Overview
A financial intelligence unit investigating a darknet fentanyl marketplace started with one known vendor wallet. Within forty seconds, the clustering engine had identified 312 additional addresses under the same operator's control, including three exchange deposit accounts and a consolidation wallet holding the equivalent of $1.8M. That kind of entity expansion, from a single seed to a complete financial picture, is what address clustering is for.
The Blockchain Address Clustering module uses advanced heuristic algorithms and machine learning to group cryptocurrency addresses into entities, revealing the real-world identities and relationships behind blockchain transactions. Processing hundreds of millions of addresses across multiple networks, it delivers real-time entity resolution in seconds rather than the weeks of manual analysis that preceded modern automated approaches.
Key Features
- Multi-Heuristic Clustering: Implements seven proven clustering heuristics including common input ownership, change address detection, and co-spending analysis for high-accuracy entity resolution
- Real-Time Entity Resolution: Delivers instant clustering results, maintaining current entity profiles as new transactions are confirmed on-chain
- Cross-Chain Entity Detection: Identifies entities operating across multiple blockchain networks through behavioural correlation and address linking
- Advanced Graph Algorithms: Processes wallet networks with millions of connected addresses, identifying entity boundaries through community detection and structural analysis
- Change Address Detection: Proprietary algorithms identify change outputs with high precision, critical for UTXO-based blockchain analysis
- Confidence-Scored Results: Every cluster relationship includes a confidence score enabling risk-based decision-making
- Cluster Evolution Tracking: Monitors how entity clusters grow, merge, and split over time, maintaining historical context for investigations
Supported Networks
- UTXO Chains: Bitcoin, Bitcoin Cash, Litecoin, Dogecoin, Zcash, Dash
- EVM-Compatible Chains: Ethereum, Polygon, BNB Chain, Arbitrum, Optimism, Base, Avalanche, Fantom, Cronos, Moonbeam, and more
- Alternative Networks: Solana, Cardano, Tron, Ripple, Polkadot, Cosmos, Near, Algorand, Tezos
- Layer 2 Solutions: Arbitrum, Optimism, Base, zkSync Era, Polygon zkEVM, Starknet, Linea
Investigation Use Cases
Law Enforcement Investigations
- Rapidly expand from a single known address to the full set of addresses controlled by a suspect entity
- Map criminal organisation financial infrastructure by clustering payment, operational, and cash-out wallets
- Generate court-admissible evidence packages showing entity-level fund flows rather than individual transactions
Ransomware Attribution
- Cluster ransomware payment wallets to identify operator infrastructure
- Connect apparently unrelated ransom payments to the same criminal organisation
- Track proceeds from multiple victims through consolidation and cash-out patterns
Exchange Compliance
- Identify when multiple customer accounts are controlled by the same entity
- Detect structuring attempts using multiple addresses to circumvent reporting thresholds
- Enhance Know Your Customer (KYC) processes through entity-level risk assessment
Darknet Market Analysis
- Group vendor wallets to estimate total illicit revenue per marketplace seller
- Map marketplace operational wallets including escrow, hot wallets, and administrator funds
- Track entity activity across marketplace shutdowns and migrations
Sanctions Enforcement
- Expand sanctioned address lists by identifying additional wallets controlled by designated entities
- Detect sanctions evasion through address rotation and entity restructuring
- Quantify total asset exposure to sanctioned entities across clustered wallet networks
Open Standards
- GraphQL (June 2018 specification): All clustering queries and mutations are exposed via a typed GraphQL API, enabling structured entity resolution requests with confidence-scored responses and paginated cluster member retrieval.
- FATF Recommendation 16 (Travel Rule): Entity-level clustering results are used directly to support Virtual Asset Service Provider obligations under FATF R.16, identifying when multiple addresses constitute a single counterparty for transaction reporting purposes.
- FIPS 180-4 (SHA-256): Forensic evidence packages are integrity-sealed using SHA-256 cryptographic hashing, with the hash stored alongside each court-ready report to allow tamper detection during legal proceedings.
- Ethereum Virtual Machine (EVM) specification: The multi-chain service applies a uniform clustering interface across all EVM-compatible networks, and ERC-20 Transfer event decoding is used to attribute token flows within entity clusters.
- Bitcoin UTXO model (BIP standards): The common-input-ownership heuristic and change-address detection algorithms are grounded in the UTXO transaction model defined by Bitcoin Improvement Proposals, applied across all supported UTXO-based chains.
- OpenSanctions open data standard: Clustered entity profiles are screened in real time against the OpenSanctions consolidated dataset (covering OFAC SDN, UN, and EU designations) to flag sanctioned entities across their full wallet network.
- ISO 8601: All timestamps in clustering results, forensic reports, and audit trails are serialised in ISO 8601 format, ensuring interoperability with downstream case-management and regulatory-reporting systems.
- GDPR (Regulation (EU) 2016/679): Data handling for clustering of public blockchain addresses is performed in accordance with GDPR requirements, with appropriate safeguards applied when personal data may be inferred from on-chain activity.
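The common-input-ownership heuristic named under Key Features and in the Bitcoin UTXO model item above can be illustrated with a union-find over transaction inputs, expanded from one seed address. This is an added example, not the module's own code: the transaction layout, the function names and the equal-output guard against multi-party transactions are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample transactions (not real chain data): each lists the
# addresses that funded it and its (address, value) outputs.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["A", "B"], "outputs": [("X", 50), ("C", 7)]},
    {"txid": "t2", "inputs": ["B", "D"], "outputs": [("Y", 20)]},
    {"txid": "t3", "inputs": ["E"], "outputs": [("A", 5)]},
    # Many inputs, equal-valued outputs: CoinJoin-like, several owners.
    {"txid": "t4", "inputs": ["D", "P", "Q"],
     "outputs": [("R", 10), ("S", 10), ("T", 10)]},
]

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def looks_collaborative(tx, min_equal=3):
    """Simplified guard (assumption): many equal-valued outputs suggest a
    multi-party transaction, where shared inputs do not imply one owner."""
    top = max(Counter(v for _, v in tx["outputs"]).values(), default=0)
    return len(tx["inputs"]) >= min_equal and top >= min_equal

def cluster_from_seed(txs, seed):
    """Return (addresses clustered with seed, txids skipped by the guard)."""
    uf, skipped = UnionFind(), []
    for tx in txs:
        if not tx["inputs"]:  # coinbase: no funding addresses to link
            continue
        if looks_collaborative(tx):
            skipped.append(tx["txid"])
            continue
        first = tx["inputs"][0]
        uf.find(first)  # register single-input addresses too
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)  # co-spent inputs share an owner
    root = uf.find(seed)
    members = {a for a in list(uf.parent) if uf.find(a) == root}
    return members, skipped
```

Without the guard, transaction `t4` would merge `P` and `Q` into the seed's cluster through `D`, which is the false-merge failure mode that confidence scoring has to account for.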
Compliance
- Clustering intelligence supports AML/CTF program requirements for virtual asset service providers
- Entity-level risk assessment aligns with FATF Recommendation 16 (Travel Rule) obligations
- OpenSanctions integration ensures sanctioned entity clusters stay current with the latest designations
- Audit trail documentation for all clustering decisions and confidence scores
- Results suitable for regulatory reporting and Suspicious Activity Report (SAR) preparation
- Supports Bank Secrecy Act and FATF Travel Rule compliance workflows
- Data handling compliant with GDPR requirements for public blockchain data analysis
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14