Forensic Identity Anchor Chain for a Team's True Identity — Synthesizing Multi-Source Fingerprints
Wiki route
This entry sits under FinWiki index. Read it with bytecode forensic for peer context and systems index for the broader infrastructure boundary.
[!info] TL;DR When the public-facing structure (LinkedIn company page / official site "About" page / press release) does not match the people actually writing the code, synthesize 6 independent fingerprint sources → build a single-thesis identity chain → lock in the separation between "public-facing" and "real team." Combined with the cluster labels from Global crypto-asset forensics-vendor layer — Chainalysis / Elliptic / TRM / Crystal comparison, this yields a complete attribution.
6 Independent Fingerprint Sources
- TLS certificate SANs — the Subject Alternative Names within a domain certificate · the same ops base tends to share the same certificate or issuing authority
- Concentration of GitHub account registration times — multiple accounts registered consecutively within 1 hour = a sock-puppet signal
- Email domain preference — ProtonMail / iCloud / own domain vs Gmail · the team’s overall preference tends to align
- Language of names on the LinkedIn company page — a mix of West African / Southeast Asian / Indian / Chinese / Japanese names
- Language of the GitHub commit author name — the name field of actual commits (contrasted with the public-facing names on LinkedIn)
- Exposure from CLI / config paths — config paths in the home directory, remnants of SSH known-hosts, document metadata, the author field of PDFs
Synthesis logic
- Public-facing vs real-team determination: source 4 (LinkedIn name) ≠ source 5 (commit author name) + source 3 (email domain preference) → a binary separation
- Sock-puppet determination: source 2 (concentration of registration times) + source 5 (email overlap between “independent” accounts) → multiple accounts of the same person — attribution inference for large exchange incidents like DMM Bitcoin Lazarus hack relies precisely on this kind of multi-account cluster-overlap analysis
- Individual identity anchor: source 1 (TLS) ∩ source 6 (CLI path) → a single-thesis dev identity — the result of this layer can connect directly to the sanctions-list matching process of Chain-Level OFAC Freeze = Dollar Chain-Level Hegemony
Anti-pattern
Do not assert identity on a single thesis (e.g., concluding from a single LinkedIn entry alone) · always cross-check with 3 or more independent sources.
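The sock-puppet rule and the three-source floor, as an added example that is not part of the original entry. The record layout, function names and sample accounts are hypothetical and constructed for illustration; the 1-hour window and the minimum of 3 sources are the values stated above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real accounts. created_at uses the ISO 8601
# form of a GitHub profile timestamp; commit_emails are author emails per account.
ACCOUNTS = [
    {"login": "dev-alpha", "created_at": "2023-03-01T09:02:11Z", "commit_emails": {"a@corp.example"}},
    {"login": "dev-beta", "created_at": "2023-03-01T09:17:40Z", "commit_emails": {"a@corp.example", "b@corp.example"}},
    {"login": "dev-gamma", "created_at": "2023-03-01T09:48:05Z", "commit_emails": {"c@corp.example"}},
    {"login": "dev-delta", "created_at": "2021-11-20T14:00:00Z", "commit_emails": {"d@other.example"}},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def registration_clusters(accounts, window=timedelta(hours=1), min_size=2):
    """Source 2: groups of accounts all registered within `window` of the group's first."""
    clusters, current = [], []
    for acct in sorted(accounts, key=lambda a: _ts(a["created_at"])):
        if current and _ts(acct["created_at"]) - _ts(current[0]["created_at"]) > window:
            if len(current) >= min_size:
                clusters.append([a["login"] for a in current])
            current = []
        current.append(acct)
    if len(current) >= min_size:
        clusters.append([a["login"] for a in current])
    return clusters

def shared_commit_emails(accounts):
    """Email overlap: author emails that appear under more than one account."""
    seen = defaultdict(set)
    for acct in accounts:
        for email in acct["commit_emails"]:
            seen[email].add(acct["login"])
    return {email: sorted(logins) for email, logins in seen.items() if len(logins) > 1}

def sock_puppet_candidates(accounts):
    """Account groups flagged by both signals: same cluster AND a shared commit email."""
    hits = set()
    for cluster in registration_clusters(accounts):
        for logins in shared_commit_emails(accounts).values():
            both = tuple(sorted(set(cluster) & set(logins)))
            if len(both) > 1:
                hits.add(both)
    return sorted(hits)

def conclusion_allowed(fired_sources, minimum=3):
    """Anti-pattern guard: require `minimum` distinct sources (numbered 1-6) to agree."""
    return len(set(fired_sources) & set(range(1, 7))) >= minimum
```

In the sample, three accounts fall in one registration cluster but only two of them also share a commit email, so only that pair is a candidate, and two signals alone still fail the three-source floor.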
When to Use
- Cases where a project claims to be a “global team,” but the code style / comment language is inconsistent
- Cases where the same email appears in the commits of multiple “independent companies / outsourcers”
- Cases where the LinkedIn name and the Whitepaper author / commit author name are in completely different languages
When NOT to Use
- The project is public and transparent (GPG-signed / has a public identity)
- An individual’s open-source project (no need to contrast against a public face)
- Cases where you only do code-quality DD and do not verify the team’s authenticity
Provenance
- Case study (vaporware audit): multiple GitHub accounts registered in a concentrated short window + the language of names on the LinkedIn company page vs the language of the commit author name did not match + the metadata author of the Whitepaper PDF + CLI path remnants + own-domain email · the separation of public-facing / real team was locked through cross-checking of multiple anchors
- The same kind of technique is also applied to ex post attribution inference: see the leads for attacker tracing in Coincheck Nem Hack Detailed Analysis or JP VASP incident history