โ† Back to Blog

Blockchain Investigations: How Forensic Investigators Trace Stolen Crypto in 2026

Editorial illustration of a blockchain investigation trace, flow from victim wallet through obfuscation layers to an identified exchange endpoint with KYC data

People come to me with one of two mental models. Half think a forensic investigator is going to wave a magic wand and recover their funds. The other half have already given up because "once crypto is gone it's gone." Both are wrong, and the truth in the middle is what this whole field actually is.

Blockchain investigations are the structured analysis of on-chain transaction data to trace cryptocurrency, attribute wallets to controlling entities, identify exchange endpoints, and produce documented evidence usable by law enforcement, courts, and compliance teams. This is the complete 2026 working guide to how that work actually gets done, from the first transaction hash to a finished evidence package. It covers the tools, the techniques, the AI-assisted methods, the public-private partnerships, the cross-border legal mechanisms, and the real case studies (Ronin Bridge, Tornado Cash, ChipMixer, FTX, Bitcoin Fog) that define the modern practice.


Why Blockchain Tracing Is Possible at All

The foundational characteristic that makes blockchain forensics possible is also the one that confuses most people: the blockchain is a permanent, public record of every transaction ever made.

When you send Bitcoin or Ethereum, that transaction is broadcast to a network of nodes, validated, and written into a block that's cryptographically chained to every previous block. It can't be edited, deleted, or hidden. The sender address, recipient address, amount, and timestamp are visible to anyone in the world, forever.

This is the opposite of how most people imagine crime. In a cash-based crime, the physical money is hard to trace. In a cryptocurrency fraud, the money is easy to trace, the challenge is connecting the cryptographic addresses to real-world identities. That is the core work of blockchain forensics.

The key insight

Wallet addresses are pseudonymous, not anonymous. They don't come with names attached, but they do come with permanent transaction histories, behavioral patterns, and eventual connections to exchanges that hold verified identity data. Following those connections is the investigator's job.


Tools Blockchain Investigators Use in 2026

Modern blockchain investigations rely on a stack of commercial intelligence platforms, open-source tooling, and OSINT methods. Skilled investigators rarely depend on a single platform, different tools excel at different chain types, attribution depth, and visualization needs.

Commercial Intelligence Platforms

  • Chainalysis, market leader; Reactor for case investigation, KYT for compliance. Used by most U.S. federal law enforcement (FBI, IRS-CI, Secret Service, DEA).
  • TRM Labs, fastest-growing competitor; TRM Forensics for case work; particularly strong on Tron and stablecoin coverage. Heavily used by exchanges and federal agencies.
  • Elliptic, UK-based, dominant in European law enforcement; Investigator for case work, Lens for screening. Strong DeFi protocol attribution.
  • Crystal Intelligence, strong visualization, behavioral profiling, and dark market attribution.
  • Merkle Science, Singapore-based, predictive risk scoring, strong APAC coverage.

Open-Source and OSINT Tools

  • Block explorers, Etherscan, BscScan, Tronscan, Solscan, Blockchain.com. Foundation of any trace.
  • Arkham Intelligence, community-sourced wallet labeling; surprisingly strong on whale wallets, exchanges, known criminal addresses.
  • Breadcrumbs.app, graph-based wallet visualization useful for stakeholder presentations.
  • MetaSleuth, visualization tool from BlockSec, strong for EVM chains.
  • MetaSuites, browser extension overlaying additional context onto block explorers.
  • DefiLlama, Dune Analytics, Nansen, DeFi-focused analytics complementing traditional tracing.
  • OSINT tooling, Telegram and Discord scrapers, GitHub/leaked-database search, social media wallet correlation.

For a deeper comparison of these platforms, see our blockchain intelligence platforms guide.


Step 1: Case Intake and Transaction Mapping

STEP 01

Building the Starting Point

Input: victim's transaction records ยท Output: verified starting node

Every investigation starts with a transaction hash, the unique identifier for each blockchain transaction. This is the receipt for what was sent. From the transaction hash, the investigator pulls the full transaction record: the sending address, the receiving address, the amount, the fee, the timestamp, and the block it was confirmed in.

