TL;DR - Across 3,887 labeled addresses, 86.3% are tagged scam and 90.8% sit in the high or critical risk tier, while sanctioned wallets sit in a separate 780-address list.
Every wallet screening result is a lookup against a pile of addresses someone already looked at and classified. That pile is not neutral. It skews hard toward confirmed bad actors, because that is the whole point of building it. Pulling apart what is actually in a labeled crypto risk dataset - and what sits in the sanctions list next to it - shows how lopsided that mix really is, and why a "flagged" result rarely means what people assume.
What's actually inside a labeled crypto risk dataset?
A screening tool is only as useful as the data feeding it. Before any address gets a score, it gets compared against a corpus of addresses that have already been identified and classified. One such labeled corpus holds 3,887 addresses, each carrying a risk tier: high, medium, neutral, or critical.
The split is not even. 3,478 addresses sit in the high tier (89.5%), 259 in medium (6.7%), 100 in neutral (2.6%), and 50 in critical (1.3%). Combine the two most severe tiers and 3,528 addresses, 90.8% of the whole corpus, come back flagged high or critical.
That skew is not a flaw. A dataset like this exists specifically to catch bad actors, so it naturally accumulates far more confirmed-risky addresses than borderline or clean ones. A separate list, built from a different process entirely, tracks addresses under government sanctions: 780 crypto addresses tied to the OFAC Specially Designated Nationals program. That list is roughly a fifth the size of the labeled risk corpus and is maintained on its own.
Composition of Plastron's committed screening corpus: 3887 labeled addresses plus 780 OFAC SDN entries.
Key findings: how does the risk mix break down?
Risk tier only tells you severity. Entity type tells you why an address was flagged in the first place. Across the same 3,887-address corpus, six entity types cover 3,861 addresses, 99.3% of the total.
Scam addresses are the largest single category: 3,354 of them, 86.3% of the corpus. Fraud adds another 280 (7.2%). Combined, scam and fraud account for 3,634 addresses, 93.5% of every labeled entry. Hack and exploit addresses number 121 (3.1%), tied to specific incidents rather than ongoing schemes. Mixer addresses are the smallest labeled category at 28 (0.7%).
Exchange and DeFi addresses, by contrast, are not risk labels in the usual sense. There are 41 exchange addresses (1.1%) and 37 DeFi addresses (1.0%) in the corpus, 78 combined (2.0%). These are typically tagged for identification, so a counterparty check can tell a legitimate venue apart from a look-alike, not because touching them is inherently dangerous.
Methodology
The risk-tier and entity-type figures come from data/known-addresses.json, which holds 3,887 labeled addresses. Each record carries a risk field (high, medium, neutral, critical) and an entity_type field (scam, fraud, hack_exploit, exchange, defi, mixer, and others). Counts per tier and per entity type were read directly from that file, then divided by the 3,887 total to produce each percentage, rounded to one decimal place.
The sanctions figure comes from a second, independent file: data/ofac-sdn.json, which holds 780 OFAC SDN crypto addresses. That list is not merged into the entity-type breakdown above. It is built from a government designation process rather than scam or fraud reporting, so it is counted and reported on its own throughout this piece.
Why do scams and fraud dominate the corpus?
Retail scams are high-volume by nature. Phishing pages, fake token launches, and impersonation wallets each need a new receiving address, and every one can be individually reported and labeled on its own. That is likely why scam and fraud together make up 93.5% of the corpus while hack_exploit sits at 3.1% and mixer sits at 0.7%: there are simply more distinct scam addresses generated than there are distinct exploit contracts or mixing services.
Low address counts do not mean low importance. A single mixer contract can process transactions from many unrelated wallets before it is ever added to a list, so a 0.7% share represents a chokepoint, not a minor category. The same logic applies to hack_exploit addresses: 121 entries can each represent one large incident rather than dozens of small ones.
Sanctioned addresses follow a different logic again. The 780 entries in the OFAC list are not judged by transaction volume or victim count. An address lands there through a formal government designation process, which is why it is tracked in a separate file instead of being folded into the entity_type field used for scam and fraud reporting.
What does this mean when you screen your own wallet?
If a wallet you are checking comes back flagged, the entity type matters more than the headline risk score. A scam or fraud tag, the outcome behind 93.5% of labeled addresses, usually points to a specific reported incident: a phishing wallet, a fake giveaway, a romance-scam collection address. A sanctions hit is rarer and carries different consequences, since it ties back to one of only 780 addresses under a formal government designation rather than a community scam report.
Cross-referencing an address against 3,887 labeled entries and a separate 780-address sanctions list by hand is not realistic for a routine check. Screen the address with Plastron to run both lookups at once and see exactly which category, if any, produced the flag.
Do not read every match the same way, either. An exchange or DeFi hit, together just 2.0% of the corpus, is not the same signal as a scam or mixer hit. Before assuming the worst, check whether the flagged entity type is a known venue or a genuinely adversarial address.
FAQ
What share of the labeled dataset is high or critical risk?
90.8%. Of the 3,887 labeled addresses, 3,478 are tagged high risk and 50 are tagged critical, for a combined 3,528.
How many OFAC-sanctioned addresses are tracked, and are they part of the same dataset?
780 crypto addresses appear in the separate OFAC SDN list. They are not merged into the entity-type counts for scam, fraud, or mixer addresses, since sanctions designations follow a different process.
Does an exchange or DeFi tag mean the address is risky?
Not on its own. Exchange addresses make up 41 entries (1.1%) and DeFi addresses 37 (1.0%) of the corpus, a combined 2.0%. These are typically labeled for identification, not because interacting with them carries risk.
Why are mixer addresses such a small share of the labeled corpus?
Mixer addresses total 28, just 0.7% of the 3,887 labeled entries. The count is small because a single mixer contract can be reused by many unrelated wallets before it gets individually labeled, unlike scam addresses, which are usually created fresh per incident.
Disclaimer: This article is for educational and informational purposes only and is not legal, financial, tax, or compliance advice. Crypto carries risk; you act on this information at your own risk. Always do your own research and consult a qualified professional before making decisions. Views are the author's own and do not constitute financial, legal, or investment advice.
About Plastron
Plastron is a free, non-custodial wallet screening tool. It checks Ethereum and six EVM chains for AML and KYT risk — sanctions exposure, mixer contact, and stolen-funds proximity — and returns a risk report in seconds. It reads public on-chain data only: it never takes custody of funds and never asks for private keys.