Introduction
Cryptocurrency crime investigation requires specialized knowledge and tools. Unlike traditional financial investigations where banks provide records, crypto investigations involve analyzing public blockchain data, identifying wallet owners, and tracing complex transaction patterns. This part covers the core techniques used by investigators worldwide.
By the end of this part, you will understand transaction tracing methodologies, be able to use blockchain explorers, understand wallet clustering concepts, know about mixers/tumblers and how to analyze them, and be familiar with commercial investigation tools.
Transaction Tracing
Transaction tracing is the fundamental skill in cryptocurrency investigation. It involves following the flow of funds from one address to another on the blockchain.
Basic Tracing Methodology
- Identify Starting Point: Get the initial address from victim/complaint (deposit address, scam wallet, etc.)
- Gather Transaction History: Pull all incoming and outgoing transactions for the address
- Analyze Flow: Track where funds came from and where they went
- Identify Patterns: Look for consolidation, splitting, or mixing patterns
- Attribution: Link addresses to known entities (exchanges, services, individuals)
- Document: Create visual maps and preserve evidence
Transaction Analysis Concepts
UTXO Model (Bitcoin)
Transactions consume unspent outputs and create new ones. Understanding input-output relationships is key.
Account Model (Ethereum)
Addresses maintain balances that increase or decrease with each transaction, so balance changes are simpler to track than UTXO flows.
Change Addresses
Bitcoin transactions often send "change" back to a new address owned by the sender.
Hop Analysis
Counting how many transactions separate the crime from known endpoints (exchanges).
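As an added illustration of hop analysis (not part of the original module), the following Python code walks a small constructed set of transactions forward from a starting address and reports how many transactions separate it from each labelled exchange deposit address. The ledger, the address names and the exchange labels are all constructed for the example.

```python
from collections import deque

# Constructed sample ledger (not real chain data). Each transaction lists the
# addresses that funded its inputs and the addresses that received its outputs.
TXS = [
    {"txid": "tx1", "inputs": ["scam1"], "outputs": ["mule1", "scam_change"]},
    {"txid": "tx2", "inputs": ["mule1"], "outputs": ["mule2", "mule3"]},
    {"txid": "tx3", "inputs": ["mule2"], "outputs": ["exchA_dep"]},
    {"txid": "tx4", "inputs": ["mule3"], "outputs": ["mule4"]},
    {"txid": "tx5", "inputs": ["mule4"], "outputs": ["exchB_dep"]},
]

# Labels an investigator would take from explorer tags or an attribution database.
KNOWN_ENDPOINTS = {"exchA_dep": "Exchange A", "exchB_dep": "Exchange B"}


def build_spend_graph(txs):
    """Map each funding address to its (txid, destination address) edges."""
    graph = {}
    for tx in txs:
        for src in tx["inputs"]:
            for dst in tx["outputs"]:
                graph.setdefault(src, []).append((tx["txid"], dst))
    return graph


def trace_to_endpoints(start, txs, endpoints, max_hops=10):
    """Breadth-first forward trace from `start`.

    Returns {endpoint_address: (hops, [txids on the shortest path])}; hops is the
    number of transactions between the starting address and the endpoint. The trace
    stops at an endpoint: beyond it the exchange's own records are needed, not the chain.
    """
    graph = build_spend_graph(txs)
    found = {}
    queue = deque([(start, 0, [])])
    seen = {start}  # BFS: the first visit to an address is its shortest hop count
    while queue:
        addr, hops, path = queue.popleft()
        if addr in endpoints:
            found[addr] = (hops, path)
            continue
        if hops >= max_hops:
            continue
        for txid, nxt in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1, path + [txid]))
    return found
```

The `max_hops` bound is what keeps the trace from wandering indefinitely once funds are split across many branches.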
Attribution Methods
| Method | Description | Reliability |
|---|---|---|
| Exchange Identification | Matching addresses to known exchange deposit addresses | High |
| OSINT | Finding addresses posted publicly (forums, social media) | Variable |
| Common Spend Analysis | Addresses spent together likely belong to same entity | High |
| Change Detection | Identifying change outputs to link addresses | Medium |
| Behavioral Analysis | Transaction timing, amounts, and patterns | Medium |
Every step of the tracing process must be documented with screenshots, transaction IDs, and timestamps. Blockchain data is permanent, but your analysis and interpretation need proper documentation for court admissibility.
Blockchain Explorers
Blockchain explorers are web-based tools that allow anyone to search and view blockchain data. They are the primary free tool for cryptocurrency investigation.
Popular Blockchain Explorers
| Blockchain | Explorer | URL |
|---|---|---|
| Bitcoin | Blockchain.com | blockchain.com/explorer |
| Bitcoin | Blockstream | blockstream.info |
| Ethereum | Etherscan | etherscan.io |
| BNB Chain | BscScan | bscscan.com |
| Multi-chain | Blockchair | blockchair.com |
| Monero | XMRchain | xmrchain.net |
Information Available from Explorers
- Address Balance: Current and historical balance
- Transaction History: All transactions involving an address
- Transaction Details: Inputs, outputs, fees, timestamps, confirmations
- Block Information: Block number, timestamp, miner, transactions
- Token Transfers: ERC-20 and other token movements (Ethereum)
- Smart Contract Data: Contract source code, internal transactions
Using Explorers Effectively
- Search by Address: Enter the address to see all activity
- Search by Transaction ID: Get details of a specific transaction
- Follow the Money: Click on destination addresses to continue tracing
- Check Labels: Many explorers label known exchange/service addresses
- Export Data: Download transaction history as CSV for analysis
When tracing funds, open multiple browser tabs - one for each address you're investigating. This allows you to easily cross-reference and follow multiple branches of the transaction tree.
Wallet Clustering
Wallet clustering is a technique to identify multiple addresses that belong to the same entity. This is crucial because criminals often use hundreds or thousands of addresses to obscure their identity.
Clustering Heuristics
Common Input Ownership
If multiple addresses appear as inputs in the same transaction, they are likely controlled by the same entity.
Change Address Detection
The "change" output of a transaction usually goes to an address owned by the sender.
Temporal Analysis
Addresses that transact at similar times or in response to the same events may be related.
Amount Pattern Analysis
Recognizing specific amount patterns (e.g., round numbers, consistent fees) across addresses.
Common Input Ownership Heuristic
This is the most reliable clustering technique. In a Bitcoin transaction, all inputs must be signed by their respective private keys. If Alice sends 0.5 BTC using inputs from Address A, Address B, and Address C, she must have the private keys for all three - strongly suggesting she owns all of them.
Limitations of Clustering
- CoinJoin: Multiple users combine their inputs in one transaction, breaking common-input heuristic
- PayJoin: Sender and receiver both provide inputs
- Exchange Addresses: Exchanges consolidate user funds, creating false clusters
- Multi-signature Wallets: Different parties may control different keys
Clustering results should be treated as investigative leads, not definitive proof. Always verify cluster attribution through additional evidence (exchange records, witness statements, etc.) before making accusations.
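The following added Python example (not from the original module) implements the common-input-ownership heuristic described above with a union-find structure, and skips transactions that look like CoinJoins so that the limitation just listed does not produce a false cluster. The transactions, address names and the CoinJoin threshold values are constructed assumptions.

```python
from collections import Counter

# Constructed sample transactions (not real chain data). Each input names the
# address whose key signed it; each output is (address, amount in BTC).
TXS = [
    {"txid": "t1", "inputs": ["A", "B"], "outputs": [("X", 0.5), ("A2", 0.19)]},
    {"txid": "t2", "inputs": ["C", "A2"], "outputs": [("Y", 0.6), ("C2", 0.08)]},
    {"txid": "t3", "inputs": ["D", "E", "F"],  # CoinJoin-style: equal-valued outputs
     "outputs": [("P", 0.1), ("Q", 0.1), ("R", 0.1), ("D2", 0.02)]},
]


class DisjointSet:
    """Union-find over addresses; co-spent addresses are merged into one set."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def looks_like_coinjoin(tx, min_inputs=3, min_equal_outputs=3):
    """Several inputs plus several equal-valued outputs is the CoinJoin signature;
    co-spend must not be applied to such a transaction. Thresholds are assumed values."""
    equal = Counter(amt for _, amt in tx["outputs"])
    return len(tx["inputs"]) >= min_inputs and max(equal.values(), default=0) >= min_equal_outputs


def cluster_by_common_input(txs):
    """Returns ({cluster_root: sorted member addresses}, [txids skipped as CoinJoin])."""
    ds, skipped = DisjointSet(), []
    for tx in txs:
        if looks_like_coinjoin(tx):
            skipped.append(tx["txid"])
            continue
        for other in tx["inputs"][1:]:  # every input co-spent with the first one
            ds.union(tx["inputs"][0], other)
    clusters = {}
    for addr in list(ds.parent):
        clusters.setdefault(ds.find(addr), []).append(addr)
    return {root: sorted(m) for root, m in clusters.items()}, skipped
```

Note that A2 (the likely change output of t1) lands in a cluster with C but not with A: co-spend alone does not link it, which is the gap the separate change-detection heuristic is meant to close.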
Mixers and Tumblers
Cryptocurrency mixers (also called tumblers) are services designed to break the transaction trail by pooling funds from multiple users and redistributing them. Understanding how they work is essential for investigators.
How Mixers Work
- Deposit: User sends cryptocurrency to mixer's address
- Pool: Funds are combined with other users' deposits
- Delay: Random time delays added to obscure timing
- Split: Funds are divided into multiple smaller amounts
- Withdrawal: User receives "clean" coins to new addresses
Types of Mixers
| Type | How It Works | Examples |
|---|---|---|
| Centralized Mixer | Custodial service that pools and redistributes | Bitcoin Fog, Helix |
| CoinJoin | Users combine transactions in a single joint transaction | Wasabi, Samourai Whirlpool |
| Decentralized Protocol | Smart contract-based mixing | Tornado Cash (now sanctioned) |
| Atomic Swaps | Swap between different cryptocurrencies | Various DEXs |
Investigating Mixed Transactions
- Pre-mix Analysis: Trace funds before they entered the mixer
- Post-mix Timing: Look for suspicious timing correlations
- Amount Analysis: Matching input/output amounts minus fees
- Mixer Identification: Recognize known mixer addresses and patterns
- Subpoena Records: Centralized mixers sometimes keep logs that can be subpoenaed, if any exist
- Chain Analysis Tools: Commercial tools can sometimes "demix" transactions
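An added example (not from the original module) of the amount and timing analysis listed above: for each deposit into a mixer, it searches the later withdrawals, singly and in small combinations, for sets whose total equals the deposit minus a plausible mixer fee. The deposit and withdrawal records, the fee bound, the time window and the split limit are constructed assumptions; any match is a lead to corroborate with other evidence, not an attribution.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed mixer deposit and withdrawal records (not real chain data).
# Amounts are in satoshis; times are UTC.
DEPOSITS = [
    {"txid": "d1", "from": "suspect1", "sats": 100_000_000, "time": datetime(2024, 1, 5, 10, 0)},
    {"txid": "d2", "from": "other1", "sats": 25_000_000, "time": datetime(2024, 1, 5, 11, 30)},
]
WITHDRAWALS = [
    {"txid": "w1", "to": "fresh1", "sats": 48_500_000, "time": datetime(2024, 1, 5, 14, 10)},
    {"txid": "w2", "to": "fresh2", "sats": 48_500_000, "time": datetime(2024, 1, 6, 2, 45)},
    {"txid": "w3", "to": "fresh3", "sats": 24_300_000, "time": datetime(2024, 1, 5, 18, 0)},
    {"txid": "w4", "to": "fresh4", "sats": 300_000_000, "time": datetime(2024, 1, 7, 9, 0)},
]


def candidate_withdrawals(deposit, withdrawals, max_fee_pct=5.0,
                          window=timedelta(hours=48), max_split=4):
    """Find sets of 1..max_split withdrawals, all after the deposit and within `window`,
    whose total equals the deposit minus a fee of at most max_fee_pct.
    Returns a list of leads; fee bound, window and split limit are assumed values."""
    later = [w for w in withdrawals
             if deposit["time"] < w["time"] <= deposit["time"] + window]
    low = deposit["sats"] * (100 - max_fee_pct) / 100
    leads = []
    for k in range(1, max_split + 1):
        for combo in combinations(later, k):
            total = sum(w["sats"] for w in combo)
            if low <= total <= deposit["sats"]:
                leads.append({
                    "deposit": deposit["txid"],
                    "withdrawals": [w["txid"] for w in combo],
                    "destinations": [w["to"] for w in combo],
                    "implied_fee_pct": round((deposit["sats"] - total) / deposit["sats"] * 100, 2),
                })
    return leads


def correlate_all(deposits, withdrawals, **kw):
    """Run the search for every deposit; returns {deposit txid: leads}."""
    return {d["txid"]: candidate_withdrawals(d, withdrawals, **kw) for d in deposits}
```

Widening the window or the fee bound increases recall but also the number of coincidental matches, so record the parameters used alongside each lead.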
In August 2022, OFAC sanctioned Tornado Cash, making it illegal for US persons to use the service. Similar regulatory actions are possible in India under PMLA. Funds that have gone through Tornado Cash are considered "tainted" and may be frozen by compliant exchanges.
Investigation Tools
While blockchain explorers are free, sophisticated investigations often require commercial tools. These provide advanced analytics, attribution databases, and visualization capabilities.
Commercial Analysis Platforms
Chainalysis
Industry-leading blockchain analytics platform used by law enforcement worldwide, including Indian agencies.
- Reactor: Visual investigation tool for tracing transactions
- KYT (Know Your Transaction): Real-time transaction monitoring
- Attribution database with millions of labeled addresses
- Support for 100+ cryptocurrencies
Elliptic
Blockchain analytics and compliance solution with a strong UK/EU presence.
- Investigator: Transaction tracing and visualization
- Navigator: Transaction screening
- Risk scoring for addresses and transactions
- DeFi and NFT analytics
CipherTrace
Cryptocurrency intelligence platform focused on compliance and investigation.
- Inspector: Transaction investigation
- Sentry: Compliance monitoring
- Attribution and risk scoring
- DeFi tracking capabilities
Free/Open Source Tools
| Tool | Purpose | Blockchain |
|---|---|---|
| OXT.me | Bitcoin address research, visual tracing | Bitcoin |
| Wallet Explorer | Bitcoin wallet identification | Bitcoin |
| Breadcrumbs | Multi-chain investigation | Multiple |
| Arkham Intelligence | Entity labeling, tracing | Multiple |
| Nansen | Ethereum analytics (freemium) | Ethereum |
Working with Indian Agencies
- ED: Enforcement Directorate uses commercial tools for PMLA cases
- State Cyber Cells: May have access through state police agreements
- I4C: Coordinating agency may assist with complex cases
- Exchange Cooperation: Indian exchanges (WazirX, CoinDCX) cooperate with law enforcement
Investigation Workflow
Step-by-Step Investigation Process
- Receive Complaint: Get initial address(es) and transaction details from victim
- Verify on Blockchain: Confirm the reported transactions actually occurred
- Map Initial Transactions: Create visual map of immediate fund flow
- Follow the Trail: Trace funds through subsequent hops
- Identify Endpoints: Look for exchange deposits, service addresses
- Cluster Analysis: Group related addresses to understand the full scope
- Request Records: Subpoena exchange KYC and transaction records
- Cross-reference: Match blockchain evidence with traditional evidence
- Document: Prepare comprehensive report with screenshots and transaction IDs
- Asset Recovery: Work with exchanges to freeze/seize identified funds
Key Takeaways
- Transaction tracing is the core skill - follow the flow of funds from address to address
- Blockchain explorers are free and essential tools for any investigator
- Wallet clustering helps identify multiple addresses belonging to the same entity
- Mixers/tumblers complicate tracing but are not impossible to investigate
- Commercial tools (Chainalysis, Elliptic) provide advanced analytics and attribution
- Exchange cooperation is crucial for identifying real-world identities
- Documentation at every step is essential for court admissibility