TL;DR: On-chain data gives investors real-time visibility into token movement, holder concentration, service usage, liquidity, and market composition, according to Chainalysis, which uses those metrics to compare a sampling of crypto assets. That shifts crypto risk assessment from narrative-driven judgment to evidence-based analysis, especially for compliance, market surveillance, and fraud monitoring.
At a glance
What this is: This report argues that on-chain data lets practitioners assess crypto assets with real-time visibility into token distribution, liquidity, market composition, and participant behavior.
Why it matters: It matters because identity, fraud, and compliance teams need evidence when deciding whether activity patterns reflect legitimate market use, concentration risk, or laundering pressure.
By the numbers:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
👉 Read Chainalysis' report on on-chain data for crypto asset risk assessment
Context
Cryptocurrency asset assessment depends on evidence that is visible in the network itself, because market structure and participant behaviour are harder to infer from disclosures alone. On-chain data provides that evidence by showing how tokens move, how concentrated holdings are, which services are being used, and where liquidity sits, all of which matter for risk, compliance, and fraud analysis.
For practitioners in financial crime, AML, and digital asset oversight, the governance question is not whether blockchain data exists, but whether it is being used systematically enough to support decisions. That makes the report relevant to identity-adjacent programmes too, because exchange access, wallet clustering, and service usage can all reveal patterns of trust, control, and abuse.
Key questions
Q: How should compliance teams use on-chain data in crypto risk assessments?
A: Compliance teams should use on-chain data as an evidence layer for token movement, concentration, liquidity, and service interaction, then combine it with KYC, sanctions, and transactional monitoring. The goal is to separate normal market behaviour from patterns that suggest laundering, fraud, or manipulation. On-chain data is most useful when it feeds a documented triage process, not when it sits in a standalone dashboard.
Q: Why does token concentration matter for crypto governance?
A: Token concentration matters because a small number of holders can distort market behaviour, amplify volatility, and increase the likelihood of coordinated manipulation. High concentration also reduces confidence that the asset is broadly distributed or resilient. For governance teams, concentration is a risk signal that should shape listing reviews, exposure limits, and ongoing monitoring.
Q: What do security teams get wrong about blockchain analytics?
A: Teams often assume blockchain analytics is enough on its own. In reality, on-chain data shows movement and relationships, but it rarely explains intent without identity, account, and service context. The strongest programmes combine transaction analysis with fraud controls, AML rules, and clear escalation criteria so analysts can convert visibility into decisions.
Q: How can organisations tell when crypto risk is becoming operational?
A: Crypto risk becomes operational when concentration, liquidity, service patterns, or wallet clustering start influencing real decisions about custody, listing, investigation, or reporting. At that point, the issue is no longer abstract market research. It has become a control problem that needs ownership, thresholds, and repeatable review steps.
Technical breakdown
How on-chain data changes crypto risk assessment
On-chain data is transaction and balance information recorded on a blockchain that can be analysed without relying on an intermediary's disclosures. In practice, it supports visibility into token distribution, liquidity, and market composition, which are all signals that traditional asset data usually obscures. The technical value lies in traceability and timeliness: analysts can observe movement, concentration, and service interactions as they happen rather than waiting for periodic reporting. That does not prove intent on its own, but it does create a defensible evidence base for screening and monitoring.
Practical implication: use on-chain analytics to supplement, not replace, KYC, AML, and market surveillance controls.
Token distribution and liquidity as governance signals
Token distribution measures how ownership is spread across holders, while liquidity shows how easily an asset can be traded without major price distortion. Together, they help distinguish healthy market activity from concentration risk or engineered volatility. If a small number of wallets control a large share of supply, a token may be more exposed to manipulation, coordinated dumping, or governance capture. If liquidity is thin, suspicious trades can have outsized impact and reduce the usefulness of traditional price-based monitoring.
Practical implication: treat concentration and liquidity thresholds as part of risk triage for listings, trading permissions, and ongoing monitoring.
Market composition and participant behaviour in crypto
Market composition looks at which services, wallets, and transaction patterns make up the ecosystem around a token. This matters because service usage can reveal whether activity is concentrated in exchanges, bridges, mixers, or other high-risk pathways. For investigators and compliance teams, the pattern is often more important than any single transaction. Repeated interaction with risky services, or abnormal movement through clustered wallets, can indicate laundering attempts, fraud proceeds, or synthetic activity that needs escalation.
Threat narrative
Attacker objective: The attacker objective is to convert or conceal illicit value while preserving enough market plausibility to avoid detection.
- Entry begins when criminals place illicit funds, scam proceeds, or manipulated tokens into a market structure that can still look normal at first glance.
- Escalation occurs as they route value through exchanges, OTC desks, bridges, or clustered wallets to obscure provenance and exploit gaps in monitoring.
- Impact follows when investigators, exchanges, or compliance teams miss the behavioural pattern and allow laundering, fraud conversion, or market manipulation to continue.
NHI Mgmt Group analysis
On-chain visibility is now a governance control, not just an analytics layer. The report's core point is that crypto risk cannot be managed by looking only at price, custody, or exchange disclosures. Token movement, holder concentration, and service usage are operational signals that compliance and fraud teams need to interpret. For practitioners, that means on-chain evidence belongs inside governance workflows, not as a specialist afterthought.
