Crypto Source-of-Funds Analysis: Reading the Risk Categories

A risk score of 78 tells you a wallet is risky. It doesn't tell you why — and "why" is what decides the outcome. A 78 driven by direct sanctions exposure is a hard decline; a 78 driven by indirect, three-hop exposure to a high-risk exchange is an analyst's judgment call. Source-of-funds analysis is the layer that turns the number into a decision.

Didit's Wallet Screening API attributes every risk score to specific source-of-funds categories — 14+ of them, from SANCTIONED to EXCHANGE — and reports each as direct or indirect exposure with a share and hop count. You get the score, the band, and the breakdown that explains it, at $0.02 per screening.

This guide explains what each category means and how to read the exposure table.

Key takeaways

• Risk score = the number; categories = the reason. Every 0–100 score is backed by the source-of-funds categories driving it.
• 14+ categories span sanctions, terrorist financing, ransomware, darknet, mixers, stolen funds, scams, gambling, P2P, and ordinary exchange exposure.
• Direct vs indirect exposure. Direct means the wallet transacted with the entity; indirect means value reached it through intermediary hops (with the hop count).
• A network graph traces the path so an analyst can see exactly how funds connect to a risky entity.
• Read by severity, not just score. Sanctions and CSE exposure are categorical no-gos; exchange exposure is usually benign.
• $0.02 per screening with BYOK (Crystal or Merkle Science).

What source-of-funds analysis is

On-chain, every wallet's balance has a history — the addresses it received from and sent to, recursively. Source-of-funds analysis clusters those addresses into real-world entities (a known exchange, a sanctioned wallet, a mixer, a darknet market) and measures how much of a wallet's value connects to each category. The output isn't just "risky / not risky"; it's a typed breakdown: this share of inbound value traces to a mixer, that share to a sanctioned entity, the rest to a regulated exchange.

Didit normalizes that breakdown into a consistent set of categories and an exposure table, regardless of whether Crystal or Merkle Science supplied the underlying intelligence.

Why it matters

Two wallets can share a risk score and demand opposite actions. Compliance policy lives in the categories, not the number. Sanctions and child-exploitation exposure are categorical — any direct exposure is a stop, full stop. Mixer, darknet, ransomware, and stolen-funds exposure are high-severity but context-dependent: direct exposure usually blocks, deep indirect exposure may warrant review. Exchange and (sometimes) P2P exposure are often the expected, benign shape of normal crypto activity.

Without the breakdown, an analyst is guessing. With it, the same score resolves into a defensible decision in seconds — and the network graph gives the evidence to back it up in an audit or a SAR.

The 14+ source-of-funds categories

Didit reports exposure across these categories:

Category	What it means	Typical severity
SANCTIONED	Connected to a sanctioned address or entity	Critical — categorical block
TERRORIST_FINANCING	Linked to terrorist-financing activity	Critical — categorical block
CHILD_EXPLOITATION	Linked to child sexual exploitation material	Critical — categorical block
RANSOMWARE	Proceeds or payments tied to ransomware	High
STOLEN_FUNDS	Funds traced to a hack or exploit	High
DARKNET_MARKET	Exposure to darknet marketplaces	High
MIXER	Funds passed through a mixing/tumbling service	High
SCAM	Linked to known scams or fraud schemes	High
HIGH_RISK_EXCHANGE	Exchange with weak or no KYC	Medium–High
HIGH_RISK_JURISDICTION	Entity in a high-risk jurisdiction	Medium
GAMBLING_UNLICENSED	Unlicensed gambling exposure	Medium
P2P_EXCHANGE	Peer-to-peer exchange activity	Low–Medium
EXCHANGE	Regulated/known exchange	Low — usually benign
UNNAMED_SERVICE	Identified service without a specific label	Context-dependent

Reading the exposure table

Each category in a screening result is tagged direct or indirect and carries a share of the wallet's value and, for indirect exposure, a hop count:

{
  "wallet_screening": {
    "risk_score": 78,
    "risk_band": "HIGH",
    "exposure": [
      { "category": "MIXER", "type": "INDIRECT", "hops": 2, "share": 0.34 },
      { "category": "DARKNET_MARKET", "type": "INDIRECT", "hops": 3, "share": 0.11 },
      { "category": "EXCHANGE", "type": "DIRECT", "share": 0.55 }
    ]
  }
}

• Type. DIRECT means the wallet transacted with the entity itself; INDIRECT means value reached it through one or more intermediary hops.
• Hops. For indirect exposure, how many transactions away the risky entity sits — closer hops weigh heavier.
• Share. How much of the wallet's value is attributable to that category.

Read together: the example above is a 78 because a third of the value passed through a mixer two hops out and a slice traces to a darknet market — high enough to hold for review, but the absence of direct sanctions exposure is why it isn't an automatic decline.

Technical details

Source-of-funds analysis is part of every wallet screening on the unified /v3/ API:

curl -X POST https://verification.didit.me/v3/transactions/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "transaction_id": "txn_c40b",
    "category": "finance",
    "currency_kind": "crypto",
    "direction": "INBOUND",
    "wallet_address": "0x71f3...0a9d",
    "include_crypto_screening": true,
    "subject": { "vendor_data": "user_8820", "role": "RECEIVER" }
  }'

The verdict carries the 0–100 score, the LOW/MEDIUM/HIGH/CRITICAL band, and the typed exposure table shown above — plus a network graph an analyst can open in the Console. Price: $0.02 per screening with BYOK (Crystal or Merkle Science).

Use cases

• Crypto exchanges — auto-decline any direct SANCTIONED exposure; route deep MIXER/DARKNET_MARKET exposure to review.
• On/off-ramps — distinguish benign EXCHANGE exposure from risky HIGH_RISK_EXCHANGE before converting.
• Custodians — use the category breakdown and network graph as evidence for any frozen-asset decision.
• Wallets — warn users when a destination address carries SCAM or STOLEN_FUNDS exposure.
• VASPs — pair source-of-funds categories with Travel Rule counterparty data for a complete risk picture.

How to integrate with Didit

1. Map categories to policy. Decide which categories are categorical blocks (sanctions, TF, CSE) and which thresholds trigger review.
2. Screen crypto transactions. POST /v3/transactions/ with currency_kind: "crypto" and a direction.
3. Branch on the breakdown, not just the score. Read the exposure table; act on category + type (direct/indirect) + share.
4. Investigate in the Console. High-risk screenings open alerts with the network graph attached.

Frequently asked questions

Why does the score alone not tell me what to do?

Because two wallets with the same score can need opposite actions. The categories and exposure type (direct vs indirect) are what make the decision defensible.

What's the difference between direct and indirect exposure?

Direct means the wallet transacted with the risky entity itself; indirect means value reached it through intermediary hops. Indirect exposure includes a hop count so you can weigh how close it is.

Which categories should always block?

SANCTIONED, TERRORIST_FINANCING, and CHILD_EXPLOITATION are categorical no-gos for any direct exposure. The high-severity financial-crime categories usually warrant review or decline depending on type and share.

Is exchange exposure a problem?

Plain EXCHANGE exposure is usually benign — it's the expected shape of normal activity. HIGH_RISK_EXCHANGE (weak or no KYC) is the one to watch.

How much does it cost to get this breakdown?

It's included in every wallet screening at $0.02 with BYOK — the categories and exposure table come back with the score, no extra call.

Ready to get started?

Read the Wallet Screening overview in the docs, see how it fits the platform on the Wallet Screening product page, and check per-call pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, and wallet screening at $0.02 per screening.