Complete guide to bitcoin transaction analysis: from TXID to blockchain forensics

The public Bitcoin ledger is not just a database, but a powerful tool for analysis. With the right approach, every transaction can be traced from address to address. An entire industry is built on this: traders track whale movements, blockchain forensics experts recover stolen funds, and compliance departments filter out "dirty" coins. Let's break down how this works in practice — from manual analysis to automated systems.
Part 1. Manual Analysis: Basic Steps
Step 1: Finding a Transaction by TXID
Every operation on the blockchain has a unique identifier — TXID, the transaction hash. This is a 64-character string obtained by running all data through SHA-256. It cannot be forged: the slightest change in data produces a completely different hash. Essentially, it's a "receipt number" that any network node can use to find and verify the operation. You can get a TXID from your wallet or exchange history, or by entering an address into a blockchain explorer.
Step 2: Understanding the UTXO Model
Bitcoin does not store a balance as a single number. The network operates on the UTXO model: funds exist as separate "banknotes." When making a payment, such a "banknote" is spent in its entirety, and two new outputs are created in return — one for the recipient and one (the change) back to the sender. This mechanism is the foundation of blockchain forensics: a "round" payment is easily distinguishable from "fractional" change.
Step 3: Checking Confirmations and the Mempool
A transaction does not appear on the blockchain instantly. First, it enters the mempool — a queue of operations waiting to be included in a block. Miners prioritize transactions with high fees. The first confirmation appears after inclusion in a block. For small amounts, 1-2 confirmations are sufficient; for large amounts, 6 are needed. An explorer will show the status, fee, and reason for any delay in real time.
Step 4: Tracing the Coin's Path
Each input of a new transaction references a specific output from a previous one. This forms a branched network through which the movement of funds can be traced in both directions — all the way back to the coinbase transaction. An analyst steps through addresses one by one until a complete chain emerges. This reveals characteristic routes on the blockchain: a transfer to an exchange, a sum being split, or the withdrawal of stolen funds.
Part 2. Automating Analysis
Manual analysis is effective for 1-2 transactions, but thousands of transfers cannot be covered by eye. This is where automation comes to the rescue.
Step 5: API Access to Data
Programmatic access to the blockchain via node and explorer APIs is the first level of automation. REST API handles one-off requests, while WebSocket maintains a persistent connection. For mass checks, Blockchair and Bitquery with webhook support are suitable.
Step 6: Automated Analytics
Platforms like Dune and Flipside allow you to write an SQL query once and get a ready-made dashboard that updates automatically. The key difference from the manual method: the query is written once and works continuously.
Step 7: Monitoring and Alerts
The "API plus bot" combination tracks desired addresses and sends notifications about fund movements. Platforms like Arkham offer ready-made alerts, while webhooks allow you to set up your own event processing logic.
Part 3. Blockchain Forensics and Its Limits
Step 8: How Forensic Engines Work
Blockchain forensics is based on clustering addresses using heuristics. Two key ones are: "common input" (if multiple UTXOs are spent in one transaction, they are controlled by one owner) and "change address detection." On top of clustering, recognition of typical money laundering patterns — such as sum splitting or "peeling" — is added. Then comes attribution: linking clusters to real exchanges and services.
Step 9: Can Automation Be Trusted?
Automated analysis has a fundamental limitation: clustering provides a probability, not a fact. Heuristics can be wrong — for example, CoinJoin deliberately combines UTXOs from different users. The risk can be reduced using Coin Control, by choosing which UTXO to spend.
Bitcoin provides not anonymity, but pseudonymity. The result of a risk assessment is merely a basis for an analyst's decision, not a verdict. Automatic address grouping and human-verified attribution are different things: the former is a hypothesis, the latter is a conclusion.
My expert commentary: It makes sense to master on-chain analysis from the bottom up: first the explorer, then APIs and dashboards, and only then specialized tools. The deeper the tracing, the more important it is to distinguish the probable from the proven. In a world where every transaction leaves a digital footprint, the ability to read the blockchain is becoming as basic a skill as reading a balance in a banking app.