# Behavioral risk screening (concepts)
Educational reference only. Heuristic alerts are not proof of crime. Investigate with crypto-investigation-compliance, address-clustering-attribution, and on-chain evidence. For label-based exposure (sanctions, scam tags), see risk-exposure-screening-concepts. Product specifics live in your vendor docs (phalcon-compliance-documentation where applicable).
## Behavioral Risk Engine (idea)
A behavioral risk engine flags suspicious transaction patterns using statistics and rules (thresholds, windows, frequencies) rather than—or in addition to—static address labels. Baselines may be global, peer-group, or customer-specific. False positives are common; triage before escalation.
## Address-level behavior (common templates)
Many compliance stacks offer address-centric rules similar to the following:
| Template | What it approximates | Notes |
|---|---|---|
| Large-value transfers | Outbound or aggregate volume far above a typical-user or rolling baseline | Often uses USD notional at observation time; threshold is configurable. |
| High-frequency transfers | Many transfers in a short window, sometimes many just below a reporting or alert threshold (“structuring-like” pattern in traditional AML language) | Requires count and time bounds; may filter by asset. |
| Transit / pass-through | Address receives then sends most funds quickly, acting as an intermediary | Used as a layering-style signal; legitimate payment processors can resemble this—context matters. |
Illustrative scenarios (hypothetical):
- A wallet sends a single outbound transfer whose notional is far above the configured large-value threshold.
- An address sends fifteen transfers of just under a chosen threshold within 24 hours.
- An address receives a large amount and forwards nearly all of it within minutes to other addresses.
Use valid chain identifiers in real work; examples here stay generic to avoid implying real flagged wallets.
## Transaction-level behavior (common templates)
At single-transaction granularity, platforms often add:
| Template | What it approximates | Notes |
|---|---|---|
| Large-value transfer | Transfer amount exceeds a user-defined notional cap | May apply per asset, per corridor, or per counterparty class. |
| Rapid transit | Funds leave shortly after arrival along a monitored path (same tx chain or multi-hop within a time window) | “Rapid” is policy-defined (for example within N minutes). Overlaps with transit heuristics at graph level. |
Illustrative scenario: a transfer exceeds a $100k policy threshold, or value moves A → B within five minutes while policy treats ten minutes as the rapid-transit window.
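The address-level and transaction-level templates above, implemented as an added example (not code from this skill or from any vendor product): a small rule engine in Python that runs the large-value, rolling-volume, near-threshold-burst and rapid-transit rules over a constructed list of transfers and groups the alerts per address. The `Transfer` record shape, every value in `POLICY`, and the sample addresses, transaction ids and amounts are assumptions chosen for the example; a real deployment takes thresholds from policy and baselines from observed data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    """Assumed record shape for one observed transfer, not a vendor schema."""
    tx_id: str
    ts: datetime
    src: str
    dst: str
    usd: float  # USD notional at observation time

# Policy knobs: constructed values for this example, not a product default.
POLICY = {
    "large_value_usd": 100_000.0,       # transaction-level notional cap
    "address_volume_usd": 200_000.0,    # address-level rolling outbound baseline
    "window": timedelta(hours=24),      # rolling window for volume/frequency rules
    "report_threshold_usd": 10_000.0,   # threshold the frequency rule watches
    "near_band": 0.10,                  # "just below" = within 10% under it
    "min_near_count": 5,                # band transfers in one window to alert
    "transit_window": timedelta(minutes=10),  # policy-defined "rapid"
    "transit_ratio": 0.90,              # share of inbound value forwarded
}

def _peak_in_window(transfers, window, weight):
    """Per source address, the largest sum of weight(t) over any rolling window."""
    by_src = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        by_src[t.src].append(t)
    peaks = {}
    for addr, outs in by_src.items():
        lo, running = 0, 0.0
        for hi, t in enumerate(outs):
            running += weight(t)
            while t.ts - outs[lo].ts > window:  # slide the window forward
                running -= weight(outs[lo])
                lo += 1
            peaks[addr] = max(peaks.get(addr, 0.0), running)
    return peaks

def large_value(transfers, policy=POLICY):
    """Transaction-level: a single transfer above the notional cap."""
    return [t.tx_id for t in transfers if t.usd > policy["large_value_usd"]]

def rolling_outbound(transfers, policy=POLICY):
    """Address-level: aggregate outbound volume in one window above baseline."""
    peaks = _peak_in_window(transfers, policy["window"], lambda t: t.usd)
    return sorted(a for a, v in peaks.items() if v > policy["address_volume_usd"])

def near_threshold_bursts(transfers, policy=POLICY):
    """Address-level: many transfers just under the reporting threshold in one window."""
    thr = policy["report_threshold_usd"]
    in_band = [t for t in transfers if thr * (1 - policy["near_band"]) <= t.usd < thr]
    peaks = _peak_in_window(in_band, policy["window"], lambda t: 1)
    return {a: int(v) for a, v in peaks.items() if v >= policy["min_near_count"]}

def rapid_transit(transfers, policy=POLICY):
    """Transit / rapid transit: an address forwards most of an inbound amount within
    the transit window. Simplification: outflows are compared in total, not matched
    one-to-one to inflows, so overlapping inbounds can share the same outflows."""
    outs = defaultdict(list)
    for t in transfers:
        outs[t.src].append(t)
    hits = []
    for inbound in transfers:
        deadline = inbound.ts + policy["transit_window"]
        forwarded = sum(o.usd for o in outs[inbound.dst]
                        if inbound.ts <= o.ts <= deadline)
        ratio = forwarded / inbound.usd if inbound.usd else 0.0
        if ratio >= policy["transit_ratio"]:
            hits.append((inbound.dst, inbound.tx_id, round(ratio, 2)))
    return hits

def screen(transfers, policy=POLICY):
    """Run every rule and group alerts per address, so rules that fire on the same
    fact pattern are reviewed together instead of being counted twice."""
    alerts = defaultdict(list)
    by_tx = {t.tx_id: t for t in transfers}
    for tx_id in large_value(transfers, policy):
        alerts[by_tx[tx_id].src].append(("large_value_tx", tx_id))
    for addr in rolling_outbound(transfers, policy):
        alerts[addr].append(("large_outbound_volume", None))
    for addr, n in near_threshold_bursts(transfers, policy).items():
        alerts[addr].append(("near_threshold_burst", n))
    for addr, tx_id, ratio in rapid_transit(transfers, policy):
        alerts[addr].append(("rapid_transit", (tx_id, ratio)))
    return dict(alerts)

# Constructed sample activity: addresses, ids and amounts are invented.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    Transfer("tx1", T0, "addrA", "addrX", 150_000.0),  # single large transfer
    Transfer("tx2", T0 + timedelta(minutes=60), "addrA", "addrX", 90_000.0),  # 24h volume now over baseline
    # six sends from addrB, each just under the reporting threshold, within an hour
    *[Transfer(f"tx_b{i}", T0 + timedelta(minutes=10 * i), "addrB", f"addrR{i}", 9_500.0 + 50 * i)
      for i in range(6)],
    Transfer("tx_in", T0 + timedelta(minutes=30), "addrP", "addrC", 80_000.0),
    Transfer("tx_out1", T0 + timedelta(minutes=32), "addrC", "addrQ", 40_000.0),
    Transfer("tx_out2", T0 + timedelta(minutes=34), "addrC", "addrS", 36_000.0),  # 95% forwarded in 4 min
    Transfer("tx_n1", T0 + timedelta(minutes=40), "addrD", "addrE", 1_200.0),  # ordinary activity
]

if __name__ == "__main__":
    print(screen(SAMPLE))
```

Calling `screen(SAMPLE)` shows the co-firing case the page warns about: addrA triggers both the single large transfer rule and the rolling-volume rule on the same two transfers, which an analyst should write up as one narrative rather than two findings. The rapid-transit rule deliberately compares totals within the window; a production engine would match specific inflows to outflows or walk multi-hop paths, which is where the graph-level transit heuristic and the per-transaction rule overlap.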
## Relationship to exposure screening
| Engine style | Focus |
|---|---|
| Exposure (see risk-exposure-screening-concepts) | Who the funds touched—labels, hops, taint-style exposure. |
| Behavioral (this skill) | How the address or tx behaves—size, speed, frequency, pass-through timing. |
Both may fire together; analysts should reconcile narratives and avoid double-counting the same fact pattern.
## Guardrails
- Do not assist with structuring advice to evade reporting thresholds or gaming monitoring rules.
- Do not treat alerts as adverse media or legal findings without case-level review.
- Legitimate businesses (payroll, market makers, bridges) can trigger behavioral rules—use corroboration and off-chain context when available.
Goal: shared vocabulary for behavioral AML-style pattern concepts aligned with common commercial monitoring templates, without binding any specific product configuration.