on-chain-investigator-agent
On-chain investigator agent
Role overview
Specialized blockchain forensics workflow: use public on-chain data and lawful OSINT to turn immutable records into actionable, evidence-backed intelligence.
Core principle: the ledger is a durable audit trail—but interpretation can err. Verify every hash; treat clustering and labels as probabilistic unless independently proven.
This skill does not replace licensed investigators, attorneys, or regulated compliance programs. Do not assist with sanctions evasion, laundering, harassment, or non-consensual deanonymization.
1. Transaction tracing and fund-flow mapping
- Start from a seed tx hash or address; trace inflows/outflows across supported ecosystems (EVM L1/L2s, Solana, etc.) using explorers and indexers appropriate to each chain.
- Apply address clustering heuristics (see address-clustering-attribution skill): shared funding, coordinated timing, deployment patterns—always label confidence (fact vs inference).
- Note obfuscation paths: mixers, bridges, privacy tools, peel chains—map what is observable; gaps are normal.
- Present flows with timestamps, amounts, assets, and links to canonical explorers.
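The steps above as working code: an added example, not part of the original skill or the agentic-reserve/blockint-skills project. It walks outgoing transfers from a seed address hop by hop, applies a peel-chain heuristic to the first hop, and emits a report that keeps observed transfers (each tied to an explorer link) apart from inferences (each carrying a confidence label), plus a Mermaid flow sketch. The transfer records, address labels, the explorer base URL and the 0.9 peel ratio are all constructed assumptions for the demonstration.

```python
"""Forward fund-flow trace from a seed address over constructed transfers (added example)."""
from collections import deque
from dataclasses import dataclass

# Assumption: canonical explorer base URL for the chain under review.
EXPLORER = "https://etherscan.io/tx/"


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    ts: int        # unix seconds, from the block timestamp
    src: str
    dst: str
    asset: str
    amount: float  # already scaled by the token's decimals


# Constructed sample data, not real transactions: the seed wallet feeds a chain of fresh
# addresses, each of which sends a small amount sideways (the "peel") and forwards the rest.
# Labels such as 0xCEX_DEPOSIT stand in for real addresses.
TRANSFERS = [
    Transfer("0xaa01", 1_700_000_000, "0xSEED", "0xP1", "ETH", 100.0),
    Transfer("0xaa02", 1_700_000_600, "0xP1", "0xCEX_DEPOSIT", "ETH", 3.0),
    Transfer("0xaa03", 1_700_000_660, "0xP1", "0xP2", "ETH", 97.0),
    Transfer("0xaa04", 1_700_001_200, "0xP2", "0xCEX_DEPOSIT", "ETH", 2.5),
    Transfer("0xaa05", 1_700_001_260, "0xP2", "0xP3", "ETH", 94.4),
    Transfer("0xaa06", 1_700_001_800, "0xP3", "0xBRIDGE", "ETH", 94.3),
    Transfer("0xaa07", 1_700_002_000, "0xUNRELATED", "0xP3", "ETH", 0.1),  # inflow only; never on the forward trail
]


def outflows(transfers, addr):
    return sorted((t for t in transfers if t.src == addr), key=lambda t: t.ts)


def inflows(transfers, addr):
    return sorted((t for t in transfers if t.dst == addr), key=lambda t: t.ts)


def trace_forward(transfers, seed, max_hops=5):
    """Breadth-first walk over outgoing transfers from `seed`.
    Returns [(hop, Transfer)] in discovery order; every entry is an observed fact."""
    hop_of, queue, trail = {seed: 0}, deque([seed]), []
    while queue:
        addr = queue.popleft()
        hop = hop_of[addr]
        if hop >= max_hops:
            continue
        for t in outflows(transfers, addr):
            trail.append((hop + 1, t))
            if t.dst not in hop_of:
                hop_of[t.dst] = hop + 1
                queue.append(t.dst)
    return trail


def peel_chain(transfers, start, min_ratio=0.9):
    """Heuristic: follow the dominant outflow while it carries >= min_ratio of the hop's
    inflow and at least one smaller side output exists. The chain of intermediaries is an
    inference about common control, not an observed fact."""
    chain, addr = [start], start
    while True:
        outs = outflows(transfers, addr)
        if len(outs) < 2:
            break
        total_in = sum(t.amount for t in inflows(transfers, addr)) or sum(t.amount for t in outs)
        main = max(outs, key=lambda t: t.amount)
        if main.amount < min_ratio * total_in or main.dst in chain:
            break
        addr = main.dst
        chain.append(addr)
    return chain


def to_mermaid(trail):
    """Flow sketch for the report; node ids drop the 0x prefix so Mermaid accepts them."""
    node = lambda a: "n_" + a[2:]
    lines = ["flowchart LR"]
    for _, t in trail:
        lines.append(f"  {node(t.src)} -->|{t.amount:g} {t.asset}| {node(t.dst)}")
    return "\n".join(lines)


def build_report(transfers, seed):
    """Facts (each with a tx link) kept separate from inferences (each with a confidence)."""
    trail = trace_forward(transfers, seed)
    facts = [f"hop {h}: {t.src} -> {t.dst} {t.amount:g} {t.asset} @ {t.ts} {EXPLORER}{t.tx_hash}"
             for h, t in trail]
    inferences = []
    for addr in [t.dst for h, t in trail if h == 1]:
        chain = peel_chain(transfers, addr)
        if len(chain) >= 3:
            inferences.append({
                "claim": f"{', '.join(chain)} likely share a controller",
                "confidence": "medium",
                "basis": "peel-chain heuristic: dominant forward hop plus small side outputs at each step",
            })
    return {"seed": seed, "facts": facts, "inferences": inferences, "mermaid": to_mermaid(trail)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(TRANSFERS, "0xSEED"), indent=2))
```

The forward walk never follows inflows, so the 0.1 ETH paid into 0xP3 by 0xUNRELATED is absent from the trail; a backward trace (swap `outflows` for `inflows`) is a separate pass. The peel-chain result stays an inference: the same shape is produced by an exchange's hot-wallet sweeps, so corroborate before labelling.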
2. Smart contract forensics
- Prefer verified source on explorers; otherwise work from bytecode/disassembly and state its limits (no names or comments, selectors may be unresolved, a proxy's bytecode says nothing about the implementation behind it).
- Screen for high-risk patterns: privileged mint/upgrade, fee switches, pausable drains, unverified proxy admins—confirm with code, not headlines.
- Cross-check liquidity locks, timelocks, multisig claims against on-chain state.
- Simulation/testing belongs in a controlled environment; do not encourage mainnet attacks.
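For the bytecode-only case, here is an added example (not the skill's own code) of the first static pass a reviewer runs: a linear-sweep disassembler that pulls function selectors out of the Solidity dispatcher shape and tags the privileged ones from the checklist above. The runtime bytecode, the "unknown" selector and the risk tags are constructed for the demonstration; the selector-to-signature table holds well-known values. A deliberately planted PUSH20 immediate shows why a regex over the hex is not a disassembler.

```python
"""Selector screen over raw EVM runtime bytecode (added example, constructed bytecode)."""
import re

# First 4 bytes of keccak256(signature); these values are well known.
KNOWN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "70a08231": "balanceOf(address)",
    "40c10f19": "mint(address,uint256)",
    "8456cb59": "pause()",
    "3f4ba83a": "unpause()",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "8da5cb5b": "owner()",
    "f2fde38b": "transferOwnership(address)",
    "715018a6": "renounceOwnership()",
}
# Entry points the checklist above treats as privileged or high-risk (tags are this example's).
RISK_TAGS = {
    "mint(address,uint256)": "privileged mint",
    "pause()": "pausable (check what pausing gates)",
    "upgradeTo(address)": "upgradeable (find the admin / timelock)",
    "upgradeToAndCall(address,bytes)": "upgradeable (find the admin / timelock)",
}

EQ, PUSH1, PUSH4, PUSH32 = 0x14, 0x60, 0x63, 0x7F


def disassemble(code: bytes):
    """Linear sweep to (offset, opcode, immediate). PUSHn consumes its n immediate
    bytes, which is exactly what a byte-level grep for 0x63 gets wrong."""
    pc, ops = 0, []
    while pc < len(code):
        op = code[pc]
        n = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        ops.append((pc, op, code[pc + 1:pc + 1 + n]))
        pc += 1 + n
    return ops


def dispatcher_selectors(code: bytes):
    """PUSH4 immediates directly followed by EQ: the Solidity dispatcher shape
    (DUP1 PUSH4 sel EQ PUSH2 dest JUMPI). Functions reached through other shapes, or
    living in an implementation behind a proxy's DELEGATECALL, will not show up here."""
    ops = disassemble(code)
    return [imm.hex() for (_, op, imm), (_, nxt, _) in zip(ops, ops[1:])
            if op == PUSH4 and nxt == EQ]


def naive_grep(code: bytes):
    """The regex-over-hex approach, kept only to show its false positives."""
    return re.findall(r"63([0-9a-f]{8})14", code.hex())


def screen(code: bytes):
    report = {"known": {}, "unknown": [], "risk_flags": []}
    for sel in dispatcher_selectors(code):
        sig = KNOWN_SELECTORS.get(sel)
        if sig is None:
            report["unknown"].append(sel)  # resolve via a signature database, or report as unresolved
            continue
        report["known"][sel] = sig
        if sig in RISK_TAGS:
            report["risk_flags"].append(f"{sig}: {RISK_TAGS[sig]}")
    return report


# Constructed runtime bytecode, not from a real contract: a five-way dispatcher, then a
# PUSH20 whose immediate happens to contain the bytes 63 cafebabe 14, then a revert stub.
SAMPLE_BYTECODE = bytes.fromhex(
    "6080604052"                                  # PUSH1 0x80 PUSH1 0x40 MSTORE
    "6004361061020057"                            # PUSH1 4 CALLDATASIZE LT PUSH2 0x0200 JUMPI
    "60003560e01c"                                # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR
    "8063a9059cbb1461010057"                      # DUP1 PUSH4 transfer EQ PUSH2 0x0100 JUMPI
    "806340c10f191461012057"                      # DUP1 PUSH4 mint ...
    "80638456cb591461014057"                      # DUP1 PUSH4 pause ...
    "80633659cfe61461016057"                      # DUP1 PUSH4 upgradeTo ...
    "8063deadbeef1461018057"                      # DUP1 PUSH4 <unknown selector> ...
    "73" "00000000000000000000" "63cafebabe14" "00000000"  # PUSH20 <20-byte immediate>
    "50"                                          # POP
    "5b600080fd"                                  # JUMPDEST PUSH1 0 DUP1 REVERT
)

if __name__ == "__main__":
    print(screen(SAMPLE_BYTECODE))
    print("naive grep sees:", naive_grep(SAMPLE_BYTECODE))
```

Seeing `upgradeTo(address)` in the dispatcher is a lead, not a finding: the next step is reading the admin and implementation storage slots of the deployed proxy and the timelock or multisig that controls them, which needs an RPC call this offline example does not make.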
3. Scam pattern detection (heuristic)
- Watch for classic vectors: concentrated dev dumps, phishing contracts, suspicious airdrops, liquidity pulls, synchronized wallet bands.
- Flag anomalies with evidence: dormancy breaks, large moves to fresh addresses before pool removal, tight cluster coordination.
- Cross-check metadata, deployment time, and public OSINT—clearly separate proven chain facts from suspicion.
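The three anomaly heuristics above, run over a constructed timeline, as an added example that is not part of the original skill: a synchronized band of fresh wallets funded by one source, a dormancy break, and a large move to a fresh address shortly before a liquidity removal. Each finding lists the observed transactions as evidence and carries the status "suspicion" so the two are never conflated. The events, address labels, the 120 s / 180-day / 1 h windows and the amount threshold are all assumptions chosen for the demonstration.

```python
"""Heuristic scam-pattern flags over a constructed transfer timeline (added example)."""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86_400


@dataclass(frozen=True)
class Event:
    tx_hash: str
    ts: int
    src: str
    dst: str
    asset: str
    amount: float
    kind: str = "transfer"  # or "remove_liquidity" (an LP burn / pool withdrawal)


T0 = 1_700_000_000
# Constructed sample data, not real transactions. Address labels are placeholders.
EVENTS = [
    Event("0xb000", T0 - 400 * DAY, "0xOLD", "0xSOMEONE", "ETH", 1.0),    # old activity, then silence
    Event("0xb001", T0, "0xDEV", "0xW1", "TKN", 1_000_000),                # three fresh wallets funded
    Event("0xb002", T0 + 30, "0xDEV", "0xW2", "TKN", 1_000_000),           #   by the same source
    Event("0xb003", T0 + 55, "0xDEV", "0xW3", "TKN", 1_000_000),           #   within 55 seconds
    Event("0xb004", T0 + 3_600, "0xOLD", "0xFRESH9", "ETH", 250.0),        # dormant wallet wakes, big move
    Event("0xb005", T0 + 5_400, "0xDEV", "0xPOOL", "LP", 100.0, "remove_liquidity"),
    Event("0xb006", T0 + 7_200, "0xUSER", "0xUSER2", "ETH", 0.5),          # unrelated noise
]


def finding(flag, evidence, why):
    """Evidence is a list of observed txs (facts); the flag itself is a suspicion."""
    return {"flag": flag, "status": "suspicion",
            "evidence": [e.tx_hash for e in evidence], "why": why}


def first_seen(events):
    seen = {}
    for e in sorted(events, key=lambda e: e.ts):
        for a in (e.src, e.dst):
            seen.setdefault(a, e.ts)
    return seen


def synchronized_bands(events, window=120, min_size=3):
    """Same funder creating >= min_size never-before-seen addresses inside `window` seconds."""
    fs = first_seen(events)
    first_funding = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "transfer" and fs[e.dst] == e.ts:
            first_funding[e.src].append(e)
    flags = []
    for funder, evs in first_funding.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            if hi - lo + 1 >= min_size:
                flags.append(finding("synchronized fresh-wallet band", evs[lo:hi + 1],
                                     f"{funder} funded {hi - lo + 1} fresh addresses within {window}s"))
                break
    return flags


def dormancy_breaks(events, min_idle=180 * DAY):
    """Outbound activity after a long silence. Only sends count: inbound dust proves nothing about control."""
    last_send, flags = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if e.src in last_send and e.ts - last_send[e.src] >= min_idle:
            flags.append(finding("dormancy break", [e],
                                 f"{e.src} idle {(e.ts - last_send[e.src]) // DAY} days before sending"))
        last_send[e.src] = e.ts
    return flags


def pre_removal_moves(events, lookback=3_600, min_amount=100.0):
    """Large transfers to fresh addresses in the `lookback` seconds before a liquidity removal.
    One threshold is used for the constructed data; in practice set it per asset."""
    fs = first_seen(events)
    flags = []
    for r in (e for e in events if e.kind == "remove_liquidity"):
        hits = [e for e in events
                if e.kind == "transfer" and r.ts - lookback <= e.ts < r.ts
                and e.amount >= min_amount and fs[e.dst] == e.ts]
        if hits:
            flags.append(finding("large move to fresh address before pool removal", hits + [r],
                                 f"{len(hits)} transfer(s) to fresh addresses within {lookback}s of {r.tx_hash}"))
    return flags


def run_screen(events):
    return synchronized_bands(events) + dormancy_breaks(events) + pre_removal_moves(events)


if __name__ == "__main__":
    for f in run_screen(EVENTS):
        print(f)
```

Each heuristic has benign explanations (airdrop distribution, a cold wallet being rotated, a market maker rebalancing), which is why the output never says "rug"; it says which transactions, in which order, look like the pattern and leaves the conclusion to corroboration with metadata, deployment history and OSINT.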
4. Toolchain and data sources (examples)
- Explorers: chain-native (e.g. Etherscan family, Solscan, Blockscout).
- Analytics / labeling: vendor-specific depth varies—corroborate labels.
- Query / dashboards: Dune, Flipside, etc., where applicable.
- Portfolio / UX: DeBank, Zerion-class tools—useful for overview, not legal proof alone.
- OSINT: WHOIS, public repos, public social timestamps—lawful collection only.
- Monitoring: mempool or alert bots—respect rate limits and authorization for any automated probing.
Boundary: analysis uses public chain data and lawful OSINT—no private keys, no insider data, no credential theft, no illegal scraping or CFAA-violating access.
5. Reporting and evidence delivery
Structure outputs for clarity and auditability:
- TL;DR — wallets/contracts and strongest findings.
- Step-by-step trail — txs with direct explorer links.
- Diagrams — flow sketches where helpful (Mermaid or described for rendering).
- Risk framing — probabilistic language; separate evidence from hypothesis.
- Next steps — e.g. filing with official cybercrime channels, contacting project security, weighing public-disclosure ethics; the user must follow local law.
Every material claim should tie to on-chain or cited public sources; mark speculation explicitly.
6. Operational workflow (suggested)
- Intake — tip, address, or project identifier from public or user-provided context.
- Triage — quick pass: does public data show a coherent lead?
- Deep dive — tracing, contract review, pattern match (scope to task).
- Verification — re-check hashes, decimals, chain ID; reconcile conflicting explorers.
- Publication — user-controlled; ensure accuracy and legal risk review for public posts.
- Follow-up — optional monitoring of public subsequent moves.
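The verification step as code, added here as an example that is not part of the original skill: two explorer records for what is claimed to be the same transfer are normalized (hash to 0x + 64 lowercase hex, chain id from int, decimal or 0x-hex string) and their raw token amounts scaled by the decimals each explorer reports. The two records are constructed; in them one explorer reports 6 decimals and the other 18 for the same raw value, which is the classic way a 12,500 USDC transfer turns into 0.0000000125 in a report.

```python
"""Verification pass over two explorer records of one transfer (added example)."""
from decimal import Decimal

HEX_DIGITS = set("0123456789abcdef")


def normalize_hash(h: str) -> str:
    """Canonical form: 0x + 64 lowercase hex. Anything else is rejected, not guessed."""
    h = h.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    if len(h) != 64 or any(c not in HEX_DIGITS for c in h):
        raise ValueError(f"not a 32-byte tx hash: {h!r}")
    return "0x" + h


def normalize_chain_id(v) -> int:
    """Explorers hand back chain ids as int, decimal string or 0x-hex string."""
    if isinstance(v, int):
        return v
    s = str(v).strip().lower()
    return int(s, 16) if s.startswith("0x") else int(s, 10)


def scale(raw: str, decimals: int) -> Decimal:
    """Raw integer amount -> human units, exactly (no float)."""
    return Decimal(raw) / (Decimal(10) ** decimals)


def reconcile(a: dict, b: dict) -> dict:
    """Compare two records of the 'same' tx and list every field that disagrees."""
    issues = []
    ha, hb = normalize_hash(a["hash"]), normalize_hash(b["hash"])
    if ha != hb:
        issues.append(f"hash differs: {ha} vs {hb}; these are not the same transaction")
    ca, cb = normalize_chain_id(a["chain_id"]), normalize_chain_id(b["chain_id"])
    if ca != cb:
        issues.append(f"chain id differs: {ca} vs {cb}; same hash on another chain is not the same event")
    if a["decimals"] != b["decimals"]:
        issues.append(f"decimals differ: {a['decimals']} vs {b['decimals']}; "
                      "resolve against the token contract's decimals() before quoting an amount")
    amt_a, amt_b = scale(a["raw_value"], a["decimals"]), scale(b["raw_value"], b["decimals"])
    if amt_a != amt_b:
        issues.append(f"scaled amount differs: {amt_a} vs {amt_b}")
    return {"hash": ha, "chain_id": ca, "amounts": {"a": amt_a, "b": amt_b},
            "issues": issues, "consistent": not issues}


# Constructed records, not real explorer output. Same tx, different presentation,
# and one explorer reports the wrong decimals for the token.
RECORD_A = {"hash": "0x" + "ab" * 32, "chain_id": 1, "token": "USDC",
            "decimals": 6, "raw_value": "12500000000"}
RECORD_B = {"hash": ("AB" * 32), "chain_id": "0x1", "token": "USDC",
            "decimals": 18, "raw_value": "12500000000"}

if __name__ == "__main__":
    for issue in reconcile(RECORD_A, RECORD_B)["issues"]:
        print("-", issue)
```

Nothing here decides which explorer is right; the decimals conflict is resolved by reading `decimals()` from the token contract itself, and until that is done the amount is not quoted in the report.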
7. Ethical and professional guardrails
- Work from publicly observable activity and lawful OSINT.
- Do not facilitate doxxing, harassment, or vigilante action; do not fabricate attribution.
- Prefer accuracy over speed—wrong labels harm people and cases.
8. Related skills
- Core companions: address-clustering-attribution, crypto-investigation-compliance.
- Multi-chain graphs: cross-chain-clustering-techniques-agent.
- DeFi security (broad): defi-security-audit-agent; EVM Solidity focus: evm-solidity-defi-triage-agent; Solana programs: solana-defi-vulnerability-analyst-agent; honeypots: honeypot-detection-techniques; launch rug risk: rug-pull-pattern-detection-agent.
- Post-incident atomic DeFi: flash-loan-exploit-investigator-agent.
- MEV: sandwich-attack-investigator-agent; searcher / builder infrastructure: mev-bot-infrastructure-analysis-agent; MEV + rug overlap hypotheses: mev-bot-rug-coordination-investigator-agent.
- OSINT tool catalog: bellingcat-investigation-toolkit.
- Solana stacks and doc indexes (Helius, Range MCP, Tavily, PayAI, React Flow): solana-onchain-intelligence-resources.
- Range MCP investigation checklist: range-ai-investigation-playbook.
Goal: help users document and understand public-ledger activity for lawful reporting and ecosystem defense—not to replace courts or law enforcement.
More from agentic-reserve/blockint-skills
evm-solidity-defi-triage-agent
Guides EVM Solidity DeFi triage from public verified source or bytecode—access control, proxies, oracle usage, reentrancy and CEI patterns, DEX/router integrations, and common vulnerability classes. Use when the user asks for Ethereum or L2 smart contract security review, Solidity audit triage, OpenZeppelin proxy risks, or EVM-specific DeFi patterns—not for live exploits or private keys.
crypto-market-structures
Summarizes descriptive concepts for max pain options theory, covered-call style crypto ETFs, crypto arbitrage families and risks, and bull/bear flag chart patterns—always as non-prescriptive education. Use when the user asks about max pain, premium income ETFs, arbitrage, funding rates, flash loans, or bull/bear flags in crypto trading context.
honeypot-detection-techniques
Educational techniques to assess honeypot-style token risk from verified source, bytecode clues, and observational on-chain history—EVM ERC-20 patterns (transfer gates, fees, blacklists), Solana SPL and Token-2022 hooks, and safe validation paths. Use when the user asks how to detect honeypots, sell-restricted tokens, scam token mechanics, or static review checklists—not for deploying scams, stealing funds, or advising high-risk mainnet test trades on unknown contracts.
katana-web-crawling
Guides use of ProjectDiscovery Katana for web crawling and spidering in security testing and recon workflows. Covers installation, standard vs headless mode, scope and rate limits, JSONL output, and piping from httpx or URL lists. Use when the user mentions Katana, projectdiscovery/katana, web crawling, spidering, endpoint discovery, attack surface mapping, or chaining crawlers in automation pipelines.
solana-defi-vulnerability-analyst-agent
Guides discovery and documentation of Solana DeFi protocol risks from public code and chain state—Anchor/native programs, PDAs, CPIs, oracles, pools, SPL mechanics, and historical tx reconstruction. Use when the user asks for Solana program security review, DeFi vulnerability triage, PDA or CPI safety, oracle or liquidity-pool risk, launchpad/bonding-curve issues, or evidence-backed severity findings without exploits or private keys.
solana-tracing-specialist
Guides Solana-specific on-chain forensics—ATA resolution, SPL instruction parsing, transaction history via RPC and indexers (e.g. Helius-style APIs), fund-flow graphs, Solana clustering heuristics, and program authority review. Use when the user investigates Solana wallets, SPL tokens, DEX/Jito flows, rug or phishing patterns on Solana, or needs evidence-structured tracing reports with public data only.