pip install cognis-cryptotrace
cryptotrace screen txs.json # → prioritized findings in secondsA full narrated tour — setup, the tool in action, and every demo scenario:
Real, reproducible output from the tool — runs offline:
$ cryptotrace-emit --version
cryptotrace 3.0.0$ cryptotrace-emit --help
usage: cryptotrace [-h] [--version]
{screen,cluster,taint,peel,check,sdn,feeds} ...
OFAC sanctions screening, address clustering, tainted-flow tracking +
laundering-pattern detection over a transaction list (defensive blockchain
forensics).
positional arguments:
{screen,cluster,taint,peel,check,sdn,feeds}
screen full screen: OFAC hits, taint, clusters, patterns
cluster cluster addresses into single-entity wallets
taint propagate value-weighted taint from SDN sources
peel detect peeling-chain laundering patterns
check check a single address against the SDN/actor tables
sdn list the bundled OFAC SDN crypto addresses
feeds ingest the live OFAC SDN list (catalog feed 'ofac-
sdn')
options:
-h, --help show this help message and exit
--version show program's version number and exitBlocks above are real
cryptotraceoutput — reproduce them from a clone.
Sample result format (illustrative values — run on your own data for real findings):
{
"Findings": [
{
"id": "1234567890",
"title": "Suspicious Network Traffic",
"description": "Potential malicious activity detected on network port 443.",
"created": "2023-02-20T14:30:00Z",
"modified": "2023-02-20T14:30:00Z",
"labels": ["Network", "Suspicious"],
"objects": [
{
"id": "obj1",
"type": "ip",
"value": "192.0.2.1"
},
{
"id": "obj2",
"type": "port",
"value": 443
}
]
}
]
}
-
Install the tool:
pip install cognis-cryptotrace
-
Screen a transaction list (JSON/JSONL, or
-for stdin) for OFAC sanctions hits, indirect exposure, and entity clusters:cryptotrace screen txs.json --max-hops 2
-
Check a single address or list the bundled OFAC SDN crypto addresses:
cryptotrace check 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa cryptotrace sdn
-
Read the result.
screenreports tx/address counts, clusters, sanctioned clusters, and findings by severity; add--format json,--format sarif, or-o file. Exit1when sanctioned exposure (critical/high/medium) is found,0otherwise.clustergroups addresses into single-entity wallets,taintpropagates value-weighted dirty flow from SDN sources, andpeelflags peeling-chain laundering. -
Gate / pipe. Stream transactions in and act on the result:
cat txs.jsonl | cryptotrace screen - --format json | jq '.max_severity'
- Why cryptotrace? · Features · Quick start · Live OFAC SDN feed · Example · Demos · Architecture · AI stack · How it compares · Integrations · Install anywhere · Related · Contributing
Free-tier blockchain investigator — ETH/BTC clustering + sanctions xref — without standing up heavyweight infrastructure.
cryptotrace is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.
- ✅ OFAC SDN screening (direct hits against bundled real SDN crypto wallets)
- ✅ Live OFAC SDN ingestion — refresh screening from the authoritative Treasury list, keyless, offline / air-gap deployable
- ✅ Indirect exposure by hop distance + value-weighted taint propagation
- ✅ Address clustering (common-input-ownership + change-address heuristics)
- ✅ Cluster sanctions inheritance + known-actor attribution + risk scoring
- ✅ Peeling-chain laundering-pattern detection
- ✅ Output as table · JSON · SARIF 2.1.0 (code-scanning / CI)
- ✅ Runs on Linux/macOS/Windows · Docker · devcontainer · MCP-native
- ✅ Ports in Python, JavaScript, Go, and Rust (
ports/)
pip install cognis-cryptotrace
cryptotrace --version
cryptotrace screen txs.json # OFAC + taint + clustering report
cryptotrace screen txs.json --format json # machine-readable
cryptotrace screen txs.json --format sarif # SARIF 2.1.0 for code-scanning
cryptotrace taint txs.json # value-weighted dirty-flow trace
cryptotrace peel txs.json # peeling-chain laundering pattern
cryptotrace check 0x722122df12d4e14e13ac3b6895a86e84145b6967 # single address
cryptotrace sdn # list bundled OFAC SDN addresses
cryptotrace feeds update ofac-sdn # fetch the live OFAC SDN list
cryptotrace screen txs.json --feed # screen against the LIVE SDN setThe bundled SDN table is a curated seed. The feeds layer keeps the screen
current by ingesting the authoritative US Treasury OFAC SDN list and
merging every published Digital Currency Address into the screening index —
so addresses newly designated by OFAC (and absent from the seed) become
screenable.
