One Sole-Source Contract, Seven Public Companies in the Blast Radius
Last Week’s Map
Last week we mapped the blast radius of a $4.4B NASA contract awarded to Northrop Grumman. The defense and space names held up reasonably well — the real damage landed on the smaller space plays.
NOC — $549.01 at publication → $541.82 now · -1.31%
LMT — $545.91 at publication → $520.68 now · -4.62%
BA — $226.49 at publication → $215.51 now · -4.85%
LHX — $302.07 at publication → $288.69 now · -4.43%
GD — $373.54 at publication → $372.78 now · -0.2%
RKLB — $100.46 at publication → $76.73 now · -23.62%
LUNR — $19.58 at publication → $15.15 now · -22.63%
LDOS — $108.84 at publication → $106.58 now · -2.08%
The Event
Here’s the detail most people glossed over: this contract was sole-source. One bidder. No competition. DHS didn’t put this out for proposals — they went straight to TRM Labs and said, essentially, “you’re the only one who can do this.”
On July 1, 2026, TRM Labs — a private blockchain intelligence company — was awarded a $94,655,840 contract by the Department of Homeland Security’s Homeland Security Investigations division. The money funds TRM’s forensic software and analytical support for the HSI National Coordination Center’s Cyber Disruption Center, which exists to disrupt crypto-enabled ransomware, fraud, and sextortion attacks on critical infrastructure and financial institutions.
Blockchain intelligence, in plain terms, is software that follows crypto transactions across multiple blockchains — tracing money from a ransomware payment, for example, through a tangle of wallets until it hits an exchange where someone’s identity is attached. TRM Labs has built a version of this that DHS considers irreplaceable enough to skip the bidding process entirely.
The part nobody’s talking about: this contract didn’t come out of nowhere. TRM Labs had a prior $1.5M software license with the same agency. What just happened is that DHS took a $1.5M software tool and turned it into a $94.7M operational capability. That’s a 60x expansion of the same relationship. When federal agencies do that to a specialist vendor, it almost always means two things: the capability is working, and other agencies are about to want it too.
For public markets, TRM Labs itself is private — you can’t trade it directly. But the contract is a signal that ripples through every company already plugged into the federal investigative workflow around crypto crime. That’s what this edition maps.
The Ecosystem Map
Cellebrite DI Ltd. (CLBT) — Gravity Score: 8/10
Cellebrite is the company that cracks seized phones for law enforcement. That might sound unrelated to blockchain forensics until you realize that almost every crypto crime investigation starts with a seized device before it moves to on-chain tracing. The phone is where the wallet keys live, where the transaction history is cached, where the evidence begins.
Cellebrite has a formal integration with Chainalysis (TRM’s closest competitor), meaning its device forensics platform is already wired to pass evidence directly into blockchain analytics workflows — the exact combination HSI’s Cyber Disruption Center needs. And in May 2026, Cellebrite achieved FedRAMP High Authorization, which is the federal government’s stamp of approval for handling sensitive law enforcement data in the cloud. That clears the last major hurdle for expanded federal contracts.
The score is an 8 because Cellebrite isn’t just adjacent to this story — it’s embedded in the operational workflow that TRM Labs’ DHS engagement sits inside. Government revenue is already core to its model, ARR is up 21% year-over-year, and a rising federal budget for crypto-crime disruption is a direct demand catalyst for the tool that starts every one of those investigations.
Coinbase Global Inc. (COIN) — Gravity Score: 7/10
Coinbase sits at the end of the chain, literally. When blockchain forensics software like TRM’s traces a ransomware payment through dozens of wallets, it usually ends at an exchange — a place where crypto converts to real money and someone’s real identity is attached. Coinbase is the largest regulated exchange in the U.S., and it’s one of the most common endpoints in federal crypto investigations.
What makes this interesting is that Coinbase also runs its own government analytics product (formerly called Neutrino, now Coinbase Analytics), which means it’s simultaneously a data source for investigators and a potential future contractor in its own right. The more the federal government scales crypto-crime enforcement, the more critical Coinbase’s cooperation and data infrastructure become — it’s the real-world resolution point that the forensics software points to.
