Cryptocurrency investigations combine classic digital forensics, blockchain analysis, OSINT techniques, and the correlation of multiple intelligence sources. This guide summarizes a complete, field-tested workflow suitable for:
- financial crime
- fraud investigations
- ransomware tracing
- theft / account compromise
- darknet transactions
- cross-platform attribution
Every tool listed here is open-source, freemium, or widely used in professional environments.
1. Initial Scoping
Before touching the chain, define:
- What chain? (BTC, ETH, TRX, SOL, etc.)
- What asset?
- What evidence exists?
  - screenshots, transaction IDs
  - wallet addresses
  - exchange activity
  - bank logs / payment confirmations
- What’s the suspected flow?
  - wallet → exchange
  - wallet → mixer
  - wallet → bridge
  - wallet → unknown clusters
Key questions:
- Was the victim’s device compromised?
- Was remote access used?
- Do timestamps align with any suspicious activity?
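The three key questions above come down to lining up device-side findings against on-chain transfers. The following is an added example, not code from the original guide: it merges constructed on-chain and device events into one timeline and flags any transfer that was preceded by a remote-access event within a short window. The addresses, txids, event sources and timestamps are all made up for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real case data); timestamps are UTC ISO-8601.
CHAIN_TXS = [
    {"txid": "tx-aaaa", "from": "victim_wallet", "to": "hop1", "amount": 10.0, "ts": "2024-03-01T21:14:05Z"},
    {"txid": "tx-bbbb", "from": "victim_wallet", "to": "known_merchant", "amount": 0.1, "ts": "2024-02-20T09:00:00Z"},
]
# Device-side findings of the kind a triage tool (KAPE, Autopsy) would surface; constructed.
DEVICE_EVENTS = [
    {"source": "rdp_log", "detail": "remote session from new host", "ts": "2024-03-01T21:02:40Z"},
    {"source": "browser_history", "detail": "wallet web app opened", "ts": "2024-03-01T21:12:10Z"},
    {"source": "clipboard", "detail": "address hop1 copied", "ts": "2024-03-01T21:13:30Z"},
    {"source": "browser_history", "detail": "news site", "ts": "2024-02-20T08:30:00Z"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(txs, events):
    """Merge on-chain and device events into one chronologically sorted list."""
    rows = [("chain", parse_ts(t["ts"]), f'{t["txid"]} {t["from"]}->{t["to"]} {t["amount"]}') for t in txs]
    rows += [("device", parse_ts(e["ts"]), f'{e["source"]}: {e["detail"]}') for e in events]
    return sorted(rows, key=lambda r: r[1])


def correlate(txs, events, window_min=15):
    """For each tx, list the device events in the `window_min` minutes before it and
    flag whether a remote-access event precedes the transfer (the scoping question)."""
    window = timedelta(minutes=window_min)
    report = {}
    for t in txs:
        t_ts = parse_ts(t["ts"])
        prior = sorted((e for e in events if t_ts - window <= parse_ts(e["ts"]) <= t_ts),
                       key=lambda e: e["ts"])
        report[t["txid"]] = {
            "preceding_events": [e["source"] for e in prior],
            "remote_access_before_tx": any(e["source"] == "rdp_log" for e in prior),
        }
    return report
```

The merged timeline is also what the report's Timeline section later needs; the correlation output tells you which transfers deserve a closer look at the device image.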
2. Collect the Base Evidence
For every blockchain investigation, you must obtain:
Essential inputs
- Wallet address(es)
- Transaction hash(es)
- Exchange deposit addresses (if known)
- Timestamps
- Screenshots / logs
- Any financial confirmations (bank transfers → exchange)
Triaging tools
- Victim-side logs (browser history, clipboard, screenshots)
- Metadata (browser autofill, saved passwords)
- Remote-access detection (see SystemLog Forensics articles)
This phase anchors the entire investigation.
3. Multi-Chain Blockchain Exploration
Once you have an address or TXID, begin broad reconnaissance across chains.
Universal Block Explorers
Blockchair
https://blockchair.com/ Multi-chain explorer with entity hints, charts, and metadata.
OKLink
https://www.oklink.com/ Excellent for:
- risk scores
- entity tags
- multi-hop tracing
- cross-chain viewing
Blockscan
https://blockscan.com/ All EVM chains in one interface.
4. Chain-Specific Explorers
Bitcoin
- Mempool.space – https://mempool.space
Best mempool analytics, fee estimation, entity tagging.
- Blockchain.com – https://www.blockchain.com/explorer
Ethereum & EVM
- Etherscan – https://etherscan.io
- BscScan – https://bscscan.com
- Arbiscan – https://arbiscan.io
- Polygonscan – https://polygonscan.com
Solana
- Solscan – https://solscan.io
- Solana Explorer – https://explorer.solana.com
Tron
- TronScan – https://tronscan.org
5. Visual Tracing & Graph Analysis
This is where you visualize the flows:
Breadcrumbs (highly recommended)
https://www.breadcrumbs.app/
- Multi-chain visual tracing
- Tags, clusters, mixing indicators
- PDF exports
- Risk-score overlays
GraphSense (open-source)
https://graphsense.info/
- Entity clustering
- Input–output linking
- Very strong for academic-grade analysis
OXT.me (BTC only)
https://oxt.me/
- Advanced wallet fingerprinting
- Taint analysis
- Economic clustering
6. Attribution & Entity Identification
Goal: determine who controls the receiving address.
You are looking for:
- Exchange deposit addresses
- Merchant addresses
- Service wallets (gambling, mixers, casinos)
- Known scam clusters
- Cross-matching addresses to OSINT sources
Helpful tools:
Elliptic Investigator (enterprise)
https://www.elliptic.co/
AMLBot (risk score)
https://amlbot.com/
Crystal Blockchain
https://crimeflare.org/ (mirror) Professional-level attribution.
WalletExplorer (BTC)
https://www.walletexplorer.com/
7. Mixer, Bridge & Tumbler Detection
Look for:
- sudden high-fee transactions
- rapid fan-out
- cross-chain bridges
- suspicious timing
- contract interactions
Mixer detection tools:
- Breadcrumbs mixer labels
- AMLBot risk-score patterns
- OXT wallet type inference
- Etherscan contract tagging
Bridge detection:
- Hop Protocol
- Wormhole
- Multichain (defunct but historically relevant)
- Portal Bridge
- Etherscan “Cross-chain” tab
8. Exchange Tracing
Your objective is to identify if the funds ended at:
- Centralized exchange (CEX)
- Custodial wallet
- Payment processor
- OTC desk
- P2P platform
Indicators of exchange involvement:
- Deposit address patterns
- Memo usage
- Large operational clusters
- Repeated behaviour
- Time-of-day patterns matching CEX hot wallets
Once an exchange appears as a destination, a formal records request through the law-enforcement (LEA) pathway becomes possible.
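The fan-out and high-fee heuristics from section 7 and the multi-hop trace to a tagged exchange deposit address from section 8 can be scripted over any explorer export. The following is an added example, not code from the original guide or from any of the tools it lists: it runs those three checks over a small constructed ledger. The addresses, txids and the entity tag are placeholders standing in for what Breadcrumbs or OKLink would return.

```python
from collections import defaultdict

# Constructed sample ledger: (txid, from_addr, to_addr, amount, fee, unix_ts); all placeholders.
TXS = [
    ("tx01", "victim", "hop1", 10.0, 0.0005, 1_700_000_000),
    ("tx02", "hop1", "hop2a", 3.3, 0.0200, 1_700_000_120),
    ("tx03", "hop1", "hop2b", 3.3, 0.0200, 1_700_000_130),
    ("tx04", "hop1", "hop2c", 3.3, 0.0200, 1_700_000_140),
    ("tx05", "hop2a", "cex_dep_1", 3.29, 0.0004, 1_700_003_600),
    ("tx06", "hop2b", "cex_dep_1", 3.29, 0.0004, 1_700_003_700),
    ("tx07", "hop2c", "unknown", 3.29, 0.0004, 1_700_009_000),
]
# Entity tags of the kind Breadcrumbs / OKLink supply (constructed label).
TAGS = {"cex_dep_1": "Exchange deposit (ExampleCEX)"}

def flag_fan_out(txs, window=600, min_outputs=3):
    """Senders that spray funds to >= min_outputs addresses within `window` seconds."""
    by_sender = defaultdict(list)
    for _, src, dst, _, _, ts in txs:
        by_sender[src].append((ts, dst))
    hits = {}
    for src, outs in by_sender.items():
        outs.sort()
        for i, (t0, _) in enumerate(outs):
            burst = {d for t, d in outs[i:] if t - t0 <= window}
            if len(burst) >= min_outputs:
                hits[src] = sorted(burst)
                break
    return hits

def flag_high_fee(txs, ratio=10.0):
    """Txids whose fee is at least `ratio` x the median fee (sudden high-fee hops)."""
    fees = sorted(t[4] for t in txs)
    median = fees[len(fees) // 2]
    return [t[0] for t in txs if t[4] >= ratio * median]

def trace(txs, seed, max_hops=5):
    """Forward multi-hop trace from `seed`; returns {tagged_addr: (label, hops)}."""
    graph = defaultdict(set)
    for _, src, dst, *_ in txs:
        graph[src].add(dst)
    frontier, seen, found = {seed}, {seed}, {}
    for hop in range(1, max_hops + 1):
        frontier = {n for cur in frontier for n in graph[cur]} - seen
        seen |= frontier
        for addr in frontier:
            if addr in TAGS:
                found[addr] = (TAGS[addr], hop)
    return found
```

The hop count returned by `trace` is the figure that goes into the report's entity-attribution section alongside the tag and the risk score the explorer gave it.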
9. OSINT Correlation
You now merge blockchain traces with other intelligence sources.
Infrastructure
- Shodan – https://www.shodan.io
- Censys – https://search.censys.io
- SecurityTrails – https://securitytrails.com
- WhoisXML – https://whoisxmlapi.com
Social / Human OSINT
- WhatIsMyName
- Epieos
- HaveIBeenPwned
- NameCheckup
- Dark web mirrors (through Tor)
Metadata
- ExifTool
- CyberChef
- VT Graph (careful with sensitive samples)
Historical content
- Wayback Machine
- Archive.today
Your goal is to identify:
- behavioural overlaps
- reused usernames
- wallet reuse patterns
- on-chain identities leaking into off-chain accounts
- timing patterns matching other activity
10. Reporting – Defensible & Clear
Your final output should contain:
1) Executive Summary
- What happened
- Loss
- Timeframe
- Impact
2) Timeline
Chronological reconstruction of:
- transactions
- account activity
- remote-access findings
- wallet usage
- device logs
3) Blockchain diagrams
Export from Breadcrumbs or GraphSense.
4) Entity attribution
- potential exchange
- clusters
- risk scores
- tags
5) Technical appendix
- all TXIDs
- all addresses
- analysis steps
- chain data
- hashes
- screenshots
11. Full Crypto Investigation Workflow (Condensed)
- Collect evidence: TXIDs, wallets, logs, timestamps
- Clone the device (if compromise suspected)
- Run multi-chain recon: Blockchair → OKLink → Blockscan
- Visualize the flow: Breadcrumbs / GraphSense
- Identify services: mixer → bridge → exchange
- OSINT correlation: usernames, domains, metadata, infrastructure
- Determine destination: CEX / service / cluster
- Prepare formal report: chain-of-evidence + timelines + diagrams
12. Additional Tools You Should Consider
Monitoring
- MistTrack
- Arkham Intelligence
- Nansen
Forensics (local)
- Autopsy
- FTK
- Magnet AXIOM
- KAPE
Automation
- n8n (SystemLog integration upcoming)
- Python notebooks
- Private LLMs (Sim AI + Ollama)
Final Notes
This workflow is designed to be:
- reproducible
- chain-agnostic
- forensically defensible
- OSINT-safe
- scalable for both small and large cases
It matches the needs of real-world cybercrime investigations and integrates directly into the SystemLog OSINT and Forensics sections.