Training snippets

Proving vs. Inferring in Blockchain Investigations

Every blockchain investigation report blends verified facts with heuristic guesses. If you don't clearly separate the two, someone else will — and it won't go in your favor.

March 2026 · 4 min read

Most reports I review blend verifiable transaction data with heuristic inferences without clearly separating the two. That's a problem. Anyone reviewing your work only needs to show you presented an interpretation as a fact to undermine the entire report.

What counts as proof

A transaction identified by its hash is a verifiable fact. Anyone can confirm that Wallet A sent 10 ETH to Wallet B at a specific block number. That's proof.

Most investigation conclusions go further. They infer who controls a wallet, link a mixer deposit to a withdrawal, or attribute a cluster of addresses to one entity. These steps use heuristic analysis — pattern-based reasoning that produces probable associations, not certainties. The core question for every claim is simple: "Is that a fact, or your interpretation?"

The heuristic toolkit

Direct proof of ownership or intent is rarely available. We bridge the gap with heuristics:

  • Timing correlations: A deposit enters a mixer at 14:02 and a matching withdrawal at 14:07. Suggestive — but a busy mixer might process dozens of transactions in that window.
  • Amount matching: Wallet A deposits 5.23 ETH, Wallet B withdraws 5.20 ETH shortly after. Close, but fees and rounding can produce coincidences.
  • Behavioral clustering: Several wallets transact at similar times, use the same contracts, show parallel patterns. Suggests common control — but coordinated groups produce the same signature.
  • Gas funding patterns: Multiple wallets receive initial gas from the same address. One of the stronger heuristics, though not conclusive alone.

Each produces a hypothesis, not a verdict. The report must say so.

Classifying your findings

A framework I use for every claim:

  • High confidence — verified fact: Directly observable on-chain data confirmed by transaction hash.
  • Medium confidence — supported inference: Multiple heuristic indicators converge, but alternative explanations haven't been fully eliminated.
  • Low confidence — speculative lead: Single heuristic indicator or limited data. Useful for directing further investigation, not for reporting as a finding.

Tagging every claim with its category forces precision. It also gives the reader the information they need to weigh the finding appropriately.

Where reports fall apart

The most common failures:

  • A paragraph starts with a verified transaction and ends with a heuristic conclusion, with no marker showing where one became the other.
  • Writing "Wallet A is controlled by suspect X" when the evidence supports "likely controlled by, based on gas funding and timing."
  • Missing alternative explanations that someone else will raise.
  • Stating a conclusion without explaining which heuristic produced it.

The most damaging reports aren't wrong in their conclusions. They're unclear in how those conclusions are presented.
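
The classification framework and the failure modes above can be checked mechanically before a report goes out. The following Python is an added example, not the author's tooling: it tags each claim with its tier and flags inferences that are worded as fact or lack an alternative explanation. The `Claim` fields, the two-heuristic threshold for "supported inference", the hedge-word list and the sample claims are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Tier names follow the article's framework; field names and rules below are assumptions.
HIGH, MEDIUM, LOW = "verified fact", "supported inference", "speculative lead"
HEDGES = ("likely", "probably", "consistent with", "suggests")

@dataclass
class Claim:
    text: str
    tx_hashes: list = field(default_factory=list)     # on-chain evidence anyone can re-check
    heuristics: list = field(default_factory=list)    # e.g. "gas funding", "timing"
    alternatives: list = field(default_factory=list)  # explanations not yet eliminated

def classify(c: Claim) -> str:
    """Map a claim onto the three tiers by the evidence it declares."""
    if not c.heuristics:
        if not c.tx_hashes:
            raise ValueError(f"claim cites no evidence: {c.text!r}")
        return HIGH
    # Any heuristic makes the claim an inference, even if it also cites hashes.
    return MEDIUM if len(c.heuristics) >= 2 else LOW

def lint(c: Claim) -> list:
    """Return the presentation problems a reviewer would raise."""
    tier, problems = classify(c), []
    if tier == HIGH:
        return problems
    if not any(h in c.text.lower() for h in HEDGES):
        problems.append("inference worded as fact")
    if not c.alternatives:
        problems.append("no alternative explanation addressed")
    if tier == LOW:
        problems.append("speculative lead: keep as a lead, not a finding")
    return problems

def render(c: Claim) -> str:
    """Emit the claim with its tier and the basis that produced it."""
    tier = classify(c)
    basis = ", ".join(c.tx_hashes) if tier == HIGH else " and ".join(c.heuristics)
    return f"[{tier}] {c.text} (basis: {basis})"

# Constructed sample claims; the hash is a placeholder, not a real transaction.
TRANSFER = Claim("Wallet A sent 10 ETH to Wallet B.", tx_hashes=["0x<tx-hash-placeholder>"])
OVERSTATED = Claim("Wallet A is controlled by suspect X.",
                   tx_hashes=["0x<tx-hash-placeholder>"], heuristics=["gas funding", "timing"])
HEDGED = Claim("Wallet A is likely controlled by suspect X.",
               tx_hashes=["0x<tx-hash-placeholder>"], heuristics=["gas funding", "timing"],
               alternatives=["coordinated group sharing a funding address"])
```

The check only sees what the analyst declares: an interpretation entered with a hash and no heuristics would still be labelled a verified fact, so the declared evidence itself needs review.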