Transaction Graph Analysis

This foundational technique groups multiple addresses controlled by a single entity using deterministic rules or heuristics. Common methods include the common-input-ownership heuristic (inputs to a transaction are assumed to be owned by the same entity) and change address detection. This is critical for mapping wallet activity, estimating entity balances, and de-anonymizing users for compliance or research.

Identifies the most influential or important nodes (addresses) within the transaction graph. Key metrics include:

• Degree Centrality: Number of direct connections (simple transaction count).
• Betweenness Centrality: How often a node lies on the shortest path between others, identifying bridges or intermediaries.
• Eigenvector Centrality: Measures a node's influence based on the influence of its neighbors. Used to find key hubs in DeFi protocols or money laundering networks.

Also known as graph clustering, this technique algorithmically partitions the graph into densely connected subgroups (communities or clusters) with sparse connections between them. It reveals natural structures like:

• Money laundering rings or coordinated groups.
• Arbitrage bot fleets operating in unison.
• Protocol-specific user cohorts (e.g., loyal stakers, yield farmers). Algorithms like Louvain or Leiden are commonly used.

Involves searching for specific, predefined topological structures (motifs or patterns) within the larger graph. This is essential for identifying known behavioral signatures, such as:

• Tornado Cash-style mixing patterns (deposit/withdrawal cycles).
• Pump-and-dump schemes with coordinated buying and selling.
• Flash loan attack patterns involving rapid, collateral-free borrowing and complex arbitrage.

Analyzes how value and influence move through the graph over time, not just as a static snapshot. This includes tracking:

• Funds flow paths from a source to a destination.
• Velocity of assets through specific addresses or protocols.
• Time-series analysis of graph metrics to detect anomalous spikes (e.g., sudden mass exits from a protocol) or seasonal patterns.

Applies advanced ML models like Graph Neural Networks (GNNs) to learn complex, non-linear patterns for tasks standard heuristics miss. Common applications include:

• Fraud and anomaly detection by learning normal vs. abnormal subgraph structures.
• Wallet profiling and classification (e.g., exchange, miner, smart contract).
• Predictive modeling of future transactions or price impacts based on network dynamics.

Heuristic clustering is the foundational technique of transaction graph analysis, where multiple addresses are linked to a single entity using deterministic rules. Common heuristics include:

• Common Input Ownership: All inputs to a transaction are assumed to be controlled by the same entity.
• Change Address Detection: Identifying new output addresses that receive the 'change' from a transaction.
• CoinJoin & Mixer Identification: Clustering all participants in a privacy-enhancing transaction, which can paradoxically link them together.

The underlying blockchain data model fundamentally shapes analysis. UTXO-based chains (e.g., Bitcoin) are analyzed via coin movement graphs, where each UTXO has a clear lineage. Account-based chains (e.g., Ethereum) are analyzed via state transition graphs, focusing on balance changes and smart contract interactions. While different, both models leak metadata (timestamps, amounts, gas fees) that feed into clustering algorithms.

CoinJoin is a cooperative privacy technique where multiple users combine their UTXOs into a single transaction with multiple inputs and outputs. It breaks the common-input-ownership heuristic by creating a transaction where inputs are provably controlled by different parties. Implementations vary in trust assumptions, from centralized coordinators (Wasabi Wallet) to peer-to-peer protocols (JoinMarket).

Confidential Transactions (CT) is a cryptographic protocol that hides the transaction amount using Pedersen Commitments and range proofs. By encrypting amounts, CT removes a critical data point for graph analysis, preventing analysts from tracing value flow based on precise sums. It is a core component of privacy-focused protocols like Mimblewimble.

Privacy can be compromised at the network layer. Network-level analysis involves monitoring the peer-to-peer network to link transaction broadcasts to specific IP addresses. Even if on-chain data is obfuscated, the initial propagation of a transaction can reveal its origin. Countermeasures include using Tor or Dandelion++ propagation protocols to obscure the source.

The most potent de-anonymization attacks often involve correlating on-chain activity with off-chain data. This includes:

• Exchange KYC Data: Linking a deposit/withdrawal address to a real identity.
• Public Social Media: Users publicly discussing their addresses or transactions.
• Merchant Payment Processors: IP addresses and order details linked to a receiving address. This creates a 'poison pill' that can unravel otherwise private on-chain behavior.

The process of grouping multiple blockchain addresses that are controlled by the same entity (e.g., an exchange, a user, or a smart contract). Techniques include:

• Common Input Ownership Heuristic: If multiple addresses are inputs to the same transaction, they are likely controlled by the same entity.
• Change Address Detection: Identifying which output of a transaction is the 'change' returned to the sender.
• Behavioral Analysis: Clustering based on transaction patterns, timing, and interaction with known entities.

Quantitative measures used to identify influential or critical nodes (addresses) within a transaction graph. Key metrics include:

• Degree Centrality: Counts the number of direct connections (edges) an address has.
• Betweenness Centrality: Measures how often an address lies on the shortest path between other addresses, identifying bridges or choke points.
• Eigenvector Centrality: Identifies addresses connected to other highly connected addresses, finding influential hubs in the network.

Identifying specific, recurring structures or sequences of transactions that correspond to known behaviors. Common patterns include:

• Mixer/Tumbler Flows: Complex webs of transactions designed to obfuscate fund origins.
• Ponzi or Pyramid Scheme Structures: Recursive funding patterns with new deposits paying earlier investors.
• Arbitrage Bot Activity: Rapid, cyclical transactions across multiple decentralized exchanges (DEXs).
• Airdrop Farming: Sybil clusters creating many addresses to interact with a protocol and claim rewards.

The two fundamental accounting models that define how transaction graphs are constructed and analyzed.

• UTXO Model (Bitcoin, Cardano): The graph is a directed acyclic graph (DAG) of unspent transaction outputs. Analysis focuses on the chain of ownership of discrete 'coins'.
• Account-Based Model (Ethereum, Solana): The graph is a network of stateful accounts (EOAs and contracts) and value transfers between them. Analysis focuses on balance changes and smart contract interactions.
• Impact: The underlying model dictates the heuristics and algorithms used for clustering and flow analysis.

Tools and services that provide processed transaction graph data and visualizations for end-users. They abstract the underlying graph complexity.

• Examples: Chainalysis, Nansen, Dune Analytics, Etherscan's token flow tool.
• Core Function: They apply clustering, labeling, and pattern detection to raw blockchain data, presenting insights via dashboards, alerts, and APIs.
• User Base: Used by compliance teams, investors, researchers, and protocol developers to monitor activity, investigate fraud, and identify trends.