At this stage, the investigator verifies the victim's account of events against the on-chain record. Amounts, timing, and addresses are confirmed. This sounds simple but it's critical, discrepancies between what the victim believed they were sending and what the chain actually records can reveal important aspects of the fraud mechanism (for example, address substitution attacks where a scammer intercepts and replaces a destination address).

What the investigator needs from you: Transaction hash (TXID) for every transfer you made to the scammer, your sending wallet address or exchange account, approximate dates, and any wallet addresses you were given by the scammer. The more complete this starting data, the more full the trace.

Step 2: Transaction Graph Analysis

STEP 02

Following the Money Forward

Input: receiving wallet address ยท Output: complete forward transaction graph

Once the receiving wallet address is confirmed, the investigator begins following the money forward, tracing every later transaction from that wallet onward. This is called forward tracing or building a transaction graph.

In a typical fraud case, funds don't sit in the initial receiving wallet for long. Within minutes to hours, they're moved, usually split across multiple addresses simultaneously. A $200,000 deposit might immediately become 10 separate transactions of $20,000 each to 10 different wallets. Each of those wallets then moves funds again. The graph expands rapidly.

The investigator maps this entire graph, every wallet address involved, every transaction connecting them, every amount and timestamp. Specialist blockchain analysis software renders this as a visual flow diagram: a web of nodes (addresses) connected by edges (transactions). This diagram becomes the core exhibit in the forensic report.

Why fan-out splitting doesn't defeat tracing: Scammers split funds to make individual transaction amounts harder to follow and to distribute across multiple wallets so no single seizure captures everything. But it doesn't make the funds invisible, it just makes the graph wider. Every split is visible on-chain, and all branches can be followed simultaneously.

Step 3: Wallet Clustering and Entity Attribution

STEP 03

Connecting Wallets to Actors

Input: transaction graph ยท Output: identified wallet clusters and attributed entities

Not every wallet in the transaction graph is a different person. Sophisticated scam operations control hundreds of wallets, all managed by the same underlying entity. Wallet clustering is the process of identifying which wallets are controlled by the same actor.

The most powerful clustering technique on Bitcoin is common input ownership heuristic: when multiple input addresses are used in a single transaction, they're almost certainly controlled by the same entity (because signing a transaction with multiple inputs requires the private keys for all of them). This single analytical principle, applied systematically across a transaction graph, often reveals that what appeared to be 50 separate actors is actually 5โ€“8 controlled clusters.

On Ethereum and EVM chains, different heuristics apply, including nonce analysis, gas payment patterns, contract interaction timing, and address derivation patterns that suggest shared wallet infrastructure. On Tron (commonly used for USDT scams), address reuse patterns and contract interaction patterns are particularly revealing.

Beyond heuristics, entity attribution connects identified clusters to known entities: centralized exchanges (whose deposit addresses are catalogued in threat intelligence databases), known scam operation wallet sets that have appeared in prior cases, darknet market addresses, and addresses before flagged by other law enforcement agencies.

What attribution means in practice: When a cluster of wallets is attributed to "Binance hot wallet infrastructure," it means funds reached Binance and are likely tied to a user account there. When a cluster matches a known pig butchering operation's wallet pattern, it connects your case to a larger investigation with potentially more resources behind it.

Step 4: Obfuscation Layer Analysis

STEP 04

Tracing Through Mixers, Bridges, and Swaps

Input: transaction graph with obfuscation events ยท Output: continued trace beyond obfuscation

Sophisticated fraud operations use obfuscation techniques to deliberately break the traceability chain. Encountering these is common in high-value investigations. They aren't dead ends, they're recognizable patterns that investigators are trained to analyze and continue through.

Coin Mixers (Bitcoin)

CoinJoin and similar mixing protocols combine inputs from multiple users into a single transaction with multiple outputs, obscuring which input funded which output. The classic response is timing analysis: matching input and output amounts by timing and value, identifying which post-mix addresses later behave consistently with the pre-mix wallet's patterns. Advanced statistical demixing methods can dramatically narrow the field of likely post-mix addresses.

Tornado Cash (Ethereum)

Tornado Cash pools deposits into fixed denominations and allows withdrawal to a fresh address. The key analytical use point is timing and denomination correlation combined with post-withdrawal behavioral analysis, fresh addresses that immediately interact with the same DeFi protocols, same contract types, or same exchange deposit addresses as the pre-Tornado source are strong clustering signals.

