How to AML-check a crypto wallet address in 2026: 18 risk factors explained
An AML check on a wallet address tells you whether that address has touched dirty funds before you ever interact with it. The check reads on-chain history, cross-references sanctions lists, and looks for ties to hacks, scams, mixers, and ransomware payouts. You get a verdict in seconds, before money moves.

Original analysis, verified sources, real-world experience
You need this if you sell crypto on P2P, run an OTC desk, freelance for clients paying in stablecoins, or simply deposit to a centralized exchange. Anyone receiving USDT, USDC, BTC, or ETH from a counterparty they did not personally vet is one bad transaction away from a frozen account. We built our free tool at coinmagnetic.com because we got tired of seeing users lose access to funds over receiving tainted coins they had no way to detect.
Why exchanges freeze deposits without warning
Major exchanges run their own AML engines on every incoming deposit. Binance, Bybit, OKX, Coinbase, and Kraken all subscribe to chain analytics providers (Chainalysis, TRM Labs, Elliptic) and compare incoming transactions against sanctions and risk databases. If your deposit touches an OFAC-sanctioned address within one or two hops, your funds get flagged. The account gets locked. Support asks for a source-of-funds declaration with documents you may not have.
We have seen this happen to users who did nothing wrong. A P2P seller in Turkey accepted USDT from a buyer whose previous wallet had passed through Tornado Cash six months earlier. The exchange froze 4,200 USDT. The seller spent five weeks providing screenshots, KYC documents, and a written explanation before getting partial access back. Another user received 0.3 BTC from a client; the coins had been mixed via a sanctioned service two hops back. Funds gone, account locked, no recovery. AML-checking the wallet before accepting the transfer would have caught both cases in under ten seconds.
How to run the check using our tool
Open https://coinmagnetic.com/en/tools/aml-check. Three steps:
- Paste the wallet address you want to verify. The tool auto-detects which blockchain it belongs to.
- Click Check. The query takes 3 to 8 seconds.
- Read the result. You see a score from 0 to 100, the matched risk factors, and a recommendation.
The tool covers 12 chains: Ethereum, BNB Chain, Polygon, Arbitrum, Avalanche, Base, Optimism, zkSync Era, Scroll, Linea, Solana, and Tron. That covers roughly 95 percent of stablecoin and altcoin transfer volume in 2026.
Score bands:
- 70 to 100: clean. Safe to transact, no flagged history.
- 31 to 69: medium risk. One or two soft flags. Worth investigating before large transfers.
- 0 to 30: critical. Do not accept funds from this address. Walk away.
No login, no wallet connection, no logging of the queries you run.
The 18 risk factors, explained
The score is built from 18 distinct risk signals provided by GoPlus Security and Chainalysis. We weight them by severity. Here is what each one means and why it matters.
Severe (weight 7 to 10)
OFAC sanctions (weight 10). The address is on the US Treasury sanctions list, or has direct exposure to one. This includes North Korean Lazarus Group wallets, Iranian state actors, Russian oligarch sanctioned addresses, and individuals listed under SDN. Any contact pulls your transaction into a compliance review at every major exchange. There is no recovery path, just freeze and forfeiture risk. We had a user receive 800 USDT that had touched a Garantex-related address two transactions back. Exchange flagged it on deposit.
Cybercrime (weight 8). Address has confirmed links to ransomware operations, DDoS extortion, banking trojans, or stolen credentials marketplaces. Recent examples include addresses tied to LockBit affiliate payments and BlackCat ransomware proceeds.
Money laundering (weight 8). The wallet has been used to layer or structure funds in a way typical of laundering, often through shell tokens, repeated small transfers, or chain-hopping. This signal triggers regardless of the original source.
Darkweb transactions (weight 7). Wallet has interacted with darknet markets (Hydra successors, drug marketplaces, stolen card forums) or escrow services running on Tor. Even a single confirmed darkweb tie is enough to flag.
Theft and hacking (weight 7). The address received or distributed funds from a confirmed exploit. Examples in 2026 alone: the Bybit cold wallet theft, the FTX bankruptcy estate breach, several DeFi protocol drains. Coins from these wallets are tracked for years.
Financial crime (weight 7). Catch-all for confirmed fraud: rug pulls, Ponzi structures, fake investment platforms, unauthorized payment processors. Often overlaps with money-laundering signals.
High (weight 6)
Blackmail and extortion (weight 6). Wallet is associated with sextortion campaigns, ransomware-as-a-service operators, or business email compromise extortion. These are usually fresh wallets that received one or two payments and dumped fast.
Malicious contracts (weight 6). The address either deployed or interacted heavily with smart contracts flagged for backdoors, owner-drain functions, or unauthorized mint capability. Common in scam tokens and fake liquidity pools.
Phishing (weight 6). Wallet has drained funds through fake airdrop pages, fake exchange interfaces, malicious browser extensions, or address-poisoning attacks. Wallet drainers like Inferno, Angel, and their forks generate dozens of new phishing wallets per day.
Mixer usage (weight 6). The address sent or received funds via Tornado Cash, Wasabi CoinJoin, Samourai Whirlpool, or chain-specific privacy tools. We cover this in detail in the section below because the signal needs context.
