On-Chain Intelligence
Every transaction, every transfer, every smart contract call — it all lands on-chain, immutable and public. The question is how to read it.
On-chain intelligence is the discipline of extracting signal from the blockchain's raw transaction stream. It spans forensic analysis (tracing fund flows through mixers and bridges to identify entities and reconstruct attacks), observability (instrumenting blockchain data pipelines for production reliability), regime detection (identifying statistically distinct market environments from on-chain volume, flow, and gas patterns), and security research (mapping the exposed attack surface of blockchain infrastructure).
The tools are quantitative. Transaction graph analysis traces value through multi-hop paths, often across chains via bridge contracts. Behavioral clustering groups addresses by shared characteristics — deposit patterns, gas funding sources, temporal signatures — to de-anonymize entities. Statistical anomaly detection flags transactions that deviate from baseline behavioral distributions, surfacing exploits and unusual market activity. Regime detection models (Hidden Markov Models, structural break tests, GARCH variants) partition on-chain time series into distinct epochs with different dynamics.
This section covers the full spectrum: from building real-time blockchain data pipelines instrumented with OpenTelemetry, to demixing Tornado Cash transactions using timing and amount fingerprinting, to detecting mule accounts on live TRON transfer streams, to mapping the Shodan-exposed surface of blockchain nodes. We also cover market-level analysis — regime stationarity testing, exploit post-mortems, protocol security research, and the architectural shifts (like RIP-7212's end of EOAs) that reshape the on-chain landscape.
Research Areas
- Transaction Forensics — Fund flow tracing, address clustering, mixer demixing, exploit post-mortem analysis. Following the money across the blockchain graph.
- On-Chain Observability — Real-time data pipelines, OpenTelemetry instrumentation, monitoring and alerting for blockchain data infrastructure.
- Regime Detection — Statistical identification of market regime shifts from on-chain volume, volatility, flow, and gas data.
- Security Research — Smart contract vulnerability discovery, infrastructure attack surface mapping (Shodan, Google Dorks), chain halt post-mortems.
- Network Simulation — Transaction gossip propagation, node network topology, P2P layer analysis.
Featured Research
Using Onchain Trades to Identify Regime Changes and Stationarity of Financial Data
How to use on-chain DEX trade data to detect regime changes and test stationarity of financial time series. Covers flow-to-volume ratios, ADF tests, and how to avoid training ML models on non-stationary data.
All On-Chain Intelligence Articles
Mule Detection on Realtime TRON Streams
Structural mule detection on a live TRON transfer stream: fan-in and fan-out clusters, a causal gate that separates mules from market makers, and a 0 to 99 risk score. Includes the math and links to the deployed TRON mule detector.
Tornado Cash Intelligent Demixer: Transaction Attribution Through Behavioral Analysis
A proof-of-concept algorithm that matches Tornado Cash deposits to withdrawals using a 4-point behavioral scoring system. Demonstrates how transaction attribution can break mixer privacy guarantees.
Blockchain Data Observability: When Your Data Pipeline Goes Offline
How to build an observability pipeline for blockchain data infrastructure using OpenTelemetry. Covers metrics, logs, and traces for Solana trading bots and node operators to detect stale feeds and pipeline failures.
Google Dorks for Smart Contract Security: Finding Vulnerabilities Before They're Exploited
Using Google Dorking to find exposed smart contract vulnerabilities before attackers do. Practical search queries for auditors and security researchers, with a video walkthrough.
Hedgey Finance Exploit: Six Months Later, Lessons Learned, and Code Revamped
Six months after the Hedgey Finance exploit ($2M lost on Ethereum + Arbitrum BONUS tokens), a post-mortem on the ClaimCampaigns.sol vulnerability, what was learned, and how the code was revamped.
Four Addresses, Unlimited Authority! This Test Code Snippet Halted Polygon Nodes on Dec 18, 2025
A hard-coded test exception allowing four addresses to bypass validator rules halted Polygon Bor nodes on December 18, 2025. Analysis of the consensus failure, the patch, and what it reveals about validator set security.
The End of EOAs? How RIP-7212 Changes Everything
RIP-7212 introduces secp256r1 precompile support on Ethereum rollups, enabling hardware-backed signatures and passkey-based account abstraction. Here's what changes and why it matters.
Simulating a TRON Transaction's Gossip Trace from Public Listener IPs
A TRON transaction spreads across the network the same way a rumor spreads across a crowded room. This post takes 7,637 public TRON listener IPs from the TronScan nodemap, connects listeners within 800 km using the haversine formula, and walks a synchronous BFS wavefront outward from a synthetic Frankfurt origin — reaching 3,380 nodes in eight hops with visible geographic chokepoints and isolated islands. Covers what raw listener IPs reveal once paired with coordinates, and the random geometric graph and percolation mathematics underneath.
How to Track the Internet with Shodan API
A hands-on tutorial for using the Shodan API to query internet-connected devices, analyze network infrastructure, and understand security postures across global internet exposure data.