Last Updated: February 2026

Output distribution patterns – how cryptocurrency transaction values are split across receiving addresses – reveal whether funds are moving for legitimate purposes or being systematically fragmented to evade detection. In Bitcoin’s UTXO model, every transaction produces outputs that carry specific value amounts to specific addresses, and the mathematical relationships between those output values create forensic signatures that distinguish normal commerce from laundering, structuring, and automated fraud operations. When a single input of $500,000 splits into 47 outputs each valued between $9,200 and $9,900, no investigator needs machine learning to recognize what is happening.

At Crypto Trace Labs, our team analyzes output distribution patterns as a core component of blockchain forensics investigations, from tracing peel chain operations to identifying structured transactions designed to stay below regulatory thresholds. This guide explains what output distributions reveal, how to read them, and where the analysis has real limitations.

What Are Output Distribution Patterns?

Every Bitcoin transaction consumes inputs and creates outputs. When someone sends 1 BTC to pay a 0.3 BTC invoice, the transaction produces two outputs: 0.3 BTC to the recipient and approximately 0.7 BTC back to the sender as change, minus the mining fee. This is Bitcoin’s UTXO – Unspent Transaction Output – model, and it governs every transaction on the network.

Output distribution is the pattern formed by how transaction values divide across those outputs. How many outputs exist, what their relative values are, whether they follow round numbers or precise irregular amounts, and how they compare to the input values. These characteristics combine into a forensic profile for the transaction.

A simple payment produces two outputs with obvious asymmetry: one matches the purchase price, one is leftover change. A business processing payroll might produce dozens of outputs at varied but predictable amounts. Investigators read these distributions the way a forensic accountant reads a ledger – the shape tells them what type of activity produced the transaction before they trace where the funds went.

How Do Legitimate Outputs Differ From Criminal Ones?

Legitimate transactions produce output distributions shaped by real economic needs. Someone buying equipment generates a two-output transaction with a specific payment and larger change return. A business paying suppliers creates outputs matching invoice amounts – irregular, varied numbers like $4,287.50 or $12,091.33 that reflect actual prices rather than round thresholds.

UTXO patterns from legitimate users show consistent characteristics. Output values vary widely because real purchases come in unpredictable amounts. Change outputs tend to be larger than payment outputs for everyday transactions. Timing follows business hours or personal schedules. And the output count stays low – typically one to three for personal use, perhaps ten to twenty for business batch processing.

Criminal output distributions look fundamentally different because they serve a different purpose. The goal is not to pay for something. It is to move value while avoiding detection. This produces three observable distortions:

• Uniform output values – Multiple outputs of identical or near-identical amounts suggest automated splitting rather than organic payments. No legitimate business sends exactly $9,800 to 15 different addresses in a single transaction.
• Threshold-aligned amounts – Outputs clustered just below $10,000 (FINCEN reporting threshold) or just below €1,000 (EU CASP due diligence threshold) signal deliberate regulatory evasion.
• Disproportionate output counts – Transactions with 20, 50, or 100+ outputs without a corresponding business justification indicate fund dispersion for laundering purposes.

These patterns are why round-number transaction detection and layering identification have become standard components of blockchain forensic analysis.

What Do Equal Splits and Round Numbers Reveal?

Equal-value output splits are among the strongest fraud indicators in on-chain analysis because they almost never occur in legitimate commerce.

When a transaction divides $100,000 into ten outputs of exactly $10,000 each, the mathematical precision exposes automated operation. Legitimate payments do not result in equal splits across multiple recipients – invoices, salaries, and purchase prices vary. The FATF Virtual Assets Red Flag Indicators report identifies transactions involving round numbers and repetitive patterns as indicators requiring enhanced scrutiny, based on over 100 case studies from member jurisdictions.

Equal splits serve specific criminal purposes. Mixing services use equal-denomination outputs to break the link between inputs and outputs – if every output from a mixer is exactly 0.1 BTC, observers cannot determine which input funded which output based on amount alone. Research analyzing Bitcoin mixer transactions found that in 1:2 structured transactions, 97% of cases showed P2SH output amounts exceeding non-P2SH output amounts by more than fivefold, creating a detectable signature despite the mixing attempt.

Automated laundering operations use equal splits for speed. Rather than calculating varied amounts for each output, criminal software divides stolen funds into uniform portions across dozens of addresses. This efficiency comes at a forensic cost – the uniformity itself becomes evidence.

