Common-Input-Ownership Heuristic
What you'll learn on this page: the single most important rule in blockchain forensics, a worked example from a famous transaction, how txray flags it, and how modern wallets break it on purpose.
The intuition
If one transaction spends several UTXOs at the same time, those UTXOs were almost certainly controlled by one owner.
That is the entire heuristic. It has a formal name, Common-Input-Ownership Heuristic, or CIOH, but the idea is the same as paying at a shop by pulling three ₹500 notes out of one wallet. The cashier does not need proof that all three notes belong to you. The fact that they came out together is enough to guess.
CIOH is the oldest heuristic in blockchain analysis. It is also the strongest, because most wallet software cannot avoid triggering it: when a user picks "send", the wallet grabs the UTXOs it needs and signs them all. Every one of those signatures is a link.
A worked example
Take a look at an ordinary payment from the chain.
INPUT 0: 0.041 BTC address bc1q...a3f
INPUT 1: 0.028 BTC address bc1q...9c2
INPUT 2: 0.011 BTC address bc1q...77d
OUTPUT 0: 0.074 BTC address bc1q...kk8 (payment)
OUTPUT 1: 0.005 BTC address bc1q...xx1 (change)
Three inputs, three different addresses. Before this transaction an analyst looking at the chain could treat those three addresses as independent strangers. After this transaction, they are tagged as one cluster, almost certainly one wallet.
Now imagine that wallet later spends from bc1q...kk8 in another many-input transaction. Each new transaction grows the cluster by every input it touches. In a few hops, thousands of addresses can get rolled into one ownership group.
How txray flags it
Sherlock applies CIOH to every transaction it parses and returns a small structured result.
    txray analyze --tx 4a5e1e4b...33b

    Heuristics
    common_input_ownership:
      fired: true
      confidence: high
      evidence: 3 inputs signed together; no CoinJoin structure detected
      caveats: none
Three fields matter.
- fired. Whether the heuristic triggered at all.
- confidence. High, medium, or low, based on how many other signals agree or disagree.
- caveats. A list of reasons to distrust the flag (for example, "equal-amount outputs suggest a CoinJoin round").
CIOH never runs alone. txray weighs it together with change detection, fingerprinting, and entropy so that one strong-looking flag cannot drag a wrong conclusion across the finish line.
How to defeat it
CIOH breaks the moment the assumption "the inputs all belong to one owner" stops being true. Three real-world tools do exactly that.
- CoinJoin. Many users collaboratively build one transaction where every input is from a different wallet and every output is an equal amount. From the outside it looks like CIOH should fire, but the whole point of the protocol is that the inference is wrong.
- PayJoin (BIP78). The receiver of a payment adds one of their own UTXOs to the sender's transaction. Now CIOH would group the receiver's address with the sender's, which is flat out false.
- Collaborative multisig. Two or more independent parties sign inputs in the same transaction as part of a custody setup.
For all three, Sherlock downgrades the CIOH confidence automatically when it spots the tell-tale patterns (equal-value outputs, unusual input counts, known CoinJoin coordinator fingerprints).
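The cluster growth from the worked example and the equal-value-output downgrade described above can be shown together. This is an added example, not txray's or Sherlock's own code: the transactions are constructed, the address labels are placeholders, and `looks_like_coinjoin` is an assumed, simplified stand-in for real CoinJoin detection.

```python
from collections import Counter

# Constructed sample data (not real chain data). Addresses are placeholder
# labels; output values are in satoshis. tx1 mirrors the worked example.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A", "B", "C"], "outputs": [7_400_000, 500_000]},
    {"txid": "tx2", "inputs": ["C", "D"], "outputs": [3_000_000, 120_000]},
    # CoinJoin-shaped: five unrelated inputs, five equal-value outputs.
    {"txid": "tx3", "inputs": ["D", "W", "X", "Y", "Z"],
     "outputs": [1_000_000] * 5 + [40_000, 15_000]},
]

def looks_like_coinjoin(tx, min_equal=3):
    """Assumed simplified tell: at least min_equal outputs share one value
    and the transaction has at least that many inputs."""
    if not tx["outputs"]:
        return False
    equal = Counter(tx["outputs"]).most_common(1)[0][1]
    return equal >= min_equal and len(tx["inputs"]) >= equal

def find(parent, addr):
    """Union-find lookup with path halving."""
    parent.setdefault(addr, addr)
    while parent[addr] != addr:
        parent[addr] = parent[parent[addr]]
        addr = parent[addr]
    return addr

def cluster(txs, guard=True):
    """Apply CIOH to every transaction. Returns (clusters, skipped_txids)."""
    parent, skipped = {}, []
    for tx in txs:
        roots = [find(parent, a) for a in tx["inputs"]]  # registers addresses
        if guard and looks_like_coinjoin(tx):
            skipped.append(tx["txid"])  # inputs seen, but not merged
            continue
        for r in roots[1:]:
            parent[find(parent, r)] = find(parent, roots[0])
    groups = {}
    for addr in parent:
        groups.setdefault(find(parent, addr), set()).add(addr)
    return sorted(groups.values(), key=sorted), skipped

if __name__ == "__main__":
    print(cluster(SAMPLE_TXS))               # CoinJoin-shaped tx3 is skipped
    print(cluster(SAMPLE_TXS, guard=False))  # naive CIOH: one false cluster
```

With the guard off, the single CoinJoin-shaped transaction pulls four unrelated wallets into the A-D cluster, which is the false merge the confidence downgrade exists to prevent.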
How to read CIOH results
A few rules of thumb keep you out of trouble.
- Treat a CIOH flag as likely, not certain. Even outside CoinJoin, shared-custody setups exist.
- Always cross-check with change detection. If the "change" output looks just as much like a payment, your story has a hole.
- If a transaction has the shape of a CoinJoin (many inputs, many equal-value outputs), trust CIOH less, not more.
- Short ownership chains are far more reliable than long ones. Every extra hop multiplies the chance that one link in the chain was wrong.
Related: Change Detection · Address Clustering · Wallet Fingerprinting