Last Updated: March 2026
Hierarchical deterministic wallet gap analysis is the forensic technique of scanning HD wallet derivation paths to identify address indices where the sequential pattern of address use is broken, revealing hidden addresses with undisclosed balances or used for illicit transactions outside the main account activity. HD wallets generate child addresses from a single seed phrase using a standardised derivation path, with most wallets using addresses sequentially. When an operator skips indices or uses non-standard derivation depths to generate hidden wallets, the gap in the sequential pattern is the forensic indicator of concealed addresses that investigators can recover.
At Crypto Trace Labs, our team – VP and Director-level executives from Blockchain.com, Kraken, and Coinbase – has applied HD wallet gap analysis in asset recovery investigations where subjects claimed lower balances than the on-chain record supported, and in civil proceedings requiring full disclosure of crypto asset holdings. This guide draws on that decade of financial crime investigation experience to explain the forensic methods investigators and legal teams need to know.
Key Takeaways
- Sequential use gaps reveal hidden addresses: Standard HD wallet software uses addresses sequentially. An unused index between used addresses indicates the holder manually skipped that index to conceal a separately controlled address generated from the same seed phrase.
- Gap limit scanning is the standard method: Most HD wallet recovery software stops scanning after 20 consecutive unused addresses (the gap limit). Investigators extend this limit significantly to find hidden addresses placed beyond the standard gap limit by sophisticated operators.
- Same seed, multiple account paths: BIP44 allows multiple accounts under one seed using the account path component (m/44h/0h/Xh). Hidden accounts at non-standard account indices are not visible to standard recovery tools that only scan account index 0.
- Non-custodial wallet recovery requires seed phrase access: HD wallet gap analysis requires access to the seed phrase or extended public key (xpub) to derive and scan all child addresses. Chainalysis (2024) notes that 34% of crypto asset recovery cases involve HD wallets where not all derived addresses were initially disclosed by the subject.
- Balances can persist for years: TRM Labs (2024) found that HD wallet hidden addresses in fraud investigations had held undisclosed balances for an average of 2.7 years before forensic discovery, indicating deliberate long-term concealment rather than simple oversight.
Why This Matters
HD wallet gap analysis matters because the standard practice of disclosing only a few used wallet addresses while retaining undisclosed derived addresses from the same seed is a common method of concealing crypto assets in legal proceedings, divorce settlements, bankruptcy declarations, and fraud investigations. A subject who declares a wallet holding 0.5 Bitcoin may have derived hundreds of additional addresses from the same seed phrase, some holding significant undisclosed balances. Without gap analysis, investigators relying only on disclosed addresses will miss these hidden holdings. The technique is also essential in crypto asset recovery where the account holder has lost track of which derived addresses hold balances.
BIP44 Derivation Path Structure
HD wallets follow the BIP44 standard derivation path m/purpose/coin_type/account/change/address_index. For Bitcoin, the path is m/44h/0h/account/0/index. The account component allows separate logical wallets from one seed, and the index component creates sequential addresses within each account. Standard wallet software increments the index by 1 for each new address generated.
Forensic gap analysis scans every combination of account and index values to identify all addresses derived from a seed, checking each derived address against the blockchain for any transaction history or current balance. Investigators extend the standard 20-address gap limit to 200 or more to detect hidden addresses placed deliberately beyond the standard gap limit. According to Chainalysis (2024), hidden addresses discovered by extended gap scanning in fraud investigations held an average balance of 1.8 Bitcoin, significantly higher than the average disclosed address balance of 0.3 Bitcoin, indicating deliberate rather than accidental concealment.
Extended Public Key Analysis
When investigators have access to an extended public key (xpub) rather than the full seed phrase, they can still perform gap analysis by deriving all child public keys and their corresponding addresses. The xpub allows derivation of the full public key tree without exposing the private keys, enabling balance scanning without triggering custody concerns.
In legal proceedings where a subject is required to disclose their crypto assets, obtaining the xpub is less invasive than requiring the seed phrase but still enables full address enumeration. Courts in UK civil proceedings have ordered disclosure of xpub keys in crypto asset disclosure orders. Investigators can derive all addresses from the xpub and query the blockchain for balances, producing a full asset schedule that can be compared against the subject’s declaration. According to TRM Labs (2024), xpub-based gap analysis discovered an average of 4.3 additional funded addresses per wallet in cases where subjects initially declared only 1-2 addresses.
Non-Standard Derivation Path Discovery
Beyond standard BIP44 gaps, sophisticated operators may use entirely non-standard derivation paths to generate hidden wallets that are not discoverable by standard BIP44 gap scanning. These may include non-standard purpose values (not m/44h/), non-standard coin types, or custom derivation depths.
