Last updated: April 9, 2026
All analysis results produced by Trailbit are probabilistic, heuristic-based assessments derived from publicly available Bitcoin blockchain data. No finding should be treated as a deterministic fact.
Results require human verification before being used as the basis for regulatory filings, legal proceedings, or other consequential action. Compliance teams and analysts are expected to apply professional judgment when interpreting platform outputs.
Trailbit applies transparent, documented heuristics to on-chain data. Every risk score, pattern detection result, and entity attribution label is traceable to a specific documented methodology with known confidence characteristics. This transparency is intentional — it supports defensible compliance workflows and enables analysts to explain their reasoning in audits, court filings, and regulatory reviews.
Each address and transaction receives an overall risk score on a 0–100 scale derived from multi-factor analysis. The score aggregates signals from pattern detection, risk screening, temporal analysis, and behavioral fingerprinting.

| Level | Score range | Interpretation |
|---|---|---|
| Low | 0–25 | Minimal risk indicators detected |
| Medium | 26–50 | Some concerning patterns present |
| High | 51–75 | Significant risk indicators detected |
| Critical | 76–100 | Multiple severe risk factors present |

The following heuristics are applied to transaction data. Each entry documents what the heuristic detects, its confidence characteristics, and known false-positive scenarios.
Confidence: Medium
Detects sequential 1-input to 2-output transactions where one output retains 80–99% of the incoming value and the smaller output is spent. Requires a minimum chain length of 3 linked transactions to qualify as a confirmed peel chain.
Known false positives: Regular payment sequences where one party consistently receives smaller amounts; exchange withdrawal batches that produce structurally similar output ratios.
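The peel-chain rule above can be checked against a small transaction graph. The sketch below is an added example, not Trailbit's implementation; the `Tx` structure, the placeholder txids and the choice to follow the retained (larger) output to the next link are assumptions.

```python
from dataclasses import dataclass

RETAIN_MIN, RETAIN_MAX = 0.80, 0.99  # page: larger output keeps 80-99% of incoming value
MIN_CHAIN_LENGTH = 3                 # page: at least 3 linked transactions

@dataclass
class Tx:
    n_inputs: int
    input_value: int   # satoshis
    outputs: list      # [(value_sat, spending_txid or None), ...]

def peel_step(tx):
    """Return the retained (larger) output if tx is one peel step, else None."""
    if tx.n_inputs != 1 or len(tx.outputs) != 2 or tx.input_value <= 0:
        return None
    retained, peeled = sorted(tx.outputs, key=lambda o: o[0], reverse=True)
    ratio = retained[0] / tx.input_value
    if not RETAIN_MIN <= ratio <= RETAIN_MAX:
        return None
    if peeled[1] is None:      # page: the smaller output must be spent
        return None
    return retained

def find_peel_chain(start_txid, txs):
    """Follow retained outputs from start_txid; return the txids if the chain qualifies."""
    chain, txid = [], start_txid
    while txid in txs and txid not in chain:
        retained = peel_step(txs[txid])
        if retained is None:
            break
        chain.append(txid)
        txid = retained[1]     # assumption: the chain continues via the retained output
    return chain if len(chain) >= MIN_CHAIN_LENGTH else []

# Constructed sample graph (values in satoshis, txids are placeholders).
SAMPLE = {
    "tx_a": Tx(1, 100_000_000, [(95_000_000, "tx_b"), (4_990_000, "pay_1")]),
    "tx_b": Tx(1, 95_000_000, [(88_000_000, "tx_c"), (6_990_000, "pay_2")]),
    "tx_c": Tx(1, 88_000_000, [(80_000_000, None), (7_990_000, "pay_3")]),
    "tx_split": Tx(1, 10_000_000, [(5_000_000, "x"), (4_990_000, "y")]),
}

if __name__ == "__main__":
    print(find_peel_chain("tx_a", SAMPLE))
```

Starting from `tx_b` the same graph yields only two links, so nothing is reported: the three-transaction minimum is what separates a chain from a pair of ordinary payments with change.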
Confidence: Medium-High
Two sub-patterns are detected. Large consolidation: 10 or more inputs merged into one or more outputs. Perfect consolidation: 3 or more inputs combined into a single output.
Known false positives: Standard wallet UTXO cleanup operations; exchange cold-wallet consolidation after a high-volume period; mining pool payout aggregation.
Confidence: Medium
Uses an equal-output sliding window algorithm to identify transactions where 5 or more inputs and 5 or more outputs share similar values within a 2% tolerance. This covers Wasabi Wallet, Whirlpool (Samourai), JoinMarket, and structurally similar protocols.
Known false positives: Batch payment transactions where multiple recipients receive similar amounts (e.g., payroll disbursements, recurring billing aggregation).
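An equal-output sliding window of the kind described above, as an added example that is not Trailbit's code. It assumes one reading of the rule (at least 5 inputs, and at least 5 outputs whose values lie within 2% of each other); all sample values are constructed, and the payroll sample reproduces the documented false positive.

```python
TOLERANCE_PCT = 2   # page: values within a 2% tolerance
MIN_COUNT = 5       # page: 5 or more inputs and 5 or more outputs

def largest_similar_group(values, tol_pct=TOLERANCE_PCT):
    """Size of the largest set of values whose maximum is within tol_pct of its minimum."""
    vals = sorted(v for v in values if v > 0)
    best = lo = 0
    for hi in range(len(vals)):
        # Shrink the window from the left until it fits the tolerance.
        # Integer arithmetic avoids float rounding at the boundary.
        while vals[hi] * 100 > vals[lo] * (100 + tol_pct):
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def looks_like_coinjoin(input_values, output_values):
    """Assumed reading of the rule: enough inputs, and enough near-equal outputs."""
    return (len(input_values) >= MIN_COUNT
            and largest_similar_group(output_values) >= MIN_COUNT)

# Constructed samples: (input values, output values) in satoshis.
MIXING_ROUND = (
    [13_300_000, 10_800_000, 10_020_000, 10_005_000, 4_000_000, 3_500_000, 2_520_000],
    [9_990_000, 10_000_000, 10_000_000, 10_050_000, 10_100_000, 3_214_000, 780_000],
)
PAYROLL_BATCH = (   # documented false positive: equal salaries paid in one batch
    [3_000_000] * 5 + [1_140_000],
    [2_500_000] * 6 + [1_130_000],
)
NEAR_MISS = (       # the fifth output is 3% above the others
    [1_010_000] * 5,
    [1_000_000] * 4 + [1_030_000],
)

if __name__ == "__main__":
    for name, sample in [("mixing", MIXING_ROUND), ("payroll", PAYROLL_BATCH),
                         ("near miss", NEAR_MISS)]:
        print(name, looks_like_coinjoin(*sample))
```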
Confidence: Medium
Applies a multi-factor scoring system using 7 heuristics: address reuse, value analysis, script type matching, output position, round-number detection, dust threshold proximity, and script version consistency. An output is classified as change when it scores 45 or higher with at least 2 independent supporting indicators.
Known false positives: Multi-party transactions (e.g., CoinJoin); payment-splitting arrangements where both outputs are intentional payments.
Confidence: High
Calculates a privacy grade based on the single-use address ratio across the analysed address set. Grades: Excellent (>80% unique addresses), Good (>60%), Fair (>40%), Poor (<40%).
Known false positives: Rare — address reuse is directly observable on-chain. The grade reflects a factual metric, not an inference. However, reuse is not inherently suspicious in all contexts (e.g., static donation addresses).
Confidence: Low-Medium
Identifies wallet software from transaction structure signatures. Covered wallet types include Bitcoin Core, Electrum, Wasabi Wallet, Samourai, hardware wallets (Ledger, Trezor), major exchanges, and common mobile wallets. Confidence thresholds range from 0.3 to 0.5 depending on how distinctive the wallet's on-chain signature is.
Known false positives: Custom wallet implementations that coincidentally match the structural signature of a known wallet type; updated wallet versions that change signing behavior; users who modify default wallet settings.
Confidence: Medium
Identifies exchange-like behaviour patterns including characteristic peeling, large consolidations, batch withdrawal structures, and consistent fee policies. A likelihood threshold of 0.7 is required before an address cluster is flagged as exchange-like.
Known false positives: Large payment processors with high transaction volume; high-volume merchants operating at exchange-like scale; OTC desks.
Confidence: Medium
Identifies round-trip transactions where value returns to an originating address after passing through one or more intermediate hops. Confidence is adjusted downward for longer hop chains (increasing likelihood of coincidence) and upward for fast round-trips occurring within 1 hour.
Known false positives: Coincidental address reuse at separate points in time; exchange deposit-withdrawal cycles where the same user controls both ends; wallet recovery operations.
Confidence: Medium-High
Compares transaction fee rates against yearly median benchmarks calibrated to network conditions. Extreme overpayment (more than 10× the median benchmark) carries a confidence score of 0.9. Significant overpayment (more than 3× the median) carries a confidence score of 0.75.
Known false positives: Emergency transactions submitted during fee spikes; users relying on default fee estimators during congestion; RBF fee-bumped transactions where only the replacement is analysed.
Confidence: Medium
Based on published academic research. Detects recursive splitting trees where a transaction produces N outputs and each is subsequently spent in a similar structure. Minimum requirements: 3 non-dust outputs per node, at least 2 validated generations, and 50% or more valid descendants. Tracing is capped at 7 generations to manage computational bounds.
Known false positives: Legitimate fund distribution networks (e.g., affiliate payouts, grant disbursements); merchant payment processors that use fan-out structures for operational reasons.
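The recursive check described above, as an added sketch rather than Trailbit's implementation. The 546-satoshi dust threshold, measuring the 50% rule over a node's spent non-dust outputs, and taking the deepest valid branch as the generation count are assumptions; the transaction maps are constructed.

```python
DUST_SAT = 546          # assumption: the page gives no dust threshold
MIN_OUTPUTS = 3         # page: 3 non-dust outputs per node
MIN_GENERATIONS = 2     # page: at least 2 validated generations
MIN_VALID_RATIO = 0.5   # page: 50% or more valid descendants
MAX_GENERATIONS = 7     # page: tracing is capped at 7 generations

def non_dust(outputs):
    return [(value, spender) for value, spender in outputs if value > DUST_SAT]

def validated_generations(txid, txs, generation=1):
    """Count consecutive generations of splitting nodes, starting at txid."""
    outputs = txs.get(txid)
    if outputs is None or generation > MAX_GENERATIONS:
        return 0
    live = non_dust(outputs)
    if len(live) < MIN_OUTPUTS:
        return 0
    children = [spender for _, spender in live if spender is not None]
    depths = [validated_generations(c, txs, generation + 1) for c in children]
    valid = [d for d in depths if d > 0]
    # Assumption: the 50% rule is measured over this node's spent non-dust outputs.
    if not children or len(valid) / len(children) < MIN_VALID_RATIO:
        return 1
    return 1 + max(valid)

def is_fanout_tree(root_txid, txs):
    return validated_generations(root_txid, txs) >= MIN_GENERATIONS

# Constructed samples: txid -> [(value_sat, spending_txid or None), ...]
LEAF_SPLIT = [(9_000, None)] * 3
TREE = {
    "root": [(30_000, "a"), (30_000, "b"), (30_000, "c"), (300, None)],
    "a": LEAF_SPLIT, "b": LEAF_SPLIT,     # 2 of 3 children split again
    "c": [(29_000, None)],
    "payout": [(30_000, "p1"), (30_000, "p2"), (30_000, "p3")],
    "p1": LEAF_SPLIT,                     # only 1 of 3 children splits again
    "p2": [(29_000, None)], "p3": [(29_000, None)],
}
# Ten nested splits, to show the generation cap.
DEEP = {f"n{i}": [(9_000, f"n{i + 1}"), (9_000, None), (9_000, None)] for i in range(10)}

if __name__ == "__main__":
    print(is_fanout_tree("root", TREE), is_fanout_tree("payout", TREE))
```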
Temporal pattern analysis examines when transactions occur to identify activity concentration patterns that may indicate geographic origin, operational schedules, or automated behaviour.
Risk screening compares addresses against publicly available watchlist data, including government-published flagged-address lists.
Entity attribution associates Bitcoin addresses with known entities (exchanges, services, mining pools, dark-market infrastructure) using community-sourced label data.

| Level | Meaning |
|---|---|
| Confirmed | Label verified by the entity or through on-chain proof |
| High | Strong corroborating evidence from multiple independent sources |
| Medium | Plausible attribution with limited corroboration |

Attribution data is informational, not authoritative. Confidence levels are always preserved and displayed to users — they are never stripped or aggregated away in exports or reports.
Community-sourced labels vary in accuracy by source and entity type. Labels should be treated as investigative context, not verified identity.
Trailbit optionally integrates AI-assisted analysis via the Anthropic Claude API. This feature uses a bring-your-own-key (BYOK) architecture — users provide their own API key and are subject to Anthropic's usage policies directly.
For questions about specific heuristics, confidence assessments, or methodology suitability for a particular compliance or legal context, contact us at contact@trailbit.io.