The score is a 7 because the relationship is direct and operational. Federal crypto-crime enforcement budgets expanding is good for Coinbase’s regulatory legitimacy narrative, and its compliance infrastructure is already wired into the federal investigative chain.
Palantir Technologies Inc. (PLTR) — Gravity Score: 6/10
Palantir’s Gotham platform is what federal law enforcement uses to fuse multiple data streams into a single investigative picture — surveillance feeds, financial records, communications intercepts, and increasingly, on-chain transaction data. ICE, the same funding parent behind the HSI contract, is an active Palantir customer.
The connection here isn’t that Palantir does what TRM does. It’s that as crypto-crime cases multiply and blockchain intelligence becomes a standard evidence layer, the agencies already running Gotham will want that data integrated into the platform where their analysts already work. Palantir is a logical aggregation point for that expansion.
The broader signal matters too. A $94.7M sole-source award to a specialist AI-native analytics vendor validates the exact procurement model that Palantir has built its federal business on — mission-specific, high-switching-cost, non-competed contracts. The score is a 6 because this is a structural tailwind, not a direct contract relationship.
Mastercard Inc. (MA) — Gravity Score: 5/10
In 2021, Mastercard acquired CipherTrace — one of TRM Labs’ direct competitors in blockchain analytics. Which means Mastercard quietly owns the same type of capability that DHS just paid $94.7M for. It secured a BitLicense from the NYSDFS in May 2026 and joined the Blockchain Security Standards Council alongside Coinbase in April 2026.
The TRM Labs contract re-rates the commercial value of proprietary blockchain intelligence IP — and Mastercard holds some. As stablecoin regulation accelerates and issuers get required to run AML screening on digital dollar transactions, Mastercard’s combination of payments network reach and crypto forensics capability becomes a genuine compliance infrastructure offering.
The score is a 5 because crypto forensics is still a non-material revenue line for a company of Mastercard’s scale. The strategic optionality is real; the near-term financial impact is modest.
NICE Ltd. (NICE) — Gravity Score: 5/10
NICE’s Actimize division is one of the leading financial crime compliance platforms on the planet — used by major banks and regulators to detect money laundering, fraud, and suspicious transaction patterns. That’s the off-chain complement to what TRM Labs does on-chain.
Here’s what caught our eye: the DHS Cyber Disruption Center’s mandate isn’t purely crypto. It explicitly covers cyber-enabled fraud and sextortion — financial crime categories that run through both traditional payment rails and crypto simultaneously. NICE is already deployed in that off-chain fraud detection layer at financial institutions that DHS investigations ultimately touch.
The score is a 5 because the product-category alignment with the DHS mission is strong, but there’s no verified direct TRM partnership. NICE benefits from the same federal budget tailwind and the same institutional buyer demand — it’s a real connection, not just a thematic one.
Varonis Systems Inc. (VRNS) — Gravity Score: 4/10
Varonis detects data exfiltration and insider threats at the network level — the pre-encryption phase of a ransomware attack, before the crypto transaction that TRM Labs would then trace. Ransomware disruption is explicitly named as a Cyber Disruption Center mission priority, and Varonis’s tools are already deployed by federal agencies for exactly this pre-encryption detection work.
Think of the investigative chain: Varonis catches the attacker moving through the network, TRM traces the ransom payment after the fact. They’re different stages of the same criminal event. A federal budget that funds one stage validates the case for the adjacent stage.
The score is a 4 because the connection is adjacent and thematic rather than operational. No direct TRM relationship has been verified. Varonis benefits from the same procurement trend — it’s just a couple of degrees removed from this specific contract.
Oracle Corporation (ORCL) — Gravity Score: 3/10
Oracle’s play here is infrastructure, not analytics. The company provides FedRAMP-authorized cloud environments — including its national security-cleared Oracle National Security Regions — that host sensitive federal analytics workloads. As TRM Labs scales from a $1.5M software tool to a $94M operational platform inside DHS, the cloud infrastructure requirements scale with it.
