- What “on-chain analytics” really means
- Part I — Your core toolbelt
- 1) Etherscan-style explorers (and friends)
- 2) Dune (community data warehouse)
- 3) Nansen (labeled flow & “smart money” cohorts)
- 4) Arkham Intelligence (entity graphs + bounties)
- 5) Tenderly (simulations, state diffs, traces)
- 6) Breadcrumbs (open visualization & monitoring)
- Sidekicks worth knowing
- Part II — A repeatable investigation workflow
- Part III — How on-chain detectives actually work
- Part IV — Case studies (what the data teaches)
- A) Euler Finance (2023): chaos → recovery
- B) Ronin Bridge (2022): attribution at nation-state level
- C) Mango Markets (2022–2024): manipulation vs. code-is-law
- D) Munchables (Blast, 2024): the “give-it-back” exploit
- Part V — Practical patterns you’ll reuse
- 1) “Is this token safe enough to trade?”
- 2) “Who funded this deployer?”
- 3) “Did a governance action change flows?”
- 4) “Was this a wash-trade farm?”
- 5) “Is this a bridge-arb or a rotation?”
- Part VI — Dune patterns (copy/paste with your tweaks)
- Part VII — Tenderly drills you’ll actually use
- Part VIII — Red teaming your own assumptions
- Part IX — Ethics, compliance, and safety
- Part X — Checklists you can print
- Part XI — What 2025 changed
- Closing: Build your stack, keep your edge
- Sources (selected)
Long read (bookmark this).
This is a practical, end-to-end playbook for doing real on-chain analysis: which tools to use, how to structure an investigation, what signals matter, and how top “on-chain detectives” put pieces together. We’ll cover Etherscan-style explorers, Dune (SQL/warehouse analytics), Nansen and Arkham (labeled entity intel), Tenderly (simulations), and open visualization stacks. Then we’ll walk through case studies that show how public data actually moves decisions. Finally, you’ll get reusable checklists and queries you can adapt.
Keep your bps: Most investigations end with moving funds—claiming an airdrop, rushing to a new chain, or rotating profits. Bundle swap + bridge in one click and earn cashback (plus referrals) with Chainspot: https://app.chainspot.io
What “on-chain analytics” really means
On-chain analysis is the craft of turning public ledger events into explainable narratives and actionable decisions. In practice you’ll juggle:
- Block explorers (ground truth): tx traces, event logs, storage diffs, contract metadata.
- Data warehouses: pre-indexed tables (swaps, transfers, mints) you can query with SQL.
- Entity-label platforms: clustered addresses (exchanges, funds, bridges, mixers, OFAC-listed identifiers), “smart money” cohorts, and alerts.
- Simulation & debugging: dry-run a tx, replay it on a fork, or apply state overrides to see “what would happen if…”.
When you combine these layers, you can answer questions like: Who funded this deployer? Which CEX hot wallet absorbed the proceeds? Which gauge change caused TVL to rotate? And most importantly: What should I do next—and at what cost?
Part I — Your core toolbelt
Below are the primary tools (with the one thing each is best at) and how to use them together.
1) Etherscan-style explorers (and friends)
Best at: ground truth for EVM chains (transactions, logs, internal calls, bytecode, ABI, verified source) and permalinks you can cite. Etherscan’s API exposes address metadata, labels, funding links, and token-transfer endpoints (ERC-20/721/1155) that are convenient for quick triage (docs.etherscan.io).
How to work fast here:
- Start from a transaction hash, then read Input Data (decoded if the ABI is verified), Logs (events), and Internal Txns (value flows through calls). Internal transactions are reconstructed from call traces, not emitted events, so a contract-to-contract ETH transfer shows up there and never in Logs.
- For addresses, check the label/nametag and fundedBy metadata; this often reveals the first funder and common clusters (docs.etherscan.io).
- Use explorer variants for other ecosystems (BscScan, Arbiscan, Polygonscan; Solscan/Solana Explorer for Solana; OKLink/Blockscout where relevant).
Tip: make it a ritual (who funded whom, when, and via what bridge) before you chase narrative.
2) Dune (community data warehouse)
Best at: ad-hoc questions at scale. Dune maintains community tables and decoded contract ABIs for major protocols. You can fork dashboards, write SQL against curated schemas, and share charts. Their front page highlights “100k+ community dashboards” and “750k insights,” which tells you two things: there is almost certainly a base table for what you want, and you still need to verify it (dune.com).
How to get leverage:
- Learn the decoded-event tables for your target protocol (e.g., dex.trades, erc20_ethereum.evt_Transfer) and build materialized views for speed.
- Keep a dictionary of event signatures (topic0 = keccak256 of the canonical signature string) you care about (UniswapV2 Swap, UniswapV3 Swap, ERC-20 Transfer) and the index filters you apply (pair, token, pool). UniswapV2 and UniswapV3 both emit an event named Swap, but with different parameter lists, so their topic0 hashes differ.
- Treat someone else’s dashboard as a hint, not gospel; always peek at the raw SQL.
(If you want reference examples of common Dune SQL patterns, there’s a public GitHub with sample queries aggregating Uniswap volume, active wallets, etc. Useful for scaffolding. GitHub)
3) Nansen (labeled flow & “smart money” cohorts)
Best at: labels and cohort behavior. Nansen’s long-running value proposition is entity labeling (CEX hot wallets, team treasuries, funds, insiders) plus the ability to tag wallets with custom labels that then propagate across dashboards. Their docs/guides explain how labels appear platform-wide to simplify tracking (nansen.ai).
When it shines:
- Tracking “who” is behind a flow (MM desk, VC, deployer cluster).
- New-token buyer quality (are they mercenary airdrop farmers or sticky funds?).
- Alerting when specific cohorts accumulate or distribute.
Caveat: labels can be wrong or stale; confirm with explorer traces when it matters.
4) Arkham Intelligence (entity graphs + bounties)
Best at: deanonymization workflows and the Arkham Intel Exchange bounty market, an “intel-to-earn” model where sleuths submit proofs of ownership or links between addresses for rewards, with bounties and payouts handled by smart contracts. The Intel Exchange was announced with audits by Quantstamp, and bounties have targeted high-profile figures (e.g., Do Kwon wallet intel) (Arkham).
When to use:
- You need a named cluster (e.g., “team’s OTC desk”) or want to post a bounty for attribution.
- Pair Arkham with Etherscan: Arkham for graph/entity context, Etherscan for line-by-line event truth.
Ethics note: stick to public data and platform rules; don’t cross into dox-for-harassment.
5) Tenderly (simulations, state diffs, traces)
Best at: dry-running transactions (yours or hypothetical) and debugging complex traces. You can simulate single or bundled transactions via API/RPC or the UI, examine decoded traces, storage changes, and gas, and override block timestamps/headers or contract state to test edge cases (docs.tenderly.co).
Use it to:
- Validate whether a pending tx will succeed (and which events fire).
- Reproduce a hack path on a fork to understand the exact preconditions.
- Teach juniors why a certain call reverts (show the storage deltas).
6) Breadcrumbs (open visualization & monitoring)
Best at: accessible graph visualizations and multi-chain investigations with community labeling. It’s a handy “draw the story” layer if you don’t have an enterprise Chainalysis/Crystal license (breadcrumbs.app).
Sidekicks worth knowing
- Glassnode/IntoTheBlock: macro on-chain metrics (UTXO age, exchange balances).
- EigenPhi / Flashbots: MEV and sandwich forensics.
- Blockscout/OKLink: alt-L1/L2 explorers when Etherscan clones aren’t available.
Part II — A repeatable investigation workflow
Goal: turn noise into a narrative you can defend. Here’s a practical flow that scales from “new token just launched” to “was this exploit an inside job?”
1) Snapshot the subject
- Contract(s), deployer, proxy admin, timelock, Safe owners, initial LP event.
- List the first funders of each key address (deployer, multisig, relayers). Etherscan’s address-metadata endpoints help here (docs.etherscan.io).
2) Map the graph
- Identify central nodes: bridges, CEX deposit clusters, mixers.
- Use Arkham/Nansen labels to name the hubs; validate with explorer traces (nansen.ai).
3) Timeline the events
- Commits/releases (GitHub), governance proposals, queued timelocks, actual execution.
- In Dune: build a table keyed by block_time with flags for each event of interest (fee change, emission start) (dune.com).
4) Quantify flows
- Who bought, who LP’d, who bridged, and when?
- Segment cohorts (MMs, treasury, retail farmers) using Nansen labels and your own wallet lists (nansen.ai).
5) Simulate and sanity-check
- Use Tenderly to replay a controversial function or a post-exploit patch; confirm the intended fix (docs.tenderly.co).
6) Synthesize
- “On block X, function Y changed parameter Z; within 2 hours, cohorts A and B bridged N USDC; within 1 day, the top LP withdrew.”
- Put the cost of acting in the plan (gas, route, slippage). Don’t ignore fees.
Pro tip: your biggest edge is often basis points saved, not clairvoyance. If your workflow ends with a chain hop, route it efficiently with Chainspot (swap+bridge in one click, cashback + referrals): https://app.chainspot.io
Part III — How on-chain detectives actually work
The modern sleuth playbook is public data + open-source intelligence + pattern literacy. A few names built the archetype; the most cited is ZachXBT, a pseudonymous investigator covered by mainstream tech press for tracing large thefts and aiding recoveries and arrests. Profiles credit him with tracking billions in stolen crypto and directly assisting cases where funds were seized or suspects charged (WIRED).
Common sleuth steps you can emulate, ethically:
- Seed the graph from the exploit/launch: deployer, first LP, first large inbound/outbound.
- Follow money through bridges to known exchange clusters (labeled hot wallets) or mixers.
- Cross-reference social footprints (Discord/Twitter/GitHub handles that reuse vanity strings or OPSEC mistakes).
- Pressure via sunlight: public threads can make funds hard to liquidate, pushing exploiters to negotiate returns (see the Munchables case below) (Cointelegraph).
Arkham’s Intel Exchange formalized a bounty model for attribution, submitting proof of wallet ownership or links in return for ARKM payouts, and created a market for rigorous deanonymization work (Arkham).
Part IV — Case studies (what the data teaches)
A) Euler Finance (2023): chaos → recovery
In March 2023, Euler was exploited for roughly $197M (about $200M at the time) using flash loans to abuse a missing health check in the protocol’s donateToReserves path. Chainalysis explains the mechanics, while Euler’s own post-mortem describes weeks of forensics and negotiation that led to the return of nearly all of the funds. The episode showed how on-chain breadcrumbs (funding sources, bridge hops) plus public pressure can be leveraged to claw funds back (Chainalysis, Euler blog).
Analyst takeaways
- Recreate the exploit path on a fork with Tenderly to understand the preconditions (collateralization checks, hook timing) (docs.tenderly.co).
- Map cash-out risk: which exchanges could receive flows? Which mixers were used?
- Prepare a negotiation channel once funds stall; sunlight often slows laundering.
B) Ronin Bridge (2022): attribution at nation-state level
The $600M+ Axie Infinity/Ronin bridge hack (March 2022) was formally attributed to North Korea’s Lazarus Group by the U.S. Treasury in April 2022, and OFAC added the attacker’s Ethereum address to the SDN list. That tied an on-chain theft to a sanctioned state actor and made address-level sanctions designations a routine part of crypto incident response (coindesk.com, Blockworks).
Analyst takeaways
- Track bridge-sized flows and cash-out patterns (e.g., conversion to BTC, mixing).
- Sanctions risk is not theoretical; use labeled entity graphs (Arkham/Nansen) to screen counterparties before funds move, not after (Arkham).
C) Mango Markets (2022–2024): manipulation vs. code-is-law
Avraham “Avi” Eisenberg used synchronized trades to push MNGO’s price, borrowed against the inflated collateral, and withdrew about $110M (October 2022). U.S. prosecutors charged him, and a Manhattan jury convicted him of manipulation and fraud in April 2024. In May 2025 the trial judge vacated those convictions, so treat the case as an unsettled precedent rather than a closed one (Reuters).
Analyst takeaways
- On-chain doesn’t mean lawless. If you rely on oracles and thin books, manipulation shows up in time-aligned event logs and order data.
- For protocols: document safeguards (index blends/TWAP clamps) and publish post-mortems people can audit.
D) Munchables (Blast, 2024): the “give-it-back” exploit
A developer tied to the project drained ~$62–63M in ETH from Blast-based Munchables (March 2024), then returned the funds and private keys without ransom after rapid public attribution and coordination. Multiple outlets reported the return of ~17,400 ETH to a multisig controlled by core contributors. The episode highlighted a rising threat: malicious hires with backdoors, an HR and OPSEC problem you can partially detect on-chain (e.g., unusual privileges and approvals) (Cointelegraph, Coinglass).
Analyst takeaways
- Monitor privileged roles and admin function calls in real time; flag anomalous approvals.
- Correlate on-chain behavior with repo access and internal roles.
- Keep incident runbooks ready; speed and public proof can tilt outcomes.
Part V — Practical patterns you’ll reuse
1) “Is this token safe enough to trade?”
- Ownership/proxy: is the contract upgradeable? Who holds the admin role, and is it a timelock, a multisig, or a single EOA?
- Liquidity story: which pool, what depth, is the LP locked or migratable?
- Holder distribution: whale concentration, team/emissions wallets.
- Allowance traps: check for transfer-fee or blacklist functions, and whether any address already holds an unlimited approval over the token.
Tie it together with explorer verifications and a Dune snapshot of holders/netflows.
2) “Who funded this deployer?”
- Use explorer fundedBy metadata and the first inbound ETH transfer (docs.etherscan.io).
- Expand one hop to see whether the funder is a bridge or a CEX withdrawal (labeled on Nansen/Arkham) (nansen.ai).
- Cluster with any shared relayers across projects.
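The “who funded this deployer?” pattern and the “map the graph” step of the Part II workflow, automated as an added example (not code from the article or from Etherscan, Nansen or Arkham). It follows each address’s first inbound ETH back hop by hop until the trail reaches a labeled hub (CEX hot wallet, bridge, mixer), a dead end, or the hop limit, then looks for intermediates shared by several seed addresses (deployer, multisig, relayers), which is the cheapest clustering signal there is. FIRST_FUNDING and LABELS are constructed sample data standing in for explorer metadata and label exports; the address names are placeholders, not real addresses.

```python
"""Funding-origin trace and shared-funder clustering.

Added example, not the article's or any platform's code. Labels are treated
as claims to be verified against explorer traces, never as ground truth.
"""

# Constructed: address -> (first funder, block, ETH amount) of its FIRST inbound ETH transfer.
FIRST_FUNDING = {
    "0xdeployer": ("0xrelay1",  19_000_100, 0.5),
    "0xmultisig": ("0xrelay1",  19_000_250, 0.1),
    "0xrelay1":   ("0xbridge",  18_999_900, 2.0),
    "0xbridge":   ("0xgenesis", 10_000_000, 0.0),   # contract funded long ago; irrelevant past the hub
    "0xfresh":    ("0xmixer",   19_000_300, 1.0),
    "0xorphan":   ("0xunknown", 19_000_400, 0.2),   # funder has no record in our export
}
# Constructed label set, standing in for Nansen/Arkham/Etherscan nametags.
LABELS = {
    "0xbridge": "Bridge: L1 withdrawal contract",
    "0xmixer": "Mixer",
}


def _result(path, terminal, reason):
    return {"path": path, "terminal": terminal,
            "label": LABELS.get(terminal, "unlabeled"), "reason": reason}


def trace_funding(addr, max_hops=6):
    """Walk first-funder edges until a labeled hub, a dead end, a cycle, or max_hops."""
    path, seen, cur = [addr], {addr}, addr
    for _ in range(max_hops):
        edge = FIRST_FUNDING.get(cur)
        if edge is None:
            return _result(path, cur, "no-funding-record")
        funder = edge[0]
        path.append(funder)
        if funder in LABELS:             # stop at the hub; a bridge means "resume on the other chain"
            return _result(path, funder, "labeled-hub")
        if funder in seen:               # defensive: circular or self-funding data
            return _result(path, funder, "cycle")
        seen.add(funder)
        cur = funder
    return _result(path, cur, "hop-limit")


def shared_funders(seeds):
    """Intermediates that appear on more than one seed's path: candidate cluster links."""
    hits = {}
    for s in seeds:
        for hop in trace_funding(s)["path"][1:]:
            hits.setdefault(hop, set()).add(s)
    return {hop: sorted(v) for hop, v in hits.items() if len(v) > 1}


def tainted(addr, bad_labels=("Mixer",)):
    """True if the funding trail terminates at a label category you treat as tainted."""
    return trace_funding(addr)["label"] in bad_labels


if __name__ == "__main__":
    for a in ("0xdeployer", "0xfresh", "0xorphan"):
        r = trace_funding(a)
        print(a, "<-", " <- ".join(r["path"][1:]), f"[{r['reason']}: {r['label']}]")
    print("shared intermediates:", shared_funders(["0xdeployer", "0xmultisig", "0xfresh"]))
```

Two design choices worth copying: the walk stops at the first labeled hub rather than continuing through it, because a bridge or exchange is where one trail ends and another (on a different chain, or inside the exchange’s books) begins; and the cycle guard exists because real exports do contain self-funding and circular records, and an unguarded walk will loop on them.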
3) “Did a governance action change flows?”
- Mark the proposal pass block and the timelock execute block.
- In Dune: compute pre/post windows (e.g., 7d mean TVL, swap volume) for affected pools (dune.com).
- Attribute the delta to the earliest informed cohorts (labels + wallets you track).
4) “Was this a wash-trade farm?”
- Check unique counterparties and directionality: the same cluster ping-ponging volume at low depth is the signature.
- Compare venue trades vs. RFQ fills; wash farmers avoid RFQ because it reveals intent.
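The counterparty/directionality check above as an added example (not the article’s code or any venue’s). For each wallet it computes the two signals the text names: how many distinct counterparties it trades against, and what share of its volume is “ping-pong”, meaning a trade that the same two wallets reverse (roles swapped) within a short window. Wallets with few counterparties and a high ping-pong share are flagged. TRADES, the window and the thresholds are constructed assumptions to tune against your own venue, not published constants.

```python
"""Wash-trade farm heuristic over a trade tape.

Added example, not from the article. Each trade is a dict with ts (unix
seconds), buyer, seller and qty; in practice these rows come from a
decoded Swap/Trade event table or a venue's fills export.
"""
from collections import defaultdict


def wash_signals(trades, window_s=600, max_counterparties=3, min_pingpong=0.7):
    """Per-wallet volume, distinct counterparties, ping-pong share and a flag."""
    volume = defaultdict(float)
    counterparties = defaultdict(set)
    pingpong = defaultdict(float)

    by_pair = defaultdict(list)                    # unordered pair -> its trades
    for t in trades:
        by_pair[frozenset((t["buyer"], t["seller"]))].append(t)

    for pair, ts in by_pair.items():
        for t in ts:
            for w, other in ((t["buyer"], t["seller"]), (t["seller"], t["buyer"])):
                volume[w] += t["qty"]
                counterparties[w].add(other)
            # Reversed within the window: same pair, buyer and seller swapped.
            reversed_near = any(u is not t and u["buyer"] == t["seller"]
                                and abs(u["ts"] - t["ts"]) <= window_s for u in ts)
            if reversed_near:
                for w in pair:
                    pingpong[w] += t["qty"]

    out = {}
    for w in volume:
        share = pingpong[w] / volume[w] if volume[w] else 0.0
        out[w] = {
            "volume": volume[w],
            "counterparties": len(counterparties[w]),
            "pingpong_share": round(share, 3),
            # Few counterparties alone is not enough (a small LP has one); require both.
            "flag": len(counterparties[w]) <= max_counterparties and share >= min_pingpong,
        }
    return out


def _mk(ts, buyer, seller, qty):
    return {"ts": ts, "buyer": buyer, "seller": seller, "qty": qty}


T0 = 1_700_000_000
TRADES = [  # constructed tape: A/B/C farm volume among themselves; D trades organically
    _mk(T0 + 0,    "0xA", "0xB", 100), _mk(T0 + 60,   "0xB", "0xA", 100),
    _mk(T0 + 120,  "0xA", "0xC", 100), _mk(T0 + 180,  "0xC", "0xA", 100),
    _mk(T0 + 240,  "0xB", "0xC", 100), _mk(T0 + 300,  "0xC", "0xB", 100),
    _mk(T0 + 1000, "0xD", "0xE", 50),  _mk(T0 + 2000, "0xD", "0xF", 80),
    _mk(T0 + 3000, "0xG", "0xD", 30),  _mk(T0 + 4000, "0xD", "0xH", 20),
    _mk(T0 + 9000, "0xE", "0xD", 10),  # a reversal, but hours later: not ping-pong
]

if __name__ == "__main__":
    for w, s in sorted(wash_signals(TRADES).items()):
        print(w, s)
```

Note that 0xE ends up with a single counterparty but is not flagged, because none of its volume is reversed inside the window; the two signals have to agree before you call something a farm, and even then the next step is reading the actual fills, not publishing the list.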
5) “Is this a bridge-arb or a rotation?”
- Bridge spikes plus gas-funding sprinkles across many fresh wallets usually precede campaigns or emissions.
- If you’ll rotate, pre-fund gas and route cheaply. Don’t pay 40–80 bps in avoidable steps.
→ Chainspot compresses swap+bridge, returns cashback: https://app.chainspot.io
Part VI — Dune patterns (copy/paste with your tweaks)
- Daily Uniswap-style volume (toy skeleton).
- Top net buyers of TOKEN in the last 7 days.
- Funding spikes vs. price (perps venue): pull the venue funding feed plus spot price and compute rolling z-scores to spot outlier windows before you size.
Dune’s value is speed + shareability; verify key outputs with explorer truth (dune.com).
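Two of the Part VI patterns carried out over constructed rows, as an added example (not the article’s SQL and not Dune’s schema). It computes what the Dune queries would compute, so the logic can be checked offline before you trust a dashboard: (1) top net buyers of TOKEN over a trailing 7-day window from rows shaped like a decoded Transfer table (from, to, value, block_time), excluding labeled pool/CEX addresses so routers and hot wallets don’t top the list; (2) rolling z-scores of a perps funding series to mark outlier windows. TRANSFERS, FUNDING, the skip set and the window/threshold values are assumptions.

```python
"""Net-buyer ranking and funding z-scores over constructed rows.

Added example, not from the article or Dune. The same aggregations would be
a GROUP BY with a window filter and a window function in Dune SQL; doing it
here makes the expected answer explicit.
"""
from collections import defaultdict
from statistics import mean, pstdev

DAY = 86_400


def top_net_buyers(transfers, now, skip, days=7, top=3):
    """Net inflow per address inside the window, largest first; ties broken by address."""
    since = now - days * DAY
    net = defaultdict(int)
    for r in transfers:
        if r["block_time"] < since:
            continue
        net[r["to"]] += r["value"]
        net[r["from"]] -= r["value"]
    rows = [(a, v) for a, v in net.items() if a not in skip and v > 0]
    rows.sort(key=lambda x: (-x[1], x[0]))
    return rows[:top]


def funding_zscores(series, window=8, threshold=2.5):
    """series: [(ts, rate)]. z is measured against the trailing `window` points,
    excluding the current one, so a spike is judged against the calm period before it.
    Returns (ts, rate, z, outlier) per point; z is None until enough history exists."""
    out = []
    for i, (ts, rate) in enumerate(series):
        hist = [r for _, r in series[max(0, i - window):i]]
        if len(hist) < window:
            out.append((ts, rate, None, False))
            continue
        mu, sd = mean(hist), pstdev(hist)
        z = (rate - mu) / sd if sd > 0 else 0.0     # flat history: nothing is an outlier
        out.append((ts, rate, z, abs(z) >= threshold))
    return out


NOW = 1_700_000_000
POOL, CEX = "0xpool", "0xcex_hot"
SKIP = {POOL, CEX}                                     # constructed label set
TRANSFERS = [  # constructed rows, same columns as a decoded Transfer table
    {"from": POOL,      "to": "0xalice", "value": 1000, "block_time": NOW - 1 * DAY},
    {"from": POOL,      "to": "0xbob",   "value": 500,  "block_time": NOW - 2 * DAY},
    {"from": "0xalice", "to": POOL,      "value": 300,  "block_time": NOW - 1 * DAY},
    {"from": POOL,      "to": "0xcarol", "value": 400,  "block_time": NOW - 10 * DAY},  # outside window
    {"from": "0xdave",  "to": CEX,       "value": 200,  "block_time": NOW - 1 * DAY},
    {"from": "0xbob",   "to": "0xeve",   "value": 100,  "block_time": NOW - 3 * DAY},
]
FUNDING = [(NOW + i * 3600, r) for i, r in enumerate(          # constructed hourly feed
    [0.010, 0.012, 0.009, 0.011, 0.010, 0.012, 0.009, 0.011, 0.050, 0.011])]

if __name__ == "__main__":
    print(top_net_buyers(TRANSFERS, NOW, SKIP))
    for ts, rate, z, flag in funding_zscores(FUNDING):
        print(ts, rate, None if z is None else round(z, 1), "OUTLIER" if flag else "")
```

The skip set matters more than it looks: without it the pool contract is the largest net “seller” and the CEX hot wallet the largest net “buyer” in almost every window, which is true and useless. The z-score window deliberately excludes the current point; including it would shrink the spike’s own z-score and is a common reason a “rolling outlier” query never fires.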
Part VII — Tenderly drills you’ll actually use
- “Will this tx revert?” Paste a pending tx into Tenderly; you’ll get decoded traces and state changes before you sign a replacement (docs.tenderly.co).
- “What does this upgrade do?” Simulate the upgradeTo call with state overrides and compare storage diffs for the critical slots (owner, implementation, paused) (docs.tenderly.co).
- “Can we ship with these gas limits?” Simulate bundles on Virtual TestNets to stress the max-gas paths (docs.tenderly.co).
Part VIII — Red teaming your own assumptions
- Labels can lie. Custom tags on Nansen are powerful, but verify via first-funder links and exchange endpoints (nansen.ai).
- Dashboards drift. When schemas change, cached Dune views can silently mislead. Always rerun queries and read the code (dune.com).
- APIs summarize. Many CEX liquidation feeds publish summaries or rate-limited counts; in stress windows they can under-count live events. Treat public feeds accordingly. (This exact methodology gap was debated industry-wide after the Oct-10 crash.) (justice.gov)
- Simulations aren’t omniscient. External calls and oracle reads can diverge from the assumed state (a fork is frozen at its pin block), so mark the limits of your fork.
Part IX — Ethics, compliance, and safety
- No MNPI. On-chain is public; private leaks are not.
- No harassment. Publishing a cluster is not a license to dox families or incite dogpiles.
- Sanctions risk is real. If an address is OFAC-listed (e.g., the Ronin/Lazarus addresses), U.S. persons are prohibited from transacting with it (coindesk.com).
- Security hygiene. Read-only wallets for investigations; hardware wallets for funds; never paste seeds; revoke allowances after testing.
Part X — Checklists you can print
Quick “New Token” Safety Checklist
- Contract verified? Ownership/proxy clear?
- LP source and lock checked?
- Top-holder concentration documented?
- First funders traced to bridges/CEX?
- Any admin functions that can halt/blacklist?
- Route costs priced (if rotating chains), Chainspot quote saved.
Exploit Response Checklist
- Snapshots: affected contracts, balances, approvals.
- Trace path: exploiter address → hops → clusters (Arkham/Nansen) (Arkham).
- Freeze vectors: CEX alerts, bridge monitors.
- Communications: public post with hashes; contact security researchers; prepare a negotiation channel.
- Simulate the patch on Tenderly; publish a minimal, testable diff (docs.tenderly.co).
Research Hygiene Checklist
- Keep a repo of your Dune SQL, versioned and commented (dune.com).
- Save explorer permalinks for every claim (Etherscan Information Center).
- Journal costs saved (gas/route bps); edge compounds as much as alpha.
Part XI — What 2025 changed
- Bounty markets for intel are normal. Arkham mainstreamed “intel-to-earn,” so attribution work has a price tag and a public forum. Expect further professionalization (Arkham).
- Incident response is more public. The Munchables saga showed that fast, verifiable proof can force outcomes (funds returned, keys surrendered). It’s not guaranteed, but speed + sunlight matter (Cointelegraph).
- Legal clarity is still catching up. Mango’s April 2024 jury conviction signaled that manipulation on DeFi could be prosecuted as manipulation under U.S. law, but a federal judge vacated those convictions in May 2025, so the precedent is unsettled. Protocols that document guardrails will still be favored by institutions (Reuters).
- Costs are back in focus. With spreads tighter and bots faster, bps saved in your rotations often outrank the alpha itself.
Closing: Build your stack, keep your edge
On-chain analytics is not about having a secret feed; it’s about showing up where the truth lives—explorers, decoded warehouses, labeled graphs—and tying the story together with timestamps and tx hashes you can defend. Learn one new query every week. Save every permalink. Simulate what you don’t understand. And when your analysis ends with a move, don’t donate your edge to fees.
👉 Bridge & swap in one click (earn cashback + referral rewards): https://app.chainspot.io
Sources (selected)
- Etherscan tools/API & address metadata (labels, fundedBy, ERC transfers): official docs and Information Center (docs.etherscan.io).
- Dune overview (community dashboards / insights): front page (dune.com).
- Nansen labels (platform-wide labeling behavior): Nansen guide (nansen.ai).
- Arkham Intel Exchange (smart-contract bounties) + example bounty: Arkham announcement; third-party recap of bounty payout (Arkham).
- ZachXBT profile (investigations & recoveries): WIRED feature (WIRED).
- Euler exploit analysis & recovery narrative: Chainalysis explainer; Euler team blog (Chainalysis).
- Ronin/Lazarus attribution (OFAC announcement coverage): CoinDesk/Blockworks/Axios (coindesk.com, Blockworks).
- Mango Markets legal precedent (conviction 2024): Reuters/Axios (Reuters).
- Munchables exploit & full return of funds: Cointelegraph; Coinglass/The Block recaps (Cointelegraph, Coinglass).
Nothing here is financial or legal advice. Investigate responsibly. Protect your keys. And keep your costs tiny.