Sanctuary Research

**Entity labels by chain** (10.58M total):

- Bitcoin: 10,112,582 (95.5 percent — the legacy dominance from WalletExplorer-class scrapers covering 2010s-era BTC attribution)
- Ethereum: 236,075
- BSC: 44,540
- Polygon: 32,576
- Base: 26,403
- Arbitrum: 25,489
- Optimism: 25,036
- Avalanche: 23,849
- TRON: 19,227
- Celo: 10,456
- Gnosis: 10,304
- Solana: 10,251
- TON: 4,050

**Entity types** (top 10 by count):

- exchange: 4,633,134
- exchange_high_risk: 2,516,650
- fraudulent_exchange: 1,649,599
- sanctioned_entity: 510,338
- grey_exchanger: 434,761
- custodial_wallet: 336,621
- p2p_exchange: 200,005
- defi_protocol: 84,845
- ransomware: 82,347
- mining_pool: 38,734
- dprk_theft: 17,915
- mixer: 3,499

**Top entity-label sources** (selected):

- scraper_walletexplorer: 9,633,535 (historical BTC scraping)
- graphsense_tagpacks: 378,743
- cross_chain_replication: 155,693
- lockbit_leak: 59,975 (LockBit ransomware leak data)
- etherscan_labels: 36,465
- coingecko_tokens: 19,294
- tayvano_lazarus: 18,168 (Tayvano's curated Lazarus list)
- opensanctions: 12,657
- ransomwhere: 11,186
- ofac_sdn_advanced: 1,139
- a7a5_token_scan: 271 (our own A7A5 cluster scan)

The composition is asymmetric. Bitcoin dominates the entity labels because the historical scraping infrastructure has had a longer window to operate. Ethereum and the EVM L2s have smaller absolute counts but higher per-address economic density. TRON has the smallest count among major chains — and, as we will see, the highest sanctions-and-freeze concentration relative to its size.
**Intelligence flags by risk_type** (selected):

- scam: 799,024
- ransomware: 136,494
- criminal: 135,471
- suspicious: 125,258
- phishing: 49,137
- entity: 40,850
- external_dataset: 34,547
- sanctions: 23,523
- proximity_exposure_unknown: 19,184
- frozen_stablecoin: 12,037
- fraud: 11,853
- graph_neighbor: 10,441
- mixer: 7,778
- money_laundering: 2,529
- associated_with_flagged: 2,135
- exploit: 2,073
- darknet: 1,717
- terrorist_financing: 1,524

**Intelligence flags by source** (selected):

- stableaml: 492,571 (Sanctuary's own stablecoin AML scraper)
- real_cats: 219,002
- github: 170,039 (GitHub-public address corpora)
- graphsense_tagpacks: 120,084
- lockbit_leak: 59,975
- ransomwhere: 55,076
- tayvano_lazarus: 18,168
- opensanctions: 12,657
- tornado_cash_depositor: 7,708 (every wallet that has interacted with Tornado Cash as a depositor)
- forta_malicious: 7,259
- tether_blacklist: 2,920
- usdt_blacklist: 2,644

The breakdown is operationally informative. The scam category — at 799K flags — represents nearly six times the next-largest category (ransomware, 136K). This reflects the dominant 2026 retail-loss vector: pig butchering and approval-phishing scams, not state-actor hacks or ransomware.
The 12,037 frozen_stablecoin flags map to the Tether and Circle blacklist events the engine tracks via fifteen-minute polling. The 7,258 tornado_cash_depositor flags map to every wallet that has interacted with Tornado Cash as a depositor — a propagation-source for the `tornado_cash_recipient` behavioral detector that fires on downstream wallets.
The 1,524 terrorist_financing flags — at the lowest absolute count among major categories — represent the highest-confidence designations because they typically come from OFAC, Israel NBCTF, UK FCDO, and similar government sanction lists. Quality vs. quantity inverts at this category.
Sanctuary's behavioral detector — the pattern-matching engine that produces flags from on-chain activity without requiring an external designation — produced the following counts as of mid-May 2026:

- dust_flood: 338
- fan_out_pattern: 166
- dormancy_spike: 141
- counterparty_funnel: 116
- mass_spam: 112
- mule_chain: 100
- rapid_relay_mule: 83
- high_freq_processing: 63
- same_amount_batch: 56
- cluster_risk_propagation: 54

Each row is a distinct on-chain behavioral signature. The dust_flood 338 is the count of wallets the engine detected as targets of address-poisoning attempts (the structural signature: low-value transfers from many sources designed to populate the wallet's recent-counterparty history with attacker-controlled lookalike addresses).
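
The dust_flood signature described above can be sketched as follows. This is an added example, not Sanctuary's detector code: the thresholds, the function names and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

DUST_USD = 1.00    # assumed ceiling for a "low-value" transfer
MIN_SOURCES = 5    # assumed minimum number of distinct dust senders
EDGE = 6           # assumed count of leading/trailing characters compared

def lookalike(candidate, genuine, edge=EDGE):
    """True when two different addresses share the same prefix and suffix."""
    return (candidate != genuine
            and candidate[:edge] == genuine[:edge]
            and candidate[-edge:] == genuine[-edge:])

def detect_dust_flood(transfers, known_counterparties):
    """transfers: (sender, recipient, usd) tuples.
    known_counterparties: recipient -> set of addresses it really deals with.
    Returns {recipient: {"sources": n, "lookalikes": [(sender, imitated)]}}."""
    dust_senders = defaultdict(set)
    for sender, recipient, usd in transfers:
        if usd <= DUST_USD:
            dust_senders[recipient].add(sender)
    findings = {}
    for recipient, senders in dust_senders.items():
        if len(senders) < MIN_SOURCES:
            continue  # a few small transfers are normal; many sources are not
        genuine = known_counterparties.get(recipient, set())
        pairs = sorted((s, g) for s in senders for g in genuine if lookalike(s, g))
        findings[recipient] = {"sources": len(senders), "lookalikes": pairs}
    return findings

# Constructed sample data: none of these are real addresses.
GENUINE = "0xA1b2" + "c" * 30 + "7d9F3e"
SPOOF = "0xA1b2" + "e" * 30 + "7d9F3e"
SAMPLE = [(f"0xdust{i:036d}", "victim_wallet", 0.01) for i in range(5)]
SAMPLE += [(SPOOF, "victim_wallet", 0.0),          # zero-value lookalike
           (GENUINE, "victim_wallet", 2500.0),     # real payment, not dust
           ("0xfriend", "quiet_wallet", 0.5)]      # one small transfer only
KNOWN = {"victim_wallet": {GENUINE}}

def run_sample():
    return detect_dust_flood(SAMPLE, KNOWN)

if __name__ == "__main__":
    print(run_sample())
```

The lookalike list is what a wallet or screening UI would surface to the user before a copy-from-history payment.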
The dormancy_spike 141 is structurally the most consequential. The category captures wallets that have been dormant for an extended period and then activated suddenly with high-value action — the same behavioral pattern that characterized the attacker wallet `HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES` in the April 1, 2026 Drift Protocol exploit. The Drift attacker's wallet was created eight days before the exploit and remained dormant until the 12-minute drain window. That signature is one of 141 the engine has detected. The remaining 140 may or may not produce protocol-scale exploits; they share the structural signal.
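
A minimal version of the dormancy_spike check, as an added example rather than Sanctuary's implementation: the dormancy period, burst window and value threshold are assumed values, and the wallets, dates and amounts are constructed.

```python
from datetime import datetime, timedelta

MIN_DORMANCY = timedelta(days=7)       # assumed quiet period
BURST_WINDOW = timedelta(minutes=30)   # assumed length of the wake-up burst
MIN_BURST_USD = 1_000_000              # assumed "high-value" threshold

def dormancy_spikes(events):
    """events: (wallet, timestamp, usd) tuples; a wallet's first event is its
    creation or first funding. Returns {wallet: (silent_gap, burst_usd)}."""
    by_wallet = {}
    for wallet, ts, usd in events:
        by_wallet.setdefault(wallet, []).append((ts, usd))
    flagged = {}
    for wallet, rows in by_wallet.items():
        rows.sort()
        for i in range(1, len(rows)):
            gap = rows[i][0] - rows[i - 1][0]
            if gap < MIN_DORMANCY:
                continue
            # Value moved in the window that opens when the wallet wakes up.
            burst_end = rows[i][0] + BURST_WINDOW
            burst = sum(usd for ts, usd in rows[i:] if ts <= burst_end)
            if burst >= MIN_BURST_USD:
                flagged[wallet] = (gap, burst)
                break
    return flagged

# Constructed sample data (wallet names, dates and amounts are invented).
T0 = datetime(2026, 1, 1)
WAKE = T0 + timedelta(days=8)
SAMPLE = [("new_then_drain", T0, 5)]
SAMPLE += [("new_then_drain", WAKE + timedelta(minutes=m), 2_000_000)
           for m in (0, 4, 8, 12)]
SAMPLE += [("steady", T0 + timedelta(days=d), 50_000) for d in range(10)]
SAMPLE += [("sleepy_small", T0, 10),
           ("sleepy_small", T0 + timedelta(days=30), 200)]

def run_sample():
    return dormancy_spikes(SAMPLE)

if __name__ == "__main__":
    for wallet, (gap, usd) in run_sample().items():
        print(wallet, gap, usd)
```

Only the wallet that combines a long silence with a high-value burst is flagged; steady volume and a small wake-up transfer are both ignored.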
The rapid_relay_mule 83 captures wallets in laundering chains where funds enter and exit within minutes, with no behavioral indication of legitimate usage. The mule_chain 100 captures wallets that participate as intermediate hops in longer laundering chains. Together with counterparty_funnel and same_amount_batch, the behavioral categories produce the operational structure for detecting laundering operations like the DSJ Exchange chain (Tokenlon → Bridgers → Butter Network → USDT0 → USDD), the Drift attacker's CCTP routing, and the KelpDAO Umbra Cash splits.
Monthly intelligence-flag ingestion since December 2025:

- December 2025: not separately broken out in our quick query
- February 2026: 287,298
- March 2026: 49,502
- April 2026: **1,077,465** — the surge
- May 2026 (through May 15): 16,912

April 2026 ingested approximately 22 times more flags than March 2026. The composition of the April surge:

- scam: 560,391
- criminal: 135,471
- suspicious: 125,257
- ransomware: 102,911
- entity: 40,773
- phishing: 39,682
- sanctions: 7,257 (one month of sanctions designations — the highest monthly cadence in our records)
- frozen_stablecoin: 11,797 (one month of stablecoin freezes)
- terrorist_financing: 844
- address_poisoning: 288 (one month of address-poisoning detections)

The April surge maps to multiple real-world events:

- The April 18 KelpDAO exploit ($292M, Lazarus-attributed) produced direct flag-level entries for the attacker cluster and downstream cash-out addresses.
- The April 1 Drift Protocol exploit ($285M) produced similar downstream propagation.
- The April 23 EU 20th sanctions package adoption and April 23-27 OFAC Iran updates produced sanctions-category flags.
- The April 23 Tether $344 million Iran freeze produced frozen_stablecoin entries.
- The April 23 DOJ Shunda Park indictment plus 503 fake-domain seizures produced scam-category flags at the upstream level (the domains themselves) and downstream propagation (the wallets the domains directed victims to).

In aggregate: April 2026 was the most enforcement-intensive single month of 2026 to date. The flag ingestion mirrors the enforcement activity.
Sanctioned addresses by chain (active, source-of-truth subset):

- bitcoin: 16,002
- ethereum: 4,493
- tron: 2,073
- arbitrum: 331
- polygon: 326
- litecoin: 171
- solana: 68
- monero: 16
- dash: 14
- zcash: 9

The sanctions concentration ratio (sanctioned / total entity-labels per chain):

- Bitcoin: 16,002 / 10,112,582 = 0.16 percent
- Ethereum: 4,493 / 236,075 = 1.9 percent
- TRON: 2,073 / 19,227 = **10.8 percent**

TRON's sanctions concentration is approximately 68 times higher than Bitcoin's and 5.7 times higher than Ethereum's. The structural reading: TRON's user base in our attribution dataset is disproportionately criminal. This is consistent with TRON's role as the dominant USDT TRC-20 rail for pig butchering, sanctions evasion (Iran, A7A5), and Cambodian-compound flows.
Frozen stablecoin addresses by chain:

- TRON: 8,918 (75 percent)
- Ethereum: 3,110 (26 percent)
- Other chains: less than 10 combined

Three-quarters of stablecoin freezes happen on TRON. This is structurally the consequence of where the illicit-flow concentration lives — Tether's freeze tooling acts on the chain where the flagged addresses are, and TRON is where the flagged addresses are.
The Sanctuary dataset is one of dozens of crypto-AML datasets operating in 2026. It is not the largest by raw attribution count (Chainalysis exceeds 50 billion address-attribution-records by their own claims; TRM Labs operates at similar scale). What it produces operationally is consistent, behaviorally-derived risk scoring that combines external-designation propagation (sanctions, blacklists, ransomware leaks) with on-chain behavioral detection (dust_flood, dormancy_spike, mule_chain).
For a CASP or OTC desk integrating Sanctuary, the screening API returns:

- The address's direct entity-label match (if any)
- Propagated risk from upstream hops (configurable hop depth)
- Behavioral signature flags from the on-chain pattern detector
- Cross-chain edge attribution where the address has bridge exposure
- Freeze-pipeline status (frozen / not frozen / freeze candidate)

The composite score is the output. The 1.43 million intelligence flags are the source data the composite operates against.
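
Hop-limited propagation of risk from flagged addresses to downstream wallets can be sketched as below. This is an added example, not Sanctuary's scoring code: the halving decay per hop, the base scores and every address name are assumptions.

```python
from collections import deque

def propagate(edges, flagged, max_hops=2, decay=0.5):
    """edges: (sender, recipient) transfers. flagged: {address: base_score}.
    Returns {address: (score, hops, source)} for every address within
    max_hops downstream of a flagged one; direct matches have hops == 0.
    decay is an assumed per-hop multiplier, not a documented parameter."""
    downstream = {}
    for sender, recipient in edges:
        downstream.setdefault(sender, set()).add(recipient)
    best = {addr: (score, 0, addr) for addr, score in flagged.items()}
    queue = deque((addr, score, 0, addr) for addr, score in flagged.items())
    while queue:
        addr, score, hops, source = queue.popleft()
        if hops == max_hops:
            continue  # configurable hop depth reached
        for nxt in sorted(downstream.get(addr, ())):
            cand = (score * decay, hops + 1, source)
            # Keep only the strongest exposure seen for each address.
            if nxt not in best or cand[0] > best[nxt][0]:
                best[nxt] = cand
                queue.append((nxt, *cand))
    return best

# Constructed sample graph: names stand in for addresses.
EDGES = [("depositor", "a"), ("a", "b"), ("b", "c"), ("c", "d"),
         ("sanctioned", "b"), ("clean", "e")]
FLAGGED = {"depositor": 0.5,    # e.g. a tornado_cash_depositor flag
           "sanctioned": 1.0}   # e.g. a sanctions-list match

def run_sample(max_hops=2):
    return propagate(EDGES, FLAGGED, max_hops=max_hops)

if __name__ == "__main__":
    for addr, (score, hops, source) in sorted(run_sample().items()):
        print(f"{addr:11s} score={score:<6} hops={hops} via {source}")
```

Wallet `b` is reachable from both flagged sources and keeps the stronger one-hop sanctions exposure; `d` sits three hops out and is not scored at depth 2.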
10.58 million entity labels. 1.43 million intelligence flags. The April 2026 enforcement surge produced 1.08 million flags in one month. Behavioral signatures captured the same on-chain patterns that drove the year's largest exploits.
For compliance teams in 2026: the dataset that screens your customer flows is itself the operational artifact. Audit which sources your vendor uses, how the propagation works, which behavioral detectors fire, and what the freeze-pipeline coverage looks like. The dataset is the screening. The screening is the decision.
Read the ledger. The patterns are visible. The decisions follow.