Exchange Identification

Detecting deposits to known KYC exchanges

Why Exchanges Matter

Exchange deposits are the most valuable finding in any blockchain investigation because:

KYC Requirements: Exchanges know their customers' real identities
Legal Cooperation: Subject to subpoenas and legal requests
Complete Records: Maintain transaction history, IPs, and documents
Recovery Potential: Funds may be frozen or recovered

Two-Tier Detection System

Blockchain Detective uses two complementary methods for exchange detection.

Tier 1: Confirmed Exchange Database

Known exchange addresses maintained in a verified database.

Database Contents

known_exchanges = {
  "bc1qgdjqv0av3q56...": "Coinbase",
  "1NDyJtNTjmwk5xP...": "Binance",
  "bc1qjasf9z3h7w3j...": "Kraken",
  "1Kr6QSydW9bFQG1...": "Bitfinex",
  "3Cbq7aT1tY8kMxW...": "Coinbase Commerce",
  // ... more exchanges
}

Detection Algorithm

FUNCTION identify_exchange(address):
  IF address IN known_exchanges:
    RETURN {
      "identified": TRUE,
      "name": known_exchanges[address],
      "confidence": "confirmed",
      "type": "database_match"
    }
  ELSE:
    RETURN {
      "identified": FALSE,
      "note": "Not in known exchange database"
    }

Advantages

100% Confidence: These are definitively exchange wallets
Instant Detection: Simple lookup, no analysis needed
Legal Weight: Court-admissible evidence
Actionable: Know exactly which exchange to contact

Limitations

Database must be maintained and updated
Doesn't catch new or unknown exchanges
Exchanges rotate addresses regularly
Smaller exchanges may not be included

Tier 2: Heuristic Behavioral Analysis

Identifies exchange-like behavior even without database match.

Exchange Behavioral Patterns

1. Very High Transaction Count

Score calculation:
  IF transactions >= 1000: +3 points
  ELSE IF transactions >= 100: +2 points
  
Reasoning: Exchanges process thousands of deposits/withdrawals

2. High Total Volume

Score calculation:
  IF total_received >= 100 BTC: +2 points
  
Reasoning: Exchanges handle massive volumes

3. Low Balance Ratio

balance_ratio = final_balance / total_received

Score calculation:
  IF balance_ratio < 0.01: +2 points
  
Reasoning: Hot wallets maintain low balances (< 1%)
Funds are quickly moved to cold storage

Complete Heuristic Algorithm

Exchange Behavior Detection

FUNCTION analyze_exchange_behavior(address):
  // Fetch address statistics
  address_data = fetch_address(address)
  
  tx_count = address_data.n_tx
  total_received = address_data.total_received_btc
  total_sent = address_data.total_sent_btc
  final_balance = address_data.final_balance_btc
  
  score = 0
  indicators = []
  
  // High transaction count
  IF tx_count >= 1000:
    score += 3
    indicators.append("Very high transaction count ({})".format(tx_count))
  ELSE IF tx_count >= 100:
    score += 2
    indicators.append("High transaction count ({})".format(tx_count))
  
  // High volume
  IF total_received >= 100:
    score += 2
    indicators.append("High volume ({:.2f} BTC received)".format(total_received))
  
  // Low balance ratio (typical of hot wallets)
  balance_ratio = final_balance / total_received IF total_received > 0 ELSE 0
  IF balance_ratio < 0.01:
    score += 2
    indicators.append("Low balance ratio ({:.4f}) - typical of hot wallet".format(balance_ratio))
  
  // Determine likelihood
  IF score >= 7:
    likelihood = "high"
  ELSE IF score >= 4:
    likelihood = "medium"
  ELSE:
    likelihood = "low"
  
  RETURN {
    "exchange_likelihood": likelihood,
    "confidence_score": score,
    "max_score": 10,
    "indicators": indicators,
    "statistics": {
      "transaction_count": tx_count,
      "total_received_btc": total_received,
      "final_balance_btc": final_balance
    }
  }

Example Detections

Example 1: Clear Exchange (Score: 7/10)

Address: bc1q...xyz
Transactions: 2,847
Total Received: 234.5 BTC
Final Balance: 0.23 BTC
Balance Ratio: 0.0010 (0.1%)

Scoring:
  TX count >= 1000: +3
  Volume >= 100 BTC: +2
  Balance ratio < 0.01: +2
  Total: 7/10 = "high" likelihood

✅ LIKELY EXCHANGE (heuristic)

Example 2: Not an Exchange (Score: 2/10)

