How to Trace a Cryptocurrency Transaction: A Guide for Investigators

How investigators lawfully trace a cryptocurrency transaction: blockchain tracing, the KYC exchange chokepoint, tools, mixers, the travel rule and legal process.
Cryptocurrency is often called anonymous. For investigators, the more useful word is pseudonymous. Most public blockchains record every transfer on an open, permanent ledger that anyone can read, which in many respects makes them more traceable than cash. This reference sets out the lawful methodology for following funds across a blockchain and attributing them to a real person, and it assumes throughout that you are acting under proper legal authority.
- Public blockchains are pseudonymous, not anonymous. Every transfer is permanent and readable, so funds can be followed hop by hop.
- The hard part is attribution, not tracing. A pseudonym becomes a person at the cash-out point, which is almost always a KYC-regulated exchange or VASP.
- Blockchain analysis gets you to the exchange door; only legal process (subpoena, court order, warrant or MLAT) opens it.
- Mixers, peel chains and cross-chain bridges raise the cost of tracing but rarely defeat it, because mixed funds still have to exit somewhere.
- Stablecoins now carry about 84% of illicit on-chain volume, and issuers such as Tether can freeze tokens at the contract level in coordination with law enforcement.

How blockchain tracing works
A public blockchain is a shared, append-only ledger. Every transfer is broadcast, validated and written into a block that is then effectively immutable. Each transaction carries a unique identifier, the transaction hash or TXID, and moves value between addresses, which are long alphanumeric strings derived from cryptographic keys.
Addresses are not names. They are pseudonyms. The investigative task is to follow value from address to address until it reaches a point where a pseudonym can be tied to an identity.
Two ledger models matter:
- UTXO model (Bitcoin and relatives): a balance is the sum of discrete "coins" a wallet can spend. A transaction consumes inputs and creates new outputs, often including a "change" output back to the sender.
- Account model (Ethereum and most newer chains): behaves more like a bank ledger, where addresses hold balances that are debited and credited.
Because users rarely operate a single address, investigators rely on address clustering: heuristics that group addresses likely controlled by one entity. The classic example is the common-input-ownership heuristic, where several inputs spent together in one Bitcoin transaction are usually controlled by one party. Clustering is what turns a scatter of addresses into an attributable wallet, and it is the engine behind commercial analytics tools.
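The common-input-ownership heuristic can be written as a union-find over transaction inputs. The sketch below is an added example, not code from any tool named in this guide; the transactions are constructed, and the CoinJoin screening rule (three or more inputs with three or more equal-value outputs) is an assumed simplification that shows why co-spent inputs must not be merged blindly.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data); values are in satoshis.
TXS = [
    {"txid": "tx1", "inputs": [("A1", 50), ("A2", 70)], "outputs": [("B1", 100), ("A3", 19)]},
    {"txid": "tx2", "inputs": [("A3", 19), ("A4", 40)], "outputs": [("C1", 58)]},
    # CoinJoin-shaped: three inputs from different users, three equal-value outputs.
    {"txid": "tx3", "inputs": [("A4", 100), ("D1", 100), ("E1", 100)],
     "outputs": [("X1", 99), ("X2", 99), ("X3", 99)]},
    {"txid": "tx4", "inputs": [("D1", 30), ("D2", 20)], "outputs": [("F1", 49)]},
]

def looks_like_coinjoin(tx, min_equal=3):
    """Assumed screening rule: at least min_equal inputs and min_equal equal-value outputs."""
    counts = defaultdict(int)
    for _, value in tx["outputs"]:
        counts[value] += 1
    return len(tx["inputs"]) >= min_equal and max(counts.values(), default=0) >= min_equal

def cluster_addresses(txs, skip_coinjoin=True):
    """Group input addresses with union-find; return (clusters, skipped txids)."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    skipped = []
    for tx in txs:
        roots = [find(addr) for addr, _ in tx["inputs"]]  # registers every input address
        if skip_coinjoin and looks_like_coinjoin(tx):
            skipped.append(tx["txid"])  # co-spent inputs here do not imply one owner
            continue
        for root in roots[1:]:
            parent[find(root)] = find(roots[0])
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return sorted(sorted(c) for c in clusters.values()), skipped

if __name__ == "__main__":
    for members in cluster_addresses(TXS)[0]:
        print(members)
```

With the screen disabled, the single CoinJoin-shaped transaction fuses three unrelated wallets into one cluster, which is the false attribution an investigator has to guard against. Note that A3, the change output of tx1, is not linked to A1 and A2 by this heuristic alone; change detection is a separate heuristic.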
The KYC chokepoint: why exchanges matter
The single most important concept for an investigator is the exit. Pseudonymous funds only become spendable in the real economy when they are cashed out, typically at a centralised exchange or other virtual asset service provider (VASP).
Regulated exchanges perform Know Your Customer (KYC) checks, so they hold the name, ID documents, bank details and IP logs behind an account. The exchange is therefore the KYC chokepoint: the place where a blockchain pseudonym meets a verified identity.
Blockchain analysis gets you to the exchange door. Legal process opens it. Keep that division clear, because it separates the open-source half of the work from the half that requires authority to compel disclosure.
The tracing procedure
- Capture the TXID, addresses and evidence. Start from whatever the report gives you: a transaction hash, a destination address, a wallet screenshot, an exchange receipt. Record the TXID, sending and receiving addresses, amounts, timestamps and the chain involved. Preserve everything contemporaneously and document your chain of custody.
- Follow the flow on a block explorer. Look the TXID and addresses up on a public explorer to confirm the transaction, see where funds went next, and map the outbound hops. For simple cases a free explorer reaches the cash-out point; for peel chains and clustering, commercial software saves hours and produces court-ready attribution.
- Identify the off-ramp exchange or VASP. Trace forward until funds arrive at a deposit address belonging to a recognised service. Analytics platforms label many exchange deposit clusters automatically. Establishing which regulated entity received the funds, ideally with the specific deposit address and timestamp, is the pivot from open-source tracing to legal action.
- Send a lawful preservation request to the exchange's law-enforcement channel. Most major exchanges run a dedicated system (see below). Send a preservation request first to stop records being aged out, then serve the formal data request appropriate to your jurisdiction.
- Obtain KYC attribution under legal process. Once the exchange responds to valid legal process, you receive the account holder's identity, KYC documents, linked bank accounts, login IPs and transaction history. This converts a pseudonym into a named suspect and supports asset freezing or seizure.
Tools investigators use
Tooling falls into three tiers. Free explorers read transactions and follow simple flows. Commercial analytics add automated clustering, entity labelling, mixer demixing and case management built for evidentiary use. Open-source tools sit in between. Choose the tier that matches the complexity of the trail and the evidentiary standard you must meet.
| Tier | Examples | Typical use |
|---|---|---|
| Block explorers (free) | Etherscan (Ethereum), blockchain.com (Bitcoin), mempool.space (Bitcoin) | Confirm a TXID, read inputs/outputs, follow simple hops, check confirmations |
| Commercial analytics | Chainalysis Reactor, TRM Labs, Elliptic | Automated clustering, entity attribution, mixer tracing, court-ready reporting |
| Open-source / community | GraphSense, Breadcrumbs | Visual graph investigation and self-hosted analytics without a commercial licence |
GraphSense is an actively maintained open-source analytics platform for Bitcoin, Ethereum and Tron that you can self-host. Breadcrumbs offers free, community-powered graph investigation. Older guides also list OXT, a Bitcoin analytics site associated with Samourai Wallet; do not rely on it, as the service is widely reported defunct following the 2024 enforcement action against Samourai. Always verify a tool is live and reputable before depending on it.
How criminals obscure the trail, and your response
Obfuscation raises the cost of tracing but rarely defeats it outright, because funds still have to exit through a regulated service eventually. Know the common techniques and the standard investigative answer to each.
| Technique | What it does | Investigator response |
|---|---|---|
| Peel chain | Moves a large sum through a long sequence of hops, peeling off small amounts at each step so the trail looks fragmented | Follow the dominant "change" output down the chain; analytics tools collapse the chain automatically and flag the eventual off-ramp |
| Mixers / tumblers / CoinJoin | Pool funds from many users to break the deterministic link between source and destination | Use demixing heuristics in commercial tools, watch deposit/withdrawal timing and amounts, and pursue the post-mix exit point |
| Cross-chain bridges / chain-hopping | Convert assets across chains (e.g. Ethereum to Tron) so a single-chain trace dead-ends | Use cross-chain tracing features that link bridge deposits to withdrawals; correlate amounts and timestamps across chains |
| Privacy coins | Conceal amounts and parties at protocol level (e.g. Monero) | Tracing on-chain is limited; focus on the fiat entry and exit points and conventional investigative leads instead |
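The peel-chain response in the table, following the dominant output hop by hop until a labelled deposit address appears, is sketched below as an added example (not code from any tool named in this guide). The spend graph, addresses and entity labels are constructed and hypothetical; a real trace would read them from an explorer or analytics platform.

```python
# Constructed data: address -> outputs of the transaction that spends it, in satoshis.
SPENDS = {
    "P0": [("P1", 9_500_000), ("S1", 500_000)],
    "P1": [("S2", 490_000), ("P2", 9_000_000)],
    "P2": [("P3", 8_400_000), ("S3", 590_000)],
    "P3": [("DEP1", 8_390_000)],
    "S2": [("DEP2", 480_000)],
}
# Hypothetical entity labels, standing in for an analytics platform's attribution data.
LABELS = {"DEP1": "Exchange-A deposit", "DEP2": "Exchange-B deposit"}

def follow_peel_chain(start, spends, labels, max_hops=1000):
    """Walk the largest output at each hop; record the smaller outputs as peels."""
    path, peels, seen = [start], [], {start}
    current, status = start, "max_hops"
    for _ in range(max_hops):
        if current in labels:
            status = "off_ramp"
            break
        outputs = spends.get(current)
        if not outputs:
            status = "unspent"  # trail ends at funds that have not moved yet
            break
        ranked = sorted(outputs, key=lambda out: out[1], reverse=True)
        peels.extend({"from": current, "to": addr, "value": value} for addr, value in ranked[1:])
        current = ranked[0][0]
        if current in seen:
            status = "loop"  # address reuse would otherwise cycle forever
            break
        seen.add(current)
        path.append(current)
    return {"path": path, "peels": peels, "status": status, "label": labels.get(current)}

def trace_all(start, spends, labels):
    """Follow the main chain, then each peeled output, collecting every labelled exit."""
    main = follow_peel_chain(start, spends, labels)
    results = [main] + [follow_peel_chain(p["to"], spends, labels) for p in main["peels"]]
    return sorted({r["label"] for r in results if r["status"] == "off_ramp"})

if __name__ == "__main__":
    print(follow_peel_chain("P0", SPENDS, LABELS)["path"])
    print(trace_all("P0", SPENDS, LABELS))
```

The peeled amounts are leads in their own right: in this constructed data one of them reaches a second deposit address, which would mean a second preservation request.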
The travel rule and lawful exchange requests
The international framework that helps investigators is FATF Recommendation 16, the "travel rule." It requires VASPs to collect and pass on identifying information about the originator and beneficiary for transfers above a threshold (FATF recommends USD/EUR 1,000; the US sets $3,000 and the EU applies a zero threshold). This means a compliant exchange should already hold counterparty data you can request.
A lawful request to an exchange typically must include:
- The specific deposit address, TXID(s) and timestamps you are asking about.
- Verified law-enforcement or government credentials and a point of contact.
- The legal instrument compelling disclosure (subpoena, production order, court order, warrant, or an MLAT request for cross-border data).
- A clear scope: KYC identity, linked bank accounts, login IP logs, and transaction history.
Two of the largest exchanges illustrate the workflow. Binance runs a Government Law Enforcement Request System (LERS); access is requested by verified agents and generally reviewed within about three business days, and a valid preservation request holds records for 90 days (extendable by further request). Coinbase accepts legal process through its dedicated legal channel and reported receiving 12,716 enforcement requests from more than 60 countries in its 2025 reporting period.
Stablecoin freezes: a fast disruption lever
Because roughly 84% of illicit on-chain volume now moves in stablecoins, and Bitcoin's share of illicit activity has fallen from around 70% in 2020 to under 10% in 2025, the stablecoin issuer has become a critical pressure point.
Tether, the issuer of USDT, can freeze tokens at specific addresses at the contract level. Between 2023 and 2025 it blacklisted 7,268 addresses and froze about $3.3 billion in USDT, with more than 1,200 of those actions coordinated with US agencies (out of over 2,300 cases globally). In September 2024 it formed the T3 Financial Crime Unit with Tron and TRM Labs, which has reported helping freeze over $450 million in suspected illicit funds.
This issuer-level freeze is a fast, practical disruption tool that sits alongside traditional exchange seizures. Note the limit: it is exercised by the issuer in response to law enforcement, not by investigators directly.
India and the United States compared
The methodology is universal, but the legal and institutional plumbing differs by country.
In India, financial cyber-fraud reporting is coordinated by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs, which runs the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS), reachable through the National Cybercrime Reporting Portal and the 1930 helpline. Since a March 2023 notification, virtual digital asset (VDA) service providers, including offshore exchanges serving Indian users, are "reporting entities" under the Prevention of Money Laundering Act and must register with the Financial Intelligence Unit-India (FIU-IND), perform due diligence and file suspicious transaction reports. That regime gives Indian investigators a domestic, compellable counterparty.
In the United States, blockchain investigations are led by the FBI, IRS Criminal Investigation (which has notable on-chain tracing expertise) and the Secret Service, working with prosecutors who obtain the necessary legal process. A distinctive US lever is the stablecoin issuer freeze described above, which can disrupt illicit flows faster than a conventional seizure.
FAQ
Is cryptocurrency really traceable if it is anonymous? Most major blockchains are pseudonymous, not anonymous. Every transaction is public and permanent, so funds can be followed address to address. The hard part is attributing an address to a person, which usually depends on reaching a KYC-regulated exchange and serving legal process.
Do mixers and privacy tools make tracing impossible? No, though they raise the cost and may introduce gaps. Mixers, peel chains and chain-hopping are designed to break obvious links, but funds generally still need to exit through a service that performs KYC. Commercial analytics are increasingly effective at demixing, and the exit point remains the chokepoint.
Can I just get the account holder's name from a block explorer? No. Explorers and analytics tools show on-chain activity and can point you to the exchange that received funds, but they do not reveal real-world identity. That sits with the exchange and can only be lawfully obtained through proper legal process: a preservation request followed by a subpoena, court order, warrant or MLAT request.
What is the travel rule and why does it help? FATF Recommendation 16 requires exchanges to collect and pass on sender and recipient details for transfers above a threshold (commonly $1,000). It means a compliant VASP should already hold the counterparty information you can request under legal process.
Hero image: Bitcoin symbol on a circuit-board motif by Satheesh Sankaran, via Wikimedia Commons, CC BY-SA 2.0.