Methodology & Ethics
Every label, bloc and finding on ICPulse comes out of a documented process with a human decision at the end. This page describes that process — including what we refuse to publish, and the mistakes our method is built to catch.
Part 1
243 labels are live on ICPulse. Every single one went through the same pipeline. Nothing ships on an algorithm's word alone.
An indexer samples the ICP ledger and NNS governance every 60 seconds, around the clock. A discovery engine surfaces high-volume addresses, and an automated crawler produces a behavioral report for each: volume in and out, distinct counterparties, contact with already-verified anchors, and activity rhythm. The machine proposes — it never decides.
Each candidate runs through a published decision tree. A clean consolidation pattern (many depositors, one verified destination, near-zero balance) becomes a label candidate. An address touching multiple exchanges is never labeled — that shape belongs to users, services and third parties, not to the exchange. Dust-level "patterns" are discarded as spray artifacts.
A human reviews the full report and decides. Labels carry one of two confidence tiers — and if ownership can't be attributed with confidence, the address stays an internal lead no matter how perfect the pattern looks. We have rejected million-ICP addresses on exactly this rule.
Labels are published to a machine-readable registry that feeds every ICPulse feature, and are re-checked against each new deterministic source we open. When a re-check contradicts an old inference, the label is corrected publicly — that has already happened, and catching it is the point.
Proven by a controlled on-chain transfer executed through the address, or derived deterministically from protocol data. Not an opinion — a checkable fact.
A clean behavioral pattern cross-checked against independent external anchors. High confidence, honestly marked as inference — never dressed up as proof.
Part 2
Wherever the protocol itself can tell us an address, we take it from the protocol — certainty instead of trust.
Large parts of the label map are derived, not discovered: SNS DAO treasury accounts, DEX liquidity-pool accounts (derived from each pool's canister and re-verified against live ledger balances), node-provider reward accounts straight from the NNS registry, and named neurons that identified themselves publicly in governance. Anyone can reproduce these derivations independently — that's what makes them verified.
Third-party attributions (external explorers, clustering lists) are treated as leads only. They enter the pipeline at step 2 like any other candidate and earn a label only by passing steps 3–4. Promoting someone else's inference straight to a label is precisely the failure mode this method exists to prevent.
Part 3
ICPulse detects coordination in NNS governance from observable behavior only.
Voting blocs are measured from the ballot-arrival timing of known NNS neurons, sampled every 60 seconds. A bloc is a set of neurons that repeatedly cast matching votes within the same mid-stream sampling window across many proposals. Opening-burst co-arrival is excluded — many neurons voting seconds after a proposal opens reflects shared scheduling, not coordination.
| Parameter | Value |
|---|---|
| Sampling interval | 60 seconds, 24/7 |
| Co-arrival window | 300 seconds, mid-stream only |
| Minimum shared proposals | 5 |
| Minimum co-arrival rate | 50% |
| Proposals analyzed to date | 224 |
The underlying mechanism — following configuration, shared hotkey control, or external automation — is not observable on-chain, and we report it as unknown. Every bloc is reviewed and approved by a human before publication.
Part 4
ICPulse has documented an ongoing address-poisoning campaign on the ICP ledger: attacker-generated look-alike addresses that mimic heavily used wallets, planted via zero-amount and dust transfers so they appear in transaction histories next to the real address.
The mimics we've caught match the real address's first 4–5 characters — and sometimes the suffix too. Eyeballing the start and end of an address is not a defense. Copy addresses only from a source you control or a verified registry, and verify the entire string before funds move.
The campaign is systematic: new mimics appear within a day for addresses under active public scrutiny, including labeled infrastructure and DEX settlement accounts. ICPulse's crawler detects mimic candidates automatically by prefix-matching against the verified label map, flags zero-amount spray patterns, and logs the funding addresses behind the campaign. Mimic addresses are never eligible for labels and are excluded from all flow statistics.
Part 5
Three commitments shape everything ICPulse publishes.
1 — The data is public by birth. Everything on ICPulse comes from the public ICP ledger and NNS governance. We organize what is already visible to anyone; we expose nothing that wasn't. This is the same standard the wider industry applies to public blockchains.
2 — We label infrastructure, not people. The deposit-address rule is structural protection for individuals: exchange-owned plumbing gets labeled, the wallets of the users behind it never do. An individual's address can't end up labeled on ICPulse by pattern-matching, because patterns alone are never enough.
3 — Facts, not accusations. Labels are behavioral categories, not identity claims. Findings record direction and magnitude, never intent. Where a mechanism isn't observable on-chain, it is reported as unknown — and the SCAM ledger exists to protect users, not to name suspects.
Every claim on ICPulse is verifiable against the public ledger. If you find one that isn't — we want to know.
Open ICPulse