Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Insights
November 6, 2025

Sticky Notes to Seed Phrases: How To Identify Crypto Artifacts in the Field

TRM BlogInsightsInsights
Sticky Notes to Seed Phrases: How To Identify Crypto Artifacts in the Field

Whether executing a search warrant or responding to a crime scene, law enforcement officers today are more likely than ever to encounter digital evidence connected to cryptocurrency — from hardware wallets and seed phrases to lesser-known clues like transaction memos, printed QR codes, and air-gapped devices.

In a recent webinar, two of the world’s leading crypto investigators — Chris Janczewski (TRM’s Global Head of Investigations and former IRS-CI special agent) and Chris Wong (Global Investigator, Law Enforcement Relations at TRM and former FBI supervisory special agent) — led front-line law enforcement professionals through a deep-dive into all things crypto evidence. 

They explored the common crypto artifacts officers are likely to come across in the field, what they mean, and how to preserve them for effective follow-up and prosecution. And they also walked attendees through some of the high-profile cases they both led during their time in law enforcement — a rare, behind-the-scenes look into the frontline investigative process.

Read on for a recap of the session, or use your law enforcement email address to watch the recap below.

What are crypto artifacts — and why do they matter?

Crypto artifacts refer to the physical and digital traces that signal cryptocurrency usage or ownership. Unlike traditional assets, crypto assets can be stored, transferred, and accessed through a wide range of hardware and software — meaning key evidence may not always resemble what most investigators expect (especially those who are new to the digital asset space).

As Janczewski noted, “Crypto artifacts aren’t always flashy. Sometimes it’s a sticky note, sometimes it’s a label on a laptop. But that small detail could unlock an entire investigation.”

Recognizing these indicators — and understanding their potential investigative value — is essential for any officer responding to a scene where financial crime, fraud, or digital assets may be in play.

Common types of crypto artifacts found in the field

Janczewski and Wong outlined several common crypto artifacts law enforcement officers may encounter during field operations, including:

  • Hardware wallets: Physical devices often resembling USB sticks or external hard drives, used to store the private keys needed to access crypto assets. Popular brands include Ledger, Trezor, and SafePal.
  • Seed phrases: A sequence of 12 to 24 words that can be used to regenerate a crypto wallet. Officers often find these written down or saved in password managers.
  • Mobile and desktop applications: Crypto wallets may be installed on a suspect’s phone, laptop, or even a burner device used for a single transaction.
  • QR codes: These may appear on printed documents, whiteboards, or even t-shirts — often linking to a wallet address or payment request.
  • Notes and receipts: Transaction memos, screenshots, exchange deposit confirmations, or shipping labels with wallet addresses can all serve as critical leads.

A key investigative tip: when in doubt, photograph first, interpret later. Preservation is key, and you never know if an artifact will play an important role at a later stage of your investigation or if you will ever have access to it again.

Field tactics for securing digital evidence

Janczewski and Wong also shared real-world examples of successful evidence collection based on their past casework — and where missed artifacts led to dead ends. To help investigators preserve and assess crypto evidence, they emphasized the following best practices:

  • Photograph all digital screens and handwritten materials before seizing devices or documents
  • Look for small, unexpected items like USBs hidden in inconspicuous containers (e.g. deodorant sticks, toys, or coin pouches)
  • Label and log devices accurately, noting whether they were powered on, connected to a network, or encrypted
  • When in doubt, treat cryptocurrency like cash
  • Understand that seed phrases and other mechanisms for accessing crypto wallets may exist in multiple places, giving illicit actors access to the wallet, even though you have “seized” a copy of that access

These details may prove essential later in court or when building attribution through blockchain intelligence platforms like TRM.

How TRM supports law enforcement in the field

TRM’s blockchain intelligence platform is designed to help investigators follow the money through every stage of their investigation.

Investigators can use TRM Triage to search crypto artifacts in the field with their mobile device. With a photo of any crypto artifact — QR code, ATM receipt, or even a partial address — investigators can instantly view balances, transaction history, and threat categories.

With Seed Analysis, investigators can quickly and securely convert seed phrases and xPubs into actionable leads across dozens of blockchains and billions of addresses to discover linked wallets, transactions, and assets.

TRM Forensics helps law enforcement trace the flow of cryptocurrency across blockchains in a single graph, link wallets to real-world services with glass box attribution, and generate clear, court-ready visuals and reports to support subpoenas, freezes, and prosecutions.

TRM’s solutions are built specifically to support time-sensitive law enforcement needs — helping teams trace, seize, and disrupt illicit crypto activity in real time.

Tips for improving frontline crypto readiness

Janczewski and Wong closed out the session with practical guidance for law enforcement professionals who want to improve their crypto readiness:

  • Train your team to recognize common crypto artifacts — and know how to escalate when needed
  • Coordinate with digital evidence specialists when crypto is suspected or discovered
  • Meticulously look everywhere and document everything
  • Leverage TRM Academy for continuing education to upskill your team

As Wong summarized, “If we can help an officer identify a single wallet in the field, we can potentially stop an entire laundering operation from succeeding.”

{{horizontal-line}}

Want to go deeper? Download the Identifying Crypto Artifacts in the Field Flip Book to explore each type of crypto artifact in more detail, unpack their roles in investigations, and learn blockchain tracing and TRM Triage basics.

This is some text inside of a div block.
TRM Team

Related posts

No posts to show
arrow right
Report
October 21, 2025

2025 Crypto Adoption and Stablecoin Usage Report

No posts to show
No posts to show
arrow right
GUIDE
September 11, 2025

Identifying Crypto Artifacts in the Field | Flip Book

arrow right
GUIDE
April 7, 2025

Common Crypto Artifacts and Their Role in Investigations

No posts to show

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe and stay up to date with our insights
No items found.
3D illustration of a blue magnifying glass hovering over a digital fingerprint on a dark background, symbolizing crypto investigations or forensic analysis.
FLIP BOOK
Learn more about common crypto-enabled scam typologies in our "Investigating Crypto Scams" flip book
Get your copy →
Illustration of a stablecoin represented by a dollar symbol surrounded by icons for growth, risk alert, user profiles, and a security shield with a target, connected through a network of hexagons — symbolizing the interconnected risks and compliance considerations in digital asset ecosystems.
USE CASE
Learn how TRM helps compliance teams monitor exposure, detect threats, and safeguard their organizations
TRM for stablecoin risk management →
A worn silver wrench tool on a brown-red background, as a metaphor for violent crime
BLOG
Learn about the recent rise of "wrench attacks" and crypto-related violent crime
Read the post →
Illustration of a financial institution icon and a compliance document with checkboxes, symbolizing regulatory due diligence and financial compliance in the digital asset ecosystem.
GUIDE
Learn best practices for evaluating the legal, operational, and financial integrity of crypto entities before engagement
Get the guide →
A judge's gavel rests beside a stack of gold-colored cryptocurrency tokens, including Bitcoin, Dogecoin, Ethereum, and others, symbolizing the intersection of digital assets and regulatory or legal oversight.
REGULATORY ACTION TRACKER
Stay updated on the latest crypto-linked regulatory actions available in the public domain
Check it out →
Screenshot of the splash page used by law enforcement agencies following the takedown of Garantex, with bold red lettering reading, "This domain has been seized," along with the logos of various international law enforcement agencies involved in the action.
BLOG
Learn more about the global law enforcement operation that took down Garantex
Read the post →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT