DEV Community

CIPRIAN STEFAN PLESCA
CIPRIAN STEFAN PLESCA

Posted on

I Built a Free, Open-Source Blockchain Forensics Library Because AML Tools Shouldn't Cost a Fortune

πŸ•΅οΈ TL;DR β€” Blockchain forensics tools like Chainalysis and Elliptic are excellent, and completely out of reach for journalists, NGOs, students, and independent researchers. So I built an open, auditable, MIT-licensed alternative that runs entirely on your machine, explains every score it gives you, and costs exactly $0. Forever.


πŸ’Έ The Problem: Forensics for the Few

Somewhere between $14 billion and $24 billion in cryptocurrency moves through illicit addresses every single year, depending on which annual crime report you trust. Ransomware payouts, sanctions evasion, darknet proceeds, rug-pull cash-outs β€” all of it eventually needs to look "clean" before it can touch a real bank account.

The tools that can trace that laundering process? Locked behind enterprise sales calls.

🏦 Chainalysis  β†’ enterprise pricing, sales team required
🏦 Elliptic      β†’ enterprise pricing, sales team required
πŸ§‘β€πŸ’» You, an independent researcher β†’ ???
Enter fullscreen mode Exit fullscreen mode

If you're a grad student, an investigative journalist, or a two-person NGO trying to document a fraud network, your options have historically been:

  1. Undocumented scripts scraped together from five different Stack Overflow answers
  2. Nothing at all

Neither is acceptable when the stakes involve real financial crime and real victims. That gap is exactly where ofi-chain-forensics lives.


🧬 What It Actually Does

ofi-chain-forensics is a pure-Python library that performs structural analysis on blockchain transaction graphs. It does not try to unmask real-world identities β€” it looks for behavioral patterns that the research literature has associated with money laundering for over a decade.

πŸ” Click to expand: the four things it detects

Pattern What it means Real-world analogy
πŸ§… Peeling chain A large amount is gradually "peeled" through a sequence of transactions Breaking a $10,000 bill into small withdrawals over weeks
πŸ“€ Fan-out One address sends funds to an unusually large number of new addresses Splitting cash across dozens of couriers
πŸ“₯ Fan-in Many addresses converge on a single aggregation point Couriers meeting to hand off cash before a big buy
⚑ Rapid pass-through An address receives and forwards >95% of funds within minutes A pass-through mule account

On top of detection, it adds:

  • πŸ•ΈοΈ Address clustering via the Common-Input-Ownership Heuristic (Meiklejohn et al., 2013) β€” if multiple addresses sign the same transaction, they share an owner.
  • 🎯 Explainable, rule-based risk scoring β€” no black box, ever.
  • πŸ“€ Export to CSV / JSON / OFI-compatible format for direct import into threat-intel pipelines (OpenCTI/MISP-compatible).

🧠 Why "Explainable" Isn't a Buzzword Here

Most modern fraud-detection tooling reaches for a trained ML model that spits out 0.87 and calls it a day. In a domain with real legal consequences, an unexplainable score isn't just unhelpful β€” it's dangerous.

So every single point of every score comes with a plain-English reason:

CASHOUT0003: 100.0 (high)
  -> known_blacklist: +100.0 | The address appears on a list of
     addresses known to be associated with fraud/sanctions.

PEEL0003: 45.0 (moderate)
  -> rapid_passthrough: +25.0 | The address forwarded 100.0% of the
     funds in 1163s β€” possible automated layering.
  -> mixer_proximity: +20.0 | The address interacted directly (1 hop)
     with a blacklisted address.
Enter fullscreen mode Exit fullscreen mode

⚠️ This is the part I want to be loud about: no score this library produces is legal proof of anything. It's a prioritization tool for a human analyst β€” never a verdict. The docs say this explicitly, more than once, on purpose.


βš™οΈ See It Work in Under 60 Seconds

No account. No API key. No rate limit. Just clone and run:

git clone https://github.com/Ciprian-LocalPulse/ofi-chain-forensics-en.git
cd ofi-chain-forensics-en
pip install -r requirements.txt

python -m ofi_chain_forensics.cli data/sample/sample_transactions.json \
    --blacklist data/sample/sample_blacklist.txt \
    --show-clusters
Enter fullscreen mode Exit fullscreen mode

Output:

Graph built: 88 addresses, 42 transactions.

Top 15 addresses by risk score:
Address                                         Score  Level
----------------------------------------------------------------------
CASHOUT0003                                    100.00  high
CASHOUT0005                                    100.00  high
PEEL0003                                        45.00  moderate
PEEL0005                                        45.00  moderate
...
Enter fullscreen mode Exit fullscreen mode

Or use it as a library:

from ofi_chain_forensics import TransactionGraph, score_addresses, top_risk_addresses

graph = TransactionGraph.from_transactions(my_transactions)
scores = score_addresses(graph, blacklist=my_known_bad_addresses)

for s in top_risk_addresses(scores, n=10):
    print(s.address, s.score, s.risk_level)
Enter fullscreen mode Exit fullscreen mode

βœ… Built to Be Trusted, Not Just Used

  • [x] No black-box scoring β€” every weight and threshold is a plain Python dict you can read, audit, and override.
  • [x] No inflated claims β€” the docs are explicit about what it can't do (CoinJoin, well-implemented mixers, and shielded privacy coins can evade these heuristics).
  • [x] 21/21 tests passing, covering graph construction, clustering, every detector, and the scoring engine.
  • [x] Zero network calls β€” it never touches a live blockchain. You bring normalized data; it stays 100% local and auditable.
  • [x] MIT licensed β€” no tiers, no "free for personal use" asterisk, no feature paywall three commits down the line.
+ Free forever
+ Fully auditable
+ Zero telemetry
+ Runs 100% offline
- No sales call required πŸ˜‰
Enter fullscreen mode Exit fullscreen mode

🧩 Part of a Bigger Picture

ofi-chain-forensics is a companion module to Open Fraud Intelligence (OFI), a broader open-source fraud-intelligence ecosystem. Risk-scored addresses export directly into OFI's data structures β€” so the analysis doesn't live in a silo, it becomes a reusable indicator in a larger, freely accessible map of how fraud actually moves.


🀝 Contribute

This grows with contributors, not just users. Especially welcome:

  • πŸ”Œ Connectors for real data sources (Etherscan, Blockstream, your own node)
  • πŸ§ͺ New pattern detectors, backed by cited research (tests required β€” no "trust me" detectors)
  • 🌐 Support for additional networks (EVM contract/event parsing is still shallow)
  • πŸ“Š Benchmarks against labeled public datasets

Check CONTRIBUTING.md in the repo for the exact ground rules.


πŸ”— Links

Repository: https://github.com/Ciprian-LocalPulse/ofi-chain-forensics-en

If this saves you β€” or someone you know doing this kind of work on a shoestring budget β€” even a few weeks of building the same infrastructure from scratch, it's done its job. A ⭐ on the repo helps more people find it.

Top comments (0)