Real source (keyless, no API key):
| Feed id | Source | URL |
|---|---|---|
ofac-sdn |
US Treasury OFAC Specially Designated Nationals list | https://www.treasury.gov/ofac/downloads/sdn.csv |
The ingestion engine (cryptotrace/datafeeds.py,
catalog cryptotrace/data_feeds_2026.json)
is standard-library only: keyless HTTPS fetch → on-disk cache → re-serve.
cryptotrace feeds list # feeds wired into this tool
cryptotrace feeds update ofac-sdn # fetch + cache (online, once)
cryptotrace feeds get ofac-sdn # parse SDN crypto addresses
cryptotrace feeds get ofac-sdn --offline # parse from cache, no network
cryptotrace screen txs.json --feed # enrich screen with the live SDN set
cryptotrace check <addr> --feed --offline # check against cached live SDN setEvery read supports --offline (serve from cache, never touch the network).
The cache location is set with COGNIS_FEEDS_CACHE. To move the feed into a
disconnected enclave (sneakernet):
# on a connected host
cryptotrace feeds update ofac-sdn
python -m cryptotrace.datafeeds snapshot-export sdn.tar.gz
# carry sdn.tar.gz across the air gap, then inside the enclave:
python -m cryptotrace.datafeeds snapshot-import sdn.tar.gz
cryptotrace screen txs.json --feed --offline # never reaches the networkSee demos/09-ofac-feed-enrichment/ for an
end-to-end offline walkthrough. The test suite exercises the whole path against
a committed trimmed fixture with the network blocked.
$ cryptotrace screen demos/01-tornado-cash-deposit/tx_graph.json
CRYPTOTRACE report (ETH)
================================================================
Transactions analyzed : 4
Distinct addresses : 5
Findings : 5 (critical=1, high=3, medium=1)
Highest severity : CRITICAL
Findings:
[CRITICAL] ofac_direct_hit 0x722122df12d4e14e13ac3b6895a86e84145b6967 <Tornado Cash>
Address on OFAC SDN list: Tornado Cash (mixer, program CYBER2, listed 2022-08-08).
[HIGH ] ofac_indirect_exposure 0x3333... <1 hop(s)>
1 hop(s) from a sanctioned address; 100.0% tainted (39.5000 ETH dirty value).
The same run as SARIF 2.1.0 for GitHub/GitLab code-scanning:
cryptotrace screen tx_graph.json --format sarif -o cryptotrace.sarif
# → upload with github/codeql-action/upload-sarif@v3Each folder under demos/ is a self-contained, runnable scenario: a
transaction graph in the tool's real input format plus a SCENARIO.md that
explains where the data came from, the exact command, what to expect, and how
to act. Every demo is verified to actually produce its findings. Each uses a
real, publicly-documented OFAC SDN address; all other addresses are
fictional placeholders.
| Demo | Scenario | Exercises |
|---|---|---|
01-tornado-cash-deposit |
Exchange screens a customer who routed ETH through Tornado Cash | direct hit · hop grading · taint |
02-deep |
SUEX OTC layering over a BTC graph | direct + indirect + clustering |
03-lazarus-bridge-exit |
DPRK bridge-drain proceeds reach a Lazarus Group wallet | threat-actor attribution · fan-out taint |
04-peel-chain-laundering |
Funds peeled out of Hydra Market down a laundering chain | peel pattern detection |
05-clean-treasury-baseline |
Clean DAO treasury — the negative control | exit 0 · no over-flagging |
06-garantex-cashout |
Fraud proceeds cashed out into the sanctioned Garantex exchange | sink-side / hop-distance exposure |
07-cospend-cluster-taint |
Co-spend proves two wallets belong to a sanctioned entity | common-input clustering · sanctions inheritance |
08-dprk-mixer-chain |
Two chained DPRK mixers (Blender.io → Sinbad.io) | multi-source taint |
python -m cryptotrace screen demos/01-tornado-cash-deposit/tx_graph.json
python -m cryptotrace peel demos/04-peel-chain-laundering/tx_graph.json
python -m cryptotrace taint demos/08-dprk-mixer-chain/tx_graph.jsondemos/NN_name.py drive the real cryptotrace API over those same bundled
fixtures, narrate what each step means, run offline, and exit 0 — so they
double as smoke tests (tests/test_demos.py). See docs/DEMOS.md.
