Intermediate | 1-3 days | 6 steps, 20 tools

Cryptocurrency Tracing Workflow

Tracing cryptocurrency transactions from a known address through the blockchain. Covers wallet identification, transaction graph analysis, exchange detection, and entity attribution.

Tags: crypto, blockchain, forensics, tracing

1. Seed Address Analysis

Start with your known address (the seed). Look up its balance, transaction history, first and last activity dates, and total volume. Identify what chain you're on and get familiar with the address's pattern of activity. Is it receiving from many addresses (possible exchange or service)? Sending to one address repeatedly (possible hot wallet to cold wallet)? Understanding the pattern tells you what you're dealing with.

Tip: For Bitcoin, bitcoin-cli with a full node gives you the most reliable data. For Ethereum, Cast (from Foundry) or Geth let you query transactions directly. Etherscan API works for quick lookups without running a node.

2. Transaction Graph Mapping

Trace the flow of funds in both directions. Follow the money forward (where did it go?) and backward (where did it come from?). Build a transaction graph showing all connected addresses and the amounts that flowed between them. Look for patterns like peeling chains (common in Bitcoin), token swaps (common in DeFi), and bridge transactions (cross-chain).

Tip: Cryo extracts raw blockchain data efficiently. TrueBlocks indexes Ethereum data for fast queries. GraphSense does automated clustering and analysis. For complex investigations, export the data and build your own graph in Neo4j or a similar tool.

3. Mixer and Obfuscation Detection

Check whether the funds passed through mixing services, privacy protocols, or obfuscation techniques. On Bitcoin, look for CoinJoin transactions (equal-output transactions with multiple participants). On Ethereum, check for Tornado Cash interactions or other mixing contracts. Cross-chain bridges are also used to break the trail.

Tip: Tornado Cash transactions have a distinctive pattern - fixed deposit amounts followed by withdrawal to a different address after a delay. WalletExplorer can identify known mixer addresses on Bitcoin. Not all obfuscation is unbeatable - timing analysis and amount correlation can sometimes de-anonymize mixed funds.

4. Exchange and Service Identification

Identify when funds hit a known exchange, payment processor, or service. Most crypto investigations end at an exchange because that's where KYC records exist. Use labeled address databases to identify known entity addresses and cluster analysis to group related addresses.

Tip: Nansen and Arkham maintain extensive labeled address databases. Whale Alert tracks large transactions in real time. When you find an exchange deposit, that's typically where law enforcement serves subpoenas. Document the chain from seed to exchange thoroughly.
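
An added example, not part of the original workflow or of any tool listed here: a breadth-first trace over a transfer list (step 2) that stops expanding at labeled addresses (step 4) and keeps the transaction path to each address as evidence. The transfers, addresses and the ExampleExchange label are constructed, and the function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample transfers (not real chain data): (txid, sender, receiver, amount)
TRANSFERS = [
    ("tx01", "victim", "seed", 10.0),
    ("tx02", "seed", "hop_a", 9.5),
    ("tx03", "seed", "change_1", 0.5),
    ("tx04", "hop_a", "hop_b", 9.0),
    ("tx05", "hop_a", "change_2", 0.5),
    ("tx06", "hop_b", "exch_deposit", 8.9),
    ("tx07", "hop_b", "hop_a", 0.1),  # cycle back to an earlier hop
]
# Constructed label set standing in for a labeled-address database
LABELS = {"exch_deposit": "ExampleExchange (hypothetical)"}


def build_graph(transfers, direction="forward"):
    """Adjacency map: address -> list of (neighbor, txid, amount)."""
    graph = defaultdict(list)
    for txid, src, dst, amount in transfers:
        if direction == "backward":  # follow funds to their source instead
            src, dst = dst, src
        graph[src].append((dst, txid, amount))
    return graph


def trace(transfers, seed, direction="forward", max_hops=5, labels=LABELS):
    """Breadth-first trace from seed. Returns {address: path}; each path is the
    list of (txid, from, to, amount) hops in traversal order. Labeled addresses
    are recorded but not expanded: a service wallet pools many users' funds."""
    graph = build_graph(transfers, direction)
    paths = {seed: []}
    queue = deque([(seed, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops or (addr in labels and addr != seed):
            continue
        for nxt, txid, amount in graph[addr]:
            if nxt in paths:  # already reached by a path at least as short
                continue
            paths[nxt] = paths[addr] + [(txid, addr, nxt, amount)]
            queue.append((nxt, hops + 1))
    return paths


def labeled_endpoints(paths, labels=LABELS):
    """Traced addresses that carry an entity label, with their evidence path."""
    return {a: (labels[a], p) for a, p in paths.items() if a in labels}
```

The path returned for each labeled endpoint is the ordered list of transaction IDs from seed to that address, which is the chain step 6 asks you to document.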

5. DeFi and Smart Contract Analysis

If the funds interacted with DeFi protocols, analyze those interactions. Did they swap tokens on a DEX? Provide liquidity? Use a lending protocol? Each interaction leaves on-chain evidence. Decode the smart contract calls to understand exactly what happened with the funds.

Tip: Cast can decode transaction calldata against known ABIs. EigenPhi visualizes DeFi transaction flows. DeBank API shows a wallet's complete DeFi positions and history. Token approvals can reveal which contracts a wallet has interacted with even if the transactions aren't obvious.

6. Report and Evidence Preservation

Document the complete flow of funds with transaction hashes, timestamps, amounts, and entity attributions at every step. Blockchain data is immutable, but your analysis and the labeled databases you referenced might change. Preserve everything - screenshots of block explorer pages, API responses, and your graph visualizations.

Tip: Use CyberChef to convert between hex, decimal, and other encodings when working with raw blockchain data. Export your transaction graph as both a visual diagram and raw data. For legal proceedings, every link in the chain needs to be documented with the source of attribution.