Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Back to Glossary

Crypto tracing

Table of contents
Crypto tracing

What is crypto tracing?

Crypto tracing, also known as blockchain tracing, is the process of tracking and analyzing cryptocurrency transactions to trace the movement of funds across blockchain networks. This process leverages the inherent transparency of blockchain technology to identify patterns, locate assets, and even attribute digital wallets to individuals or entities.

Crypto tracing plays a pivotal role in combating illicit activities such as money laundering, fraud, and ransomware payments within the cryptocurrency ecosystem.

{{horizontal-line}}

How does crypto tracing work?

Cryptocurrencies operate on blockchain networks, which are decentralized ledgers that record all transactions in a transparent and immutable way. Crypto tracing involves analyzing this data to trace the flow of funds. Here are the general steps involved in this process:

  1. Graph analysis: Investigators visualize wallets and transactions as nodes and edges to reveal patterns, address clusters, and probable entities. Techniques like wallet clustering, path analysis, and centrality metrics help identify services, mixers, and key counterparties.
  2. Address attribution: When specific wallet addresses are linked to real-world identities — through exchange Know Your Customer (KYC) data, for instance — it becomes possible to associate transactions with individuals or organizations.
  3. Flow tracking: Blockchain intelligence tools track the movement of funds across multiple wallets and chains, mapping the flow from origin to destination.
  4. Cross-ledger transaction tracking: Tools follow funds as they move between chains and assets — via bridges, centralized exchanges, and cross-chain swaps — linking transaction IDs across Bitcoin, Ethereum, Solana, and other ledgers to maintain a continuous trail.
  5. Reporting: Crypto investigators and blockchain intelligence software generates detailed reports that law enforcement, regulators, or businesses can use for investigations or compliance purposes.

{{crypto-tracing-glossary-on-vs-off-chain-data-definition}}

{{horizontal-line}}

Legal process and evidence handling

Subpoenaing KYC exchanges

To connect blockchain activity to real-world identities, investigators may subpoena or obtain court orders to retrieve customer and transaction data from exchanges that comply with KYC requirements. This typically includes account identifiers, IP logs, and transaction records linked to specific wallet addresses. Preserving the chain of custody and ensuring proper documentation are critical to maintaining the evidentiary integrity of this data in legal proceedings.

Cross-border cooperation: MLATs and letters rogatory

When relevant data or service providers are located outside the United States, authorities often rely on mutual legal assistance treaties (MLATs) or letters rogatory to formally request evidence from foreign jurisdictions. These legal mechanisms help ensure compliance with international privacy and data protection laws while supporting investigative continuity across borders.

Asset seizure and forfeiture

Once cryptocurrency funds are linked to a suspect or legal entity, courts may authorize their seizure or forfeiture. Depending on the jurisdiction and legal basis, assets may be frozen on compliant exchanges, transferred to government-controlled wallets, or otherwise secured for enforcement or restitution. Cases involving multiple jurisdictions often require coordinated efforts among international partners.

Producing courtroom-ready reporting

Tracing results used in legal proceedings must meet evidentiary standards. Analysts are expected to use validated forensic tools, document their methodologies, and maintain a defensible chain of custody. Final reports should clearly map on-chain activity to individuals or entities, supporting potential outcomes such as criminal charges, civil litigation, or asset recovery.

{{horizontal-line}}

What are some common tools and technologies used in crypto tracing?

Blockchain explorers

Blockchain explorers are public tools that allow users to view detailed transaction data on specific blockchains. These tools are essential for tracking the flow of funds and include features such as wallet addresses, transaction histories, and block details.

Examples include Etherscan (Ethereum), Blockchain.com (Bitcoin), and Solscan (Solana).

Blockchain intelligence platforms

Blockchain intelligence offers advanced analytics for tracing complex transaction patterns and identifying suspicious activities, integrating artificial intelligence and machine learning to enhance efficiency.

