Mixer Detection

Identifying CoinJoin and tumbler services through transaction analysis

What is a Bitcoin Mixer?

A Bitcoin mixer (also called a tumbler) is a service that obscures the connection between sender and receiver by combining many users' transactions. The most common type is CoinJoin, where multiple parties create a single transaction with many inputs and outputs.

Why Criminals Use Mixers

• Break the Trail: Makes it difficult to follow specific amounts
• Plausible Deniability: "Not my transaction, just participated in mixing"
• Time Delay: Funds may exit hours or days after entry
• Amount Obfuscation: Output amounts may differ from inputs

CoinJoin Pattern Recognition

Blockchain Detective uses a scoring system to detect mixing patterns.

Detection Indicators

1. High Input Count

Normal transactions have 1-3 inputs. CoinJoin transactions can have 50-500+.

Score calculation:
  IF inputs >= 100: +4 points
  ELSE IF inputs >= 50: +3 points
  ELSE IF inputs >= 20: +2 points

2. High Output Count

Many participants means many outputs.

Score calculation:
  IF outputs >= 100: +4 points
  ELSE IF outputs >= 50: +3 points
  ELSE IF outputs >= 5: +1 point

3. Equal-Value Outputs

The signature of CoinJoin: many outputs with identical values.

Example outputs:
  - 0.10000000 BTC (appears 87 times)
  - 0.01234567 BTC (change, unique)
  - 0.00987654 BTC (change, unique)
  ...

Score calculation:
  IF equal_outputs >= 50: +4 points
  ELSE IF equal_outputs >= 10: +2 points

4. Large Transaction Size

More inputs/outputs = larger transaction.

Score calculation:
  IF size >= 20,000 bytes: +2 points
  ELSE IF size >= 10,000 bytes: +1 point

Complete Scoring Algorithm

FUNCTION detect_coinjoin(transaction):
  score = 0
  indicators = []
  
  // Analyze inputs
  IF num_inputs >= 100:
    score += 4
    indicators.append("Very high input count ({})".format(num_inputs))
  ELSE IF num_inputs >= 50:
    score += 3
    indicators.append("High input count ({})".format(num_inputs))
  ELSE IF num_inputs >= 20:
    score += 2
    indicators.append("Many inputs ({})".format(num_inputs))
  
  // Analyze outputs
  IF num_outputs >= 100:
    score += 4
    indicators.append("Very high output count ({})".format(num_outputs))
  ELSE IF num_outputs >= 50:
    score += 3
    indicators.append("High output count ({})".format(num_outputs))
  ELSE IF num_outputs >= 5:
    score += 1
    indicators.append("Multiple outputs ({})".format(num_outputs))
  
  // Check for equal-value outputs
  value_counts = count_equal_values(outputs)
  max_equal = max(value_counts.values())
  
  IF max_equal >= 50:
    score += 4
    indicators.append("Many equal outputs ({})".format(max_equal))
  ELSE IF max_equal >= 10:
    score += 2
    indicators.append("Equal outputs detected ({})".format(max_equal))
  
  // Check transaction size
  IF size_bytes >= 20000:
    score += 2
    indicators.append("Large transaction ({} bytes)".format(size_bytes))
  ELSE IF size_bytes >= 10000:
    score += 1
    indicators.append("Large transaction ({} bytes)".format(size_bytes))
  
  // Determine confidence
  IF score >= 10:
    confidence = "very_high"
    is_mixer = TRUE
  ELSE IF score >= 7:
    confidence = "high"
    is_mixer = TRUE
  ELSE IF score >= 4:
    confidence = "medium"
    is_mixer = FALSE
  ELSE:
    confidence = "low"
    is_mixer = FALSE
  
  RETURN {
    "is_mixer": is_mixer,
    "confidence": confidence,
    "score": score,
    "max_score": 13,
    "indicators": indicators
  }

Example Detections

Example 1: Clear CoinJoin (Score: 12/13)

Transaction: abc123...
Inputs: 127
Outputs: 128
Equal-value outputs: 125 outputs of 0.05 BTC
Size: 28,492 bytes

Scoring:
  Inputs >= 100: +4
  Outputs >= 100: +4
  Equal outputs >= 50: +4
  Size >= 20KB: +2
  Total: 12/13 = "very_high" confidence

✅ IS MIXER

Example 2: Possible Mixer (Score: 5/13)

Transaction: def456...
Inputs: 23
Outputs: 15
Equal-value outputs: 8 outputs of 0.1 BTC
Size: 4,521 bytes

