Crystal Intelligence

Overview 

alphaMountain is a leading provider of threat intelligence, web reputation, and content categorization.

The alphaMountain threat response integration for Maltego enables users to conduct investigations informed by reputation of the hosts, domains, and IP addresses of the target. The alphaMountain Transforms return indicators with a risk score and a relevant content categorization.

About Crystal

Crystal Intelligence provides advanced blockchain analytics tools designed to facilitate cryptocurrency investigations. By offering real-time access to blockchain data, transaction tracing, and risk assessment, Crystal equips investigators with the insights needed to identify fraudulent activities, trace illicit funds, and ensure regulatory compliance. With features such as a proprietary labeling algorithm, risk scoring system, and API integration, Crystal simplifies complex investigations, enabling law enforcement agencies, financial institutions, and compliance professionals to efficiently detect, analyze, and act on suspicious blockchain activity.

Use Cases

Achieve real-time visibility

Follow funds through multiple wallets and chains with powerful visualization capabilities 

Identify real-world suspects

Link pseudonymous blockchain transactions to real-world organizations 

Connect the dots

See how individuals and organizations are connected 

Recover lost or stolen crypto assets

Trace and recover lost or stolen cryptocurrencies. Crystal experts in blockchain forensics can unravel complex transactions, identify suspicious addresses, and provide actionable insights to assist in asset recovery efforts.

Collect evidence for court

Create clear visualizations illustrating flow of funds and links between entities as evidence for court.

Glossary

Below you can find definitions of the specific terms used in this document:

• Address

A blockchain address is a unique alphanumeric string that serves as an identifier for sending, receiving, or storing cryptocurrency or digital assets on a blockchain network. It acts as a publicly visible destination for transactions and is derived through cryptographic algorithms.

Addresses with the same owner are grouped into clusters. Crystal collects data from various sources and connects part of the clusters to real-world entities (named clusters). After that, each of the named clusters is assigned an expert estimate of the Risk Score value and Type. The Risk Score is then propagated to unknown clusters using the label propagation algorithm.

In Maltego system, if users want to add a cluster to a graph to run a transform on it, they should add a new cluster, and then enter a cluster name, after which they can run the necessary transform. If the user defines a cluster name that is not in the Crystal database, a message will be displayed informing the user that the cluster is not found.

The individual or organization legally or operationally associated with a cluster of blockchain addresses.

Crystal’s Risk Score is a metric that helps to estimate the chance that an address or a cluster is related to illegal activity. The value can vary from 0% to 100%, where 0% means that the address is safe, and 100% indicates the highest degree of probability that the address is involved in illegal activity. 

Risk Score ranges in Crystal:

• 0 - 25% Risk Score - Low risk
• 26 - 74% Risk Score - Medium risk
• 75 - 100% Risk Score - High risk
  
  

• Shortest Path

The minimum number of hops between addresses or clusters for sent or received funds. Each hop represents a single step in the transactional path, such as a transfer from one address or cluster to another.

A transaction in blockchain is a record of the transfer of cryptocurrency, digital assets, or data between two parties on a blockchain network. It is initiated by a sender and contains details such as the sender’s address, recipient’s address, the amount transferred, and sometimes additional metadata or instructions.

Supported Blockchains

Crystal Transforms described below work for each of the supported blockchains: 

• Arbitrum (ARB)
• Binance Smart Chain (BSC)
• Bitcoin (BTC)
• Bitcoin Cash (BCH)
• Ethereum (ETH)
• Ethereum Classic (ETC)
• Litecoin (LTC)
• Polygon (Matic)
• Tron (TRX)

Each transform name starts with the chain abbreviation. Example: "BTC Address to Address Attribution", "ETH Address to Address Attribution", etc.

Crystal Transforms

This section provides information on Crystal Transforms including inputs and meta information.

{Blockchain} Address To Address Attribution

Transform Settings

Description

The transform takes an Address as input and returns the following data:

• Transactions Number: The total number of transactions associated with the address, both incoming and outgoing, on the specified chain.
• Received: The total amount received by the address on the specified chain. 
• Balance: The current balance of the of the address on the specified chain.
• Sent: The total amount sent by the address on the specified chain. 
• First Activity: The date of the address's first recorded activity.
• Last Activity: The date of the address's most recent recorded activity.
• Owner: The name of the service or cluster ID associated with the address.
• Owner Type: The owner type as defined by the Crystal labeling system.
• Risk Score: A value between 0 and 100, expressed as a percentage, representing the risk level of the cluster the address belongs to.

Transform Meta Info

{Blockchain} Address To Input Transactions

Transform Settings

Description

The transform takes an Address as an input and returns incoming transactions according to the specified date range.

Transform Meta Info

{Blockchain} Address To Output Transactions 

Transform Settings

Description

The transform takes an Address as an input and returns outgoing transactions according to the specified date range.

Transform Meta Info

{Blockchain} Address to Owner’s Cluster

Transform Settings

Description

The transform takes an Address as an input and returns the Cluster the address belongs to with the following data (properties):

• Owner: The name of the service or cluster ID associated with the address.
• Slug: Owner’s slug.
• First Activity: The date of the address's first recorded activity.
• Last Activity: The date of the address's most recent recorded activity.
• Owner Type: The owner type as defined by the Crystal labeling system.
• Addresses: The number of addresses for a selected blockchain included in the owner’s cluster.
• Blockchains: Blockchains on which owner’s cluster is active.
• Risk Score: A value between 0 and 100, expressed as a percentage, representing the risk level of the cluster the address belongs to.
• Balance: The current balance of the of the address on the specified chain.
• Sent: The total amount sent by the address on the specified chain.
• Received: The total amount received by the address on the specified chain. 
• Transactions: The total number of transactions associated with the address, both incoming and outgoing, on the specified chain.
• Inner Transactions: Number of inner transactions associated with the address (for ETH-based chains).
• Inner Transactions Amount: The total value of outputs of address’s inner transactions on the specified chain (for ETH-based chains).