Address: 1ABC...
Transactions: 45
Total Received: 12.3 BTC
Final Balance: 8.1 BTC
Balance Ratio: 0.6585 (65.85%)

Scoring:
  TX count >= 100: +0 (only 45)
  Volume >= 100 BTC: +0 (only 12.3)
  Balance ratio < 0.01: +0 (65.85% is high)
  Total: 0/10 = "low" likelihood

❌ NOT AN EXCHANGE

Combined Detection Strategy

Blockchain Detective runs both methods sequentially:

FUNCTION detect_exchange(address):
  // Try database lookup first (fastest, most reliable)
  confirmed = identify_exchange(address)
  
  IF confirmed.identified:
    RETURN {
      "type": "confirmed",
      "name": confirmed.name,
      "confidence": 100%,
      "source": "verified_database"
    }
  
  // If not in database, use heuristic analysis
  heuristic = analyze_exchange_behavior(address)
  
  IF heuristic.likelihood == "high":
    RETURN {
      "type": "heuristic",
      "name": "Possible exchange (behavioral analysis)",
      "confidence": heuristic.score / 10,
      "source": "behavior_patterns",
      "indicators": heuristic.indicators
    }
  
  RETURN {
    "type": "none",
    "conclusion": "No exchange detected"
  }

Legal Implications by Type

Confirmed Exchange (Database Match)

Action Priority: HIGHEST

Subpoena Immediately: Request account holder info, KYC docs, transaction history
Evidence Quality: Court-admissible, definitive proof
Success Rate: Very high - exchanges maintain complete records
Victim Action: Contact exchange fraud dept immediately with police report

Heuristic Exchange (High Confidence)

Action Priority: HIGH

Verify First: Use commercial tools (Chainalysis, Elliptic) to confirm
Evidence Quality: Circumstantial but strong
Success Rate: Moderate - requires confirmation
Victim Action: Monitor address for additional confirmatory behavior

No Exchange Detected

Action Priority: ONGOING MONITORING

Set Alerts: Funds may move to exchange later
Periodic Re-checks: Run investigation again in 1-2 weeks
Evidence Quality: Investigation shows due diligence
Victim Action: Preserve all evidence, file reports, wait

Exchange-Specific Intelligence

Major Exchanges

Exchange	KYC Level	Legal Cooperation	Notes
Coinbase	Strict	Excellent	US-based, full compliance
Kraken	Strict	Good	US-based, responsive to LE
Binance	Moderate	Variable	International, improving
Bitfinex	Moderate	Moderate	Offshore, selective cooperation
Gemini	Strict	Excellent	US-based, regulated

Address Rotation

Exchanges generate new addresses frequently:

Deposit Addresses: New for each user deposit
Hot Wallet Rotation: Weekly or monthly
Cold Storage: Rarely changes

This means database must be continually updated with newly discovered addresses.

False Positives

Entities That Look Like Exchanges

Payment Processors: BitPay, Coinbase Commerce (high volume)
Mining Pools: Very high transaction count
Large Merchants: Accept many payments
Gambling Sites: Deposits/withdrawals resemble exchanges

Reducing False Positives

Additional checks to improve accuracy:

Transaction Pattern: Exchanges have balanced in/out
Amount Distribution: Exchanges see very varied amounts
Time Distribution: Exchanges active 24/7
Connected Addresses: Cluster analysis reveals organization

Investigation Workflow

When Exchange is Found

Document Everything
- Exchange name
- Deposit address
- Transaction hash
- Amount deposited
- Timestamp and block height
Gather Supporting Evidence
- Complete blockchain trail leading to exchange
- Any mixer usage along the path
- Related addresses (clustering)
For Law Enforcement
- Draft subpoena with specific address and dates
- Request: KYC docs, account holder info, transaction history, IP logs
- Include blockchain evidence in request
For Victims
- Contact exchange compliance/fraud team
- Provide police report and case number
- Request account freeze
- Submit blockchain evidence

Database Maintenance

How Addresses Are Added

Exchange Disclosure: Some exchanges publish wallet addresses
Community Research: Blockchain researchers identify and verify
Cluster Analysis: Related addresses inferred from transaction patterns
Commercial Data: Chainalysis, Elliptic publish exchange addresses

Verification Process

Before adding to database:

Confirm through multiple independent sources
Verify transaction patterns match exchange behavior
Check for official disclosure or confirmation
Document source and confidence level

Next Steps

Learn about Pattern Analysis techniques
Understand Reading Reports to find exchange findings
Review Law Enforcement Guide for subpoena procedures