| # | Scenario | Audience | Exercises |
|---|---|---|---|
| 1 | 01_investigator_triage.py |
Crypto investigators / AML | analyze · direct hit · hop grading · taint |
| 2 | 02_exchange_compliance.py |
Exchanges / compliance | deposit-gate decision · exit codes · no over-flagging |
| 3 | 03_journalist_attribution.py |
Investigative journalists | entity attribution · value-weighted taint · reproducibility |
| 4 | 04_incident_response.py |
Incident response / SOC | detect_peel_chains · SARIF 2.1.0 emit |
| 5 | 05_cluster_inheritance.py |
AML / forensic analysts | clustering · common-input ownership · sanctions inheritance |
python demos/run_all.py # all five, end to end
python demos/03_journalist_attribution.py # or just oneflowchart LR
IN["tx graph<br/>JSON / JSONL / stdin"] --> P["cryptotrace<br/>OFAC · cluster · taint · peel"]
SDN[("bundled + live<br/>OFAC SDN")] --> P
P --> OUT["report<br/>table · JSON · SARIF · exit code"]
Full component breakdown and data model in docs/ARCHITECTURE.md.
cryptotrace is interoperable with every popular way of using AI:
- MCP server —
cryptotrace mcp(Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet) - OpenAI-compatible / JSON — pipe
cryptotrace screen txs.json --format jsoninto any agent or LLM - LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
- CI / scripts — exit codes + SARIF for non-AI pipelines
| Cognis cryptotrace | graphsense | |
|---|---|---|
| Self-hostable, no account | ✅ | varies |
| Single command, zero config | ✅ | |
| JSON + SARIF for CI | ✅ | varies |
| MCP-native (AI agents) | ✅ | ❌ |
| Polyglot ports (JS/Go/Rust) | ✅ | ❌ |
| Open license | ✅ COCL | varies |
Built in the spirit of graphsense/graphsense-tagpacks, re-framed the Cognis way. Missing a credit? Open a PR.
Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (cryptotrace mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.
pip install "git+https://github.com/cognis-digital/cryptotrace.git" # pip (works today)
pipx install "git+https://github.com/cognis-digital/cryptotrace.git" # isolated CLI
uv tool install "git+https://github.com/cognis-digital/cryptotrace.git" # uv
pip install cognis-cryptotrace # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/cryptotrace:latest --help # Docker
brew install cognis-digital/tap/cryptotrace # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/cryptotrace/main/install.sh | sh| Linux | macOS | Windows | Docker | Cloud |
|---|---|---|---|---|
scripts/setup-linux.sh |
scripts/setup-macos.sh |
scripts/setup-windows.ps1 |
docker run ghcr.io/cognis-digital/cryptotrace |
DEPLOY.md (AWS/Azure/GCP/k8s) |
personagraph— Identity resolution dossier — username/email/phone cross-platformmaritimeint— AIS vessel tracking & sanctions-evasion anomaly detectiongeolens— Image geolocation toolkit — EXIF, sun-shadow, OCR, reverse-searchcorpmap— Corporate structure & beneficial-ownership mapperdarkmirror— Surface-web mirror of public Tor leak-site index for brand monitoring
Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram
PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.
{} composes with the 300+ tool Cognis suite — JSON in/out and a shared
OpenAI-compatible /v1 backbone. See INTEROP.md for the
suite map, composition patterns, and reference stacks.
Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license ([email protected]). See LICENSE.