Methodologie en procedures

Addresses that appear together as inputs in a transaction very likely belong to the same entity. The base heuristic of blockchain forensics.

• Common-Input-Ownership (sharedspending)
• Co-spending analysis across multiple transactions
• Sub-sharedspending on partial expenditures
• Can be undermined by CoinJoins and mixers

Detecting the return-change output in Bitcoin transactions. Change addresses belong to the sender and extend the cluster.

• Round-number heuristic (round payment amounts vs. odd change)
• Optimal-change heuristic (non-optimal output = change)
• Fresh-address detection (new, unused address = change)
• Peel-chain detection (repeated breaking of large amounts)

Detecting collaborative transactions to avoid clustering CoinJoin participants incorrectly. Used in combination with multi-input heuristics.

• Equal-output CoinJoin (Wasabi, Samourai Whirlpool)
• JoinMarket detector (maker-taker pattern)
• Wasabi-Wallet signature (ZeroLink coordination)
• PayJoin / BIP-78 detector (sender-receiver cooperation)

Identifying classical mixing services by their typical input and output patterns.

• ChipMixer pattern (2^x chip sizes)
• Sinbad / Blender pattern
• Chipping pattern (splitting into standard sizes)
• Tornado-Cash bridge (return flows from EVM mixers)
• Vortex / Helix pattern (timing-based)

Cross-chain swaps allow direct exchange of coins between different blockchains — without a centralised exchange and therefore without KYC. Originally built for arbitrage, they are increasingly used to obscure the origin of funds. Our Coinator recognises the typical on-chain patterns of several established protocols.

• THORChain (BTC ↔ ETH, BNB, AVAX, ATOM, DOGE, LTC, BCH)
• Chainflip (BTC ↔ ETH, SOL, Arbitrum, Polkadot)
• Bridgers aggregator (BTC ↔ various EVM and non-EVM chains)

Recurring temporal patterns reveal wallet characteristics — private vs. service, region, usage type.

• Wallet activity time windows (time-of-day or day-of-week clusters)
• Regular inflows (salary pattern)
• Dust-attack detection (forensic tracking attempts)
• Bursty spending behaviour

Analysing graph structure: who flows where, via how many intermediate hops?

• Fan-out analysis (layering shells)
• Fan-in analysis (aggregation nodes)
• Peel-chain traversal (long chains of small outflows)
• Temporal transaction sequencing (time-coupled chains)

Identifying the entity types behind addresses: exchanges, mining pools, payment gateways, custodians.

• Exchange fingerprinting (typical hot-wallet patterns)
• Mining-pool coinbase detection (payout patterns, coinbase messages)
• Payment-provider pattern (BitPay, NowPayments, Strike …)
• ETF-custodian pattern (Coinbase Custody, Gemini Custody, etc.)

Tracking "contaminated" coins through the blockchain — a core concept for source-of-funds checks and AML.

• Poison taint (every link colours fully)
• Haircut taint (proportional by fraction)
• FIFO (first-in-first-out by inflow time)
• LIFO (last-in-first-out by inflow time)

Additional heuristics that address individual aspects.

• Address-reuse detection (multi-use as a wallet-age indicator)
• Wallet-software fingerprinting (e.g. Electrum, Trezor, Ledger, ...)
• AI-based methods for even more accurate change-address detection
• Machine-learning methods for precise outlier detection