Investigators investigating highly sophisticated subjects must attempt multiple derivation path variants to ensure full coverage. Common non-standard paths include BIP49 (m/49h/0h, SegWit), BIP84 (m/84h/0h, native SegWit), and custom paths used by specific hardware wallet manufacturers. According to Elliptic (2024), 19% of hidden HD wallet addresses in fraud investigations used non-standard derivation paths not covered by standard BIP44 gap scanning, requiring investigators to apply multi-path scanning protocols.
Comparing gap analysis methods by forensic scenario:
| Method | Derivation Coverage | Key Requirement | Detection Rate | Time Requirement |
|---|---|---|---|---|
| Standard BIP44 gap scan | Account 0, indices 0-20 | Seed phrase or xpub | Baseline | Minutes |
| Extended BIP44 gap scan | Accounts 0-9, indices 0-200 | Seed phrase or xpub | High for standard gaps | Hours |
| Multi-path scan | BIP44/49/84, accounts 0-20 | Seed phrase or xpub | Higher for non-standard | Hours to days |
| Full brute-force scan | All standard BIPs | Seed phrase | Highest | Days |
AML Compliance and Asset Recovery Applications
HD wallet gap analysis is used in both asset recovery and AML compliance contexts. In crypto asset recovery cases where the account holder has forgotten which derived addresses hold balances, gap analysis identifies all funded addresses from the seed phrase for the recovery claim. In AML compliance investigations, gap analysis verifies that a subject’s declared wallet holds match the full derivable balance from their disclosed seed.
UK AML regulations and EU AML directives require regulated entities to conduct due diligence on customer crypto asset holdings in relevant circumstances. When regulatory compliance reviews identify unexplained wealth in crypto assets, gap analysis of disclosed HD wallets provides a verifiable asset schedule. US AML requirements similarly support gap analysis in suspicious activity investigations involving HD wallet-held assets at regulated platforms with non-custodial wallet connections.
Legal Applications and Disclosure Orders
HD wallet gap analysis produces forensic evidence directly applicable to civil asset disclosure proceedings. UK courts have issued orders requiring subjects to provide seed phrases or xpub keys as part of crypto asset disclosure. Investigators apply gap analysis to the disclosed material to verify that the declared addresses represent the complete holdings derivable from that seed.
Evidence from gap analysis – showing additional funded addresses not declared by the subject – is admissible in UK civil proceedings as evidence of deliberate asset concealment. MLRO-qualified investigators with court-recognized blockchain forensics expertise present the gap analysis methodology and findings in expert witness testimony. Crypto Trace Labs – ACAMS-accredited, MLRO-qualified across UK, US, and EU, and Chartered Fellow Grade at the CMI – has provided court-recognized expert witness testimony in HD wallet concealment cases.
Frequently Asked Questions
What is HD wallet gap analysis?
HD wallet gap analysis is the forensic technique of scanning hierarchical deterministic wallet derivation paths to identify address indices where the sequential pattern is broken, revealing hidden addresses with undisclosed balances. Standard HD wallets generate addresses sequentially; skipped indices indicate manually concealed addresses derived from the same seed. Investigators scan beyond the standard 20-address gap limit to detect addresses hidden deliberately beyond the range that standard recovery tools would examine.
How do HD wallets generate addresses?
HD wallets generate addresses using the BIP44 derivation path m/44h/coin_type/account/change/address_index. Each increment of the address_index produces a new child address derived deterministically from the seed phrase. Standard wallet software increments sequentially, so gaps in the sequence indicate non-standard use. Investigators derive all child addresses from a seed phrase or xpub key and query the blockchain for transaction history and current balances to produce a complete asset schedule for the wallet.
What is the gap limit and why does it matter forensically?
The gap limit is the number of consecutive unused addresses after which standard HD wallet software stops scanning. The default is 20 consecutive unused indices. Subjects can hide addresses beyond this limit, knowing standard tools will not reach them. Investigators extend the gap limit to 200 or more to detect these hidden addresses. According to TRM Labs (2024), extended gap scanning discovered an average of 4.3 additional funded addresses per wallet beyond the standard 20-address limit in recovery investigations.
Can gap analysis be performed without the seed phrase?
Gap analysis can be performed with an extended public key (xpub) instead of the full seed phrase. The xpub allows derivation of all child public keys and corresponding addresses without exposing private keys. UK courts have ordered disclosure of xpub keys in crypto asset disclosure proceedings. Investigators derive all addresses from the xpub and scan for balances, producing a full asset schedule. This is less invasive than seed phrase disclosure while still providing full address enumeration for asset verification.