TRM Labs’ blockchain analytics solutions to help law enforcement and national security agencies, financial institutions, and cryptocurrency businesses detect, investigate, and disrupt crypto-related fraud and financial crime. TRM’s blockchain intelligence platform includes solutions to trace the source and destination of funds, identify illicit activity, build cases, and construct an operating picture of threats.

{{horizontal-line}}

What are the core applications of crypto tracing for law enforcement, defense agencies, crypto businesses, and regulators?

Law enforcement

Law enforcement agencies rely heavily on crypto tracing tools to investigate and prevent financial crimes involving cryptocurrencies. Applications include:

  • Money laundering investigations: Identifying and tracing illicit funds moved through cryptocurrencies to uncover money laundering operations.
  • Ransomware attack responses: Tracking ransom payments made in cryptocurrencies to pinpoint attackers and potentially recover stolen funds.
  • Fraud and scam detection: Investigating cases of fraud, phishing schemes, and Ponzi operations that utilize blockchain-based payments.
  • Dark web monitoring: Identifying transactions associated with dark web marketplaces for illegal goods or services.
  • Asset recovery: Locating and recovering stolen or fraudulently acquired cryptocurrencies by mapping transaction flows to destination wallets. Tracing determines the disposition of misappropriated funds and supports civil litigation, criminal prosecution, forfeiture, and judgment collection. Investigators produce evidentiary reports and affidavits that map flows from theft to destination wallets or cash‑out points.
  • Counter-terrorism financing: Detecting and disrupting cryptocurrency transactions linked to terrorist funding.

Defense agencies

For defense agencies, crypto tracing supports national security and intelligence operations. Key applications include:

  • Tracking illicit funding: Monitoring the use of cryptocurrencies by adversaries — including rogue states — for sanctions evasion or illegal funding activities.
  • Cybersecurity threat analysis: Identifying cryptocurrency transactions tied to state-sponsored hacking groups or cyber warfare efforts.
  • Preventing crypto-enabled espionage: Investigating the movement of funds linked to espionage networks utilizing blockchain technology.
  • Supply chain security: Monitoring cryptocurrency payments in illicit arms and technology transfers.

Crypto businesses

Crypto businesses such as exchanges, wallet providers, and payment platforms use crypto tracing to enhance compliance and security. Applications include:

  • AML and KYC compliance: Monitoring transactions to meet anti-money laundering (AML) and Know Your Customer (KYC) regulatory requirements by identifying suspicious activity and high-risk wallets.
  • Fraud prevention: Detecting unauthorized or fraudulent transactions, such as account takeovers or phishing attacks targeting users.
  • Risk scoring: Assigning risk scores to wallets or transactions to assess their likelihood of involvement in illicit activities.
  • Customer protection: Enhancing trust and safety for customers by preventing exposure to high-risk entities or transactions.
  • Market integrity: Ensuring the platform’s integrity by identifying manipulative activities, such as wash trading or pump-and-dump schemes.

Regulators

Regulatory bodies leverage crypto tracing to oversee and enforce compliance with financial laws, ensuring the integrity of financial systems. Applications include:

  • Monitoring and enforcement: Tracing cryptocurrency transactions to ensure compliance with financial regulations, including tax reporting and anti-money laundering laws.
  • Preventing market manipulation: Identifying and investigating fraudulent or manipulative trading activities within the crypto market.
  • Supporting investigations: Collaborating with law enforcement and crypto businesses to investigate illicit activities.
  • Sanction enforcement: Monitoring compliance with international sanctions by identifying transactions linked to blacklisted entities.
  • Policy development: Using insights from crypto tracing to inform the development of regulations and guidelines for the cryptocurrency ecosystem.

{{crypto-tracing-glossary-notable-cases}}

{{horizontal-line}}

What blockchain tracing can reveal — and what it can’t

Blockchain tracing uncovers patterns of crypto asset movement and wallet interactions recorded on public blockchains — but it has limitations. Investigators rely on a combination of analytical techniques and external context to assess exposure, identify risks, and support attribution.

