$ICNT Holding a certain AI concept token, among the top 10 holders, 6 are flagged by wallet platforms as "suspected phishing addresses." That moment felt like being at a high-end wine tasting, only to be pulled aside by the host and told—half of the guests in the room are professional pickpockets.

**What exactly are on-chain tags?**

Actually, these risk labels are not final judgments but more like warning lights. Platforms typically assign tags to addresses based on two main clues. One is abnormal behavior—such as frequent small test transfers, fake address patterns, etc., that match phishing characteristics. The other is association with blacklists—funds moving between the wallet and known scam accounts or clustering features.

But algorithms can also be misled. Project-controlled addresses that frequently perform test transactions might be mistakenly flagged; large holders sometimes deliberately "disguise" their activity as retail traders to protect privacy.

**What does the ICNT case tell us?**

Looking through the ICNT holder rankings, the flagged "phishing addresses" share a clear pattern: all built up positions intensively from October to November this year, with each transaction amount roughly the same (around $5,000 to $8,000).

What does this resemble? Most likely, the same organization split their funds into multiple accounts to evade monitoring. But on-chain algorithms see this highly similar behavior pattern and automatically infer it as a "phishing gang operation."

Even if it's not phishing, the problem becomes more serious—the top 10 addresses already lock over 40% of the circulating supply. The risk of market manipulation is now very real.