Self-Hosted Blockchain Analysis & Compliance

Privacy-First Regulatory Compliance

Self-hosted Bitcoin transaction analysis for organizations requiring compliance monitoring without third-party privacy risks or excessive costs.

Self-Hosted Compliance & Data Sovereignty

Regulatory Compliance Without Third-Party Dependencies

Companies forced to conduct blockchain analysis for regulatory compliance can now do so with complete data sovereignty:

  • No Privacy Leaks: All transaction analysis, customer data, and business intelligence remains within your infrastructure
  • Cost Reduction: Eliminate expensive licensing fees from commercial chain analysis providers
  • Data Control: Tags, memos, and transaction records never leave your systems
  • Compliance Equivalence: Achieve the same regulatory standards as commercial tools like Chainalysis, Elliptic, or TRM Labs
Public Database Integration

Import comprehensive address databases from trusted public sources:

  • Open Sanctions: Official government sanctioned entity lists for AML compliance
  • ChainAbuse: Community-maintained database of known criminal addresses
  • Public Watchlists: Publicly available address databases from security researchers
  • Bulk Import: Upload hundreds of thousands of addresses via CSV with no practical limits
Privacy Advantage: By using publicly available data sources, organizations minimize their reliance on proprietary third-party services that require sharing sensitive transaction data.

Enterprise Address Database Management

Bulk Address Import Capabilities

Organizations can upload and maintain comprehensive address databases for compliance monitoring:

  • Hundreds of Thousands of Addresses: Import massive CSV files with no practical limits from public sources
  • Open Sanctions Integration: Upload publicly available sanctioned entity databases for comprehensive AML compliance monitoring
  • ChainAbuse Database Support: Import community-maintained databases of known malicious addresses and criminal activity
  • Self-Hosted Privacy Protection: Keep all address tags, memos, and transaction records within your infrastructure without sharing with third parties
  • Custom Tagging System: Add internal labels, risk categories, sources, and detailed compliance notes
  • Real-Time Monitoring: Automatic alerts when monitored addresses appear in transaction analysis
  • Cost-Effective Compliance: Achieve equivalent functionality to expensive commercial chain analysis tools while maintaining complete data sovereignty
Privacy & Cost Advantages

Self-hosting eliminates the privacy leaks and excessive costs of third-party chain analysis services:

  • Zero Data Sharing: Customer transactions never leave your infrastructure
  • No Third-Party Fees: Eliminate expensive per-transaction or subscription costs
  • Complete Control: Set your own risk thresholds and compliance rules
  • Full Audit Trail: Complete transparency of all analysis activities and decisions
  • Regulatory Independence: Meet compliance requirements without external dependencies
Industry Use Cases for Self-Hosted Compliance
Financial Institutions

Meet AML/KYC requirements by screening customer Bitcoin transactions against sanctioned addresses without exposing sensitive customer data to external chain analysis firms.

Cryptocurrency Exchanges

Screen deposits and withdrawals against comprehensive risk databases while maintaining customer privacy and avoiding the high costs of commercial chain analysis services.

Payment Processors

Implement comprehensive compliance monitoring for Bitcoin payments while protecting merchant and customer transaction privacy from external blockchain surveillance companies.

Core Value Proposition: Privacy-First Compliance

This self-hosted solution enables companies that are legally required to perform blockchain analysis to achieve full regulatory compliance while minimizing privacy exposure and operational costs. Transaction data, customer information, and business intelligence remain completely within your infrastructure, eliminating the privacy risks and excessive fees associated with third-party chain analysis services like Chainalysis, Elliptic, or TRM Labs.

Enterprise Address Database Management: Users can upload hundreds of thousands of addresses from publicly available lists such as Open Sanctions and ChainAbuse. This allows organizations to achieve compliance equivalent to commercial chainanalysis tools without relying on third-party services that cause privacy leaks and cost substantial amounts of money. Services running this platform can self-host tags and memos for addresses and transactions they conduct with their users without sharing sensitive information with external chain analysis providers.

Table of Contents

Transaction Pattern Flags
Privacy & Behavior Flags

Analysis Overview

The Bitcoin Transaction Analyzer uses the mempool.space API to perform comprehensive blockchain analysis. Every transaction discovered during the analysis (initial transaction plus all transactions found during 3-hop network traversal) is analyzed against 9 different patterns to identify behavioral characteristics, privacy practices, and potential risks.