Investigators must account for legitimate equal-split scenarios, however. Exchanges processing batch withdrawals sometimes produce equal-output transactions. Mining pool distributions can generate uniform outputs. Context matters – equal splits from an exchange’s known hot wallet mean something entirely different from equal splits originating from an address that received ransomware payments.

How Do Peel Chains Manipulate Output Distribution?

Peel chains are one of the most common laundering techniques in cryptocurrency, and they produce a distinctive output distribution signature that experienced forensic teams recognize immediately.

The pattern works by repeatedly peeling small amounts from a large balance. A criminal receiving $500,000 in stolen Bitcoin creates a transaction sending $15,000 to one address while routing the remaining $485,000 to a new self-controlled address. The next transaction peels another amount – perhaps $12,000 – sending the remaining $473,000 forward. This repeats dozens or hundreds of times.

The output distribution signature is consistent: every transaction produces exactly two outputs with extreme size asymmetry. One output is small, headed toward an exchange or cash-out point. One is large, carrying the remaining balance forward. Academic research published through DFRWS confirmed that peel chain nodes show single receiving and single sending transactions, with self-change addresses linking each hop.

A single two-output transaction with size asymmetry is completely normal – that describes most Bitcoin payments. But a chain of 50 consecutive two-output transactions, each feeding the next with diminishing balances while small amounts peel off to different destinations, is not normal. The repetitive structure across sequential transactions is what transaction velocity analysis and graph mapping flag for investigation.

Crypto Trace Labs has traced peel chain operations where hundreds of hops dispersed stolen funds to exchange deposit addresses, with each peel sized between $5,000 and $15,000 to stay below exchange monitoring thresholds.

How Do Investigators Detect Structuring in Outputs?

Structuring – splitting transactions to stay below regulatory reporting thresholds – produces output patterns that are paradoxically easy to detect because the avoidance behavior itself creates a signature.

Under US regulations, financial institutions must report transactions exceeding $10,000 to FINCEN. The EU’s Transfer of Funds Regulation requires Crypto-Asset Service Providers to conduct enhanced due diligence for transactions at or above €1,000. Criminals aware of these thresholds structure their output distributions to stay just below them.

The detection logic is straightforward. When an address consistently produces outputs between $9,200 and $9,999 across multiple transactions – never exceeding $10,000 – the clustering below the threshold reveals deliberate avoidance. The statistical probability of organic transactions clustering that tightly below a regulatory limit without ever crossing it is effectively zero over a meaningful sample.

Smurfing extends this pattern across multiple actors. Rather than one address structuring its own outputs, a network of addresses each processes small amounts below thresholds. Blockchain analytics platforms including Chainalysis, Elliptic, and TRM Labs detect these network-level patterns by analyzing output distributions across address clusters rather than individual transactions.

The FATF report on virtual asset red flags identifies structuring below reporting thresholds as a primary money laundering indicator, and AML compliance teams at regulated exchanges use output pattern screening as a first-line detection mechanism.

Where Does Output Analysis Break Down?

No forensic technique is infallible, and output distribution analysis has specific limitations that investigators need to understand to avoid false conclusions.

The change output heuristic – a foundational technique that identifies which output is the sender’s change and which is the payment – carries significant error rates. Research evaluating the one-time change heuristic showed an average error rate of 92.66% in some test conditions, meaning the technique incorrectly identified the change output far more often than it got it right. When change is misidentified, the entire direction of fund tracing reverses. Chainalysis has documented how this mistake compounds across multi-hop investigations.

This is where careful change address analysis with multiple corroborating signals becomes essential rather than relying on a single heuristic.

Sophisticated criminals have also adapted. Modern laundering operations deliberately introduce randomized output values, avoiding the equal splits and round numbers that trigger detection. Some operations add noise outputs – small random amounts sent to unrelated addresses – to disguise the real destination among decoys.

CoinJoin transactions present another challenge. These privacy-enhancing transactions combine multiple users’ inputs and outputs into a single large transaction, intentionally creating equal-denomination outputs to prevent tracing. Distinguishing criminal mixing from legitimate CoinJoin privacy usage requires context beyond output distribution alone – input pattern analysis, timing data, and counterparty information all factor in.

Machine learning approaches are narrowing these gaps. Models trained on the Elliptic dataset have achieved 97.5% accuracy classifying illicit transactions. But these systems require labeled training data and struggle with novel techniques outside their training distribution. Crypto Trace Labs addresses these limitations by combining output analysis with behavioral clustering, timing correlation, and direct exchange cooperation rather than depending on any single method.

