Introduction

In an era characterized by digital ubiquity, the nature of human interaction has undergone a profound transformation. Historically, our interactions, whether social or commercial, relied on physical encounters, bound to a singular persona—our physical identity. However, with the emergence of online digital platforms, the vast majority of our activities occur online, facilitating the use of different profiles for diverse objectives and platforms. The rapid advancements in generative artificial intelligence (AI) and large language models (LLMs) have further impacted our digital environments, making content creation effortless and instantaneous. In this digitally dispersed and under-regulated landscape, malicious or deceptive use of multiple online identities has become a growing concern. Indeed, governments, corporations, and nations alike face serious threats as entities exploit anonymity and platform diversity to manipulate narratives, influence public opinion, and disrupt markets, posing risks to societal stability, economic integrity1, and national security2,3,4. Detecting and mitigating such threats across platforms presents considerable challenges, as malicious activity is often concealed and fragmented across pseudonymous identities. Addressing these challenges requires robust methodologies for linking profiles associated with the same real-world entities across domains, referred to as the identity matching problem (Network alignment or user identity linkage are terminologies often used for this problem as well).

Extensive research efforts have demonstrated that content and personal attributes, such as age, gender or usernames are effective for matching profiles across domains. These approaches include both supervised5,6,7,8,9 and unsupervised10,11,12,13 models. However, content-based models face significant challenges nowadays. First, the widespread use of generative AI enables creating numerous variations of the same narrative effortlessly, making it increasingly difficult to detect content originating from the same individual. Additionally, the increasing shift toward encrypted platforms often restricts access to user-generated content and private attributes, especially across different platforms, further limiting the effectiveness of these models.

Furthermore, even in anonymized settings, notable cross-domain identity matching capabilities have been achieved by exploiting the network of interactions14,15,16,17,18,19,20,21,22,23 or individual metadata, such as profile trajectories24. However, such structure-based models face several limitations. Different platforms often exhibit distinct types of connections, leading to unique structural patterns that may hinder the effectiveness of these methods. Additionally, the sheer volume of structural information, especially when considering k-hop neighbors and the dynamic nature of connections, makes comprehensive data collection a difficult task. Even when structural data is completely available, running such models at scale is computationally expensive and even infeasible at times.

Building on the concept of “network of networks”25,26,27, we propose that distinct domains are implicitly connected through profiles controlled by the same entity. These hidden connections enable external events to propagate like shock waves, influencing actions across otherwise disconnected platforms. The temporal traces left by these actions, such as the timing of phone calls, digital transactions, or social media activity, offer measurable indicators of the underlying connections, bridging the gap between implicit links and explicit observable data. Bursty patterns of human behavior28, represented by the gap between consecutive activities of the individual (inter-event times), offer a distinct perspective of human dynamics, emphasizing the frequency of activity, rather than precise timing of individual events. These distributions were previously encountered in many and diverse types of activities, including individual mobility patterns, e-mail communications, instant messaging, web browsing, and mobile phone calls29,30,31,32,33,34.

In this study, we demonstrate that beyond conforming to a heavy-tailed distribution, bursty patterns are uniquely personal and can effectively characterize an individual, even upon acting across different platforms. Interestingly, these patterns provide a distinctive signature, better than the network of interactions and the actual timing of activity, enabling the detection of multiple profiles corresponding to the same individual, across different encrypted domains. We demonstrate the bursty model’s performance on two use-cases: across different financial platforms and across different social platforms. First, we show that our model outperforms various state-of-the-art temporal and structural models, presenting an average area under the receiver operating characteristic (ROC) curve (AUC) of 0.86, across two examined financial marketplaces. We further demonstrate its high stability over time, enabling the correct identification of 35% of profiles even after an entire year, by examining at most 10 candidates for each profile. This suggests that the temporal fingerprints last not only across domains but also for long periods of time. We additionally evaluate the model’s scalability, applying it across 500 different market places, encompassing the activity of over 250k daily traders. The identity matching problem across these domains presents a notably low baseline, as merely 3 out of 1000 randomly selected profile pairs actually correspond to the same individual. Nevertheless, our methodology achieves an average AUC of 0.78 and precision of 96% for the top-100 predictions. Finally, we show that the model is generalizable to other types of domains, establishing an AUC of 0.63 for matching identities across Twitter, Telegram and Instagram data, and achieving AUCs of 0.77 and 0.89 for matching identities across different sub-reddits and across different Telegram channels, respectively.

As the digital world enables the effortless creation of different content based on the same narrative content-based identity matching models become increasingly hindered. In parallel, the growing adoption of privacy-preserving measures further restrict access to identifying content. Accurately matching identities across platforms under these constraints becomes more challenging, but is inherently essential for uncovering patterns that extend across fragmented digital environments. By leveraging bursty individual patterns, our model provides a robust solution for linking identities within and across encrypted and content-restricted domains. Additionally, compared to other state-of-the-art temporal and structural methods with significantly higher computational complexity, our approach offers a vital advantage in enabling fast and accurate detection at scale. By enabling accurate identity matching across domains, even when content and network structure are absent, the proposed methodology provides a critical building block for detecting coordinated behavior across fragmented systems. Coupled with the suggested broader perspective on the mechanisms driving cross-domain coordination, this work lays a robust foundation for advancing threat detection methodologies in a rapidly evolving digital landscape, where traditional methods often fall short.