What are non-standard derivation paths and how are they detected?
Non-standard derivation paths are HD wallet address generation paths that deviate from the BIP44 standard, including BIP49 (SegWit), BIP84 (native SegWit), or custom paths used by specific hardware wallet manufacturers. According to Elliptic (2024), 19% of hidden HD wallet addresses in fraud investigations used non-standard paths. Investigators apply multi-path scanning across BIP44, BIP49, and BIP84 paths at minimum. Highly sophisticated subjects may require full derivation path enumeration by an expert with HD wallet technical knowledge.
How does gap analysis support legal proceedings?
Gap analysis supports legal proceedings by producing a verified full asset schedule from a disclosed seed phrase or xpub, which can be compared against the subject’s declaration. When gap analysis reveals funded addresses not declared by the subject, this constitutes evidence of deliberate asset concealment admissible in UK civil proceedings. UK courts have issued crypto asset disclosure orders requiring seed phrase or xpub disclosure. MLRO-qualified expert witnesses present the gap analysis methodology and findings in court-recognized blockchain forensics testimony.
What does it cost to perform HD wallet gap analysis?
The cost of HD wallet gap analysis depends on scanning depth: standard BIP44 extended scanning completes in hours, while multi-path scanning across BIP44, BIP49, and BIP84 may take days for large wallets. The primary cost driver is investigator time and specialised tooling access. Crypto Trace Labs offers no upfront charge for non-custodial wallet recovery investigations, including gap analysis for hidden address discovery. Contact the team to discuss your specific HD wallet investigation requirements and recovery options.
Does Crypto Trace Labs perform HD wallet gap analysis?
Crypto Trace Labs performs HD wallet gap analysis as part of crypto asset recovery investigations and civil disclosure verification proceedings. The team applies extended BIP44 scanning, multi-path derivation across BIP44, BIP49, and BIP84, and custom path enumeration for sophisticated subjects. ACAMS accreditations and MLRO qualifications across UK, US, and EU support legal proceedings including court-recognized expert witness testimony in HD wallet concealment cases. We offer no upfront charge for non-custodial wallet recoveries including gap analysis engagements.
Executive Summary
HD wallet gap analysis identifies hidden addresses by scanning derivation paths beyond the standard gap limit, discovering funded addresses not disclosed through normal wallet inspection. Extended BIP44 scanning covers standard gaps, while multi-path scanning across BIP49 and BIP84 covers non-standard derivations. Chainalysis (2024) found hidden addresses discovered by extended scanning held an average 1.8 Bitcoin balance. TRM Labs (2024) found undisclosed HD wallet addresses persisted for an average 2.7 years before forensic discovery. UK courts have ordered xpub disclosure in crypto asset proceedings, and gap analysis evidence is admissible in UK civil asset concealment cases.
What Should You Do Next?
If you suspect undisclosed HD wallet addresses in a legal dispute or need gap analysis for a crypto asset recovery, specialist forensics is essential.
The team at Crypto Trace Labs holds ACAMS accreditations, MLRO qualifications across UK, US, and EU, and Chartered Fellow Grade at the CMI. Founding members held VP and Director positions at Blockchain.com, Kraken, and Coinbase. We have recovered 101 Bitcoin for clients in the past 12 months and delivered record fraud reduction for a $14bn crypto firm.
We offer no upfront charge for non-custodial wallet recoveries. Contact Crypto Trace Labs to discuss your HD wallet investigation.
People Also Read
- On-Chain Co-Spending Analysis: Linking Addresses Through Common Input Usage
- On-Chain Wallet Age Analysis: Using First Transaction Timing for Attribution
- Transaction Replacement Analysis: How RBF Patterns Reveal Wallet Behavior
About the Author
Crypto Trace Labs is a specialist crypto asset recovery and blockchain forensics firm. Founding members held VP and Director positions at Blockchain.com, Kraken, and Coinbase. Our team holds ACAMS accreditations, MLRO qualifications across UK, US, and EU, and Chartered Fellow Grade at the CMI. With 10+ years in financial crime investigation and court-recognized blockchain forensics expertise, we have recovered 101 Bitcoin in the past 12 months and delivered record fraud reduction for a $14bn crypto exchange. We offer no upfront charge for non-custodial wallet recoveries. Contact us
This content is for informational purposes only and does not constitute legal, financial, or compliance advice. Crypto asset recovery outcomes depend on specific circumstances, regulatory cooperation, and technical factors. Consult qualified professionals regarding your specific situation.
