Wallet Tracing Techniques
Wallet tracing is the foundation of cryptocurrency investigation. The goal is to follow the flow of funds from the crime (the victim's payment or the stolen funds) to identifiable endpoints, typically an exchange account, where a real-world identity can be attached to the perpetrator.
The Tracing Process
Identify the Starting Point
Obtain the initial address from the victim - the wallet where funds were sent or from which funds were stolen. Document the transaction hash and timestamp.
Explore Transaction History
Use block explorers to examine all incoming and outgoing transactions. Note transaction amounts, timestamps, and connected addresses.
Follow the Funds
Track where funds move next. Funds may split across multiple addresses or consolidate. Follow each branch of the money trail.
Identify Endpoints
Look for identifiable destinations: exchange deposit addresses, known service wallets, merchant addresses, or addresses with attributable patterns.
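The four steps above, as an added worked example (not code from the course or from any tool it names): a breadth-first follow-the-funds over a small constructed ledger. The transactions, addresses and the KNOWN_SERVICES label table are all made up for illustration; in a real case the labels come from an attribution database or from the exchange confirming that a deposit address is theirs. Amounts are integer satoshis so hop totals never suffer floating-point drift.

```python
from collections import deque, namedtuple

# Constructed UTXO-style ledger, not real chain data. An input names the outpoint
# it spends as (prev_txid, vout); an output is (address, satoshis).
Tx = namedtuple("Tx", "txid time inputs outputs")

# Assumed label table. Real labels come from an attribution database or from the
# exchange confirming the deposit address; these addresses are placeholders.
KNOWN_SERVICES = {
    "bc1qexch_dep_01": "Exchange X deposit address",
    "bc1qmixer_in_07": "Known mixer deposit address",
}

SAMPLE_TXS = [
    Tx("tx00", 900, [], [("bc1qvictim", 201_000_000)]),                   # victim's own funds
    Tx("tx01", 1000, [("tx00", 0)], [("bc1qcrime", 200_000_000),          # ransom payment: start here
                                     ("bc1qvictimchg", 990_000)]),
    Tx("tx02", 1030, [("tx01", 0)], [("bc1qa1", 150_000_000),             # split three ways 30 min later
                                     ("bc1qa2", 30_000_000),
                                     ("bc1qa3", 19_990_000)]),
    Tx("tx03", 1200, [("tx02", 0)], [("bc1qb1", 145_000_000),
                                     ("bc1qb1chg", 4_990_000)]),
    Tx("tx04", 1500, [("tx03", 0)], [("bc1qexch_dep_01", 144_990_000)]),  # largest branch reaches an exchange
    Tx("tx05", 1300, [("tx02", 1)], [("bc1qmixer_in_07", 29_990_000)]),   # second branch goes to a mixer
]


def build_index(txs):
    """Map txid -> Tx, and outpoint -> txid of the transaction that spends it."""
    by_id = {t.txid: t for t in txs}
    spent_by = {outpoint: t.txid for t in txs for outpoint in t.inputs}
    return by_id, spent_by


def tx_fee(tx, by_id):
    """Miner fee = sum(inputs) - sum(outputs); worth recording for every hop."""
    in_sats = sum(by_id[prev].outputs[vout][1] for prev, vout in tx.inputs)
    return in_sats - sum(sats for _, sats in tx.outputs)


def trace(txs, start_txid, start_vout, max_hops=10):
    """Breadth-first follow-the-funds from a single output.

    Every branch is followed until it reaches a labelled service, sits unspent,
    or exceeds max_hops. Each endpoint carries the txid path that led to it so
    the hop sequence can be documented for the case file.
    """
    by_id, spent_by = build_index(txs)
    start = (start_txid, start_vout)
    queue = deque([(start, 0, [start_txid])])
    seen = {start}
    endpoints = []
    while queue:
        (txid, vout), hops, path = queue.popleft()
        addr, sats = by_id[txid].outputs[vout]
        if addr in KNOWN_SERVICES:
            endpoints.append({"address": addr, "label": KNOWN_SERVICES[addr],
                              "sats": sats, "hops": hops, "path": path})
            continue
        next_txid = spent_by.get((txid, vout))
        if next_txid is None or hops >= max_hops:
            label = "unspent" if next_txid is None else "hop limit reached"
            endpoints.append({"address": addr, "label": label,
                              "sats": sats, "hops": hops, "path": path})
            continue
        for i in range(len(by_id[next_txid].outputs)):   # follow every output of the spending tx
            outpoint = (next_txid, i)
            if outpoint not in seen:
                seen.add(outpoint)
                queue.append((outpoint, hops + 1, path + [next_txid]))
    return endpoints


if __name__ == "__main__":
    for ep in trace(SAMPLE_TXS, "tx01", 0):
        print(f"{ep['hops']} hop(s)  {ep['sats'] / 1e8:.8f} BTC  {ep['address']:<16} "
              f"{ep['label']}  via {' -> '.join(ep['path'])}")
```

Tracing outpoints rather than addresses matters: an address can receive many coins, and only the specific output funded by the crime is evidence. Unspent endpoints are worth watching, since a later spend may reveal a new branch.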
Address Clustering
Address clustering groups multiple addresses likely controlled by the same entity. This expands the investigation scope and helps identify the full wallet:
Common Input Ownership
When multiple addresses are used as inputs in a single transaction, they are likely controlled by the same person, because every input had to be signed with its own private key. Caveat: CoinJoin transactions are built jointly by several users precisely to defeat this heuristic, so exclude CoinJoin-like transactions (many inputs, several equal-value outputs) before clustering, or unrelated users will be merged into one cluster.
Change Address Analysis
Bitcoin transactions often send change back to a new address controlled by the sender. Identifying the change output adds that address to the sender's cluster. Typical signals: the output goes to a never-before-seen address, its amount is not a round number (the payee asked for a round sum; change is whatever is left after the fee), and its script type often matches the inputs.
Behavioral Patterns
Similar transaction timing, amounts, or patterns can suggest common ownership across addresses.
Transaction: abc123...
INPUTS:
- Address bc1q...xyz (0.5 BTC)
- Address 1abc...def (0.3 BTC)
- Address 3xyz...ghi (0.2 BTC)
OUTPUTS:
- Address 1new...abc (0.9 BTC) [Likely recipient]
- Address bc1q...chg (0.08 BTC) [Likely change]
Analysis:
- Inputs total 1.0 BTC and outputs total 0.98 BTC; the 0.02 BTC difference is the miner fee
- All three input addresses are likely controlled by the same entity
- The sender had to sign with the private key for every input
- The smaller output to a fresh address is likely change, so it also belongs to the sender
- Four addresses are now linked into one wallet cluster
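Both heuristics implemented over a constructed ledger, as an added example that is not part of the course material. The transactions and addresses are invented; the union-find structure is the standard way to grow clusters as links are discovered. The "fresh address plus non-round amount" rule in guess_change is a simplification of the real change heuristics, and the small looks_like_coinjoin filter is there because a CoinJoin would otherwise merge unrelated users into one cluster.

```python
from collections import Counter, namedtuple

# Constructed sample ledger (not real chain data); inputs/outputs are (address, satoshis).
Tx = namedtuple("Tx", "txid inputs outputs")

SAMPLE_TXS = [
    # Alice pays a merchant 0.2 BTC; the non-round remainder goes to a fresh address.
    Tx("t1", [("1Alice1", 60_000_000)],
             [("1Merchant", 20_000_000), ("bc1qalice2", 39_990_000)]),
    # Alice spends that change together with a second coin (common-input heuristic).
    Tx("t2", [("bc1qalice2", 39_990_000), ("3Alice3", 10_000_000)],
             [("1Merchant", 44_000_000), ("bc1qalice4", 5_980_000)]),
    # A CoinJoin: five users, five equal 0.05 BTC outputs plus each user's change.
    # Its inputs are NOT commonly owned, so it must be excluded from clustering.
    Tx("t3", [("bc1qalice4", 5_980_000), ("bc1qbob1", 6_000_000), ("bc1qcarol1", 7_000_000),
              ("bc1qdave1", 5_500_000), ("bc1qerin1", 9_000_000)],
             [("bc1qmix1", 5_000_000), ("bc1qmix2", 5_000_000), ("bc1qmix3", 5_000_000),
              ("bc1qmix4", 5_000_000), ("bc1qmix5", 5_000_000),
              ("bc1qalice5", 970_000), ("bc1qbob2", 990_000), ("bc1qcarol2", 1_990_000),
              ("bc1qdave2", 490_000), ("bc1qerin2", 3_990_000)]),
    # Bob later spends two of his coins together.
    Tx("t4", [("bc1qbob2", 990_000), ("1Bob3", 2_000_000)],
             [("1Merchant", 2_000_000), ("bc1qbob4", 980_000)]),
]


class UnionFind:
    """Disjoint-set forest: union(a, b) merges the clusters containing a and b."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_inputs=5, min_equal_outputs=3):
    """Equal-output CoinJoins break the common-input heuristic; skip them."""
    equal = max(Counter(sats for _, sats in tx.outputs).values())
    return len(tx.inputs) >= min_inputs and equal >= min_equal_outputs


def guess_change(tx, seen_addresses, round_unit=100_000):
    """Simplified change heuristic: the single output that goes to a never-seen
    address AND is not a round amount (assumption: payees are asked for round
    sums; change is what is left after the fee). Returns None when ambiguous."""
    candidates = [addr for addr, sats in tx.outputs
                  if addr not in seen_addresses and sats % round_unit != 0]
    return candidates[0] if len(candidates) == 1 else None


def cluster(txs):
    """Apply both heuristics in chain order; return the address clusters as sets."""
    uf = UnionFind()
    seen = set()
    for tx in txs:
        if tx.inputs and not looks_like_coinjoin(tx):
            first_input = tx.inputs[0][0]
            for addr, _ in tx.inputs[1:]:
                uf.union(first_input, addr)          # common-input ownership
            change = guess_change(tx, seen)
            if change:
                uf.union(first_input, change)        # change output belongs to the sender
        seen.update(addr for addr, _ in tx.inputs)
        seen.update(addr for addr, _ in tx.outputs)
    groups = {}
    for addr in seen:
        groups.setdefault(uf.find(addr), set()).add(addr)
    return list(groups.values())


def cluster_of(clusters, address):
    """Return the cluster containing `address` (a singleton if it was never linked)."""
    return next((c for c in clusters if address in c), {address})


if __name__ == "__main__":
    clusters = cluster(SAMPLE_TXS)
    print("Alice:", sorted(cluster_of(clusters, "1Alice1")))
    print("Bob:  ", sorted(cluster_of(clusters, "1Bob3")))
```

Without the CoinJoin filter, t3 would fold Alice, Bob, Carol, Dave and Erin into one cluster, which is exactly the false attribution a defence lawyer will look for. Record which heuristic produced each link so the cluster can be defended in court.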
Transaction Graph Analysis
Transaction graph analysis visualizes the flow of funds as a network, revealing patterns that aren't visible in linear tracing.
Key Analysis Patterns
| Pattern | Description | Interpretation |
|---|---|---|
| Peel Chain | Repeatedly peeling small amounts while passing bulk forward | Gradual cash-out, often through exchanges or P2P sales |
| Consolidation | Many inputs combining into one output | Aggregating funds before large transaction or mixing |
| Fan-out | One input splitting to many outputs | Distribution (legitimate or money mule network) |
| Round Trip | Funds returning to original or related address | Failed mixing attempt or self-transfers |
| Hop Pattern | Quick successive transfers through multiple addresses | Attempted obfuscation, mixer input |
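An added example (not part of the course material) that labels transactions with the patterns in the table above and then walks peel chains to list the peeled outputs, which are the first places to check against exchange deposit lists. The ledger is constructed, and the thresholds (fan_threshold=5 inputs or outputs, peel_ratio=0.8 of the value carried forward) are assumptions chosen for the sample data, not established constants.

```python
from collections import namedtuple

# Constructed sample ledger (not real chain data); inputs/outputs are (address, satoshis).
Tx = namedtuple("Tx", "txid time inputs outputs")

SAMPLE_TXS = [
    # A four-step peel chain: each hop peels a few million sats and passes the bulk on.
    Tx("p1", 100, [("bc1qp0", 100_000_000)], [("bc1qpeel1", 5_000_000), ("bc1qp1", 94_990_000)]),
    Tx("p2", 160, [("bc1qp1", 94_990_000)],  [("bc1qpeel2", 6_000_000), ("bc1qp2", 88_980_000)]),
    Tx("p3", 220, [("bc1qp2", 88_980_000)],  [("bc1qpeel3", 4_000_000), ("bc1qp3", 84_970_000)]),
    Tx("p4", 300, [("bc1qp3", 84_970_000)],  [("bc1qpeel4", 7_000_000), ("bc1qp4", 77_960_000)]),
    # Consolidation: six coins swept into one output.
    Tx("c1", 400, [(f"bc1qin{i}", 10_000_000) for i in range(6)], [("bc1qsweep", 59_950_000)]),
    # Fan-out: one coin split into eight outputs (payroll, or a mule network).
    Tx("f1", 500, [("bc1qsweep", 59_950_000)], [(f"bc1qout{i}", 7_490_000) for i in range(8)]),
    # Ordinary 50/50 split: two outputs, but not a peel.
    Tx("s1", 600, [("bc1qx", 20_000_000)], [("bc1qy", 9_995_000), ("bc1qz", 9_995_000)]),
]


def classify(tx, fan_threshold=5, peel_ratio=0.8):
    """Label one transaction with a graph pattern from the table."""
    n_in, n_out = len(tx.inputs), len(tx.outputs)
    if n_in >= fan_threshold and n_out == 1:
        return "consolidation"
    if n_in == 1 and n_out >= fan_threshold:
        return "fan-out"
    if n_in <= 2 and n_out == 2:
        total = sum(sats for _, sats in tx.outputs)
        if max(sats for _, sats in tx.outputs) / total >= peel_ratio:
            return "peel"
    return "other"


def find_peel_chains(txs, min_length=3):
    """Link peel transactions through their bulk output and return every chain of
    at least min_length steps, with the peeled (likely cash-out) outputs."""
    spent_by = {addr: t.txid for t in txs for addr, _ in t.inputs}   # address -> spending txid
    by_id = {t.txid: t for t in txs}
    peels = {t.txid for t in txs if classify(t) == "peel"}

    def bulk_and_peel(t):
        big, small = sorted(t.outputs, key=lambda o: o[1], reverse=True)
        return big, small

    # A peel tx reached from another peel's bulk output is a continuation, not a chain start.
    continued = set()
    for txid in peels:
        nxt = spent_by.get(bulk_and_peel(by_id[txid])[0][0])
        if nxt in peels:
            continued.add(nxt)

    chains = []
    for start in sorted(peels - continued, key=lambda x: by_id[x].time):
        txids, peeled, txid = [], [], start
        while txid in peels and txid not in txids:          # guard against address-reuse loops
            big, small = bulk_and_peel(by_id[txid])
            txids.append(txid)
            peeled.append(small)
            txid = spent_by.get(big[0])
        if len(txids) >= min_length:
            chains.append({"txids": txids, "peeled": peeled, "remaining": big})
    return chains


if __name__ == "__main__":
    for t in SAMPLE_TXS:
        print(t.txid, classify(t))
    for chain in find_peel_chains(SAMPLE_TXS):
        print("peel chain", " -> ".join(chain["txids"]))
        for addr, sats in chain["peeled"]:
            print(f"  peeled {sats / 1e8:.8f} BTC to {addr}")
        print(f"  bulk still at {chain['remaining'][0]}")
```

In a real investigation the peeled outputs are the ones to run against exchange deposit address lists, while the final bulk output tells you how much remains to be frozen.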
UTXO Analysis (Bitcoin-Specific)
Bitcoin uses the UTXO (Unspent Transaction Output) model. Understanding UTXO helps in tracing:
- UTXOs are atomic: a UTXO is consumed in full when spent; you cannot spend part of one
- Change creation: if the amount sent is less than the UTXO value, the remainder (minus the fee) returns to an output the sender controls, usually a fresh address
- UTXO age: old UTXOs being spent may indicate cold storage being accessed, or a long-dormant wallet coming back to life
- Dust UTXOs: very small amounts sent unsolicited to many addresses; if the target wallet later spends the dust together with its other coins, the common-input heuristic links those coins, which is the point of a dust attack
Mixer and Tumbler Detection
Mixers (also called tumblers) are services designed to break the transaction trail by pooling funds from multiple users and redistributing them. Detecting mixer usage is crucial for investigation.
How Mixers Work
User A sends 1 BTC   -->              --> User A receives 1 BTC (minus fee)
User B sends 2 BTC   -->  [  Pool  ]  --> User B receives 2 BTC (minus fee)
User C sends 1.5 BTC -->              --> User C receives 1.5 BTC (minus fee)
Key obfuscation:
- Output coins have NO direct link to input coins
- Multiple users' funds are pooled
- Time delays add further obfuscation
- Amounts may be randomized/split
Types of Mixing Services
Centralized Mixers
Custodial services such as the now-defunct BestMixer and Helix take deposits and pay out from a pool. They are a single point of failure: if the operator keeps logs, is compromised, or is seized, the input-to-output mapping is recoverable.
CoinJoin
Multiple users jointly build a single transaction (Wasabi Wallet, Samourai Whirlpool). No operator takes custody of the funds, and the outputs are made equal in amount so they cannot be matched back to inputs by value.
Cross-Chain Swaps
Converting between different cryptocurrencies to break the chain. Bitcoin to Monero and back is common.
Mixer Detection Indicators
- Known Mixer Addresses: Commercial analysis tools maintain databases of known mixer addresses
- Equal Output Amounts: CoinJoin typically produces several identical output amounts (for example 0.01 or 0.1 BTC), alongside smaller, unequal change outputs
- Large Input Counts: CoinJoin transactions have many inputs from different users
- Timing Patterns: Mixing services often have characteristic delays
- Round-Trip Time: Time between deposit and withdrawal follows patterns
- Behavioral Change: Sudden shift from normal wallet behavior to mixing patterns
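The indicators above turned into a scoring function, plus a check for the behavioural change mentioned last, as an added example that is not from the page or from any commercial tool. KNOWN_MIXER_ADDRESSES and POOL_DENOMINATIONS are placeholders: real values come from an attribution database, and the two denominations are simply the 0.01 and 0.1 BTC examples cited in the text. The ledger is constructed.

```python
from collections import Counter, namedtuple

# Constructed sample ledger (not real chain data); inputs/outputs are (address, satoshis).
Tx = namedtuple("Tx", "txid time inputs outputs")

# Assumed attribution data: placeholder addresses, not a real mixer database.
KNOWN_MIXER_ADDRESSES = {"bc1qknownmixer01"}
# Assumed pool denominations in satoshis (0.01 and 0.1 BTC, the examples in the text).
POOL_DENOMINATIONS = {1_000_000, 10_000_000}
MIXING_VERDICTS = {"likely CoinJoin", "known mixer address"}

SAMPLE_TXS = [
    # Ordinary payment with change.
    Tx("n1", 1000, [("bc1qw1", 30_000_000)], [("1Shop", 12_000_000), ("bc1qw2", 17_990_000)]),
    # Equal-output CoinJoin: six inputs from different wallets, six 0.1 BTC outputs plus change.
    Tx("cj1", 2000,
       [("bc1qw2", 17_990_000), ("bc1qu1", 11_000_000), ("bc1qu2", 10_500_000),
        ("bc1qu3", 12_000_000), ("bc1qu4", 10_200_000), ("bc1qu5", 10_050_000)],
       [("bc1qo1", 10_000_000), ("bc1qo2", 10_000_000), ("bc1qo3", 10_000_000),
        ("bc1qo4", 10_000_000), ("bc1qo5", 10_000_000), ("bc1qo6", 10_000_000),
        ("bc1qw3", 7_980_000), ("bc1qc1", 990_000), ("bc1qc2", 490_000),
        ("bc1qc3", 1_990_000), ("bc1qc4", 190_000), ("bc1qc5", 40_000)]),
    # Deposit straight into a known centralized mixer.
    Tx("m1", 3000, [("bc1qw3", 7_980_000)], [("bc1qknownmixer01", 7_970_000)]),
]


def coinjoin_indicators(tx, min_inputs=5, min_equal_outputs=3):
    """Score one transaction against the mixer-detection indicators."""
    values = Counter(sats for _, sats in tx.outputs)
    top_value, top_count = values.most_common(1)[0]
    input_addrs = {addr for addr, _ in tx.inputs}
    all_addrs = input_addrs | {addr for addr, _ in tx.outputs}
    equal = top_count >= min_equal_outputs
    ind = {
        "known_mixer_address": bool(all_addrs & KNOWN_MIXER_ADDRESSES),
        "equal_outputs": equal,
        "equal_output_value": top_value if equal else None,
        "pool_denomination": equal and top_value in POOL_DENOMINATIONS,
        "many_inputs": len(tx.inputs) >= min_inputs,
        "distinct_input_addresses": len(input_addrs),
    }
    if ind["known_mixer_address"]:
        ind["verdict"] = "known mixer address"
    elif ind["equal_outputs"] and ind["many_inputs"]:
        ind["verdict"] = "likely CoinJoin"
    elif ind["equal_outputs"] or ind["many_inputs"]:
        ind["verdict"] = "weak indicators, review manually"
    else:
        ind["verdict"] = "no mixer indicators"
    return ind


def mixing_timeline(txs, wallet_addresses):
    """Verdict for every transaction spending from the given wallet cluster, in
    time order, so a sudden switch from normal payments to mixing stands out."""
    timeline = []
    for tx in sorted(txs, key=lambda t: t.time):
        if any(addr in wallet_addresses for addr, _ in tx.inputs):
            timeline.append((tx.txid, tx.time, coinjoin_indicators(tx)["verdict"]))
    return timeline


def first_mixing_activity(txs, wallet_addresses):
    """(txid, time) of the cluster's first mixing-flagged spend, or None."""
    for txid, time, verdict in mixing_timeline(txs, wallet_addresses):
        if verdict in MIXING_VERDICTS:
            return txid, time
    return None


if __name__ == "__main__":
    wallet = {"bc1qw1", "bc1qw2", "bc1qw3"}          # cluster from earlier analysis (assumed)
    for txid, time, verdict in mixing_timeline(SAMPLE_TXS, wallet):
        print(txid, time, verdict)
    print("first mixing activity:", first_mixing_activity(SAMPLE_TXS, wallet))
```

The timestamp of the first mixing-flagged spend is the cut-off for pre-mixer analysis: everything before it is still traceable, and the inputs of that transaction are the last fully attributable coins.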
Monero (XMR) uses ring signatures and stealth addresses making transaction tracing extremely difficult. If funds convert to Monero, the trail often goes cold. Note the conversion point as it may still lead to exchange KYC data.
Exchange Cooperation and KYC
Cryptocurrency exchanges are critical chokepoints where pseudonymous blockchain addresses connect to real-world identities through KYC (Know Your Customer) requirements.
Exchange Data Available
| Data Type | Description | Evidentiary Value |
|---|---|---|
| KYC Documents | ID proofs, selfies, address proofs | Identifies account holder |
| Deposit Addresses | Blockchain addresses linked to user account | Links blockchain to identity |
| Trade History | All buys, sells, conversions | Shows fund handling patterns |
| Withdrawal History | External addresses where funds were sent | Identifies further fund destinations |
| Login Records | IP addresses, timestamps, devices | Location and device forensics |
| Bank Linkages | Linked bank accounts for fiat transactions | Traditional banking trail |
Requesting Data from Exchanges
Indian Exchanges
For exchanges registered in India (WazirX, CoinDCX, ZebPay, etc.):
- Direct request from Cyber Cell/Police to exchange nodal officer
- Reference FIR number and relevant sections
- Cite Section 91 CrPC for document production (Section 94 BNSS, 2023 is the corresponding provision for cases registered under the new criminal codes)
- Most cooperate within 7-14 days
International Exchanges
For exchanges like Binance, Coinbase, Kraken:
- MLAT (Mutual Legal Assistance Treaty) process for formal requests
- Many have Law Enforcement portals for verified requests
- Binance has dedicated Law Enforcement Response Team
- Emergency requests may be handled faster for ongoing crimes
To: Law Enforcement Contact / Nodal Officer
[Exchange Name]
Re: Information Request - FIR No. XXX/2026
We are investigating a cryptocurrency fraud case registered vide
FIR No. XXX/2026 at PS [Name] u/s 66C, 66D IT Act and 420 IPC (cite Section 318(4) BNS in place of 420 IPC where the case is registered under the 2023 codes).
Target Cryptocurrency Addresses:
- Bitcoin: 1AbcXyz...
- Ethereum: 0x742d35...
Requested Information:
1. Account holder details including KYC documents for any account
associated with above addresses
2. Complete deposit and withdrawal history
3. Trade/conversion history
4. Login IP addresses and timestamps
5. Any linked bank accounts
Please provide above information within 7 days.
[IO Name, Designation, Contact]
Investigation Tools and Platforms
Free/Open Source Tools
| Tool | Function | URL |
|---|---|---|
| Blockchain.com Explorer | Bitcoin transaction lookup, address history | blockchain.com/explorer |
| Etherscan | Ethereum/ERC-20 transaction tracking | etherscan.io |
| Blockchair | Multi-chain explorer with search | blockchair.com |
| Wallet Explorer | Bitcoin address clustering | walletexplorer.com |
| OXT | Bitcoin privacy analysis | oxt.me |
Commercial Analysis Platforms
Chainalysis
Industry-leading platform used by law enforcement globally. Provides attribution, clustering, and risk scoring. Reactor tool for investigation.
Elliptic
Transaction monitoring and forensics. Strong in identifying illicit activity patterns and compliance screening.
CipherTrace
Now part of Mastercard. Cryptocurrency intelligence and compliance. Used by financial institutions and law enforcement.
The Cryptocurrency Address Analyzer tool in this course provides basic address lookup and transaction history. Use it to practice tracing before moving to more advanced commercial tools.
Systematic Investigation Methodology
Crypto Investigation Workflow
Initial Intelligence Gathering
Collect all available cryptocurrency addresses from victim, wallet apps, communications, ransom notes. Identify blockchain type (Bitcoin, Ethereum, etc.).
Preliminary Blockchain Analysis
Use block explorers to examine initial addresses. Check balance, transaction count, first/last activity. Identify transaction types and patterns.
Fund Flow Tracing
Follow funds hop-by-hop. Document each transaction. Note splits, consolidations, and patterns. Create visual flow diagram.
Service Identification
Identify if funds reach known services: exchanges, mixers, gambling sites, darknet markets. Check against known address databases.
Exchange/Service Requests
Send formal requests to identified exchanges for KYC data. Parallel requests if multiple exchanges involved.
Identity Attribution
Correlate exchange KYC with other evidence. Cross-reference IPs, phone numbers, email addresses with traditional investigation.
Case Studies
Scenario: A company paid a 2 BTC ransomware ransom to address 1RansomXYZ... The victim reported to the cyber cell with the transaction details.
Investigation Process:
- Initial address showed funds moved within 30 minutes to three different addresses
- Followed largest portion (1.5 BTC) through 5 hops over 48 hours
- Final destination identified as deposit address at Exchange X (matched known exchange deposit patterns)
- Formal request to Exchange X revealed account registered with forged PAN but valid phone number
- CDR analysis of phone number led to identification of suspect
Outcome: Suspect arrested. Partial funds (0.8 BTC) still in exchange account were frozen and later returned to victim.
Scenario: Victim lost Rs. 15 lakhs in romance scam. Scammer requested payments via UPI initially, then convinced victim to buy Bitcoin and send to "investment wallet."
Investigation Process:
- Traced UPI payments to money mule accounts (separate investigation track)
- Victim's exchange account showed Bitcoin purchases and withdrawals to scammer's address
- Scammer's address analysis showed funds from multiple victims (clustering identified 12 addresses receiving from 40+ sources)
- All funds eventually consolidated and moved through mixing service
- Post-mixer trace lost, but pre-mixer analysis identified one address receiving funds from Indian exchange
- Exchange cooperation revealed another mule account with minimal KYC but active phone
Outcome: Mule arrested, provided information about scam network operating from abroad. International cooperation initiated.
- Wallet tracing follows funds from crime address to identifiable endpoints - document every hop
- Address clustering using common inputs and change analysis expands investigation scope
- Recognize transaction patterns: peel chains, consolidation, fan-out, and mixer indicators
- Mixers break transaction trails - detect them through equal outputs, large input counts, and known addresses
- Exchange KYC is often the breakthrough - identify exchange addresses and send formal requests
- Indian exchanges generally cooperative; international exchanges require proper legal process
- Free tools (block explorers) are sufficient for basic tracing; commercial tools add attribution and clustering
- Always create visual fund flow diagrams and maintain detailed documentation for court
- Privacy coins (Monero) can break the trail - note conversion points for potential KYC data