Pattern Analysis

Identifying behavioral patterns in blockchain transactions

Overview

Pattern analysis examines transaction structures and behaviors to infer intent, identify entities, and detect suspicious activity. Unlike mixer detection or exchange identification, which look for specific services, pattern analysis reveals how addresses are being used.

Key Pattern Types

1. Consolidation Patterns

Multiple inputs combined into fewer outputs—typical of wallets collecting funds.

Characteristics

  • Many inputs (3-20+) from different addresses
  • Few outputs (1-3)
  • Output value ≈ sum of inputs minus fee
  • Often precedes large payment or exchange deposit

Example

Transaction: Consolidation
  Inputs:
    1ABC...  0.5 BTC
    1DEF...  0.3 BTC
    1GHI...  0.8 BTC
    1JKL...  0.4 BTC
    1MNO...  0.6 BTC
  Outputs:
    1XYZ...  2.59 BTC  (consolidated)
    1ABC...  0.005 BTC (dust change)
  Fee: 0.005 BTC

Analysis:
  - 5 inputs → 2 outputs
  - All inputs likely same entity (common input heuristic)
  - Preparing for large payment or exchange deposit
  - 1ABC... appears in both inputs and outputs → likely change

Investigation Implications

  • Entity Clustering: All input addresses likely controlled by same party
  • Intent Signal: Consolidating suggests imminent large action
  • Tracking: Follow consolidated output—it's where funds are going

2. Split Patterns

One input divided into multiple outputs—distributing funds or layering.

Characteristics

  • Single input or few inputs
  • Many outputs (3-9 is trackable, 10+ is dispersal)
  • Outputs may be similar sizes (equal distribution)
  • May indicate money laundering layering

Example

Transaction: Split
  Input:
    1ABC...  5.0 BTC
  Outputs:
    1XYZ...  1.5 BTC
    1DEF...  1.2 BTC
    1GHI...  1.0 BTC
    1JKL...  0.8 BTC
    1MNO...  0.49 BTC
  Fee: 0.01 BTC

Analysis:
  - 1 input → 5 outputs
  - Funds splitting into multiple branches
  - No change address (all outputs different from input)
  - Follow largest output (1.5 BTC) to continue investigation

Investigation Implications

  • Layering: Classic money laundering technique
  • Multiple Trails: Investigate multiple paths in parallel
  • Priority: Follow largest amounts first
  • Complexity: May require more resources to track

3. Peeling Chains

Sequential small payments from a large balance—characteristic of payment processing or gradual cashing out.

Characteristics

  • Address starts with large balance
  • Series of transactions sending small amounts
  • Change always returns to same address
  • Pattern continues until balance depleted

Example

Address: 1ABC... starts with 10 BTC

TX 1: 1ABC... → 0.5 BTC to 1XYZ..., 9.49 BTC change to 1ABC...
TX 2: 1ABC... → 0.3 BTC to 1DEF..., 9.18 BTC change to 1ABC...
TX 3: 1ABC... → 0.8 BTC to 1GHI..., 8.37 BTC change to 1ABC...
TX 4: 1ABC... → 0.4 BTC to 1JKL..., 7.96 BTC change to 1ABC...
...continues...

Analysis:
  - Classic peeling chain
  - Methodically sending to different addresses
  - Suggests payment processor OR gradual cash-out
  - Track each payment destination for pattern

Investigation Implications

  • Payment Processing: May be legitimate business activity
  • Gradual Liquidation: Or suspect cashing out slowly
  • Destination Analysis: Check if recipients are exchanges
  • Timing: Regular intervals suggest automation
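
The peeling-chain characteristics above can be checked mechanically. The following is an added example, not code from this tool; the simplified transaction tuples, the `min_hops` and `max_peel_ratio` thresholds and the function names are assumptions, and the sample data is constructed from the example above.

```python
from decimal import Decimal

SATS = 100_000_000  # satoshis per BTC

def btc(x):
    """Convert a BTC string to integer satoshis (avoids float rounding)."""
    return int(Decimal(x) * SATS)

# Constructed sample mirroring the example above:
# (txid, sender, [(recipient, satoshis), ...]); one sender per tx is assumed.
TXS = [
    ("tx1", "1ABC", [("1XYZ", btc("0.5")), ("1ABC", btc("9.49"))]),
    ("tx2", "1ABC", [("1DEF", btc("0.3")), ("1ABC", btc("9.18"))]),
    ("tx3", "1ABC", [("1GHI", btc("0.8")), ("1ABC", btc("8.37"))]),
    ("tx4", "1ABC", [("1JKL", btc("0.4")), ("1ABC", btc("7.96"))]),
]

def find_peeling_chain(txs, address, min_hops=3, max_peel_ratio=0.25):
    """Return the peel hops if `address` shows a peeling chain, else [].

    A hop counts when the tx has one payment plus change back to `address`,
    the payment is small relative to the change, and the change shrinks.
    """
    hops, prev_change = [], None
    for txid, sender, outputs in txs:
        if sender != address:
            continue
        change = [v for a, v in outputs if a == address]
        paid = [(a, v) for a, v in outputs if a != address]
        if len(change) != 1 or len(paid) != 1:
            break  # not the one-payment-plus-change shape
        dest, amount = paid[0]
        if amount > max_peel_ratio * change[0]:
            break  # payment too large to be a "peel"
        if prev_change is not None and change[0] >= prev_change:
            break  # remaining balance must shrink hop over hop
        hops.append({"txid": txid, "to": dest, "sats": amount, "left": change[0]})
        prev_change = change[0]
    return hops if len(hops) >= min_hops else []
```

The `to` field of each hop is the list of destinations to check against known exchange addresses.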

4. Round-Trip Patterns

Funds that eventually return to original address—could indicate circular trading or shell game.

Example

1ABC → 1DEF → 1GHI → 1JKL → 1ABC

Analysis:
  - Funds returned to starting point
  - Possible explanations:
    1. Circular trading to create fake volume
    2. Layering with return to wallet
    3. Failed payment returned
    4. Testing or demonstration

Investigation Implications

  • Obfuscation: May be deliberate complexity
  • Circular Trading: Could violate exchange ToS
  • Stop Following: Mark as circular reference in investigation

Temporal Patterns

Burst Activity

Sudden spike in transactions after long dormancy.

Address Activity:
  2022-01: 0 transactions
  2022-02: 0 transactions
  ...
  2023-06: 0 transactions
  2023-07: 47 transactions in 6 hours
  2023-08: 0 transactions

Analysis:
  - Address activated suddenly
  - High-velocity activity then stops
  - Suggests:
    1. Stolen funds being moved quickly
    2. Automated service activated
    3. Owner finally accessing old wallet

Regular Intervals

Transactions occurring at predictable times.

Transaction Times:
  Monday 09:00
  Monday 09:05
  Monday 09:10
  Tuesday 09:00
  Tuesday 09:05
  ...

Analysis:
  - Precise regular intervals
  - Clearly automated
  - Suggests:
    1. Payment processor
    2. Salary payments
    3. Automated trading bot
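
Both temporal patterns above reduce to simple checks over an address's transaction timestamps. This is an added example, not code from this tool; the function names and the default thresholds (`dormant`, `window`, `min_txs`, `min_days`) are assumptions, and the timestamps are constructed to mirror the two examples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed samples mirroring the two examples above (naive UTC timestamps).
BURST = [datetime(2021, 12, 20, 11, 0)] + [          # last activity before dormancy
    datetime(2023, 7, 14, 2, 0) + timedelta(minutes=7 * i) for i in range(47)]
SCHEDULE = [datetime(2023, 7, 3, 9, m) for m in (0, 5, 10)] + [   # a Monday
    datetime(2023, 7, 4, 9, m) for m in (0, 5)]                   # the Tuesday

def dormancy_bursts(times, dormant=timedelta(days=365),
                    window=timedelta(hours=6), min_txs=10):
    """Return [(burst_start, tx_count)] for bursts that follow a dormant gap."""
    times, found = sorted(times), []
    for i in range(1, len(times)):
        if times[i] - times[i - 1] >= dormant:
            # Count transactions inside the window opened by the first one.
            n = sum(1 for t in times[i:] if t - times[i] <= window)
            if n >= min_txs:
                found.append((times[i], n))
    return found

def recurring_slots(times, min_days=2):
    """Return HH:MM slots that recur on at least min_days distinct dates."""
    days = defaultdict(set)
    for t in times:
        days[t.strftime("%H:%M")].add(t.date())
    return sorted(slot for slot, d in days.items() if len(d) >= min_days)
```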

Value Patterns

Round Numbers

Amounts like 1.0, 0.5, 10.0 suggest human-initiated payments.

Transactions:
  1.00000000 BTC
  0.50000000 BTC
  2.00000000 BTC

Analysis: Round amounts = human user, not automated

Precise Amounts

Odd-looking amounts suggest automated calculation.

Transactions:
  0.12347891 BTC
  0.08429371 BTC
  0.19283746 BTC

Analysis: Precise amounts = likely automated/calculated

Equal Outputs

Many outputs with identical values.

Outputs:
  0.05 BTC (appears 87 times)
  0.0234 BTC (change)

Analysis: Equal outputs = mixer OR batch payment

Address Reuse Patterns

Single-Use Addresses (Good Privacy)

1ABC... receives once, sends once, never used again

Analysis: Modern wallet, good privacy practices

Heavily Reused Addresses (Poor Privacy)

1ABC... used in 500+ transactions

Analysis:
  - Exchange deposit address OR
  - Donation address OR
  - Old wallet with bad practices
  - Easier to track (more data points)

Network Analysis

Hub Addresses

Addresses connected to many others—centralization points.

Address 1ABC... connects to 200+ other addresses

Analysis:
  - Exchange hot wallet OR
  - Payment processor OR
  - Mixer service
  
Implication: Critical node in the network

Isolated Clusters

Groups of addresses that only transact with each other.

Cluster:
  1ABC ↔ 1DEF
  1DEF ↔ 1GHI
  1GHI ↔ 1ABC
  No external connections

Analysis: Likely same entity testing or moving funds
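
Round-trip patterns (section 4 above), hub addresses and isolated clusters are all properties of the address graph. The sketch below is an added example, not code from this tool; it works on constructed (sender, recipient) edges, and the function names and the `max_hops`, `min_degree` and `max_size` thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flows (sender, recipient): a round trip, a hub, a closed triangle.
EDGES = [("1ABC", "1DEF"), ("1DEF", "1GHI"), ("1GHI", "1JKL"), ("1JKL", "1ABC")]
EDGES += [("1HUB", f"1U{i:03d}") for i in range(200)] + [("1HUB", "1ABC")]
EDGES += [("1PPP", "1QQQ"), ("1QQQ", "1RRR"), ("1RRR", "1PPP")]

def build(edges):
    """Return (out, peers): directed successors and undirected neighbours."""
    out, peers = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        out[src].add(dst)
        peers[src].add(dst)
        peers[dst].add(src)
    return out, peers

def round_trip(out, start, max_hops=6):
    """Return the first path start -> ... -> start within max_hops, else None."""
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        for nxt in sorted(out.get(node, ())):
            if nxt == start and len(path) > 1:
                return path + [start]
            if nxt not in path and len(path) < max_hops:
                stack.append((nxt, path + [nxt]))
    return None

def hubs(peers, min_degree=200):
    """Addresses connected to at least min_degree distinct counterparties."""
    return sorted(a for a, p in peers.items() if len(p) >= min_degree)

def isolated_clusters(peers, max_size=5):
    """Small connected components: groups with no external connections."""
    seen, found = set(), []
    for start in sorted(peers):
        if start in seen:
            continue
        comp, todo = set(), [start]
        while todo:
            n = todo.pop()
            if n not in comp:
                comp.add(n)
                todo.extend(peers[n] - comp)
        seen |= comp
        if 1 < len(comp) <= max_size:
            found.append(sorted(comp))
    return found

OUT, PEERS = build(EDGES)
```

A path returned by `round_trip` is the circular reference to mark in the investigation so the trail is not followed a second time.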

Suspicious Pattern Combinations

High-Risk Pattern Stack

Multiple suspicious behaviors together.

  • Receives funds → immediate split into 6 paths
  • All 6 paths go through mixers within 2 hours
  • Outputs consolidate at new address
  • New address immediately sends to exchange

Analysis: Sophisticated money laundering—split, mix, consolidate, cash out.

Moderate-Risk Pattern

  • Receives funds → waits 2 weeks
  • Single transfer to new address
  • New address sends to exchange after 1 day

Analysis: Simple layering with time delay—less sophisticated but still deliberate.

Low-Risk Pattern

  • Receives funds
  • Immediate direct transfer to known exchange
  • No mixers, splits, or delays

Analysis: Legitimate user or unsophisticated actor.

Investigation Decision Trees

When Split is Detected

IF outputs count == 2:
  One is likely payment, one is change → Follow non-change
ELSE IF outputs count between 3-9:
  Trackable split → Investigate all paths (prioritize largest)
ELSE IF outputs count >= 10:
  Dispersal → End investigation (too many paths)

When Consolidation is Detected

Consolidation detected:
  1. Note: All input addresses likely same entity
  2. Follow consolidated output (main destination)
  3. Check if output goes to exchange (common pattern)
  4. Document: Consolidation often precedes important action
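
The consolidation and split characteristics from Key Pattern Types and the two decision trees above can be combined into one classifier. This is an added example, not code from this tool; the function name, the returned field names and the rule that a consolidation needs more inputs than outputs are assumptions, and the sample transactions are constructed from the consolidation and split examples earlier on this page.

```python
# Constructed from the two examples above; values are integer satoshis.
CONSOLIDATION = (
    [("1ABC", 50_000_000), ("1DEF", 30_000_000), ("1GHI", 80_000_000),
     ("1JKL", 40_000_000), ("1MNO", 60_000_000)],
    [("1XYZ", 259_000_000), ("1ABC", 500_000)],
)
SPLIT = (
    [("1ABC", 500_000_000)],
    [("1XYZ", 150_000_000), ("1DEF", 120_000_000), ("1GHI", 100_000_000),
     ("1JKL", 80_000_000), ("1MNO", 49_000_000)],
)

def classify_tx(inputs, outputs):
    """Classify a tx given lists of (address, satoshis); returns a finding dict."""
    in_addrs = {a for a, _ in inputs}
    fee = sum(v for _, v in inputs) - sum(v for _, v in outputs)
    if fee < 0:
        raise ValueError("outputs exceed inputs: malformed transaction data")
    # An output paying an address that also funded the tx is likely change.
    change = [a for a, _ in outputs if a in in_addrs]
    # Remaining outputs are the trails to follow, largest amount first.
    follow = [a for a, _ in sorted((o for o in outputs if o[0] not in in_addrs),
                                   key=lambda o: o[1], reverse=True)]
    n_in, n_out = len(inputs), len(outputs)
    cluster = []
    if n_in >= 3 and n_out <= 3 and n_in > n_out:
        pattern, action = "consolidation", "follow consolidated output"
        cluster = sorted(in_addrs)  # common input heuristic: one entity
    elif n_out >= 10:
        pattern, action = "dispersal", "end investigation (too many paths)"
    elif n_out >= 3:
        pattern, action = "split", "investigate all paths, largest first"
    elif n_out == 2:
        pattern, action = "payment+change", "follow non-change output"
    else:
        pattern, action = "single-output", "follow the only output"
    return {"pattern": pattern, "action": action, "fee": fee, "cluster": cluster,
            "likely_change": change, "follow": follow}
```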

Pattern-Based Confidence

Pattern                   | Confidence Boost | Reasoning
Consolidation → Exchange  | +High            | Common legitimate pattern
Split → Multiple mixers   | +Very High       | Clear obfuscation intent
Peeling to exchanges      | +Moderate        | Could be business or cashing out
Immediate mixer usage     | +High            | Suggests guilt consciousness
Long dormancy then burst  | +Moderate        | Suspicious timing

Next Steps