A practical grounding in how blockchain networks record and confirm transactions, covering distributed ledgers, UTXO and account models, and the transparency properties investigators rely on when tracing cryptocurrency.
When investigators first encountered Bitcoin transactions as evidence, the instinct was to treat them like bank records with the bank removed. That framing is half-right and half-misleading. A blockchain does record every transfer in a permanent ledger that no single party can quietly edit. But the mechanics underneath, the way outputs are spent, the way nodes vote on validity, the way privacy is constructed and broken, are different enough from traditional finance that misreading them can send an investigation in the wrong direction.
This topic builds the structural knowledge an investigator needs before touching any tracing tool. It covers how a distributed ledger achieves tamper-resistance without a central authority, the two main accounting models (UTXO and account-based) and what each reveals in a money trail, the meaningful distinctions between public and private blockchains, and the confirmation mechanism that makes a recorded transaction reliable evidence. Along the way it flags where the transparency properties that help investigators also create the privacy pressures that bad actors try to exploit.
Get this right and the tracing techniques in the next topic follow logically. Skip it and the clustering heuristics and graph analysis will feel like black boxes. This is the wiring diagram.
Every node is both a record-keeper and an auditor.
A traditional bank ledger is authoritative because the bank controls it. Change the bank's database and the record changes. A blockchain achieves something different: the record is authoritative because thousands of independent nodes each hold a copy, continuously cross-check new additions, and reject anything that violates the shared rules. To alter a transaction already on the chain, an attacker would have to rewrite it on every node simultaneously and outrun the honest majority that is still adding new blocks. In practice, for a large public chain, this is computationally and economically prohibitive.
The mechanism tying this together is cryptographic hashing. Each block contains the hash of the previous block. Changing one transaction inside block 500 changes that block's hash, which breaks the link to block 501, which invalidates every subsequent block. To make the altered chain the dominant one, an attacker would have to redo the proof-of-work (or produce valid signatures, in proof-of-stake systems) for every block from 500 onward, faster than the honest network adds new ones. The chain structure makes the past progressively harder to revise, not just harder to access.
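An added illustration of the hash-chain argument above, not code from the original page: a toy chain in which each block stores its predecessor's hash, showing that a quietly edited block fails verification at that block, and that re-hashing the edited block only moves the break to the next one. The block layout and the transfers are constructed simplifications, not Bitcoin's real header format.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the genesis block has no predecessor to point at

def block_hash(block):
    # SHA-256 over canonical JSON of everything except the stored hash itself
    body = {k: v for k, v in block.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(tx_lists):
    # Each block embeds its predecessor's hash; that link is the chain.
    chain, prev = [], GENESIS_PREV
    for height, txs in enumerate(tx_lists):
        block = {"height": height, "prev_hash": prev, "txs": list(txs)}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_broken_link(chain):
    # Re-verify every block as an auditing node would; return the first height
    # whose stored hash or predecessor link no longer checks out, else None.
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return block["height"]
        prev = block["hash"]
    return None

# Constructed sample ledger: three blocks of toy transfers (not real data).
SAMPLE_TXS = [
    ["coinbase->alice 50"],
    ["alice->bob 20", "alice->alice 30"],
    ["bob->carol 5"],
]

def tamper_and_check(rehash):
    # Alter a transfer in block 1; optionally recompute block 1's own hash afterwards.
    tampered = copy.deepcopy(build_chain(SAMPLE_TXS))
    tampered[1]["txs"][0] = "alice->bob 2000"
    if rehash:
        tampered[1]["hash"] = block_hash(tampered[1])
    return first_broken_link(tampered)  # 1 without rehash, 2 with it
```

Fixing block 1's hash does not help the attacker: block 2 still records the old hash, so every later block would have to be rebuilt too, which is the point of the argument above.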
Bitcoin doesn't move balances; it consumes and creates discrete coins.
In Bitcoin's UTXO model, a transaction is a declaration: I am spending these specific prior outputs and creating these new outputs. Each output is locked to an address. To spend it, the holder must provide a valid signature unlocking that lock. Once spent, the output is gone permanently; it cannot be spent again (the double-spend problem Bitcoin solved). A new output is created for the recipient, and if the sender is sending less than the full UTXO, a change output goes back to an address the sender controls.
This means a transaction on a UTXO chain carries explicit provenance. You can look at any output and ask: which prior transaction created it, and which addresses funded that transaction? The trail is a directed acyclic graph running backward through time. Tracing tools walk this graph. When multiple inputs are combined in one transaction, the tool notes that the addresses controlling those inputs were probably controlled by the same entity, because only someone with keys to all of them could sign the transaction. That heuristic is called co-spend clustering.
| Feature | UTXO (Bitcoin) | Account model (Ethereum) |
|---|---|---|
| Balance representation | Sum of unspent outputs | Single running balance per address |
| Transaction structure | Inputs consumed, outputs created | From-address decremented, to-address incremented |
| Change handling | Explicit change output to sender | Remainder stays in sender balance |
| Tracing provenance | Full input graph visible | Debit-credit history visible |
| Clustering heuristic | Co-spend of inputs implies shared control | Less direct; needs token-flow analysis |
Simpler to read, but the provenance is less explicit.
Ethereum and most EVM-compatible chains use an account model. An address has a balance. A transaction subtracts from the sender and adds to the recipient. There is no consumption of specific prior outputs; the chain just maintains a state that records every address's current balance. This is conceptually closer to a traditional bank ledger, which makes it easier for financial investigators to read but strips some of the provenance detail the UTXO graph provides.
The complexity on Ethereum comes from smart contracts. A contract is code deployed at an address; it can hold and transfer value according to programmable rules. Decentralised exchanges, lending protocols, and token bridges are all contracts. An investigator following funds through a DeFi protocol is no longer tracing simple peer-to-peer transfers; they are reading contract logic to understand how value entered, transformed, and exited. Tools like Etherscan let you inspect individual contract calls, but understanding what those calls mean requires reading the contract's source code or ABI.
The investigative access model is completely different for each.
A public blockchain is permissionless: anyone can download the full node software, sync the ledger, and read every transaction ever recorded. No API key, no account, no legal process required. Bitcoin's ledger from the genesis block in January 2009 to the present is publicly accessible in full. This is why tracing firms can build their products: the raw data is free and complete.
A private blockchain is operated by a known consortium or company. Hyperledger Fabric deployments used by banks for interbank settlement, or supply-chain blockchains used by logistics companies, fall here. The ledger is not public. Getting those records requires a subpoena or court order directed at the known operator, followed by authentication of the exported records. The challenge is not finding the data but establishing its integrity, since the operator could theoretically manipulate their own private chain. Hash-chain integrity checks and independent node logs from consortium partners provide corroboration.
More confirmations means a higher bar for reversal, and stronger evidence.
When a transaction is broadcast to the Bitcoin network, miners compete to include it in the next block. Once included, the transaction has one confirmation. Each subsequent block adds another confirmation. Because rewriting history would require outpacing the entire honest mining network from that point, the cost of reversal grows roughly exponentially with the confirmation count.
For investigative purposes, a transaction with fifty or a hundred confirmations sitting on a major public chain is, for practical purposes, immutable. Presenting it as evidence does not require the same authentication chain a bank statement would. Block explorer output with timestamp, transaction ID (TXID), input and output addresses, and value, supplemented by a hash-chain verification showing the block is on the main chain, is sufficient for most courts that have addressed the question. The TXID is itself a cryptographic hash of the transaction content, so any alteration of the transaction data would change the TXID and invalidate the record.
The ledger reveals everything except who is behind the address.
Public blockchains present a paradox that drives both the investigative opportunity and the countermeasures market. Every transaction is permanently visible to everyone: amounts, addresses, timestamps, and the full graph of prior transactions. This is more transparency than any traditional bank provides. And yet the addresses are pseudonyms. The ledger says that address 1A1zP1... sent 50 BTC to 1BpEi6... at block 170. It does not say those addresses belong to anyone in particular.
The link between address and identity comes from off-chain anchors. An exchange that collects KYC documents before allowing withdrawals knows which of its customers own which withdrawal addresses. An IP log captured when a transaction was broadcast can tie the broadcast to a device. A blockchain explorer account linked to an email address creates a record. Investigators who obtain these off-chain anchors, through subpoenas, court orders, or undercover operations, can collapse the pseudonymity of a large cluster of addresses at once. Once one address in a cluster is identified, the co-spend and change-address heuristics propagate that identity to every address in the same cluster.
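The UTXO bookkeeping and co-spend clustering from the UTXO section above, together with the identity propagation just described, as one added Python example (not the page's or any tracing tool's code). The transactions, txids, addresses and the owner label are constructed placeholders; the change-address heuristic the text mentions is not implemented here, only co-spend.

```python
from collections import defaultdict

# Constructed sample transactions (placeholder txids and addresses, not real data).
# An input names the (txid, index) of a prior output; an output is (address, amount).
SAMPLE_TXS = [
    {"txid": "t1", "inputs": [], "outputs": [("A1", 50)]},                       # coinbase
    {"txid": "t2", "inputs": [("t1", 0)], "outputs": [("B1", 20), ("A2", 30)]},  # A1 pays B1, change to A2
    {"txid": "t3", "inputs": [("t2", 1)], "outputs": [("C1", 10), ("A3", 20)]},  # A2 pays C1, change to A3
    {"txid": "t4", "inputs": [("t2", 0), ("t3", 0)], "outputs": [("D1", 30)]},   # B1 and C1 co-spent
    {"txid": "t5", "inputs": [("t1", 0)], "outputs": [("E1", 50)]},              # tries to spend t1:0 again
]

def find(parent, a):
    # union-find root lookup with path compression
    while parent[a] != a:
        parent[a] = parent[parent[a]]
        a = parent[a]
    return a

def replay(txs):
    # Apply transactions in order: every input must reference a live UTXO, which is then
    # consumed; addresses whose outputs are spent together are merged into one cluster.
    utxo, parent, rejected = {}, {}, []
    for tx in txs:
        if any(ref not in utxo for ref in tx["inputs"]):
            rejected.append(tx["txid"])  # unknown or already-spent input: a double spend
            continue
        spent = [utxo.pop(ref)[0] for ref in tx["inputs"]]
        for addr in spent:
            parent.setdefault(addr, addr)
        for addr in spent[1:]:  # co-spend heuristic: one signer held all these keys
            parent[find(parent, addr)] = find(parent, spent[0])
        for i, (addr, amt) in enumerate(tx["outputs"]):
            utxo[(tx["txid"], i)] = (addr, amt)
    return utxo, parent, rejected

def clusters(parent):
    groups = defaultdict(set)
    for addr in parent:
        groups[find(parent, addr)].add(addr)
    return {frozenset(g) for g in groups.values()}

def propagate_identity(parent, known):
    # known maps address -> owner from an off-chain anchor (e.g. exchange KYC records);
    # every address in that owner's cluster inherits the label.
    roots = {find(parent, a): owner for a, owner in known.items() if a in parent}
    return {a: roots[find(parent, a)] for a in parent if find(parent, a) in roots}
```

Replaying the sample rejects t5 as a double spend, leaves only t3:1 and t4:0 unspent, and puts B1 and C1 in one cluster, so a KYC record for either address labels both.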
In Bitcoin's UTXO model, what happens to a UTXO when it is spent?