Results

Preliminaries

In this study, we aim at identifying individuals across different encrypted domains. Specifically, we aim at learning an identity matching function:

Definition 1

Given D1, …, Dn different domains, the goal of the cross-domain identity matching problem is learning a function:

$$p:\mathop{\bigcup}\limits_{i,j\in [n]}{D}_{i}\times {D}_{j}\to [0,1]$$

such that \(p({u}_{{d}_{1}},{v}_{{d}_{2}})\) represents the probability that the profiles \({u}_{{d}_{1}}\in {D}_{1}\) and \({v}_{{d}_{2}}\in {D}_{2}\) are associated with the same real-world individual (\({u}_{{d}_{1}}={v}_{{d}_{2}}\)).

The vanilla inter-event bursty model

We propose exploiting individual temporal data for linking profiles back to the same individual across different domains. Specifically, we analyze individual bursty patterns, manifested as the time difference between any two consecutive activities of each profile. Formally:

Definition 2

Given a time period [ττ + Δτ] and a profile ud in domain D, we denote the sequence of their activity times \({A}_{\tau }^{{u}_{d}}\subset \left[\tau,\tau+\Delta \tau \right]\) by:

$${A}_{\tau }^{{u}_{d}}=({t}_{0}^{{u}_{d}},\ldots,{t}_{m}^{{u}_{d}})$$
(1)

An inter-event time period is defined as the time difference between two consecutive activities of ud:

$$\Delta {t}_{i}^{{u}_{d}}={t}_{i}^{{u}_{d}}-{t}_{i-1}^{{u}_{d}}$$
(2)

The inter-event time sequence is defined by:

$${S}_{\tau }^{{u}_{d}}=(\Delta {t}_{1}^{{u}_{d}},\ldots \Delta {t}_{m}^{{u}_{d}})$$
(3)

The cumulative distribution function of the inter-event sequence is defined as:

$${Q}_{\tau }^{{u}_{d}}(\Delta t)=\frac{| \delta \in {S}_{\tau }^{{u}_{d}}:\delta \le \Delta t| }{m}$$
(4)

Our bursty identity matching function pks is based on the similarity between the established inter-event time distributions of any two profiles, estimated by the Kolmogorov–Smirnov (KS) statistic:

Definition 3

Let \({u}_{{d}_{1}}\in {D}_{1}^{\tau }\) and \({v}_{{d}_{2}}\in {D}_{2}^{\tau }\), and their corresponding inter-event time distributions \({Q}_{\tau }^{{u}_{{d}_{1}}}\) and \({Q}_{\tau }^{{v}_{{d}_{2}}}\). The KS-statistic is defined as the maximal difference between their distributions:

$$K{S}_{\tau }({u}_{{d}_{1}},{v}_{{d}_{2}})={\sup }_{\Delta t}| {Q}_{\tau }^{{u}_{{d}_{1}}}(\Delta t)-{Q}_{\tau }^{{v}_{{d}_{2}}}(\Delta t)|$$
(5)

We define the corresponding identity matching function \({p}_{\tau }^{ks}\) as:

$${p}_{\tau }^{ks}({u}_{{d}_{1}},{v}_{{d}_{2}})=1-K{S}_{\tau }({u}_{{d}_{1}},{v}_{{d}_{2}})$$
(6)

We postulate that different profiles pertaining to the same individual are bound to exhibit synchronization in their activity dynamics, despite acting on different domains. The motivation to this hypothesis is presented in Fig. 1, observing two pairs of profiles:

  1. 1.

    A positive pair: \({u}_{{d}_{1}}\) and \({u}_{{d}_{2}}\), correspond to the same individual u in financial trading markets \({D}_{\tau }^{1}\) and \({D}_{\tau }^{2}\) respectively, illustrated illustrated in Fig. 1a (orange and cyan markers).

  2. 2.

    A negative pair: \({v}_{{d}_{2}}\) and \({w}_{{d}_{3}}\), corresponding to different individuals in two different financial trading markets \(v\in {D}_{\tau }^{2},\,\,w\in {D}_{\tau }^{3}\), illustrated by red and green markers in Fig. 1a.