API Endpoints Used:
  • GET /api/tx/{txid} - Retrieve transaction details
  • GET /api/address/{address} - Get address statistics
  • GET /api/address/{address}/txs - Get address transaction history
Analysis Process:
  1. Fetch initial transaction data
  2. Check for Large CoinJoin Early Termination: If initial transaction has ≥10 inputs AND ≥10 outputs, analysis stops immediately with "Large coinjoin detected" message
  3. Analyze initial transaction against all 9 flags (structural and behavioral patterns)
  4. Extract addresses from initial transaction
  5. Trace backward through transaction inputs (3 hops maximum)
  6. Check each discovered transaction for Large CoinJoin: If ≥10 inputs AND ≥10 outputs detected, analysis stops with hop location information
  7. Analyze each newly discovered transaction against all 9 flags
  8. Trace forward through transaction outputs (3 hops maximum)
  9. Check each discovered transaction for Large CoinJoin: If ≥10 inputs AND ≥10 outputs detected, analysis stops with hop location information
  10. Analyze each newly discovered transaction against all 9 flags
  11. Check all discovered addresses against monitored address database
  12. Generate comprehensive network map and complete flag analysis report
Large CoinJoin Override: When a transaction with ≥10 inputs AND ≥10 outputs is detected at any stage (initial transaction or during 3-hop traversal), the analysis immediately terminates with a "Large coinjoin detected" message. This prevents resource exhaustion on complex mixing transactions. The system reports exactly where the large CoinJoin was found (e.g., "initial transaction", "2 hops back", "1 hop forward").
Comprehensive Analysis (Normal Cases): For transactions without large CoinJoin patterns, all 11 transaction analysis flags are applied to every transaction discovered during the network traversal, providing complete behavioral pattern analysis across the entire transaction network.

Large CoinJoin Early Termination

Analysis Override

Purpose: Immediately terminates analysis when encountering very large CoinJoin transactions (≥10 inputs AND ≥10 outputs) to prevent resource exhaustion and excessive API usage.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}

    Retrieves complete transaction details including inputs (vin) and outputs (vout).

  2. Count Inputs and Outputs

    Checks if transaction has ≥10 inputs AND ≥10 outputs (indicates very large mixing transaction).

  3. Verify CoinJoin Pattern

    Confirms transaction follows CoinJoin pattern with similar output amounts.

  4. Immediate Termination

    Analysis stops immediately, returns "Large coinjoin detected" message with hop location.

Termination Criteria:
  • ≥10 inputs AND ≥10 outputs
  • Follows CoinJoin pattern (similar output amounts)
  • Can be detected at any stage: initial transaction or during 3-hop traversal
  • Overrides all other analysis when triggered
Response Format:
{ "message": "Large coinjoin detected", "transaction_details": { "txid": "abc123...", "input_count": 15, "output_count": 15, "detected_at": "2 hops back", "discovered_at_hop": "backward_2" }, "analysis_stopped_early": true, "stop_reason": "Large CoinJoin detected 2 hops back with 15 inputs and 15 outputs" }
Location Tracking: The system precisely reports where the large CoinJoin was discovered - either at the "initial transaction" or with hop information like "1 hop back", "2 hops forward", etc.

CoinJoin Detection

Privacy Enhancement

Purpose: Identifies privacy-enhancing transactions that mix multiple inputs and outputs with similar amounts to obscure transaction trails.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}

    Retrieves complete transaction details including inputs (vin) and outputs (vout).

  2. Count Inputs and Outputs

    Checks if transaction has ≥5 inputs AND ≥5 outputs (minimum for CoinJoin mixing).

  3. Analyze Output Amounts

    Extracts all output values and calculates unique amounts.

  4. Apply CoinJoin Heuristic

    Flags as CoinJoin if: unique_amounts < total_amounts / 3

    This indicates many outputs have identical amounts (mixing characteristic).

