Blockchain forensics: Can authorities track the flow of crypto assets?

What is blockchain forensics?

Blockchain forensics refers to a sub-category of digital forensics which utilises blockchain data analysis to find illegal transactions and combat frauds, scams and other types of criminal activities.  

Blockchain presents a distributed ledger which records transactions in a transparent and tamper-proof manner. The main element of blockchain technology refers to its cryptographic algorithms which safeguard data from unauthorised access and subsequent changes by linking it to the previous block and setting out a chain of blocks.

While it is a great tool for the creation of a new digital financial landscape, its anonymity feature attracts perpetrators as well. Blockchain forensics is all about analysing blockchain data to investigate criminal activities that could happen in the crypto space such as scams, fraud, money laundering and terrorism financing. 

Blockchain forensics aims to address the challenges posed by illicit activities conducted through the use of cryptocurrency transactions and establish connections between individuals or entities and illegal transactions.

To better understand how traceable crypto really is, we suggest reading this article: 'Your crypto footprint'.

Many law enforcement agencies and regulators around the globe have been involved in the creation of tools and know-how in the rapidly evolving field of digital forensics to combat illegal activities. Blockchain forensics tools have enabled law enforcement agencies and other relevant officials to detect fraudulent crypto transactions as well as recover the associated assets, and in this article, we'll explain how they do it.

The need for blockchain forensics tools

Criminal activities within the crypto market and the blockchain ecosystem as a whole often made headlines. As mentioned above, these illicit activities include a wide range of actions that target cryptocurrency exchanges, projects, and users. 

In most cases, stolen crypto assets are never recovered due to the main perks of blockchain technology as well as various methods used by criminals to complicate tracking.  

That is why we need blockchain forensics – investigators found a way to uncover hidden trails and links to expose illicit activities.

Is it even possible to track crypto assets?

Many people think that cryptocurrency transactions are anonymous. If we conclude that transactions for virtual currencies are publicly reported on distributed ledgers that identify users only by their crypto address as a long string of letters and numbers, that might be right. 

However, law enforcement agencies and regulators have their methods and blockchain forensics tools that can pierce that veil of pseudonymity. These tools and techniques can be used under predetermined conditions under the law to de-anonymise cryptocurrency transactions.

A little bit of history

In the early years of crypto, the pseudonymous nature of cryptocurrency transactions, where assets are exchanged between crypto wallets identified only by a string of letters and numbers, was frequently mistaken for complete anonymity. 

However, back in 2012, the cryptographer Sarah Meiklejohn cracked the code – with Meiklejohn’s work many researchers figured out how to group crypto wallets and spot links that implied shared ownership. This advanced knowledge soon made it possible to link wallets to cryptocurrency exchanges and marketplace and track stolen assets.  

Meiklejohn referred to this general technique as clustering which was further developed into blockchain forensics and used by law enforcement agencies or crypto companies that offer such services.

Collecting evidence for the courtroom

Only 4 years later, the U.S. authorities arrested a New York City couple for conspiring to launder $4.5 billion worth of Bitcoin stolen during a hack of the crypto exchange Bitfinex. The authorities managed to recover $3.6 billion of assets and the Department of Justice said that it was the broadest financial seizure ever. 

According to the authorities, the couple utilised a wide array of sophisticated laundering techniques such as fake identities to set up online accounts and running computer programs to automate transactions.  

Special agents acquired court-authorised search warrants and examined the couple’s online accounts- they managed to track down files containing the private keys required to access a crypto wallet containing 94.000 Bitcoins worth approximately $3.6 billion in stolen funds. 

Another noteworthy example is the conviction of Roman Sterlingov for money laundering conspiracy, a Russian-Swedish national who operated Bitcoin Fog, a crypto mixing service in 2024. Bitcoin Fog was shut down by U.S. law enforcement in 2021 after 10 years of running – while crypto mixers were originally promoted as a way to enhance the users’ privacy, they were soon used as money laundering services.  

The rapid growth of blockchain forensics tools helped crack down another crypto mixer – the U.S. Treasury sanctioned Tornado Cash in 2022 and ChipMixer in 2023, charging their founders with money laundering schemes and several other violations. Blockchain forensics helped investigators and officials in following the crypto assets and collecting evidence for the courtroom. 