Medium (weight 4 to 5)
Honeypot (weight 5). Address is linked to honeypot token contracts where buyers can purchase but cannot sell. Common scam pattern. If a wallet is a known honeypot deployer or beneficiary, treat it as adversarial.
Fake KYC (weight 4). Wallet was used by services selling stolen or AI-generated identity documents for KYC bypass. Suggests the operator is helping others evade controls.
Malicious mining (weight 4). Address received proceeds from cryptojacking malware or unauthorized mining on compromised servers. Lower severity but still a clear taint.
Blacklist suspicion (weight 4). The address is on a watchlist maintained by stablecoin issuers (Tether, Circle) or aggregator databases, but not yet frozen. Often a precursor to formal blacklisting.
Low (weight 2 to 3)
Fake interface (weight 3). Wallet deployed or hosted UIs impersonating legitimate dApps.
Fake token (weight 3). Address created or distributed tokens that copy the name and ticker of established projects.
Gas abuse (weight 2). Pattern of spam transactions used to exhaust target wallets or congest networks.
Reinitialization risk (weight 2). Address shows patterns associated with contract reinitialization exploits.
False positives: when good wallets look bad
Not every flagged address is actually dirty. Four common false-positive patterns we see in our tool's output:
Bridge contracts. Cross-chain bridges (Stargate, Across, deBridge, LayerZero relays) handle volumes from every kind of user, including sanctioned ones. Bridge router addresses themselves sometimes carry medium scores even though using them is normal. Verify the score belongs to a user wallet, not a bridge router. Compare against the bridge's official contract list before rejecting.
Fresh exchange hot wallets. When a centralized exchange rotates a hot wallet, the new address may not yet have history that pulls it down, or it may inherit flags from prior aggregation patterns. Check whether the address belongs to a known exchange before treating a flag as fatal.
DEX aggregator routing. Addresses that interact with 1inch, ParaSwap, Matcha, or CoW Protocol often touch large numbers of counterparties including occasional flagged ones. A single hop through a DEX aggregator does not poison the wallet unless the user's own funds are tied to confirmed bad activity.
Legitimate mixer use cases. Privacy is not a crime in many jurisdictions. A wallet that interacted with Tornado Cash before its 2022 sanctioning may carry a flag even though the user's intent was lawful. Context matters.
If our tool returns medium risk (31 to 69) and the counterparty insists the funds are clean, ask for the transaction graph. Have them show the chain of incoming transactions for the last 90 days. If they cannot or will not, treat the score as the answer.
Tornado Cash and Lazarus Group: why mixer interaction is flagged
Tornado Cash was sanctioned by OFAC in August 2022. The sanctions covered specific contract addresses, not the concept of privacy. Funds entering or leaving those contracts after the sanction date are considered sanctioned-touched by every major chain analytics provider. Exchanges enforce this strictly.
North Korea attribution is methodologically narrow but reliable. Chainalysis and TRM Labs cluster Lazarus Group wallets based on:
- Repeated patterns of cross-chain swaps through specific bridge routes
- Timing correlations with confirmed Lazarus operations (Ronin Bridge, Atomic Wallet, WazirX)
- On-chain ties to wallets used in known DPRK weapons-procurement transactions
When our tool flags a wallet with Lazarus exposure, the link is usually within two or three hops of a confirmed DPRK address. That is the threshold most exchange AML teams use. Intent does not matter. If your USDT moved through a wallet that moved through a Lazarus wallet, that is enough for a freeze.
Privacy of the query
We do not log the addresses you check. We do not link queries to any account. We do not share queries with third parties. Each lookup goes to GoPlus and Chainalysis APIs, results return to your browser, nothing persists on our servers.
When to walk away from a counterparty
Practical rules of thumb for P2P sellers and OTC operators based on what we have seen work:
- Critical score (0 to 30): no transaction. Walk away even if the counterparty offers a premium. The risk of frozen funds outweighs any margin.
- Medium score (31 to 69): ask questions. Where did the funds originate? Can the counterparty provide proof of source? If the answer is vague or aggressive, walk.
- Clean score (70 to 100): proceed with normal caution. Still confirm the receiving exchange has not changed deposit rules.
- Always check the address right before the transfer, not the day before. Address reputations can shift within hours after a new hack or exploit gets attributed.
- For amounts above 5,000 USD equivalent, run the check on the sender's address even if they are someone you have transacted with before.
Conclusion
Our AML-check tool is at https://coinmagnetic.com/en/tools/aml-check. Free, no signup, no log. Twelve chains, 18 risk factors, 0 to 100 score. Run it before every P2P trade, every OTC settlement, every large deposit. Ten seconds of checking saves weeks of frozen-account recovery.
This article is for educational purposes and is not investment advice. Cryptocurrencies carry high risk. Only trade with funds you can afford to lose.
CoinMagnetic Team
Crypto investors since 2017. We trade with our own money and test every exchange ourselves.
Updated: May 2026
Follow our analysis on Telegram
We publish analysis, digests and forecasts on our Telegram channel.
Follow the channel