  • Attribution through off-chain context: Wallet addresses may be linked to known entities — such as exchanges, mixers, or illicit services — through KYC records, open-source intelligence (OSINT), and past enforcement activity.
  • Cluster analysis: Using heuristics such as shared spending behavior or address reuse, investigators can group addresses likely controlled by the same entity. These clusters help reveal internal fund movements or broader operational structures.
  • Transaction mapping: Visual tools like TRM's Graph Visualizer trace the flow of assets across wallets, services, and blockchains, helping illustrate the path of funds and identify key counterparties.
  • Value estimation: Each transaction can be quantified in fiat terms to assess losses, exposure, or operational scale. These estimates are typically based on asset prices at the time of transfer.
  • Risk profiling: Wallets and clusters with a history of illicit behavior — or interactions with sanctioned or high-risk services — may be assigned risk scores. These scores help investigators prioritize follow-up or escalate for further review.
  • Analytical boundaries: Blockchains do not store personal identifiers such as names, email addresses, or IP logs. Identifying who controls a wallet typically requires lawful requests to service providers, or access to off-chain intelligence and data sources.

While blockchain intelligence offers transparency into how assets move and interact, it does not automatically reveal the identity of wallet owners. Attribution requires both on-chain analysis and supporting off-chain evidence.

{{horizontal-line}}

What are some of the challenges of crypto tracing?

Crypto tracing offers powerful tools for tracking cryptocurrency transactions, but is not without challenges — arising from the technological complexities of blockchain networks and ever-evolving tactics employed by bad actors.

Privacy-focused cryptocurrencies

Certain cryptocurrencies are designed to enhance user privacy, making tracing significantly more difficult. For example, Monero, Zcash, and Dash use advanced cryptographic techniques to obscure transaction details such as sender, receiver, and amount. Standard blockchain tracing tools struggle to analyze these privacy coins, requiring specialized solutions or alternative investigative methods.

Use of mixers and tumblers

Mixers and tumblers are services that break down cryptocurrency transactions into smaller amounts, mix them with other funds, and redistribute them, making it difficult to trace the original source of funds. These services obscure transaction trails, complicating efforts to link wallets and identify the movement of illicit funds.

Cross-chain transactions

Cross-chain transactions involve moving funds between different blockchain networks, such as from Bitcoin to Ethereum, or through decentralized bridges. Tracing funds across multiple blockchains requires advanced tools like TRM Labs that can integrate data and trace transaction across various networks.

Decentralized finance (DeFi) protocols

DeFi platforms operate without intermediaries, using smart contracts for activities like lending, borrowing, and trading. Because these platforms often lack robust regulatory oversight, criminals can exploit DeFi protocols to move and launder funds, leveraging the anonymity provided by decentralized systems.

Scalability and volume of transactions

Blockchains process millions of transactions daily, creating a massive volume of data to analyze. Scaling tracing efforts to cover all transactions in real time requires significant computational resources and sophisticated algorithms.

Anonymity and pseudonymity

Most cryptocurrencies are pseudonymous, not anonymous. Transactions leave a visible on‑chain footprint that can be traced to wallets, even if personal identities aren’t directly on the blockchain. Linking wallets to people often requires KYC data from exchanges. Privacy coins like Monero and Zcash reduce traceability through obfuscation.

Use of obfuscation techniques

Criminals often use advanced techniques such as splitting transactions into multiple smaller transfers (smurfing), rapidly transferring funds between wallets, or converting assets into NFTs or stablecoins to hide their tracks. These techniques create complex transaction patterns that are harder to follow.

Jurisdictional and legal challenges

Cryptocurrencies operate globally, but laws and regulations governing their use vary by jurisdiction. Tracing efforts may stall when funds move into jurisdictions with lax regulations or insufficient cooperation with international investigations.

