Analysis Methods
Deep dive into the analytical techniques used for blockchain investigation
Transaction Pattern Analysis
Understanding how transactions move through the blockchain is fundamental to tracing funds.
1. Direct Transfers
The simplest pattern where Address A sends to Address B:
Transaction:
Input: Address A (2.5 BTC)
Output: Address B (2.49 BTC)
Address A (0.005 BTC change)
Fee: 0.005 BTC
Analysis: Clean transfer with change back to sender
2. Consolidation Transactions
Multiple inputs combined into fewer outputs:
Transaction:
Input 1: Address A (1.2 BTC)
Input 2: Address B (0.8 BTC)
Input 3: Address C (1.5 BTC)
Output: Address D (3.48 BTC)
Fee: 0.02 BTC
Analysis: Three addresses consolidating into one
Detection: More than one input, with a single dominant output
3. Split Transactions
One input divided into multiple outputs:
Transaction:
Input: Address A (5.0 BTC)
Output 1: Address B (2.0 BTC)
Output 2: Address C (1.5 BTC)
Output 3: Address D (1.0 BTC)
Output 4: Address A (0.49 BTC change)
Fee: 0.01 BTC
Analysis: Funds splitting into multiple branches
Detection: Single input, multiple significant outputs (2-9)
4. Payment with Change
Standard wallet behavior:
Transaction:
Input: Address A (3.0 BTC)
Output 1: Address B (2.5 BTC) ← payment
Output 2: Address A (0.49 BTC) ← change
Fee: 0.01 BTC
Analysis: Payment with change back to sender
Detection: Exactly one output not back to input address
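As an added example (not the project's own code), a small Python classifier that applies the detection rules above. Patterns 1 and 4 have the same shape (exactly one output that does not return to an input address), so the classifier reports them as one pattern and returns the change amount alongside; ten or more outgoing outputs is labelled dispersal, which the endpoint rules later on this page define. Amounts are integer satoshis; the `Tx` class and `btc()` helper are this example's own.

```python
from dataclasses import dataclass
from decimal import Decimal

SATS = 100_000_000  # satoshis per BTC

def btc(amount):
    """Convert a BTC string such as "2.49" to integer satoshis without float error."""
    return int(Decimal(str(amount)) * SATS)

@dataclass
class Tx:
    inputs: list   # [(address, sats), ...] spent by this transaction
    outputs: list  # [(address, sats), ...] created by this transaction

    def fee(self):
        return sum(v for _, v in self.inputs) - sum(v for _, v in self.outputs)

def classify(tx):
    """Return (pattern, change_sats, fee_sats) using the rules on this page."""
    in_addrs = {a for a, _ in tx.inputs}
    # Outputs paid back to a spending address are change; the remaining
    # outputs are the "significant" ones the detection rules count.
    external = [v for a, v in tx.outputs if a not in in_addrs]
    change = sum(v for a, v in tx.outputs if a in in_addrs)
    n_in, n_ext = len(tx.inputs), len(external)
    if n_in > 1 and n_ext == 1:
        pattern = "consolidation"      # many inputs, one main output
    elif n_in == 1 and n_ext == 1:
        pattern = "direct"             # exactly one output not back to sender
    elif n_in == 1 and 2 <= n_ext <= 9:
        pattern = "split"              # one input, 2-9 significant outputs
    elif n_ext >= 10:
        pattern = "dispersal"          # funds scattered; see endpoint rules
    else:
        pattern = "other"
    return pattern, change, tx.fee()

if __name__ == "__main__":
    # Constructed sample: the split transaction from section 3 above.
    split = Tx([("A", btc("5.0"))],
               [("B", btc("2.0")), ("C", btc("1.5")), ("D", btc("1.0")), ("A", btc("0.49"))])
    print(classify(split))  # ('split', 49000000, 1000000)
```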
Amount Matching Logic
Following specific amounts through transactions requires intelligent tolerance handling.
Tolerance Calculation
tolerance = max(
    target_amount * 0.01,  // 1% of the tracked amount
    100,000 satoshis       // 0.001 BTC minimum
)
match = abs(output_amount - target_amount) <= tolerance
All amounts are compared in satoshis, so the percentage term and the fixed minimum share one unit.
Why Tolerance is Necessary
- Transaction Fees: Every transaction reduces the amount slightly
- Dust Amounts: Tiny residual differences vary from one transaction to the next
- Consolidation Math: Combined inputs may not exactly match target
- Rounding: Some wallets round to specific precision
Example Matching Scenarios
Target: 2.50000000 BTC
Output: 2.49950000 BTC
Diff: 0.00050000 BTC (0.02%)
✅ Match - within 1% tolerance
Target: 2.50000000 BTC
Input contributions:
- Our address: 2.50000000 BTC
- Other input: 1.20000000 BTC
Output: 3.69800000 BTC (combined minus fee)
✅ Our 2.5 BTC contributed to consolidation
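The tolerance rule and both matching scenarios above as an added Python example (not the project's code). All amounts are integer satoshis so the 100,000-satoshi floor and the 1% term share one unit; the function names are this example's own.

```python
MIN_TOLERANCE_SATS = 100_000   # 0.001 BTC floor
RELATIVE_TOLERANCE = 0.01      # 1% of the target amount

def tolerance(target_sats):
    """max(1% of target, 0.001 BTC), as in the calculation above."""
    return max(int(target_sats * RELATIVE_TOLERANCE), MIN_TOLERANCE_SATS)

def amount_matches(candidate_sats, target_sats):
    return abs(candidate_sats - target_sats) <= tolerance(target_sats)

def match_in_tx(tx_inputs, tx_outputs, target_sats):
    """tx_inputs / tx_outputs are lists of (address, sats).

    Returns ("output", sats) when an output carries the tracked amount directly
    (scenario 1), ("consolidation", sats) when the tracked amount was one of
    several inputs and the combined value left in one output (scenario 2),
    or None when neither applies.
    """
    for _, v in tx_outputs:
        if amount_matches(v, target_sats):
            return ("output", v)
    ours = any(amount_matches(v, target_sats) for _, v in tx_inputs)
    if len(tx_inputs) > 1 and ours:
        total_in = sum(v for _, v in tx_inputs)
        # The combined inputs minus the fee should appear as one output;
        # test each output against the input total with the same tolerance.
        for _, v in tx_outputs:
            if amount_matches(v, total_in):
                return ("consolidation", v)
    return None

if __name__ == "__main__":
    target = 250_000_000                                   # 2.5 BTC
    print(match_in_tx([("A", 250_000_000)], [("B", 249_950_000)], target))
    # ('output', 249950000)
    print(match_in_tx([("A", 250_000_000), ("X", 120_000_000)],
                      [("C", 369_800_000)], target))
    # ('consolidation', 369800000)
```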
High-Volume Address Handling
Addresses with 1000+ transactions require special techniques.
Pagination Strategy
IF address has > 1000 transactions:
1. Fetch initial 50 transactions
2. If no match in time window:
- Fetch next 50 (offset = 50)
- Continue up to 500 total
3. Use Bitcoin Core node for detailed analysis
4. Focus on time window around entry timestamp
Mixer Exit Detection
For high-volume addresses (potential mixers), specialized logic applies:
- Time Window: Look for exits within 6 hours of entry
- Amount Matching: Find outputs matching our tracked amount (1% tolerance)
- Multiple Matches: If several matches, select the closest amount + earliest time
- Local Node Priority: Use Bitcoin Core to avoid API rate limits
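An added Python example (not the project's code) that combines the pagination strategy and the mixer exit rules above: it pages through an address's transactions 50 at a time up to 500, keeps only transactions within 6 hours after entry whose output matches the tracked amount, and selects the closest amount, breaking ties by earliest time. The `fetch_page` callable, the tuple layout and the sample data are assumptions of this example; in practice `fetch_page` would wrap the API or Bitcoin Core.

```python
from datetime import datetime, timedelta

PAGE_SIZE, MAX_FETCH = 50, 500          # 50 per page, stop after 500 total
EXIT_WINDOW = timedelta(hours=6)        # exits are expected within 6h of entry

def tolerance(target_sats):
    return max(int(target_sats * 0.01), 100_000)   # 1%, floor 0.001 BTC

def find_mixer_exit(fetch_page, address, entry_time, target_sats):
    """fetch_page(address, limit, offset) -> [(txid, time, [output_sats...])].
    Returns (txid, output_sats, delay_seconds) for the best exit, or None."""
    for offset in range(0, MAX_FETCH, PAGE_SIZE):
        page = fetch_page(address, PAGE_SIZE, offset)
        if not page:
            break                       # address exhausted before 500
        candidates = []
        for txid, when, outputs in page:
            delay = when - entry_time
            if not (timedelta(0) <= delay <= EXIT_WINDOW):
                continue                # before entry or outside the window
            for v in outputs:
                diff = abs(v - target_sats)
                if diff <= tolerance(target_sats):
                    candidates.append((diff, when, txid, v))
        if candidates:                  # closest amount first, then earliest
            diff, when, txid, v = min(candidates)
            return txid, v, int((when - entry_time).total_seconds())
    return None                         # no exit found in the first 500 txs

# Constructed sample: a busy address with 120 unrelated transactions five
# minutes apart, plus five placed transactions that exercise the rules.
ENTRY = datetime(2023, 1, 15, 10, 30)
SAMPLE = [(f"noise{i}", ENTRY + timedelta(minutes=5 * i), [10_000_000 + i])
          for i in range(120)]
SAMPLE += [
    ("tx-early-far",  ENTRY + timedelta(minutes=20),  [248_000_000]),  # 2.0M off
    ("tx-late-close", ENTRY + timedelta(minutes=50),  [249_950_000]),  # 50k off
    ("tx-tie",        ENTRY + timedelta(minutes=90),  [249_950_000]),  # same diff
    ("tx-outside",    ENTRY + timedelta(hours=7),     [250_000_000]),  # > 6h
    ("tx-page2",      ENTRY + timedelta(minutes=300), [120_000_000]),  # 2nd page
]
SAMPLE.sort(key=lambda t: t[1])

def fetch_page(address, limit, offset):
    """Stand-in for the API / Bitcoin Core call; serves SAMPLE in pages."""
    return SAMPLE[offset:offset + limit]
```

For the 2.5 BTC target the first page already holds three candidates and `tx-late-close` wins on amount, while the 1.2 BTC target is only found after paging to offset 50.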
Temporal Analysis
Time relationships between transactions reveal important patterns.
Entry/Exit Timing
Entry time: Block 750000 (2023-01-15 10:30:00)
Exit time: Block 750002 (2023-01-15 10:50:00)
Delay: 20 minutes
Analysis:
- Fast exit (< 1 hour) suggests automated system
- Typical mixer delay is 10 minutes to 6 hours
- Very long delays (> 24h) suggest manual wallet
Block Height Tracking
Block heights provide immutable timestamps:
- Confirmed Order: Later block = definitely later in time
- Investigation Depth: Can trace back to genesis block if needed
- Legal Evidence: Block heights are objective, verifiable timestamps
Value Transformation Tracking
How amounts change through transactions:
Fee Accumulation
Start: 10.00000000 BTC
Hop 1: 9.99950000 BTC (-0.0005 fee)
Hop 2: 9.99880000 BTC (-0.0007 fee)
Hop 3: 9.99810000 BTC (-0.0007 fee)
Total: 9.99810000 BTC (-0.0019 total fees)
Average fee per hop: 0.00063 BTC
Consolidation Value Expansion
Our contribution: 2.50000000 BTC
Other inputs: 1.80000000 BTC
Output: 4.29950000 BTC
Analysis: Now tracking 4.3 BTC (expanded from 2.5)
Action: Continue with new amount
Split Value Contraction
Input: 5.00000000 BTC (tracking)
Outputs:
- 2.50000000 BTC (largest)
- 1.20000000 BTC
- 1.00000000 BTC
- 0.29950000 BTC
Analysis: Following largest = 2.5 BTC (reduced from 5.0)
Action: Continue tracking 2.5 BTC
Endpoint Detection Logic
Determining when to stop following a trail:
Endpoint Conditions
STOP IF:
1. Exchange identified (SUCCESS)
2. No matching outgoing amount found
3. Funds split into 10+ outputs (DISPERSAL)
4. Maximum hops reached (10 for flow, 4 for paths)
5. Amount below minimum threshold (< 0.001 BTC)
6. Circular reference detected (back to earlier address)
Dispersal Detection
Input: 5.0 BTC
Outputs: 15 outputs ranging from 0.1 to 0.5 BTC each
Analysis:
- No single output > 50% of input
- More than 10 outputs
- Conclusion: DISPERSAL (funds scattered)
Action: STOP (cannot reliably track further)
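An added Python example (not the project's code) that follows a trail hop by hop, applying the value-transformation rules from the previous section (consolidation expands the tracked amount to the combined output, a split follows the largest output) and stopping on the endpoint conditions listed above. The `spends` map, the `(inputs, outputs)` tuple layout, the exchange set and the sample chain are constructed for this example.

```python
MAX_HOPS, MIN_AMOUNT = 10, 100_000   # 10 hops for flow; 0.001 BTC floor
EXCHANGES = {"exch1"}                # constructed stand-in for the verified DB

def tolerance(t):
    return max(int(t * 0.01), 100_000)  # 1% of amount, 0.001 BTC minimum

def next_hop(tx, addr, amount):
    """tx = (inputs, outputs), each a list of (address, sats). Returns
    (next_addr, next_amount), "DISPERSAL", or None when nothing matches."""
    inputs, outputs = tx
    if not any(a == addr and abs(v - amount) <= tolerance(amount) for a, v in inputs):
        return None                    # tracked amount did not enter this tx
    in_addrs = {a for a, _ in inputs}
    external = [(a, v) for a, v in outputs if a not in in_addrs]
    if not external:
        return None
    if len(external) >= 10:
        return "DISPERSAL"             # 10+ outputs: funds scattered
    # Consolidation: the one external output holds the combined value (amount
    # expands); split: follow the largest output (amount contracts).
    return max(external, key=lambda o: o[1])

def follow(start_addr, amount, spends, max_hops=MAX_HOPS):
    """spends: {address: tx spending from it}. Returns (stop_reason, path)."""
    path, seen, addr = [], set(), start_addr
    for _ in range(max_hops):
        if addr in EXCHANGES:
            return "SUCCESS", path
        if amount < MIN_AMOUNT:
            return "BELOW_THRESHOLD", path
        if addr in seen:
            return "CIRCULAR", path
        seen.add(addr)
        nxt = next_hop(spends[addr], addr, amount) if addr in spends else None
        if nxt is None:
            return "NO_MATCH", path
        if nxt == "DISPERSAL":
            return "DISPERSAL", path
        addr, amount = nxt
        path.append((addr, amount))
    return "MAX_HOPS", path

# Constructed chain: direct hop, consolidation (+1.8 BTC), split, then exchange.
CHAIN = {
    "A": ([("A", 250_000_000)], [("B", 249_950_000)]),
    "B": ([("B", 249_950_000), ("Z", 180_000_000)], [("C", 429_900_000)]),
    "C": ([("C", 429_900_000)], [("D", 250_000_000), ("E", 120_000_000), ("C", 59_850_000)]),
    "D": ([("D", 250_000_000)], [("exch1", 249_900_000)]),
}
```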
Address Relationship Mapping
Understanding how addresses connect:
Common Input Heuristic
Addresses used as inputs in the same transaction likely belong to the same entity:
Transaction:
Input 1: 1ABC...
Input 2: 1DEF...
Input 3: 1GHI...
Heuristic: 1ABC, 1DEF, 1GHI → Likely same wallet
Confidence: High (> 90%)
Change Address Detection
Identifying which output is change vs. payment:
Transaction:
Input: 1ABC... (3.0 BTC)
Output 1: 1XYZ... (2.5 BTC)
Output 2: 1ABC... (0.49 BTC)
Analysis: Output 2 is change (back to input address)
Payment: 2.5 BTC to 1XYZ...
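An added Python example (not the project's code) of both heuristics: a union-find that merges addresses spent together in one transaction, and change detection that treats any output returning to the spender's cluster as change. This generalizes the rule above (an output back to the input address itself) to the whole cluster, which is what the common-input heuristic implies. The sample transactions and the shortened address labels are constructed.

```python
class Clusters:
    """Union-find over addresses; addresses in one set are one likely entity."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def same_entity(self, a, b):
        return self.find(a) == self.find(b)

def apply_common_input(clusters, txs):
    """Common-input heuristic: all inputs of one transaction are merged."""
    for inputs, _outputs in txs:
        first = inputs[0][0]
        for addr, _ in inputs[1:]:
            clusters.union(first, addr)

def split_change(inputs, outputs, clusters):
    """Return (payments, change). An output whose address is in the spender's
    cluster is change; every other output is a payment."""
    spender = clusters.find(inputs[0][0])
    change = [(a, v) for a, v in outputs if clusters.find(a) == spender]
    payments = [(a, v) for a, v in outputs if clusters.find(a) != spender]
    return payments, change

# Constructed sample: two transactions share input 1GHI, so 1ABC, 1DEF,
# 1GHI and 1JKL form one cluster; 1XYZ only ever receives.
TXS = [
    ([("1ABC", 120_000_000), ("1DEF", 80_000_000), ("1GHI", 150_000_000)],
     [("1XYZ", 348_000_000)]),
    ([("1GHI", 50_000_000), ("1JKL", 50_000_000)],
     [("1XYZ", 99_900_000)]),
]
```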
Scoring Confidence
All detections include confidence scores based on evidence strength.
Confidence Tiers
| Level | Score Range | Meaning | Action |
|---|---|---|---|
| Confirmed | 100% | In verified database | Rely on fully |
| Very High | ≥77% | ≥10 indicators | Treat as confirmed |
| High | 54-76% | 7-9 indicators | Strong evidence |
| Medium | 31-53% | 4-6 indicators | Possible, verify |
| Low | < 31% | < 4 indicators | Weak evidence |
Optimization Techniques
Caching Strategy
Cache key format: "address_limit_offset"
Examples:
- "1ABC..._50_0" (first 50 transactions)
- "1ABC..._10_0" (first 10 transactions)
- "1ABC..._50_50" (transactions 51-100)
Reuse logic:
- If limit=50 is cached for an offset, reuse it for limit=10 requests at the same offset
- Cache hits reduce API calls by ~60%
- Valid for duration of investigation
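The cache key and reuse rule above as an added Python example (not the project's code): a request for `limit=n` at some offset is served from any stored entry for the same address and offset whose limit is at least `n`, and hit/miss counters show the API calls saved. The `fetch` callable and the `make_fetch` stub are this example's own.

```python
class TxCache:
    """Caches pages of transactions under "address_limit_offset" keys."""

    def __init__(self, fetch):
        self.fetch = fetch          # fetch(address, limit, offset) -> [tx, ...]
        self.store = {}
        self.hits = self.misses = 0

    @staticmethod
    def key(address, limit, offset):
        return f"{address}_{limit}_{offset}"

    def get(self, address, limit, offset):
        # Reuse: an entry at the same offset with a larger limit is a superset,
        # so its first `limit` entries answer this request. Bitcoin addresses
        # contain no "_", so splitting on the last two separators is safe.
        for stored_key, txs in self.store.items():
            addr, lim, off = stored_key.rsplit("_", 2)
            if addr == address and int(off) == offset and int(lim) >= limit:
                self.hits += 1
                return txs[:limit]
        self.misses += 1
        txs = self.fetch(address, limit, offset)
        self.store[self.key(address, limit, offset)] = txs
        return txs

def make_fetch():
    """Constructed stand-in for the API: returns synthetic txids and records
    every call so the saving can be measured."""
    calls = []

    def fetch(address, limit, offset):
        calls.append((address, limit, offset))
        return [f"{address}:tx{offset + i}" for i in range(limit)]

    return fetch, calls
```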
API Call Minimization
- Batch Decisions: Check multiple conditions before fetching more data
- Early Termination: Stop investigation when exchange found
- Local Node Usage: Prefer Bitcoin Core for high-volume analysis
- Lazy Loading: Only fetch transaction details when needed
Error Handling
API Failures
IF API call fails:
1. Retry once after 1 second delay
2. If still fails, try alternative API
3. If all APIs fail, try Bitcoin Core
4. If Core fails, mark endpoint as "API unavailable"
5. Continue with partial results
Data Quality Issues
- Missing Timestamps: Use block height instead
- Incomplete Transactions: Skip and continue to next
- Invalid Addresses: Log and mark as endpoint
- Zero-Value Outputs: Ignore (OP_RETURN or similar)
Next Steps
- Learn about specific Mixer Detection algorithms
- Understand Exchange Identification methods
- See Pattern Analysis in action