Fig. 1: Synchronization of burstiness patterns.
figure 1

a illustrates the daily networks of three financial trading markets \({D}_{\tau }^{1}\), \({D}_{\tau }^{2}\) and \({D}_{\tau }^{3}\), each corresponding to the trading of a different crypto-token. Profiles \({u}_{{d}_{1}}\) (degree k = 306) and \({u}_{{d}_{2}}\) (degree k = 268) correspond to the same individual (illustrated by orange and cyan markers). Profiles \({v}_{{d}_{2}}\) (degree k = 249) and \({w}_{{d}_{3}}\) (degree k = 275) pertain to different individuals (illustrated by red and green markers). b presents the activity times of \({u}_{{d}_{1}}\) and \({u}_{{d}_{2}}\), reaching an activity overlap of 37%. d presents the activity times of \({v}_{{d}_{2}}\) and \({w}_{{d}_{3}}\), reaching an activity overlap of 42%. c depicts the cumulative inter-event times distributions of \({u}_{{d}_{1}}\) and \({u}_{{d}_{2}}\), exemplifying similar distributions (\(K{S}_{\tau }({u}_{{d}_{1}},{u}_{{d}_{2}})=0.031\) with a p value of 0.99). e depicts the cumulative inter-event times distributions of \({v}_{{d}_{2}}\) and \({w}_{{d}_{3}}\), exemplifying significantly different distributions (\(K{S}_{\tau }({v}_{{d}_{2}},{w}_{{d}_{3}})=0.47\) with a p-value of 5e−27).

Full size image

Both pairs present similar degrees (illustrated in Fig. 1a) and resembling overlap in activity times: 37% of the time for the positive pair and 42% for the negative pair, illustrated in Fig. 1b, d, respectively. Nevertheless, the negative pair presents significantly different inter-event time distributions, establishing a KS distance of \(K{S}_{\tau }({v}_{{d}_{2}},{w}_{{d}_{3}})=0.47\) with a p value of 5e−27 (Fig. 1e), while the positive pair presents a high similarity of the inter-event distributions, with \(K{S}_{\tau }({u}_{{d}_{1}},{u}_{{d}_{2}})=0.031\) and a p-value of 0.99 (illustrated in Fig. 1c). This illustrates that burstiness patterns are able to characterize the profiles pertaining to the same individual better than basic temporal and structural patterns.

Experiments on financial markets

Identifying collusive trading practices, fraudulent accounts, and coordinated market manipulations, often concealed under multiple pseudonymous profiles to evade detection, is essential for ensuring the integrity of financial systems and maintaining market stability. We examine 2k traders transacting on two different financial trading markets, on top of the Ethereum blockchain35,36,37. In this setting, we refer to a financial trading market \({D}_{\tau }^{i}\) as encompassing all of the trading activity related to the respective crypto-token ci and time period [ττ + Δτ] where Δτ stands for single day length:

$${D}_{\tau }^{i}=\{u:u\,{{\rm{bought}}}\,{{\rm{or}}}\,{{\rm{sold}}}\,{c}_{i}\,{{\rm{in}}}\,[\tau,\tau+\Delta \tau ]\}$$
(7)

We wish to evaluate the performance of the vanilla inter-event bursty model and compare it to baseline models exploiting structural14,15,19,20 and temporal38,39,40,41 node characteristics (consider section “Methods” for a formal definition). Figure 2 presents the performance analysis of these models. Specifically, we consider 14 days of activity over two examined financial trading markets \({D}_{\tau }^{1},{D}_{\tau }^{2}\) and evaluate the performance on each day separately. Figure 2a presents the comparison of the AUC (ROC curve), and Fig. 2b depicts comparison of the precision established for each threshold of top-ranked profile pairs \(({u}_{{d}_{1}},{v}_{{d}_{2}})\). Both metrics indicate that structure-based models demonstrates limited efficacy in linking profiles across different domains, highlighting the greater significance of temporality in this context (consider section “Discussion” for a thorough discussion). The vanilla inter-event bursty model outperforms all temporal baselines, suggesting that while the bursty dynamics are closely related to an individual’s actual activity times, the latter is less effective in capturing the nuances required for an accurate individual fingerprint.

Fig. 2: Performance evaluation for the cross-domain identity matching problem.
figure 2

Comparing the inter-event bursty model (pks) and temporal (blue shaded) and structural (yellow shaded) baselines. a presents the averaged AUC over 14 daily tests, with error bars standing for standard error. b presents the average precision as a function of the examined number of pair candidates (with  ±1 standard error in light background, correspondingly). The inter-event bursty model presents higher performance than baseline methods across all examined metrics.

