Cryptocurrency is pseudonymous, but it is still traceable. Unlike cash transactions, which leave no public record, every crypto transaction is permanently recorded on the blockchain.
This comprehensive guide explores how to track stolen crypto, common theft indicators, and tracking techniques such as address clustering and transaction graph analysis. We’ll also examine the role of blockchain analytics tools in identifying blacklisted addresses, analyzing behavioral patterns, and enabling law enforcement and businesses to track and recover stolen crypto in real time.
If someone walks into a supermarket and pays for groceries with cash, there is no public record of the transaction. The blockchain, however, operates very differently. Unlike fiat currency, all cryptocurrency transactions are permanently recorded on a public ledger known as the blockchain. This ledger can be accessed through a blockchain explorer, which reflects the network's consensus on its historical transaction record.
Bitcoin’s public ledger contains key transaction details, including wallet addresses, counterparty addresses, transaction amounts, timestamps, and unique transaction IDs (TXIDs). While cryptocurrency transactions do not inherently require KYC—unless conducted through a regulated exchange—they remain fully visible on-chain. This transparency benefits investigators, allowing them to detect stolen crypto funds and trace their movement through laundering networks.
In addition to native blockchain explorers, law enforcement agencies leverage open-source blockchain forensic tools and, more commonly, advanced blockchain analytics tools. These specialized solutions provide increasingly sophisticated tracking capabilities, enabling investigators to follow illicit crypto funds even as criminals employ obfuscation techniques to conceal their movements.
A bank teller knows when they’re being robbed—a masked intruder demands cash at the counter. In crypto, theft is far more subtle. Many businesses don’t even realize they’ve been hacked until it's too late, often mistaking malicious transactions for legitimate activity.
Theft in crypto can be identified through three critical indicators:
1. Common crypto attack vectors - One of the most effective ways to identify crypto theft is by understanding common attack vectors. Different types of crypto businesses face different risks. Centralized exchanges (CEXs), for example, are prime targets because of their hot wallets. Attackers often use social engineering to gain access to an organization’s internal systems, moving laterally until they escalate their privileges. In the $600 million Ronin heist, hackers tricked a developer into downloading malware by posing as recruiters, ultimately gaining access to the network and draining funds.
For businesses that rely on smart contracts, vulnerabilities are even more technical. The OWASP Smart Contract Top 10 highlights key risks, including integer overflow, logic errors, insecure randomness, and unchecked external calls. Exploiting any of these flaws can allow attackers to drain funds from decentralized protocols, often in seconds. For example, in November 2023, attackers used a rounding-off discrepancy to steal $2.1 million from the Onyx Protocol.
Fraud doesn’t always come from outsiders. New crypto projects can be a major source of theft, as developers sometimes launch seemingly legitimate ventures only to vanish once they’ve secured investor funds. This happened with Le Anh Tuan, who raised $2.7 million for the NFT collection Baller Ape before disappearing and laundering the funds on-chain.
Even retail investors are not immune. A particularly deceptive attack involves clipper malware, which infects a user’s clipboard and silently replaces copied wallet addresses. An investor thinks they are pasting their own address, but instead, they send funds to an attacker’s wallet—often without realizing until it’s too late.
Crypto theft doesn’t always look like a traditional crime, but recognizing these attack methods can mean the difference between a secure transaction and a devastating loss.
2. Blacklisted crypto addresses - When crypto addresses are linked to a crime, they can be blacklisted—either by regulators, such as the Office of Foreign Assets Control (OFAC), or by industry leaders.
However, once addresses are flagged, criminals quickly adapt, switching to new wallets. Yet, their transactions often reveal connections between blacklisted and fresh addresses—whether through direct transfers or intermediary wallets. Businesses must be able to track these on-chain links, regardless of how many hops a transaction makes from its illicit origin.
Identifying blacklisted or associated addresses is crucial because crypto crimes require capital to operate. Reentrancy attacks and front-running tactics both depend on initial funding, and even a basic heist requires a balance in the blockchain's native currency to pay the transaction fees (gas) that laundering consumes. Those funding transfers leave an on-chain link between the attacker's fresh wallets and whatever paid for them.
A clear example of this pattern: Merkle Science found that wallets used in the Bybit hack were connected to the WazirX attack, reinforcing how stolen funds circulate across multiple incidents. Robust monitoring of addresses is essential for businesses to identify threats in real time.
3. Irregular behavioral patterns - Criminals don’t always rely on wallets linked to blacklisted addresses. They may be new actors or use fresh wallets with no direct ties to previous crimes, making detection more challenging.
However, even if an address itself isn’t flagged, criminals often exhibit distinct behavioral patterns during a hack. In the February 2025 NoOnes breach, for example, the company initially believed the withdrawals were routine business activity. The attackers deliberately kept each transaction below $7,000, avoiding immediate suspicion.
While this tactic may have bypassed human security oversight, a blockchain analytics system would have quickly flagged the irregularities. The sheer velocity of withdrawals—combined with the consistent pattern of transactions staying under a specific threshold—would have revealed that the exchange’s hot wallet was compromised, enabling a faster response.
Detecting unusual transaction behaviors is critical because crypto crime is constantly evolving. Relying solely on wallet blacklists is insufficient; proactive monitoring of transaction patterns and anomalies is essential to identifying emerging threats.
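The NoOnes pattern described above (many withdrawals in quick succession, each shaped to stay under a review limit) is something a rule can catch without any address ever being blacklisted. The following is an added example, not code from the original article or from Tracker: it scores withdrawal bursts on velocity and amount-shaping together, over a constructed day of payouts with a constructed drain in the middle. The $7,000 limit, the 30-minute window and the eight-transfer minimum are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All data below is constructed for illustration; it is not the NoOnes case data.


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    to_addr: str
    amount_usd: float


@dataclass(frozen=True)
class StructuringAlert:
    start: datetime
    end: datetime
    count: int              # withdrawals in the burst
    near_threshold: int     # of which sit just under the review limit
    total_usd: float
    unique_destinations: int


def detect_structuring(withdrawals, threshold_usd, window, min_count,
                       band=0.30, min_near_ratio=0.8):
    """Flag bursts of withdrawals that individually stay just under a threshold.

    A burst is a starting withdrawal plus everything within `window` after it.
    It is flagged when at least `min_count` of its withdrawals fall in
    [threshold*(1-band), threshold) and those make up at least `min_near_ratio`
    of the burst. Velocity alone would also fire on a busy payout hour, and
    amount-shaping alone would fire on one ordinary $6,900 withdrawal;
    requiring both is what separates a hot-wallet drain from a normal day.
    """
    lo = threshold_usd * (1.0 - band)
    wd = sorted(withdrawals, key=lambda w: w.ts)
    alerts = []
    i = 0
    while i < len(wd):
        j = i
        while j < len(wd) and wd[j].ts - wd[i].ts <= window:
            j += 1
        burst = wd[i:j]
        near = [w for w in burst if lo <= w.amount_usd < threshold_usd]
        if len(near) >= min_count and len(near) / len(burst) >= min_near_ratio:
            alerts.append(StructuringAlert(
                start=burst[0].ts,
                end=burst[-1].ts,
                count=len(burst),
                near_threshold=len(near),
                total_usd=sum(w.amount_usd for w in burst),
                unique_destinations=len({w.to_addr for w in burst}),
            ))
            i = j  # skip past the flagged burst so it is reported once
        else:
            i += 1
    return alerts


# Assumed review parameters for the illustration.
REVIEW_LIMIT_USD = 7000.0
WINDOW = timedelta(minutes=30)
MIN_COUNT = 8

_DAY = datetime(2025, 2, 1)

# Constructed: an ordinary day of customer payouts, varied sizes and timing.
LEGITIMATE = [
    Withdrawal(_DAY + timedelta(hours=9), "user1", 1200.0),
    Withdrawal(_DAY + timedelta(hours=10, minutes=15), "user2", 8500.0),
    Withdrawal(_DAY + timedelta(hours=11, minutes=40), "user3", 350.0),
    Withdrawal(_DAY + timedelta(hours=13, minutes=5), "user4", 6900.0),
    Withdrawal(_DAY + timedelta(hours=14, minutes=20), "user5", 2100.0),
    Withdrawal(_DAY + timedelta(hours=16, minutes=45), "user6", 900.0),
]

# Constructed: a drain of twelve transfers, 90 seconds apart, each kept under
# the $7,000 limit and each sent to a fresh address.
_AMOUNTS = [6400, 6850, 6700, 6950, 6500, 6600, 6900, 6750, 6450, 6800, 6550, 6650]
ATTACK_BURST = [
    Withdrawal(_DAY + timedelta(hours=15, seconds=90 * k), f"fresh{k:02d}", float(a))
    for k, a in enumerate(_AMOUNTS)
]

SAMPLE = LEGITIMATE + ATTACK_BURST


if __name__ == "__main__":
    for a in detect_structuring(SAMPLE, REVIEW_LIMIT_USD, WINDOW, MIN_COUNT):
        print(f"{a.start:%H:%M}-{a.end:%H:%M}: {a.count} withdrawals, "
              f"{a.near_threshold} just under limit, ${a.total_usd:,.0f} "
              f"to {a.unique_destinations} destinations")
```

On the constructed data the six legitimate payouts produce no alert (the lone $6,900 withdrawal sits under the limit but has no velocity behind it), while the twelve-transfer drain is reported once, as a single burst totalling $80,100 to twelve fresh addresses.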
Tracking illicit crypto activity requires more than monitoring individual wallets or transactions—it involves identifying address clusters and visualizing fund movements.
Address Clustering
Blockchain transactions are pseudonymous: while wallets aren’t directly linked to real-world identities, their activity is fully visible on a public ledger. Unlike traditional banking, where individuals typically have a one-to-one relationship with their bank account (and must open new accounts at different banks to expand), crypto allows for one-to-many wallet relationships. A single person or organization can control hundreds or thousands of wallets, often to evade blacklists, obscure illicit activity, or engage in fraud, such as peel chains or wash trading.
Because criminals operate vast networks of wallets—North Korean hackers, for instance, have been known to control tens of thousands—tracking individual addresses is insufficient. This is where address clustering comes in. Clustering is the process of identifying wallets that likely share the same owner.
This is done through direct transaction analysis (such as tracking recurring transfers between wallets) and more advanced heuristics. The best known is common-input ownership, or co-spend analysis: when a single Bitcoin transaction spends unspent transaction outputs (UTXOs) belonging to several different addresses, every one of those addresses had to sign the transaction, so they are assumed to share an owner. Applied transitively across many transactions, this heuristic collapses large numbers of addresses into a handful of clusters. Its main caveat is CoinJoin-style transactions, which deliberately combine inputs from unrelated parties and must be filtered out to avoid merging strangers into one cluster.
Clustering is critical because crypto crime isn’t isolated to individual wallets—it’s a network operation. By uncovering these wallet clusters, investigators can follow the broader financial flows, identify key actors, and build a more complete picture of illicit activity.
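The common-input-ownership heuristic just described, as an added example that is not part of the original article or of Tracker. It uses a union-find structure so that clusters merge transitively across transactions, and it skips transactions shaped like a CoinJoin (several inputs plus several equal-valued outputs), since applying the heuristic to those would merge unrelated owners. The transactions and addresses are constructed placeholders, and the CoinJoin filter thresholds are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed Bitcoin-style transactions; all addresses are placeholders.


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple      # addresses whose UTXOs this transaction consumes
    outputs: tuple     # (address, amount) pairs this transaction creates


class UnionFind:
    """Disjoint-set forest: merges address groups in near-constant time."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:          # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_inputs=3, min_equal_outputs=3):
    """Crude CoinJoin filter (thresholds are assumptions): several inputs and
    several equal-valued outputs. Such transactions combine inputs from
    unrelated owners, so the common-input heuristic must not be applied."""
    if len(tx.inputs) < min_inputs:
        return False
    amounts = Counter(amount for _, amount in tx.outputs)
    return max(amounts.values(), default=0) >= min_equal_outputs


def cluster_by_common_input(txs, skip_coinjoin=True):
    """Common-input-ownership heuristic.

    Every input of a transaction had to be signed by its owner, so all inputs
    of one transaction are assumed to belong to the same entity. Unioning the
    inputs of every transaction gives the transitive clusters.
    """
    uf = UnionFind()
    for tx in txs:
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue
        ins = list(dict.fromkeys(tx.inputs))   # de-duplicate, keep order
        for addr in ins:
            uf.add(addr)
        for addr in ins[1:]:
            uf.union(ins[0], addr)
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_containing(clusters, addr):
    for c in clusters:
        if addr in c:
            return c
    return frozenset()


SAMPLE_TXS = [
    Tx("tx1", ("A1", "A2"), (("X", 1.0), ("A3", 0.2))),
    Tx("tx2", ("A2", "A4"), (("Y", 0.5),)),          # links A4 to A1/A2 via A2
    Tx("tx3", ("B1", "B2"), (("Z", 2.0),)),          # a second, unrelated owner
    # CoinJoin-shaped: four inputs, four equal 0.1 outputs plus one change output.
    Tx("tx4", ("A1", "B1", "C1", "D1"),
       (("P1", 0.1), ("P2", 0.1), ("P3", 0.1), ("P4", 0.1), ("Q", 0.03))),
    Tx("tx5", ("C1",), (("W", 0.05),)),              # single input: stays alone
]

if __name__ == "__main__":
    for c in cluster_by_common_input(SAMPLE_TXS):
        print(sorted(c))
```

With the CoinJoin filter on, the constructed set yields three clusters: {A1, A2, A4}, {B1, B2} and {C1}. With the filter off, tx4 fuses everything it touches into one seven-address cluster, which is exactly the false merge an investigator has to guard against before presenting a cluster as a single actor.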
Transaction Graph Analysis
Criminals employ a variety of obfuscation and layering techniques to conceal their illicit crypto transactions, making it difficult for investigators to trace funds when examining transactions in isolation. This challenge extends to key stakeholders, such as prosecutors and judges, who may struggle to follow the flow of illicit funds without a clear visual representation.
Transaction graph analysis addresses this issue by mapping blockchain activity into an intuitive, node-based visualization. Rather than analyzing raw transactions, investigators can see wallet clusters, fund movements, and laundering patterns at a glance. Our visualization of the Delta Prime hack clearly illustrates this—the transaction graph generated with Tracker reveals how stolen crypto funds flowed through multiple wallets, following distinct dispersal patterns. The analysis identifies two key associates facilitating the movement of funds, with one pathway leading to an exchange and the other funneling assets into a coin mixer to obscure their origin.
Source: Hack Track: DeltaPrime Flow of Funds Analysis
Importantly, transaction graph analysis is not just a post-mortem tool. The ideal approach is to track funds in real time, identifying laundering patterns as they unfold. This enables authorities to take enforcement action—whether by freezing assets, tracing funds through exchanges to uncover real-world identities, or flagging transactions before they become irretrievable.
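Underneath any graph visualization is a directed graph of transfers and a walk over it. The following added example (not code from the original article or from Tracker) covers both the blacklist-hop tracking from indicator 2 above and the transaction graph analysis in this section: it builds the graph from constructed transfers, breadth-first searches forward from a blacklisted seed to assign every reached address a hop distance, reconstructs the path to any reached address for a report, and lists the labeled services (exchange deposit, mixer) the funds arrived at. Addresses, amounts and labels are constructed; the service labels stand in for the attribution data a real analytics provider supplies.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed transfers and labels; addresses are placeholders.


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: float
    block: int


def build_graph(transfers):
    """Adjacency list: address -> outgoing transfers."""
    g = defaultdict(list)
    for t in transfers:
        g[t.src].append(t)
    return g


def trace_from_blacklist(transfers, blacklist, max_hops=None):
    """Forward BFS from every blacklisted seed.

    Returns (hops, prev). hops[addr] is the minimum number of transfers
    separating addr from a seed (0 for the seeds themselves); prev[addr] is
    the transfer by which addr was first reached, so the chain can be
    reconstructed. Only forward edges are followed: reaching an exchange
    deposit address does not taint that exchange's other depositors.
    """
    g = build_graph(transfers)
    hops = {seed: 0 for seed in blacklist}
    prev = {}
    queue = deque(sorted(blacklist))
    while queue:
        cur = queue.popleft()
        if max_hops is not None and hops[cur] >= max_hops:
            continue
        for t in g.get(cur, ()):
            if t.dst not in hops:
                hops[t.dst] = hops[cur] + 1
                prev[t.dst] = t
                queue.append(t.dst)
    return hops, prev


def path_to(prev, addr):
    """Seed-to-address chain, the sequence a prosecutor needs to see."""
    path = [addr]
    while addr in prev:
        addr = prev[addr].src
        path.append(addr)
    return path[::-1]


def tainted_exits(hops, labels):
    """Reached addresses attributed to a known service, with their hop count."""
    return {a: (labels[a], h) for a, h in hops.items() if a in labels}


SAMPLE_TRANSFERS = [
    Transfer("hacker", "h1", 100.0, 1),
    Transfer("hacker", "h2", 50.0, 1),
    Transfer("h1", "h1a", 60.0, 2),
    Transfer("h1", "h1b", 40.0, 2),
    Transfer("h2", "mixer_pool", 50.0, 2),
    Transfer("h1a", "exchange_deposit_7", 60.0, 3),
    Transfer("h1b", "h1c", 40.0, 3),
    # An unrelated customer using the same exchange deposit address. Forward
    # tracing never reaches this address, so it is not tainted.
    Transfer("retail_user", "exchange_deposit_7", 10.0, 3),
]
LABELS = {"exchange_deposit_7": "exchange:ExampleEx", "mixer_pool": "mixer:ExampleMix"}
BLACKLIST = {"hacker"}


if __name__ == "__main__":
    hops, prev = trace_from_blacklist(SAMPLE_TRANSFERS, BLACKLIST)
    for addr, (label, h) in sorted(tainted_exits(hops, LABELS).items()):
        print(f"{label} reached at hop {h}: {' -> '.join(path_to(prev, addr))}")
```

Two hops out the funds have reached the mixer; three hops out, the exchange deposit address, and the report line for it reads hacker -> h1 -> h1a -> exchange_deposit_7. Passing `max_hops=2` models a compliance screen that only looks two hops back and therefore misses the exchange deposit, which is the argument the section makes for following links regardless of hop count.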
Criminals employ a wide range of techniques to obfuscate and layer their crypto laundering trails. For investigators, these methods become far more apparent when visualized through graph analysis, such as with our tool Tracker. While not every case has corresponding graphs, real-world examples are often the most effective way to understand how these crypto laundering techniques unfold in practice.
1. Use of high liquidity coins - One frequently overlooked but fundamental laundering technique involves token selection. After a hack, criminals often end up with various altcoins. However, these altcoins typically have low liquidity, which creates two challenges. First, there are fewer channels through which criminals can move the funds. Second, transactions involving low-volume or low-market-cap coins stand out more on-chain, making them easier to track. To mitigate these risks, criminals frequently swap illiquid altcoins for higher-volume tokens. In the Velocore hack in June 2024, the attackers converted stolen assets into more commonly traded tokens, ultimately securing 1,406 ETH and 1.54 million USDT.
Source: Investigating the Velocore Hack and Flow of Funds
2. Peel chains - Multi-wallet transfers are another standard tactic in money laundering, allowing criminals to distribute funds across numerous wallets to create layers of obfuscation. A peel chain is a specific type of multi-wallet transfer where funds are moved in progressively smaller increments rather than arbitrary amounts. In the DMM hack, the stolen funds followed a structured pattern, with the first hop transferring as much as 499 BTC and later hops reducing the amounts to as low as 39 BTC. This gradual decrease in transaction size makes it harder to link later transfers back to the original illicit source while maintaining a steady movement of funds.
Source: Hack Track: DMM Flow of Funds Analysis
3. Cross chain bridge - In the early days of cryptocurrency, when Bitcoin was the dominant asset, investigators could rely solely on Bitcoin’s public blockchain explorer to trace illicit transactions. Today, criminals exploit cross-chain bridges to move funds between blockchains in a technique known as chain-hopping. By swapping assets from one network, such as Bitcoin, to another, like Ethereum, they evade detection across blockchain explorers and open-source tools, which are often limited to a single network.
Even blockchain analytics platforms often struggle with cross-chain tracking, as many lack comprehensive support for all blockchains. These limitations in cross-chain analytics make investigations significantly more challenging.
A clear example of this occurred during the XT.com hack in November 2024. After stealing the funds, the hacker leveraged both the Optimism Bridge and the Polygon Bridge to transfer assets into Ethereum, effectively obscuring the laundering trail and adding additional layers of complexity to forensic tracking.
Source: Hack Track: XT.com Flow of Funds Analysis
4. Mixers - Mixers collect coins from multiple users, pool them together, and then redistribute the equivalent value to each user after "mixing" them. This process effectively obscures the original source of funds and severs the link between senders and their money. One of the most well-known crypto mixers is Tornado Cash, which was removed from sanctions following a U.S. court ruling in March 2025. Some mixers also incorporate time delays, adding another layer of obfuscation. While mixers have legitimate use cases, they are heavily relied upon by criminals to launder illicit funds.
Mixers are typically used in the later stages of a laundering process, often before criminals move funds to an exit node or reinvest them into new attacks. In the case of the Ankr exploit, our investigation revealed that approximately 3,360 ETH was funneled into Tornado Cash through multiple transactions. Additionally, a portion of the stolen Binance USDC tokens was swapped for 5,500 BNB, with 900 BNB subsequently transferred to Tornado Cash in multiple transactions, further obscuring the trail.
5. DeFi services - Hackers may occasionally use exchanges with weak or nonexistent KYC measures, but a more common choice is decentralized finance (DeFi) services. Through DeFi platforms, criminals can swap, sell, lend, stake, and provide liquidity, among other financial transactions, to further obfuscate their laundering trail. The decentralized nature of DeFi services allows them to move funds without the oversight typically found in regulated exchanges.
For example, on December 11, 2021, attackers stole $71 million from the cryptocurrency exchange AscendEX. On February 18, 2022, the stolen ERC-20 tokens were swapped for ETH using Uniswap, a well-known decentralized exchange. The attacker’s wallet facilitated 74 separate transactions, which involved ERC-20 tokens such as MAP, REVV, MATIC, ROUTE, Huobi Token (HT), RioDEFI (RFuel), and PLOT.
6. Privacy-enhancing technologies - Privacy-enhancing technologies come in many forms, ranging from privacy-focused cryptocurrencies like Monero to techniques such as one-time addresses. While these tools have legitimate applications, they are frequently exploited by criminals to obscure illicit transactions, much like coin mixers.
A notable example occurred during the Pike Finance exploit in April 2024, which resulted in losses exceeding $1.98 million. As part of the laundering process, 562 ETH was funneled through RAILGUN, a DeFi relay protocol designed to enhance transaction privacy using Zero-Knowledge (ZK) technology. RAILGUN enables users to interact with on-chain DeFi applications while concealing their transaction details and wallet information, making it a favored tool for those seeking to evade blockchain surveillance.
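Returning to peel chains (item 2 above): the pattern is mechanical enough to follow automatically. The following is an added example, not code from the original article or from Tracker. Starting at a known source address it repeatedly takes the largest outgoing transfer as the continuation of the chain and treats the rest as peels, stops when the largest transfer no longer carries most of the balance (a fan-out, an exchange deposit, or the end of the chain), and then checks that the forwarded amounts shrink hop over hop. The transfers are constructed, and the 60% continuation share is an assumed tuning parameter.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed transfers in BTC; addresses are placeholders.


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: float


@dataclass(frozen=True)
class Hop:
    addr: str
    next_addr: str
    forwarded: float            # carried on to the next link
    peeled: float               # split off at this link
    peel_destinations: tuple    # where the peeled amounts went


def follow_peel_chain(transfers, start, min_forward_share=0.6):
    """Walk a peel chain from `start`.

    At each address the largest outgoing transfer is taken as the chain's
    continuation, provided it carries at least `min_forward_share` of the
    address's total outflow; everything else is a peel. The walk stops at a
    fan-out (no dominant continuation), a dead end, or a revisited address.
    """
    out = defaultdict(list)
    for t in transfers:
        out[t.src].append(t)
    hops = []
    cur = start
    visited = {start}
    while out.get(cur):
        spends = sorted(out[cur], key=lambda t: t.amount, reverse=True)
        main, peels = spends[0], spends[1:]
        total = sum(t.amount for t in spends)
        if main.amount / total < min_forward_share or main.dst in visited:
            break
        hops.append(Hop(cur, main.dst, main.amount, total - main.amount,
                        tuple(t.dst for t in peels)))
        visited.add(main.dst)
        cur = main.dst
    return hops


def is_peel_chain(hops, min_hops=3):
    """True when the chain is long enough and the forwarded amount strictly
    decreases at every hop, the signature the DMM flow of funds showed."""
    if len(hops) < min_hops:
        return False
    return all(a.forwarded > b.forwarded for a, b in zip(hops, hops[1:]))


SAMPLE_TRANSFERS = [
    Transfer("S", "P1", 499.0), Transfer("S", "E1", 1.0),
    Transfer("P1", "P2", 450.0), Transfer("P1", "E2", 49.0),
    Transfer("P2", "P3", 400.0), Transfer("P2", "E3", 50.0),
    Transfer("P3", "P4", 350.0), Transfer("P3", "E4", 50.0),
    Transfer("P4", "E5", 200.0), Transfer("P4", "E6", 150.0),   # fan-out ends the chain
]


if __name__ == "__main__":
    chain = follow_peel_chain(SAMPLE_TRANSFERS, "S")
    for h in chain:
        print(f"{h.addr} -> {h.next_addr}: forward {h.forwarded:.0f}, "
              f"peel {h.peeled:.0f} to {', '.join(h.peel_destinations)}")
    print("peel chain" if is_peel_chain(chain) else "not a peel chain")
```

On the constructed data the walk yields four hops (S through P4) forwarding 499, 450, 400 and 350 BTC while peeling off 150 BTC in total to E1 through E4; P4 then splits its balance almost evenly, so the chain ends there. The peel destinations are the addresses worth checking against exchange deposit attributions, since that is where a launderer cashes out the small slices.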
Successfully tracking criminals along their trail, through every obfuscation and layering technique they apply, should lead to real-world intervention. These are the most common outcomes of successfully tracking stolen crypto:
1. Recover funds - There are several ways to recover illicit funds. Governments can issue orders requiring compliant businesses to freeze assets, which may later be returned to victims or retained by the government. For example, the U.S. government has used a significant portion of its seized crypto assets from enforcement actions to establish its Bitcoin strategic reserve.
Exchanges can also collaborate to intercept and seize suspicious transactions, preventing criminals from cashing out stolen funds. In some cases, if hackers face mounting pressure—whether from widespread media coverage or blockchain investigators—they may negotiate the return of stolen assets or even voluntarily return them in a bid to avoid prosecution. A notable example occurred on October 24, 2024, when hackers stole $20 million from a U.S. government wallet containing Bitfinex hack funds. Shortly after, they returned most of the funds in three separate transactions.
Source: Hack Track: US Government Hack of Recovered Bitfinex Hack Funds
2. Blacklist addresses - Regulators can flag addresses linked to money laundering and add them to blacklists, but this process often takes time. In response, crypto businesses may take proactive measures to curb illicit activity on their platforms.
Following the $1.5 billion Bybit hack, for instance, the exchange urged other platforms to blacklist specific addresses to prevent further laundering. Bybit even released an API to streamline the blacklisting process, making it easier for industry peers to coordinate their efforts. Blacklisting addresses disrupts laundering operations by limiting the number of platforms willing to process tainted funds. When multiple entities actively track and restrict certain wallets, criminals face fewer options for moving illicit assets.
3. Provide evidence to authorities for enforcement action or capture - The ultimate goal is to hold criminals accountable by apprehending them and securing appropriate charges. Crypto companies must recognize that prosecutors and judges may not have the same level of expertise in crypto or blockchain. To bridge this gap, they need a blockchain analytics tool with robust graphing capabilities, allowing legal authorities to clearly trace how a series of addresses and transactions connects to a real-world identity.
Equally important, the platform must offer transparency. It cannot function as a black box that obscures its methodology behind proprietary claims. Prosecutors, judges, and other key stakeholders in a crypto investigation must be able to see exactly how connections were established, so that they can pursue charges with confidence that the evidence is accurate, verifiable, and legally sound.
With the level of obfuscation and layering used in illicit transactions, tracking stolen crypto funds through public explorers or open-source tools is nearly impossible. Imagine trying to follow a Lazarus Group trail involving thousands of transactions using only a native blockchain explorer—it’s a losing battle.
For crypto businesses and law enforcement agencies, selecting the right blockchain analytics solution is critical. The best platforms should meet the following key criteria:
A blockchain analytics solution must support blacklists and flag transactions involving sanctioned or high-risk addresses. However, it must also allow for flexibility; businesses should not indefinitely block addresses associated with entities like Tornado Cash after legal rulings change their status, so list entries need a status that can be updated rather than a permanent, hard-coded block.
Beyond blacklisting, a robust rule engine is essential. Businesses should be able to configure custom rules that trigger alerts for suspicious behavior, such as withdrawals exceeding a threshold within a set time frame after receiving funds. These rules should also be adjustable per jurisdiction, so that they are compliant with market-specific risk management requirements.
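A minimal version of such a rule engine, as an added example that is not code from the original article or from Tracker. It carries per-jurisdiction profiles, a blacklist whose entries have an active flag (so a delisting such as the one discussed above stops alerts without erasing the record), and the rule described in the paragraph: inbound funds that leave again, almost entirely, within a configured window. The jurisdiction names "A" and "B", every threshold and window, the blacklist entries and the ledger events are all constructed for the illustration and are not regulatory values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Everything below is constructed for illustration; thresholds are not
# regulatory values and jurisdictions "A" and "B" are hypothetical.


@dataclass(frozen=True)
class LedgerEvent:
    ts: datetime
    address: str
    direction: str          # "in" or "out"
    amount_usd: float
    counterparty: str


@dataclass(frozen=True)
class Alert:
    rule: str
    address: str
    ts: datetime
    detail: str


# Per-jurisdiction profiles: same rule, different tuning.
PROFILES = {
    "A": {"passthrough_usd": 10_000.0, "passthrough_window": timedelta(hours=2),
          "passthrough_share": 0.8},
    "B": {"passthrough_usd": 10_000.0, "passthrough_window": timedelta(hours=48),
          "passthrough_share": 0.8},
}

# Blacklist entries keep a status so a delisting is applied without deleting
# the history of why the address was listed.
BLACKLIST = {
    "w3": {"reason": "sanctions-list", "active": True},
    "old_mixer_router": {"reason": "sanctions-list", "active": False},  # delisted
}


def rule_rapid_passthrough(events, profile):
    """Deposit followed, within the window, by outflows that exceed the USD
    threshold and amount to at least `passthrough_share` of the deposit."""
    alerts = []
    evs = sorted(events, key=lambda e: e.ts)
    for dep in (e for e in evs if e.direction == "in"):
        window_end = dep.ts + profile["passthrough_window"]
        out_total = sum(e.amount_usd for e in evs
                        if e.direction == "out" and dep.ts <= e.ts <= window_end)
        if (out_total >= profile["passthrough_usd"]
                and out_total >= profile["passthrough_share"] * dep.amount_usd):
            alerts.append(Alert("rapid_passthrough", dep.address, dep.ts,
                                f"${dep.amount_usd:,.0f} in, ${out_total:,.0f} out "
                                f"within {profile['passthrough_window']}"))
    return alerts


def rule_blacklisted_counterparty(events, blacklist):
    """Any transfer to or from an address whose listing is still active."""
    return [Alert("blacklisted_counterparty", e.address, e.ts,
                  f"{e.counterparty}: {blacklist[e.counterparty]['reason']}")
            for e in events if blacklist.get(e.counterparty, {}).get("active")]


def evaluate(events, jurisdiction, blacklist=BLACKLIST):
    profile = PROFILES[jurisdiction]
    return (rule_rapid_passthrough(events, profile)
            + rule_blacklisted_counterparty(events, blacklist))


_T0 = datetime(2025, 3, 3, 9, 0)

# Constructed ledger for one hot wallet: a $40k deposit drained within the
# hour (one slice to a listed address), then a $30k deposit that leaves a day later.
EVENTS = [
    LedgerEvent(_T0, "hot1", "in", 40_000.0, "deposit_x"),
    LedgerEvent(_T0 + timedelta(minutes=20), "hot1", "out", 15_000.0, "w1"),
    LedgerEvent(_T0 + timedelta(minutes=35), "hot1", "out", 14_000.0, "w2"),
    LedgerEvent(_T0 + timedelta(minutes=50), "hot1", "out", 9_000.0, "w3"),
    LedgerEvent(_T0 + timedelta(hours=5), "hot1", "in", 30_000.0, "client_y"),
    LedgerEvent(_T0 + timedelta(hours=25), "hot1", "out", 30_000.0, "w4"),
    LedgerEvent(_T0 + timedelta(hours=26), "hot1", "out", 500.0, "old_mixer_router"),
]


if __name__ == "__main__":
    for j in PROFILES:
        for a in evaluate(EVENTS, j):
            print(f"[{j}] {a.rule} {a.address} {a.ts:%Y-%m-%d %H:%M} {a.detail}")
```

Under profile A (two-hour window) only the first deposit trips the pass-through rule, since the second deposit sits idle for a day; under profile B (48-hour window) both deposits do. The $9,000 slice to w3 fires the blacklist rule in either jurisdiction, while the transfer to old_mixer_router stays silent because that entry is inactive; flipping the flag back on makes it alert again without touching any rule.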
An effective blockchain analytics tool should not be cumbersome or inefficient. Investigators already face complex challenges—the software should streamline their workflow, not add to it. The best platforms offer user-friendly, investigator-centric features.
While many blockchain analytics platforms prioritize scalability, some do so at the expense of hands-on support. Leaving crypto businesses and law enforcement agencies to figure out the system on their own is a major shortcoming.
The ideal solution should come from a reputable provider that offers not only product-specific training but also insights into emerging threats and laundering techniques. The best providers act as thought leaders, publicly sharing intelligence on evolving attack vectors to help shape the industry’s defense strategies.
By considering these factors, businesses and agencies can select a blockchain analytics provider that goes beyond simple data visualization, actively empowering investigations and enhancing financial crime prevention.
Tracking stolen crypto is challenging, but not impossible. By leveraging blockchain analytics, businesses and law enforcement can uncover laundering patterns, identify blacklisted addresses, and detect suspicious behaviors in real time. However, not all tools offer the depth and flexibility needed for effective investigations.
Tracker provides everything businesses require—advanced address clustering, transaction graphing, multi-chain coverage, and expert intelligence—to trace funds efficiently and combat financial crime. Reach out to Merkle Science today for a free demo.