
On-Chain Forensics: Advanced Wallet Clustering Techniques

How we trace exploit funds across chains using graph analysis, timing heuristics, and behavioral fingerprinting.

Ray, February 26, 2026

The Problem with Following Money On-Chain

When an exploit happens, the attacker's first move is predictable: fragment and scatter. Split funds across dozens of wallets, bridge to other chains, swap through DEXs, and wait. Traditional block explorers show you individual transactions. What you need is the full graph.

Flow Query was born from this exact need during a real investigation. We were tracing $2.3M in stolen funds that had been split across 47 wallets on 3 chains in under 6 hours.

Clustering Methodology

Behavioral Fingerprinting

Wallets controlled by the same entity exhibit patterns:

  • Gas funding: new wallets funded from a common source
  • Timing patterns: transactions submitted within narrow time windows
  • Nonce sequences: sequential nonces suggesting automated tooling
  • Token interaction overlap: interacting with the same obscure contracts

```typescript
type TransactionHash = string;

interface ClusterSignal {
  type: 'gas_funding' | 'timing' | 'nonce' | 'interaction';
  confidence: number; // 0-1
  wallets: [string, string]; // pair
  evidence: TransactionHash[];
}

// Relative weight per signal type; the values here are placeholders, the post does not state them
const SIGNAL_WEIGHTS: Record<ClusterSignal['type'], number> = {
  gas_funding: 0.4, timing: 0.2, nonce: 0.25, interaction: 0.15,
};

function groupBy<T, K extends string>(items: T[], key: (item: T) => K): Record<K, T[]> {
  return items.reduce((acc, item) => {
    (acc[key(item)] = acc[key(item)] || []).push(item);
    return acc;
  }, {} as Record<K, T[]>);
}

function computeClusterScore(signals: ClusterSignal[]): number {
  // Weighted confidence with diminishing returns per signal type
  const byType = groupBy(signals, s => s.type);
  return Object.entries(byType).reduce((score, [type, sigs]) => {
    const weight = SIGNAL_WEIGHTS[type as ClusterSignal['type']];
    const typeScore = 1 - Math.pow(0.5, sigs.length); // diminishing returns
    return score + weight * typeScore;
  }, 0);
}
```
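As an added example (not code from the original post or from Flow Query), here is how three of the signals above, gas funding, nonce sequences and timing, can be derived from raw transactions and combined into a per-wallet-pair score using the same diminishing-returns rule. The transaction shape, the weights and the 30-second window are assumptions, and the transactions are constructed.

```typescript
type Tx = { hash: string; from: string; to: string; nonce: number; ts: number };
type SignalType = 'gas_funding' | 'timing' | 'nonce';
interface Signal { type: SignalType; wallets: [string, string]; evidence: string[] }
const WEIGHTS: Record<SignalType, number> = { gas_funding: 0.4, timing: 0.3, nonce: 0.3 }; // assumed values
const TIMING_WINDOW = 30; // seconds; assumed threshold
const pairKey = (a: string, b: string): [string, string] => (a < b ? [a, b] : [b, a]);

// Constructed sample: FUNDER seeds A, B, C with consecutive nonces; the three then hit a DEX seconds apart; D is unrelated.
const SAMPLE_TXS: Tx[] = [
  { hash: 'h1', from: 'FUNDER', to: 'A', nonce: 10, ts: 1000 },
  { hash: 'h2', from: 'FUNDER', to: 'B', nonce: 11, ts: 1030 },
  { hash: 'h3', from: 'FUNDER', to: 'C', nonce: 12, ts: 1065 },
  { hash: 'h4', from: 'A', to: 'DEX', nonce: 0, ts: 1200 },
  { hash: 'h5', from: 'B', to: 'DEX', nonce: 0, ts: 1205 },
  { hash: 'h6', from: 'C', to: 'DEX', nonce: 0, ts: 1211 },
  { hash: 'h7', from: 'D', to: 'DEX', nonce: 57, ts: 9000 },
];

function extractSignals(txs: Tx[]): Signal[] {
  const out: Signal[] = [];
  const emit = (type: SignalType, w: string, v: string, a: Tx, b: Tx) =>
    out.push({ type, wallets: pairKey(w, v), evidence: [a.hash, b.hash] });
  // Gas funding and nonce: compare each wallet's first inbound transfer pairwise.
  const firstIn: Record<string, Tx> = {};
  for (const tx of txs.slice().sort((x, y) => x.ts - y.ts)) if (!firstIn[tx.to]) firstIn[tx.to] = tx;
  const funded = Object.keys(firstIn).map(w => firstIn[w]);
  for (let i = 0; i < funded.length; i++) for (let j = i + 1; j < funded.length; j++) {
    const a = funded[i], b = funded[j];
    if (a.from !== b.from) continue;                  // different funding source: no signal
    emit('gas_funding', a.to, b.to, a, b);
    if (Math.abs(a.nonce - b.nonce) === 1) emit('nonce', a.to, b.to, a, b); // adjacent nonces: one scripted batch
  }
  // Timing: distinct senders whose transactions land within TIMING_WINDOW of each other.
  for (let i = 0; i < txs.length; i++) for (let j = i + 1; j < txs.length; j++) {
    const a = txs[i], b = txs[j];
    if (a.from !== b.from && Math.abs(a.ts - b.ts) <= TIMING_WINDOW) emit('timing', a.from, b.from, a, b);
  }
  return out;
}
// Per-pair score: each type contributes weight * (1 - 0.5^n), so repeated evidence of one type saturates.
function scorePairs(signals: Signal[]): Record<string, number> {
  const scores: Record<string, number> = {};
  for (const s of signals) {
    const key = s.wallets.join('|'), sigs = signals.filter(x => x.wallets.join('|') === key);
    scores[key] = (Object.keys(WEIGHTS) as SignalType[]).reduce(
      (acc, t) => acc + WEIGHTS[t] * (1 - Math.pow(0.5, sigs.filter(x => x.type === t).length)), 0);
  }
  return scores;
}
```

On the sample, A/B and B/C each collect all three signal types and score 0.5, A/C (non-adjacent funder nonces) scores 0.35, and D is linked to nothing, which is the shape an investigator wants before expanding a cluster.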

Cross-Chain Tracing

Bridges are the attacker's best friend — and our biggest challenge. When funds move from Ethereum to Solana via Wormhole, the on-chain link is:

  1. Lock tx on source chain → VAA (Verifiable Action Approval) → Mint tx on destination
  2. The VAA contains enough metadata to link both sides
  3. But attackers use intermediary wallets on each side

We maintain a mapping of bridge contract events across 8 chains. When we detect a bridge deposit, we scan the destination chain for matching mints within a time window, then apply our clustering heuristics to link the destination wallet to the attacker's cluster.

Graph Visualization

Raw transaction data is useless without visualization. Flow Query renders wallet clusters as force-directed graphs where:

  • Node size = total volume
  • Edge thickness = transaction count between wallets
  • Color = chain (blue for Ethereum, green for Solana, purple for Arbitrum)
  • Clusters are visually grouped using community detection algorithms

Investigators can click any node to see the full transaction history, expand connected wallets, and annotate the graph with findings.

Case Study: DEX Exploit Tracing

In a recent engagement, we traced funds from a flash loan exploit through:

  1. Initial split: 1 wallet → 12 wallets (Ethereum)
  2. DEX swaps: ETH → USDC via 4 different DEXs
  3. Bridge: USDC bridged to Arbitrum and Solana
  4. Consolidation: 3 weeks later, funds consolidated into 2 wallets
  5. CEX deposit: Final deposit to a centralized exchange

Total tracing time: 4 hours. Manual analysis estimate: 2-3 weeks.

Conclusion

On-chain forensics is an arms race. Attackers get more sophisticated, but so do our tools. The key insight is that humans are creatures of habit — even sophisticated attackers leave behavioral fingerprints that clustering algorithms can detect.