© 2026 AnChain.AI. All Rights Reserved | Privacy Policy
This is the first time a blockchain analytics provider has shared consumer-grade, global-scale crypto wallet insights.
In cryptocurrency, risk unfolds in seconds. A single signature can irreversibly route funds to a sanctioned wallet, malicious smart contract, or exploit infrastructure. There are no reversals—only the opportunity to stop it before execution.
Through its integration with MetaMask, AnChain.AI deploys real-time risk screening directly within the wallet via Snaps. For the first time, we are sharing customer-grade, global-scale insights into decentralized wallet activity, based on live risk signals from 17,000+ MetaMask installations. This integration brings institutional-grade AML and fraud prevention into the transaction flow—before users click “Confirm.”
Key highlights:
From the anonymous telemetry collected from 17K MetaMask Snap installs, AnChain.AI team has helped users avoid signing 1,300 high‑risk transactions via real time pre‑transaction screening.
“High‑risk” includes interactions with known scam infrastructure, hacker‑linked clusters, and sanctions exposure
In 2025, One anonymous Metamask wallet owner in the United States, was about to pay this Ethereum wallet address 0xd882cfc20f52f2599d84b8e8d58c7fb62cfe344b. With the Anchain.ai integration with Metamask Snap, the pre-transaction screen was conducted in real time within 1 second, and alerting the users it’s a suspicious address.
It turns out this wallet is owned by SECONDEYE SOLUTION (SES) (link) is a sanctioned entity identified by the Office of Foreign Assets Control as a provider of synthetic identities and fake documents. It enabled actors—linked to Russian influence operations—to open accounts and move funds while hiding their real identities. This makes any interaction with it high-risk and prohibited. We are fortunate that this Ethereum transaction was blocked by AnChain.AI , to prevent the user from losing their crypto assets.
More intelligence and context can be found on the AnChain.AI CISO platform, the leading blockchain analytics platform. https://ciso.anchainai.com/s/5zb9wNjYOWQ
In 2025, over $2B+ in crypto fraud and exploits were recorded, increasingly driven by AI-enabled attacks (deepfakes, LLM-assisted scams). Across MetaMask activity, the highest-risk transactions consistently involve malicious contracts, address poisoning, and sanctioned wallets.
In crypto, failure happens in one step: the signature. Once executed, it’s irreversible. At the same time, attackers are moving faster across DeFi, and even nation-state actors are using crypto for sanctions evasion. A recent example is Iran’s use of Bitcoin and USDT stablecoins to charge tolls for oil shipments through the Strait of Hormuz, explicitly designed to bypass traditional financial controls.
The takeaway is simple: risk must be detected before signing—when prevention is still possible.
AnChain.AI’s Web3 Security Snap integrates directly into MetaMask, enabling real-time risk screening in the transaction confirmation flow. It has 17,000+ installs and ranks among the most widely adopted security Snaps. Install from the official MetaMask website.
When a user initiates a transaction in MetaMask wallet:
The output includes:
This counterparty lens is critical. Most losses occur not from sending funds to the wrong person—but from interacting with the wrong contract.
We take a deep dive into the AnChain.AI x MetaMask telemetry log data, and reveal interesting facts, not just in the risk management, but even global cryptocurrency adoption trends, multi-chain ecosystem, and more:
1. Crypto wallet adoption is global
Heavy representation across Asia (South Korea, Indonesia, India, Turkey) and Europe shows wallets like MetaMask are now mainstream, retail-driven, and cross-border.
2. Prevention must happen in real time
When transactions settle instantly, post-transaction monitoring is too late. This data underscores why pre-transaction screening, such as AnChain.AI’s real-time risk API, is becoming a critical control—operating directly at the wallet layer, at global scale.
3. The edge is the control point
Based on the IP analysis, MetaMask request log is dominated by consumer ISPs, with little cloud infrastructure presence. This indicates activity from real users on decentralized wallets, not backend systems—making the moment of signing the only place where risk can be stopped.
