11-05-2025

Detailed examples of cryptocurrency theft incidents and descriptions of services for tracking stolen funds

We'll detail several examples of how stolen cryptocurrency is transferred, known as "laundering." We'll also use specific examples to demonstrate the tools and methods used to search for these funds and analyze their transfers.
Investigating incidents related to the theft or unlawful movement of cryptocurrency assets is a complex process that requires the use of a wide range of tools and methodologies. Unlike traditional financial systems, where fund movements are tracked centrally, information in the blockchain is public but anonymous — which simultaneously simplifies and complicates the investigator’s work.

Effective analysis requires an understanding of blockchain architecture, the principles of transaction chain construction, and the use of analytical platforms capable of linking addresses through various indicators.

The examples presented below illustrate real-world investigation scenarios — from simple cases involving transfers to centralized exchanges to complex schemes employing cross-chain bridges, peel chain patterns, and mixers. Each incident demonstrates a specific analytical technique and highlights the importance of combining tools — from standard blockchain explorers (Etherscan, Tronscan, Polygonscan) to advanced analytical solutions such as Arkham, Btrace, Metasleuth, and Bholder.

Thus, the purpose of this section is to show how various services assist in gradually reconstructing fund movements and identifying the final destinations of stolen assets, as well as to demonstrate a systematic analytical approach to blockchain data analysis.

Incident 1: simple transfer of funds to a centralized service

  • Input data:
    the victim’s address and the attacker’s address are known. The theft of funds was carried out within a single transaction from the victim’s address to the attacker’s address.
  • Tools used:
  • Result:
    the funds were withdrawn through one intermediary (transit) address to the services HitBTC and n.exchange.
  • Graph of connections:
How the investigation was conducted:
1. The starting point is to identify the initial attacker address. In our incident, the victim’s address was compromised and funds were withdrawn — the victim had withdrawn funds from their exchange account to their compromised address. Therefore, we will consider the victim’s address to be the attacker address, since the attacker had access to that address. At the start of the investigation it is also necessary to know the amount to track. In our case this is 63,000 TRX in a single transaction.
2. The second step is to trace to which address the funds were withdrawn from the attacker address. To verify the flow of funds we used the official TRON network explorer, Tronscan.
3. When tracing the flow of funds, you should use services that provide labeling/tagging of crypto addresses. This is necessary to understand at which point the investigation should stop. For label verification we used Arkham and Btrace.
   📌 Important: use the services collectively. Sometimes a single address-labeling service may not have information about an address’s ownership.
4. For graphical visualization, the Bholder tool was used. While visualization is not mandatory, it significantly simplifies both the understanding of the incident and further interaction with law enforcement agencies and exchanges identified during the investigation.

Incident 2: a large number of the attacker’s intermediary (transit) addresses

  • Input data:
    the victim’s address and the attacker’s address are known. The theft of funds was carried out through multiple transactions from the victim’s address to the attacker’s address.
  • Tools used:
  • Result:
    the funds were withdrawn through multiple intermediary (transit) addresses to the services OKX, Coinhacko, HTX, MaskEx, and Binance.
  • Graph of connections:
How the investigation was conducted:
1. The starting point is to identify the scammer’s address. In our incident, the victim sent funds to the same scammer’s address from multiple exchanges. Therefore, we need to trace where the scammer transferred all the funds in each transaction. At the first stage, we can see that all funds were sent to the same address, from which the distribution of funds began.
2. The scammer’s address, which distributes funds across multiple branches, should be analyzed using the LIFO (Last In, First Out) method.
  • 1. What is LIFO?
    LIFO (Last In, First Out) is an accounting principle meaning “the last to come in is the first to go out.”
    In cryptocurrency, LIFO means that when funds are spent, we assume the most recently received tokens are spent first.
    For comparison:
    With physical money (banknotes), you can literally say, “this specific bill with this serial number was spent.”
    In cryptocurrency, tokens have no serial numbers — they are just a balance entry on an address.
  • 2. How this looks on the blockchain
    On the blockchain, we might see:
    An address receives several incoming transactions (for example, 10 BTC stolen, then another 5 BTC). Later, that address sends out 7 BTC.
    The question arises:
    Was that 7 BTC from the first 10 BTC or the later 5 BTC? Technically, the blockchain doesn’t distinguish — it’s just a total balance.
    This is where LIFO comes in.
    We assume that the most recent incoming funds (the ones “on top” of the balance) are spent first.
    This is useful for tracing laundering patterns, since the latest “dirty” batch of funds is usually moved immediately.
  • 3. Why LIFO is more convenient for investigations than FIFO
    No unique token identifiers. Unlike dollars with serial numbers, Bitcoin or Ethereum tokens are fungible. That means it’s impossible to prove whether the “first” or “last” coins were spent.

    Any outgoing transaction may involve stolen funds. If a wallet contains even a portion of “dirty” tokens, any transfer from it can be treated as laundering.

    LIFO makes laundering chains clearer.
    • Criminals often move the newest inflows with “fresh” transactions to quickly hide the trail.
    • Therefore, it’s logical to assume the latest stolen funds are moved first.
    • This helps investigators link transactions and prove connections in court.

    📌 Key idea: Under the LIFO principle, every new outgoing transaction from a suspicious wallet can be directly associated with the most recently stolen funds — even if the wallet also holds older, “clean” assets.
  • 4. Analogy for understanding
    Imagine a thief hides stolen gold bars in a chest that already contains his “clean” gold:
    • Later, when he takes out a few bars to sell, no one can tell which exact bars were removed.
    • But investigators assume he’s selling the stolen ones first (LIFO).
    • This makes sense — the thief’s goal is to get rid of the stolen gold as quickly as possible.
3. To apply the LIFO method, you need to use a blockchain explorer. In our case, the network is Ethereum, so we’ll use Etherscan. Example of calculating fund flows using the LIFO method:

We are tracking a transfer of 29,855 USDT (it’s at the bottom of the transaction list).

After that, another 380,000 USDT arrived at the address, but under the LIFO method (the most recent inflows are spent first) that later amount is not relevant to us. We continue to look specifically for the spending of our 29,855 USDT.

In the transaction list we see:

- Line 3 — a transfer of 800 USDT. That is part of our funds, so we track the recipient address.

- Line 2 — a transfer in a different token, so it’s unrelated to this case.

- Line 1 — a large transaction of 402,000 USDT, which includes the remaining portion of our funds.

As a result, our 29,855 USDT were split between two addresses: the recipient from line 3 and the recipient from line 1.

This same analysis must be repeated at every new address, until the stolen funds reach centralized services (exchanges, swap services, etc.) where they might be possible to freeze.
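The LIFO bookkeeping described above, written out as an added example (not code from the original article or from any of the tools it names): inflows to the address are pushed on a stack, each outflow is attributed to the newest unspent batch first, transfers in other tokens are skipped, and whatever remains of the tracked batch is reported so the investigator knows it must still be watched. The `Transfer` schema, the addresses and the amounts are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class Transfer:  # hypothetical schema for one token movement at the address
    token: str
    amount: Decimal
    counterparty: str
    direction: str   # "in" or "out"
    label: str = ""  # inflows only: "tracked" (the stolen batch) or "other"

def lifo_trace(transfers, token):
    """Attribute each outflow of `token` to inflow batches under LIFO.
    `transfers` is oldest first; inflows are pushed on a stack and each outflow
    consumes from the newest batch downwards. Returns (per_recipient, remaining).
    """
    stack = []           # [label, unspent amount], newest batch last
    per_recipient = {}   # recipient -> {label: amount received from that batch}
    for t in transfers:
        if t.token != token:
            continue     # a transfer in another token is unrelated to this case
        if t.direction == "in":
            stack.append([t.label or "unlabelled", t.amount])
            continue
        need = t.amount
        while need > 0 and stack:
            label, avail = stack[-1]
            take = min(need, avail)
            got = per_recipient.setdefault(t.counterparty, {})
            got[label] = got.get(label, Decimal(0)) + take
            stack[-1][1] -= take
            need -= take
            if stack[-1][1] == 0:
                stack.pop()
        if need > 0:
            raise ValueError(f"outflow exceeds the known balance by {need}")
    remaining = {}       # what is still parked at the address, by batch label
    for label, amt in stack:
        remaining[label] = remaining.get(label, Decimal(0)) + amt
    return per_recipient, remaining

# Constructed sample, oldest first (addresses are placeholders, not real data).
SAMPLE = [
    Transfer("USDT", Decimal(29855), "0xATTACKER", "in", "tracked"),
    Transfer("USDT", Decimal(800), "0xRECIPIENT_A", "out"),
    Transfer("WETH", Decimal(3), "0xRECIPIENT_X", "out"),  # other token: skipped
    Transfer("USDT", Decimal(380000), "0xOTHER_SOURCE", "in", "other"),
    Transfer("USDT", Decimal(402000), "0xRECIPIENT_B", "out"),
]
```

On this sample the 800 USDT outflow is fully tracked, the 402,000 USDT outflow carries only 22,000 tracked USDT (the newer 380,000 batch is spent first under LIFO), and 7,055 tracked USDT remain at the address. A non-empty `remaining` is the signal to keep the address under observation rather than closing that branch.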

4. When tracing funds, each new address must be checked for existing labels or tags using services such as Btrace, Arkham, and Metasleuth.

Incident 3: Transfer of Funds via Bridges

  • Input data:
    the victim's address and the attacker's address are known. The theft was carried out via multiple transactions from the victim's address to the attacker's address.
  • Tools used:
  • Result:
    the funds left the original network and were distributed across multiple centralized services.
  • Graph of connections:
How the investigation was conducted:
1. The starting point is to identify the scammer’s address. In this incident, the victim sent funds to the same scammer’s address. This slightly simplifies the tracking process at the initial stage. To obtain information about all transactions associated with the attacker’s address, the Polygonscan service was used.
2. Using the LIFO tracking method, an analysis of fund flows was performed up to the addresses of decentralized services. Information about address ownership was obtained from Polygonscan, Metasleuth, Arkham, and Btrace. With the help of these tools, it was determined that the funds were transferred to Bitkeep Wallet and Bridgers services.
3. Using Bridgers Explorer and Allchain Explorer, information was obtained showing that the funds were moved from the Polygon network to the Tron network.
4. Once the funds entered the Tron network, the transaction tracking process continued using the Tron network explorer — Tronscan. Alongside building the connection graph, all new addresses presumably associated with the scammer were checked through Metasleuth, Arkham, and Btrace.

Incident 4: Peel Chain Services

  • Input data:
    the victim's address and the attacker's address are known. The theft was carried out via several transactions from the victim's address to the attacker's address.
  • Tools used:
  • Result:
    the funds were sent to peel chain services (services for mixing and fragmenting funds).
  • Graph of connections:
How the investigation was conducted:
1. The starting point is to identify the scammer’s addresses. In this incident the victim sent funds to four different attacker addresses. Therefore, the subsequent fund flow must be traced along four distinct paths.
2. Using the LIFO tracking method, an analysis was performed to follow the funds to addresses exhibiting atypical behavior. During the analysis an address was identified, TVUBnNk9D6NtVkrUMQN6ZfxvorYetnk9o, whose activity significantly differs from the patterns characteristic of addresses controlled by the attacker. This address executed 9,271 transactions with an average amount of about 10 USDT each. Such an activity model is typical for schemes associated with so-called peel chain patterns — automated systems that split incoming funds into a large number of small transactions. The primary purpose of this behavior is to obfuscate the trail and conceal the true source of funds.
Unfortunately, given the limited time and human resources allocated to the investigation, performing manual tracing across a multitude of tiny transactions is extremely difficult. In cases like this, automated investigative algorithms based on machine learning (ML) methods are used.

Such algorithms enable:
  • automatic computation of probable fund movement routes based on historical data and common criminal behavior patterns;
  • grouping transactions by similarity features, including sending time, transfer amount, and recurring recipient addresses;
  • matching volumes and time intervals of inflows to the same services to determine whether they correspond to the sums of stolen funds;
  • estimating the probability of address linkage when addresses display synchronous or mirrored activity.
Thus, the algorithm does more than record a transaction sequence — it computes a probabilistic model of fund flows, helping investigators focus on the most likely leakage paths. This substantially reduces analysis time and increases accuracy in identifying the end addresses where stolen assets may end up.

Incident 5: Mixers

  • Input data:
    the victim’s address and the attacker’s address are known. The theft was carried out through multiple transactions from the victim’s address to the attacker’s address.
  • Tools used:
  • Result:
    the funds were transferred to Tornado Cash (a mixer), and further fund movement was identified using heuristic analysis.
  • Graph of connections:
How the investigation was conducted:
1. The starting point is to identify the scammer’s addresses. In this incident, the victim sent funds to three different attacker addresses. Therefore, the subsequent tracing had to follow three separate paths.
2. Using the LIFO tracking method, the flow of funds was analyzed and led to an address associated with the mixer Tornado Cash. At this stage the investigation could have stopped, but further analysis revealed repeating withdrawal patterns characteristic of this service.
  • Approximately 24 hours after the initial transaction, Tornado Cash began distributing funds to multiple different addresses with very short time intervals between transfers.
  • Notably, the total volume of these withdrawals equaled 100 ETH — a sum identical to the amount stolen.
  • Given the matching volumes and timing, it was hypothesized that the same attacker had executed these operations to quickly cash out the stolen assets and obscure their origin.
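A simple version of the volume-and-timing heuristic used above, added here as an example that is not from the original article: it scans a mixer withdrawal log for a run of closely spaced withdrawals that begins a set delay after the deposit and sums to the stolen amount (100 ETH in this incident). The withdrawal log, the addresses and the delay and gap thresholds are constructed assumptions; on real data the thresholds and a tolerance for mixer fees would need tuning.

```python
from datetime import datetime, timedelta

# Constructed mixer withdrawal log, not real on-chain data: (time, recipient, amount in ETH).
DEPOSIT_TIME = datetime(2025, 1, 10, 12, 0)
WITHDRAWALS = [
    (datetime(2025, 1, 10, 15, 30), "0xUNRELATED_1", 10),
    (datetime(2025, 1, 11, 12, 5), "0xSUSPECT_A", 30),
    (datetime(2025, 1, 11, 12, 9), "0xSUSPECT_B", 30),
    (datetime(2025, 1, 11, 12, 14), "0xSUSPECT_C", 40),
    (datetime(2025, 1, 11, 18, 0), "0xUNRELATED_2", 1),
]

def find_matching_burst(withdrawals, deposit_time, target,
                        min_delay=timedelta(hours=20), max_gap=timedelta(minutes=10),
                        tolerance=0):
    """Find a run of withdrawals, each at most `max_gap` after the previous one,
    that starts at least `min_delay` after the deposit and sums to `target`
    (within `tolerance`). Returns the run, or None if no run matches."""
    ws = sorted((w for w in withdrawals if w[0] - deposit_time >= min_delay),
                key=lambda w: w[0])
    for start in range(len(ws)):
        run, total = [], 0
        for w in ws[start:]:
            if run and w[0] - run[-1][0] > max_gap:
                break                     # the burst ended before reaching the target
            run.append(w)
            total += w[2]
            if abs(total - target) <= tolerance:
                return run
            if total > target + tolerance:
                break                     # overshoot: try the next start point
    return None

def suspect_addresses(withdrawals, deposit_time, target):
    """Recipients of the matching burst; these are the addresses to check next."""
    run = find_matching_burst(withdrawals, deposit_time, target)
    return [w[1] for w in run] if run else []
```

A match is only a hypothesis to be confirmed by the downstream behaviour of the recipient addresses, as the article does in the next step.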
As the investigation continued, new addresses tied to the suspected attacker were tracked. The analysis showed that all of these addresses exhibited the same behavioral pattern.

Each address received funds from Tornado Cash, then routed them into trading pairs with a fake token — presumably created by the attacker. The scheme proceeded as follows:
1. Real funds received from Tornado Cash were deposited into a fake liquidity pool (for example, on decentralized exchanges).
2. The attacker, controlling the address that created this pool, performed sham swaps between its own tokens (“shell tokens”).
3. After several cycles of such transactions, the attacker executed a rug pull — abruptly removing liquidity and thereby “cashing out” the assets while giving them a cleaner transaction history.
From a technical perspective, after this operation it becomes extremely difficult to trace the original source of funds. Most analytics tools will see the assets as coming from a legitimate liquidity pool (e.g., on a DEX like Uniswap) rather than directly from Tornado Cash.

As a result, the attacker obtained cryptocurrency that appeared free of direct ties to the original theft and transferred it to the centralized exchange OKX for conversion. It is notable that this attacker had previously been observed attempting withdrawals via the same platform.

Visualization of the laundering scheme via Tornado Cash:
Conclusion

The presented incidents clearly demonstrate that successful blockchain investigations are possible only through a comprehensive approach combining technical transaction analysis, address identification using labeling services, and a deep understanding of fund movement logic.

Even the most complex schemes — involving cross-chain bridges, peel chain services, or mixers such as Tornado Cash — leave digital traces that can be reconstructed using modern analytical tools and algorithms. In this process, a key role is played by the LIFO (Last In, First Out) methodology, which allows investigators to determine precisely which funds were spent first and to trace their subsequent movement.

The use of platforms such as Arkham, Btrace, Metasleuth, and Bholder enables the creation of transparent relationship graphs, the identification of centralized services where assets have been deposited, and the formation of an evidentiary foundation for cooperation with law enforcement agencies and exchanges.

Ultimately, the combination of sound analytics, technological tools, and an understanding of criminal behavioral patterns allows not only for the reconstruction of the stolen asset flow but also significantly increases the likelihood of asset recovery or freezing at their final destinations.