xx | Server error | Retry after a delay; contact support if persistent. |
Best Practices
- Always provide a
networkvalue consistent with the address format. - Use both
riskScoreandriskLevelin your UI, and displayreasoningas explanatory text. - Check the
attributionfield — when present, it indicates a verified non-malicious address with risk override applied. - When multiple malicious addresses are found, display at least the entry with the smallest
distance. numHopsrepresents the minimum token-transfer distance; greater distances generally reduce risk.
TypeScript Types
TypeScript Types
Authorizations
Use Authorization: Bearer
Query Parameters
Address to search
Network ID of the address. Supports multiple networks including solana, osmosis-1, dydx-mainnet-1, cosmoshub-4, neutron-1, stellar, and others.
Example:
"solana"
Response
200 - application/json
Transactions associated with a specific address. This includes both incoming and outgoing transactions.
Calculated normalized risk score (higher = riskier)
Example:
8
Human readable risk level classification
Available options:
CRITICAL RISK (Directly malicious), Extremely high risk, High risk, Medium risk, Low risk, Very low risk Minimum number of hops to the closest malicious address
List of malicious or related addresses discovered in the path
Explanation of why the risk level/score was assigned
Attribution information for known non-malicious addresses
Last modified on March 2, 2026