Blockchain Wallet Similarity Engine

Category: Blockchain
Last Updated: Feb 5, 2026
blockchain, compliance

Overview

A threat intelligence team investigating a ransomware group noticed something unusual: despite using fresh wallets for each campaign, the operators kept the same gas price preferences, the same transaction construction patterns, and the same active hours. Those behavioural constants, invisible to traditional address clustering, were enough for the similarity engine to link eight apparently unrelated wallets to the same operator within days of their first transactions. The attacker changed addresses. They couldn't change their habits.

The Blockchain Wallet Similarity Engine employs behavioural analysis and pattern matching to identify related wallets, detect coordinated activity, and uncover hidden entity relationships across blockchain networks. Combining multiple analysis dimensions, it achieves high accuracy in identifying wallet clusters belonging to the same controlling entity, reducing investigation time while surfacing more related addresses than traditional heuristic methods. Exchange compliance officers, law enforcement cryptocurrency teams, financial intelligence units, and AML compliance analysts all use this capability for entity expansion and coordinated activity detection.

Key Features

  • Multi-Dimensional Similarity Scoring: Combines six analysis dimensions (transaction patterns, temporal behaviour, counterparty overlap, gas usage profiling, smart contract interactions, and entity co-occurrence) into an overall similarity score (0-100)
  • Transaction Pattern Fingerprinting: Creates unique behavioural fingerprints for wallets based on transaction amounts, frequencies, counterparty distributions, and operational patterns
  • Temporal Behaviour Correlation: Analyses activity timing patterns to identify wallets operated on the same schedule, time zone, or by the same automation systems
  • Counterparty Overlap Analysis: Identifies wallets that transact with the same set of counterparties, indicating shared relationships or common control
  • Gas Usage Profiling: Detects wallet software signatures through gas price preferences, gas limit patterns, and transaction construction characteristics
  • Smart Contract Interaction Patterns: Compares DeFi protocol usage, token preferences, and contract interaction sequences to establish behavioural similarity
  • Real-Time Similarity Queries: Low-latency scoring enables instant investigation expansion from known addresses to related wallets
  • Continuous Learning: Machine learning models continuously improve through observed entity resolutions and validated similarity assessments

Supported Networks

  • Major Blockchains: Bitcoin, Ethereum, Tron, BNB Chain, Solana, Cardano, Polkadot, Avalanche
  • Layer 2 Solutions: Polygon, Arbitrum, Optimism, Base, zkSync Era, Starknet, Linea
  • EVM-Compatible Chains: Cronos, Moonbeam, Fantom, Gnosis Chain, Aurora, Celo, and more
  • Additional Networks: Ripple, Stellar, Algorand, Cosmos, Near, Tezos

Similarity Score Interpretation

  • Very High (90-100): Almost certainly the same entity; multiple strong behavioural matches across dimensions
  • High (75-89): Strong evidence of common control; suitable for investigative expansion and enhanced due diligence
  • Moderate (50-74): Notable similarities warranting investigation; may represent same entity or similar operational patterns
  • Low (25-49): Weak similarities; may be coincidental or reflect common behavioural patterns across unrelated entities
  • Minimal (0-24): No meaningful behavioural similarity detected

Investigation Use Cases

Entity Expansion

  • Starting from a single known address, discover all related wallets controlled by the same entity
  • Expand investigation scope beyond traditional clustering by incorporating behavioural analysis
  • Identify operational wallets, reserve wallets, and test wallets belonging to the same entity

Coordinated Activity Detection

  • Detect sybil attacks where a single entity operates multiple wallets to manipulate markets or governance
  • Identify coordinated wash trading across apparently unrelated addresses
  • Uncover pump-and-dump coordination through synchronised behavioural patterns

Money Laundering Investigation

  • Identify when a single entity operates multiple wallets to structure transactions below reporting thresholds
  • Detect related wallets used in layering schemes where funds are distributed and reconsolidated
  • Connect mixing service input and output addresses through pre/post-mixing behavioural consistency

Fraud Network Mapping

  • Map the complete wallet infrastructure of fraud operations from a single known address
  • Identify accomplice wallets through behavioural similarity to known fraudulent addresses
  • Detect new fraud wallets being established by previously identified scam operators

Exchange Compliance

  • Identify when multiple customer accounts are controlled by the same entity to detect market manipulation or sanctions evasion
  • Enhance Know Your Customer processes with behavioural entity linking
  • Detect attempts to create multiple accounts to circumvent trading limits or sanctions controls

Threat Actor Attribution

  • Link new wallets to known threat actors through behavioural fingerprint matching
  • Identify when threat actors create fresh wallets by detecting operational pattern continuity
  • Connect ransomware payment wallets to operator infrastructure through behavioural similarity

Analysis Dimensions

Transaction Pattern Analysis

  • Transaction amount distributions (mean, median, standard deviation)
  • Transaction frequency and regularity patterns
  • Preferred transaction value ranges and structuring behaviours
  • Input/output patterns for UTXO-based blockchains

Temporal Behaviour Analysis

  • Active hours and day-of-week patterns revealing operator time zones
  • Transaction frequency trends and seasonal patterns
  • Response time patterns (time between receiving and sending funds)
  • Dormancy patterns and activity cycles

Counterparty Analysis

  • Shared counterparty addresses and overlap ratios
  • Similar counterparty entity types: exchanges, DeFi protocols, services
  • Common funding sources or destination patterns
  • Counterparty relationship timing and sequence

Operational Fingerprinting

  • Gas price and gas limit preferences indicating wallet software
  • Transaction construction patterns unique to specific wallet implementations
  • Smart contract interaction sequences and DeFi protocol preferences
  • Token holding patterns and portfolio composition similarity
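
A simplified illustration of how three of the dimensions above (active hours, counterparty overlap, gas price preference) could be combined into a 0-100 score and mapped to the interpretation bands. This is an example added here, not the engine's own algorithm; the weights, the metric used for each dimension, and the sample transactions are assumptions constructed for illustration.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample data: (ISO 8601 timestamp, counterparty label, gas price in gwei).
WALLETS = {
    "wallet_a": [("2026-01-10T02:14:00+00:00", "exchange_1", 31),
                 ("2026-01-10T03:40:00+00:00", "mixer_1", 31),
                 ("2026-01-11T02:05:00+00:00", "exchange_1", 31),
                 ("2026-01-12T03:55:00+00:00", "otc_desk", 45)],
    "wallet_b": [("2026-02-01T02:30:00+00:00", "exchange_1", 31),
                 ("2026-02-01T03:10:00+00:00", "mixer_1", 31),
                 ("2026-02-02T02:48:00+00:00", "mixer_1", 31),
                 ("2026-02-03T03:20:00+00:00", "bridge_1", 45)],
    "wallet_c": [("2026-01-10T14:00:00+00:00", "dex_1", 20),
                 ("2026-01-11T15:30:00+00:00", "nft_market", 22),
                 ("2026-01-12T16:10:00+00:00", "exchange_1", 25)],
    "wallet_empty": [],
}
# Assumed weights (the page does not publish its weighting); bands are the page's own.
WEIGHTS = {"temporal": 0.3, "counterparty": 0.4, "gas": 0.3}
BANDS = [(90, "Very High"), (75, "High"), (50, "Moderate"), (25, "Low"), (0, "Minimal")]

def temporal(a, b):
    """Cosine similarity of 24-bin active-hour histograms (UTC)."""
    def hist(txs):
        c = Counter(datetime.fromisoformat(ts).hour for ts, _, _ in txs)
        return [c.get(h, 0) for h in range(24)]
    u, v = hist(a), hist(b)
    norm = math.sqrt(sum(x * x for x in u)) * math.sqrt(sum(y * y for y in v))
    return sum(x * y for x, y in zip(u, v)) / norm if norm else 0.0

def counterparty(a, b):
    """Jaccard overlap of the two wallets' counterparty sets."""
    sa, sb = {cp for _, cp, _ in a}, {cp for _, cp, _ in b}
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def gas(a, b):
    """Histogram intersection of gas-price frequency distributions."""
    ca, cb = Counter(g for _, _, g in a), Counter(g for _, _, g in b)
    return sum(min(n / len(a), cb[g] / len(b)) for g, n in ca.items()) if a and b else 0.0

def similarity(name_a, name_b):
    """Return (score 0-100, band label) for two wallets in WALLETS."""
    a, b = WALLETS[name_a], WALLETS[name_b]
    parts = {"temporal": temporal(a, b), "counterparty": counterparty(a, b), "gas": gas(a, b)}
    score = round(100 * sum(WEIGHTS[k] * v for k, v in parts.items()))
    return score, next(label for floor, label in BANDS if score >= floor)
```

Here wallet_b shares only half of wallet_a's counterparties, yet the matching active hours and gas prices still place the pair in the High band, while wallet_c's single shared exchange counterparty leaves it in Minimal.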

Open Standards

  • FATF Recommendation 16 (Travel Rule): The compliance workflows directly support Virtual Asset Service Provider (VASP) obligations under FATF Recommendation 16, enabling entity linking and due diligence required before transferring virtual assets above threshold.
  • ERC-20 / ERC-721 / ERC-1155 (EIP-20, EIP-721, EIP-1155): Smart contract interaction pattern analysis covers Ethereum token transfer events defined by these standards, identifying wallet behaviour across fungible token, non-fungible token, and multi-token transfers.
  • GraphQL (June 2018 Specification): All similarity queries, cluster lookups, and wallet attribution results are exposed through a GraphQL API, enabling precise, field-level queries and typed responses for investigative tooling.
  • ISO 8601: All transaction timestamps, evidence export metadata, and audit trail records use ISO 8601 date-time format to ensure interoperability with regulatory and forensic systems.
  • RFC 8259 (JSON): Similarity scores, behavioural fingerprints, cluster results, and compliance export payloads are serialised as JSON for interchange with downstream investigation and case-management platforms.
  • FATF AML/CTF Recommendations (including Bank Secrecy Act alignment): The capability supports Suspicious Activity Report (SAR) workflows and risk-based decision-making aligned with FATF AML/CTF standards and the US Bank Secrecy Act, with a full audit trail suitable for regulatory examination.
  • GDPR (EU Regulation 2016/679): Processing is limited to publicly available on-chain data with no personal information retained, in compliance with GDPR data minimisation and purpose limitation principles.
  • SOC 2 Type II: The underlying infrastructure is SOC 2 Type II certified, with encryption in transit and at rest, providing auditable controls for customers with third-party assurance requirements.

Compliance

  • Similarity analysis methodology documented for regulatory examination and expert testimony
  • Confidence-scored results enable risk-based decision-making with configurable thresholds
  • Supports Bank Secrecy Act, AML/CTF, and FATF Travel Rule compliance workflows
  • Complete audit trail of all similarity queries, scores, and investigation decisions
  • Results suitable for enhanced due diligence documentation and compliance reporting
  • GDPR-compliant processing of public blockchain data without personal information storage
  • SOC 2 Type II certified infrastructure with encryption in transit and at rest

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
