Behavioral Pattern Detection

Behavioral Pattern Detection analyzes on-chain transaction patterns to classify wallet behavior and identify suspicious activity such as structuring, layering, peel chains, and mixer-like patterns. These classifications feed directly into the wallet screening risk assessment.

How It Works

The platform analyzes the last 20 transactions (both native and ERC-20 transfers) for each address to compute a behavioral fingerprint. This fingerprint classifies the wallet into one of five behavior types based on its transaction patterns.

Behavior Classifications

| Type | Pattern | Threat Level | |---|---|---| | DEPOSIT_ADDRESS | Sends all funds to a single address (typically an exchange hot wallet) | SAFE | | DISTRIBUTOR | Receives from few addresses, sends to many (airdrop, payroll, or distribution) | SAFE | | DEFI_USER | Majority of transactions are ERC-20 token interactions | SAFE | | SWEEP_WALLET | Consolidates funds from many senders into a single recipient | LOW | | MIXER_SUSPECT | Receives round amounts and sends to previously unseen addresses | MEDIUM |

Each classification includes a confidence score (0–1) indicating how closely the wallet's behavior matches the identified pattern.

Analysis Criteria

The classification engine evaluates:

• Outgoing transfer concentration — How many unique recipients vs. total outgoing transactions
• Incoming transfer distribution — Number and diversity of funding sources
• Amount patterns — Round numbers, equal splits, or structured amounts below reporting thresholds
• Address novelty — Whether funds are sent to newly created or previously unseen addresses
• Token vs. native ratio — Proportion of ERC-20 transfers to native currency transfers

Supported Chains

Behavioral analysis is currently available for:

• Ethereum (ETH)
• Polygon
• Arbitrum
• Base
• Optimism
• BSC (Binance Smart Chain)
• Avalanche

How It Appears in Screening Reports

When a wallet has a behavioral classification, it appears in the screening report as:

• Entity label — The behavior type (e.g., "MIXER_SUSPECT") is shown as an entity classification
• Threat level indicator — Color-coded based on the threat level
• Confidence score — How confident the classification is
• Contributing factors — Description of which transaction patterns triggered the classification

Risk Score Impact

Behavioral classifications influence the overall risk score:

| Classification | Risk Impact | |---|---| | MIXER_SUSPECT | Increases mixer/privacy exposure factor | | SWEEP_WALLET | Minor increase to structuring risk factor | | DEPOSIT_ADDRESS | Neutral — common legitimate pattern | | DISTRIBUTOR | Neutral — common legitimate pattern | | DEFI_USER | Neutral — reduces risk from unknown entity status |

Suspicious Patterns Detected

Beyond the five primary classifications, the behavioral engine also flags specific suspicious patterns:

Structuring

Transactions deliberately broken into amounts below reporting thresholds (e.g., multiple deposits of $9,999 to avoid the $10,000 CTR requirement).

Layering

Complex chains of transfers through multiple intermediary wallets designed to obscure the origin of funds. Detected by analyzing transfer chains for rapid pass-through behavior.

Peel Chains

A technique where a large amount is sent to a wallet, a small portion is "peeled off" to a new address, and the remainder is forwarded — repeating through many hops. Creates a chain of diminishing balances.

Data Pipeline

Behavioral fingerprints are computed in batch from on-chain transaction data and stored in the Oracle PostgreSQL Entity Database. The pipeline processes CSV exports from blockchain data providers and runs continuously, with checkpoint-based resume capability for reliability.

New behavioral data is regularly incorporated into the screening platform, ensuring wallet classifications stay up to date with the latest on-chain activity.