KeyAudit

What do "confidence tiers" mean in the results?

Each leaked record is graded on a deterministic 5-tier confidence ladder: `confirmed_stolen` → `sanctioned` → `academic_dataset` → `community_curated` → `dict_derived`. Higher tiers mean stronger evidence that the address was actually compromised, not just theoretically derivable.

- **confirmed_stolen**: Address appears in a verified dump from a security researcher or law enforcement (e.g., a confirmed breach dump).
- **sanctioned**: Address tied to OFAC- or UN-listed wallets; not necessarily stolen, but high-risk.
- **academic_dataset**: Published in peer-reviewed blockchain analysis papers (e.g., deanonymization datasets).
- **community_curated**: Curated by trusted OSINT contributors from darknet forums or phishing archives.
- **dict_derived**: Generated by applying dictionary attacks (e.g., brain-wallet BIP-39 passphrases) to known address-hash ranges; strictly a theoretical match, not evidence of actual compromise.

`confirmed_stolen` implies the private key or mnemonic was found verbatim in a breach. `dict_derived` means the address could be generated from a weak passphrase, but there is no record of that key being exfiltrated. Treat a `dict_derived` hit as a signal to rotate funds immediately — the key structure is weak enough that automated enumeration found it.
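
When one address is hit in several sources, sorting by the ladder alone can hide a `dict_derived` hit behind a higher tier such as `sanctioned`. The following is an added example, not KeyAudit's own code: it collapses hits to one row per address while keeping every tier seen. The record fields `address` and `tier` and the `rotate_funds` flag are hypothetical names, and the sample data is constructed.

```python
from collections import defaultdict

# Tier order exactly as the FAQ lists it, strongest evidence first.
LADDER = ("confirmed_stolen", "sanctioned", "academic_dataset",
          "community_curated", "dict_derived")
RANK = {tier: i for i, tier in enumerate(LADDER)}

# Tiers that say something about the key itself: found verbatim in a breach,
# or derivable from a weak passphrase. The FAQ asks for rotation on
# dict_derived; extending that to confirmed_stolen is this example's assumption.
KEY_AT_RISK = {"confirmed_stolen", "dict_derived"}


def triage(records):
    """Collapse per-source hits into one row per address.

    Returns dicts sorted strongest-evidence first. Each row keeps every tier
    seen, so a dict_derived hit is not hidden behind a higher-ranked tier
    such as sanctioned.
    """
    tiers_by_addr = defaultdict(set)
    for rec in records:
        if rec["tier"] not in RANK:
            # An unknown label must not silently sort as low confidence.
            raise ValueError(f"unknown tier: {rec['tier']!r}")
        tiers_by_addr[rec["address"]].add(rec["tier"])

    rows = []
    for addr, tiers in tiers_by_addr.items():
        ordered = sorted(tiers, key=RANK.__getitem__)
        rows.append({
            "address": addr,
            "top_tier": ordered[0],
            "all_tiers": ordered,
            "rotate_funds": bool(tiers & KEY_AT_RISK),
        })
    return sorted(rows, key=lambda r: (RANK[r["top_tier"]], r["address"]))


# Constructed sample hits; the addresses are placeholders, not real wallets.
SAMPLE = [
    {"address": "ADDR_A", "tier": "dict_derived"},
    {"address": "ADDR_B", "tier": "sanctioned"},
    {"address": "ADDR_B", "tier": "dict_derived"},
    {"address": "ADDR_C", "tier": "community_curated"},
    {"address": "ADDR_A", "tier": "confirmed_stolen"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```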