ClearChain analyzes crypto wallets for financial risk. This page explains exactly what each score, signal, and flag means — in plain English, no finance background required.
Every wallet gets a score from 0 to 100. The score is based on six signals — each one weighted by how serious it is. Here's what each signal means and how many points it can add.
OFAC (the US Treasury) publishes a list of wallets linked to sanctioned individuals, criminal organizations, and foreign governments. If a wallet appears on this list, transacting with it may be illegal — regardless of whether you knew.
Crypto mixers (like Tornado Cash) are services designed to break the link between a sending and receiving wallet. They're used to obscure where money came from. The US government has sanctioned Tornado Cash. Any wallet that has deposited into or withdrawn from a mixer raises serious red flags.
If a wallet receives a large sum and immediately sends most of it out to another wallet (and repeats this multiple times in a short window), that's a pattern associated with "layering" — a technique used to make dirty money harder to trace. Note: this signal only counts if the wallet also has a sanctions or mixer flag, so normal high-volume wallets like exchanges don't get penalized.
Even if a wallet isn't directly flagged, who it's been transacting with matters. If one of its counterparties is a sanctioned address, a mixer, or a labeled scam wallet, that connection is a risk signal — similar to how a bank would flag transactions with known fraudulent accounts.
A brand new wallet handling hundreds of thousands of dollars in crypto without any other history is worth a second look. It could be legitimate, but it's a signal worth noting — especially if combined with other flags.
The crypto community maintains open-source databases of wallets known to be involved in scams, phishing attacks, rug pulls, and exploits. If a wallet or anyone it's transacted with shows up in these lists, it's flagged here.
The "Rapid Fund Movement" signal only activates if the wallet also has a sanctions flag or mixer interaction. This is intentional — exchanges and DeFi protocols move huge amounts of crypto quickly by design. Without this rule, they'd all score HIGH unfairly.
Rapid fund movement only fires alongside sanctions or mixer flags. Exchange hot wallets and DeFi protocols move large amounts quickly by design — without this gate, they'd all score HIGH incorrectly.
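The gating rule described above, as an added example (not ClearChain's own code). The `Transfer` record, the function names, and every threshold are assumptions made for illustration; the page does not publish numeric values.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    ts: int         # unix seconds
    direction: str  # "in" or "out"
    amount: float   # ETH

# Assumed thresholds: the page gives no numeric values for these.
LARGE_IN = 50.0       # a "large sum"
FORWARD_RATIO = 0.9   # "most of it" leaves again
WINDOW_S = 3600       # "immediately" = within one hour
MIN_REPEATS = 3       # "repeats this multiple times"

def pass_through_count(transfers):
    """Count large inflows whose funds mostly leave again inside the window."""
    txs = sorted(transfers, key=lambda t: t.ts)
    count = 0
    for i, t in enumerate(txs):
        if t.direction != "in" or t.amount < LARGE_IN:
            continue
        sent = sum(o.amount for o in txs[i + 1:]
                   if o.direction == "out" and o.ts - t.ts <= WINDOW_S)
        if sent >= FORWARD_RATIO * t.amount:
            count += 1
    return count

def rapid_movement_signal(transfers, sanctions_flag, mixer_flag):
    """The pattern alone is not enough: it counts only with a sanctions or mixer flag."""
    pattern = pass_through_count(transfers) >= MIN_REPEATS
    return pattern and (sanctions_flag or mixer_flag)

# Constructed sample: three receive-then-forward cycles.
SAMPLE = [
    Transfer(0, "in", 100.0), Transfer(600, "out", 98.0),
    Transfer(10_000, "in", 80.0), Transfer(10_300, "out", 79.0),
    Transfer(20_000, "in", 120.0), Transfer(20_900, "out", 115.0),
]

if __name__ == "__main__":
    print(rapid_movement_signal(SAMPLE, False, False))  # same activity, no gate flag
    print(rapid_movement_signal(SAMPLE, False, True))   # same activity plus mixer flag
```

The same transfer history produces a different result depending only on the gate, which is how an exchange hot wallet with no sanctions or mixer flag avoids the signal.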
Known exchanges (Binance, Coinbase), DeFi protocols (Uniswap, Aave), and public wallets (Vitalik Buterin) are pre-labeled so their activity doesn't get misread. If a wallet is Binance's hot wallet, it won't trigger a high-risk counterparty flag just because it moves a lot of ETH.
Every analysis includes a signal simulator — toggle individual risk signals on or off to see exactly what's driving the score. If a wallet scores HIGH primarily because of a single mixer interaction two years ago, you can isolate that and decide whether it warrants escalation. Run an analysis and scroll to the Simulator tab to try it.
Current limitation: mixer and coinjoin signals are binary today — timing, transaction size, and frequency aren't factored into the signal weight yet. This is on the roadmap.
No significant flags detected. This doesn't guarantee the wallet is legitimate — no tool can — but there's nothing in the data that stands out as concerning.
Something minor triggered — an indirect connection to a flagged wallet, or an unusual transaction pattern. Not necessarily a problem, but worth doing a bit more research before transacting.
Multiple risk signals fired, or a serious one like mixer interaction. We'd recommend against transacting with this wallet until you understand what's behind the score.
The wallet is either directly sanctioned by the US government, has direct mixer exposure alongside other flags, or both. Transacting with a sanctioned wallet can have legal consequences. Do not proceed without legal guidance.
Beyond a simple score, ClearChain identifies specific behavioral patterns on-chain. These are based on internationally recognized money laundering techniques published by FATF (the global financial crime watchdog) and FinCEN (US financial intelligence).
These patterns don't automatically mean a wallet is doing something illegal — but they're the same red flags that trained investigators look for.
Instead of sending $10,000 at once (which triggers reporting requirements), someone might send $990 ten times across different wallets. On-chain, this shows up as many transactions clustered just below round-number thresholds. This practice is illegal under US law regardless of whether the underlying funds are legitimate.
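One way to look for transactions clustered just below round-number thresholds, as an added example (not ClearChain's own code). The threshold list, the 5% band, the 24-hour window, the minimum cluster size, and the function names are all assumptions; the sample reuses the page's ten transfers of $990.

```python
# Assumed parameters: the page does not state how "just below" or "many" are measured.
ROUND_THRESHOLDS = (1_000, 10_000)  # round-number USD thresholds to test
BAND = 0.05                         # "just below" = within 5% under the threshold
WINDOW_S = 24 * 3600                # transfers must fall inside one 24-hour window
MIN_CLUSTER = 5                     # "many" transactions

def structuring_clusters(transfers):
    """transfers: list of (unix_ts, usd_amount).
    Returns {threshold: size of the largest just-below cluster inside the window}."""
    result = {}
    for limit in ROUND_THRESHOLDS:
        times = sorted(ts for ts, usd in transfers
                       if limit * (1 - BAND) <= usd < limit)
        best, lo = 0, 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > WINDOW_S:
                lo += 1
            best = max(best, hi - lo + 1)
        result[limit] = best
    return result

def structuring_flag(transfers):
    """True when any threshold has a cluster of at least MIN_CLUSTER transfers."""
    return any(n >= MIN_CLUSTER for n in structuring_clusters(transfers).values())

# Constructed sample: ten $990 transfers 30 minutes apart, plus unrelated activity.
SAMPLE = [(i * 1800, 990.0) for i in range(10)] + [(5_000, 250.0), (7_000, 12_400.0)]

# Constructed sample: an ordinary wallet with a single near-threshold payment.
ORDINARY = [(0, 120.0), (86_400, 990.0), (864_000, 4_300.0)]

if __name__ == "__main__":
    print(structuring_clusters(SAMPLE), structuring_flag(SAMPLE))
    print(structuring_clusters(ORDINARY), structuring_flag(ORDINARY))
```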
Crypto mixers pool deposits from many users and send back equivalent amounts from different wallets — making it nearly impossible to trace where the money originally came from. Tornado Cash, the most well-known Ethereum mixer, was sanctioned by the US government in 2022 for laundering over $7 billion.
Money moves through a chain of wallets — each one immediately forwarding almost all of the received funds to the next — before reaching its final destination. The intermediate wallets are typically burner addresses used only once. This mirrors a technique called "wire stripping" in traditional banking fraud.
By rapidly swapping ETH → USDC → WBTC → DAI across decentralized exchanges (which don't require identity verification), the trail of funds gets increasingly difficult to follow. Each swap changes the asset, the contract, and the counterparties involved.
Proceeds from a hack or scam are often split across dozens of wallets first (to avoid detection), then gradually consolidated back into one wallet before being cashed out. This pattern — many inputs, one output, followed by a large outbound transfer — is a classic integration-phase indicator.
Each wallet in the chain receives funds and sends most of it on, keeping a small "peel." The wallets are all new and used only once. This technique is common in ransomware payment processing and crypto exchange hacks — it makes the total amount being laundered hard to see and trace.
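The forwarding chain and peel pattern described in the two paragraphs above can be followed hop by hop. This is an added example, not ClearChain's own code; the edge-list format, the function names, the 90% forwarding ratio, and the minimum hop count are assumptions.

```python
from collections import defaultdict

FORWARD_RATIO = 0.90  # assumed: "most of it" is sent on
MIN_HOPS = 3          # assumed: intermediate wallets needed before reporting a chain

def trace_peel_chain(transfers, start):
    """transfers: list of (src, dst, amount). Follow single-use wallets that forward
    most of what they received. Returns (path, total amount kept back as peels)."""
    outs, ins = defaultdict(list), defaultdict(list)
    for src, dst, amt in transfers:
        outs[src].append((dst, amt))
        ins[dst].append((src, amt))
    path, peeled = [start], 0.0
    if len(outs[start]) != 1:          # a wallet paying many parties is not a chain head
        return path, peeled
    wallet, received = outs[start][0]
    while wallet not in path:          # stop on a loop
        path.append(wallet)
        single_use = len(ins[wallet]) == 1 and len(outs[wallet]) == 1
        if not single_use:
            break                      # reached a wallet with other history
        nxt, sent = outs[wallet][0]
        if sent < FORWARD_RATIO * received:
            break                      # kept too much to count as a peel
        peeled += received - sent
        wallet, received = nxt, sent
    return path, round(peeled, 8)

def looks_like_peel_chain(transfers, start):
    path, _ = trace_peel_chain(transfers, start)
    return len(path[1:-1]) >= MIN_HOPS  # wallets between the source and the endpoint

# Constructed sample: four single-use wallets, each keeping a small peel.
SAMPLE = [
    ("src", "w1", 100.0), ("w1", "w2", 97.0), ("w2", "w3", 94.5),
    ("w3", "w4", 92.0), ("w4", "cashout", 90.0), ("other", "cashout", 5.0),
]

if __name__ == "__main__":
    print(trace_peel_chain(SAMPLE, "src"))
    print(looks_like_peel_chain(SAMPLE, "src"))
```

The second return value is the sum of the peels, which gives the total amount shaved off along the chain that is otherwise hard to see from any single hop.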
A wallet that's only a few days old moving hundreds of thousands in crypto is worth flagging for a closer look. There may be a legitimate explanation — but it should be documented, especially if combined with any of the above patterns.
When you look up a wallet, ClearChain doesn't just check if it's on a government blacklist — it also tries to tell you who it belongs to. Is it a known exchange? A DeFi protocol? A wallet that's been reported for phishing?
ClearChain cross-references every wallet and its counterparties against a database of 17,000+ labeled addresses, sourced from the open-source community and our own curated list.
Major crypto exchanges (Binance, Coinbase, Kraken) and DeFi protocols (Uniswap, Aave, Curve) are labeled so their activity doesn’t get misread as suspicious.
Wallets linked to phishing attacks, rug pulls, and exploit drains are flagged with a “Flagged:” label. If a wallet you’re checking has transacted with one of these, it shows up as a High-Risk Counterparty signal.
Well-known public addresses — Vitalik Buterin, major DAOs, foundation wallets — are labeled so they score correctly. Vitalik’s wallet moves large amounts of ETH but should never score HIGH.
OFAC-designated wallets (Tornado Cash contracts, Lazarus Group, Garantex) are in both the sanctions list AND the label database, so they surface in analysis even when encountered as counterparties.
Label coverage is continuously improving. All sources are open — if you find a mislabeled address, open an issue on GitHub.
Every piece of data ClearChain uses is from a public, verifiable source. No black-box threat databases. No proprietary scores you can't trace back.
This means if a wallet gets flagged, you can go check the source yourself.
The official US government list of sanctioned individuals, companies, and crypto wallet addresses. ClearChain checks every wallet against this list in real time. The list covers ETH, BTC, TRX, and SOL addresses and is refreshed continuously in the background.
ClearChain uses Alchemy to retrieve live on-chain data: full transaction history, token transfers, wallet balances, and ENS name resolution (e.g. vitalik.eth → its address). Alchemy supports all four chains ClearChain covers: Ethereum, Bitcoin, Tron, and Solana.
A publicly maintained database of labeled Ethereum addresses — covering scams, phishing wallets, known protocols, exchanges, and more. Integrated into ClearChain to catch community-flagged addresses that may not appear on official government lists.
A curated list of well-known addresses with verified labels: Tornado Cash contracts, Lazarus Group wallets (linked to North Korea), major exchange hot wallets (Binance, Coinbase), and notable public addresses. All labels are publicly verifiable — nothing is hidden.
A SAR (Suspicious Activity Report) is an official document that financial institutions are required to file with the US government when they detect potential money laundering or financial crime.
ClearChain automatically generates a SAR draft — a pre-filled starting point that a compliance professional can review, edit, and submit. Think of it as a first pass, written by AI, based on everything found in the analysis.
ClearChain fetches live on-chain data, checks against the OFAC list, calculates the risk score, and identifies any suspicious patterns.
Claude (Anthropic's AI model) takes all the findings and writes a structured, plain-English report covering what was found and why it's concerning.
It includes the wallet address and chain, a risk summary, a description of the suspicious activity, and a recommended action (file a SAR, do more research, or clear the wallet).
The draft downloads as a .txt file. A compliance team can then edit it, add their own context, and file it through the official government system.
SAR drafts generated by ClearChain are a starting point — not a finished, legally compliant filing. All drafts should be reviewed and validated by a qualified compliance professional before submission. ClearChain does not provide legal or regulatory advice. If a SAR needs to be filed, it must be submitted through the official FinCEN BSA E-Filing system at bsaefiling.fincen.treas.gov. FinCEN requires SARs to be filed within 30 days of detecting suspicious activity.