Ethereum is where most of crypto's bad behaviour lives in 2026. Smart-contract drainers, fake airdrop campaigns, address-poisoning, and the long shadow of Tornado Cash. The same 0x address that pays your freelance invoice can also be three transactions away from a sanctioned mixer.
Why ETH addresses are messier than BTC
A Bitcoin wallet usually holds one thing: BTC. An Ethereum wallet holds hundreds of tokens, calls smart contracts, signs permits, and interacts with DeFi protocols every week. Each interaction creates a new line in the wallet's history. A clean wallet from yesterday can be tainted today because the owner clicked an innocent-looking airdrop link.
Ethereum's compositional nature is also its compliance nightmare. One bad approve() signature can drain a wallet and instantly link your address to a known scammer cluster — even if you were the victim.
The Tornado Cash situation, explained
In August 2022 the U.S. Treasury added Tornado Cash to its SDN list. From that moment, any address that received ETH from Tornado Cash carried a sanctions flag. The protocol is just code — but Coinbase, Kraken and Binance treat funds emerging from it as restricted.
If you receive payment from someone who used Tornado Cash for legitimate privacy reasons, your wallet inherits the exposure. Most exchanges will hold your deposit until you can document the source.
Real case from 2024: a freelancer accepted 1.2 ETH for a logo design. The client had withdrawn from Tornado Cash six months earlier. The freelancer's Kraken account was restricted for nine weeks while they gathered invoices and proof of work.
What gets checked on Ethereum
- OFAC SDN matches — direct hits, plus the 1-hop and 2-hop neighbours that most exchanges treat the same.
- Tornado Cash exposure — both deposits and withdrawals, weighted by recency.
- DeFi rug pulls — wallets tied to known exit scams (Squid Game token, AnubisDAO, dozens of smaller "stealth" launches).
- Phishing drainers — Inferno Drainer, Pink Drainer, Angel Drainer and successor kits.
- Sanctioned protocols — Hamas-linked addresses, North Korea's Lazarus Group, Russian and Iranian-sanctioned entities.
- Address poisoning wallets — used for zero-value-transfer attacks that trick users into copying lookalike addresses.
How to read an ETH risk score
- 0–25 (low): Normal wallet. DeFi usage, exchange deposits and withdrawals — nothing concerning.
- 26–50 (medium): One or two ambiguous hops — an old MEV bot, or a token that later turned out to be a rug.
- 51–75 (high): Direct exposure to Tornado Cash, a drainer cluster, or a wallet frozen by at least one major exchange.
- 76–100 (critical): Sanction match. Walk away.
EVM chains and sidechains
The same 0x address works on Polygon, Arbitrum, Optimism, Base, BNB Chain and Avalanche. Our scan looks at all of them automatically. A wallet clean on mainnet can have high-risk history on BNB Chain. Cross-chain bridges are particularly attractive to bad actors.
USDT and USDC freezes on Ethereum
Circle and Tether routinely blacklist addresses tied to ransomware or sanctions, freezing the underlying balance. If you accept stablecoins from a freshly created or unknown wallet, this is the first thing to worry about. Run the address through our USDT checker before accepting.
Get the full ETH transaction graph in Telegram
Source of funds across all EVM chains, Tornado Cash exposure scoring, downloadable PDF. Use @scorechain_amlbot — first 3 full reports are free.
Open @scorechain_amlbot