Full size image

Stability and robustness

We further wish to evaluate the ability to match profiles across domains even after long periods of time. In particular, given a user u with a profile \({u}_{{d}_{1}}\in {D}_{1}^{{t}_{0}}\), active during [t0t0 + Δτ] in domain D1, we define the similarity of \({u}_{{d}_{1}}\) to other profiles in the second domain, after a time delay τ as:

$$K{S}_{{t}_{0},\tau }({u}_{{d}_{1}},{v}_{{d}_{2}})={\sup }_{\Delta t}| {Q}_{{t}_{0}}^{{u}_{{d}_{1}}}(\Delta t)-{Q}_{{t}_{0}+\tau }^{{v}_{{d}_{2}}}(\Delta t)|$$
(8)

The corresponding identity matching function is:

$${p}_{{t}_{0},\tau }^{ks}({u}_{{d}_{1}},{v}_{{d}_{2}})=1-K{S}_{{t}_{0},\tau }({u}_{{d}_{1}},{v}_{{d}_{2}})$$
(9)

We define the identification probability of u at time τ as the probability that \({p}_{{t}_{0},\tau }^{ks}({u}_{{d}_{1}},{u}_{{d}_{2}})\) is within the top-k ranked matches for \({u}_{{d}_{1}}\). Figure 3a, b present the identification probability as a function of the examined time delay τ, for k = 5 and k = 10 correspondingly. While the identification probability decreases with the length of delay, the performance remains rather high with 25% (35%) of users correctly identified within 5 (10) matches, even after a year long, outperforming baseline temporal models.

Fig. 3: Temporal fingerprints stability.
figure 3

The identification probability of a user depending on the time delay from their initial observation, for k = 5 and k = 10, in (a, b) correspondingly. Despite the evident decrease of the identification probability as the delay between observations increases, the vanilla bursty model (dark red curve) is able to correctly identify 25% of the users within 5 ranks, and 35% within 10 ranks, after a delay of an entire year, outperforming the baseline temporal models (green-shaded curves). Shaded background represents  ±1 standard error.

Full size image

Next we examine the robustness of our suggested model to data omission. Indeed, incomplete data is a common challenge in today’s era of massive data generation, making it crucial to understand its implications. We randomly omit Δ of each profile’s activity times within the different domains and analyze the omission effect. Figure 4a presents the cumulative inter-event time distributions of two examined profiles, which pertain to the same individual, after randomly omitting Δ [50%, 75%, 90%] of their activity, compared to their original distributions. Notably, the pre- and post-data omission distributions change significantly, and the similarity between the two profiles decreases with Δ. Figure 4b depicts the change to the average KS distance as a function of the original KS, presenting a non-monotonous effect of data omission on profile similarity. Encouragingly, this indicates that both originally highly similar and highly distinct profiles are more robust to data omission, compared to profile pairs that originally had medium-level similarity, and are more prone to be affected by incomplete data. We further wish to estimate the data omission effect on the performance of the identity matching model. Figure 4c, d depict correspondingly the AUC and precision for each of the different levels of Δ, indicating the decrease caused by incomplete data. Despite this expected decrease in performance, the vanilla inter-event bursty model, even under 90% data omission threshold, outperforms state-of-the-art temporal models, applied with only 50% omission threshold (consider Supplementary Fig. 3). This result underscores the model’s relative robustness and its effectiveness in capturing individual fingerprints, even under severe data limitations.

Fig. 4: Robustness to incomplete data.
figure 4

a depicts the cumulative inter-event time distributions of two examined profiles, which pertain to the same individual, after randomly omitting Δ [50%, 75%, 90%] of their activity, compared to their original distributions. Notably, the similarity deteriorates with increase in Δ. b presents the non-monotonous effect of data omission on the average KS distance change as a function of the original KS distance. c, d present the AUC and the precision of pks upon different noise omission thresholds, presenting a slight decrease in performance. Error bars (c) and light shaded background (b, d) represent standard error.

Full size image

Scalability: Bursty-GNN for temporal similarity networks

To further enhance the vanilla version of inter-event bursty model, we propose employing a temporal graph neural network (TGNN) on top of cross-domain similarity networks \({G}_{ks}^{\tau }=({V}^{\tau },\,{E}^{\tau })\) where edges link profiles across different domains, and edge weight is reflected by the KS distance between the inter-event time distributions of any pair of profiles. We employ a supervised learning approach to train the TGNN, using edge labels inferred from the KS statistic metric:

  1. 1.

    Positive edges: two profiles \({u}_{{d}_{1}}\in {D}_{1}^{\tau }\) and \({v}_{{d}_{2}}\in {D}_{2}^{\tau }\) are linked by a positive edge if \(K{S}_{\tau }({u}_{{d}_{1}},{v}_{{d}_{2}})\le t{h}^{p}\), where thp is a predefined positive threshold.

  2. 2.

    Negative edges: two profiles \({u}_{{d}_{1}}\in {D}_{1}^{\tau }\) and \({v}_{{d}_{2}}\in {D}_{2}^{\tau }\) are linked by a negative edge if \(K{S}_{\tau }({u}_{{d}_{1}},{v}_{{d}_{2}})\ge t{h}^{n}\), where thn is a predefined negative threshold.

We employed thp = 0.001 and thn = 0.98 as the predefined positive and negative thresholds, respectively. The proposed TGNN setting utilizes labels inferred from the KS statistic and does not rely on actual identity labels. As such, it is applicable to the unsupervised setting we are examining. The Bursty-TGNN learns a latent embedding for all profiles, which is utilized subsequently for a cross-domain edge detection task. Figure 5a illustrates the two-layer Bursty-TGNN employed on the daily similarity networks. An elaborated overview of the TGNN architecture can be found in the Supplementary Materials.

