End-to-end encrypted (E2EE) messaging and the growing use of cryptocurrency create an attribution gap for digital investigators: message content is unavailable and wallet activity is often decoupled from subscriber identities, which makes it difficult to link communication behavior with wallet activity. We propose a lawful, metadata-driven forensic attribution framework called the Data-Source Association Framework (DSAF). The DSAF links encrypted communication behavior with cryptocurrency wallet activity by correlating on-chain traces with only legally obtainable network metadata that is observable under lawful interception (LI). By integrating information from communication behavior and wallet activity, the framework aims to narrow the person–application–wallet attribution gap. The framework has two components: one performs encrypted-application classification using transport-layer signals and flow-level features, and the other conducts wallet–identity association by applying controlled decoding to intercepted traffic and extracting relevant transaction traces. Both components operate under a minimum-field schema that is aligned with Taiwanese LI procedures. We implemented the workflow and evaluated it using controlled experiments across multiple wallets and assets, reporting Wilson 95% confidence intervals (CIs). We achieved 91.4% accuracy (181/198) in end-to-end association under a confidence threshold, with high performance across wallet types, including Monero and TronLink.
Lin et al. (Mon,) studied this question.