How TRONORIGIN works

The pipeline

Every analysis follows the same sequence: collect on-chain data, identify candidate addresses, score each candidate across three phases, detect whether control has changed hands, and generate a plain-language explanation of the result.

  1. Data collection — Transaction history, resource delegations, permission keys, and token transfers are fetched from public TRON data sources (TRONscan, TronGrid). Standard analysis covers up to 30 inbound transactions; deep scan covers up to 200.
  2. Candidate identification — Every unique address that has sent funds or resources to the target becomes a candidate. Exchange hot wallets, DEX routers, and known infrastructure are classified and handled accordingly.
  3. Three-phase scoring — Each candidate is scored across activation, funding history, and current control. Scores are normalized and converted to a confidence band (Low / Medium / High).
  4. Takeover detection — If the genesis-era leader and the recent-activity leader are different addresses and the divergence is significant, the result is flagged and classified.
  5. AI summary — The structured scoring result is passed to an AI model, which generates a plain-language explanation of the finding and any alerts. The AI reads from the result; it does not alter it.

The three-phase scoring model

Attribution is split across three phases because the question “who is behind this wallet” has three distinct sub-questions, and the answers can disagree. Weighting the phases separately lets the model surface that disagreement rather than silently averaging it away.

Phase 1 — Activation (25%)

Who created or first funded this wallet? The activation event — especially when it involves an explicit account-creation transaction — is the strongest genesis signal. However, exchanges, faucets, and bridges frequently appear first without representing the true owner, so activation alone carries only a quarter of the total weight.

Phase 2 — Funding history (25%)

Who has been consistently involved over the life of this wallet? Sustained relationships — recurring transfers, resource delegation, fee provision, return flows — often point more reliably to the actual owner than the genesis event. Candidates that appear only once score lower than those with a long, ongoing pattern of involvement.

Phase 3 — Current control (50%)

Who controls this wallet right now? Current control carries the most weight because, for most investigative purposes, the operative question is who is operating the wallet today. Signals like resource delegation and recent return flows are the strongest indicators of active control. This phase is double-weighted to reflect that priority.

When Phase 1 and Phase 3 agree on the same candidate, overall confidence rises. When they point to different candidates and the divergence is large enough, takeover detection fires — the wallet may have changed hands, been sold, or been compromised since it was created.

What the heuristic looks at

The confidence score is built from a set of specific on-chain signals, each carrying a distinct weight. What follows is a summary-level list.

  • Strongest Resource delegation — If a candidate has delegated Energy or Bandwidth to the target wallet, they almost certainly control it. Exchanges never delegate resources to individual users; only personal wallets do this.
  • Strong Return flows — When the target sends funds back to a candidate, it is a strong indicator of an owner-operator relationship. The bonus decays with time: a same-day return is weighted more heavily than one that occurs months later.
  • Strong Fee provision — A candidate that consistently pays transaction fees (Energy or Bandwidth) on behalf of the target has a financial relationship that goes beyond a one-time transfer.
  • Strong Explicit account creation — A candidate whose transaction created the account on-chain (AccountCreateContract) has definitive, irrefutable genesis credit.
  • Moderate First sender — The chronologically first funder is statistically likely to be the origin, though this bonus is suppressed when address-poisoning signals are present.
  • Moderate Repeated interactions — Multiple inbound transactions from the same candidate suggest an ongoing relationship. The bonus is logarithmically capped to prevent spam from gaming the score.
  • Moderate Contract consistency — If the candidate has interacted with the same smart contract as the target’s first outbound transaction, they are likely operating together.
  • Contextual Address category — Personal wallets score higher than exchanges; exchanges are neutral; faucets, bridges, and mass-funder addresses are penalized. DEX router addresses are excluded from candidate scoring entirely.
  • Contextual Transfer amount — Dust transfers (below 0.01 TRX) are penalized. Normal and large transfers receive positive weight. Micro-dust and zero-value transfers are treated as potential address-poisoning signals.
  • Penalty Poisoning indicators — Lookalike addresses (within a small edit distance of the target), zero-value transfers, and micro-dust bursts receive direct score penalties and may reduce the global confidence band.

The AI summary

After the heuristic produces a structured result — ranked candidates, confidence band, behavioral tags, takeover flags — that result is passed to an AI model (Google Gemini), which generates a plain-language explanation for the investigator.

The AI summary does not change the result. It reads from the scoring output; it cannot override scores, confidence bands, or takeover classifications. If the underlying data is ambiguous or contradicted by competing signals, the summary will say so. That hedging is intentional — it reflects genuine uncertainty in the on-chain record, not a limitation of the language model.

Takeover detection

Takeover detection compares two scoring windows: a genesis window (roughly the first 30 days or first 10 transactions) and an operational window (approximately the last 180 days). If the leading candidate in each window is a different address and the divergence ratio is large enough, the result is flagged as a potential change of control and classified into one of five types:

  • Sale — The genesis funder was an exchange or custodian, and a different address now dominates recent activity. Consistent with a wallet sold or transferred to a new user.
  • Compromise — Early and recent control are held by different parties with no obvious custodial or commercial explanation. The most concerning classification; warrants further investigation.
  • Secondary wallet — The divergence pattern is consistent with the same owner moving to a different operational address — a common practice for operational security or account rotation.
  • DAO transition — Keys appear to have been transferred to a new governance entity or multisig structure, consistent with a protocol handoff rather than a sale or compromise.
  • Hostile takeover — Long dormancy followed by new key activity with no continuity of relationship — the strongest signal that the original owner lost control against their will.

What this tool does not decide

TRONORIGIN reports its confidence level and explains the on-chain signals behind each result. It does not make the final attribution call — that is the investigator’s job. A High confidence result means the data strongly supports the identified candidate; it does not mean the case is closed.

The tool does not provide financial or legal advice. It does not attempt to link blockchain addresses to real-world identities; it attributes addresses to known clusters and labeled entities (exchanges, contracts, faucets) only where the on-chain evidence directly supports that label. When the data is thin, contradictory, or obscured — by mixer involvement, deliberate layering, or a limited transaction history — the confidence band and data quality indicator will say so. See the FAQ for more on interpreting those signals.