How do blockchain forensics work?

Even though all blockchain forensic specialists don’t work in the same manner, they adhere to an organised procedure to learn crucial details of any illicit activity on the blockchain and discover the occurrence of a financial crime. Let’s take a look at some general steps followed by investigators. 

Collection & analysis

The first step involves data collection. Blockchain forensics specialists need to collect transaction data from several sources such as crypto exchanges, blockchain explorers and crypto wallets tied to the investigation. Data collection typically includes gathering information such as transaction hashes, amounts, time-stamps and crypto addresses. 

When they collect the needed data, investigators get down to the data analysis step to spot potential clues and patterns. They use specialised blockchain forensics tools to examine the collected data and look for irregular activities such as broad or frequent transactions as well as ties to criminal entities.

Special techniques

One of the most important techniques is known as address clustering- it is used to identify crypto addresses controlled by the same person or entity by analysing patterns. When investigators succeed in clustering addresses, they get valuable insights into the flow of digital assets across the blockchain. 

The purpose of blockchain forensics is to further link addresses to identities. Since these digital transactions are pseudonymous and presented by alphanumeric strings, this is a challenging task. Investigators need to use a wide range of methods to succeed such as analyse transaction metadata as well as leveraging external data sources to link blockchain addresses to real-world identities. 

Most illicit transactions’ flows are kind of complex, and specialists need to use a tool known as transaction visualisation which produces visual representations of transactions on the blockchain to identify patterns. 

Blockchain forensics involves chain analysis which refers to tracing crypto transactions backward through the chain. In other words, they need to analyse transactions in reverse chronological order and follow the path to the main source.

Preparing reports

It is not an easy task to link real-world identities with activities on the blockchain. Therefore, blockchain forensics typically includes cooperation between crypto companies, law enforcement agencies and different regulatory bodies. They pool resources and know-how to gather evidence. 

Once all data has been collected and analysed, it is time to produce reports used in legal proceedings. Specialists put together their findings in detailed reports which will find its use in the courtroom. 

If you are new to the crypto space, all the steps of blockchain forensics may sound complicated. If you want to expand your knowledge, check out the available courses at our Learn Crypto Academy.

What kind of crypto information can be tracked?

Techniques used in blockchain forensics can differ depending on the particular application and the type of data being assessed. We have already highlighted how it presents a challenging task and a rapidly evolving area of digital forensics. However, we can single out the types of blockchain data most commonly evaluated by investigators to enable crypto-tracing activities. Let’s take a look. 

Attribution data

Blockchain forensics tools are used to gather and analyse data related to ownership attribution for a broad number of entities to de-anonymise crypto addresses and link them to real-world identities.  

These tools cannot do miracles and provide information for personal identification but they can link associations with criminal entities. 

Each transaction on the blockchain leaves a public record which involves the addresses of the sender and the recipients, the transferred amount, and the timestamp. Therefore, if the same crypto address is used for multiple transactions or interacts with a crypto exchange that requires KYC identification, it can be potentially traced back to a certain identity or discover associations.

Total transaction history

The number of total cryptocurrency transactions can tell us something about the potential size of the fraud scheme and the number of affected users.  

Using the right tools and know-how, specialists can spot patterns and trends within the total transactions data which provides information regarding the user’s behaviour.

Transaction mapping

Once the transactional data has been gathered, it is usually turned into visual maps and flowcharts to demonstrate interactions of the user with exchanges and other entities, tracking transactions to endpoints. 

Investigators use visual mapping to recognise patterns; for example, layering and peel chains are typically used for money laundering activities. 

Cluster analysis

Cluster analysis refers to a data mining strategy that can be efficiently applied to cryptocurrency transactions on the blockchain. This strategy groups similar transactions together based on certain characteristics which makes it a good tool for crypto tracing and identifying links between divergent digital wallets. 

Due to the transparency of blockchains, each transaction is publicly available and auditable so investigators can use cluster analysis to track suspicious activities.

IP addresses

Using blockchain surveillance systems means running networks of nodes that look for Internet Protocol (IP) addresses associated with particular transactions. That is how investigators manage to collect privacy-sensitive metadata on the blockchain.  

