
Methodology

How I investigate on-chain financial crime — from initial address to attributed entity.

Assert only what the data supports.

Phase 01

Address Clustering & Entity Identification

Every investigation begins with the source address and works outward. I cluster wallets by shared funding sources, timing patterns, and behavioral signatures — identifying whether multiple addresses represent one actor before tracing any further. Entity labels from Arkham and Breadcrumbs are cross-referenced against on-chain behavior rather than accepted at face value.

Tools: Arkham Intelligence, Breadcrumbs, Etherscan V2, BSCScan

Phase 02

Transaction Graph Traversal

From the clustered entity, I trace fund flows hop by hop using forward and backward BFS — following both where funds went and where they came from. Custom Python tooling (wallet_investigator.py, multi_hop_tracer.py) automates the traversal across large address sets. All hops are verified against raw chain data, not inferred.

Tools: wallet_investigator.py, multi_hop_tracer.py, Etherscan V2 API, Alchemy RPC, DuneSQL

Phase 03

Exchange & Bridge Attribution

When funds reach a bridge or exchange, I identify the specific contract, reconstruct the cross-chain transfer using timing and amount matching, and attribute the destination address. Bridge protocols traced include THORChain, deBridge, and Chainflip. Exchange attribution is recorded at the deposit-address level where possible.

Tools: THORChain, deBridge, Chainflip, Etherscan V2, BSCScan, Alchemy RPC

Phase 04

Reporting & Confidence Grading

Findings are written up as structured intelligence briefs. Every claim is graded: Confirmed (directly verifiable on-chain), Probable (consistent with evidence, alternative explanation possible), or Unconfirmed (hypothesis requiring further data). Nothing is collapsed into a single verdict. Reports are delivered as PDF for formal investigations and as structured markdown write-ups on this site.

Tools: PDF (formal delivery), Markdown (site write-ups)
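
The timing and amount matching from Phase 03, combined with the grading from Phase 04, as an added example that is not the author's tooling. The Transfer record, the tolerance constants, the sample data and the rule that a unique heuristic match is graded Probable (never Confirmed) are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    tx: str        # constructed transaction id
    chain: str
    address: str   # sender for a deposit, recipient for a payout
    amount: float  # value in one common unit, e.g. USD at transfer time
    ts: int        # unix seconds

# Assumed tolerances (not from the page); tune per bridge protocol.
MAX_DELAY_S = 1800        # payout must follow the deposit within 30 minutes
MAX_FEE_FRACTION = 0.02   # payout may be up to 2% below the deposit

def candidates(deposit, payouts):
    """Payouts on another chain that fit the deposit's time and amount window."""
    floor = deposit.amount * (1 - MAX_FEE_FRACTION)
    return [p for p in payouts
            if p.chain != deposit.chain
            and 0 <= p.ts - deposit.ts <= MAX_DELAY_S
            and floor <= p.amount <= deposit.amount]

def attribute(deposit, payouts):
    """Return (destination address or None, grade, candidate tx ids)."""
    hits = candidates(deposit, payouts)
    ids = [p.tx for p in hits]
    if len(hits) == 1:
        # Heuristic match only: an alternative explanation remains possible.
        return hits[0].address, "Probable", ids
    # No fit or several fits: keep it as a hypothesis, list the alternatives.
    return None, "Unconfirmed", ids

# Constructed sample data; ids and addresses are placeholders.
DEPOSIT = Transfer("dep-1", "ethereum", "src-wallet", 10_000.0, 1_700_000_000)
PAYOUTS = [
    Transfer("out-1", "bitcoin", "dest-A", 9_950.0, 1_700_000_300),  # fits
    Transfer("out-2", "bitcoin", "dest-B", 9_100.0, 1_700_000_200),  # too small
    Transfer("out-3", "bitcoin", "dest-C", 9_960.0, 1_700_005_000),  # too late
    Transfer("out-4", "bitcoin", "dest-D", 9_970.0, 1_699_999_000),  # precedes deposit
]
# A second fitting payout makes the match ambiguous.
AMBIGUOUS = PAYOUTS + [Transfer("out-5", "bitcoin", "dest-E", 9_940.0, 1_700_000_400)]

if __name__ == "__main__":
    print(attribute(DEPOSIT, PAYOUTS))
    print(attribute(DEPOSIT, AMBIGUOUS))
```

Returning the full candidate list alongside the grade keeps the alternative explanations visible in the report instead of collapsing them into one destination.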

A Note on Confidence

On-chain data is immutable but interpretation is not. The confirmed / probable / unconfirmed framework exists because collapsing uncertain findings into confident verdicts causes real harm — to investigations, to subjects, and to the credibility of the analysis. Every claim in every write-up on this site is graded. When I don't know, I say so.