Fig. 5: Scalability and the Bursty-TGNN.
figure 5

a presents the architecture of the 2-layer TGNN on top of temporal similarity networks. b, c present the average AUC and precision of the Bursty-TGNN, the vanilla bursty model and various temporal baseline models on the multi-domain identity matching problem, with the Bursty-TGNN manifesting an evident enhancement to the top-1000 precision. Error bars (b) and light shaded background (c) represent standard error.

Full size image

In order to evaluate the Bursty-TGNN, we consider an identity matching problem of higher complexity, where we do not restrict the experiment to the two-domains use-case. This setting, alongside verifying the performance of the Bursty-TGNN, will assist in examining its scalability by identifying profiles across over 500 financial trading markets, while considering over 250k daily users. The performance was evaluated for the vanilla bursty model, the Bursty-TGNN model comparing them with temporal baseline models only. The structural baseline models did not scale effectively, preventing us from evaluating their performance in this challenge.

The identity matching problem across these domains presents a notably low baseline, as merely 3 out of 1000 randomly selected profile pairs actually correspond to the same individual (dashed horizontal red line in Fig. 5c). Figure 5b, c depict, respectively, the average AUC and precision for the multi-domain setting. Notably, up to the top-200 pairs the vanilla inter-event bursty model outperforms the temporal baselines, reaching almost error-less precision on average. Furthermore, the Bursty-TGNN extension (dashed purple curve, Fig. 5c) presents a performance boost when run on the top-1000 inter-event similarity edges (dashed vertical gray line in Fig. 5c marks the top-1000 threshold), underscoring the evolving role of each profile within the overall network and the hidden potential in this dynamic view for solving the identity matching task.

Experiments on social media

Identifying coordinated inauthentic behavior across social media domains is essential, since malicious entities frequently employ bots, troll farms, or fake accounts to avoid detection and reinforce targeted narratives. These tactics are often aimed at shaping public sentiment, influencing elections, and steering political landscapes. Platforms like Twitter (X) and Telegram, widely used for real-time news sharing, opinion formation, and group coordination, are particularly appealing to actors seeking to amplify influence across diverse audiences. A critical step toward detecting such campaigns is the ability to accurately match identities across distinct platforms, especially when pseudonymity and content encryption hinder profile attribution across domains. In this experiment, we examine 266 profiles: 126 Twitter, 120 Telegram and 20 Instagram, corresponding to 131 different entities, on a weekly basis (Δτ = 7 days), for 8 weeks. Figure 6 presents the performance of the vanilla inter-event model and comparisons to the temporal baselines. The vanilla inter-event model outperforms the baseline models, attesting to the generalizability of the model to different platform types. To further evaluate generalizability, we conducted two additional identity matching experiments. The first experiment consists of matching profiles across different Reddit forums (sub-reddits), and the second one involved matching profiles across different Telegram channels. These analyses, presented in Supplementary Fig. 4, yielded higher performance than the Twitter-Telegram-Instagram setting and provide additional evidence for the generalizability of burstiness-based identity matching across diverse social media contexts.

Fig. 6: Performance evaluation of the inter-event similarity method (pks) for identity matching across social media platforms and comparison to temporal baselines.
figure 6

a depicts the averaged AUC over 8 weekly tests, with error bars signifying the standard error. b resents the average precision as a function of the examined number of pair candidates (with  ±1 standard error in light background, correspondingly). The inter-event bursty model presents similar AUC and higher precision, comparing with baseline temporal models.

Full size image

Discussion

The widespread accessibility of generative AI and LLMs has made text generation remarkably fast and effortless, placing powerful tools within the reach of all. These technological advancements have led to a significant rise in manipulative cross-platform activity including the spread of sophisticated influence campaigns, which are now far more challenging to detect using content-based models due to their versatile and easily adaptable nature. Privacy restrictions, though essential for safeguarding individuals, hinder the analysis of cross-domain patterns and correlations, which are crucial for identifying such coordinated activities. Countering these evolving threats across disconnected domains requires accurate identity linkage as a foundational step.

This study underscores the potential of temporal patterns, specifically individual burstiness, as a robust and scalable framework for cross-domain identity matching. We demonstrate that individual bursty dynamics form temporal fingerprints that persist across different platforms and over long periods of time, enabling accurate cross-domain identity matching. Our model outperforms state-of-the-art temporal and structure-based models in two experimental settings (Figs. 2 and 6), proving its generalizability. We demonstrated that the suggested model is stable over time, and is able to correctly identify 35% of the users even after an entire year, by examining at most 10 candidates for each profile (Fig. 3b). We further assessed the model’s robustness to incomplete data and its impact on individual temporal fingerprints. We demonstrated that despite omitting various fractions of the individual’s activity, temporal fingerprints remain similar, in particular for originally highly similar profiles (Fig. 4a, b). Although this affected the predictive ability of the model, it was still able to attain an AUC of 0.82 after an omission of 50% of individual activity (Fig. 4c). Lastly, we demonstrated that our model is highly scalable, outperforming the temporal baseline models in a setting involving 500 distinct domains (Fig. 5b, c), where all examined structure-based models failed to scale effectively. The limitations of structure-based models and the high computational complexity of existing temporal models highlight the advantages of our model as an efficient alternative, enabling real-time deployment on resource-limited devices.

