ForensicBlock's risk scoring model is designed to be transparent, reproducible, and legally defensible. Every score can be traced back to specific on-chain data and verifiable risk factors.
Model version: v1.7.0 | Last updated: March 2026
The ForensicBlock risk score is a weighted composite of multiple independent risk signals. Each signal is scored individually on a 0–100 scale, then combined using fixed weights to produce a final score between 0 and 100. The model uses no black-box components — every factor, weight, and threshold is documented here.
Each factor contributes proportionally to the final score based on its assigned weight. Weights are normalized so that the available factors always sum to 100% of the score, regardless of which signals are available for a given address.
Verified ground-truth entity match. When an address matches a known entity in our curated database (159+ entities including OFAC SDN, state actors, known hackers), the entity's risk score is used directly. Entity attribution always overrides all other scoring methods. Confidence: ≥99%. False-positive rate: <0.1%.
Data source: ForensicBlock Intelligence Database, OFAC SDN List
Deterministic scoring based on counterparty transaction exposure. For each transaction, the counterparty address is categorized (sanctions, darknet, mixer, fraud, exchange, DeFi, unknown). The risk score is the weighted sum of exposure percentages × category risk weights. Formula: Σ(categoryWeight × exposurePct × confidence), capped at 100. Auto-CRITICAL if any sanctioned exposure detected. False-positive rate: ~5%.
Data source: Graph analysis, pre-computed exposure_analysis, entity database lookups
Risk derived from the full transaction graph traversal — node-level risk aggregation, high-risk path detection, and cluster analysis. Used when exposure analysis data is not yet available or as supplementary context.
Data source: ForensicBlock Graph Engine, Alchemy Asset Transfers API
AI agent-based behavioral scoring — transaction velocity, pattern detection, anomaly analysis. Used as supplementary context when entity and exposure data are unavailable. The MAX of all tiers is used as the final score — behavioral analysis never dilutes a higher-tier score.
Data source: ForensicBlock AI Agent Pipeline (6 agents)
Sanctions/OFAC (weight 1.0), Terrorist Financing (1.0), State Actor (1.0), Darknet Market (0.85), Ransomware (0.85), Stolen Funds (0.85), Mixer/Tumbler (0.80), Fraud/Scam (0.80), Cybercrime (0.80), High-Risk Exchange (0.55), P2P Exchange (0.45), Gambling (0.35), Unregulated Service (0.40), Cross-chain Bridge (0.30), Regulated Exchange (0.05), DeFi Protocol (0.10), NFT Marketplace (0.05), Unknown (0.15).
Data source: lib/risk-categories.ts — FATF typology framework
CRITICAL: ≥75/100. HIGH: 50–74. MEDIUM: 25–49. LOW: <25. Same address + same blockchain state = identical score every time. Methodology version: 2.1.
Data source: Deterministic computation — reproducible and court-defensible
Number of distinct token types held or transacted. Unusually high token diversity may indicate DeFi farming, airdrop harvesting, or wash trading.
Data source: Alchemy getTokenBalances
Time since the address's first on-chain activity. Addresses less than 30 days old receive elevated risk scores (up to 70 for brand-new addresses) as they are more likely to be disposable addresses used in laundering schemes.
Data source: First transaction timestamp
finalScore = round( sum(factor_score[i] * weight[i]) / sum(weight[i]) )
Where factor_score[i] is the 0-100 score for each available factor and weight[i] is the fixed weight. The denominator normalizes for available signals — if only 4 of 9 factors are computable for an address, the weights of those 4 factors are re-normalized to sum to 1.0.
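The formulas above carried through in Python, as an added example (not ForensicBlock's code): exposure scoring with the published category weights and bands, the MAX-of-tiers rule, and the re-normalized composite. The dictionary keys, factor names, factor weights, sample inputs, half-up rounding, and the choice to force only the band (not the number) on sanctioned exposure are assumptions.

```python
import math

# Category weights as listed on the page; the dictionary keys are assumed names.
CATEGORY_WEIGHT = {"sanctions": 1.0, "darknet": 0.85, "mixer": 0.80, "fraud": 0.80,
                   "regulated_exchange": 0.05, "defi": 0.10, "unknown": 0.15}

def risk_level(score):
    """Published bands: CRITICAL >= 75, HIGH 50-74, MEDIUM 25-49, LOW < 25."""
    if score >= 75:
        return "CRITICAL"
    if score >= 50:
        return "HIGH"
    return "MEDIUM" if score >= 25 else "LOW"

def exposure_score(exposures):
    """exposures: (category, exposure_pct 0-100, confidence 0-1) per bucket.
    Returns (score, level) from sum(weight * pct * confidence), capped at 100."""
    score = min(100.0, sum(CATEGORY_WEIGHT[c] * pct * conf
                           for c, pct, conf in exposures))
    # Assumption: auto-CRITICAL overrides the band; the number stays as computed.
    sanctioned = any(c == "sanctions" and pct > 0 for c, pct, _ in exposures)
    return score, ("CRITICAL" if sanctioned else risk_level(score))

def composite_score(factor_scores, weights):
    """round(sum(score*w) / sum(w)) over the factors that are available (not None)."""
    avail = {k: s for k, s in factor_scores.items() if s is not None}
    if not avail:
        raise ValueError("no computable factors: refuse to emit a score")
    total = sum(s * weights[k] for k, s in avail.items())
    return math.floor(total / sum(weights[k] for k in avail) + 0.5)  # half-up (assumed)

def final_tier_score(tier_scores):
    """MAX across tiers, so a lower-tier score never dilutes a higher one."""
    return max(s for s in tier_scores if s is not None)

# Constructed sample inputs (not real addresses or real factor weights).
MIXED = [("mixer", 30, 0.9), ("regulated_exchange", 60, 1.0), ("unknown", 10, 1.0)]
TAINTED = [("sanctions", 2, 1.0), ("regulated_exchange", 98, 1.0)]
WEIGHTS = {"exposure": 40, "graph": 30, "wallet_age": 20, "token_diversity": 10}
FACTORS = {"exposure": 60, "graph": None, "wallet_age": 70, "token_diversity": 20}

if __name__ == "__main__":
    print(exposure_score(MIXED))
    print(exposure_score(TAINTED))
    print(composite_score(FACTORS, WEIGHTS))
    print(final_tier_score([None, 26.1, 40, 12]))
```

In the TAINTED sample, 2% sanctioned exposure produces a low number but a CRITICAL band under this reading, so the band and the number have to be read together. The composite for FACTORS is computed from three of four factors and looks no different from a fully populated score, which is why the accompanying confidence value matters.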
Every risk assessment includes a confidence score (0.20–0.95) reflecting the completeness and quality of available data:
No significant risk indicators. Standard due diligence sufficient.
Some risk indicators present. Enhanced due diligence recommended.
Multiple risk indicators. Investigation and compliance review required.
Severe risk. Likely sanctions match, mixer usage, or confirmed illicit activity.
During full investigations, ForensicBlock employs nine specialized AI agents. Each agent produces independent findings that are cross-validated by the orchestrator:
Findings must be verified against on-chain evidence before being included in the final report. The overall confidence score is reduced proportionally to unverified findings: adjusted = confidence * (0.5 + 0.5 * verificationRate)
Primary blockchain data provider. Real-time transaction data, asset transfers, token balances, and webhook-based monitoring across EVM chains.
Secondary provider for historical transaction data. Multi-chain support via chain ID parameter.
Official U.S. Treasury Specially Designated Nationals list. Updated regularly and cached locally with 5-minute refresh cycles.
Curated database of 200+ labeled addresses covering exchanges, DeFi protocols, bridges, mixers, scams, and sanctioned entities.
ForensicBlock is designed for legal proceedings:
Federal Rules of Evidence 902(13) and 902(14), in effect since 12/01/2017, allow electronic records to self-authenticate when accompanied by a qualified person's written certification. Rule 902(13) covers records generated by an electronic process; Rule 902(14) covers data copied from an electronic device. Both rules eliminate the need for a live custodian to authenticate at trial.
What our sealed reports carry:
What 902(13)/(14) does NOT do — the over-claim we never make:
Self-authentication is not the same as admissibility. The fact that a record self-authenticates means a court will accept that it is what it claims to be — a record generated by our electronic process. It does not resolve hearsay (FRE 801–807), relevance (FRE 401–403), or the Daubert qualification of the underlying methodology (FRE 702). Those remain separate hurdles your counsel argues independently. ForensicBlock packages for self-authentication; we never represent that a sealed report is "automatically admissible."
In U.S. v. Sterlingov (2024, D.D.C.), the court admitted deterministic Bitcoin clustering under FRE 702 — but put the proprietary methodology behind it under scrutiny that the prevailing label-only tools did not enjoy. ForensicBlock was designed for exactly that scrutiny.
The Daubert factors, mapped to ForensicBlock:
What we don't carry to court:
Every sealed report we ship carries these nine sections, in this order, on every matter type. Standardization is part of the moat: opposing counsel can verify against a fixed spec; expert testimony lands on the same scaffolding every time.
Non-technical narrative. Plain English a judge or jury can read; every claim cites a numbered finding.
Deterministic radial topology of the on-chain flows. Crisp at any zoom; identical across runs.
Each row: source (OFAC SDN, OpenSanctions, on-chain heuristic) + explicit confidence.
Block heights + timestamps across each chain, reconciled to one matter clock.
Deposit address, time, amount, venue identity — the subpoena target.
Methodology version + SHA-256 content hash. Reproducible against the version sealed under.
Every audit-log entry hash-chained. Tamper-evident across the matter lifecycle.
Where the trace pauses (mixers, privacy coins, gap windows). Honesty is the moat.
Qualified-person certification block. Authentication, not admissibility.
Every investigation can produce a single downloadable JSON envelope — the Audit Pack — that carries everything a defense expert, opposing counsel, or regulator needs to reproduce, challenge, or independently verify the report. The pack is sealed under a self-hash so any tampering is immediately detectable.
What the pack contains:
Why this is the moat:
The proprietary incumbents structurally cannot ship this. Their methodology IS the moat they protect — their model weights and label DB stay opaque by design. We win by going the other way: every methodology decision is public on this page, every input recorded, every output exportable, every audit-log entry hash-chained. Defense experts who try to invalidate our reports end up re-deriving the same conclusions — and that is precisely the surface our sealed certifications stand on.
The pack is available per investigation from the investigator's detail page ("Quick Actions → Audit pack") and from the report detail page once a report has been sealed. Authenticated users get the pack scoped to their own matters; for public audit of a specific sealed report, opposing counsel can request the pack from the issuing firm or use the public verifier.
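How a recipient might check a hash-chained audit log and a self-hashed JSON envelope of the kind described above, as an added example (not ForensicBlock's code or pack format). The field names (`auditLog`, `prev`, `hash`, `selfHash`, `methodologyVersion`), the genesis value, and the canonical-JSON rule are assumptions; the sample events are constructed.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed anchor for the first entry's "prev"

def digest(obj, skip):
    """SHA-256 over canonical JSON (sorted keys, no whitespace) of obj minus `skip`."""
    body = {k: v for k, v in obj.items() if k != skip}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def build_pack(events):
    """Construct a sample pack: chained audit log plus a self-hash over the envelope."""
    log, prev = [], GENESIS
    for ev in events:
        entry = {"event": ev, "prev": prev}
        entry["hash"] = prev = digest(entry, "hash")
        log.append(entry)
    pack = {"methodologyVersion": "v1.7.0", "auditLog": log}
    pack["selfHash"] = digest(pack, "selfHash")
    return pack

def verify_pack(pack, pinned_self_hash=None):
    """Return a list of problems; an empty list means every check passed."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(pack["auditLog"]):
        if entry.get("prev") != prev:
            problems.append(f"entry {i}: broken link")
        if entry.get("hash") != digest(entry, "hash"):
            problems.append(f"entry {i}: content hash mismatch")
        prev = entry.get("hash")
    if pack.get("selfHash") != digest(pack, "selfHash"):
        problems.append("self-hash mismatch")
    # A self-hash proves internal consistency only. Compare it with a copy
    # obtained independently of the file (e.g. quoted in the sealed report).
    if pinned_self_hash is not None and pack.get("selfHash") != pinned_self_hash:
        problems.append("self-hash differs from pinned value")
    return problems

def demo():
    pack = build_pack(["case opened", "address added", "report sealed"])
    pinned = pack["selfHash"]
    edited = copy.deepcopy(pack)               # one field changed in place
    edited["auditLog"][1]["event"] = "address removed"
    resealed = build_pack(["case opened", "address removed", "report sealed"])
    return (verify_pack(pack, pinned), verify_pack(edited, pinned),
            verify_pack(resealed, pinned))
```

The third case is the one to remember: a pack rebuilt from scratch passes every internal check, so tamper evidence depends on comparing the self-hash against a value held outside the file.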