IP addresses may provide valuable information regarding the geographical location of the subject at the time the transaction was conducted. 

With the use of analytics tools, investigators can map IP addresses and create a map that links them to certain transactions. This helps in understanding patterns between transactions.

Subpoena targets

Crypto exchanges and crypto wallet providers, along with other types of cryptocurrency services, are usually required to comply with KYC and AML regulations. If a regulatory agency serves them with a subpoena, these entities must provide the requested information such as account information, IP addresses, or transaction data.  

Despite the believed notion that crypto transactions are anonymous and decentralised, subpoenas enable tracing funds back to individual users much easier. 

Current and historical values

Crypto assets with a higher value, such as Bitcoin and Ethereum, are typically more easy to trace due to their high value and used technology. The technology provides a ledger with historical data that is immutable. 

On the other hand, crypto addresses with a higher value can be a good indicator of financial recovery and an appropriate target for seizure warrants.

Advantages of blockchain forensics

Blockchain technology brings to the table several advantages for tracking assets such as transparency and security as well as increased credibility of digital evidence.

While blockchain provides a tamper-proof area that records all transactions making it hard for fraud to occur in the first place, the creation of blockchain forensics tools helps tracking down stolen assets. 

Blockchain forensics can further help to obtain and monitor compliance with legal obligations that are especially important for certain businesses and industries and their financial transactions. 

Furthermore, in cases of legal disputes or lawsuits, the use of blockchain forensics can provide legally admissible evidence of financial transactions and activities to reach a fair judgement. 

Finally, by analysing patterns and activities on the blockchain network, researchers can gain valuable insights into the blockchain behaviour which can be used to improve the ecosystem, introduce new features of services as well as gain a deeper understanding of market dynamics.

Limitations of blockchain forensics tools

Similar to any other field related to forensics, blockchain forensics is associated with certain limitations.

If you wonder if it is hard to recover hacked funds within the world of decentralised finance (DeFi), why not read this article: 'Can I recover my hacked DeFi funds?'.

To understand the challenges blockchain forensic experts face in discovering illicit activities within the crypto space, it is important to learn about these limitations. Let's explain them briefly.

Anonymity and pseudonymity

As mentioned already in the text, crypto transactions don’t require users to provide personally-identifiable information as they are identified by cryptographic addresses. This anonymity or pseudonymity trait seems like a good venue for criminal activities.  

Even though the pseudonymity trait is still a challenge for financial crime investigators, the legal requirements to implement strict AML policies and KYC procedures has made it a bit easier to recover information for the purpose of legal proceedings.

Limited access to off-chain data

Blockchain forensics tools typically analyse on-chain data such as transactional data visible on the blockchain. On the other hand, important pieces of information can also be accommodated off-chain. 

Finding off-chain data, such as communication evidence, can be hard to find and would require cooperation from other entities.

The scalability of blockchains

Blockchains are able to handle a high transaction throughput and that presents a challenge for crypto forensics as well. With a growing number of crypto transactions, the blockchain network continues to expand which as well makes blockchain data collection and data analysis more time-consuming and cause a delay in spotting patterns of illicit behaviour.

Privacy-enhancing technological innovations

Technologies such as privacy coins as well as crypto mixers and tumblers enhance the privacy of users and present obstacles to blockchain forensics activities.  

Such technologies have the purpose to hide the origin and destination of crypto funds which makes it harder for investigators to trace transactions in an accurate manner. 

Additionally, more advanced users can implement sophisticated anonymisation methods to obfuscate their activities on the blockchain such as using multiple addresses, employing privacy-oriented cryptocurrencies as well as layering transactions.

Jurisdictional issues

Crypto transactions are not limited by geographical or jurisdictional boundaries which makes it hard for law enforcement agencies to enforce regulations across multiple jurisdictions. By exploiting the differences in jurisdictions, criminals can try to evade prosecution. 

Additionally, strict data protection regulations in several regions can make it hard for investigators to balance the need to access data while complying with data protection legal requirements. 

Finally, the crypto ecosystem is decentralised which means that it operates without a central authority. This trait makes it harder for law enforcement agencies to acquire subpoenas or freeze assets.