Cryptocurrency Tracing and Blockchain Analysis
Cryptocurrency transactions are pseudonymous, not anonymous: every transfer is recorded permanently on a public ledger that investigators can query, cluster, and cross-reference against off-chain data. This topic covers Bitcoin and Ethereum transaction anatomy, address clustering, blockchain analytics tools, and the steps needed to convert on-chain intelligence into court-admissible evidence.
Cryptocurrency tracing is the discipline of following the movement of digital assets across public ledgers, identifying the real-world entities behind wallet addresses, and presenting that chain of financial evidence in a format courts will accept. Bitcoin and Ethereum transactions are recorded permanently on open blockchains that anyone can query. The addresses in those transactions look like opaque strings, but they carry no inherent anonymity: investigators can cluster related addresses, identify exchange deposits, cross-reference IP logs, and use legal process to obtain KYC records that convert pseudonymous addresses into named individuals. Blockchain analytics has become a standard component of cybercrime, money laundering, ransomware, and dark-web investigations worldwide.
The public nature of blockchain records is the investigator's primary advantage. Unlike bank records, which require a court order for each institution, a blockchain's entire transaction history is available without any legal process. An analyst can map the complete movement of funds from a ransomware payment to an exchange deposit in minutes using free block explorers or commercial analytics platforms. Legal process is needed only at the point where a pseudonymous address must be tied to a named account holder, typically through an exchange's KYC database.
Cryptocurrency tracing developed rapidly after 2013, when US law enforcement seized Bitcoin from the Silk Road marketplace and demonstrated that on-chain fund flows were recoverable. Commercial analytics platforms emerged within a few years, and by the early 2020s dedicated blockchain intelligence units existed in major law enforcement agencies across the US, UK, EU, and India. The Europol Financial Intelligence Group, the US Internal Revenue Service Criminal Investigation cyber unit, and India's Enforcement Directorate have all publicly reported cryptocurrency tracing as a routine investigative technique.
By the end of this topic you will be able to:
- Explain the UTXO model and Ethereum account model and describe how each enables fund-flow tracing.
- Apply the common-input-ownership heuristic and the change-address heuristic to cluster wallet addresses.
- Compare the capabilities of leading blockchain analytics platforms and describe what each produces as investigative output.
- Describe the legal process steps needed to convert an exchange deposit address into a named account holder across multiple jurisdictions.
- Explain how blockchain evidence is preserved, documented, and presented to satisfy chain-of-custody requirements in criminal proceedings.
- UTXO (Unspent Transaction Output): The fundamental accounting unit of the Bitcoin protocol. Each transaction consumes previous UTXOs as inputs and creates new UTXOs as outputs. The complete spending history of any coin is traceable through the UTXO graph from its creation in a coinbase transaction.
- Address clustering: A technique that groups blockchain addresses likely controlled by the same entity. The most common method uses the common-input-ownership heuristic: all input addresses in the same transaction are assumed to belong to the same wallet. Commercial analytics platforms apply this at scale across entire blockchains.
- KYC (Know Your Customer): The identity verification process that regulated exchanges and virtual asset service providers (VASPs) are legally required to perform before allowing users to deposit or withdraw funds. KYC records are the primary mechanism for converting a pseudonymous address into a named individual.
- Mixer / tumbler: A service that pools cryptocurrency from multiple users, exchanges it, and returns equivalent amounts to different addresses, intentionally breaking the transaction graph. CoinJoin is the non-custodial Bitcoin variant. Mixers are used to obscure fund flows and are a primary counter-tracing technique investigators must recognise and work around.
- VASP (Virtual Asset Service Provider): The Financial Action Task Force (FATF) term for businesses that exchange, transfer, or custody cryptocurrency on behalf of customers. VASPs are subject to anti-money laundering obligations including KYC, transaction monitoring, and Suspicious Activity Report filing in most jurisdictions.
- Blockchain explorer: A web interface or API that indexes a blockchain and allows queries by address, transaction hash, or block. Examples: Blockstream.info for Bitcoin, Etherscan for Ethereum. Explorers provide the raw transaction graph; commercial analytics tools layer attribution data and clustering on top.
Transaction anatomy: Bitcoin UTXO model and Ethereum accounts
Bitcoin and Ethereum use fundamentally different accounting models, and the investigative implications of each differ accordingly. Understanding both models is necessary because financial crimes frequently involve both networks, and mixing between them is common through cross-chain bridges and exchanges.
In the Bitcoin UTXO model, a transaction has one or more inputs (each referencing a specific previous output by transaction ID and output index) and one or more outputs (each specifying an address and an amount). Inputs must be consumed in full: if a UTXO worth 1 BTC is spent in a transaction that sends 0.6 BTC to a recipient, the remaining 0.4 BTC (minus fees) must be explicitly sent back to the sender as a change output. The change output address is commonly a fresh address generated by the same wallet, which gives investigators a linking heuristic (the change-address heuristic described below). Every UTXO is traceable back to its creation, giving investigators a complete directed acyclic graph of all Bitcoin movement.
Ethereum uses an account model similar to a bank account. Each address has a balance that is incremented or decremented by transactions, rather than consuming specific previous outputs. A transaction references a sender address, a recipient address, and a value. Smart contract interactions complicate this: an Ethereum transaction may trigger a chain of internal transfers between contracts that do not appear as top-level transactions on the blockchain and can only be recovered from contract execution traces. Token transfers (ERC-20 tokens) are recorded as event logs emitted by the token contract rather than as native ETH movements, and must be extracted separately.
| Feature | Bitcoin (UTXO) | Ethereum (Account) |
|---|---|---|
| Accounting unit | Unspent Transaction Output | Address balance |
| Change address | Explicit new output required | Not applicable |
| Smart contract tracing | Not applicable | Internal transaction traces required |
| Token transfers | Not applicable (separate layer-2 tokens exist) | ERC-20 event logs |
| Primary tracing tool | UTXO graph and address clustering | Account transaction history and internal traces |
| Mixing technique | CoinJoin / tumbler services | Tornado Cash and similar smart contract mixers |
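The ERC-20 event-log extraction described above, as an added example that is not part of the original page. It decodes `Transfer` logs in the shape an Ethereum node returns from `eth_getLogs`, skips ERC-721 transfers and non-transfer events, and nets token movement per address; the addresses, amounts and transaction hashes are constructed.

```python
# Constructed sample logs in the shape of an Ethereum node's eth_getLogs result.
# Addresses, amounts and transaction hashes are invented for this example.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"  # keccak256("Transfer(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")

def addr_topic(addr):
    """Indexed address parameters are left-padded to 32 bytes inside a topic."""
    return "0x" + addr[2:].lower().rjust(64, "0")

SENDER, RECEIVER, TOKEN, NFT = ("0x" + h * 20 for h in ("aa", "bb", "cc", "dd"))
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, addr_topic(SENDER), addr_topic(RECEIVER)],
     "data": "0x" + format(1_500 * 10**6, "064x"), "transactionHash": "0xtx1"},
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, addr_topic(RECEIVER), addr_topic(SENDER)],
     "data": "0x" + format(250 * 10**6, "064x"), "transactionHash": "0xtx2"},
    # ERC-721 Transfer: tokenId is indexed, so four topics and empty data. Not a fungible transfer.
    {"address": NFT, "topics": [TRANSFER_TOPIC, addr_topic(SENDER), addr_topic(RECEIVER), "0x" + "1".rjust(64, "0")],
     "data": "0x", "transactionHash": "0xtx3"},
    # Approval has the same parameter layout but a different signature hash: no funds move.
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, addr_topic(SENDER), addr_topic(RECEIVER)],
     "data": "0x" + format(10**9, "064x"), "transactionHash": "0xtx4"},
]

def topic_to_address(topic):
    """Recover the 20-byte address from a 32-byte indexed topic."""
    raw = topic[2:] if topic.startswith("0x") else topic
    if len(raw) != 64:
        raise ValueError("topic must be 32 bytes")
    return "0x" + raw[-40:]

def decode_transfers(logs):
    """Return ERC-20 Transfer events as dicts; skip other events and ERC-721 logs."""
    out = []
    for log in logs:
        topics = log.get("topics", [])
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        data = log.get("data", "0x")[2:]
        if len(data) != 64:  # the uint256 value occupies exactly one 32-byte word
            continue
        out.append({"token": log["address"].lower(), "from": topic_to_address(topics[1]),
                    "to": topic_to_address(topics[2]), "value": int(data, 16),
                    "tx": log["transactionHash"]})
    return out

def net_change(logs, token, addr):
    """Net raw token units received (positive) or sent (negative) by addr for one token.
    Converting to display units needs the contract's decimals(), which logs do not carry."""
    token, addr = token.lower(), addr.lower()
    total = 0
    for t in decode_transfers(logs):
        if t["token"] != token:
            continue
        total += t["value"] if t["to"] == addr else 0
        total -= t["value"] if t["from"] == addr else 0
    return total
```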
Address clustering: heuristics and their limits
Address clustering converts the raw transaction graph into wallet-level entities. Rather than tracking hundreds of individual addresses that all belong to one criminal actor, investigators work with a single cluster attributed to that actor. Commercial platforms maintain continuously updated global cluster databases built from applying heuristics across all historical transactions.
The common-input-ownership heuristic (CIOH) is the most productive. When a Bitcoin transaction has multiple input addresses, each input must be signed separately, so the spending wallet must hold the private key for every one of them; standard wallet software combines inputs from its own addresses in this way. Analysts therefore treat all co-spent input addresses as belonging to the same entity. This is a probabilistic heuristic, not a certainty: CoinJoin transactions deliberately combine inputs from different users to defeat CIOH, and some advanced wallets avoid address reuse. CIOH is most reliable on transactions from standard consumer wallet software.
The change-address heuristic exploits the structural requirement that unspent Bitcoin must be returned to the sender. When a transaction has two outputs and one matches an amount that could be the intended payment (a round number or an amount matching a known invoice), the other output is likely the change returned to the sender's own address. Linking the change address to the input addresses extends the cluster. The heuristic becomes unreliable when transaction amounts are ambiguous or when the wallet deliberately uses round-number change.
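The two heuristics above applied to a small UTXO transaction set, as an added example that is not from the original page. It uses union-find to merge co-spent inputs (CIOH), then links the probable change output, and skips transactions that look like CoinJoins; the transactions, the "round amount" convention (a multiple of 0.01 BTC) and the CoinJoin fingerprint are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample transactions (not real blockchain data): inputs are the
# addresses spent together, outputs are (address, amount in satoshi).
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": [("M1", 50_000_000), ("A3", 17_345_210)]},
    {"txid": "tx2", "inputs": ["A3"], "outputs": [("M2", 10_000_000), ("A4", 7_123_456)]},
    {"txid": "tx3", "inputs": ["B1", "B2"], "outputs": [("A1", 3_000_000), ("B3", 1_234_567)]},
    # CoinJoin-style: three inputs and equal-valued outputs. CIOH must not merge these.
    {"txid": "tx4", "inputs": ["C1", "D1", "E1"],
     "outputs": [("X1", 1_000_000), ("X2", 1_000_000), ("X3", 1_000_000)]},
]

def looks_like_coinjoin(tx):
    """Assumed CoinJoin fingerprint: three or more inputs and repeated output values."""
    values = [amt for _, amt in tx["outputs"]]
    return len(tx["inputs"]) >= 3 and len(values) != len(set(values))

def guess_change_output(tx, unit=1_000_000):
    """Change-address heuristic for two-output transactions. If exactly one output
    is a round amount (assumed here: a multiple of 0.01 BTC), the other is probably
    change. Both-round or neither-round is ambiguous and returns None."""
    if len(tx["outputs"]) != 2:
        return None
    (addr_a, amt_a), (addr_b, amt_b) = tx["outputs"]
    round_a, round_b = amt_a % unit == 0, amt_b % unit == 0
    if round_a == round_b:
        return None
    return addr_b if round_a else addr_a

def cluster_addresses(txs):
    """Union-find over addresses: CIOH first, then the change heuristic."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra
    for tx in txs:
        if looks_like_coinjoin(tx):
            continue  # CIOH would wrongly merge unrelated users here
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            union(first, addr)  # common-input-ownership heuristic
        change = guess_change_output(tx)
        if change:
            union(first, change)
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return {frozenset(c) for c in clusters.values()}
```

Payment addresses (M1, M2) and the CoinJoin participants stay outside every cluster, which is the behaviour an analyst should expect before treating a cluster as one wallet.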
Blockchain analytics platforms
Commercial blockchain analytics platforms layer attribution data and cluster databases on top of the raw public blockchain. They maintain databases of known addresses tagged to entities: exchanges, darknet markets, mixers, ransomware operators, sanctioned entities, and legitimate services. When an investigator traces a fund flow to a tagged address, the platform returns the entity label rather than just the raw address.
Chainalysis is the most widely deployed platform in law enforcement agencies in the US, UK, and several EU member states. Its Reactor product provides a visual transaction graph, cluster attribution, and entity risk scoring. Elliptic and CipherTrace (now part of Mastercard) are significant competitors. TRM Labs focuses on multi-chain coverage including Ethereum, Solana, and Tron. Crystal Blockchain is used by several European exchanges for compliance purposes. The platforms differ in the breadth of their attribution databases, the blockchains they cover, the legal-grade evidence packages they produce, and their pricing model.
Open-source tools complement commercial platforms. GraphSense, developed by the Austrian Institute of Technology, provides cluster analysis on Bitcoin and runs on self-hosted infrastructure, which matters in investigations where data sovereignty is a concern. Maltego has blockchain data providers that integrate with investigation workspaces. Block explorers (Blockstream.info, Etherscan, Tronscan) provide raw transaction data without attribution. In India, the Financial Intelligence Unit and the Enforcement Directorate have piloted Chainalysis and Elliptic in asset tracing operations.
Identifying real-world entities: exchanges and legal process
The point where a pseudonymous address becomes a named person almost always involves a regulated exchange or VASP. Investigators trace fund flows until they reach a deposit address at a known exchange. At that point, the blockchain evidence has done its work, and legal process extracts the account identity.
In the United States, federal subpoenas under the Electronic Communications Privacy Act or grand jury subpoenas compel exchanges registered with FinCEN to produce KYC records, account transaction history, IP login logs, and linked bank account details. In the United Kingdom, production orders under the Police and Criminal Evidence Act 1984 (PACE) or the Proceeds of Crime Act 2002 serve the same function. In the EU, the Transfer of Funds Regulation (2023) and the Markets in Crypto-Assets Regulation require VASPs to collect and transmit originator and beneficiary information, creating data trails analogous to SWIFT wire transfer records. In India, the Enforcement Directorate uses notices under the Prevention of Money Laundering Act 2002, and Indian exchanges registered with the Financial Intelligence Unit are required to maintain KYC records and respond to production requests.
Cross-border cases require Mutual Legal Assistance Treaty (MLAT) requests or, in urgent situations, informal law enforcement cooperation channels such as the 24/7 G8 High-Tech Crime Network. MLAT timelines can extend to several months, which matters in active investigations where assets may be moved. Some exchanges proactively cooperate with law enforcement through dedicated portals (Coinbase, Binance, and Kraken each maintain law enforcement request processes), and a number of exchanges share compliance intelligence through the TRUST network under the FATF Travel Rule.
Counter-tracing techniques and investigative responses
Sophisticated criminal actors use a range of techniques to break or obscure the transaction graph. Investigators must recognise each technique because the response differs, and because misidentifying a mixing transaction as a direct fund transfer leads to attribution errors.
Cryptocurrency mixers and tumblers pool funds from multiple users and redistribute equivalent amounts to different addresses. CoinJoin (Bitcoin) and Tornado Cash (Ethereum) are the most documented examples. Tornado Cash was sanctioned by the US Office of Foreign Assets Control in 2022 on the basis that it was used to launder over USD 7 billion, including funds stolen by the Lazarus Group. Mixers break the UTXO-level tracing chain but do not eliminate investigative avenues: the timing and amount of deposits and withdrawals can be correlated even after mixing, a technique called amount-and-timing analysis. Additionally, a mixer's smart contract or operator may itself be a known entity in the analytics platform's database.
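The amount-and-timing analysis mentioned above, as an added example that is not from the original page. Given constructed deposit and withdrawal records for a mixer, it lists which deposits could plausibly feed each withdrawal within an assumed delay window and fee margin, and separates unambiguous leads from ambiguous ones; the timestamps, amounts, 48-hour window and 1% fee bound are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Movement:
    ref: str          # constructed label standing in for a transaction id
    address: str
    time: datetime
    amount: float     # coin units

T0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamps
DEPOSITS = [
    Movement("D1", "src-A", T0, 10.0),
    Movement("D2", "src-B", T0 + timedelta(hours=1), 10.0),
    Movement("D3", "src-C", T0 + timedelta(hours=2), 2.5),
]
WITHDRAWALS = [
    Movement("W1", "dst-X", T0 + timedelta(hours=5), 9.95),    # D1 and D2 both fit
    Movement("W2", "dst-Y", T0 + timedelta(hours=6), 2.48),    # only D3 fits
    Movement("W3", "dst-Z", T0 + timedelta(hours=100), 2.49),  # outside the window
]

def candidate_sources(deposits, withdrawals, max_delay=timedelta(hours=48), max_fee=0.01):
    """For each withdrawal, list deposits that precede it by at most max_delay and
    whose amount, less a mixer fee of at most max_fee (a fraction), covers it.
    Several candidates means the link cannot be made from amount and timing alone."""
    result = {}
    for w in withdrawals:
        matches = []
        for d in deposits:
            delay = w.time - d.time
            if not (timedelta(0) <= delay <= max_delay):
                continue
            if d.amount * (1 - max_fee) <= w.amount <= d.amount:
                matches.append(d.ref)
        result[w.ref] = matches
    return result

def unambiguous_links(result):
    """Withdrawals with exactly one candidate deposit: a lead to corroborate, not proof."""
    return {w: ds[0] for w, ds in result.items() if len(ds) == 1}
```

Equal-denomination deposits (D1 and D2) are exactly the case a mixer relies on, and the output shows why such a link must be corroborated with other evidence before it reaches a report.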
Chain-hopping converts Bitcoin to Monero (a privacy coin), makes transactions on the Monero network where transaction amounts and addresses are cryptographically hidden, then converts back. Monero's ring signature scheme makes direct on-chain tracing currently infeasible. However, the conversion points (exchanges that accept Monero) are regulated VASPs in most jurisdictions, and the entry and exit from Monero are traceable even if the Monero chain itself is not. Peer-to-peer exchanges and unregulated over-the-counter desks are the exit vectors investigators should focus on.
Chain of custody and presenting blockchain evidence in court
Blockchain data has unusual evidentiary properties. The ledger itself is publicly verifiable: any party can independently query the same transaction history and confirm that the data has not been modified. This makes fabrication nearly impossible but creates authentication questions: how does the investigator demonstrate to a court that the records presented are authentic blockchain data rather than modified screenshots?
Best practice is to preserve blockchain evidence in multiple forms. Investigators capture the raw transaction data via API (JSON responses from a node or block explorer API, timestamped), take signed screenshots with hash verification, and produce certified reports from the analytics platform used. The analytics platform's export report should identify the software version used, the date of the analysis, and the attribution database version, because attribution databases are updated continuously and the same query run six months later may produce different results.
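The preservation steps above in code, as an added example that is not from the original page: a captured API response is wrapped with a UTC timestamp, the tool and attribution-database versions, and a SHA-256 over a canonical JSON form, with one check for integrity since capture and a second for independent confirmation against another node or explorer. The API response, tool names and URLs are placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a block-explorer or node API response. The txid and
# addresses are placeholders, not real chain data.
SAMPLE_API_RESPONSE = {
    "txid": "<txid placeholder>",
    "vin": [{"txid": "<previous txid placeholder>", "vout": 0}],
    "vout": [{"value": 0.6, "address": "<recipient placeholder>"},
             {"value": 0.3999, "address": "<change placeholder>"}],
    "confirmations": 120,
}

def canonical_bytes(obj):
    """Deterministic JSON so the hash does not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def build_evidence_record(api_response, source, tool, tool_version,
                          attribution_db_version, analyst, captured_at=None):
    """Wrap a raw API response with the context an evidence report must state."""
    captured_at = captured_at or datetime.now(timezone.utc)
    return {
        "captured_at_utc": captured_at.isoformat(),
        "source": source,
        "tool": {"name": tool, "version": tool_version,
                 "attribution_db_version": attribution_db_version},
        "analyst": analyst,
        "sha256": hashlib.sha256(canonical_bytes(api_response)).hexdigest(),
        "payload": api_response,
    }

def verify_integrity(record):
    """True if the stored payload still hashes to the recorded digest.
    This proves the record is unchanged since capture, not that it is authentic."""
    return hashlib.sha256(canonical_bytes(record["payload"])).hexdigest() == record["sha256"]

def confirm_independently(record, second_response, volatile=("confirmations",)):
    """Authenticity check: a second, independent query (another node or explorer)
    must return the same content. Fields that legitimately change between queries,
    such as the confirmation count, are dropped before comparing."""
    def strip(r):
        return {k: v for k, v in r.items() if k not in volatile}
    return canonical_bytes(strip(record["payload"])) == canonical_bytes(strip(second_response))
```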
Under the Bharatiya Sakshya Adhiniyam 2023, electronic records are admissible when accompanied by a certificate under Section 63 that identifies the device or system on which the record was produced, confirms it was in regular use, and attests to the integrity of the information. In the US, blockchain records produced from a node or exchange system are generally treated as business records under Federal Rule of Evidence 803(6). UK courts have accepted blockchain evidence under the Civil Evidence Act 1995 and in criminal proceedings under the Criminal Justice Act 2003, with expert reports from qualified analysts. The EU's eIDAS Regulation provides a framework for electronic evidence authenticity across member states.
Expert witnesses presenting blockchain analysis must be prepared to explain both the technical process and the limitations of the analysis: the probabilistic nature of clustering heuristics, the risk that a known mixing transaction breaks the causal chain, and the distinction between funds flowing through an exchange address and funds belonging to the account holder of that address (a custodial exchange controls many addresses on behalf of many users). Overstating the certainty of attribution is the most common expert witness error in cryptocurrency cases.
In a Bitcoin transaction with two input addresses and two output addresses, what does the common-input-ownership heuristic conclude about the two input addresses?
Key Takeaways
- Cryptocurrency is pseudonymous, not anonymous: every transaction is permanently recorded on a public ledger that investigators can query without legal process, while real-world identity is recovered through exchange KYC records that require formal legal requests.
- The Bitcoin UTXO model creates a complete directed graph of all fund movements, enabling tracing from any transaction back to coin creation; the Ethereum account model requires additional tracing of internal transactions and ERC-20 event logs to follow tokens through smart contracts.
- Address clustering heuristics, particularly the common-input-ownership heuristic, group wallet addresses into entity-level profiles, but they are probabilistic: CoinJoin and mixing services deliberately defeat them, and cluster outputs must be corroborated before being presented as definitive attribution.
- The point where blockchain tracing converts to named-individual attribution is almost always a regulated exchange or VASP: legal process (subpoena, production order, or MLAT request depending on jurisdiction) compels KYC disclosure under the Bank Secrecy Act (US), PACE (UK), MiCA/Transfer of Funds Regulation (EU), or the Prevention of Money Laundering Act (India).
- Blockchain evidence is preserved as timestamped API exports, hashed screenshots, and certified analytics platform reports, and is admitted under electronic records provisions in each jurisdiction; expert witnesses must accurately convey the probabilistic basis of clustering analysis and the limits of attribution certainty.
Why is cryptocurrency described as pseudonymous rather than anonymous?
What is a UTXO and why does it matter for tracing?
What is the common-input-ownership heuristic?
How do exchanges help investigators identify cryptocurrency holders?
What legal framework governs cryptocurrency evidence in India, the US, and the EU?