Beyond the practical applications of cross-domain identity matching across encrypted domains, a deeper question emerges: why are temporal signals more informative for linking identities than structural ones? We postulate that structural patterns, influenced by connection type (e.g., trading, social, or professional networks), vary significantly across different platforms, obscuring structural coordination and hindering cross-domain identity matching. In contrast, the manifestation of temporal regularities stems from the interconnected nature of distinct domains. To explain this observation more generally, we turn to a theoretical perspective that captures how coordination can emerge across disconnected systems. Building on the “network of networks” framework25,26,27, we consider coordinating individuals as bridges, implicitly linking seemingly disconnected domains. External events propagate as shock waves through this interconnected structure, while influencing coordinating entities across domains and triggering their actions. These actions, even if not simultaneous, often exhibit similar bursty patterns (see ref. 42 for formal modeling). Cross-domain identity matching, where a single entity controls multiple profiles across distinct platforms, offers a concrete example of this mechanism. The user’s profiles implicitly connect otherwise disconnected domains: activity triggered by interaction or coordination on one platform can lead the same entity to act on another platform, thereby transmitting influence across systems, leading to similar bursty patterns. While previous studies primarily modeled human burstsiness based on isolated individuals, disregarding environmental effects28,43,44,45,46, we offer a broader perspective, attributing aligned bursty behavior to shock waves traversing the network of networks.

These findings carry implications beyond the specific task of identity matching. In network science and computational social science, individual behavior is often modeled through structural relationships or semantic content. Our results suggest an alternative approach, modeling individuals based on the timing and dynamics of their actions. This temporal perspective enables modeling behavioral regularities across platforms, even in the absence of observable connections or shared metadata. By demonstrating that temporal signals are sufficient for identifying persistent behavior, our work positions time as a foundational dimension in understanding individual roles and coordinated activity within complex and fragmented systems.

Finally, it is worth considering whether coordination signals arising from bursty dynamics can be obscured. Our robustness analysis for the identity matching use-case (Fig. 4) reveals that despite omitting significant activity portions, most users remain identifiable. We hypothesize that this robustness may extend to the more general coordination scenario. Specifically, since many online settings are designated for timely responses, obscuring coordination from temporal signals is inherently challenging, as individuals naturally respond promptly to external shocks. Attackers may attempt to distribute actions over time using hidden agents, but such strategies are impractical. For instance, delayed transactions in money laundering raise suspicion, and dispersed actions weaken coordinated attacks’ impact, suggesting that ultimately, attempts to obfuscate coordination may undermine the purpose of the coordinated activity itself.

Limitations and future research

An intrinsic limitation of our study is the need for sufficient individual data to reliably estimate inter-event distributions. Future research should examine how identification probability depends on activity volume and inspected period length. Our preliminary analysis demonstrates that identification probability increases with activity volume (Fig. S2) but decreases with longer inspection periods (Fig. S5), indicating short-term patterns are more effective for matching profiles. The choice of similarity measure also impacts performance, and alternative methods, such as those in ref. 47, could be evaluated. Further improving model scalability, possibly using complexity-reduced versions of the KS statistic48 and optimizing search algorithms, is another promising direction. In addition, while our current approach is fully unsupervised, it would be valuable to explore the effect of incorporating limited supervision, such as fine-tuning with a small set of labeled identity pairs, to further enhance performance in low-resource scenarios. The authors intend to pursue these directions in future research.

Methods

Data

Financial markets data

We consider the Ethereum blockchain35,36,37,49,50 as our financial dataset. This encrypted financial ecosystem enables the trading of tens of thousands of different crypto-tokens, using a single Ethereum wallet. Broadly, a crypto wallet is a digital tool that securely stores and manages the user’s cryptocurrency holdings, allowing the user to send, receive, and monitor their digital assets on blockchain networks. The address of a crypto wallet serves as a unique identifier, similarly to an account number in traditional financial systems. Since a single Ethereum wallet can be employed for the trading of all Ethereum-based crypto-tokens, it can be used as the trader’s identifier across different crypto-domains, for validation purposes (ground truth). We refer to a financial trading market Di as encompassing all the trading activity related to the respective crypto-token ci. We consider two different experimental settings over this dataset.

  1. 1.

    Two-domain setting: Considering 14 days of trading activity across two domains only, encompassing the activity of 2k daily users.

  2. 2.

    Multi-domain setting: Considering 14 days of trading activity across 512 financial domains, encompassing the activity of 250k daily users.