Flagging Criteria:
  • ≥5 inputs AND ≥5 outputs
  • Less than 1/3 unique output amounts (indicates amount similarity)
  • Mutually exclusive with other pattern flags
Example: Transaction with 8 inputs, 8 outputs, and only 2 unique amounts → 2 < 8/3 (2.67) → CoinJoin detected

Batch Transaction Detection

Distribution Pattern

Purpose: Identifies transactions that distribute funds from few inputs to many outputs, typical of exchange payouts or salary payments.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}
  2. Calculate Input/Output Ratio

    Computes: ratio = input_count / output_count

  3. Apply Batch Heuristic

    Flags as batch if: ratio < 0.2 (less than 1:5 ratio)

Flagging Criteria:
  • Input/Output ratio < 0.2 (1:5 or greater distribution)
  • Indicates single source distributing to multiple recipients
Example: 2 inputs, 20 outputs → 2/20 = 0.1 < 0.2 → Batch detected Common in: Exchange withdrawals, payroll distributions, airdrops

Consolidation Detection

Collection Pattern

Purpose: Identifies transactions that combine many inputs into fewer outputs, typical of wallet cleanup or exchange consolidation.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}
  2. Calculate Input/Output Ratio

    Computes: ratio = input_count / output_count

  3. Apply Consolidation Heuristic

    Flags as consolidation if: ratio > 5 (more than 5:1 ratio)

Flagging Criteria:
  • Input/Output ratio > 5 (5:1 or greater collection)
  • Indicates combining multiple UTXOs into fewer outputs
Example: 20 inputs, 3 outputs → 20/3 = 6.67 > 5 → Consolidation detected Common in: Wallet maintenance, exchange hot wallet management

Exchange Withdrawal Detection

Institutional Source

Purpose: Identifies transactions originating from high-activity addresses, typically indicating exchange or institutional withdrawals.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}
  2. Stage 1: Check Immediate Inputs

    For each input address:

    API Call: GET /api/address/{address}

    Flags if address has >100 transactions (high activity threshold)

  3. Stage 2: Check One Hop Backward

    Get previous transaction for each input:

    API Call: GET /api/tx/{prev_txid}

    Check inputs of previous transactions for high-activity addresses

  4. Aggregate Results

    Categorizes findings by hop distance (immediate vs. one-hop-back)

Flagging Criteria:
  • Input addresses with >100 transactions (immediate or one hop back)
  • Indicates funds flowing from high-volume addresses
  • Common in exchange withdrawals, institutional transfers
Two-stage detection ensures comprehensive coverage: - Stage 1: Direct exchange withdrawal - Stage 2: Exchange → Intermediate → Target pattern

Exchange Deposit Detection

Institutional Destination

Purpose: Identifies transactions sending funds to high-activity addresses, typically indicating exchange or institutional deposits.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}
  2. Stage 1: Check Immediate Outputs

    For each output address:

    API Call: GET /api/address/{address}

    Flags if address has >100 transactions

  3. Stage 2: Check One Hop Forward

    For each output address, get spending transactions:

    API Call: GET /api/address/{address}/txs

    Then check those spending transactions' outputs for high-activity addresses

  4. Validate Spending Relationship

    Confirms transactions actually spend from the original output addresses

  5. Analyze Next-Hop Destinations

    For validated spending transactions:

    API Call: GET /api/address/{next_address}

    Check if next-hop destinations have >100 transactions

Flagging Criteria:
  • Stage 1: Immediate output addresses with >100 transactions
  • Stage 2: Next-hop destination addresses with >100 transactions
  • Indicates funds flowing to high-volume institutional addresses
  • Common patterns: exchange deposits, institutional receipts, custodial services
Two-Stage Detection Examples: Stage 1 (Direct): Transaction → Exchange address (>100 txs) Stage 2 (Indirect): Transaction → Intermediate → Exchange address (>100 txs) Both patterns trigger exchange deposit flag with hop information.

Address Reuse Detection

Privacy Risk

Purpose: Identifies transactions sending funds to previously used addresses, reducing privacy and creating linkable patterns.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}
  2. Analyze Each Output Address

    For each output address:

    API Call: GET /api/address/{address}

    Retrieves address statistics including transaction count

  3. Check Usage History

    Flags if address has >1 transaction (indicating previous use)

  4. Calculate Reuse Metrics

    Computes reuse percentage and identifies most-used addresses

Flagging Criteria:
  • Any output address with >1 historical transaction
  • Calculates reuse percentage and maximum previous usage
  • Privacy concern: enables transaction linking
Privacy Impact: Address reuse allows adversaries to: - Link multiple transactions to same entity - Track spending patterns over time - Correlate with other blockchain analysis

Rapid Payment Forwarding

Routing Behavior

Purpose: Identifies transactions where >95% of output value is quickly forwarded within 6 blocks, indicating payment routing or intermediary behavior.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}

    Requires confirmed transaction with block height

  2. Calculate Total Output Value

    Sum all output values for percentage calculations

  3. Trace Each Output Spending

    For each output address:

