The Fundamentals of Cryptocurrency Transaction Tracing
Cryptocurrency was once perceived as a shadow economy — a place where digital value could move invisibly across borders. But in reality, the opposite is true.
The blockchain — the foundational technology behind digital assets — is one of the most transparent financial systems ever created. Every transaction is recorded permanently on a public ledger that anyone can view.
This radical transparency has transformed financial investigations. And with blockchain analytics tools, regulators, law enforcement, and compliance teams can trace illicit crypto activity, recover stolen assets, and protect users — at a speed and scale that was impossible in the analog era.
What makes blockchains “transparent”?
Every blockchain records transfers of value in an immutable, chronological ledger. Each transaction contains information such as:
- The sending and receiving wallet addresses
- The amount transferred
- A timestamp and unique transaction hash
- Links to previous transactions
These details make it possible to reconstruct the full path of any asset from creation to present ownership. Unlike traditional banking data — which is siloed and often subject to jurisdictional boundaries — blockchain data is public, permanent, and globally accessible.
The challenge is not whether transactions can be seen — it’s understanding what those transactions mean.
What is blockchain intelligence and how is it used to trace cryptocurrency transactions?
Blockchain analytics refers to the process of collecting, interpreting, and visualizing data from public blockchains to uncover transaction patterns, identify associated entities, and trace the movement of digital assets over time. Blockchain intelligence takes this a step further by combining on-chain data with off-chain intelligence to provide even more comprehensive insights into activity on the blockchain.
Unlike traditional financial systems where data may be siloed or hidden, the decentralized nature of blockchain ledgers makes all transactions visible. However, while blockchains are transparent by design, they are also pseudonymous — meaning wallet addresses are not inherently linked to real-world identities — making attribution complex. Blockchain intelligence bridges that gap.
Using advanced heuristics, clustering algorithms, and proprietary attribution methods, blockchain intelligence platforms like TRM allow investigators to follow the flow of funds across chains and wallets to uncover potential illicit activity. This can include tracing stolen crypto or digital assets after a cyber attack, detecting sanctions violations, or mapping the financial infrastructure of fraud schemes.
Key use cases for blockchain analytics and intelligence include:
- Investigations and enforcement: Law enforcement agencies and regulators use blockchain analytics to trace criminal proceeds, support seizure efforts, and build prosecutorial cases
- Compliance and risk management: Financial institutions leverage blockchain analytics to monitor crypto transactions for anti-money laundering (AML) compliance and detect high-risk counterparties
- Threat intelligence: Blockchain analytics provides insights into the tactics, techniques, and procedures (TTPs) of bad actors, enabling proactive risk mitigation and network defense
Importantly, blockchain analytics does not “deanonymize” users directly. Rather, it surfaces patterns and associations that can then be correlated with off-chain data — such as sanctions lists, exchange records, or open-source intelligence (OSINT) — to inform attribution.
How do blockchain intelligence providers attribute real-world actors to pseudonymous cryptocurrency wallets?
Each wallet on a blockchain is represented by a unique alphanumeric address. While the address itself is pseudonymous, repeated activity from a wallet over time creates a behavioral fingerprint. TRM Labs applies advanced machine learning models, artificial intelligence, and human-led threat intelligence to link wallet addresses, build out networks on-chain, and label wallets associated with risk categories such as:
- Sanctioned entities
- Darknet marketplaces
- Ransomware operators
- Scam typologies
- Terrorism financing
Through real-time analysis, TRM maintains a dynamic attribution database covering millions of entities and over 100 blockchains. This database provides the context necessary to trace value flows with precision. Our blockchain intelligence analysts also hunt for attribution through direct engagement with threat actors — often leading to the uncovering of far-reaching, interconnected criminal networks.
What are the key steps in cryptocurrency or blockchain tracing?
Cryptocurrency tracing — also known as blockchain tracing — is the process of following the movement of funds across one or more blockchains to understand transaction flows, identify counterparties, and support investigations. While every case varies, blockchain tracing typically follows a structured sequence of steps:
- Establish an anchor point
- Trace the flow of funds
- Enrich on-chain data with attribution
- Assess risk and behavior
- Document and report findings
Step 1: Establish an anchor point
Every successful tracing investigation begins with a known point of reference — often called an anchor. This might be a wallet address linked to an incident (e.g. a scam, hack, or sanction designation), a transaction hash, a cluster already attributed to an entity of interest, or an alert generated by a risk monitoring system.
The anchor point acts as a starting node for further exploration. From there, investigators can follow each transfer or hop to identify intermediary wallets, exchanges, or services.
Step 2: Trace the flow of funds
From the anchor, investigators trace the inbound and outbound movement of assets. This includes:
- Identifying transfers to and from the anchor address
- Mapping how funds split, merge, or move between wallets
- Tracking movement across multiple blockchains (increasingly common in cross-chain laundering)
Specialized tools like TRM’s Graph Visualizer enable clear visualizations of these flows, helping analysts detect obfuscation techniques such as peel chains, mixers, or cross-chain bridges. If assets move through bridges or swap protocols, TRM connects those movements across blockchains, preserving the integrity of the trace.
These visualizations, or graphs, create a visual representation of events on the blockchain — enabling better communication and collaboration within and across agencies — and are critical in building defensible documentation (more on that in step 5).
Step 3: Enrich on-chain data with attribution
Raw blockchain data only shows wallet addresses and amounts. To make this information useful, investigators overlay attribution data — such as exchange wallet labels, darknet marketplace clusters, or sanctioned entities — to identify possible actors behind the transactions. Attribution can come from a variety of sources, including:
- TRM’s proprietary attribution database
- Open-source intelligence (OSINT)
- Regulatory filings or public designations
- Law enforcement collaboration
The TRM platform labels known entities, clusters related wallets, and assigns risk scores based on exposure to illicit activity.
Step 4: Assess risk and behavior
With the transaction history mapped and enriched, analysts and investigators can assess behavioral patterns and risk indicators, gaining insights to answer questions like:
- Does the address receive funds from known ransomware wallets?
- Is the entity cashing out to fiat currency via centralized exchanges?
- Are the transaction patterns consistent with layering or structuring?
This behavioral intelligence helps distinguish between legitimate and suspicious activity — and supports prioritization in high-volume cases.
Step 5: Document and report findings
The final step involves packaging the findings into a defensible and actionable format. This may include:
- Visual graphs, outlining the flow of funds
- Timestamped transaction histories
- Risk summaries with supporting attribution
- Confidence levels for assessments
For investigators, regulators, or compliance teams, these reports are often used to initiate subpoenas, file suspicious activity reports (SARs), or inform internal decision-making.
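The five steps above, worked end to end on a small constructed ledger. This is an added example, not TRM's code or method. It assumes an account-style ledger, made-up addresses and labels, hypothetical function names, and simple value totals rather than proportional exposure accounting.

```python
from collections import defaultdict, deque

# Constructed sample ledger (account-style): hash, sender, receiver, amount, UTC time.
LEDGER = [
    ("0xa1", "anchor", "w1", 6.0, "2024-03-01T10:00"),
    ("0xa2", "anchor", "w2", 4.0, "2024-03-01T10:05"),
    ("0xb0", "w1", "old", 9.0, "2024-02-20T08:00"),         # predates the incident
    ("0xb1", "w1", "mixer_x", 5.0, "2024-03-01T11:00"),
    ("0xb2", "w1", "w3", 1.0, "2024-03-01T11:30"),
    ("0xc1", "w2", "exch_hot", 4.0, "2024-03-02T09:00"),
    ("0xd1", "w3", "anchor", 0.5, "2024-03-03T09:00"),      # loops back to the anchor
    ("0xd2", "w3", "w4", 0.5, "2024-03-03T09:10"),
    ("0xe1", "exch_hot", "cust9", 50.0, "2024-03-02T12:00"),  # unrelated withdrawal
]
# Constructed attribution overlay: address -> (entity category, risk level).
LABELS = {"mixer_x": ("mixer", "high"), "exch_hot": ("centralized exchange", "medium")}

def trace(ledger, anchor, labels, max_hops=4, since=""):
    """Steps 1-2: breadth-first walk of outbound transfers from the anchor."""
    out = defaultdict(list)
    for tx in ledger:
        out[tx[1]].append(tx)
    arrived = {anchor: since}          # earliest time traced funds reached an address
    queue, hops = deque([(anchor, 0)]), []
    while queue:
        addr, depth = queue.popleft()
        # Stop at attributed services: they commingle customer funds, so their
        # onward transfers say nothing about the funds being traced.
        if depth == max_hops or addr in labels:
            continue
        for tx in sorted(out[addr], key=lambda t: t[4]):
            dst, ts = tx[2], tx[4]
            if ts < arrived[addr]:     # sent before the traced funds arrived
                continue
            hops.append((depth + 1, tx))
            if dst not in arrived:     # expand each address once (handles loops)
                arrived[dst] = ts
                queue.append((dst, depth + 1))
    return hops

def exposure(hops, labels):
    """Steps 3-4: overlay attribution and total the value reaching each category."""
    totals = defaultdict(float)
    for _, (_, _, dst, amount, _) in hops:
        if dst in labels:
            totals[labels[dst][0]] += amount
    return dict(totals)

def report(hops, labels):
    """Step 5: timestamped, attributed hop list for the case file."""
    lines = []
    for depth, (tx_hash, src, dst, amount, ts) in hops:
        tag = "/".join(labels[dst]) if dst in labels else "unattributed"
        lines.append(f"{ts} hop {depth} {tx_hash} {src}->{dst} {amount} [{tag}]")
    return lines

if __name__ == "__main__":
    found = trace(LEDGER, "anchor", LABELS)
    print(exposure(found, LABELS), *report(found, LABELS), sep="\n")
```

The walk skips the transfer that predates the funds' arrival and does not follow the exchange's unrelated customer withdrawal, two common sources of false linkage in a naive trace.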
How does blockchain tracing help disrupt criminal activity?
Blockchain tracing is a powerful tool for exposing financial infrastructure, uncovering relationships between entities, and surfacing behavioral patterns that might otherwise remain hidden. By analyzing the flow of cryptocurrency and digital assets across the blockchain, teams from both the public and private sectors can take informed action — from disrupting threat networks to seizing assets and strengthening compliance programs.
Below are several examples of how blockchain tracing has been used to disrupt illicit activity in practice.
1. Ransomware investigations: Identifying infrastructure and supporting seizures
Ransomware groups frequently demand payment in cryptocurrency to bypass traditional financial safeguards. And with new ransomware groups emerging every day (many of which are increasingly leveraging AI to scale their operations), the threat has never been more urgent.
By tracing ransom payments on-chain, investigators can uncover the broader infrastructure — including wallets, mixers, and cash-out points — used to support these operations. For example, TRM’s blockchain intelligence has been used to:
- Link ransom payments to clusters associated with known ransomware variants (e.g. Conti, BlackCat)
- Surface patterns in laundering behavior (e.g. use of nested services or regional exchanges)
- Inform coordinated law enforcement actions resulting in wallet freezes and infrastructure takedowns
These insights have supported investigations by entities such as the Federal Bureau of Investigation (FBI), the US Secret Service (USSS), and Europol, contributing to both public attribution and private exchange compliance efforts.
2. Scam and fraud networks: Mapping cross-border operations
Pig butchering and investment scams have emerged as one of the fastest-growing forms of cyber-enabled financial crime. TRM’s tracing has revealed that many such operations are coordinated from large compounds in Myanmar, Cambodia, and Laos — with transnational operations that span many jurisdictions.
By tracing transactions on the blockchain, investigators can see that stolen funds often consolidate in stablecoins — then funnel through regional over-the-counter brokers and centralized exchanges. These insights have supported joint operations by US and international agencies, leading to asset seizures and the disruption of major networks. For example, TRM has supported multi-agency efforts by:
- Tracing victim payments from US and European bank accounts into stablecoin wallets
- Identifying patterns of consolidation in large wallets managed by regional brokers
- Surfacing clusters associated with physical compounds in Southeast Asia known for forced labor operations
3. Sanctions evasion and nation-state threats: Strengthening global compliance
Blockchain tracing is also critical in responding to sanctions evasion and state-aligned financial activity. In particular, North Korea has used decentralized services, mixers, and a wide array of intermediaries to launder proceeds from cyber attacks.
TRM has attributed — with high confidence — several clusters of addresses to North Korea. These insights have been used to:
- Support designations by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC)
- Alert exchanges and financial institutions to suspicious transaction flows
- Identify cross-chain laundering techniques that evade traditional compliance controls
For the private sector, these insights have informed sanctions screening models and enabled the proactive identification of indirect exposure to DPRK-linked wallets — a critical capability for meeting regulatory expectations globally.
4. Child sexual abuse material (CSAM) and human trafficking: Illuminating hidden economies
In some investigations, blockchain analysis has uncovered financial activity linked to platforms trafficking in child sexual abuse material (CSAM) or coordinating forced labor. For example, investigators have used blockchain tracing to:
- Link payments for illegal content to buyer and seller wallets
- Uncover relationships between financial facilitators and illicit marketplaces
- Coordinate with hosting platforms, exchanges, and payment processors to disrupt revenue flows
Crypto exchanges and stablecoin issuers can also leverage these insights to take action against these bad actors by freezing funds or enhancing monitoring of high-risk typologies.
5. Terrorist financing and extremist movements: Supporting financial disruption
While the volumes associated with terrorist financing remain relatively low compared to other types of illicit activity, blockchain intelligence has enabled early detection and disruption of actors seeking to fund operations through cryptocurrency. Examples include:
- Tracing fundraising campaigns tied to designated groups (e.g. Hamas or Islamic State affiliates)
- Identifying donation flows to known propaganda channels or facilitators
- Informing alerts, transaction blocking, and account terminations in the private sector
These efforts are often supported by interagency collaboration — including with the Financial Crimes Enforcement Network (FinCEN) and the Financial Action Task Force (FATF) — and rely on close coordination between public and private sector partners to ensure timely response and minimal market disruption.
How does algorithmic and crowdsourced data enrich TRM’s blockchain intelligence?
Artificial intelligence (AI)
AI and machine learning are integral to modern blockchain intelligence. TRM Labs applies supervised and unsupervised learning models to detect anomalies across billions of transactions.
These systems analyze:
- Transaction frequency and patterns
- Counterparty relationships
- Flow timing and velocity
- Reuse of addresses and behavioral markers
When a pattern matches known typologies — such as mixer obfuscation, smurfing, or scam consolidation — the platform automatically generates a risk alert. Over time, these models adapt, learning from confirmed investigations to identify new behaviors faster.
Chainabuse
Public reporting adds another critical layer of visibility into TRM’s blockchain intelligence. Chainabuse — TRM’s community-driven reporting platform — allows scam victims, exchanges, and investigators to flag fraudulent addresses. These reports feed directly into TRM’s attribution models, enriching them with human intelligence and enabling faster detection of emerging scam patterns.
This combination of algorithmic detection and crowdsourced data creates a global early-warning system for illicit activity.
How does blockchain tracing improve the integrity of financial systems?
Cryptocurrency tracing is not simply a technical process — it is the backbone of trust in the digital financial system. The ability to follow the money, understand exposure, and act quickly is what separates transparent innovation from opaque exploitation.
It’s important to note that blockchain tracing does not automatically reveal the identity of a wallet’s owner. Instead, it highlights linkages, risk signals, and possible entity associations — which must be corroborated with off-chain data for positive identification. This process does not undermine privacy — it strengthens integrity by allowing regulators to enforce sanctions, compliance teams to manage risk, and investigators to protect victims.
TRM Labs provides the intelligence layer that makes this possible: uniting on-chain data, off-chain insight, and real-time collaboration to trace, detect, and disrupt financial crime worldwide.
Frequently asked questions (FAQs)
1. Is it possible to trace cryptocurrency transactions?
Yes, cryptocurrency transactions can be traced. Despite early perceptions of anonymity, most cryptocurrency transactions can be traced using blockchain analytics. Every transfer of value is recorded permanently on public ledgers such as Bitcoin or Ethereum. By analyzing this data, blockchain intelligence platforms like TRM Labs can follow the flow of funds, detect suspicious behavior, and link activity to real-world actors — especially when combined with off-chain intelligence such as sanctions lists, open-source data, or law enforcement records.
2. How do investigators trace crypto transactions across multiple blockchains?
Investigators use advanced blockchain tracing tools — like TRM’s Graph Visualizer — to follow the movement of funds across wallets, exchanges, and even multiple blockchains. These tools preserve the integrity of the trace by detecting cross-chain hops via bridges, swaps, and mixers. A trace typically starts with a known anchor (e.g. a wallet address or transaction hash) and is enriched with attribution data to identify potential bad actors — including scam networks, ransomware operators, and sanctioned entities.
3. What are the most common criminal activities uncovered through blockchain tracing?
Blockchain tracing has been used to expose and disrupt a range of illicit financial activity, including:
- Ransomware payments and laundering infrastructure
- Investment scams and pig butchering schemes
- Sanctions evasion by state-linked actors (e.g. DPRK)
- Child sexual abuse material (CSAM) monetization
- Terrorist financing and extremist fundraising
In both the public and private sectors, these insights have supported asset seizures, risk mitigation, and improved compliance outcomes across jurisdictions.
4. How does blockchain intelligence help financial institutions detect and prevent crypto crime?
Financial institutions rely on blockchain intelligence to monitor transaction flows for anti-money laundering (AML) compliance, screen for sanctions exposure, and identify high-risk counterparties. By integrating tools like TRM Labs, compliance teams can detect red flags — such as connections to mixers, darknet marketplaces, or scam-related typologies — and take proactive steps, including blocking transactions, filing SARs, or updating risk models to prevent future abuse.
5. Does blockchain tracing violate user privacy or anonymity?
No. Blockchain tracing enhances system integrity without compromising personal privacy. Wallet addresses are pseudonymous, meaning they do not inherently reveal real-world identities. Tracing tools surface linkages and behavioral patterns, but attribution to individuals only occurs when combined with lawful off-chain data. This capability empowers investigators to disrupt criminal networks and regulators to enforce compliance — without undermining the privacy of legitimate users.