Note: If the specified address does not belong to any named cluster, the message will be displayed: ‘[INFO] No Owner information was found for {address}’.

Transform Meta Info

{Blockchain} Transaction To Input Addresses

Transform Settings

Description

The transform takes a Transaction as an input and returns input addresses.

Transform Meta Info

{Blockchain} Transaction To Output Addresses 

Transform Settings

Description

The transform takes a Transaction as an input and returns output addresses.

Transform Meta Info

{Blockchain} Cluster To Addresses

Transform Settings

Description

The transform takes Cluster as an input and returns addresses this cluster contains. The number of displayed addresses is limited to 30 addresses with the highest balance. No properties are added to the initial cluster or the resulting addresses.

Transform Meta Info

{Blockchain} Cluster To Input Direct Counterparties

Transform Settings

Description

The transform takes Cluster as an input and returns top ten senders of funds to this Cluster (clusters and / or addresses that had direct interactions with it in receiving direction), and adds information on these counterparties to the properties of the initial Cluster. 

As a result of the transform, a list of direct counterparties with the following data is added to the properties of the initial Сluster:

• Name: Counterparty name / ID of the owner, address hash, or the "Rewards / Fees" statement.
• Type: Owner type, "Unnamed cluster," or "Address."
• Received: The total of funds on the defined blockchain received directly from the counterparty.
• Sent: The total of funds on the defined blockchain sent directly to the counterparty.
• Transactions: The total number of transactions with the counterparty in both directions on a specified blockchain.
• Risk Score: Counterparty Risk Score.
• First interaction: Date and time of the first transaction with the counterparty, regardless of whether the transaction was incoming or outgoing.
• Last interaction: Date and time of the last transaction with the counterparty, regardless of whether the transaction was incoming or outgoing.

Transform Meta Info

{Blockchain} Cluster To Output Direct Counterparties

Transform Settings

Description

The transform takes Cluster as an input and top ten receivers of funds from this Cluster (clusters and / or addresses that had direct interactions with it in sending direction), and adds the list of top counterparties to the properties of the initial Cluster. 

As a result of the transform, a list of direct counterparties with the following data is added to the properties of the initial Сluster:

• Name: Counterparty name / ID of the owner, address hash, or the "Rewards / Fees" statement.
• Type: Owner type, "Unnamed cluster," or "Address."
• Received: The total of funds on the defined blockchain received directly from the counterparty.
• Sent: The total of funds on the defined blockchain sent directly to the counterparty.
• Transactions: The total number of transactions with the counterparty in both directions on a specified blockchain.
• Risk Score: Counterparty Risk Score.
• First interaction: Date and time of the first transaction with the counterparty, regardless of whether the transaction was incoming or outgoing.
• Last interaction: Date and time of the last transaction with the counterparty, regardless of whether the transaction was incoming or outgoing.

Transform Meta Info

{Blockchain} Cluster to Input Connections

Transform Settings

Description

The transform takes Cluster as an input and returns senders - Clusters/Addresses that had direct / indirect interaction with it, and adds the list of top connections to the properties of the initial Cluster.

As a result of the transform, a list of connections with the following data is added to the properties of the initial Сluster:

• Name: Counterparty name / ID of the owner, address hash, or the "Rewards / Fees" statement.
• Type: Owner type, "Unnamed cluster," or "Address."
• Received: The total of funds on the defined blockchain received from the counterparty.
• Sent: The total of funds on the defined blockchain sent directly to the counterparty.
• Risk Score: Counterparty Risk Score.
• Hops: the length of the shortest path (number of hops) in the sending/receiving direction.

Transform Meta Info

{Blockchain} Cluster to Output Connections

Transform Settings

Description

The transform takes Cluster as an input and returns Receivers – clusters that had direct / indirect interaction with it, and adds the lists of top connections to the properties of the initial Cluster.

As a result of the transform, a list of connections with the following data is added to the properties of the initial Сluster:

• Name: Counterparty name / ID of the owner, address hash, or the "Rewards / Fees" statement.
• Type: Owner type, "Unnamed cluster," or "Address."
• Received: The total of funds on the defined blockchain received from the counterparty.
• Sent: The total of funds on the defined blockchain sent directly to the counterparty.
• Risk Score: Counterparty Risk Score.
• Hops: the length of the shortest path (number of hops) in the sending/receiving direction.

Transform Meta Info

{Blockchain} Cluster To Owner

Transform Settings

Description

The transform takes a Cluster as input and returns Cluster Owner information:

• First Activity: Date of the first transaction involving an owner’s address.
• Last Activity: Date of the most recent transaction involving an owner’s address.
• Name: Name of the service or ID of unnamed cluster.
• Slug: Owner’s slug.
• Addresses: The number of addresses for a selected blockchain included in the owner’s cluster.
• Type: The owner type as defined by the Crystal labeling system.
• Risk Score: A value between 0 and 100, expressed as a percentage, representing the risk level of the owner.).
• Balance: The current balance of the of the owner’s cluster on the specified chain.
• Sent: The cumulative amount of funds sent from the owner’s addresses on the specified chain.
• Received: The cumulative amount of funds received by the owner’s addresses on the specified chain.
• Transactions: The total number of transactions, both incoming and outgoing, of the owner’s addresses.
• Inner Txs: Number of internal transactions withing the owner’s addresses (for ETH-based chains).
• Inner Txs amount: The total value of all outputs in inner transactions (for ETH-based chains).

Transform Meta Info