    API Call: GET /api/address/{address}/txs

    Find transactions that spend from this output

  4. Check Timing and Amount

    For each spending transaction:

    • Verify block height difference ≤ 6 blocks
    • Calculate spent amount from this specific output
  5. Calculate Rapid Forwarding Percentage

    Sum rapidly forwarded amounts and check if >95% of total

Flagging Criteria:
  • Transaction must be confirmed (has block height)
  • Outputs spent within 6 blocks of original transaction
  • >95% of total output value rapidly forwarded
Use Cases: Rapid forwarding indicates: - Payment routing services - Exchange hot wallet operations - Automated trading systems - Tumbling/mixing services

Suspicious Address Reuse

High Risk

Purpose: Identifies transactions sending funds to previously used addresses that had zero balance, indicating potential address recycling or surveillance evasion.

Detection Algorithm:
  1. Fetch Transaction Data
    API Call: GET /api/tx/{txid}

    Requires confirmed transaction with block height

  2. Check Output Address Usage

    For each output address:

    API Call: GET /api/address/{address}

    Verify address has >1 transaction (reused)

  3. Calculate Historical Balance

    Get complete transaction history:

    API Call: GET /api/address/{address}/txs

    Calculate balance at time of current transaction

  4. Balance Calculation Process

    For each historical transaction (before current):

    • Add amounts received by address (outputs)
    • Subtract amounts spent by address (inputs)
    • Stop at transactions after current block height
  5. Flag Zero Balance Reuse

    Flag if address was reused but had zero balance

Flagging Criteria:
  • Address has >1 historical transaction (reused)
  • Address had zero balance at time of current transaction
  • Confirmed transaction with block height
Suspicious Patterns: - Deliberately reusing emptied addresses - Potential surveillance evasion - Address recycling for obfuscation - Unusual wallet management practices

Blacklisted Address Detection

Critical Alert

Purpose: Identifies transactions involving monitored addresses flagged for suspicious activity, compliance violations, or regulatory concerns.

Detection Algorithm:
  1. Extract All Transaction Addresses

    From transaction data, collect all addresses from inputs and outputs

  2. Query Monitored Address Database
    SELECT * FROM monitored_addresses WHERE address IN (discovered_addresses) AND is_active = true
  3. Create Detailed Alerts

    For each match, record:

    • Address and associated label
    • Source of monitoring (regulatory, compliance, etc.)
    • Transaction ID and address type (input/output)
    • Hop information (distance from original transaction)
  4. Database Alert Storage

    Store alerts in database for compliance reporting and audit trails

Flagging Criteria:
  • Any address in transaction matches monitored address list
  • Monitored address must be active (not disabled)
  • Creates detailed alert with contextual information
Alert Categories: - Sanctioned addresses (OFAC, UN, etc.) - Exchange hack addresses - Darknet marketplace addresses - Fraud/scam addresses - Compliance watchlist addresses

Complete Analysis Workflow

1. Initial Transaction Analysis

All 11 transaction analysis flags are applied to the initial transaction immediately after fetching from the API.

2. Network Traversal

The analyzer performs 10 hops total:

  • 5 Backward Hops: Follow transaction inputs to trace fund origins
  • 5 Forward Hops: Follow transaction outputs to trace fund destinations
3. Comprehensive Flag Analysis

All 11 transaction analysis flags are applied to every transaction discovered during the 5-hop backward and 5-hop forward traversal:

  • Initial transaction + 5 backward hops + 5 forward hops = 11 transactions maximum
  • Each discovered transaction analyzed for all behavioral patterns
  • Comprehensive coverage of entire transaction network
4. Address Monitoring

Throughout the analysis, all discovered addresses are checked against the monitored address database.

5. Rate Limiting

All API calls include rate limiting (0.5 second delays) to respect mempool.space API limits.

6. Caching Strategy

Transaction and address data are cached during analysis to minimize API calls and improve performance.

7. Result Aggregation

All flags, alerts, and analysis data from every analyzed transaction are compiled into a comprehensive report with:

  • Flag details and triggering conditions from all discovered transactions
  • Address and transaction statistics across the entire network
  • Hop-by-hop analysis breakdown with transaction details
  • Compliance alerts and monitoring results
  • Network-wide behavioral pattern detection

This documentation covers all 11 transaction analysis flags implemented in the Bitcoin Blockchain Analyzer.
For technical support or questions, please refer to the system administrator.