Both settings contain temporal data on an individual level granularity and network data, where an edge (uv) Vi represents that user u sold crypto-token i to user v.

Social platforms

  1. 1.

    Cross Twitter-Telegram-Instagram: This dataset contains posting activity from 266 user profiles: 126 Twitter (X), 120 Telegram, and 20 Instagram, corresponding to 131 different individuals. The data was collected over a period of eight weeks (June 1 - July 28, 2024). We manually generated the ground truth labels for this dataset, relying on profile name similarity (for instance, “foo_networks” on Twitter and “FooNetworks” on Telegram), profile biographies, official websites, and other public sources of information (articles, Linktree) that indicate affiliation with the same individual or organization. The experiment on this dataset involved analyzing eight weekly activity snapshots of these users from all three social platforms. Each snapshot contains merely temporal data in the form of individual posting times, and lacks network data in the form of retweets, re-posts, likes and other connections.

  2. 2.

    Cross sub-Reddits: This dataset contains user-level temporal posting activity in multiple Reddit51 forums (sub-Reddits), spanning over 3,075 users with verified activity in 2848 sub-reddits over a 19-week period. Ground truth for this dataset was defined based on shared Reddit accounts appearing in different sub-Reddit contexts. The experiment on this dataset entailed analyzing 19 weekly activity snapshots of these users on top of all active sub-Reddits. Each snapshot contains merely temporal data in the form of individual posting times, and lacks network data in the form of replies or mentions.

  3. 3.

    Cross Telegram Channels: This dataset contains posting activity from 248 Telegram users across 175 different channels, such that each user has posted in 2 or more of the channels. The data was collected over an 8-week period aggregated into weekly bins (Δt = 7 days). Ground truth for this dataset was defined based on shared Telegram accounts posting in different channels. Each of the eight snapshots contains merely temporal data in the form of individual posting times, and lacks network data in the form of replies or mentions.

Temporal graph neural network

We employ a temporal graph neural network (TGNN) on top of cross-domain similarity networks \({G}_{ks}^{\tau }=({V}^{\tau },\,{E}^{\tau })\), as described in section “Scalability: Bursty-GNN for temporal similarity networks.” We frame this problem as a link prediction task, aiming to unveil potential connections within these similarity networks over time. Specifically, the task is identifying which profile pairs should be linked as corresponding to the same individual. This approach aligns with our objective to identify the implicit links between profiles, represented by edges in the similarity network, rather than to predict future transaction activity, as would be the case if we performed link prediction on the original transaction network. For each profile, we calculate 16 node features. Features include transaction counts, inter-event time statistics, and graph-based metrics like in-degree, out-degree, clustering coefficient, closeness, betweenness centrality, and PageRank. We use RobustScaler for feature normalization to mitigate the effects of outliers. Node features are recalculated daily to reflect the evolution of transaction behavior, providing a consistent set of features for training, validation, and evaluation.

Training

We employed supervised learning to train the TGNN, using edge labels informed by KS statistic measures. Positive training edges were defined as KS ≤ ρp, where ρp = 0.001, and negative training edges were defined as KS ≥ ρn, where ρn = 0.98. A weighted binary cross-entropy loss function was used to counter class imbalance:

$${{{\mathcal{L}}}}_{{{\rm{BCE}}}}=-\frac{1}{N}\mathop{\sum }\limits_{i=1}^{N}\left[{w}_{i}\cdot {y}_{i}\cdot \log (\sigma ({{{\rm{logits}}}}_{i}))+(1-{y}_{i})\cdot \log (1-\sigma ({{{\rm{logits}}}}_{i}))\right]$$
(10)

where \({{{\mathcal{L}}}}_{{{\rm{BCE}}}}\) is the binary cross-entropy loss, N is the number of samples, wi is the weight for sample i, yi is the true label, σ is the sigmoid function, and logitsi are the raw scores from the classifier.

The Adam optimizer, initialized with a learning rate of 0.0001, was employed along with a ReduceLROnPlateau scheduler. Training was conducted for up to 100 epochs with early stopping to avoid overfitting. The data snapshots were divided into 80% for training and 20% for validation. A dropout rate of 0.5 was applied to the model. Each input node featured 34 attributes. The GConvGRU and GATConv layers were configured with 64 hidden units, and the output embedding dimension from the linear layer was set to 32.

Evaluation

We assessed the TGNN’s capability to link Ethereum profiles against the baseline inter-event time distribution similarity. Consistent node features were used, and evaluation was performed across wallet activity for all days in the study period. The TGNN predicted the likelihood of an edge existing for each pair within two sets independently. First, previously seen edges, i.e., the 146 positive training edges. Then, the next 1000 most likely edges as ranked by KS score, corresponding to edges with a KS distance measure between 0.001 and 0.02616. The second set of edges had not previously been seen by the model.

Comparison baseline models

In this study, we compare the performance of the vanilla bursty model to various state-of-the-art models. We use each model in order to establish an embedding of the profiles, across the different domains. We apply cosine similarity on all embedding pairs to form a score, indicating the certainty that both profiles correspond to the same individual.

