Sherlock is a lightweight, local-first Bitcoin transaction chain analysis tool and web application. It parses Bitcoin Core block data (.dat files) directly, reconstructs transaction graphs, and applies a suite of rule-based heuristics to identify and classify on-chain behaviors like CoinJoins, consolidations, batch payments, and peeling chains.
Built with Next.js, TypeScript, and Tailwind CSS, Sherlock provides both machine-readable JSON outputs and a rich, interactive human-readable dashboard.
- Direct
.datParsing: Operates directly on Bitcoin Coreblk,rev, andxorfiles—no full node indexing or external API rate limits required. - Transaction Graph Reconstruction: Uses undo (
rev) data to reconstruct previous outputs (prevouts), enabling deep inspection of input values and scripts. - Interactive Visualization: A modern, dark-mode Next.js UI to explore blocks, visualize transaction flows, and inspect script distributions and fee rates.
- 10+ On-Chain Heuristics:
- Common Input Ownership Heuristic (CIOH)
- Change Output Detection
- Address Reuse
- CoinJoin Fingerprinting (Whirlpool, JoinMarket, Wasabi-like)
- UTXO Consolidation
- Self-Transfer Detection
- Batch Payment Classification
- Peeling Chains
- OP_RETURN Payload Extraction
- Round Number Payment Detection
- Framework: Next.js 15+ (React 19)
- Language: TypeScript
- Styling: Tailwind CSS v4 (with custom Sherlock UI theme)
- Bitcoin Primitives: bitcoinjs-lib
- Testing: Vitest (with v8 coverage)
- Node.js (v18+ recommended)
- npm, yarn, or pnpm
- Clone the repository:
git clone https://github.com/wolgwang1729/Sherlock.git
cd Sherlock- Install dependencies:
npm install- Run the development server:
npm run devOpen http://localhost:3000 in your browser to view the application.
- Run tests:
npm run test
# Or to run with UI: npm run test:uiTo perform an analysis, Sherlock requires three files uploaded simultaneously. These files must come from a synced Bitcoin Core data directory.
blkNNNNN.dat(Raw block data)revNNNNN.dat(Undo data for prevout reconstruction)xor.dat(The XOR key used by Bitcoin Core to obfuscate block data)
Note:
blkandrevfiles must have matching numeric suffixes (e.g.,blk05051.datandrev05051.dat).
- Windows:
%APPDATA%\Bitcoin\blocks - Linux:
~/.bitcoin/blocks - macOS:
~/Library/Application Support/Bitcoin/blocks
If you are using a pruned node, only recent files will be available. If xor.dat is missing, you can create an 8-byte zero-filled file named xor.dat.
Note: You can also click Use Example .dat Files in the UI to load the bundled test fixtures (
blk05051.dat).
Sherlock's architecture is intentionally rule-based and localized.
- Parsing:
src/lib/block.tsXOR-decodes the files, parses raw block payloads, verifies transaction merkle roots, and pairs each block with its undo records. - Normalization:
src/lib/transaction.tsconverts parsed transactions into a normalizedTransactionAnalysisobject, computes fee rates and weights, infers RBF signaling, and decodes script types viasrc/lib/script.ts. - Context Building: A block-local context maps address frequencies and immediate
spend_by_outpointrelationships. - Heuristics:
src/lib/heuristics.tsruns each transaction through the heuristic pipeline. Detailed flowcharts and logic are inAPPROACH.md. - Classification: Transactions are labeled (e.g.,
coinjoin,consolidation,simple_payment) and assigned confidence tiers based on heuristic confluence.
wolgwang1729-sherlock/
├── fixtures/ # Bundled test data (blk, rev, xor)
├── src/
│ ├── app/ # Next.js App Router (Pages, Layout, API Routes)
│ ├── components/ # React UI Components (BlockVisualizer, TransactionVisualizer)
│ ├── lib/ # Core logic (block parsing, script parsing, transaction normalization)
│ │ └── detectors/ # Individual heuristic implementations
│ ├── types/ # TypeScript interfaces and schemas
│ ├── utils/ # Helper functions (BufferCursor, math, parsing)
│ └── __tests__/ # Vitest unit and integration tests
├── APPROACH.md # Deep-dive documentation into heuristic logic
└── README.md # Project overview