paint-brush
Blockchain Investigations in NTerminal - Powered by Splunk & CipherTraceby@zfinzi
1,436 reads
1,436 reads

Blockchain Investigations in NTerminal - Powered by Splunk & CipherTrace

by Zach FinziNovember 8th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

NTerminal is a data aggregation and open source intelligence tool, which allows users to index blockchain data and run their own investigations using the power of Splunk. Now partnering with CipherTrace, you can use the data to run KYC and KYT investigations on blockchain activity on the blockchain using the Splunk tool. NTerminals is now enriched with a larger attribution database, allowing for tagging of blockchain addresses with geolocations, risk scores, known entities and much more. The 3D Graph Network Topology Visualization can be used to graphically represent relationships between addresses and tagged entities.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coins Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Blockchain Investigations in NTerminal - Powered by Splunk & CipherTrace
Zach Finzi HackerNoon profile picture

NTerminal is a data aggregation and open source intelligence tool, which allows users to index blockchain data and run their own investigations using the power of Splunk (check out our intro blog post).

Now partnering with CipherTrace, you can use CipherTrace data through NTerminal for KYC and KYT investigations on blockchain activity. NTerminal is now enriched with a larger attribution database, allowing for tagging of blockchain addresses with geolocations, risk scores, known entities and much more.

In addition to this, leveraging the Splunk developer community, investigations can integrate a number of graphical visualizations empowering users to develop flexible and complex risk assessment tools. Alongside NTerminal’s natural language and financial data, users can conduct ecosystem wide investigations on the blockchain through a number of different methods.

NTerminal’s Natural Language Processing module monitors a number of law enforcement and regulatory feeds to scan for newly posted sanctions on blockchain addresses. When a new address is sanctioned by the US government, NTerminal will register this address within our attribution database, logging the date of attribution.

NTerminal Sources identifying US Sanctioned addresses

Timeline of newly sanctioned addresses by US Government.

Newly sanctioned addresses are added to NTerminal, then enriched with a number of other sources such as CipherTrace to identify the country of origin, any known abuse reports, and risk scores.

Addresses transacting with sanctioned entities following the date of sanctioning can be identified and visualized using a number of Splunk based graphical tools.

The Link Analysis visualization tool in Splunk allows users to graph directional relationships between blockchain addresses. Using time series data within NTerminal, transactions following the sanction date for a particular entity can be mapped using the Link Analysis tool.


Attribution data for US sanctioned addresses, with identified inflow and outflow addresses.

Directional relationships between addresses can identify addresses associated with a sanctioned entity, which might be used following a sanction event to relocate funds. Using the Sankey diagram the weight of these connections can be visualized for in-depth CTF and AML investigations.

Transaction flow in NTerminal using Sankey diagram and CipherTrace attribution.

Sankey diagrams can be used to identify points of exchange, convergence between distributed funds and new storage addresses for sanctioned entities.

Link analysis can be effective for not only relating new addresses to sanctioned entities but also characterizing relationships between CipherTrace risk tagged addresses. Using flagged transactions and addresses, link analysis functionality can correlate dark market participants with gambling services, risk tagged exchanges, and regulated USD markets.

Link analysis within NTerminal using CipherTrace attribution to identify bitcoin pipelines moving funds through dark markets, gambling services, high risks exchanges and regulated USD markets.

Highlighting dark market associated addresses through link analysis and CipherTrace attribution. Connected addresses can then be flagged as dark market participants and related to other tagged services.

In addition to the link analysis tool, the 3D Graph Network Topology Visualization can be used to graphically represent relationships between addresses and tagged entities by the value and quantity of transactions, CipherTrace risk scores, and associations to illicit activity. Using the same data represented above, relationships between unknown addresses with risky entities and services can be visualized and aggregated in 3 dimensional space.

Network topology of addresses with associations to dark markets and high risk exchanges. Additional addresses with associations to smart contracts and gambling services.

These graphs can be used to determine the associated risk and behavior of blockchain addresses based on proximity and connection strength to tagged entities. Graph network topology visualizations allows users and NTerminal analysts to construct risk and compliance scoring calculations based on the number and strength of connections to highlighted entities through CipherTrace.

CipherTrace cryptocurrency intelligence can also be used to display the types of entities an address transacts with, in addition to the quantity of transactions. In the following Sunburst visualization, relationships depicted in the Graph network topology visualization were displayed in relation to entity tags. The center ring refers to the set of addresses under investigation. The outer ring reflects the types of entities they transact with. This is another method within NTerminal for graphically representing the activity of a given address and for users to develop a profile around a given address.

The Sunburst visualization can also be used to follow funds, map risk based on proximity to original addresses and trace dilution/mixing of funds with other addresses and services. Using CipherTrace attribution of hack-associated blockchain entities, addresses associated with known hack events can be identified, highlighted and then traced to uncover affiliated addresses and locate stolen funds.

Sunburst diagram reflecting fund tracking and risk coloring of Hack associated addresses.

Similarly, Sankey diagrams within NTerminal can be used in tandem with CipherTrace attribution to trace transactions sequentially in order to follow the movement of funds between entities, countries, and services on the blockchain.

Use Sankey diagrams to trace the flow of transactions between addresses as they related to CipherTrace tagged hack addresses.

These investigative visualization tools enriched with CipherTrace data are brought together into one comprehensive analysis framework within NTerminal. Explore a number of KYC and KYT use cases for criminal investigations, compliance, network research and more through NTerminal's blockchain forensics suite.