Methodology

When a transaction spends multiple inputs, those input addresses are almost always controlled by one entity — you need every private key to sign. We union-find all co-spent addresses into a single cluster. CoinJoins are explicitly excluded, because their whole purpose is to break this assumption.

Caveat — PayJoin and some multi-party protocols deliberately violate this. Treat clusters as strong hints, not identities.

CoinJoins leave a structural signature: many outputs of identical value funded by a comparable number of inputs. We match against known schemes — Whirlpool (fixed 5×5 denominations), Wasabi 1 (~0.1 BTC base), Wasabi 2 / WabiSabi (large participant sets), and JoinMarket (small equal-output sets) — and emit a confidence per match.

Caveat — A high-participant payment batch can look like a coinjoin. Confidence below ~0.6 means 'structurally plausible', not 'confirmed'.

For two-output spends we combine several signals: the output whose script type matches the inputs is likely change; a round-number output is likely the payment, leaving the remainder as change. Signals are scored and the winner is reported with a confidence.

Caveat — Wallets that randomize change position and match address types defeat this. It is the weakest heuristic here by design.

The score estimates how a regulated exchange's compliance desk would treat these coins — higher means less likely to be accepted, more likely to be flagged or frozen. Two independent factors combine (by max): label taint flows downstream from documented hacks, seizures, and sanctioned wallets (these go RED); and mixing exposure rises with the number of coinjoins the coins passed through. A coinjoin is a legitimate privacy tool, so one or a few mixes is MEDIUM — only heavy, repeated remixing trends toward HIGH, and a coinjoin only goes RED when its source is actually flagged.

Caveat — This models exchange behaviour, not guilt — privacy is legitimate and a high score is not an accusation. Attribution combines the full U.S. Treasury OFAC SDN sanctioned-address list (the authoritative 'do not touch' source) with a small curated set of documented entities, each with a source. PayJoin defeats detection entirely, so payjoined coins score low — a known blind spot, not a clean bill.

Any address can be screened for direct exposure (the labelled entities it transacts with) and indirect exposure (labelled entities reached by tracing its funding history — the same 'go back until you hit a known service' approach commercial tools use). Results aggregate by risk category into one acceptance-risk score, available both in the UI and as a JSON API at /api/screen/<address>. Sanctions screening runs against the live OFAC list.

Caveat — Screening quality is bounded by the label set: it lights up on sanctioned and documented entities but stays blank for unknown ones. The engine is complete; broader attribution data is the ongoing work.

Beyond the headline verdicts, we surface behavioural tells: address reuse (paying back to a funding address — a privacy leak), dusting (clusters of economically meaningless outputs used for tracking), round-number payments (which usually mark the payment vs. the change), and self-transfers (every output returns to an input address). On the graph, edges believed to carry self-change render dashed amber rather than solid.

Caveat — These are weak, individually-defeatable signals — useful in aggregate to characterise a wallet's behaviour, not to prove intent.