Scoring:
  Inputs >= 20: +2
  Outputs >= 5: +1
  Equal outputs >= 10: +0 (only 8)
  Size >= 10KB: +0 (only 4.5KB)
  Total: 3/13 = "low" confidence

❌ NOT MIXER (below threshold of 7)

Example 3: High Confidence Mixer (Score: 9/13)

Transaction: ghi789...
Inputs: 68
Outputs: 72
Equal-value outputs: 65 outputs of 0.025 BTC
Size: 15,234 bytes

Scoring:
  Inputs >= 50: +3
  Outputs >= 50: +3
  Equal outputs >= 50: +4  (65 outputs)
  Size >= 10KB: +1
  Total: 11/13 = "very_high" confidence

✅ IS MIXER

Mixer Service Recognition

Some mixers are well-known and can be identified beyond pattern matching.

Known Mixer Addresses

Blockchain Detective maintains a database of confirmed mixer addresses (not revealed in documentation for security).

Mixer Signatures

Different services have unique patterns:

Tracking Through Mixers

While mixers obscure trails, they don't make tracking impossible.

Amount Correlation

If you know the input amount, look for matching outputs within a time window:

Entry: 2.50000000 BTC at 10:30 AM
Mixer transaction: 10:35 AM (127 inputs, 128 outputs)

Search outputs for ~2.50 BTC (within 1% tolerance):
  - 2.49950000 BTC → to Address ABC
  - 2.49980000 BTC → to Address DEF
  - 2.50020000 BTC → to Address GHI

Multiple matches found → Requires additional analysis
Best match: 2.49950000 (closest) + earliest timestamp

Temporal Analysis

Mixers typically have consistent delay patterns:

• Fast mixers: 5-30 minutes
• Standard mixers: 1-6 hours
• Delayed mixers: 24-72 hours

Volume Tracking

Even if exact amount changes, relative size may be preserved:

Entry: 2.5 BTC (one of the larger inputs)
Outputs sorted by size:
  1. 2.8 BTC
  2. 2.5 BTC  ← Likely our exit (similar size ranking)
  3. 2.3 BTC
  ...

Heuristic: Follow similarly-sized output

Limitations

What Mixers Break

• Direct Tracing: Can't follow "this output from that input"
• Amount Certainty: Multiple outputs may match your amount
• Timing Clarity: Delays make correlation harder

What Mixers DON'T Break

• Mixer Detection: We can identify that mixing occurred
• Entry/Exit Points: We know funds entered and left the mixer
• Amount Ranges: Total in ≈ total out (minus fees)
• Eventual Exchange: Funds must eventually convert to fiat

Legal Implications

Evidence Value

Mixer detection has legal significance:

• Consciousness of Guilt: Why hide if legitimate?
• Money Laundering Charges: Mixers can constitute structuring
• Subpoena Targets: Mixer services may keep logs
• Forensic Focus: Concentrate resources on mixer analysis

Mixer Service Cooperation

Some mixers maintain logs despite claims:

• Centralized Services: May respond to legal requests
• Decentralized CoinJoin: No central party to subpoena
• Coordinator Logs: JoinMarket/Wasabi coordinators may log metadata

Investigation Strategy

When Mixer is Detected

1. Document: Record mixer transaction hash and all details
2. Time Window Analysis: Check all outputs within 6 hours
3. Amount Correlation: Find matching amounts (even if multiple)
4. Monitor All Matches: If multiple outputs match, track all of them
5. Look for Patterns: Same-entity outputs may have behavioral similarities
6. Wait for Exchange: Eventually funds must convert to fiat

Professional Tools

Commercial forensics companies have advanced mixer analysis:

• Chainalysis: Proprietary mixer penetration algorithms
• Elliptic: Machine learning for output correlation
• CipherTrace: Historical mixer transaction databases

For high-value cases (> $100K), consider engaging these services.

Future Developments

Improving Detection

Future enhancements to mixer detection:

• Machine Learning: Pattern recognition for new mixer types
• Graph Analysis: Cluster analysis of mixer participants
• Timing Patterns: Fingerprinting different services by behavior
• Fee Analysis: Mixers often use distinctive fee patterns

Privacy Technologies

New privacy tech may require adapted detection:

• Taproot: More uniform transactions (harder to distinguish)
• Lightning Network: Off-chain mixing
• Confidential Transactions: Hidden amounts (not on Bitcoin mainnet)

Next Steps

• Learn about Exchange Identification
• Understand Pattern Analysis techniques
• Read Confidence Scores interpretation