Crypto asset risk assessment is only as strong as the monitoring model behind it. On-chain analysis improves what can be seen, but it does not remove the need for control design, escalation thresholds, and investigative ownership. Without clear case handling rules, even strong analytics produce noise instead of action. Practitioners should treat on-chain telemetry as a decision input that needs policy, not as a standalone answer.
Concentration and liquidity are the closest thing crypto has to access-control context. When a small number of wallets dominate supply or liquidity is shallow, market behavior becomes easier to distort and harder to trust. That makes distribution metrics relevant to market integrity, not just trading strategy. For compliance teams, the practical question is whether a token's structure creates a higher abuse surface before the first suspicious transaction ever appears.
Identity-adjacent controls matter because crypto abuse often travels through trusted services. Exchanges, OTC desks, bridges, and wallet providers sit at the boundary between legitimate use and laundering pathways. That is where identity verification, account monitoring, and transaction screening intersect. For practitioners, this means the strongest crypto controls combine on-chain analytics with identity and service-level governance, especially where high-risk flows are involved.
Crypto governance is moving toward evidence-based triage. The report reflects a broader shift away from narrative due diligence and toward measurable signals that can be defended to regulators and auditors. That does not eliminate uncertainty, but it narrows it. Practitioners should expect risk scoring for digital assets to become more operational, more repeatable, and more dependent on traceable network behavior.
What this signals
Crypto analytics is becoming a governance discipline, not a niche investigative skill. As token distribution and liquidity become more central to risk decisions, teams will need clearer rules for when an on-chain signal becomes a compliance event. That means building escalation criteria now, before analysts are forced to interpret the same pattern differently across cases.
Identity and transaction controls will increasingly converge at service boundaries. Exchanges, OTC desks, and wallet platforms are where trust decisions become operational, and that is where KYC, authentication, monitoring, and fraud review need to meet. Programmes that keep these functions separate will struggle to explain risk coherently to auditors or regulators.
Asset risk models should be treated as living controls. On-chain behaviour changes quickly, and so should the thresholds used to classify liquidity, concentration, and suspicious routing. Practitioners who keep static review models will miss the shift from theoretical exposure to actionable abuse.
For practitioners
- Use on-chain metrics in listing and exposure decisions Require token distribution, liquidity, and service composition review before approving trading, custody, or product exposure. Treat abnormal concentration or thin liquidity as a risk flag, not just a market statistic.
- Define escalation thresholds for suspicious wallet behaviour Document when clustered wallet activity, repeated bridge usage, or unusual service routing should move from monitoring to investigation. Build the thresholds into compliance playbooks so analysts do not improvise case by case.
- Combine blockchain analytics with identity controls Correlate wallet-level signals with KYC data, account behaviour, and service authentication records where available. This helps distinguish legitimate customer activity from laundering patterns that only become visible when identity and transaction data are combined.
- Separate market risk from financial crime risk Create distinct review paths for volatility, manipulation, sanctions exposure, and laundering indicators. A single dashboard should not force every signal into one severity model, because the response for each risk type is different.
Key takeaways
- On-chain data turns crypto risk assessment into an evidence-led discipline by exposing token movement, liquidity, and concentration patterns directly.
- The main governance challenge is not data scarcity but converting behavioural signals into repeatable compliance and fraud decisions.
- Practitioners should combine blockchain analytics with identity, KYC, and escalation controls before suspicious patterns become operational incidents.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Ongoing monitoring of network and service activity fits the article's evidence-led risk model. |
| NIST SP 800-53 Rev 5 | AU-6 | The report depends on reviewing and correlating activity evidence for compliance decisions. |
| CIS Controls v8 | CIS-8 , Audit Log Management | Auditability is central to turning blockchain visibility into defensible control evidence. |
Use on-chain signals as continuous monitoring inputs and escalate deviations through defined response workflows.
Key terms
- On-chain data: Data recorded directly on a blockchain, including transfers, balances, and contract interactions. It provides a time-stamped view of activity that can be analysed without depending on a service provider's narrative, making it useful for tracing risk, behaviour, and market structure.
- Token distribution: The spread of token ownership across holders and wallets. Distribution helps analysts understand whether an asset is broadly held or concentrated in a few addresses, which affects manipulation risk, market resilience, and the credibility of governance signals.
- Liquidity: The ease with which an asset can be bought or sold without causing large price movement. In crypto, liquidity is a practical risk indicator because thin markets are easier to distort, harder to monitor, and more likely to hide abnormal trading or laundering patterns.
- Wallet clustering: The practice of grouping wallets that likely belong to the same actor based on transaction behaviour, timing, or shared service use. It helps investigators move from isolated addresses to behavioural patterns, which is often necessary to detect fraud, laundering, or coordinated market activity.
What's in the full report
Chainalysis' full report covers the operational detail this post intentionally leaves for the source:
- Example metrics for token distribution, liquidity, and market composition across sampled crypto assets
- The report's comparative method for judging opportunity and risk across different tokens
- The underlying research framing for how on-chain data supports law enforcement and compliance decisions
- The specific case-study detail behind the market trends summarized here
👉 The full Chainalysis report includes the example metrics and token comparisons behind this analysis.
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course. Explore nhimg.org for resources that connect identity governance to the broader security disciplines your programme depends on.
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org