Cross-Chain Bridges

Bridges move value from one blockchain to another, converting ETH on Ethereum to WETH on BNB Chain, for example. The bridge transaction itself is public on both chains. An investigator follows the outgoing transaction on Chain A to the bridge contract, then identifies the corresponding inbound transaction on Chain B by matching amounts, timing, and bridge transaction identifiers. The trace continues on the new chain using the same methodology.

DEX Swaps and Token Conversions

Swapping USDT to ETH or BTC to USDC on a decentralized exchange creates a new token type but doesn't break the wallet-level trace, the same wallet address now holds a different asset. The investigator continues tracing the wallet, not the specific token denomination.

Real-world example: the Bybit hack (February 2025)

The Bybit exchange theft of $1.46 billion in ETH on February 21, 2025, the largest exchange-related crypto theft in history, attributed to the DPRK-affiliated Lazarus Group, is the textbook public example of a sophisticated multi-layer obfuscation pattern. Within minutes of the theft, the attacker's primary wallet (0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2) fragmented the stolen ETH into 40 separate 10,000-ETH transactions, swapped staked-ETH variants through ParaSwap and BreederDodo, then bridged to Bitcoin via Thorchain and the eXch instant-exchange before mixing through Cryptomixer and Wasabi Wallet. Forensic tracing through this pattern uses every technique above in combination: timing/denomination correlation across the fragmentation layer, DEX-swap continuation, bridge-to-bridge identification, and post-mix behavioral clustering. The key takeaway is that obfuscation rarely uses one technique in isolation, sophisticated operators stack them, and effective tracing requires understanding the full pipeline. We walk through the full Bybit attack and recovery in our dedicated Bybit hack forensic walkthrough.


Step 5: Exchange Deposit Identification

STEP 05

Finding the Real-World Exit Point

Input: traced wallet graph ยท Output: identified exchange deposit address and platform

The most actionable finding in a fraud investigation is identifying exactly which centralized exchange received the funds, and at which deposit address. This is the point where the pseudonymous on-chain world connects to real-world verified identity.

Centralized exchanges like Binance, Coinbase, Kraken, OKX, and Huobi assign unique deposit addresses to each verified user. These deposit addresses are known to forensic databases, threat intelligence providers maintain vast catalogues of exchange-attributed addresses. When a traced wallet sends funds to an address flagged as belonging to Binance's deposit infrastructure, the investigator has found a critical endpoint.

That deposit address is tied to a specific verified user account. That account has a registered email, phone number, government ID, and often a selfie submitted during KYC verification. This is the data that law enforcement can subpoena. This is the data that enables a civil attorney to file an emergency asset freezing order. This is why exchange deposit identification is the primary goal of most fraud investigations.

What happens next depends on the exchange: US-regulated exchanges (Coinbase, Kraken, Gemini) are subject to federal subpoenas. Major international exchanges (Binance, OKX) vary in their cooperation levels but do respond to law enforcement requests from certain jurisdictions. Smaller, unregulated exchanges may be the endpoint of laundering specifically because they're harder to compel. The investigator's report documents which type of exchange was identified, which directly informs what legal options are realistic.

Step 6: From On-Chain Data to Legal Evidence

Raw blockchain data, transaction hashes, wallet addresses, cluster maps, is accurate but not self-explaining. A forensic report transforms that data into documented evidence that law enforcement, courts, and regulatory bodies can evaluate and act on.

๐Ÿ“Š

Transaction Flow Diagram

A visual map of every wallet address and transaction in the traced graph, annotated with amounts, dates, and entity attributions where identified. This exhibit communicates the money flow to non-technical audiences, judges, law enforcement agents, and juries.

๐Ÿ“

Methodology Documentation

A written explanation of every analytical technique applied, every data source consulted, and every inference made, with the reasoning documented. This allows the findings to be independently verified and withstands cross-examination in legal proceedings.

๐ŸŽฏ

Findings and Conclusions

A plain-language summary of where the funds went, which entities controlled which wallets, which exchange(s) received the funds, and what the on-chain evidence does and doesn't support. Conclusions are stated with appropriate confidence levels, "strongly consistent with," "consistent with," "possible but unconfirmed."

