11-03-2025
5 min.

We will tell you exactly which services and tools are used for investigation

Investigating cryptocurrency thefts is a highly complex process and is virtually impossible without the right tools. In this article, we'll use examples to illustrate which programs are used and how.
With each passing year, the cryptocurrency ecosystem becomes increasingly complex and multi-layered. The growing number of users, transactions, and decentralized applications leads not only to technological advancement but also to a rise in incidents involving theft and fraud. In this context, tools that enable digital investigations and facilitate the analysis of fund movements on the blockchain are gaining particular importance.

One of the key tools available to analysts working with cryptocurrencies is the blockchain explorer — a specialized web service that provides transparent access to data on transactions, blocks, and addresses within public networks. These tools make it possible not only to trace the movement of assets but also to identify relationships between participants, analyze wallet activity, and even determine exit points where funds are transferred to centralized platforms such as exchanges or gambling sites.

Using explorers is a fundamental step in any cryptocurrency-related investigation. They allow analysts to reconstruct the chain of stolen funds’ movements, determine the exact destinations of the assets, and identify the stage at which the trail becomes opaque. However, proper interpretation of explorer data requires not only technical expertise but also a deep understanding of the specific network — whether it is Ethereum, with its smart contracts and ERC-20 tokens, or Bitcoin, where each transaction represents a system of inputs and outputs (UTXO).

This article explores the practical application of blockchain explorers in investigations related to cryptocurrency theft. It provides a step-by-step overview of how to analyze transactions, trace the flow of funds, and identify final withdrawal points. Additionally, it examines the use of supplementary tools that help clarify address labeling and determine associations with known services.

Blockchain Explorers

When investigating incidents involving cryptocurrencies, it is impossible to proceed without tools that enable transaction tracking and fund movement analysis. A key instrument in the analyst’s toolkit is the blockchain explorer — a web-based service that provides access to data on blocks, transactions, and addresses across various networks.

Explorers allow users to:
  • view the transaction history of a specific address;
  • identify the source and recipient of funds;
  • track the time, amount, and hash of each operation;
  • detect potential connections between addresses;
  • export data for further analysis.
Examples of popular blockchain explorers include:
  • Ethereum: https://etherscan.io/ — one of the most feature-rich explorers, offering detailed information about smart contracts, ERC-20 tokens, and address activity.
  • Bitcoin: https://www.blockchain.com/explorer — a classic tool for viewing transactions and analyzing fund movements within the Bitcoin network.
At the beginning of any investigation, it is crucial to identify the address from which the funds were stolen, as well as the transaction that confirms the theft. Once this information is established, the analysis of data in the corresponding network’s explorer can begin.

Example addresses for demonstrating the use of these tools:
  • Address in Ethereum network:
0x573243A8477fBB7050280d1E20AD32a8E67a1Ecc

  • Address in Bitcoin network:
bc1qy3pgxle306ss5nawvvr83xp2nyxw0ujr3tjyhn
⚠️ Note:
The addresses provided are not related to any real theft incidents. They have been selected at random from the public Ethereum and Bitcoin networks solely for educational purposes.
Working with Etherscan (Ethereum Network):
  • Go to the website https://etherscan.io/ and enter the address from which the funds were stolen into the search field: 0x573243A8477fBB7050280d1E20AD32a8E67a1Ecc
  • You will be directed to the address page, where you can view all transactions associated with the address, its balance, and the dates of activity:
  • If the theft transaction involved tokens other than ETH, the list of all transfers can be found in the Token Transfers (ERC-20) section. If the stolen asset was in ETH, the list of all transactions can be found in the Transactions section.
  • In our incident, let us assume the funds were stolen in the transaction with hash
    0xd67a77ec97e2bc9b9afdaed3db9f2c65acc2b6c825f8ac3112063e671e2ec906. In that transaction the perpetrator withdrew USDT tokens from our (investigated) address. To find this transaction, go to the Token Transfers (ERC-20) section and locate the theft transaction.
  • After locating the transaction, we need to see where the funds were sent. In our case, an amount of 1017 USDT was transferred from the investigated address to the presumed attacker address: 0xe5A7C8E816f0aa386528a2D3982aA27741ef2a12. For further tracking, we should find the same transaction on the attacker’s address page.
  • While viewing the full transaction list on the attacker’s address page, we identified the transaction in which they received funds from our investigated address. The next step is to identify the transaction in which the attacker spent the stolen 1017 USDT. To track such a transaction, inspect all subsequent outbound transfers from that address. It is important to follow the same token — USDT (the stolen token) — and the specific amount. As soon as we observe that the attacker has spent the stolen 1017 USDT, we will be able to see the address to which the funds were forwarded. This tracking methodology is known as LIFO and is used in most cryptocurrency theft investigations. In our incident, we observe the expenditure of the stolen funds in the following transaction:
  • In the transaction that forwarded the stolen funds, we can see that the funds were sent to an address labeled Stake.com. “Stake.com” is a tag that the blockchain explorer assigns to that address. Behind the label Stake.com is the address
    0x974CaA59e49682CdA0AD2bbe82983419A2ECC400, which is affiliated with the gambling company Stake.com.
At this stage, the investigation within the Ethereum network can be considered complete. This is because the stolen funds were transferred to a centralized service. Once assets reach such platforms (for example, exchanges or gambling sites), further tracking of cryptocurrency movements on the blockchain becomes impossible. Unlike an open blockchain network, a centralized service maintains its own internal accounting systems and can convert the received funds into fiat currency. Therefore, this point is regarded as the exit point of the attacker and marks the end of the transparent part of the investigation.
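The hop-following procedure described above (same token, same amount, earliest later outbound transfer, stop at a labelled service) can be run mechanically over a Token Transfers export. The script below is an added example written for this article and is not code from AML Crypto or from Etherscan; it works on a constructed list of transfer rows that only reuses the three addresses, the theft transaction hash and the 1017 USDT amount from the text, while the block numbers, the other transaction hashes and the two extra addresses are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One row of an ERC-20 transfer export (the Token Transfers (ERC-20) list)."""
    tx_hash: str
    block: int
    token: str
    sender: str
    recipient: str
    amount: int        # smallest token units; USDT uses 6 decimals


def norm(addr: str) -> str:
    """Ethereum hex addresses are case-insensitive (EIP-55 only mixes case as a
    checksum), so labels and transfers must be compared in one case."""
    return addr.strip().lower()


USDT = 10 ** 6   # 1 USDT in smallest units
VICTIM   = "0x573243A8477fBB7050280d1E20AD32a8E67a1Ecc"
ATTACKER = "0xe5A7C8E816f0aa386528a2D3982aA27741ef2a12"
STAKE    = "0x974CaA59e49682CdA0AD2bbe82983419A2ECC400"
THEFT_TX = "0xd67a77ec97e2bc9b9afdaed3db9f2c65acc2b6c825f8ac3112063e671e2ec906"

# Constructed sample export. Only the three addresses, THEFT_TX and the 1017 USDT
# amount come from the article; block numbers, the other hashes and the two extra
# addresses are placeholders invented for this example.
TRANSFERS = [
    Transfer(THEFT_TX,            1000, "USDT", VICTIM,   ATTACKER,             1017 * USDT),
    Transfer("0xPLACEHOLDER_TX1", 1005, "USDT", ATTACKER, "0xPLACEHOLDER_ADDR1",   5 * USDT),  # unrelated small spend
    Transfer("0xPLACEHOLDER_TX2", 1010, "USDC", ATTACKER, "0xPLACEHOLDER_ADDR2", 1017 * USDT),  # same amount, wrong token
    Transfer("0xPLACEHOLDER_TX3", 1020, "USDT", ATTACKER, STAKE,                1017 * USDT),  # the forwarding hop
]

# Labels as an explorer or labelling platform reports them, keyed by normalised address.
LABELS = {norm(STAKE): "Stake.com"}


def next_hop(transfers, holder, token, amount, received_in):
    """Pick the outbound transfer from `holder` that most plausibly moves the tracked
    funds: same token, not earlier than the receiving transfer, and preferably the
    exact amount. Without an exact match, fall back to the earliest later outbound
    transfer of that token (the LIFO assumption: the latest deposit is spent next)."""
    outbound = [t for t in transfers
                if norm(t.sender) == holder and t.token == token
                and t.block >= received_in.block and t.tx_hash != received_in.tx_hash]
    exact = [t for t in outbound if t.amount == amount]
    pool = exact or outbound
    return min(pool, key=lambda t: t.block) if pool else None


def trace(transfers, theft_tx, labels, max_hops=10):
    """Follow the stolen amount hop by hop until it lands on a labelled address (the
    exit point), sits unspent, or the hop limit is hit. Returns (hops, exit_label)."""
    current = next(t for t in transfers if t.tx_hash == theft_tx)
    hops = [(current.tx_hash, norm(current.sender), norm(current.recipient), current.amount)]
    while len(hops) < max_hops:
        holder = norm(current.recipient)
        if holder in labels:
            break                       # centralised service: the on-chain trail ends here
        nxt = next_hop(transfers, holder, current.token, current.amount, current)
        if nxt is None:
            break                       # funds still unspent (or the export ends here)
        hops.append((nxt.tx_hash, norm(nxt.sender), norm(nxt.recipient), nxt.amount))
        current = nxt
    return hops, labels.get(norm(current.recipient))


if __name__ == "__main__":
    hops, exit_label = trace(TRANSFERS, THEFT_TX, LABELS)
    for tx, src, dst, amt in hops:
        print(f"{tx[:18]}...  {src[:10]}... -> {dst[:10]}...  {amt / USDT:.2f} USDT")
    print("exit point:", exit_label or "none found (funds still on-chain)")
```

The two decoy rows show why the token and amount filters matter: without them the earliest outbound transfer (5 USDT) or the same-sized USDC transfer would be picked as the next hop. When the attacker splits the amount across several transfers, no exact match exists and the fallback only follows the first branch, so each branch then has to be traced separately.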
Working with Bitcoin (Bitcoin Network):
  • You will be taken to the address page, where you can view all transactions associated with the address, its balance, and the dates of activity:
  • The Bitcoin network does not support the use of any tokens other than its native currency — BTC. As a result, there is no Token Transfers tab available. In our case, the theft occurred through the following transaction:
    7d83686deabef95d3e2b409f7e3a13d2bd589d81a790a3661ea5ef7aa3dbc800
  • Transactions on the Bitcoin network are significantly more complex to interpret than those on Ethereum. Bitcoin transactions reflect changes in balances rather than a direct one-to-one movement of assets from one address to another.

    In the theft transaction we observe two senders (both inputs originate from our investigated victim address) and two recipients (two addresses that may not be affiliated). In that transaction our address spent 4.00000221 BTC, while one of the recipient addresses received 4 BTC.

    Therefore, we can reasonably assume that the address bc1qkp8tgu8smychs780w6nzqh9rvjamduapn9qm5rt5xnc9auf8qm3sxg85l9 is the attacker who received the stolen funds. The next step is to visit the attacker’s address page and locate the receiving transaction:
  • We can see that within the following transaction, the funds were fully withdrawn, and among the two recipients of the stolen funds, there is one address —
    bc1quhruqrghgcca950rvhtrg7cpd7u8k6svpzgzmrjy8xyukacl5lkq0r8l2d
    — which received almost the entire amount. We consider this address to be the next one through which the stolen funds were transferred.
  • Upon examining the address, we can see that it holds a significant amount of BTC and has conducted a large number of transactions. This indicates that we are dealing with the address of a centralized service, and at this stage, our investigation is concluded:
  • As a final step, we need to determine which centralized service the address bc1quhruqrghgcca950rvhtrg7cpd7u8k6svpzgzmrjy8xyukacl5lkq0r8l2d belongs to. For this purpose, we used the Arkham platform, which provides labeling information for various addresses, including those on the Bitcoin network.

    According to data from Arkham, this address is identified as a hot wallet of the OKX exchange. At this stage, the investigation within the Bitcoin network can be considered complete.
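Because a Bitcoin transaction is a set of inputs and outputs rather than a single transfer, the reading done by hand above (what each address gained or lost, which recipient took almost all of the value, which transaction spent it next) is easier to get right when computed. The script below is an added example for this article, not code from AML Crypto or from any explorer; the two transactions are constructed in a simplified form of explorer JSON and reuse only the three addresses and the theft transaction id from the text, while all amounts, the forwarding transaction id and the two change addresses are placeholders.

```python
from collections import defaultdict

SATS = 100_000_000   # satoshis per BTC

VICTIM   = "bc1qy3pgxle306ss5nawvvr83xp2nyxw0ujr3tjyhn"
ATTACKER = "bc1qkp8tgu8smychs780w6nzqh9rvjamduapn9qm5rt5xnc9auf8qm3sxg85l9"
SERVICE  = "bc1quhruqrghgcca950rvhtrg7cpd7u8k6svpzgzmrjy8xyukacl5lkq0r8l2d"
THEFT_TXID   = "7d83686deabef95d3e2b409f7e3a13d2bd589d81a790a3661ea5ef7aa3dbc800"
FORWARD_TXID = "PLACEHOLDER_FORWARDING_TXID"   # the article does not give this hash

# Constructed transactions: each input is the (address, value in sats) of the coin
# being spent, each output the (address, value) created. Only the three addresses and
# THEFT_TXID come from the article; every value and both change addresses are invented.
TXS = {
    THEFT_TXID: {
        "inputs":  [(VICTIM, 300_000_000), (VICTIM, 101_000_221)],
        "outputs": [(ATTACKER, 400_000_000), ("bc1qplaceholderchange1", 1_000_000)],
    },
    FORWARD_TXID: {
        "inputs":  [(ATTACKER, 400_000_000)],
        "outputs": [(SERVICE, 399_900_000), ("bc1qplaceholderchange2", 90_000)],
    },
}

# Which later transaction spends an address's coins. In a real case this is read off
# the address page of the explorer; here it is constructed for the example.
SPENT_BY = {ATTACKER: FORWARD_TXID}


def net_flow(tx):
    """Net change per address: outputs received minus inputs spent. This is the
    'change in balances' view of a UTXO transaction; there is no single
    sender -> recipient pair to read off."""
    flow = defaultdict(int)
    for addr, value in tx["inputs"]:
        flow[addr.lower()] -= value       # bech32 addresses are case-insensitive
    for addr, value in tx["outputs"]:
        flow[addr.lower()] += value
    return dict(flow)


def fee(tx):
    """Inputs minus outputs is the miner fee, which is why the victim's net loss is a
    little larger than what any recipient received."""
    return sum(v for _, v in tx["inputs"]) - sum(v for _, v in tx["outputs"])


def next_hop(tx, spender):
    """Among outputs not returned to the spender, take the largest and report the share
    of outgoing value it carries. A share near 1.0 is the 'almost the entire amount'
    pattern; a much smaller share means the funds were split and every branch needs
    its own trace."""
    spender = spender.lower()
    external = [(a.lower(), v) for a, v in tx["outputs"] if a.lower() != spender]
    total = sum(v for _, v in external)
    addr, value = max(external, key=lambda o: o[1])
    return addr, value, value / total


def trace(txs, theft_txid, victim, spent_by, max_hops=10):
    """Follow the largest external output from transaction to transaction until the
    holder's coins have no known spending transaction (unspent, or held by a service)."""
    hops = []
    txid, holder = theft_txid, victim
    for _ in range(max_hops):
        addr, value, share = next_hop(txs[txid], holder)
        hops.append((txid, addr, value, round(share, 4)))
        holder = addr
        txid = spent_by.get(holder)
        if txid is None:
            break
    return hops


if __name__ == "__main__":
    print("theft tx net flow (sats):", net_flow(TXS[THEFT_TXID]), "fee:", fee(TXS[THEFT_TXID]))
    for txid, addr, value, share in trace(TXS, THEFT_TXID, VICTIM, SPENT_BY):
        print(f"{txid[:16]}... -> {addr[:14]}...  {value / SATS:.8f} BTC  share={share}")
```

Once the hop chain ends at an address with a large balance and many transactions, the script cannot tell an exchange hot wallet from a private whale; that is the point at which a labelling source such as Arkham, as in the text, has to answer the question.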

Tools for Address Label Verification

There are several ways to verify address labeling on the blockchain — that is, to determine which service or type of user a particular address belongs to.

The first and most straightforward tool for this is blockchain explorers.

In this article, we have already seen how Etherscan automatically labels certain addresses. For example, the address 0x974CaA59e49682CdA0AD2bbe82983419A2ECC400 was marked as belonging to the service Stake.com.

Most public explorers indeed include basic labeling and sometimes make it possible to identify whether an address belongs to an exchange, a DeFi platform, or another type of service. However, this information is usually insufficient for conducting a full investigation. To gain deeper analytics and extended insights into the relationships between addresses, specialists rely on dedicated analytical platforms such as Btrace, Arkham, and others.

Below is an example of how different services visualize and display address labeling, using the address bc1quhruqrghgcca950rvhtrg7cpd7u8k6svpzgzmrjy8xyukacl5lkq0r8l2d:
  • Btrace:
  • Arkham:
  • Metasleuth:
Conclusion

Blockchain explorers are the primary tools in the arsenal of specialists investigating cryptocurrency-related incidents. They enable detailed tracking of asset movements, identification of fund transfer routes, and detection of addresses associated with suspicious activity.

As demonstrated in the examples of the Ethereum and Bitcoin networks, despite differences in their architectures and transaction formats, the overall investigation principle remains the same: from identifying the source address and theft transaction to determining the final destination of the withdrawn assets.

However, the capabilities of explorers are limited to publicly available data. Once the funds reach centralized services—such as exchanges or gambling platforms—further tracing becomes impossible without cooperation from these organizations. In such cases, additional analytical tools and labeling services like Btrace, Arkham, and other investigative platforms are used for deeper analysis.

Thus, the competent use of blockchain explorers, combined with specialized analytical solutions, allows not only for the reconstruction of the stolen asset flow but also for the formation of an evidentiary foundation necessary for subsequent legal and technical actions.