TRM Labs operates in a FedRAMP-compliant environment, and Oracle’s federal cloud is a candidate to host that kind of sensitive, cleared workload. The connection is plausible but two layers removed — there’s no verified named relationship between TRM and Oracle specifically.
The score is a 3. The federal cloud growth story is real for Oracle, but this contract’s link to that story is indirect at best.
ICTS International N.V. (ICTS) — Gravity Score: 2/10
ICTS is a homeland security services company — it operates in the same DHS procurement ecosystem as TRM Labs. The thematic connection is that the TRM award demonstrates DHS’s willingness to issue large, sole-source contracts to specialized technology providers, and that’s a procurement pattern that advantages specialist incumbents across DHS mission areas generally.
That said, ICTS doesn’t do anything close to blockchain forensics. There’s no product overlap, no verified customer overlap, no operational connection to the Cyber Disruption Center mission. The score is a 2 because this is as thin as ecosystem connections get — it’s a sector neighbor, not a partner.
How They’re Trading
CLBT · Gravity 8/10 · $16.13 · Day +1.19% · Since event +4.4% · Month +23.6%
COIN · Gravity 7/10 · $157.37 · Day -1.07% · Since event -1.17% · Month -7.22%
PLTR · Gravity 6/10 · $130.04 · Day +2.56% · Since event +3.43% · Month -3.47%
MA · Gravity 5/10 · $537.70 · Day +2.08% · Since event +2.92% · Month +9.59%
NICE · Gravity 5/10 · $103.48 · Day +3.75% · Since event +9.12% · Month +19.57%
VRNS · Gravity 4/10 · $45.38 · Day +1.91% · Since event +8.33% · Month +33.9%
ORCL · Gravity 3/10 · $131.54 · Day -6.47% · Since event -7.69% · Month -31.72%
ICTS · Gravity 2/10 · — · Day — · Since event — · Month —
The most interesting thing in these numbers is that NICE and VRNS — both scoring lower on gravity than COIN — have moved more since the event. NICE is up 9% and VRNS up 8% since July 1, while COIN is essentially flat. Some of that is sector rotation and some is earnings-adjacent momentum, but it’s worth watching whether the market is pricing financial crime compliance more directly into this story than crypto exchange exposure. ORCL’s -31.72% month is its own separate situation and has nothing to do with this contract.
The Synergy Thesis
Cellebrite (CLBT)
Every crypto crime investigation that scales inside DHS expands the addressable workflow for Cellebrite’s device forensics platform. Seized devices are the starting point; blockchain analytics are the follow-on. Cellebrite’s FedRAMP High clearance, achieved just weeks before this contract became public, removes the main friction for expanded federal deployment. The TRM Labs award is a direct demand catalyst for the platform that generates the evidence TRM Labs then traces on-chain.
Coinbase (COIN)
Coinbase becomes more operationally critical, not less, as federal blockchain forensics scale. Its on-chain data, KYC records, and freeze-coordination capabilities are the real-world endpoints that forensics tools resolve to — every investigation that TRM Labs runs for HSI may eventually knock on Coinbase’s door for records or a freeze. The expanding federal enforcement budget also validates Coinbase’s compliance infrastructure buildout for institutional clients and strengthens its regulatory legitimacy at a moment when stablecoin legislation is moving through Congress.
Palantir (PLTR)
The TRM Labs award validates Palantir’s entire federal contracting thesis: that mission-specific, AI-native analytical platforms with high switching costs command sole-source, non-competed contracts. As crypto-crime cases proliferate through agencies already running Gotham, the logical next step is blockchain intelligence data integrated into the platform where federal analysts already work. Palantir doesn’t have to win the forensics contract — it wins when the forensics contract generates more investigative case volume for the platform it already powers.