๐Ÿ›๏ธ

Law Enforcement Submission Package

The report formatted for submission to the FBI IC3, relevant federal agencies, or international bodies, including a cover letter, case summary, and the full technical appendix with all transaction data. This gives investigators an actionable starting point rather than a raw data dump.


AI and Automation in Blockchain Investigations

AI is increasingly central to modern blockchain investigations, but its role is augmentation, not replacement. The dominant 2026 pattern is human-in-the-loop AI: machines do the volume work, investigators make the high-stakes calls.

Where AI is genuinely useful

  • Pattern recognition at scale, surfacing anomalies across millions of transactions that no human could review manually
  • Cross-case clustering, finding wallet pattern matches between an active investigation and historical case data
  • Risk scoring, real-time exchange compliance use cases where every deposit needs a fast triage decision
  • Triage and sorting, letting investigators focus their time on the most promising leads rather than manual graph exploration
  • Mixer-output probability modeling, narrowing down likely post-mix addresses faster than purely manual demixing

Where AI alone is dangerous

  • Court-bound attribution, Daubert and FRE 702 require documented methodology that an AI black box can't always supply
  • Cross-examination defense, an investigator who can't explain why the AI reached a conclusion will lose under cross
  • False-positive risk, clustering heuristics are probabilistic; high-confidence AI outputs need human verification before being acted on
  • Edge cases, novel laundering patterns, intent protocols, and sophisticated mixers still require expert judgment to interpret

The INTERPOL guidance is right: think in data, not in tools. AI is a force multiplier when investigators understand the underlying analysis well enough to validate its outputs. It isn't a substitute for that understanding.


Public-Private Partnerships and Law Enforcement Collaboration

Modern blockchain investigations rarely happen in isolation. The most consequential cases involve coordinated work across forensic firms, exchange compliance teams, federal agencies, and international counterparts.

How the layers actually fit together

  • Independent forensic firms produce documented, court-ready reports for victims, attorneys, and law enforcement. They do the technical work that resource-constrained agencies don't always have bandwidth for.
  • Exchange compliance teams, at Binance, Coinbase, Kraken, OKX, and others, respond to law enforcement requests, freeze flagged accounts, and increasingly cooperate with civil court orders identifying specific deposit addresses.
  • Federal agencies (FBI, IRS-CI, Secret Service, DEA) issue subpoenas, pursue arrests, and coordinate seizures. The FBI's Internet Crime Complaint Center (IC3) is the central intake; the Virtual Asset Exploitation Unit (VAXU) and DOJ's National Cryptocurrency Enforcement Team (NCET) handle the largest cases.
  • International counterparts, Europol, INTERPOL, NCA (UK), Action Fraud (UK), AFP (Australia), BKA (Germany), and others, collaborate via formal channels and increasingly through informal practitioner networks.

Why the coordination matters

A trace that ends at a Binance deposit address is just on-chain analysis. A trace that ends at a Binance deposit address plus an FBI referral that prompts Binance compliance to freeze the account before withdrawal is a recovery. The investigator's value is often less about the trace itself and more about understanding which combination of partners turns the trace into action.


Cross-Border Investigations and MLAT

Blockchain data is the same in every jurisdiction. The trace is unaffected by borders. What changes is the recovery pathway, and crypto fraud is overwhelmingly cross-border, so this matters.

Mutual Legal Assistance Treaties (MLAT)

MLATs enable U.S. authorities to formally request evidence and asset freezes from cooperating foreign jurisdictions. For an MLAT request to be effective in a crypto case, it needs the same precision a U.S. subpoena needs: specific exchange, specific deposit address, specific transaction hash, specific date. A forensic report supplies that predicate. Without it, MLAT requests are often too broad to advance.

Civil discovery across borders

Some jurisdictions allow civil asset recovery actions against cryptocurrency held at regulated exchanges with local legal entities. The forensic report establishes the chain of custody from theft to deposit; local counsel pursues the asset freeze. This pathway has succeeded in recovering funds in the U.S., U.K., Singapore, and other hubs where major exchanges have local presence.

