How It Works
Understanding the investigation process and analytical methodology
Overview
Blockchain Detective employs a two-phase investigation approach that combines fund flow tracking with multi-path analysis. This dual methodology provides both depth (following specific amounts) and breadth (analyzing all major transaction paths).
Phase 1: Fund Flow Tracking
The first phase identifies and tracks the single largest incoming transaction to the target address. This reveals where the most significant funds originated and where they went.
Process Steps
- Address Analysis: Fetches complete transaction history for the target address
- Incoming Identification: Scans all transactions to find the largest incoming payment
- Amount Tracking: Follows that specific amount through subsequent transactions
- Pattern Recognition: Detects consolidations, splits, and mixers along the path
- Endpoint Detection: Continues until the funds reach an exchange, disperse, or the trail goes cold
Tolerance Handling
Bitcoin transactions include fees, which means the exact amount rarely matches perfectly. The system uses intelligent tolerance thresholds:
- Standard Tolerance: 1% or 0.001 BTC (whichever is larger)
- Consolidation Detection: Tracks when multiple inputs combine into a single output
- Split Handling: When funds divide into multiple outputs, follows the largest
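The following is an added example, not code from Blockchain Detective, showing how the Phase 1 steps and the tolerance rules above fit together. It runs over a small constructed ledger: `Tx`, `btc`, `track_funds` and the address labels (`target`, `exch_hot`, etc.) are all assumptions made for this illustration, and inputs are matched on address plus amount rather than on real outpoints to keep the example short.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SAT = 100_000_000  # satoshis per BTC; every amount below is an integer in satoshis


def btc(amount: float) -> int:
    """Convert a BTC amount to satoshis so comparisons never suffer float drift."""
    return round(amount * SAT)


@dataclass(frozen=True)
class Tx:
    """Simplified transaction (constructed for this example).
    inputs/outputs are (address, amount_sat) pairs; real inputs reference
    outpoints, matching on address+amount is a toy simplification."""
    txid: str
    inputs: Tuple[Tuple[str, int], ...]
    outputs: Tuple[Tuple[str, int], ...]


def tolerance_sat(amount_sat: int) -> int:
    """Standard tolerance from the page: 1% of the amount or 0.001 BTC, whichever is larger."""
    return max(amount_sat // 100, btc(0.001))


def within_tolerance(expected: int, observed: int) -> bool:
    return abs(expected - observed) <= tolerance_sat(expected)


def largest_incoming(address: str, ledger: List[Tx]) -> Optional[Tuple[str, int]]:
    """(txid, amount) of the single largest output paid to `address` (step 2)."""
    best = None
    for tx in ledger:
        for addr, amt in tx.outputs:
            if addr == address and (best is None or amt > best[1]):
                best = (tx.txid, amt)
    return best


def find_spend(address: str, amount: int, ledger: List[Tx], seen: Set[str]) -> Optional[Tx]:
    """First unvisited tx spending an input from `address` that matches the tracked amount within tolerance."""
    for tx in ledger:
        if tx.txid in seen:
            continue
        for addr, amt in tx.inputs:
            if addr == address and within_tolerance(amount, amt):
                return tx
    return None


def track_funds(target: str, ledger: List[Tx], known_exchanges: Set[str], max_hops: int = 10) -> Dict:
    """Phase 1: follow the largest incoming amount hop by hop until it reaches a
    known exchange, the trail goes cold, or the hop limit is hit (steps 3-5)."""
    start = largest_incoming(target, ledger)
    if start is None:
        return {"status": "no_incoming", "hops": []}
    start_txid, amount = start
    seen = {start_txid}
    address = target
    hops: List[Dict] = []
    for _ in range(max_hops):
        tx = find_spend(address, amount, ledger, seen)
        if tx is None:
            return {"status": "trail_cold", "end": address, "amount": amount, "hops": hops}
        seen.add(tx.txid)
        events = []
        if len(tx.inputs) > 1:
            events.append("consolidation")  # several inputs combined into this tx
        if len(tx.outputs) > 1:
            events.append("split")          # funds divided; the largest output is followed
        next_addr, next_amt = max(tx.outputs, key=lambda o: o[1])
        hops.append({"txid": tx.txid, "to": next_addr, "amount": next_amt, "events": events})
        address, amount = next_addr, next_amt
        if address in known_exchanges:
            return {"status": "exchange", "end": address, "amount": amount, "hops": hops}
    return {"status": "hop_limit", "end": address, "amount": amount, "hops": hops}


# Constructed sample ledger (not real transactions or addresses)
LEDGER = [
    Tx("tx0", (("ext2", btc(0.3)),), (("target", btc(0.2999)),)),
    Tx("tx1", (("ext1", btc(2.0)),), (("target", btc(1.5)), ("ext1chg", btc(0.4999)))),
    Tx("tx2", (("target", btc(1.5)), ("other", btc(0.5))), (("A", btc(1.999)),)),
    Tx("tx3", (("A", btc(1.999)),), (("B", btc(1.2)), ("C", btc(0.798)))),
    Tx("tx4", (("B", btc(1.2)),), (("exch_hot", btc(1.1995)),)),
]
KNOWN_EXCHANGES = {"exch_hot"}  # placeholder label standing in for a known-exchange database entry

if __name__ == "__main__":
    print(track_funds("target", LEDGER, KNOWN_EXCHANGES))
```

On this ledger the 1.5 BTC payment in `tx1` is chosen over the 0.2999 BTC one, `tx2` is reported as a consolidation, `tx3` as a split (the 1.2 BTC branch is followed), and `tx4` lands on the exchange label with a 0.0005 BTC fee absorbed by the tolerance. Tracking from `C` instead stops immediately with `trail_cold`, because nothing in the ledger spends from it.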
Phase 2: Multi-Path Analysis
The second phase examines all major outflows from the target address, investigating each path independently to build a comprehensive picture.
Path Selection Criteria
The system selects paths for investigation based on:
- Transactions involving ≥0.1 BTC (major outflows)
- If fewer than 4 major outflows exist, the top 6 outflows by value are included instead
- Each path is traced through up to 4 hops
Per-Path Analysis
For each selected path, the system:
- Fetches address data for the destination
- Identifies spending transactions (where the address is an input)
- Checks for mixer activity using CoinJoin detection
- Verifies against known exchange databases
- Performs heuristic analysis for exchange-like behavior
- Follows to the next hop and repeats
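As an added example (not Blockchain Detective's own code), the path-selection rules and the per-path loop above implemented together over constructed data. `select_paths`, `trace_path`, the `spends` table (one spending transaction per address, following its largest output) and the `is_mixer` predicate are assumptions; the predicate stands in for the mixer scoring and exchange heuristics that the Decision Logic section describes, so that the hop limit, exchange, mixer and cold-trail outcomes can be shown independently.

```python
from typing import Callable, Dict, List, Set, Tuple

MAJOR_OUTFLOW_SAT = 10_000_000  # 0.1 BTC in satoshis
MIN_MAJOR_PATHS = 4
FALLBACK_TOP_N = 6
MAX_HOPS = 4


def select_paths(outflows: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Page's criteria: every outflow >= 0.1 BTC; if fewer than 4 qualify,
    fall back to the top 6 outflows by value. Returned largest first."""
    major = [o for o in outflows if o[1] >= MAJOR_OUTFLOW_SAT]
    if len(major) >= MIN_MAJOR_PATHS:
        chosen = major
    else:
        chosen = sorted(outflows, key=lambda o: o[1], reverse=True)[:FALLBACK_TOP_N]
    return sorted(chosen, key=lambda o: o[1], reverse=True)


# Constructed simplification: spends[address] = (txid, next_address, n_inputs, n_outputs)
# describes the one transaction that spends from `address`, with next_address its largest output.
Spends = Dict[str, Tuple[str, str, int, int]]


def trace_path(start: str, spends: Spends, known_exchanges: Set[str],
               is_mixer: Callable[[int, int], bool], max_hops: int = MAX_HOPS) -> Dict:
    """Per-path analysis: at each hop check the exchange database, find the
    spending tx, run the mixer check, then follow to the next hop."""
    address = start
    for hop in range(1, max_hops + 1):
        if address in known_exchanges:
            return {"verdict": "exchange", "address": address, "hops": hop - 1}
        spend = spends.get(address)
        if spend is None:
            return {"verdict": "trail_cold", "address": address, "hops": hop - 1}
        txid, next_address, n_in, n_out = spend
        if is_mixer(n_in, n_out):
            return {"verdict": "mixer", "txid": txid, "hops": hop}
        address = next_address
    # The last hop may itself land on an exchange; check before declaring the limit hit.
    if address in known_exchanges:
        return {"verdict": "exchange", "address": address, "hops": max_hops}
    return {"verdict": "hop_limit", "address": address, "hops": max_hops}


def analyse_outflows(outflows: List[Tuple[str, int]], spends: Spends, known_exchanges: Set[str],
                     is_mixer: Callable[[int, int], bool]) -> Dict[str, Dict]:
    """Phase 2: trace every selected path independently."""
    return {dest: trace_path(dest, spends, known_exchanges, is_mixer)
            for dest, _ in select_paths(outflows)}


def simple_mixer_check(n_inputs: int, n_outputs: int) -> bool:
    """Placeholder predicate (assumption): stands in for the full mixer score."""
    return n_inputs >= 50 and n_outputs >= 50


# Constructed sample data (not real addresses or transactions)
OUTFLOWS = [("p1", 50_000_000), ("p2", 25_000_000), ("p3", 2_000_000), ("p4", 15_000_000),
            ("p5", 500_000), ("p6", 30_000_000), ("p7", 100_000)]
SPENDS: Spends = {
    "p1": ("t1", "p1b", 1, 2), "p1b": ("t2", "exch_hot", 1, 1),          # reaches an exchange
    "p2": ("t3", "a1", 1, 1), "a1": ("t4", "a2", 1, 1), "a2": ("t5", "a3", 1, 1),
    "a3": ("t6", "a4", 1, 1), "a4": ("t7", "a5", 1, 1),                    # longer than 4 hops
    "p6": ("t8", "p6b", 120, 120),                                         # mixer-like spend
}
KNOWN_EXCHANGES = {"exch_hot"}

if __name__ == "__main__":
    for dest, verdict in analyse_outflows(OUTFLOWS, SPENDS, KNOWN_EXCHANGES, simple_mixer_check).items():
        print(dest, verdict)
```

Here `p1`, `p6`, `p2` and `p4` are exactly four major outflows, so the fallback does not trigger; `p4` has no spending transaction and goes cold at hop 0, while `p2` is abandoned at `a4` once the four-hop limit is reached. With only one outflow above 0.1 BTC the fallback would return the six largest instead.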
Real-Time Streaming
Unlike batch processing systems, Blockchain Detective streams results in real time. This provides several advantages:
- Immediate Feedback: See reasoning as the investigation progresses
- Transparency: Every API call and decision is visible
- Interruptibility: Investigations that are taking too long can be stopped
- Progress Tracking: Know exactly what stage the analysis is in
Data Sources
The system uses multiple data sources for comprehensive analysis:
| Source Type | Purpose | Reliability |
|---|---|---|
| Public Blockchain APIs | Transaction and address data | High - cryptographically verified |
| Bitcoin Core Node | High-volume address analysis | Highest - direct node access |
| Known Exchange Database | Exchange identification | High - confirmed wallets only |
| Heuristic Analysis | Behavioral pattern detection | Medium - probabilistic |
Decision Logic
All decisions follow explicit, transparent rules:
A transaction is flagged as a mixer if its score ≥7 points:
- ≥100 inputs: +4 points
- ≥50 inputs: +3 points
- ≥100 outputs: +4 points
- ≥50 equal-value outputs: +4 points
- Transaction size ≥20KB: +2 points
Confidence levels: ≥10 = very high, ≥7 = high, ≥4 = medium
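The scoring rules above, as an added example that is not Blockchain Detective's own implementation. One reading is assumed where the page is silent: the two input-count rules are treated as tiers (a transaction with ≥100 inputs scores +4, not +4 and +3), and scores below 4 are labelled "low". The sample transactions are constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple

MIXER_THRESHOLD = 7        # flagged as a mixer at or above this score
LARGE_TX_BYTES = 20_000    # "transaction size >= 20KB" rule


def max_equal_value_outputs(outputs_sat: List[int]) -> int:
    """Size of the largest group of outputs sharing exactly the same value,
    the CoinJoin signature behind the equal-value-output rule."""
    return max(Counter(outputs_sat).values()) if outputs_sat else 0


def mixer_score(n_inputs: int, outputs_sat: List[int], size_bytes: int) -> Tuple[int, List[str]]:
    """Apply the page's rules and return the score with the reasons that fired.
    Assumption: input-count rules are tiers, so only the higher one applies."""
    score, reasons = 0, []
    if n_inputs >= 100:
        score += 4
        reasons.append(">=100 inputs (+4)")
    elif n_inputs >= 50:
        score += 3
        reasons.append(">=50 inputs (+3)")
    if len(outputs_sat) >= 100:
        score += 4
        reasons.append(">=100 outputs (+4)")
    if max_equal_value_outputs(outputs_sat) >= 50:
        score += 4
        reasons.append(">=50 equal-value outputs (+4)")
    if size_bytes >= LARGE_TX_BYTES:
        score += 2
        reasons.append("size >=20KB (+2)")
    return score, reasons


def confidence(score: int) -> str:
    """Confidence bands from the page; "low" below 4 is an assumption."""
    if score >= 10:
        return "very high"
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def classify_tx(n_inputs: int, outputs_sat: List[int], size_bytes: int) -> Dict:
    score, reasons = mixer_score(n_inputs, outputs_sat, size_bytes)
    return {"score": score, "is_mixer": score >= MIXER_THRESHOLD,
            "confidence": confidence(score), "reasons": reasons}


# Constructed sample transactions (shapes only, not real txids)
COINJOIN_LIKE = dict(n_inputs=120, outputs_sat=[1_000_000] * 110 + [123_456 + i for i in range(10)], size_bytes=25_000)
CONSOLIDATION = dict(n_inputs=60, outputs_sat=[300_000_000], size_bytes=9_000)
BATCH_PAYOUT = dict(n_inputs=1, outputs_sat=[500_000 + 7 * i for i in range(100)], size_bytes=5_000)
BORDERLINE = dict(n_inputs=55, outputs_sat=[2_000_000] * 60, size_bytes=15_000)

if __name__ == "__main__":
    for name, tx in [("coinjoin", COINJOIN_LIKE), ("consolidation", CONSOLIDATION),
                     ("batch payout", BATCH_PAYOUT), ("borderline", BORDERLINE)]:
        print(name, classify_tx(**tx))
```

The batch payout case is the one worth noting: an exchange paying 100 customers in one transaction earns +4 for its output count and lands at "medium", which is why the rules require 7 points before a transaction is called a mixer, and why the per-path analysis still checks the known-exchange database separately.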
Next Steps
Learn about the different investigation modes in Investigation Modes, or dive into specific detection systems:
- Mixer Detection - How CoinJoin patterns are identified
- Exchange Identification - Known wallet databases and heuristics
- Pattern Analysis - Consolidations, splits, and behaviors