
Issue 3: Peel Chains

January 16, 2026 · 11 min read

Introduction

If I had to name the single most common structural pattern in Bitcoin laundering operations, it would be the peel chain. In my thesis research, analyzing over 900 days of transaction data, peel chains appeared in approximately 33.2% of traced laundering flows, more than any other identifiable pattern. Yet here is the uncomfortable truth: this same structure appears in countless legitimate transactions every day.

The peel chain is deceptively simple. One input becomes two outputs, with most of the value flowing in one direction and a small amount diverted to the other. Repeat this fifteen, twenty, or fifty times, and you have a classic fund extraction pattern. The logic is intuitive: maintain the bulk of your funds while gradually siphoning off portions to different destinations.

What makes peel chains both powerful for investigators and problematic for analysis is their dual nature. They are simultaneously one of the most reliable indicators of structured fund movement and one of the easiest patterns to mistake for ordinary wallet behavior. In this issue, I aim to explore exactly what a peel chain is, how to detect one, and—critically—where this detection method breaks down.

The Pattern Defined

A peel chain is a sequence of transactions where each transaction has exactly one input and two outputs, with a consistent asymmetric value distribution between outputs. The term "peel" captures the iterative stripping behavior: a large amount enters, a small amount is peeled off, and the remainder continues to the next transaction.

Formal definition:

  • Input count = 1
  • Output count = 2
  • Value ratio between outputs is asymmetric (typically 90:10 to 99:1)
  • Pattern repeats across 3+ consecutive transactions
  • The larger output of each transaction becomes the input of the next

The underlying logic explains why this pattern exists. When an actor wants to extract funds gradually—whether for legitimate business payments, privacy, or illicit purposes—peeling offers several advantages. The bulk of funds remains under control at all times. Each extraction can go to a different destination. The pattern does not require pre-planning; it can continue indefinitely as needed.

Academic documentation of peel chains traces back to early blockchain analysis work. Ron and Shamir (2012) identified "long chains" in their quantitative analysis of the Bitcoin transaction graph, noting chains of sequential transactions that suggested structured fund movement. Meiklejohn et al. (2013) formalized the observation that certain transaction patterns exhibited "layering" behavior consistent with money laundering typologies from traditional finance.

The analogy to physical currency peeling is apt. Imagine holding a stack of hundred-dollar bills and repeatedly pulling off a few bills to pay for something while keeping the stack intact. Each peel is a separate transaction, but the stack—the main fund—persists through the chain.

What makes this pattern analytically interesting is its relationship to the change-output problem I will cover in a future issue. In a standard payment, one output represents the payment, and the other represents change returned to the sender. A peel chain exploits this exact structure: the "payment" is the peeled amount, and the "change" is the continuing fund that feeds the next transaction.

How to Apply It

Detecting peel chains requires looking beyond individual transactions to identify sequential patterns. Here is my step-by-step approach:

Step 1: Identify candidate transactions

Start by filtering for transactions with the basic structural signature:

  • Exactly 1 input
  • Exactly 2 outputs
  • Neither output is provably unspendable (OP_RETURN)

This initial filter will return millions of transactions—most Bitcoin transactions fit this structure. The pattern emerges only when we examine sequences.

Step 2: Calculate output asymmetry

For each candidate transaction, compute the ratio between the larger and smaller output values. I typically use the formula:

asymmetry_ratio = larger_output / (larger_output + smaller_output)

A ratio above 0.90 (90:10 split) suggests potential peel behavior. Ratios above 0.95 (95:5) are stronger signals. In my research dataset, confirmed peel chains averaged 0.94 asymmetry, though legitimate change transactions often fall in the same range.

Step 3: Chain traversal

This is where detection becomes meaningful. Starting from a transaction of interest:

  1. Identify the larger output (the "continuing" output)
  2. Find the transaction that spends this output
  3. Check if that transaction also matches the 1-input, 2-output, asymmetric structure
  4. Repeat until the pattern breaks or terminates

I consider a sequence a peel chain when it extends for at least 3-5 consecutive transactions meeting all criteria. In practice, laundering-related peel chains I have analyzed typically run 10-50 transactions, with some extending over 100.

Step 4: Analyze termination points

Where a peel chain ends often reveals intent. Common termination patterns include:

  • Deposit to a known exchange address (suggesting cash-out)
  • Split into a distribution pattern (funds dispersing to multiple destinations)
  • Consolidation with other inputs (breaking the single-input signature)
  • Entry into a mixing service

In TrailBit's Pattern Intelligence dashboard, the peel chain detector automates steps 1-3 and flags chain length, average asymmetry ratio, and termination type. When I identify a suspected laundering cluster, I first examine whether the graph displays the characteristic "spine" structure—a linear sequence of transactions with small branches peeling off at regular intervals.

Step 5: Cross-reference with timing

Peel chains created by automated systems often exhibit consistent inter-transaction timing, with each hop occurring within minutes or at regular intervals. Human-driven peel chains tend to show irregular timing. This is not definitive, but the consistency of timing raises my confidence that I am looking at programmatic behavior rather than coincidental wallet activity.
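Steps 1 through 5 as a small traversal over a constructed transaction graph. This is an added example, not TrailBit's detector or code from my research; the graph layout, field names, the "nulldata" script label for OP_RETURN outputs, and the coefficient-of-variation timing score are assumptions made for illustration. Exchange and mixer terminations need entity labels, so the example reports only structural termination types.

```python
from statistics import mean, pstdev

# Constructed sample graph (not real chain data). Each output is
# (value_sat, spending_txid, script_type); "nulldata" marks OP_RETURN.
TXS = {
    "t1": {"n_in": 1, "time": 0, "outs": [(950_000_000, "t2", "p2wpkh"), (50_000_000, None, "p2wpkh")]},
    "t2": {"n_in": 1, "time": 14_400, "outs": [(40_000_000, None, "p2pkh"), (910_000_000, "t3", "p2wpkh")]},
    "t3": {"n_in": 1, "time": 50_400, "outs": [(870_000_000, "t4", "p2wpkh"), (40_000_000, None, "p2sh")]},
    "t4": {"n_in": 1, "time": 72_000, "outs": [(830_000_000, "t5", "p2wpkh"), (40_000_000, None, "p2wpkh")]},
    "t5": {"n_in": 3, "time": 90_000, "outs": [(900_000_000, None, "p2wpkh")]},
}

def asymmetry(tx):
    """Steps 1-2: larger / (larger + smaller) for a 1-in-2-out tx, else None."""
    outs = tx["outs"]
    if tx["n_in"] != 1 or len(outs) != 2:
        return None
    if any(kind == "nulldata" for _, _, kind in outs):
        return None
    values = [value for value, _, _ in outs]
    return max(values) / sum(values) if sum(values) > 0 else None

def trace_peel_chain(txs, start, min_ratio=0.90, min_len=3):
    """Step 3: follow the larger output while every hop keeps the peel shape."""
    hops, ratios, txid = [], [], start
    while txid in txs and txid not in hops:
        ratio = asymmetry(txs[txid])
        if ratio is None or ratio < min_ratio:
            break
        hops.append(txid)
        ratios.append(ratio)
        txid = max(txs[txid]["outs"], key=lambda out: out[0])[1]
    if len(hops) < min_len:
        return None
    # Step 4 (structure only): classify the transaction that ended the spine.
    nxt = txs.get(txid)
    if nxt is None:
        end = "unspent" if txid is None else "outside dataset"
    elif nxt["n_in"] > 1:
        end = "consolidation"
    else:
        end = "distribution" if len(nxt["outs"]) > 2 else "pattern break"
    # Step 5: coefficient of variation of hop gaps; near 0 means regular timing.
    gaps = [txs[b]["time"] - txs[a]["time"] for a, b in zip(hops, hops[1:])]
    timing_cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
    return {"hops": hops, "avg_asymmetry": round(mean(ratios), 4),
            "termination": end, "timing_cv": timing_cv}
```

Calling trace_peel_chain(TXS, "t1") returns a four-hop spine that ends in a consolidation, with irregular hop timing.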

Where It Breaks

This is the section I wish every blockchain analysis course emphasized more heavily. Peel chain detection has significant failure modes that, if ignored, lead to false accusations and wasted investigative resources.

False positive: Normal change-making transactions

The most common failure mode is misidentifying routine wallet behavior as suspicious. When you pay 0.05 BTC from a wallet holding 1.0 BTC, your wallet creates a transaction with two outputs: 0.05 to the recipient and approximately 0.95 back to yourself as change. If you make another payment tomorrow from that change output, you have created a two-transaction "peel chain" that is entirely innocent.

HD wallets compound this problem. Modern wallets generate new addresses for each change output, so even legitimate sequential payments create address chains that structurally resemble those used in laundering patterns. The pattern is the same; only the intent differs—and intent is not visible on-chain.

The ratio threshold problem

What asymmetry ratio defines a peel chain? I mentioned 90:10 as a starting threshold, but this is arbitrary. A business making regular small payments from a large treasury will naturally produce highly asymmetric transactions. A person paying rent from their savings does the same. There is no ratio that cleanly separates "suspicious" from "normal."

In my research, I found confirmed laundering peel chains with ratios as low as 85:15 and legitimate payment chains with ratios above 98:2. The ratio is a signal, not a classifier.

Sophisticated actors deliberately vary ratios

Attackers aware of peel chain detection introduce variation. Instead of consistent 95:5 splits, they might alternate between 92:8, 96:4, and 89:11. Some inject occasional 2-input or 3-output transactions to break the structural signature while maintaining the same overall fund flow. These "noisy" peel chains require more sophisticated detection that looks at aggregate flow direction rather than strict structural matching.
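One way to read "aggregate flow direction", shown as an added example rather than my production detector or TrailBit's code: follow whichever output carries most of each transaction's value, regardless of input and output counts, and compare the result with what the rigid rule matches. The sample graph, the field names and the 0.85 share threshold are assumptions made for illustration.

```python
from itertools import takewhile

# Constructed sample (not real chain data): outputs are (value_sat, spending_txid).
# Ratios vary per hop; n2 adds a second input and n4 a third output.
NOISY = {
    "n1": {"n_in": 1, "outs": [(920_000_000, "n2"), (80_000_000, None)]},
    "n2": {"n_in": 2, "outs": [(890_000_000, "n3"), (35_000_000, None)]},
    "n3": {"n_in": 1, "outs": [(792_000_000, "n4"), (98_000_000, None)]},
    "n4": {"n_in": 1, "outs": [(700_000_000, "n5"), (50_000_000, None), (42_000_000, None)]},
    "n5": {"n_in": 1, "outs": [(672_000_000, None), (28_000_000, None)]},
}

def dominant(tx):
    """Largest output as (share of total output value, value, spending txid)."""
    value, spender = max(tx["outs"], key=lambda out: out[0])
    total = sum(v for v, _ in tx["outs"])
    return (value / total if total else 0.0), value, spender

def is_strict_peel(tx, min_ratio=0.90):
    """The rigid rule: exactly 1 input, 2 outputs, ratio at or above threshold."""
    return tx["n_in"] == 1 and len(tx["outs"]) == 2 and dominant(tx)[0] >= min_ratio

def trace_flow(txs, start, min_share=0.85):
    """Follow the dominant output regardless of input and output counts."""
    spine, side_outputs, kept, txid = [], 0, 0, start
    while txid in txs and txid not in spine:
        share, value, spender = dominant(txs[txid])
        if share < min_share:
            break
        spine.append(txid)
        side_outputs += len(txs[txid]["outs"]) - 1
        kept, txid = value, spender
    if not spine:
        return None
    entered = sum(v for v, _ in txs[spine[0]]["outs"])
    # How far the rigid rule gets before the first noisy hop stops it.
    strict_prefix = len(list(takewhile(lambda t: is_strict_peel(txs[t]), spine)))
    return {"spine": spine, "strict_prefix": strict_prefix,
            "side_outputs": side_outputs, "retained": round(kept / entered, 3)}
```

On this sample the rigid rule stops after one hop, while the flow trace recovers all five hops and six side outputs. The looser match also admits more ordinary payment chains, so it sharpens the false-positive problem described above rather than solving it.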

Legitimate business operations

Payroll processors, payment services, and treasury management operations often produce peel-chain-like patterns. A company paying contractors might process payments sequentially from a single source address, creating a chain of 1-in-2-out transactions that is operationally legitimate. Without off-chain context, this is indistinguishable from laundering.

Multi-chain obfuscation

Sophisticated actors move funds across blockchain boundaries. They might run a short peel chain on Bitcoin, bridge to Ethereum, execute transactions there, bridge back, and continue peeling. Each chain segment, when viewed in isolation, appears unremarkable. Only cross-chain analysis reveals the full pattern, and cross-chain analysis introduces its own uncertainty about address linkage.

The chain length problem

How long must a chain be to warrant suspicion? A 3-transaction chain might be someone paying for three things in a week. A 30-transaction chain suggests a more deliberate structuring approach. But I have seen legitimate cold-wallet withdrawals create 20+ transaction chains as a security practice (limiting exposure per transaction). The length threshold, like the ratio threshold, is a dial without an objectively correct setting.

Intentional pattern mimicry

Privacy-conscious users who want to avoid clustering sometimes deliberately create peel-chain-like structures when making legitimate payments. Their goal is to maintain plausible deniability—if their transaction pattern appears to be a peel chain, it also resembles normal payment behavior, making attribution more difficult. This is not evasion of the law; it is exercising the same privacy that cash provides.

Visual Example

Let me walk through a hypothetical peel chain that illustrates the pattern and its ambiguity.

Imagine I am tracing a transaction flagged for investigation. The source address received 10.0 BTC from a suspected illicit source. In TrailBit's transaction graph, I trace forward and see the following chain:

Transaction 1: 10.0 BTC in → 9.5 BTC + 0.5 BTC out (5% peel)

Transaction 2: 9.5 BTC in → 9.1 BTC + 0.4 BTC out (4% peel)

Transaction 3: 9.1 BTC in → 8.7 BTC + 0.4 BTC out (4% peel)

Transaction 4: 8.7 BTC in → 8.3 BTC + 0.4 BTC out (5% peel)

...continuing for 18 total transactions...

Transaction 18: 3.2 BTC in → 2.9 BTC + 0.3 BTC out (9% peel)

Transaction 19: 2.9 BTC in → deposited to known exchange cluster

The visualization in TrailBit shows this as a "spine" with small branches—the main fund flowing left to right with regular offshoots. The peeled amounts (the small branches) go to 18 different addresses, none of which appear in known entity databases.

The pattern metrics:

  • Chain length: 19 transactions
  • Average asymmetry: 95.2%
  • Time span: 6 days
  • Inter-transaction timing: 4-12 hours (irregular)
  • Termination: Exchange deposit

This pattern is consistent with structured extraction and exchange cash-out. However, I must acknowledge what I do not know: whether those 18 peeled amounts represent payments to vendors, bribes, personal expenses, or something else entirely. The pattern suggests that funds were systematically extracted; however, it does not reveal the reason.

When presenting this analysis, I describe the structural evidence without overclaiming its significance. The peel chain pattern with exchange termination is consistent with layering behavior; however, alternative explanations—such as a trading operation managing positions or a business making sequential payments—cannot be ruled out based solely on on-chain data.

Open Questions

Several questions about peel chain analysis remain underexplored, and I would welcome input from researchers working on these problems.

Optimal detection thresholds: What combination of chain length, asymmetry ratio, and timing consistency maximizes true positive rate while minimizing false positives? The thresholds I use (5+ transactions, >90% asymmetry) are empirically derived from my dataset but may not be applicable in a general context. Systematic threshold optimization against labeled datasets would advance the field.

Distinguishing intent from structure: Can we develop heuristics that separate malicious peel chains from coincidental patterns? Potential signals include: correlation between peel amounts and known service fees, relationship between peeled addresses and the source cluster, and behavioral analysis of how peeled funds are subsequently used. None of these is conclusive, but combined signals might improve confidence scoring.

Machine learning versus rule-based detection: Current peel chain detectors are largely rule-based. ML approaches could potentially learn subtler patterns—such as irregular ratios, timing signatures, and address reuse behavior—that rules miss. However, labeled training data is scarce, and the class imbalance (vastly more legitimate chains than laundering chains) creates challenges.

Integration with clustering: How should peel chain detection interact with CIOH clustering? A peel chain creates new addresses at each step, but if those addresses are later consolidated with others, clustering can retroactively link them. The interplay between sequential pattern detection and clustering-based entity resolution deserves more attention.

Minimum chain length for confidence: At what chain length does structural evidence become meaningful? I have argued that 3-5 transactions is a minimum, but longer chains increase confidence non-linearly. Quantifying this relationship—perhaps through Bayesian analysis of chain length versus posterior probability of structured activity—would provide investigators with better calibrated confidence scores.

These are not purely academic questions. Every threshold choice affects who gets investigated and who does not. Getting peel chain detection right is crucial for both detecting actual financial crime and preventing false accusations against legitimate users.


Geo Nicolaidis

Builder, TrailBit.io