Practitioner networks

Beyond formal channels, the modern blockchain investigations community functions partly as a global practitioner network, investigators at Chainalysis, TRM, Elliptic, federal agencies, and independent firms share threat intelligence informally on case patterns, known scam infrastructure, and emerging laundering routes. This informal layer accelerates many investigations well beyond what formal channels alone could deliver.


Notable Real-World Blockchain Investigation Case Studies

Five public cases that illustrate the methodology in action, from clean exchange-deposit identifications to probabilistic mixer attribution under court scrutiny.

2022 ยท ATTRIBUTION + FREEZE

Ronin Bridge / Lazarus Group

$625M drained from Axie Infinity's bridge. Public blockchain forensics attributed the hack to North Korea's Lazarus Group within days. U.S. Treasury OFAC sanctioned the wallets used; portions of funds were frozen at exchanges. Textbook cluster-based attribution plus public-private cooperation.

2022โ€“2024 ยท MIXER PROSECUTION

Tornado Cash Sanctions

OFAC sanctioned a smart contract for the first time in August 2022. DOJ prosecutions of Roman Storm and Alexey Pertsev relied heavily on probabilistic mixer-output attribution, establishing that smart-contract level forensics meet evidentiary standards.

2023 ยท POST-SEIZURE ATTRIBUTION

ChipMixer Takedown

U.S. and German authorities seized ChipMixer in March 2023, surfacing $3B in historical mixed-fund records. Showed that centralized mixers offer anonymity until they don't, a single seizure can render years of laundering activity transparent.

2021โ€“2024 ยท ADMISSIBILITY PRECEDENT

U.S. v. Sterlingov (Bitcoin Fog)

Conviction of the alleged Bitcoin Fog operator relied substantially on Chainalysis Reactor expert testimony. Defense Daubert challenges to clustering methodology were considered and denied. Leading U.S. precedent for the admissibility of commercial-platform blockchain forensic evidence.

2022โ€“2024 ยท BANKRUPTCY & VALUATION

FTX Bankruptcy Forensics

One of the largest crypto bankruptcy proceedings in history. Forensic analysis of the FTX wallet infrastructure, Alameda Research transfers, and customer fund movements has been central to creditor recovery efforts and the criminal prosecution of Sam Bankman-Fried.

ONGOING ยท COMPOUND ATTRIBUTION

SE Asia Pig Butchering Compounds

Federal investigations into Cambodian, Myanmar, and Laotian fraud compounds rely on cross-victim wallet clustering, identifying that funds from many individual victims consolidate into common compound infrastructure. See our SE Asia compound breakdown.


Court Admissibility (FRE 702 / Daubert)

Blockchain investigation reports are routinely admitted in U.S. federal civil and criminal proceedings under Federal Rule of Evidence 702 and the Daubert standard. The methodology meets all four Daubert factors: it is testable (every trace is reproducible from the public ledger), has known error rates (clustering heuristics have documented false-positive modes), is subject to peer review and publication, and has gained general acceptance across academia, government, and the commercial intelligence industry.

For attorneys evaluating blockchain evidence in litigation, admissibility considerations, expert witness preparation, TRO/asset freeze workflows, see our complete attorney guide to blockchain forensic evidence in federal civil litigation.


What Blockchain Investigations Can't Do

Being honest about limitations is part of what makes forensic methodology credible. There are things that blockchain analysis genuinely can't accomplish, and overstating its capabilities does victims a disservice.

โœ• Can't reverse transactions

Confirmed blockchain transactions are permanent. No forensic technique, no law enforcement action, and no technology can alter the blockchain record. Funds that have moved can't be "sent back" through on-chain means, recovery requires action at the exchange or legal level.

โœ• Can't guarantee identity from address alone

A wallet address is cryptographic, it identifies a key, not a person. Forensic analysis can attribute an address to an exchange account or a known entity. Identifying the specific human behind it requires exchange KYC data, which requires law enforcement action.

โœ• Can't compel foreign exchange cooperation

Even if funds are definitively traced to an exchange account at an overseas platform, compelling that exchange to disclose account holder identity requires the legal jurisdiction to do so, which may or may not exist depending on the exchange's country of operation.