Structure-based models

We first compare against four baseline models, which rely on network data.

  1. 1.

    REGAL14: A spectral method solving the network alignment problem using network topology and nodes’ feature similarity, followed by a low-rank matrix approximation speed-up.

  2. 2.

    IsoRank15: A spectral method propagating pairwise node similarity over the network employing the homophily assumption (profiles pertaining to the same individual across two domains would have similar topological network environments).

  3. 3.

    NAWAL19: Combines generative adversarial deep neural network with structural similarity to calculate node embeddings.

  4. 4.

    GAlign20: Calculates node embeddings using a multi-order Graph Convolutional Networks (GCN) to capture local and global structural information.

Temporal models

Foundation models are large-scale, pre-trained machine learning models, typically based on transformer architecture52,53, designed for a wide range of downstream tasks across diverse domains. Building upon the success of foundation models in language and vision, foundation models for time series are large pre-trained models that capture complex patterns in temporal data across diverse domains and used for tasks like forecasting, sequence classification, anomaly detection, and imputation. In recent years, numerous foundation models for time-series analysis have been introduced54, each employing unique methodologies to enhance forecasting accuracy and efficiency.

In this paper, we benchmark our bursty model against four SOTA foundation models for time-series analysis: CHRONOS, MOMENT, PatchTST, and GPT4TS. These models have been trained on datasets from various domains, spanning electricity, traffic, weather, and health, as well as the UCL and UEA collections. Given the scarcity of labeled data in many domains in time-series analysis, a particularly critical challenge for foundation models is zero-shot learning, which refers to the ability to perform tasks on unseen data without requiring additional training or fine-tuning55. Benchmarking on zero-shot tasks evaluates the robustness and versatility of pre-trained models, highlighting their potential for real-world applications where task-specific data is limited or unavailable. Importantly, all models were reported to support zero-shot learning, and were evaluated on such settings.

  1. 1.

    GPT4TS56: Leverages pre-trained language models, specifically GPT-2, for time-series analysis. By treating time-series data similarly to textual data, GPT4TS applies the strengths of language models for forecasting tasks. The model fine-tunes the embedding layer, normalization layers, and output layer of GPT-2 to accommodate time series inputs, while keeping the self-attention and feedforward layers of the model unchanged. The model’s short- and long-term forecasting performance has been tested on ETT, Weather, ILI, and ECL datasets57 (Zhou et al.56; Ma et al.41), including zero-shot experiments on the ETT-H and -M datasets.

  2. 2.

    PatchTST40: A prominent transformer-based model tailored for long-term, multivariate time series forecasting. A key feature of the model is segmenting time-series data into subseries-level patches, which serve as input tokens to the transformer. This reduces the computational load by decreasing the length of input sequences and thereby lowering the time and space complexity associated with self-attention mechanisms. For zero-shot performance evaluation, it is tested on a diverse array of datasets spanning healthcare, finance and economics, retail and energy.

  3. 3.

    Chronos39: A family of pre-trained probabilistic time-series models that adapt language model architectures for time-series forecasting and encoding tasks, with parameter sizes ranging from 8 million (tiny) to 710 million (large). The model tokenizes time series data through scaling and quantization, enabling the application of language models to the data. The models are pre-trained on a collection of 13 datasets, encompassing energy, transportation, weather, and web traffic and have been evaluated on a wide range of datasets. For zero-shot performance, it is further tested on a wider array of datasets, including healthcare, retail, banking, and more.

  4. 4.

    Moment38: A family of foundation models designed for general-purpose time-series analysis. It addresses challenges in pre-training large models on time-series data by compiling a diverse collection of public datasets, termed the “Time Series Pile”, which spans 5 large public databases. Moment employs multi-dataset pre-training to capture diverse time-series characteristics, enhancing its adaptability across various tasks such as forecasting, classification, anomaly detection, and imputation.

After extracting and grouping temporal information per user per time period, we compute embedding similarity between every pair of cross-platform users in the following manner: First, we align the temporal sequences with the desired model input length. This process includes left-padding or truncating time steps to match the desired model input (typically, N = 512 for small models and N = 1024 for large models). We then pass the padded tensor, adjusting dimensions as per model requirements, into the selected model in batches of 16 to accommodate GPU constraints. If applicable, we apply mean pooling to the output embeddings to achieve a one-dimensional vector representation per user. Computing the similarity is then straightforward: we apply cosine similarity between each pair of users, skipping self- and same-platform comparisons (as we are only interested in cross-platform identity matching) to derive a final similarity score.

Use of LLMs

The authors acknowledge the use of a LLM (ChatGPT-4o, OpenAI, San Francisco, CA) to improve grammar and enhance the clarity of the text. All AI-generated suggestions were critically reviewed and edited by the authors to ensure the original meaning was preserved. The authors take full responsibility for the content of the final manuscript.