Knogin
[Developers]

Investigation Graph Visualisation

A blockchain analyst tracking a cryptocurrency theft quickly finds that the funds moved through eleven intermediate wallets before reaching an exchange. In a spreadsheet, that chain is hard to follow. In a graph, the pat

Back to All Modules
Category: InvestigationLast Updated: Feb 23, 2026
investigationreal-timecomplianceblockchain

Overview#

A blockchain analyst tracking a cryptocurrency theft quickly finds that the funds moved through eleven intermediate wallets before reaching an exchange. In a spreadsheet, that chain is hard to follow. In a graph, the path is immediate. The Graph Visualisation module makes that kind of spatial reasoning possible at enterprise scale, rendering thousands of nodes at high frame rates so investigators can explore complex transaction networks interactively rather than statically.

Designed for financial crime teams, AML analysts, and digital asset investigators, the module combines hardware-accelerated rendering with ML-powered pattern classification, temporal analysis, and forensic export tools. Networks that would take hours to analyse in tabular form become navigable in minutes.

Key Features#

  • High-Performance Rendering: Hardware-accelerated rendering engine displays large-scale graphs with thousands of nodes at sustained frame rates, with progressive loading for very large networks.
  • Interactive Navigation: Pan, zoom, select, and hover interactions with keyboard shortcuts and touch gesture support provide intuitive graph exploration across desktop and mobile devices.
  • Network Statistics Engine: Computes basic metrics (node count, edge count, density), advanced centrality measures (betweenness, closeness, eigenvector, PageRank), and risk metrics (community detection, hub identification, layering detection).
  • Entity Risk Distribution: Automated risk categorisation classifies entities into critical, high, medium, and low risk tiers with appropriate escalation and review workflows.
  • Transaction Pattern Detection: ML-powered classification identifies mixing patterns, layering patterns, rapid dispersal, and concentration behaviours with confidence scoring and recommended investigator actions.
  • Temporal Analysis: Timeline and activity tracking reveals dormant periods, active transaction bursts, and coordination patterns across related entities.
  • Bookmarking and State Preservation: Saves investigation graph states including node selection, filter settings, zoom level, pan position, analysis results, and annotations for session continuity.
  • Advanced Search and Filtering: Entity, risk, temporal, and transaction filters enable investigators to focus on specific subsets of the graph while maintaining awareness of the broader network context.
  • Multi-Format Export: Exports investigation graphs in JSON, CSV, GraphML, image (PNG/SVG), and PDF report formats for integration with external analysis tools and evidence documentation.
  • Node Type Classification: Distinguishes wallets, exchanges, services, and identified entities with visual differentiation, supporting both regulated and unregulated entity categorisation.

Use Cases#

  • Blockchain Transaction Investigation: Investigators visualise multi-hop cryptocurrency transaction flows, identifying mixing services, exchange interactions, and ultimate fund destinations through interactive graph exploration.
  • Network Risk Assessment: Risk distribution analysis across entity graphs enables compliance teams to prioritize investigation resources on the highest-risk clusters and connection patterns.
  • Pattern Recognition: Visual clustering algorithms surface illicit transaction patterns including mixing, layering, rapid dispersal, and concentration that are difficult to detect in tabular data formats.
  • Collaborative Investigation: Shared graph views with bookmarked states enable investigation teams to coordinate analysis, share discoveries, and build on each other's findings.
  • Evidence Presentation: High-resolution graph exports with annotations and risk indicators provide visual evidence documentation for regulatory filings, legal proceedings, and management briefings.
  • Temporal Behaviour Analysis: Timeline visualisations reveal activity patterns, dormancy periods, and burst transactions that indicate coordinated or evasive behaviour.

Integration#

The Graph Visualisation module integrates with the investigation platform's data pipeline, entity resolution, and case management systems. Real-time data updates flow through subscriptions, and analysis results feed into investigation reports and compliance workflows. The module supports live data integration from blockchain networks, transaction monitors, and external alert systems.

Open Standards#

  • GraphQL (June 2018 specification): All graph data queries, mutations, and real-time subscription streams are served through a typed GraphQL API, enabling interoperability with any standards-compliant GraphQL client.
  • GEXF 1.3 (Graph Exchange XML Format): Investigation graphs are exported as GEXF 1.3 XML documents, allowing direct import into graph analysis tools such as Gephi that support the open GEXF Working Group specification.
  • GraphML: Investigation graph exports interoperate with the XML-based GraphML format, permitting downstream analysis in tools and libraries that consume the GraphML graph description language.
  • STIX 2.1 / TAXII 2.1 (OASIS): Threat indicators and intelligence objects ingested or exported via STIX 2.1 bundles over TAXII 2.1 feeds are mapped into graph nodes and edges, linking investigation networks to the wider threat intelligence ecosystem.
  • WebSocket Protocol (RFC 6455): Real-time graph update subscriptions are delivered over persistent WebSocket connections, enabling live node and edge changes to be pushed to investigators without polling.
  • JSON (RFC 8259): Graph data, node properties, bookmarked investigation states, and bulk exports are all serialised as JSON, providing a lingua franca for pipeline integration and evidence preservation.
  • ISO 8601: All temporal data on nodes and edges, including transaction timestamps, activity bursts, and dormancy periods, is stored and exchanged using ISO 8601 datetime strings, ensuring unambiguous interoperability with external analysis tools.

Last Reviewed: 2026-02-23 Last Updated: 2026-04-14

Ready to Build?

Get started with our APIs or contact our integration team for support.