Blog · May 21, 2026

Detecting Mixer & Darknet Exposure in Real Time

Mixers, darknet markets, ransomware proceeds, and stolen funds are the highest-severity on-chain risks. Here's how Didit detects exposure to each in real time — direct and indirect — at $0.02 per screening.

By Didit

Most on-chain risk is a gradient. Mixer and darknet exposure is not — it's the sharp end. Funds that passed through a mixer were deliberately obscured; funds touching a darknet market financed something illegal; ransomware proceeds and stolen funds are the direct output of crimes. When any of these show up in a wallet's history, "review later" is the wrong answer. You need to know at the moment the transaction is in flight.

Didit's Wallet Screening API detects exposure to these categories in real time. Every crypto transaction can be screened before it settles, returning a 0–100 risk score, a LOW/MEDIUM/HIGH/CRITICAL band, and the specific high-severity categories driving it — MIXER, DARKNET_MARKET, RANSOMWARE, STOLEN_FUNDS — reported as direct or indirect exposure. It costs $0.02 per screening.

Key takeaways

  • Four sharp-edge categories (MIXER, DARKNET_MARKET, RANSOMWARE, STOLEN_FUNDS) are detected on every screening alongside the rest of the source-of-funds breakdown.
  • Real time, before settlement. Pre-transfer screening reads the wallet address before you accept a deposit or release a withdrawal.
  • Direct and indirect. Detection includes value that reached a mixer or darknet market through intermediary hops, with the hop count.
  • 0–100 score → CRITICAL band for the heaviest exposure, so policy can auto-decline without manual triage.
  • Network graph traces the path from the wallet to the mixer or market for analyst review and SAR evidence.
  • $0.02 per screening with BYOK (Crystal or Merkle Science).

What mixer and darknet exposure looks like on-chain

A mixer (or tumbler) pools funds from many users and redistributes them to break the link between source and destination — its entire purpose is to obscure provenance, which is why exposure to one is a strong laundering signal. A darknet market is an illicit marketplace; funds touching it are presumptively criminal proceeds. Ransomware wallets collect extortion payments. Stolen funds are the output of hacks and exploits, often moved fast through intermediaries.

On-chain, these entities are clustered and labeled by the analytics layer (Crystal or Merkle Science). Didit reads a wallet's transaction history against those labels and reports how much of its value connects to each — directly, or through one or more hops.

Why it matters

These categories carry the heaviest regulatory and reputational weight. Accepting funds with mixer or darknet exposure can constitute facilitating money laundering; mishandling sanctioned-mixer exposure (several mixers are themselves sanctioned) compounds the violation. The cost of missing it is not a fine line item — it's enforcement action and de-banking risk.

Speed is the other half. These decisions have to happen before settlement, because once you've credited a deposit sourced from a mixer, you're unwinding rather than declining. Real-time, pre-transfer detection at $0.02 makes screening every transaction affordable, so the sharp-edge categories never slip through on cost grounds.

Technical details

Detection runs on every crypto screening on the unified /v3/ API. Screen the address before accepting the funds:

curl -X POST https://verification.didit.me/v3/transactions/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "transaction_id": "dep_9c12",
    "category": "finance",
    "amount": 30000,
    "currency": "ETH",
    "currency_kind": "crypto",
    "direction": "INBOUND",
    "wallet_address": "0xab90...77ef",
    "include_crypto_screening": true,
    "subject": { "vendor_data": "user_4410", "role": "RECEIVER" }
  }'

When the wallet's funds trace to a mixer and a darknet market, the verdict makes the reason explicit:

{
  "transaction_id": "dep_9c12",
  "status": "DECLINED",
  "wallet_screening": {
    "risk_score": 91,
    "risk_band": "CRITICAL",
    "exposure": [
      { "category": "MIXER", "type": "DIRECT", "share": 0.62 },
      { "category": "DARKNET_MARKET", "type": "INDIRECT", "hops": 2, "share": 0.19 },
      { "category": "STOLEN_FUNDS", "type": "INDIRECT", "hops": 4, "share": 0.05 }
    ]
  }
}

  • Direct mixer exposure (the wallet sent to or received from a mixer) is the strongest single signal and typically pushes the score into the CRITICAL band.
  • Indirect exposure is weighted by hop distance — a darknet market two hops out matters more than stolen funds four hops out.
  • A network graph accompanies the result so an analyst can see the path and attach it to a SAR.

Price. $0.02 per screening with BYOK (Crystal or Merkle Science).

Setting policy for the sharp-edge categories

Because these categories are high-severity, most teams hard-code their handling rather than leaving it to analyst discretion:

Category + type                           | Recommended action
------------------------------------------+----------------------------
MIXER direct                              | Decline / freeze
DARKNET_MARKET direct                     | Decline / freeze
RANSOMWARE direct                         | Decline / freeze + escalate
STOLEN_FUNDS direct                       | Decline / freeze + escalate
Any of the above, indirect, close hops    | Hold for review
Any of the above, indirect, distant hops  | Review with logging

In Transaction Monitoring, you can express this once in the rule engine — the Crypto screening bundle — so that a CRITICAL screening sets the transaction status to DECLINED and opens an alert automatically.
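The policy table above, applied to the example verdict from this page, as an added example (not Didit's rule engine or SDK code). The action labels and the `CLOSE_HOPS` cut-off between "close" and "distant" hops are assumptions, since the page does not define them; a missing or malformed screening result is held rather than accepted.

```python
import json

# Direct-exposure actions from the page's policy table (labels are hypothetical).
DIRECT_ACTION = {
    "MIXER": "DECLINE_FREEZE",
    "DARKNET_MARKET": "DECLINE_FREEZE",
    "RANSOMWARE": "DECLINE_FREEZE_ESCALATE",
    "STOLEN_FUNDS": "DECLINE_FREEZE_ESCALATE",
}
# Least to most severe, so max() with this ordering picks the strictest action.
SEVERITY = ["ALLOW", "REVIEW_WITH_LOGGING", "HOLD_FOR_REVIEW",
            "DECLINE_FREEZE", "DECLINE_FREEZE_ESCALATE"]
CLOSE_HOPS = 2  # assumption: the page does not define "close" vs "distant"


def action_for(entry):
    """Map one exposure entry to the action in the policy table."""
    category = entry.get("category")
    if category not in DIRECT_ACTION:
        return "ALLOW"  # not a sharp-edge category; other policy applies
    kind = entry.get("type")
    if kind == "DIRECT":
        return DIRECT_ACTION[category]
    hops = entry.get("hops")
    if kind == "INDIRECT" and isinstance(hops, int) and hops > CLOSE_HOPS:
        return "REVIEW_WITH_LOGGING"
    # Indirect and close, or type/hop count missing or malformed: stricter path.
    return "HOLD_FOR_REVIEW"


def decide(response):
    """Return the strictest action across all exposure entries in a verdict."""
    screening = response.get("wallet_screening")
    if not isinstance(screening, dict) or not isinstance(screening.get("exposure"), list):
        return "HOLD_FOR_REVIEW"  # no usable screening result: do not auto-accept
    actions = [action_for(e) for e in screening["exposure"] if isinstance(e, dict)]
    return max(actions, key=SEVERITY.index, default="ALLOW")


# The example verdict shown earlier on this page.
SAMPLE = json.loads("""{"transaction_id": "dep_9c12", "status": "DECLINED",
  "wallet_screening": {"risk_score": 91, "risk_band": "CRITICAL", "exposure": [
    {"category": "MIXER", "type": "DIRECT", "share": 0.62},
    {"category": "DARKNET_MARKET", "type": "INDIRECT", "hops": 2, "share": 0.19},
    {"category": "STOLEN_FUNDS", "type": "INDIRECT", "hops": 4, "share": 0.05}]}}""")

if __name__ == "__main__":
    for e in SAMPLE["wallet_screening"]["exposure"]:
        print(e["category"], e["type"], "->", action_for(e))
    print("transaction:", decide(SAMPLE))
```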

Use cases

  • Crypto exchanges — auto-decline deposits with direct mixer or darknet exposure; freeze and investigate ransomware/stolen-funds matches.
  • On/off-ramps — block fiat conversion of funds that traced through a mixer before they reach the banking rails.
  • Custodians — screen at intake and re-screen stored assets; the network graph is the evidence for a freeze.
  • Wallets — warn or block users sending to addresses with darknet or scam exposure.
  • VASPs — pair sharp-edge detection with Travel Rule data so a risky counterparty is caught from both directions.

How to integrate with Didit

  1. Turn on crypto screening. In Console → Transactions → Settings, enable screening and set your provider key.
  2. Encode policy. Use the Crypto screening rule bundle to auto-decline CRITICAL exposure and route HIGH to review.
  3. Screen before settlement. POST /v3/transactions/ with the deposit/withdrawal wallet_address and act on the band.
  4. Investigate and file. CRITICAL screenings open alerts with the network graph; escalate to a case and file a SAR from the same Console.

Frequently asked questions

Why is mixer exposure treated so severely?

A mixer's only purpose is to obscure the source of funds, so exposure to one is a strong laundering signal — and several mixers are themselves sanctioned, which adds a sanctions dimension on top.

Does it catch funds that only touched a mixer indirectly?

Yes. Indirect exposure is detected with a hop count, so value that reached a mixer or darknet market through intermediaries is still flagged, weighted by distance.

Can I auto-decline these categories?

Yes. Use the Crypto screening rule bundle in Transaction Monitoring to set the status to DECLINED and open an alert automatically when exposure crosses your threshold.

Is detection real-time enough to block a deposit?

Yes. Pre-transfer screening reads the wallet address before the transaction settles, so you can decline rather than unwind.

What evidence do I get for a SAR?

A network graph tracing the wallet to the mixer, darknet market, or other risky entity, plus the typed exposure breakdown — both available in the Console alert.

Ready to get started?

Read the Wallet Screening overview in the docs, see how it fits the platform on the Wallet Screening product page, and check per-call pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, and wallet screening at $0.02 per screening.