โœ• Can't always trace through all mixers

High-volume mixing pools with large anonymity sets create genuine uncertainty that can't always be resolved analytically. In these cases, the trace documents where funds entered the mixer and, where possible, where they exited, with an appropriate confidence level applied to the post-mix attribution.

The bottom line

Blockchain forensics builds the strongest possible evidentiary foundation for every legitimate recovery path. It doesn't recover funds directly, it creates the documented evidence that law enforcement and civil attorneys need to pursue action through channels that can. See how Wallet Witness approaches investigations โ†’


Frequently Asked Questions About Blockchain Investigations

What are blockchain investigations?

Blockchain investigations are the structured analysis of on-chain transaction data to trace cryptocurrency, attribute wallets to controlling entities, identify exchange deposit endpoints, and produce documented evidence usable by law enforcement, courts, and compliance teams. They combine transaction graph analysis, wallet clustering, OSINT correlation, and entity attribution to convert pseudonymous blockchain data into actionable investigative intelligence.

How do blockchain investigators trace stolen cryptocurrency?

The standard process is six steps: (1) intake and verify the victim's transaction hashes, (2) build a forward transaction graph from the receiving wallet, (3) cluster related wallets and attribute them to known entities, (4) trace through obfuscation layers like mixers and bridges, (5) identify the exchange deposit address that received the funds, and (6) package findings into a forensic report formatted for law enforcement and court submission.

What tools do blockchain investigators use?

Commercial platforms include Chainalysis Reactor, TRM Labs Forensics, Elliptic Investigator, Crystal Intelligence, and Merkle Science. Open-source and OSINT tools include Etherscan, Tronscan, Arkham Intelligence, Breadcrumbs, MetaSleuth, and MetaSuites browser extensions. Skilled investigators combine multiple tools rather than relying on a single platform.

Can blockchain investigations recover stolen funds?

Blockchain investigations don't recover funds directly, they produce the documented evidence that enables recovery through other channels. A successful trace identifies an exchange deposit address tied to a verified user account, which law enforcement can subpoena or a civil attorney can target with an asset freeze order. Recovery rates vary by speed, exchange cooperation, and jurisdiction.

How is AI used in blockchain investigations in 2026?

AI assists pattern recognition across thousands of transactions, large-scale wallet clustering, anomaly and risk-score detection, and automation of repetitive triage work. It augments rather than replaces investigator judgment, high-stakes attribution and court-bound conclusions still require human verification, documented methodology, and stated confidence levels. The dominant pattern is human-in-the-loop AI, not autonomous attribution.

How do blockchain investigators work with law enforcement and exchanges?

Public-private partnerships are central to modern blockchain investigations. Forensic firms produce documented reports that federal agencies (FBI, IRS-CI, Secret Service) can immediately act on with subpoenas and asset seizure tools. Major exchanges have dedicated compliance teams that respond to law enforcement requests and, increasingly, to civil court orders identifying specific deposit addresses. The investigator often acts as the bridge between the victim, the legal system, and the exchange.

Are blockchain investigations admissible in court?

Yes. Blockchain forensic reports have been admitted in U.S. federal civil and criminal proceedings under FRE 702 and Daubert, as well as in international courts. Notable precedents include U.S. v. Sterlingov (Bitcoin Fog), U.S. v. Storm and U.S. v. Pertsev (Tornado Cash), and SEC and CFTC enforcement actions. Admissibility turns on documented methodology, reproducible findings, and explicit confidence levels.

Can blockchain investigations work across borders?

Yes, blockchain data is the same in every jurisdiction, so the trace itself is unaffected by borders. What changes is the recovery pathway: cross-border action requires Mutual Legal Assistance Treaty (MLAT) requests, civil discovery in cooperating jurisdictions, or coordinated work via Europol, INTERPOL, and bilateral law enforcement channels. A forensic report identifying a specific exchange and account is the predicate for any of these mechanisms.

Need a Blockchain Investigation for Your Case?

Initial case assessments are free. Tell us what happened, we'll scope the investigation, assess traceability, and respond within 24 hours.

Start a Free Case Review

Zack Coffing, Wallet Witness

Independent blockchain forensic investigation practice specializing in cryptocurrency fraud, pig butchering investigations, and digital asset tracing. Serving victims, law firms, and law enforcement worldwide. Learn more โ†’