Drawing Paths to Risk Sources in the AML Platform


When generating Risk Reports, Coinfirm’s AML Platform checks over 270 algorithms and risk analysis scenarios. Some are direct risks (such as addresses belonging to a hacker or addresses present on sanction lists) and some are indirect.

What are Indirect Risks?

These indirect risks appear when blockchain addresses that Coinfirm is investigating have transactions with other addresses that are directly involved in illicit activities. When generating Risk Reports on the AML Platform, users can often find indicators such as:

  • Address with significant part of incoming transactions in close proximity to addresses related to drugs trade
  • Address with part of incoming transactions in close proximity to addresses found on deep web
  • Address with part of outgoing transactions in close proximity to obliged service with limited KYC process

These kinds of red flags generally have 3 levels of importance:

  1. Address with a “significant part” of transactions… – when illicit-tainted funds are over 30% of all incoming values (raises C-score considerably)
  2. Address with a “part” of transactions… – when illicit-tainted funds are less than 30% but more than 1% of incoming values (raises C-score marginally)
  3. Address with “dust funds tainted”… – when illicit-tainted funds are less than 1% of incoming values (no change to C-score)

In the above examples, the analyzed addresses themselves may not be malicious but have been interacting – whether knowingly or unknowingly – with criminal actors. The question then is: which addresses have been interacting with those analyzed? Where does the risk indicator come from?

So, Where Does the Risk Come From?

To allow clients and partners to a) submit more detailed Suspicious Activity Reports (SARs) to regulators, b) more easily mark malicious addresses for the purpose of automatic blacklisting and c) carry out their own investigations on the blockchain, Coinfirm’s product development team has built a brand new feature, Risk Source, into the AML Platform.

The Risk Source feature allows users of the AML Platform to view the exact source of the risk for deeper analysis, giving a bird’s-eye view for efficient risk management.


As shown above, a user can understand:

  • From which address was the illicit-tainted money transferred?
  • How much dirty money was received?
  • How far away was the suspicious address (in “hops” – how many transfers were needed in a row)?

This works both for incoming transactions (receiving money from hackers, scammers etc.) and for outgoing transactions (e.g. sending money to terrorists or to sanctioned subjects).
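The three answers listed above (source address, tainted amount, hops) and the 30% / 1% red-flag levels can be sketched for the incoming direction as follows; this is an added illustration, not Coinfirm's code. The page does not say how the platform computes taint, so the bottleneck rule, the sample transfers, the boundary handling and all function names are assumptions.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount); not real data.
TRANSFERS = [("hacker", "mixer_in", 50.0), ("mixer_in", "relay", 40.0),
             ("relay", "target", 35.0), ("exchange", "target", 60.0),
             ("darknet", "target", 0.5), ("salary", "target", 4.5)]
FLAGGED = {"hacker", "darknet"}  # constructed set of directly risky addresses


def risk_sources(target, transfers, flagged, max_hops=5):
    """Walk incoming transfers backwards from `target`, breadth-first.

    Returns {flagged_address: (tainted_amount, hops)}.
    Assumptions: tainted value on a path is capped by the smallest transfer
    on it, and each address is visited once (shortest path wins).
    """
    incoming = defaultdict(list)
    for sender, receiver, amount in transfers:
        incoming[receiver].append((sender, amount))
    found, seen = {}, {target}
    frontier = [(target, float("inf"))]
    for hops in range(1, max_hops + 1):
        next_frontier = []
        for node, cap in frontier:
            for sender, amount in incoming[node]:
                if sender in seen:
                    continue
                seen.add(sender)
                flow = min(cap, amount)
                if sender in flagged:
                    found[sender] = (flow, hops)  # risk source: stop here
                else:
                    next_frontier.append((sender, flow))
        frontier = next_frontier
    return found


def red_flag_level(target, transfers, flagged):
    """Map the tainted share of incoming value to the page's three levels."""
    total_in = sum(a for _, r, a in transfers if r == target)
    tainted = sum(a for a, _ in risk_sources(target, transfers, flagged).values())
    share = tainted / total_in if total_in else 0.0
    if share > 0.30:   # exactly 30% or 1% is not defined on the page;
        return share, "significant part"
    if share > 0.01:   # the lower level is assumed at each boundary
        return share, "part"
    return share, "dust funds tainted"
```
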

Picture is Worth 1000 Words

What’s even cooler – and kudos to our brilliant dev team on this – is that users can actually view the graph demonstrating how the money was transferred.

Sometimes the flow of funds is quite simple:

But sometimes it can be quite sophisticated:


If the user of the AML Platform needs to perform their own analysis, the CSV file with complete transaction data can be downloaded right away.

Crucially, the graph and analysis are done in a fully automated way and require zero assistance from the user, allowing our partners and clients to get the results within mere seconds. Happy hunting!