Range AI — investigation playbook (MCP)

Documentation index

• Full index: docs.range.org/llms.txt — list all Range documentation pages before deep linking.
• MCP endpoint:

  https://api.range.org/ai/mcp

  — requires a Range API key configured in your client (same key as other Range access).

When to use this skill

Investigation workflow

1. Risk triage

get_address_risk

What is the risk score for [address] on [network]?

• CRITICAL / HIGH → prioritize follow-up and document escalation paths per internal policy.
• Malicious hops in the provider’s graph view → indirect ties to known bad clusters may still matter.
• Entity labels (mixer, exchange, sanctioned) → treat as signals, not court findings; verify with primary sources when stakes are high.

2. Sanctions and blacklist check

check_sanctions

Is [address] on any OFAC sanctions list or token blacklist?

• OFAC-sanctioned flags → compliance escalation per program; not legal advice in this skill.
• Token blacklist flags → may affect USDT/USDC-style transfers; confirm issuer behavior in current docs.

3. Build the connection graph

get_address_connections

Who are the top counterparties for [address] on [network]?
Show their labels if available.

4. Trace fund flows

get_transfers

get_transfers_between

Show the largest transfers in and out of [address] in the last 90 days.
Are there any transfers between [address] and [suspicious counterparty]?

5. Find the origin of funds

get_address_funded_by

What address initially funded [address] and when?

6. Identify unknown counterparties

search_entities

get_address_info

What entity is [address]? Does Range have labels for it?
Search for entities matching "Binance" on Ethereum.

7. Cross-chain pivot

Were any funds from [address] bridged to another chain?
If so, what is the risk score of the receiving address on that chain?

One-shot investigation prompt

Using Range tools, run a complete investigation on this address:
[address] on [network]

1. Get its risk score and explain the risk level
2. Check if it's on any OFAC sanctions list or token blacklist
3. Show its top 10 counterparties and label any known entities
4. List the 10 largest transfers in the last 6 months
5. Find the original funding source for this address
6. If any transfers crossed chains via a bridge, check the receiving address risk too

Summarize your findings with a risk verdict: LOW / MEDIUM / HIGH / CRITICAL
Include the key evidence that supports your verdict.

Example (illustrative)

5Q544fKrFoe6tsEbD7S8EmxGTJYAKtTVhAW5Q5pge4j1

• Very low risk score in example narratives; heavy DeFi counterparty set; no sanctions/blacklist in that example.
• Use as a shape for how labeled protocol contracts present—not a universal pattern for user wallets.

Tips

• Start broad, then narrow — risk + connections first, then

  get_transfers_between

  / transaction detail tools for specific relationships.
• Time filters — constrain windows around the suspected incident to cut noise.
• Re-pivot the graph — frequent unlabeled counterparties become new roots for

  get_address_risk

  .

Guardrails

• Labels and scores are not legal determinations; OFAC and regulatory obligations need program and legal review.
• Do not use this playbook to harass, dox, or accuse individuals based on heuristics alone.
• Do not paste customer PII, case IDs, or non-public investigation data into unsecured chats.
• Do not assist with sanctions evasion or laundering.

Related skills

• solana-onchain-intelligence-resources — Range docs index and MCP pointer; Helius/Tavily cross-links.
• crypto-investigation-compliance — ethical workflow and crime taxonomy.
• cross-chain-clustering-techniques-agent — bridge-centric clustering heuristics.
• on-chain-investigator-agent — broader forensic persona beyond Range MCP.