Frequently Asked Questions

Can output patterns distinguish between different types of fraud?

Yes, and this classification matters early in investigations. Ransomware operations typically show single large inputs fragmenting into smaller outputs headed toward mixing services. Investment fraud reveals gradual accumulation from many small victim payments followed by large consolidation outputs to the operator’s cash-out addresses. Recognizing which pattern is occurring helps investigators classify the crime type and allocate resources accordingly.

How do mixing services alter output distributions?

Mixing services obscure the link between inputs and outputs by producing equal-denomination outputs. A user deposits 5 BTC, and the mixer returns five separate 1 BTC outputs to different addresses after a time delay. When all outputs are identical, observers cannot match inputs to outputs based on value. However, this uniformity is itself a detectable signature that blockchain analytics platforms flag during transaction monitoring, making mixers less effective than their operators claim.

What is the difference between structuring and smurfing?

Structuring is when a single actor splits their own transactions to stay below reporting thresholds – one person sending $9,500 repeatedly instead of $19,000 once. Smurfing uses a network of individuals or addresses to achieve the same goal – ten different wallets each processing $9,500 on behalf of one operation. On-chain, smurfing is harder to detect because transactions originate from separate addresses, but coordinated timing and shared destinations reveal the network through behavioral analysis.

Do Ethereum transactions have output distributions like Bitcoin?

Ethereum uses an account-based model rather than Bitcoin’s UTXO model, so transactions do not produce explicit change outputs. An Ethereum transfer sends a specific amount from one account to another directly. However, the principle of output distribution analysis applies when examining smart contract interactions, token transfers, and multi-send transactions where a single contract call distributes funds to multiple recipients. The analytical logic translates even though the underlying data structure differs.

What FATF red flags relate to output patterns?

The FATF Virtual Assets Red Flag Indicators report identifies several output-related warning signs from over 100 case studies: transactions involving round numbers or repetitive amounts without clear business purpose, structuring below reporting thresholds, making multiple high-value transactions that immediately transfer assets to multiple service providers, and rapid fund movement with no apparent economic rationale. These indicators form the compliance screening baseline at regulated exchanges worldwide.

How reliable is automated output pattern detection?

Machine learning models trained on labeled blockchain datasets achieve accuracy rates above 97% for known illicit transaction patterns. However, these models struggle with novel laundering techniques outside their training distribution, and false positive rates vary by pattern type. Investigators use automated detection as a screening layer – flagging transactions for human review rather than drawing conclusions without manual validation and contextual analysis.

Can criminals defeat output analysis by randomizing amounts?

Sophisticated operators do randomize output values to avoid equal-split and round-number detection. However, truly random amounts still lack the economic logic of legitimate transactions – a wallet producing 30 outputs of varied but economically meaningless amounts to unrelated addresses has no plausible explanation. Randomization defeats simple threshold rules but creates statistical anomalies that behavioral analysis catches through distribution shape rather than individual values.

Seeing Suspicious Output Patterns in Your Data?

If you are investigating suspicious transaction splitting, structured fund movements, or complex output patterns in a cryptocurrency case, professional on-chain analysis can reconstruct the full picture. Whether you need forensic tracing for asset recovery, compliance evidence for regulatory proceedings, or expert analysis for litigation, our team works from the raw transaction data forward.

The team at Crypto Trace Labs brings VP and Director-level experience from Blockchain.com, Kraken, and Coinbase, with ACAMS certifications, MLRO qualifications across UK, US, and Europe, and Chartered status at Fellow Grade. We have analyzed output distribution patterns across hundreds of fraud investigations and produced court-ready forensic reports.

For non-custodial wallet recoveries, we charge no upfront fee – you only pay after successful fund recovery.

Contact Crypto Trace Labs to discuss your investigation with our forensic team.

About the Author

This guide was prepared by the blockchain forensics team at Crypto Trace Labs. Our founding members held VP and Director-level positions at Blockchain.com, Kraken, and Coinbase, bringing over 10 years of combined experience in cryptocurrency operations, on-chain analysis, and forensic investigation. Our team holds ACAMS certifications, MLRO qualifications across UK, US, and European jurisdictions, and Chartered status at Fellow Grade. We have analyzed transaction output patterns across hundreds of fraud investigations and provided expert witness testimony explaining on-chain evidence methodology in court proceedings.

This content is for informational purposes only and does not constitute legal, financial, or compliance advice. Crypto asset recovery outcomes depend on specific circumstances, regulatory cooperation, and technical factors. Consult qualified professionals regarding your situation