Evolving criminal tactics

Criminals continuously innovate new methods to exploit weaknesses in crypto tracing technologies. Law enforcement and tracing tools must constantly adapt to stay ahead, creating a perpetual arms race between criminals and investigators.

{{crypto-tracing-glossary-best-practices-checklist}}

{{horizontal-line}}

What is the future outlook for crypto tracing?

As the cryptocurrency ecosystem evolves, so too does the field of crypto tracing — and the importance of using advanced blockchain intelligence to help create a safer and more transparent financial ecosystem. Future developments are likely to include:

  • Enhanced AI integration: Advanced AI algorithms will improve the accuracy and efficiency of blockchain tracing.
  • Global collaboration: Increased cooperation between governments, businesses, and international organizations to combat cross-border illicit activities.
  • Regulatory frameworks: Clearer regulations will drive innovation in tracing technologies and strengthen enforcement capabilities.
  • Interoperability solutions: Tools for seamless cross-chain analysis will become essential as multi-chain transactions grow in popularity.

{{horizontal-line}}

Frequently asked questions (FAQs)

1. How do on-chain and off-chain analyses work together in a blockchain investigation?

On-chain analysis enables investigators to trace transactions, identify patterns, and group wallet addresses under likely common control. It also reveals interactions with known services or high-risk entities. Off-chain analysis — which may include exchange records, Know Your Customer (KYC) data, subpoenas, and open-source intelligence — provides the additional context needed to link wallet clusters to real-world identities. Effective investigations typically iterate between both approaches to build a complete picture and support asset recovery.

2. What legal mechanisms support identification and recovery (e.g. subpoenas, warrants, MLATs)?

Law enforcement and regulatory authorities may issue subpoenas or criminal warrants to request customer records from virtual asset service providers (VASPs) that comply with KYC obligations. These requests can yield personally identifiable information (PII), banking details, and transaction records. When the data resides in another jurisdiction, cross-border requests are typically made through mutual legal assistance treaties (MLATs) or letters rogatory. Once asset ownership is established, prosecutors may pursue seizure or forfeiture orders in criminal cases. In civil matters, remedies may include garnishment or injunctive relief.

3. Can cryptocurrency users be served through NFTs or other digital methods in legal proceedings?

In limited cases, courts have permitted service of process via non-fungible tokens (NFTs) — especially when traditional service was infeasible. These methods can create a verifiable, timestamped on-chain record of service. However, legal recognition varies significantly by jurisdiction. Investigators and attorneys should consult counsel before relying on digital service as a primary method.

4. What heuristics are commonly used to de-anonymize wallet activity?

Two of the most widely used heuristics are common-spend (multiple inputs used in a single transaction, suggesting shared control) and address reuse (the repeated use of an address across multiple transactions). These techniques help analysts expand address clusters and assess wallet control. When combined with attribution datasets and known exchange interactions, these heuristics can help link blockchain activity to real-world entities — particularly when KYC data is accessible via legal process.

5. What data points are most useful for prioritizing recovery efforts?

Analysts evaluate multiple signals to prioritize investigative leads and potential recoveries. These may include:

  • Estimated address value to identify high-value targets
  • Lifetime transaction volume to assess the operational scale
  • Risk indicators based on links to mixers, sanctioned entities, or known illicit services
  • Off-chain metadata, such as IP logs captured by VASPs or service nodes, to help infer potential geographies (when available)

Each of these inputs helps guide next steps and inform the likelihood of successful recovery.

Last updated: December 4, 2025

Keep learning

Crypto crime

Learn about crypto crime, including common types like fraud, theft, and money laundering, and their impact on individuals and the crypto industry. Discover strategies for protection, the role of law enforcement, and steps to take if you fall victim to scams.

Learn more

Blockchain intelligence

Explore blockchain intelligence, the advanced practice of analyzing on-chain and off-chain data to detect risks, trace illicit funds, and ensure compliance. Learn how it enhances crypto compliance, aids law enforcement, and supports regulatory oversight. Discover its future with AI integration, cross-chain analytics, and global regulatory applications.