Our logs observe wallet activity from 68 countries, underscoring truly global adoption of MetaMask crypto wallet coverage.
The distribution spans Asia, Europe, and emerging markets, indicating that decentralized wallet usage is broadly distributed across diverse geographies.
We further break down IP geolocation to the Autonomous System Number (ASN) level—network identifiers that map activity to specific ISPs, mobile carriers, and enterprise networks—allowing us to go beyond country-level insights and understand where wallet activity is actually originating. This provides a clearer signal of behavior, distinguishing real end-user traffic from cloud or infrastructure sources and revealing how decentralized wallet usage is distributed across global networks.
Ethereum accounts for ~14.9% of MetaMask activity, followed by Linea (7.9%) and Arbitrum (6.7%). Beyond these leaders, the data shows a long tail of 10+ EVM-compatible L1 and L2 networks, indicating a rapidly expanding ecosystem where user activity is increasingly distributed across multiple chains rather than concentrated on a single network.
We mapped all API request logs into a 24×7 heatmap to understand aggregated MetaMask user behavior.
Activity is clearly weekday-driven, with 75.4% of requests occurring Monday–Friday.
Thursday emerges as the most active day (15.65%), and the busiest hour is 12:00–13:00 UTC (6.32%), with a peak concentration at Thursday 14:00 UTC (~1.3%).
The temporal pattern aligns closely with daytime hours in Europe to West Asia (UTC+1 to UTC+4), while still reflecting a globally distributed user base. This is consistent with earlier geolocation signals, where activity clusters around regions such as South Korea, Turkey, Ukraine, and Indonesia—indicating a mix of overlapping time zones rather than a single dominant market.
Microsoft Windows accounts for ~77% of MetaMask wallet installs, followed by Apple macOS at ~22%. This distribution reinforces that MetaMask usage is primarily consumer, desktop-driven, rather than mobile- or infrastructure-based.
AnChain.AI’s Data API is designed for decisioning at the transaction boundary.
Core architecture:
The risk scoring layer uses Gradient Boosted Tree models over:
The system returns explainable outputs, not black-box scores—enabling auditability and human decision-making. Production performance targets ~150ms TP95, ensuring no friction in the signing experience.
This is the first time a blockchain analytics provider has shared consumer-grade, global-scale crypto wallet insights. That visibility comes with a clear constraint: privacy cannot be compromised.
This approach aligns with the design of MetaMask. Its parent company, ConsenSys, states that it does not collect private keys, does not sell personal data, and only processes IP addresses transiently when required (e.g., for basic functionality, DDoS protection, or regulatory compliance). MetaMask Snaps further enforce strict isolation. They run inside a sandboxed Secure ECMAScript (SES) environment, with no DOM access and tightly permissioned network calls. Every Snap, including AnChain.AI’s, must pass a rigorous security review before deployment.
The result is a model where security is delivered at the transaction layer, without exposing user identity—enabling real-time protection while preserving the core privacy guarantees of Web3.
Regulatory expectations around crypto payment rails are tightening. In April 2026, the U.S. Department of the Treasury outlined proposed rules to implement the GENIUS Act, extending AML and sanctions compliance requirements to payment stablecoin issuers.
Globally, the Financial Action Task Force continues to monitor adoption of AML/CFT standards for virtual assets and VASPs, noting measurable progress since 2024 alongside persistent gaps.
As crypto usage scales—particularly amid geopolitical volatility—prevention at the wallet layer is becoming baseline infrastructure, not an advanced capability.
🦊 MetaMask users can install the AnChain.AI Web3 Security Snap to enable real-time protection directly in the transaction flow:
https://snaps.metamask.io/snap/npm/web3-security-snap/
👷♂️For builders and platforms, explore the AnChain.AI Data API to integrate real-time risk screening into payments and exchanges:
https://www.anchain.ai/data 🚀
© 2026 AnChain.AI. All Rights Reserved | Privacy Policy