Mastercard (MA)
The TRM contract re-rates the IP Mastercard holds through CipherTrace. As stablecoin regulation mandates AML and sanctions screening for digital dollar issuers, Mastercard’s combination of payment network reach and blockchain analytics capability puts it in a uniquely defensible position to become the compliance infrastructure layer for regulated digital payments. Federal validation of large-budget blockchain forensics spending strengthens the business case for continuing to invest in that capability.
NICE Ltd. (NICE)
The DHS Cyber Disruption Center targets fraud and sextortion alongside crypto-specific crime — categories that run through traditional financial rails that NICE Actimize already monitors. Federal validation of large AI-driven financial crime analytics contracts creates a favorable re-rating environment for NICE’s government and enterprise compliance revenue. As crypto crime increasingly bleeds into traditional financial fraud, the hybrid on-chain/off-chain analytics positioning that NICE can offer becomes more valuable to both regulators and financial institutions.
Varonis (VRNS)
Ransomware is explicitly on the DHS Cyber Disruption Center’s target list, and Varonis’s tools detect ransomware attackers during the network infiltration phase — before the crypto payment that TRM Labs would then trace. A federal budget that funds post-transaction blockchain tracing strengthens the case for funding pre-transaction network detection, and Varonis’s existing federal clearances position it to benefit from the same procurement trend. The connection is adjacent but the ransomware disruption mission is genuinely shared.
Oracle (ORCL)
As TRM Labs’ DHS engagement scales from a software license to a full operational platform, cloud and data infrastructure requirements scale proportionally. Oracle’s FedRAMP High-authorized GovCloud and its national security-cleared cloud environments are candidates for hosting the kind of sensitive, classified-adjacent analytics workloads that a $94M federal engagement generates. The link to this specific contract is unverified, but the federal cloud growth trend is real and this is the kind of contract that drives it.
ICTS International (ICTS)
The TRM Labs award demonstrates that DHS is willing to issue large, sole-source contracts to specialized technology providers in mission-critical analytical support categories. For ICTS, which operates in the broader DHS services ecosystem, that’s a favorable procurement trend in the same agency family — but the product and customer overlap with blockchain forensics is essentially nonexistent. The synergy here is thematic at best.
Sector Trajectory
The TRM Labs DHS award marks a structural inflection point: blockchain intelligence has graduated from a discretionary law enforcement tool to a funded, mission-critical federal infrastructure category. The sole-source designation and the $94.7M contract size aren’t just big numbers — they signal that DHS views TRM’s multi-chain forensics capability as irreplaceable. That’s the designation that historically precedes a wave of competitive awards as other agencies seek similar capabilities and vendors race to qualify.
The ripple phase this event creates is what we’d call a halo-then-re-rating sequence. In the near term, the halo effect elevates all credible blockchain analytics and digital forensics vendors — federal budget legitimacy spills into commercial and regulatory conversations, and every compliance team at every bank suddenly has a new data point for why this budget line exists. That’s the phase we’re in right now.
Over the following 12 to 24 months, the sector faces re-rating as the market prices in recurring government revenue streams for forensics-as-a-service models. The pattern is familiar. When geospatial intelligence received its first nine-figure federal contracts in the early 2000s, it triggered a consolidation cycle in which larger defense and intelligence primes acquired specialist vendors. The same dynamic played out in AI-driven signals intelligence in the 2010s. The window for pure-play exposure compressed as the big primes moved in.
For the public ecosystem names here, the most durable positions belong to companies already embedded in the federal investigative workflow — Cellebrite, with its device-to-blockchain pipeline — and those with existing crypto compliance infrastructure at scale — Coinbase and Mastercard through CipherTrace. Broad government AI platforms like Palantir can absorb blockchain intelligence as a new data layer without needing to win the forensics contract directly. The consolidation dynamic, when it arrives, raises the strategic value of any remaining independent specialists in this space — even though TRM Labs itself, for now, stays private.
The Market Gravity Newsletter is an educational publication. Nothing here is investment advice or a recommendation to buy or sell any security. We highlight relationships and market context only. Gravity Scores measure relationship strength and exposure, not investment merit. Do your own research. The publisher may or may not hold positions in securities mentioned.


