risk_categories[], deduped + ordered
by contribution. The taxonomy is shared with our internal AML
policy engine — it’s the same vocabulary the
app.aegis-kyt.com UI renders.

Sanctioned

| Slug | Meaning | Example sources |
|---|---|---|
| ofac-sdn | Direct hit on the US OFAC Specially Designated Nationals list | OFAC SDN |
| uk-ofsi | UK OFSI consolidated sanctions list | UK OFSI |
| eu-sanctions | EU consolidated financial sanctions | EU FSF |

High-risk activity

| Slug | Meaning |
|---|---|
| mixer | Tornado Cash, Wasabi CoinJoin, Sinbad, etc. |
| darknet-market | Hydra, Genesis, AlphaBay, etc. |
| ransomware | Strain-attributed addresses (Conti, REvil, LockBit, …) |
| child-exploitation | CSAM-funded clusters |
| terrorism-financing | Hamas, Al-Qaeda, ISIS attributions |
| hack | Stolen funds from a specific exploit (e.g. Ronin Bridge, Wormhole) |
| scam | Generic phishing / impersonation / rug-pull |
| phishing | Specifically phishing wallets (Inferno Drainer cluster, etc.) |

Service categories (informational, not necessarily risky)

| Slug | Meaning |
|---|---|
| exchange | Centralised exchange wallet (CEX deposit / hot / cold) |
| dex | Decentralised exchange contract |
| defi | DeFi protocol (lending, staking, AMM, etc.) |
| bridge | Cross-chain bridge |
| wallet | Self-custody wallet provider (e.g. MetaMask Swaps Router) |
| mining | Mining pool / payout wallet |
| psp | Crypto payment service provider (BitPay, Heleket, etc.) |
| bot | Trading bot (Telegram-style or on-chain) |
| gambling | Online casino / betting platform |
| nft_marketplace | OpenSea, Blur, etc. |

Risk levels

risk_level rolls up the categories into one of:

| Level | When |
|---|---|
| sanctioned | Any sanctions slug present (ofac-sdn, uk-ofsi, eu-sanctions) |
| critical | mixer, darknet-market, ransomware, child-exploitation, terrorism-financing |
| high | hack (when address is the attacker), scam, phishing |
| medium | Mixed categories below critical; risk_score ≥ 50 |
| low | risk_score 20..49, no high-severity category |
| none | risk_score 0..19 OR clean address |
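
As an added example (not part of the original page and not the vendor's code), the roll-up above can be re-derived client-side to flag a response whose risk_level is lower than its risk_categories and risk_score imply. It assumes tiers are checked from most to least severe and that the score bands apply only when no tier-defining slug matches; `hack_is_attacker` is a hypothetical flag, since the page names no field for that condition.

```python
SANCTIONS = {"ofac-sdn", "uk-ofsi", "eu-sanctions"}
CRITICAL = {"mixer", "darknet-market", "ransomware",
            "child-exploitation", "terrorism-financing"}
HIGH = {"scam", "phishing"}  # "hack" is conditional, handled in rollup()
# Assumption: severity ascends in this order (the table lists it descending).
LEVELS = ["none", "low", "medium", "high", "critical", "sanctioned"]


def rollup(categories, risk_score, hack_is_attacker=False):
    """Re-derive risk_level, checking tiers from most to least severe.

    hack_is_attacker is hypothetical: the table makes "hack" high only
    when the address is the attacker, but names no field for that.
    """
    cats = set(categories)
    if cats & SANCTIONS:
        return "sanctioned"
    if cats & CRITICAL:
        return "critical"
    if cats & HIGH or ("hack" in cats and hack_is_attacker):
        return "high"
    # Assumption: with no tier-defining slug left, the score bands decide.
    # Service slugs (exchange, dex, ...) are informational and ignored here.
    if risk_score >= 50:
        return "medium"
    return "low" if risk_score >= 20 else "none"


def understated(resp, hack_is_attacker=False):
    """True if the reported risk_level is lower than the table implies."""
    reported = resp.get("risk_level")
    if reported not in LEVELS:  # fail closed on a missing or unknown level
        raise ValueError(f"unexpected risk_level: {reported!r}")
    expected = rollup(resp["risk_categories"], resp["risk_score"],
                      hack_is_attacker)
    return LEVELS.index(reported) < LEVELS.index(expected)


# Constructed sample responses (not real API output).
SAMPLES = [
    {"risk_categories": ["exchange", "mixer"], "risk_score": 35, "risk_level": "critical"},
    {"risk_categories": ["bridge", "ofac-sdn", "mixer"], "risk_score": 90, "risk_level": "critical"},
    {"risk_categories": ["gambling"], "risk_score": 55, "risk_level": "medium"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["risk_categories"], rollup(s["risk_categories"], s["risk_score"]), understated(s))
```

The second sample is the case worth alerting on: a sanctions slug is present but the reported level is only critical.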

