Last Updated: February 2026
Change outputs are the forensic breadcrumbs that Bitcoin’s design forces every transaction to leave behind. When a wallet spends a UTXO worth more than the intended payment, the leftover value returns to the sender as a change output – and the patterns in that change reveal which addresses belong to the same entity. Investigators at blockchain analytics firms use six to twelve distinct heuristics to identify change outputs, and when those identifications combine with the common-input-ownership heuristic, entire wallet clusters emerge from what appeared to be unrelated addresses. Independent research published at USENIX Security 2025 confirmed clustering accuracy rates above 94% with false positive rates below 0.15%.
At Crypto Trace Labs, our forensic team applies change output analysis across hundreds of investigations – from tracing peel chain laundering operations to attributing wallets in exchange fraud cases. This guide explains the specific heuristics investigators use, how they combine to expose wallet ownership, what real cases demonstrate about their effectiveness, and where the method reaches its limits.
How Does Bitcoin’s UTXO Model Create Change?
Bitcoin does not work like a bank account where you subtract the payment amount from a balance. Every Bitcoin transaction consumes entire Unspent Transaction Outputs (UTXOs) and creates new ones. If you hold a 1.0 BTC UTXO and want to send 0.3 BTC, the transaction consumes the full 1.0 BTC input, creates a 0.3 BTC output to the recipient, and returns the remainder, less the transaction fee (approximately 0.6999 BTC), to your own wallet as change.
This mechanism is what makes change output analysis possible. The change output goes to an address the sender controls, which means it belongs in the same wallet cluster as the input address. If investigators can correctly identify which output is the payment and which is the change, they link the change address to the sender’s existing cluster – expanding the known set of addresses that entity controls.
The challenge is distinguishing payment outputs from change outputs. Both are just outputs in a transaction. Nothing in the raw blockchain data labels one as “payment” and the other as “change.” That distinction comes from heuristic analysis – pattern-based rules that exploit how wallet software constructs transactions.
Which Heuristics Identify Change Outputs?
Researchers Möser and Narayanan cataloged 26 distinct change address heuristics in their 2022 Financial Cryptography paper. In practice, blockchain forensic teams rely on six core heuristics that cover the majority of identifiable change outputs. Each exploits a different behavioral or structural pattern in how wallets create transactions.
Address type heuristic
Bitcoin supports multiple address formats – P2PKH (starting with 1), P2SH (starting with 3), P2WPKH/bech32 (starting with bc1q), and P2TR/Taproot (starting with bc1p). Most wallets send change to an address matching the format of the inputs. When all inputs are bech32 addresses and the transaction has two outputs – one bech32 and one P2SH – the bech32 output is likely change. The mismatched output is likely the payment, because the sender cannot control what address format the recipient uses.
Round number heuristic
Humans send round numbers. Automated change calculations produce irregular values. An output of exactly 0.5 BTC is more likely a deliberate payment. An output of 0.4997231 BTC is more likely the leftover after subtracting a payment and fee. Crypto Trace Labs applies this heuristic carefully alongside round-number pattern detection in money laundering investigations, where structuring operations deliberately break this assumption.
Optimal change heuristic
If the change output is smaller than the smallest input, the coin selection algorithm likely needed that input to cover the payment. If the change were larger than the smallest input, the algorithm would not have included that input – the larger inputs alone would have sufficed. This mathematical constraint identifies the smaller output as probable change in many two-output transactions.
Fresh address heuristic
Wallet software typically sends change to a newly generated address that has never appeared on the blockchain before. If one output goes to an address with prior transaction history and the other goes to a never-before-seen address, the fresh address is likely the change address.
Wallet fingerprint heuristic
Different wallet software leaves distinct fingerprints in transaction construction. Bitcoin Core sets nLockTime to the current block height for anti-fee-sniping. Electrum uses BIP-69 lexicographic ordering of inputs and outputs. Wasabi Wallet sets nVersion to 1 and nLockTime to 0. When investigators identify the wallet software from these fingerprints, they can predict change output behavior with higher confidence – because each wallet has known coin selection and change handling algorithms.
Peeling pattern heuristic
In peel chains, a transaction consistently sends a small amount to one address and the large remainder to a new address, repeating this pattern dozens or hundreds of times. The large-value output in each hop is change. The pattern is self-reinforcing – once identified, every subsequent transaction in the chain reveals its change output with near-certainty.
How heuristics combine
No single heuristic is reliable in isolation. Research from a 2024 study on BlockSci’s heuristic framework found individual true positive rates between 10% and 30%. But when multiple heuristics agree on the same output, confidence compounds. If the address type, round number, and fresh address heuristics all point to the same output as change, the probability of correct identification rises substantially. Blockchain analytics platforms like Chainalysis run hundreds of heuristics simultaneously, using both deterministic rules and machine learning to weight conflicting signals.
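As an added illustration (not code from Crypto Trace Labs or any analytics platform), the following Python example applies four of the heuristics above to two constructed two-output transactions and accepts a change label only when every heuristic that votes agrees. The placeholder addresses, the amounts, the 0.001 BTC round-number unit and the two-vote minimum are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Output:
    address: str
    value: int         # satoshis
    seen_before: bool  # address already has on-chain history

PREFIXES = (("bc1q", "p2wpkh"), ("bc1p", "p2tr"), ("1", "p2pkh"), ("3", "p2sh"))

def addr_type(addr):
    """Classify an address by the prefixes listed in the address type heuristic."""
    return next((kind for p, kind in PREFIXES if addr.startswith(p)), "unknown")

def only(indices):
    """A heuristic votes only when it singles out exactly one output."""
    return indices[0] if len(indices) == 1 else None

def change_votes(in_addrs, in_values, outputs, round_unit=100_000):
    """Map heuristic name -> index of the output it marks as change.
    round_unit (0.001 BTC) is an assumed threshold, not an industry constant."""
    in_types = {addr_type(a) for a in in_addrs}
    idx = range(len(outputs))
    votes = {
        # Change usually matches the (single) input address format.
        "address_type": only([i for i in idx if len(in_types) == 1
                              and addr_type(outputs[i].address) in in_types]),
        # Payments tend to be round; change is the irregular remainder.
        "round_number": only([i for i in idx if outputs[i].value % round_unit]),
        # Change below the smallest input (meaningful only with 2+ inputs).
        "optimal_change": only([i for i in idx if len(in_values) > 1
                                and outputs[i].value < min(in_values)]),
        # Change goes to a never-before-seen address.
        "fresh_address": only([i for i in idx if not outputs[i].seen_before]),
    }
    return {name: i for name, i in votes.items() if i is not None}

def decide(votes, min_agree=2):
    """Return the change index only if >= min_agree heuristics vote and all agree;
    None means conflicting or insufficient evidence (send to manual review)."""
    picks = set(votes.values())
    return picks.pop() if len(picks) == 1 and len(votes) >= min_agree else None

# Constructed transactions (addresses are placeholders, not real ones).
CLEAR = dict(
    in_addrs=["bc1q-in-a", "bc1q-in-b"], in_values=[40_000_000, 25_000_000],
    outputs=[Output("3-merchant", 50_000_000, True),
             Output("bc1q-new", 14_972_310, False)])
CONFLICT = dict(
    in_addrs=["bc1q-in-c", "bc1q-in-d"], in_values=[30_000_000, 12_400_000],
    outputs=[Output("bc1q-new2", 30_000_000, False),
             Output("3-known", 12_345_678, True)])
```

In the first transaction all four heuristics select output 1; in the second, address type and fresh address select output 0 while round number and optimal change select output 1, so no label is assigned.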
How Do Change Patterns Build Wallet Clusters?
Change output identification is not the end goal – it feeds into wallet clustering, the process of grouping addresses under common ownership. The investigation workflow moves through four stages.
Stage 1: Common-input-ownership. The foundational heuristic, described in the original Bitcoin whitepaper, assumes all inputs to a single transaction are controlled by the same entity – because spending requires the private key for each input address. This creates the initial cluster.
Stage 2: Change output linking. When heuristics identify a change output, the change address joins the sender’s cluster. That address may later appear as an input in a future transaction alongside other addresses – expanding the cluster further through common-input-ownership again.
Stage 3: Cluster growth. Each new change address identified opens pathways to additional transactions and additional co-spending events. A cluster that starts with 2 addresses can grow to hundreds or thousands as the entity continues transacting. Transaction graph analysis maps these growing clusters visually, revealing the full scope of an entity’s blockchain activity.
Stage 4: Entity attribution. Once a cluster reaches sufficient size, investigators cross-reference addresses against known entity databases. If any address in the cluster has been identified – through exchange KYC records, public payment addresses, or previous investigations – the entire cluster inherits that attribution. This is where change output analysis converts anonymous addresses into named entities.
At Crypto Trace Labs, we see this workflow produce results consistently across investigations involving on-chain analysis. A single correctly identified change address in a cluster of 50 addresses provides the anchor that attributes the remaining 49.
What Have Real Investigations Revealed?
Change output analysis has contributed to the largest cryptocurrency seizures and convictions in history. Three cases demonstrate the method at different scales.
Bitfinex hack – $4.5 billion recovery
When 119,756 BTC was stolen from Bitfinex in August 2016, the hackers used automated peel chains to fragment stolen funds through thousands of transactions. Each peel created a change output that investigators at Chainalysis and Elliptic tracked forward. The laundering operation moved approximately $3 million per month through darknet market Hydra, but change output clustering maintained the connection between fragmented funds and the original theft. Ilya Lichtenstein and Heather Morgan were arrested in February 2022. Lichtenstein was sentenced to 5 years in November 2024.
Silk Road – James Zhong seizure
James Zhong exploited a Silk Road vulnerability in 2012 to steal 50,676 BTC. He attempted to obscure ownership through years of transfers across multiple wallets. Change output analysis and co-spending heuristics allowed IRS Criminal Investigations to link his addresses despite the prolonged obfuscation. The resulting seizure in November 2021 – worth $3.36 billion – was one of the largest cryptocurrency seizures in history and relied on transaction input pattern analysis to connect Zhong’s wallet clusters.
Bitcoin Fog – forensic admissibility precedent
The Roman Sterlingov prosecution for operating Bitcoin Fog, a cryptocurrency mixing service, set the legal standard for blockchain forensic evidence. The judge ruled in March 2024 that Chainalysis blockchain tracing data was admissible under the Daubert standard as “the product of reliable principles and methods.” However, the case remains contested – ChainArgos filed an amicus brief in September 2025 challenging the forensic methodology as “fundamentally unscientific,” arguing that claimed zero false-positive rates are unrealistic for any analytical tool.
This ongoing legal debate matters for the entire field. Crypto Trace Labs follows the evidentiary standards closely because blockchain forensic evidence must withstand scrutiny in court proceedings – not just produce investigative leads.
What Defeats Change Output Analysis?
Investigators who understand the limitations of change output heuristics produce more reliable analysis than those who treat the method as infallible. Several technologies and techniques directly counter change detection.
CoinJoin transactions combine inputs from multiple unrelated users into a single transaction with equal-value outputs, breaking both the common-input-ownership assumption and change output identification. Crypto Trace Labs has published separate analysis on how investigators approach CoinJoin transactions. The WabiSabi protocol used in Wasabi Wallet 2.0 eliminated fixed output sizes, making CoinJoin transactions harder to distinguish from regular transfers.
PayJoin (Pay-to-Endpoint) is more dangerous to forensic analysis than CoinJoin because both the sender and recipient contribute inputs. The resulting transaction looks indistinguishable from a normal payment. Unlike CoinJoin – which creates visually distinctive transactions with many inputs and equal outputs – PayJoin transactions appear entirely ordinary. This directly undermines the common-input-ownership heuristic because the inputs genuinely belong to different entities.
Taproot, activated in November 2021, makes all output types look identical on-chain. Complex multi-signature arrangements, smart contracts, and simple payments all produce the same P2TR output format. This erodes the address type heuristic, which historically was one of the most reliable change detection methods. As Taproot adoption increases, address type matching becomes less useful for distinguishing payment from change.
Silent Payments (BIP 352) represent the newest challenge. This protocol allows recipients to publish a single static address while each payment generates a unique Taproot output. No address reuse occurs. The fresh address heuristic loses its signal because all outputs go to never-before-seen addresses – both payments and change.
Despite these countermeasures, change output analysis remains effective against the majority of cryptocurrency transactions. Privacy-enhancing technologies see limited adoption outside privacy-focused communities. Most criminal operations prioritize speed over operational security, leaving standard change patterns intact across their transaction chains.
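The four-stage clustering workflow described earlier and the CoinJoin failure mode covered in this section, as an added Python example (not code from Crypto Trace Labs or any analytics platform). The addresses A1, B1 and so on, the per-transaction change index (standing in for the result of the change heuristics), the label, and the looks_like_coinjoin guard with its threshold of three are all assumptions made for the example.

```python
def find(parent, a):
    """Union-find root lookup with path halving."""
    parent.setdefault(a, a)
    while parent[a] != a:
        parent[a] = parent[parent[a]]
        a = parent[a]
    return a

def union(parent, a, b):
    ra, rb = find(parent, a), find(parent, b)
    if ra != rb:
        parent[rb] = ra

def looks_like_coinjoin(tx, min_equal=3):
    """Hypothetical guard: several inputs and >= min_equal equal-value outputs."""
    values = [v for _, v in tx["outputs"]]
    most_common = max(values.count(v) for v in values)
    return len(tx["inputs"]) >= min_equal and most_common >= min_equal

def cluster(txs, skip_coinjoin=True):
    parent = {}
    for tx in txs:
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue                      # co-spending proves nothing here
        first = tx["inputs"][0]
        for addr in tx["inputs"]:         # Stage 1: common-input-ownership
            union(parent, first, addr)
        if tx["change"] is not None:      # Stage 2: change output linking
            union(parent, first, tx["outputs"][tx["change"]][0])
    return parent                         # Stage 3: growth happens across txs

def attribute(parent, labels):
    """Stage 4: each address inherits the label of any labelled cluster member."""
    by_root = {find(parent, a): name for a, name in labels.items() if a in parent}
    return {a: by_root.get(find(parent, a)) for a in list(parent)}

# Constructed sample data: (address, value in satoshis) outputs, change index or None.
TXS = [
    {"inputs": ["A1", "A2"],
     "outputs": [("M1", 50_000_000), ("A3", 14_972_310)], "change": 1},
    # The change address A3 is later co-spent with A4, so the cluster grows.
    {"inputs": ["A3", "A4"],
     "outputs": [("M2", 20_000_000), ("A5", 3_411_907)], "change": 1},
    # CoinJoin-like: three unrelated participants, three equal-value outputs.
    {"inputs": ["A5", "B1", "C1"],
     "outputs": [("X1", 10_000_000), ("X2", 10_000_000),
                 ("X3", 10_000_000), ("B2", 1_234_567)], "change": None},
]
LABELS = {"A4": "exchange deposit (constructed label)"}
```

With the guard on, A1 through A5 inherit the label attached to A4; with skip_coinjoin=False, B1 and C1 are wrongly merged and labelled too. The equal-output guard recognises only the classic CoinJoin shape, so WabiSabi rounds and PayJoin transactions as described above would not be caught by it.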
Frequently Asked Questions
How accurate is change output-based wallet clustering?
Independent research published at the USENIX Security Symposium in 2025 confirmed true positive clustering rates above 94% with false positive rates below 0.15% when using Chainalysis data. Individual heuristics perform much worse in isolation – a 2024 study found single-heuristic true positive rates between 10% and 30%. The accuracy comes from combining multiple heuristics and cross-referencing against known entity databases. Accuracy varies significantly by entity type, ranging from approximately 25% for mixers to 95% for darknet marketplaces.
Can change output analysis work on non-Bitcoin blockchains?
Change outputs exist on all UTXO-based blockchains including Litecoin, Bitcoin Cash, Zcash’s transparent pool, and Cardano. The same heuristics apply with minor adjustments for each chain’s address formats and transaction structures. Account-model blockchains like Ethereum do not produce change outputs in the same way, though analogous patterns exist in how smart contracts handle token transfers. Cross-chain investigations apply change output analysis on each UTXO chain independently, then connect findings through bridge transactions or exchange deposits.
What is the common-input-ownership heuristic and when does it fail?
The common-input-ownership heuristic assumes all input addresses in a single transaction belong to the same entity. It works because spending a UTXO requires the corresponding private key. The heuristic fails when multiple parties contribute inputs to a single transaction – which is exactly what CoinJoin and PayJoin are designed to do. Outside of deliberate privacy protocols, the heuristic approaches near-100% accuracy because standard wallet software does not combine inputs from different owners.
Do criminals know about change output heuristics?
Sophisticated criminal operations are increasingly aware of forensic heuristics. Some use coin control features to manually select which UTXOs to spend, avoiding multi-input transactions that trigger common-input-ownership clustering. Others route funds through mixing services or use privacy wallets with built-in CoinJoin. However, operational security is expensive and error-prone. A single transaction that violates the operator’s privacy practices can collapse months of careful obfuscation by linking a clean address back to a previously clustered entity.
How do investigators handle conflicting heuristic results?
When the round number heuristic points to one output as change but the address type heuristic points to the other, analysts evaluate the confidence level of each signal. Some heuristics carry more weight than others depending on the wallet software involved and the transaction context. Blockchain analytics platforms use weighted scoring models – and increasingly machine learning – to resolve conflicts. At Crypto Trace Labs, our analysts flag transactions with conflicting heuristics for manual review rather than accepting automated conclusions.
Is blockchain forensic evidence admissible in court?
Yes, in multiple jurisdictions. The Bitcoin Fog case in 2024 established that Chainalysis data meets the Daubert standard for scientific reliability in US federal courts. UK courts have accepted blockchain evidence in freezing injunction proceedings. However, the ongoing Bitcoin Fog appeal and the ChainArgos challenge to forensic methodology mean that admissibility standards continue to evolve. Expert witnesses must demonstrate not just the heuristic results, but explain the methodology, its limitations, and the confidence levels involved.
What tools do investigators use for change output analysis?
Commercial platforms include Chainalysis Reactor, Elliptic Investigator, and TRM Forensics – all of which apply change detection as part of their clustering engines. Open-source tools include BlockSci (from Princeton’s Center for Information Technology Policy), which implements 8+ composable heuristics, and OXT.me for visual transaction graph analysis. The choice of tool matters because each implements heuristics differently and may produce different clustering results for the same set of transactions.
About the Author
This guide was prepared by the blockchain forensics team at Crypto Trace Labs. Our founding members held VP and Director-level positions at Blockchain.com, Kraken, and Coinbase, bringing over 10 years of combined experience in cryptocurrency operations, on-chain analysis, and forensic investigation. Our team holds ACAMS certifications, MLRO qualifications across UK, US, and European jurisdictions, and Chartered status at Fellow Grade. We have applied change output heuristics in hundreds of investigations and provided expert witness testimony on wallet clustering methodologies in court proceedings.
This content is for informational purposes only and does not constitute legal, financial, or compliance advice. Crypto asset recovery outcomes depend on specific circumstances, regulatory cooperation, and technical factors. Consult qualified professionals regarding your situation.