Learn more

Transaction monitoring

Learn what transaction monitoring is and its role in cryptocurrency. Discover how law enforcement, crypto businesses, and regulators use blockchain intelligence tools to monitor transactions—and detect and disrupt illicit activities.

Learn more
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

On-chain vs. off-chain data and wallet de-anonymization

Understanding on-chain data

On-chain data refers to the publicly accessible information recorded directly on the blockchain. This includes transaction histories, wallet addresses, timestamps, and token flows. Investigators analyze these records to identify behavioral patterns, detect anomalies, and establish links between addresses. Because blockchains are immutable and transparent, on-chain data provides a reliable foundation for tracing digital asset movement.

The role of off-chain data

Off-chain data helps contextualize blockchain activity by linking addresses to known individuals or entities. This data often includes Know Your Customer (KYC) records from exchanges, IP logs, device fingerprints, and other attribution sources. It typically originates from compliance partners, investigative findings, or prior enforcement actions. When combined with on-chain analysis, off-chain data is essential for building a complete picture of illicit activity or financial exposure.

Techniques for de-anonymizing wallet activity

Investigators apply a range of heuristics and data enrichment techniques to assess address ownership and activity:

  • Common-spend analysis: If multiple input addresses are used in a single transaction, they are likely controlled by the same entity
  • Address reuse: Repeated use of the same address across multiple transactions can reveal usage patterns and help link activity to a known entity
  • Attribution datasets: Curated intelligence — often informed by investigations or compliance reviews — associates wallet addresses with exchanges, darknet marketplaces, mixers, or other services

While no single heuristic is definitive, combining multiple signals with off-chain context allows analysts to make more confident assessments of wallet ownership and intent.

Best practices for blockchain investigations

Investigators, auditors, and forensic examiners rely on standardized protocols to ensure their work is both defensible and transparent. The following practices support high-quality, court-admissible blockchain investigations and align with TRM’s investigative standards:

  • Preserve evidence early: Export wallet records, transaction histories, and relevant screenshots — including visible timestamps — as soon as possible. Early capture helps preserve the integrity of time-sensitive data and supports evidentiary requirements.
  • Maintain a documented chain of custody: Track who collected, handled, and analyzed data at each step of the process. A well-documented chain of custody is essential to ensure the admissibility of findings in legal or regulatory proceedings.
  • Use validated visualization tools: Use trusted blockchain intelligence platforms — like TRM Labs — to clearly map fund flows, identify counterparties, and isolate risk.
  • Apply analytics-based risk scoring: Evaluate wallets and counterparties using risk indicators to prioritize investigative leads. Risk scoring provides a structured framework for triaging activity and focusing on higher-priority exposures.
  • Document your methodology: Record the heuristics, assumptions, and analytic paths used during your investigation. Methodology notes are critical for future audits, peer reviews, or legal testimony.
  • Validate key findings: Cross-reference addresses and entity attributions with reputable external sources to ensure accuracy before drawing conclusions or taking investigative action.
  • Secure and protect case materials: Store investigative outputs — including reports, evidence exports, and notes — in encrypted, access-controlled environments to prevent unauthorized access or tampering.

Following these best practices helps ensure investigations are consistent, reproducible, and aligned with professional standards of care.

Notable cases

Mt. Gox (2014): Blockchain tracing helped identify wallets tied to the massive exchange theft, leading to asset recoveries and criminal prosecutions

Bitfinex (2016): Investigators tracked stolen Bitcoin through mixers and across years of transactions, eventually seizing over 90,000 BTC from linked wallets

Colonial Pipeline (2021): On-chain analysis enabled US authorities to trace ransomware payments and recover most of the ransom funds

Each case illustrates how blockchain transparency and forensic analysis can turn complex crypto crimes into recoverable evidence.