Methodology

Methodology & procedures

More than 40 openly documented heuristics and AI methods that Coinator uses for Bitcoin forensics.

Transparency

Why transparency?

Unlike many other transaction-tracing tools, Coinator deliberately relies on transparency instead of secrecy. We make no mystery of our algorithms, heuristics, and analysis procedures — on the contrary, every method used is openly documented and always reviewable.
More than 40 clearly traceable procedures — including multi-input heuristics, change-address analyses, CoinJoin and PayJoin detectors, and numerous filters — ensure maximum traceability, high trustworthiness, and court-admissible results at European data-protection standards.

Classical procedures

Procedures at a glance

We organise our classical procedures into ten categories. Each contains several specific heuristics that, combined, feed into cluster and transaction analysis — all openly documented and traceable.

Multi-input heuristics

Addresses that appear together as inputs in a transaction very likely belong to the same entity. The base heuristic of blockchain forensics.

Common-Input-Ownership (sharedspending)
Co-spending analysis across multiple transactions
Sub-sharedspending on partial expenditures
Can be undermined by CoinJoins and mixers

Change detection

Detecting the return-change output in Bitcoin transactions. Change addresses belong to the sender and extend the cluster.

Round-number heuristic (round payment amounts vs. odd change)
Optimal-change heuristic (non-optimal output = change)
Fresh-address detection (new, unused address = change)
Peel-chain detection (repeated breaking of large amounts)

CoinJoin & PayJoin detection

Detecting collaborative transactions to avoid clustering CoinJoin participants incorrectly. Used in combination with multi-input heuristics.

Equal-output CoinJoin (Wasabi, Samourai Whirlpool)
JoinMarket detector (maker-taker pattern)
Wasabi-Wallet signature (ZeroLink coordination)
PayJoin / BIP-78 detector (sender-receiver cooperation)

Mixer & tumbler recognition

Identifying classical mixing services by their typical input and output patterns.

ChipMixer pattern (2^x chip sizes)
Sinbad / Blender pattern
Chipping pattern (splitting into standard sizes)
Tornado-Cash bridge (return flows from EVM mixers)
Vortex / Helix pattern (timing-based)

Cross-chain swap detection (X-chain)

Cross-chain swaps allow direct exchange of coins between different blockchains — without a centralised exchange and therefore without KYC. Originally built for arbitrage, they are increasingly used to obscure the origin of funds. Our Coinator recognises the typical on-chain patterns of several established protocols.

THORChain (BTC ↔ ETH, BNB, AVAX, ATOM, DOGE, LTC, BCH)
Chainflip (BTC ↔ ETH, SOL, Arbitrum, Polkadot)
Bridgers aggregator (BTC ↔ various EVM and non-EVM chains)

Behaviour & time patterns

Recurring temporal patterns reveal wallet characteristics — private vs. service, region, usage type.

Wallet activity time windows (time-of-day or day-of-week clusters)
Regular inflows (salary pattern)
Dust-attack detection (forensic tracking attempts)
Bursty spending behaviour

Network & topology analysis

Analysing graph structure: who flows where, via how many intermediate hops?

Fan-out analysis (layering shells)
Fan-in analysis (aggregation nodes)
Peel-chain traversal (long chains of small outflows)
Temporal transaction sequencing (time-coupled chains)

Provider identification

Identifying the entity types behind addresses: exchanges, mining pools, payment gateways, custodians.

Exchange fingerprinting (typical hot-wallet patterns)
Mining-pool coinbase detection (payout patterns, coinbase messages)
Payment-provider pattern (BitPay, NowPayments, Strike …)
ETF-custodian pattern (Coinbase Custody, Gemini Custody, etc.)

Taint analyses

Tracking "contaminated" coins through the blockchain — a core concept for source-of-funds checks and AML.

Poison taint (every link colours fully)
Haircut taint (proportional by fraction)
FIFO (first-in-first-out by inflow time)
LIFO (last-in-first-out by inflow time)

Further procedures

Additional heuristics that address individual aspects.

Address-reuse detection (multi-use as a wallet-age indicator)
Wallet-software fingerprinting (e.g. Electrum, Trezor, Ledger, ...)
AI-based methods for even more accurate change-address detection
Machine-learning methods for precise outlier detection

Artificial Intelligence

AI-powered cluster analysis

Classical heuristics are augmented by modern machine-learning methods — for higher precision and fewer misclassifications.

Advanced clustering methods:

Coinator combines classical heuristic procedures with machine-learning (ML) and data-mining (DM) methods to analyse Bitcoin addresses and transactions more precisely. The goal is to detect relationships that go significantly beyond conventional rules.

Neural networks for address analysis:

We employ neural networks (Graph Neural Networks in particular) to uncover address relationships that escape classic heuristics like multi-input or change-address analysis. The GNNs are trained on carefully curated datasets to deliver reliable network analyses in real-time production use.

Behaviour-based transaction clustering:

Sometimes the "key" to insight lies not in the network topology itself but hidden in user behaviour. Coinator leverages this by grouping transactions with AI based on temporal relationships, sequences, changes in amounts, and recurring (sometimes atypical) usage patterns.

Deep learning for cluster-structure recognition:

"Divide and conquer." This innovative approach runs ML analyses on (sub-)transaction-graphs to identify hidden (sub-)relationship networks and to derive and name entities automatically.

Hybrid models to reduce errors:

Finally, we combine proven classical heuristics with the AI and ML algorithms above to improve entity recognition and reduce false positives.

Questions about methodology?

We're happy to explain which procedures best fit which case.

Get in touch →