NIGHTFALL · T162 · L60

SPECTER SATOSHI

BITCOIN TRACING & DEANONYMISATION ENGINE
"Every Bitcoin transaction leaves a trail. We just taught an AI to follow it — and weaponise what it finds."

Maps the full transaction graph of any Bitcoin address, applies GCN/GAT graph neural network clustering to group co-spending wallets, defeats mixing services via equal-value output fingerprinting and CoinJoin pattern recognition, deanonymises entities through KYC exchange databases and timing analysis, and weaponises intelligence directly into NIGHTFALL campaigns. Reports carry a SAT-{hex12} session ID and are dual-signed with Ed25519 and ML-DSA-65.

379 Tests · 10 Subsystems · 5 WMD Classes · L60 Kill Chain Layer
pip install specter-satoshi
GATE ARCHITECTURE
OPEN
No key required. ENUMERATE-WALLET, DETECT-MIXERS, INTELLIGENCE-REPORT, and status/sessions commands available. Entry point for all engagement workflows.
INJECT
Requires SATOSHI_INJECT_KEY + ROE phrase. Unlocks TRACE-FORWARD, TRACE-BACKWARD, CLUSTER-ADDRESSES, DEANONYMISE, PROFILE-ENTITY, and PERSIST-SURVEILLANCE.
UNLEASHED
Requires SATOSHI_UNLEASHED_KEY + ROE phrase. Unlocks full entity attribution chains, sanctions correlation, and live address surveillance with external alerting.
WEAPONISE
Requires SATOSHI_WEAPONISE_KEY + ROE phrase "bitcoin intelligence weaponisation authorised" + --confirm-weaponise. Routes intelligence directly into NIGHTFALL campaign via WARLORD.
10 SUBSYSTEMS
01 — ENUMERATE-WALLET OPEN
Detects address type from prefix/length: P2PKH (1-prefix, 25-34 chars), P2SH (3-prefix), P2WPKH (bc1q), P2TR (bc1p Taproot). Queries balance and transaction history via public blockchain APIs. Returns UTXO set, first-seen/last-seen timestamps, transaction count, and total received/sent BTC. Computes an initial risk indicator from transaction volume and counterparty diversity.
02 — TRACE-FORWARD INJECT
Breadth-first forward graph traversal from seed address to configured depth (default 3). At each hop: collects all output addresses, applies change-address heuristics (round-value, address reuse, output count), scores entities using LOCARD arXiv:2604.04211 graph centrality metrics. Returns a directed graph with value-annotated edges and LOCARD entity scores at each node.
03 — TRACE-BACKWARD INJECT
Backward graph traversal following input funding chains. Computes coinbase distance (minimum hops to a coinbase transaction), detects potential mixing activity via value/timing entropy analysis across input sets, identifies consolidation transactions (many inputs, few outputs), and flags peel-chain patterns where value is progressively peeled from a large UTXO across sequential transactions.
04 — CLUSTER-ADDRESSES INJECT
Applies common-input-ownership (CIO) heuristic: addresses that appear as inputs in the same transaction are controlled by the same entity. Constructs a co-spend graph and applies GCN/GAT graph neural network entity grouping using Thor25 2026 dataset address embeddings. Returns cluster ID, cluster size, aggregate balance, and confidence score per cluster. Supports multi-address seed input for merged-cluster analysis.
05 — DEANONYMISE INJECT
Multi-vector entity attribution: WHOIS/KYC exchange address database lookup (major exchanges, OTC desks, known darknet markets), dust-attack correlation (identifies outputs of known dust-sending addresses), transaction propagation timing analysis for IP leak correlation, and address reuse pattern fingerprinting. Returns an attribution result with confidence level (CONFIRMED / PROBABLE / POSSIBLE / UNKNOWN) and supporting evidence chain.
06 — DETECT-MIXERS OPEN
Fingerprints mixing activity via: equal-value output detection (all outputs within 0.001 BTC of each other — classic CoinJoin), Wasabi Wallet signature (100 inputs, 100 equal outputs, coordinator fee output), JoinMarket marker outputs, atomic swap detection via hash-locked outputs, and peel-chain identification (serial single-output chains with incrementally decreasing values). Returns mixer_type, confidence, and estimated mixing volume.
07 — PROFILE-ENTITY INJECT
Aggregates cluster data into a structured entity profile: total balance across all cluster addresses, estimated fiat value at current spot price, exchange affiliation (if deanonymised), and composite risk score 0–100. Risk score components: mixer_exposure (fraction of received value from detected mixers), darknet_exposure (known darknet market counterparties), ransomware_markers (known ransomware payment addresses), sanctioned_entity_contact (OFAC/EU/UN sanctioned address interaction). Returns FATF Travel Rule metadata fields where applicable.
08 — INTELLIGENCE-REPORT OPEN
Generates SAT-{hex12} session ID. Collects all subsystem results from the session. Produces structured JSON intelligence report: address list, cluster assignments, entity attribution, risk scores, graph topology summary, MITRE ATT&CK T1659/T1565 and ATLAS AML.T0057 mapping. Exports Graphviz DOT format entity graph for visualisation. Ed25519 signs payload with ~/.red-specter/satoshi/signing_key.pem. ML-DSA-65 countersigns. Saves to ~/.red-specter/satoshi/reports/.
09 — PERSIST-SURVEILLANCE INJECT
Registers target addresses for continuous monitoring via cron-scheduled polling (configurable interval, default 15 minutes). Sends webhook alerts on new incoming or outgoing transactions. Supports balance threshold alerts (notify when balance exceeds or drops below configured BTC amount) and transaction count threshold alerts. Stores surveillance state in ~/.red-specter/satoshi/surveillance/. Survives restarts via cron @reboot entry.
10 — WEAPONISE WEAPONISE
Loads a completed intelligence report (SAT-{hex12}) and routes entity profiles, risk scores, and attribution chains directly into a NIGHTFALL campaign managed by WARLORD. Selects target campaign (e.g., ANARCHY for autonomous orchestration) based on entity risk profile. Requires SATOSHI_WEAPONISE_KEY environment variable, ROE file containing phrase "bitcoin intelligence weaponisation authorised", and explicit --confirm-weaponise flag. Returns campaign injection ID and WARLORD routing confirmation.
CLI COMMANDS
$ specter-satoshi enumerate <address>
$ specter-satoshi trace-forward <address> --depth 3 --roe roe.txt
$ specter-satoshi trace-backward <address> --depth 3 --roe roe.txt
$ specter-satoshi cluster <addr1> <addr2> --roe roe.txt
$ specter-satoshi deanonymise <addr1> --roe roe.txt
$ specter-satoshi detect-mixers <addr1> --roe roe.txt
$ specter-satoshi profile <addr1> --mixer-exposure 0.8 --roe roe.txt
$ specter-satoshi report <addr1> --roe roe.txt
$ specter-satoshi surveil <addr1> --roe unleashed.txt
$ specter-satoshi weaponise SAT-abc123 --target ANARCHY --roe weaponise.txt --confirm-weaponise
$ specter-satoshi status
$ specter-satoshi sessions
5 WMD CLASSES
WEAPONS-MASS-DESTRUCTION CLASSIFICATION
bitcoin_deanonymisation, transaction_graph_tracing, mixing_service_detection, entity_profiling, intelligence_weaponisation
TECHNICAL REFERENCES
LOCARD — GRAPH-BASED ENTITY ATTRIBUTION
LOCARD (arXiv:2604.04211) applies graph neural networks to Bitcoin transaction graphs for entity attribution. SPECTER SATOSHI integrates LOCARD's centrality scoring at each graph traversal node, weighting entity candidates by graph topology features (degree, betweenness, clustering coefficient) to rank attribution confidence. Core to the TRACE-FORWARD and CLUSTER-ADDRESSES subsystems.
GCN/GAT — NEURAL CLUSTERING
Graph Convolutional Networks (GCN) and Graph Attention Networks (GAT) learn address embeddings from the co-spend graph structure. Addresses controlled by the same wallet cluster together in the learned embedding space. CLUSTER-ADDRESSES uses Thor25 2026 dataset pre-trained embeddings as priors, fine-tuned on the live co-spend graph for the target entity. Cluster confidence is measured as cosine similarity in embedding space.
COINJOIN & MIXER FINGERPRINTING
DETECT-MIXERS applies a multi-signature approach: equal-value output detection (all outputs within 0.001 BTC), Wasabi Wallet coordinator fee output pattern (100+100 structure), JoinMarket maker/taker balance markers, and peel-chain ratio analysis. Atomic swaps are identified by hash-locked contract outputs (OP_SHA256 / OP_RIPEMD160 opcodes in unlocking scripts). Each pattern carries a confidence weight; combined score thresholds trigger MIXER classification.
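An added example (not SPECTER SATOSHI's code) of the two textbook heuristics named above, common-input ownership and the 0.001 BTC equal-value check, run over constructed transactions. It shows the failure mode anyone reviewing such attributions has to account for: co-spent inputs in a join merge unrelated owners into one cluster, and a join with change outputs is not caught by the all-outputs rule. The address labels and the two-output minimum are assumptions.

```python
from collections import defaultdict

TOLERANCE_SATS = 100_000  # the page's 0.001 BTC window, in satoshis

# Constructed transactions (not chain data); address labels are hypothetical.
TXS = [
    # Ordinary payment: one owner spends two of their own coins.
    {"inputs": ["alice_1", "alice_2"], "outputs": [150_000_000, 3_200_000]},
    # CoinJoin-shaped: three unrelated owners, near-equal outputs.
    {"inputs": ["alice_2", "bob_1", "carol_1"],
     "outputs": [10_000_000, 10_000_000, 10_050_000]},
    # Join with unequal change outputs: fails the "all outputs" rule.
    {"inputs": ["bob_1", "dave_1"],
     "outputs": [10_000_000, 10_000_000, 4_300_000, 870_000]},
]

def is_equal_value(tx, tol=TOLERANCE_SATS):
    """Rule as stated on the page: all outputs within tol of each other.
    Requiring at least two outputs is an assumption added here."""
    outs = tx["outputs"]
    return len(outs) >= 2 and max(outs) - min(outs) <= tol

def cio_clusters(txs, skip_equal_value=False):
    """Union-find over co-spent inputs (common-input ownership)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        roots = [find(a) for a in tx["inputs"]]  # registers every input
        if skip_equal_value and is_equal_value(tx):
            continue  # co-spending here does not imply one owner
        for r in roots[1:]:
            parent[find(r)] = find(roots[0])

    groups = defaultdict(set)
    for a in list(parent):
        groups[find(a)].add(a)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print("naive:   ", cio_clusters(TXS))
    print("filtered:", cio_clusters(TXS, skip_equal_value=True))
```

The filtered run still pairs bob_1 with dave_1 through the third transaction, so a cluster produced this way is a hypothesis that needs corroboration, not an attribution.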
WEAPONISATION PIPELINE
WEAPONISE integrates with WARLORD's campaign orchestration API. Routing is determined by the entity risk profile: risk_score > 70 routes to ANARCHY for full autonomous engagement; 40–70 routes to SPECTER PHANTOMNET for covert exfiltration chains; <40 archives to SPECTER FOUNDRY for passive monitoring. The SAT-{hex12} report ID is preserved as provenance through the entire downstream campaign lifecycle.
MITRE MAPPING
ATT&CK
T1659 — Financial Theft
T1565 — Data Manipulation
T1213 — Data from Information Repositories
T1552 — Unsecured Credentials
T1087 — Account Discovery
ATLAS
AML.T0057 — LLM Data Leakage
AML.T0024 — Exfiltration via Cyber Means
AML.T0043 — Craft Adversarial Data
AML.T0040 — ML Model Inference API Access
GATE ENFORCEMENT
INJECT-gate operations require SATOSHI_INJECT_KEY environment variable and a valid ROE file. UNLEASHED-gate operations additionally require SATOSHI_UNLEASHED_KEY. WEAPONISE-gate requires SATOSHI_WEAPONISE_KEY, ROE phrase "bitcoin intelligence weaponisation authorised", and --confirm-weaponise flag. All sessions produce SAT-{hex12} Ed25519+ML-DSA-65 dual-signed reports. For authorised security research and law enforcement engagements only.