Blockchain Investigation Reference

This document serves as a comprehensive guide for cryptocurrency forensic analysis and investigation, covering blockchain basics, transaction anatomy, and various investigation techniques. It details address formats, transaction properties, and tools for analyzing blockchain data, including clustering techniques and suspicious transaction patterns. Additionally, it outlines challenges and methodologies for tracing funds across different blockchains and provides resources for further learning in the field.

Blockchain Investigation Visual Reference

A comprehensive guide for cryptocurrency forensic analysis and investigation

1 Blockchain Basics

Key Concepts
Block: Collection of transactions confirmed together
Transaction: Transfer of value between addresses
Address: Public identifier for sending/receiving
Private Key: Secret that controls address funds
Hash: Unique fingerprint of data

Verification Mechanisms
Proof of Work: Resource-intensive puzzle solving
Proof of Stake: Validators stake crypto as collateral
Delegated PoS: Elected validators by token holders

Transparency Features
Public Ledger: All transactions visible
Pseudo-anonymity: Addresses not linked to identity
Immutable History: Cannot alter past records

2 Address Formats

Bitcoin
1... - P2PKH (Legacy)
3... - P2SH (Segwit)
bc1... - Bech32 (Native Segwit)
Example BTC: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

Ethereum
0x... - Standard format (42 chars)
Contracts use same format as EOAs
Example ETH: 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045

Other Formats
T... - TRON
ltc1... - Litecoin (Bech32)
bnb... - Binance Chain

Privacy Coins
4... - Monero (Standard)
8... - Monero (Subaddress)
z... - Zcash (Shielded)

3 Blockchain Types

Public Blockchains: Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), BNB Chain (BNB)
Privacy-Focused: Monero (XMR), Zcash (ZEC), Dash (DASH), Grin (GRIN)

Investigation Difficulty Scale
Easy: Bitcoin, Litecoin - Clear UTXO model
Moderate: Ethereum - Smart contracts add complexity
Hard: ZCash (transparent tx only)
Very Difficult: Monero, ZCash (shielded tx)

4 Transaction Anatomy

UTXO Model (BTC)
Inputs: Previous UTXOs being spent
Outputs: New UTXOs being created
Change: Returned to sender
Fee: (Inputs - Outputs)

Account Model (ETH)
From: Sender address
To: Recipient address
Value: Amount transferred
Gas: Fee paid for execution

Transaction Properties
Property | Bitcoin | Ethereum
Confirmations | ~6 blocks (60 min) | ~12 blocks (3 min)
Fee Structure | Satoshis/byte | Gas × Gas Price
Finality | Probabilistic | Probabilistic
Transaction ID | Double SHA-256 hash | Keccak-256 hash

5 Address Clustering Techniques

Co-spend Heuristic
Addresses used as inputs in the same transaction are controlled by the same entity.
Example: Inputs A, B, C → Output X, Change D
Cluster = {A, B, C, D}

Multi-Input Transactions
When a wallet needs to spend more than one UTXO to cover a payment amount, it creates a transaction with multiple inputs, revealing address connections.

Change Address Detection
Techniques to identify outputs that return to the sender:
Address reuse pattern: Previously used as change
Output value analysis: Odd amounts likely change
Script type: Different from spending address
Behavior analysis: Used shortly after as input
Caution: Change detection is probabilistic, not deterministic. Always evaluate multiple factors before making conclusions.

Behavioral Patterns
Regular transaction timing (e.g., weekly withdrawals), consistent amount patterns, or repeated interaction with specific services indicates shared control.

Deterministic Wallets
HD wallets generate addresses from a single seed. Some services use predictable derivation patterns that can be identified through analysis.

6 Investigation Tools

Blockchain Explorers
Blockchair: Multi-blockchain explorer
Blockchain.com: Bitcoin, ETH, BCH explorer
Etherscan: Ethereum-focused explorer
BscScan: BNB Chain explorer
TxStreet: Visual mempool representation

Commercial Platforms
Chainalysis: Enterprise-grade analysis
CipherTrace: AML & compliance tools
Elliptic: Risk management platform
Crystal Blockchain: Analytics suite
TRM Labs: Risk management & analytics

Open-Source Tools
BlockSci: Python blockchain analysis framework
GraphSense: Crypto analytics platform
Bitcoin Explorer (bx): Command-line tools
Maltego: Graph-based investigation
BitIodine: BTC clustering/tagging

API Services
OKLink: Multi-chain data
BlockCypher: Transaction propagation
Amberdata: Historical blockchain data
Alchemy: Enhanced Ethereum data
Tokenview: Automated analytics

Tool Comparison Matrix
Tool | Best For | Chains | Price | Visualization
Chainalysis | Enterprise/Gov | 20+ | $$$$$ | Advanced
OKLink | Multi-chain | 15+ | $$$ | Good
BlockSci | Research | UTXO only | Free | Custom
GraphSense | Clustering | 5+ | Free | Good
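The co-spend heuristic and the four change-detection signals from section 5 are easiest to understand as code. The following is an added example written for this page, not code from the reference card or from any of the tools listed above. The transactions, address labels (A, B, C, ...) and values are constructed placeholders; the 1,000,000-satoshi "round amount" unit and the score threshold of 2 are assumptions chosen for the demonstration. The clustering is done with a union-find structure, and change detection abstains on ties, reflecting the card's caution that it is probabilistic.

```python
"""Co-spend clustering with change-output scoring (section 5 heuristics).

Added example, not code from the reference card. The transactions below are
constructed; address labels (A, B, ...) are placeholders, not real addresses,
and the 1,000,000-satoshi "round amount" unit and the score threshold are
assumptions chosen for the demonstration.
"""
from collections import defaultdict

# Constructed sample in confirmation order. Each input/output carries its
# script type so the script-type heuristic can be applied; values are satoshis.
TXS = [
    {"txid": "tx1", "inputs": [("A", "p2pkh"), ("B", "p2pkh"), ("C", "p2pkh")],
     "outputs": [("X", "p2sh", 50_000_000), ("D", "p2pkh", 13_371_337)]},
    {"txid": "tx2", "inputs": [("D", "p2pkh")],
     "outputs": [("Y", "p2wpkh", 10_000_000), ("E", "p2pkh", 3_361_337)]},
    {"txid": "tx3", "inputs": [("F", "p2wpkh"), ("G", "p2wpkh")],
     "outputs": [("H", "p2wpkh", 2_000_000)]},
]


class UnionFind:
    """Disjoint sets over address labels; one set per controlling entity."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def score_change_candidates(tx, txs):
    """Score every output of tx with the four change heuristics from section 5:
    address reuse, odd amount, script type matching the inputs, and being spent
    shortly afterwards as an input. Returns {address: score}."""
    idx = next(i for i, t in enumerate(txs) if t["txid"] == tx["txid"])
    earlier = {a for t in txs[:idx] for a, *_ in t["inputs"] + t["outputs"]}
    later_inputs = {a for t in txs[idx + 1:] for a, _ in t["inputs"]}
    input_types = {stype for _, stype in tx["inputs"]}
    scores = {}
    for addr, stype, value in tx["outputs"]:
        s = 0
        s += int(addr in earlier)             # address reuse pattern
        s += int(value % 1_000_000 != 0)      # odd amount: payments tend to be round
        s += int(stype in input_types)        # same script type as the spending wallet
        s += int(addr in later_inputs)        # spent soon after as an input
        scores[addr] = s
    return scores


def likely_change(tx, txs, min_score=2):
    """Return the single best-scoring output, or None when there is no clear
    winner: change detection is probabilistic, so ties and weak scores abstain."""
    scores = score_change_candidates(tx, txs)
    if len(scores) < 2:
        return None                           # one output: a sweep, no change
    best = max(scores.values())
    winners = [a for a, s in scores.items() if s == best]
    return winners[0] if best >= min_score and len(winners) == 1 else None


def cospend_clusters(txs, include_change=False):
    """Co-spend heuristic: all inputs of a transaction share an owner. With
    include_change=True the detected change output joins that cluster too."""
    uf = UnionFind()
    for tx in txs:
        addrs = [a for a, _ in tx["inputs"]]
        for a in addrs:
            uf.union(addrs[0], a)
        if include_change:
            change = likely_change(tx, txs)
            if change:
                uf.union(addrs[0], change)
    groups = defaultdict(set)
    for a in list(uf.parent):
        groups[uf.find(a)].add(a)
    return [frozenset(g) for g in groups.values()]


if __name__ == "__main__":
    for tx in TXS:
        print(tx["txid"], "change candidate:", likely_change(tx, TXS))
    print("co-spend only:", cospend_clusters(TXS))
    print("with change:  ", cospend_clusters(TXS, include_change=True))
```

Run stand-alone, it reports D as the change of tx1 and E as the change of tx2, so the co-spend-only cluster {A, B, C} grows to {A, B, C, D, E} once change outputs are folded in; tx3 has a single output and yields no change candidate.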

7 Transaction Flow Analysis

Taint Analysis
Taint analysis traces how funds from a specific source (e.g., stolen coins) flow to destination addresses.
Forward Taint: Tracks where funds went after leaving a flagged address.
Backward Taint: Traces the origin of funds that arrived at a specific address.

Taint Calculation Methods
Poison: One tainted input taints all outputs
Haircut: Proportional taint distribution
FIFO/LIFO: Time-ordered coin spending

Hop Analysis
Example: Source → Hop 1 → Hop 2 → Target (Hop Distance = 3)

Hop Distance Characteristics
1-2 hops: Direct connections, high confidence
3-5 hops: Moderate distance, potential relation
6+ hops: Distant connection, weak relationship
Note: Mixers, exchanges, and mining pools act as "hop barriers" that make connections less conclusive. Treat transactions through these entities with caution.

8 Suspicious Transaction Patterns

Money Laundering Indicators
Layering: Multiple rapid transfers between addresses
Structuring: Breaking large amounts into smaller ones
Round-trip transactions: Funds returning to origin
Exchange hopping: Moving across multiple exchanges
Mixer usage: Passing through anonymizing services

Common Scam Patterns
Giveaway scams: Small deposits, no withdrawals
Ponzi schemes: Pyramid distribution pattern
Fake ICOs: Large collection, rapid distribution
Rug pulls: Dev wallets emptying liquidity pools
Phishing: Immediate outflow after deposit

Red Flags: Rapid succession transactions, unused outputs, dormant address activation, chain hopping (BTC→XMR→ETH)
Note: Legitimate entities like exchanges may also display some of these patterns. Always corroborate with additional evidence and entity identification.
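The three taint calculation methods in section 7 give different answers for the same flow, which matters when a report has to state how much of a victim's funds reached a given address. The following added example (written for this page, not code from the reference card) propagates poison, haircut and FIFO taint forward through a constructed UTXO graph and computes the hop distance between addresses with a breadth-first search. Transaction ids, addresses and values are constructed placeholders, and fees are ignored (each transaction's outputs sum to its inputs) to keep the arithmetic readable; in real data the fee simply leaves the pool.

```python
"""Taint propagation (poison, haircut, FIFO) and hop distance over a constructed
UTXO graph, illustrating the section 7 methods.

Added example, not code from the reference card. Transaction ids, addresses and
values are constructed placeholders; fees are ignored (each transaction's
outputs sum to its inputs) to keep the arithmetic readable.
"""
from collections import defaultdict, deque

# Constructed chain: 100 sat of flagged coins at S are co-spent with 300 sat of
# unrelated clean coins from K, then peeled twice. Inputs reference (txid, vout).
TXS = [
    {"txid": "src",   "inputs": [],                         "outputs": [("S", 100)]},
    {"txid": "clean", "inputs": [],                         "outputs": [("K", 300)]},
    {"txid": "t1",    "inputs": [("src", 0), ("clean", 0)], "outputs": [("H1", 200), ("H2", 200)]},
    {"txid": "t2",    "inputs": [("t1", 0)],                "outputs": [("T", 150), ("C", 50)]},
    {"txid": "t3",    "inputs": [("t2", 0)],                "outputs": [("Z", 150)]},
]


def _output(txs, outpoint):
    """Resolve (txid, vout) to the (address, value) it created."""
    txid, vout = outpoint
    return next(t for t in txs if t["txid"] == txid)["outputs"][vout]


def propagate_taint(txs, source_txid, method="haircut"):
    """Forward taint from every output of source_txid.
    Returns {(txid, vout): tainted_satoshis} for all outputs in txs.
    poison:  any tainted input taints every output in full
    haircut: outputs inherit the input pool's tainted fraction
    fifo:    inputs are consumed in order, so the earliest coins fill the first outputs
    """
    taint, segs = {}, {}          # segs (FIFO only): ordered (is_tainted, sats) runs
    for tx in txs:                # txs are in confirmation order
        ins = tx["inputs"]
        in_total = sum(_output(txs, op)[1] for op in ins)
        in_taint = sum(taint.get(op, 0.0) for op in ins)
        stream = deque()
        for op in ins:            # FIFO: inputs with no recorded runs are clean
            stream.extend(segs.get(op) or [(False, _output(txs, op)[1])])
        for vout, (_, value) in enumerate(tx["outputs"]):
            key = (tx["txid"], vout)
            if tx["txid"] == source_txid:
                taint[key], segs[key] = float(value), [(True, value)]
            elif method == "poison":
                taint[key] = float(value) if in_taint > 0 else 0.0
            elif method == "haircut":
                taint[key] = value * in_taint / in_total if in_total else 0.0
            elif method == "fifo":
                runs, remaining = [], value
                while remaining > 0 and stream:
                    tainted, sats = stream.popleft()
                    take = min(sats, remaining)
                    runs.append((tainted, take))
                    remaining -= take
                    if sats > take:
                        stream.appendleft((tainted, sats - take))
                segs[key] = runs or [(False, value)]
                taint[key] = float(sum(s for t, s in runs if t))
            else:
                raise ValueError(f"unknown taint method {method!r}")
    return taint


def hop_distance(txs, src_addr, dst_addr):
    """Smallest number of transactions linking src_addr to dst_addr, following
    funds forward from each transaction's input addresses to its outputs."""
    edges = defaultdict(set)
    for tx in txs:
        for op in tx["inputs"]:
            for out_addr, _ in tx["outputs"]:
                edges[_output(txs, op)[0]].add(out_addr)
    dist, queue = {src_addr: 0}, deque([src_addr])
    while queue:
        a = queue.popleft()
        for b in edges[a]:
            if b not in dist:
                dist[b] = dist[a] + 1
                queue.append(b)
    return dist.get(dst_addr)     # None when there is no forward path


def hop_confidence(hops):
    """The card's hop-distance scale, as a label for a report."""
    if hops is None:
        return "no path"
    if hops <= 2:
        return "direct (high confidence)"
    if hops <= 5:
        return "moderate (potential relation)"
    return "distant (weak relationship)"


if __name__ == "__main__":
    for method in ("poison", "haircut", "fifo"):
        print(method, propagate_taint(TXS, "src", method))
    hops = hop_distance(TXS, "S", "Z")
    print("S -> Z:", hops, "hops,", hop_confidence(hops))
```

For the same graph, poison reports the whole 150 sat at Z as tainted, haircut reports 37.5 sat (the 25% share of the mixed pool), and FIFO reports 100 sat because the flagged coins were the first input consumed. Whichever rule is used should be stated in the report, since the numbers are not interchangeable.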

Temporal Analysis
Time Patterns: Transaction time clustering; Regular interval detection; Time zone analysis
Value Patterns: Round number transactions; Consistent percentage splits; Fee anomaly detection
Behavioral Indicators: Peeling chains (sequential txs); Fan-out/fan-in patterns; Dormancy periods

Visual Pattern Examples
[Diagrams: Peeling Chain, Fan-in (Collection), Fan-out (Distribution), Circular Pattern]

Ransomware Indicators
Multiple identical ransom payments to same address
Specific requested amount (e.g., 0.3 BTC exactly)
Payments consolidated then moved to exchanges
Temporal correlation with reported attacks

Darknet Market Indicators
High volume of small deposits to single address
Scheduled batch withdrawals (vendor payouts)
Escrow address usage patterns
Multisig transaction structures
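The temporal and behavioural indicators above (peeling chains, fan-in, fan-out, regular intervals, round amounts) can each be turned into a simple detector. The following added example (written for this page, not code from the reference card) runs such detectors over a constructed transaction list. Transaction ids, addresses and timestamps are constructed placeholders, and the thresholds (5 outputs for a fan-out, 5 inputs for a fan-in, 3 links for a chain, 10% timing jitter, a 0.1 BTC rounding unit) are assumptions to be tuned against real data.

```python
"""Detectors for the behavioural patterns of sections 7 and 8: peeling chains,
fan-in, fan-out, regular timing and round amounts, over constructed transactions.

Added example, not code from the reference card. Transaction ids, addresses and
timestamps are constructed placeholders; all thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

SATS = 100_000_000        # satoshis per BTC
WEEK = 7 * 86_400

TXS = [
    # A peeling chain: each tx pays 3 BTC out and sends the remainder onward, weekly.
    {"txid": "c1", "time": 1_700_000_000,            "inputs": ["W0"],
     "outputs": [("P1", 3 * SATS), ("W1", 97 * SATS)]},
    {"txid": "c2", "time": 1_700_000_000 + WEEK,     "inputs": ["W1"],
     "outputs": [("P2", 3 * SATS), ("W2", 94 * SATS)]},
    {"txid": "c3", "time": 1_700_000_000 + 2 * WEEK, "inputs": ["W2"],
     "outputs": [("P3", 3 * SATS), ("W3", 91 * SATS)]},
    # A fan-out (distribution) and a fan-in (collection).
    {"txid": "fo", "time": 1_700_100_000, "inputs": ["D0"],
     "outputs": [(f"D{i}", 12_345_678) for i in range(1, 9)]},
    {"txid": "fi", "time": 1_700_200_000, "inputs": [f"V{i}" for i in range(1, 7)],
     "outputs": [("COLLECT", 6 * 33_000_000)]},
]


def fan_out(txs, min_outputs=5):
    """Distribution: one input address feeding many outputs."""
    return [t["txid"] for t in txs
            if len(set(t["inputs"])) == 1 and len(t["outputs"]) >= min_outputs]


def fan_in(txs, min_inputs=5):
    """Collection: many input addresses consolidated into one output."""
    return [t["txid"] for t in txs
            if len(set(t["inputs"])) >= min_inputs and len(t["outputs"]) == 1]


def peeling_chains(txs, min_len=3):
    """Sequences of two-output transactions where the larger output is spent by
    exactly one following two-output, single-input transaction."""
    spends = defaultdict(list)                 # address -> txs spending from it
    for t in txs:
        for a in set(t["inputs"]):
            spends[a].append(t)

    def next_link(t):
        if len(t["outputs"]) != 2:
            return None
        carry = max(t["outputs"], key=lambda o: o[1])[0]   # larger output continues
        cands = [n for n in spends[carry]
                 if len(set(n["inputs"])) == 1 and len(n["outputs"]) == 2]
        return cands[0] if len(cands) == 1 else None

    nxt = {t["txid"]: next_link(t) for t in txs}
    successors = {n["txid"] for n in nxt.values() if n}
    chains = []
    for t in txs:
        if t["txid"] in successors:            # only start from chain heads
            continue
        chain, cur = [], t
        while cur:
            chain.append(cur["txid"])
            cur = nxt[cur["txid"]]
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


def regular_interval(times, max_cv=0.10):
    """True when the gaps between timestamps are nearly constant (coefficient
    of variation at most max_cv), e.g. weekly withdrawals."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return False
    return pstdev(gaps) / mean(gaps) <= max_cv


def is_round_amount(sats, unit=SATS // 10):
    """Round-number value: an exact multiple of the unit (0.1 BTC by default)."""
    return sats % unit == 0


def chain_times(txs, chain):
    return [t["time"] for t in txs if t["txid"] in chain]


if __name__ == "__main__":
    print("fan-out:", fan_out(TXS), "fan-in:", fan_in(TXS))
    for chain in peeling_chains(TXS):
        print("peeling chain:", chain, "regular:", regular_interval(chain_times(TXS, chain)))
```

On the constructed data the chain c1 → c2 → c3 is reported with weekly regularity and round 3 BTC peels, fo is flagged as a fan-out and fi as a fan-in. As the card notes, exchanges and payment processors produce fan-in and fan-out shapes legitimately, so these hits are leads to corroborate, not conclusions.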
9 Mixers & Tumblers

How They Work
Cryptocurrency mixers combine funds from multiple users, shuffling them to break transaction trails between sending and receiving addresses.
[Diagram: MIXER]

Detection Features
Time delay patterns: Standard wait times
Fee structures: Fixed % or tiered fees
Amount standardization: Fixed denominations
Address reuse: Temporary collection addresses

Known Mixer Services
Wasabi Wallet (CoinJoin)
Samourai (Whirlpool)
Tornado Cash (ETH)
ChipMixer (BTC)
Note: Many jurisdictions consider mixer usage suspicious. Some services (Tornado Cash) have been sanctioned by regulators.

10 Entity Identification

Exchange Fingerprinting
Deposit addresses: Known patterns & prefixes
Withdrawal patterns: Timing, amounts, batching
Hot/cold wallet transfers: Security patterns
Fee structures: Unique to each platform

Common Entity Tags
Exchange, Mining Pool, Mixer, Merchant, Darknet, Payment Processor, Gambling, DeFi Protocol

Entity Identification Methods
Known address lists: Public entity disclosures
Network analysis: Transaction patterns
Off-chain intelligence: Forum posts, social media
Self-attributions: Signed messages, website info

Risk Scoring
Low (1-3): Regulated exchanges, known entities
Medium (4-7): Unregulated services, gambling
High (8-10): Mixers, darknet markets, ransomware
Factors: Entity type, jurisdiction, KYC practices, regulatory compliance

11 Forensic Data Sources

Blockchain Data
Transaction history: All on-chain movements
Block data: Timestamps, miner info
Mempool: Pending transactions
Smart contract code: On-chain logic

External Data Sources
Exchange records: KYC, trading history
Forum disclosures: Self-identified addresses
Darknet marketplaces: Seized server data
IP association: Transaction broadcast data
Social media: Address sharing, scam reports

Data Collection Methods
Full node operation: Direct blockchain access
API services: Preprocessed blockchain data
OSINT techniques: Public information gathering
Subpoenas: Legal requests to service providers

Data Challenges
Chain-hopping obscures complete flow
Off-chain transactions (Lightning Network)
Privacy protocols (Monero, zkSNARKs)
Exchange pooled wallets lack attribution

12 Case Study Framework

Investigation Elements
Initial indicators: Suspicious activity triggers
Source of funds: Origin identification
Flow analysis: Transaction path mapping
Entity attribution: Wallet owner identification
Value calculation: Monetary impact assessment
Evidence chain: Forensically sound documentation

Documentation Structure
Case Summary: Case identifier; Date range; Entities involved; Value at risk; Methodology
Key Findings: Address clusters; Entity attributions; Transaction patterns; Risk indicators; Timeline

Famous Cases
Case | Year | Value | Resolution
Silk Road | 2013 | 175,000 BTC | Seized
Mt. Gox | 2014 | 850,000 BTC | Partial recovery
Bitfinex Hack | 2016 | 119,754 BTC | Partial recovery
Colonial Pipeline | 2021 | 75 BTC | Partial recovery

13 Learning Resources

Books & Publications
Investigating Cryptocurrencies - Nick Furneaux
Bitcoin Forensics - James Harris
Cryptoasset Inheritance Planning - Pamela Morgan
The Basics of Bitcoins and Blockchains - Antony Lewis
CryptoAssets - Chris Burniske & Jack Tatar

Courses & Certifications
Certified Cryptocurrency Investigator (CCI) - CipherTrace
Cryptocurrency Tracing - Chainalysis
Certified Blockchain Expert - Blockchain Council
Cryptocurrency Investigation - ACAMS
Financial Crime Academy - Elliptic

Online Resources
Cambridge Cryptoasset Study - Cambridge University
CryptoCompare Research - Market insights
Crystal Blockchain Blog - Analytics insights
Chainalysis Market Intel - Market reports
FATF Guidelines - Regulatory resources
ACFCS Articles - Case studies

Recommended Learning Path
Blockchain Basics → Transaction Analysis → Clustering Techniques → Pattern Recognition → Case Building

Tools Mastery Path
1. Learn public block explorers (Blockchair, Etherscan)
2. Practice with open-source analysis tools (BlockSci)
3. Develop visualization skills (Gephi, Maltego)
4. Build automation skills (Python for blockchain)
5. Adopt professional platforms when needed

Practice Resources
CryptoHack - Cryptography challenges
Follow The Coin - Transaction tracing game
BlockSec CTF - Security competitions
Princeton Bitcoin Course - Online lectures
GitHub repositories - Open-source tools

14 Chain Hopping Techniques

What is Chain Hopping?
Chain hopping is the practice of moving assets between different blockchains to obscure the trail of funds and take advantage of the different privacy characteristics of each network.
[Diagram: Exchange / Privacy Layer between Bitcoin (₿), Ethereum (Ξ) and Monero (ɱ)]

Investigation Challenges
Cross-chain tracing: Service attribution required
Data silos: Different explorers for each chain
Privacy barriers: Some chains obscure information
Timing correlation: Matching deposits/withdrawals
Exchanges as black boxes: Internal transfers hidden
Blind Spots: When funds move through privacy chains like Monero or through mixers/tumblers, the trail often goes cold.

Common Hopping Patterns
Privacy Seeking: BTC → XMR → ETH → BTC
  Purpose: Break transaction trail
  Detection: Timing correlation of exchange deposits/withdrawals
Fee Optimization: BTC → LTC → Exchange → BTC
  Purpose: Lower transaction fees
  Detection: Consistent amount minus predictable fees
Regulatory Evasion: Regulated → Unregulated Exchange → Privacy Coin
  Purpose: Avoid reporting/restrictions
  Detection: Exchange API identification, withdrawal patterns

Investigation Approaches
Service Node Operation: Capturing network data
Exchange Cooperation: Legal process access
Deposit/Withdrawal Correlation: Timing analysis
Amount Tracking: Distinct value patterns
Known Exchange Patterns: Hot wallet signatures
Integrated Services: Multi-chain analysis platforms
Best Practice: Focus on exchange chokepoints where funds enter and exit privacy layers. Most users eventually convert back to transparent chains.
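The two detection methods the card names for chain hopping, timing correlation of exchange deposits and withdrawals and "consistent amount minus predictable fees", amount to a join between two event streams. The following added example (written for this page, not code from the reference card) performs that join over constructed deposit and withdrawal records. Because the two legs are in different assets, amounts are given as already-converted USD figures; the 1-hour window, the 1% percentage fee band and the 5 USD flat fee allowance are assumptions to calibrate against the exchange in question.

```python
"""Deposit/withdrawal correlation across chains (section 14 detection methods).

Added example, not code from the reference card. The records are constructed:
ids, chains, timestamps and USD-equivalent amounts are placeholders, and the
window and fee tolerances are assumptions.
"""

DEPOSITS = [   # inbound transfers observed at an exchange's deposit addresses
    {"id": "dep-1", "chain": "BTC", "time": 1_700_000_000, "usd": 10_000.0},
    {"id": "dep-2", "chain": "BTC", "time": 1_700_003_600, "usd": 2_500.0},
]
WITHDRAWALS = [  # outbound transfers from the same exchange on other chains
    {"id": "wd-1", "chain": "XMR", "time": 1_700_000_900, "usd": 9_985.0},   # 15 min later, 0.15% less
    {"id": "wd-2", "chain": "ETH", "time": 1_700_090_000, "usd": 2_480.0},   # a day later: outside window
    {"id": "wd-3", "chain": "LTC", "time": 1_700_004_200, "usd": 1_000.0},   # in time, amount does not fit
]


def correlate(deposits, withdrawals, window_s=3600, max_fee_frac=0.01, flat_fee_usd=5.0):
    """Pair each deposit with withdrawals that follow it within window_s seconds
    and whose amount equals the deposit minus a plausible fee (a flat allowance
    plus a percentage of the deposit). Returns candidate pairs, best first."""
    matches = []
    for d in deposits:
        for w in withdrawals:
            delay = w["time"] - d["time"]
            if not 0 < delay <= window_s:          # withdrawal must follow the deposit
                continue
            fee = d["usd"] - w["usd"]
            if not 0 <= fee <= flat_fee_usd + max_fee_frac * d["usd"]:
                continue
            matches.append({
                "deposit": d["id"], "withdrawal": w["id"],
                "route": f'{d["chain"]}->{w["chain"]}',
                "delay_s": delay, "fee_frac": round(fee / d["usd"], 4),
            })
    # Shorter delay and smaller fee gap are the stronger evidence.
    return sorted(matches, key=lambda m: (m["deposit"], m["delay_s"], m["fee_frac"]))


def unmatched_deposits(deposits, withdrawals, **kw):
    """Deposits with no candidate withdrawal: funds may still sit inside the
    exchange, or have left by a route outside the data set."""
    matched = {m["deposit"] for m in correlate(deposits, withdrawals, **kw)}
    return [d["id"] for d in deposits if d["id"] not in matched]


if __name__ == "__main__":
    for m in correlate(DEPOSITS, WITHDRAWALS):
        print(m)
    print("unmatched:", unmatched_deposits(DEPOSITS, WITHDRAWALS))
```

With the constructed records only dep-1 and wd-1 correlate (15 minutes apart, 0.15% fee gap on a BTC→XMR route); dep-2 stays unmatched because wd-2 is a day late and wd-3 is far below the deposit amount. A correlation like this is a lead that needs exchange cooperation or legal process to confirm, since an exchange's internal ledger is the only record that ties the two legs together.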

15 Smart Contract Analysis

Key Contract Types
ERC-20 Tokens: Fungible token standard
ERC-721/1155: NFT standards
DEX Contracts: Decentralized exchanges
Lending Protocols: DeFi lending platforms
DAO Governance: Voting contracts
Multisig Wallets: Shared control contracts

Analysis Techniques
Event Logs: Transaction event tracking
Internal Transactions: Contract-to-contract calls
Method Signatures: Function identification
State Changes: Variable modifications
Token Flows: Transfers between addresses
Contract Code: Behavior examination

Common Smart Contract Exploits
Reentrancy: Recursive calling of vulnerable function
Flash Loan Attacks: Temporary large-sum borrowing
Oracle Manipulation: Price feed tampering
Front-running: Transaction order manipulation

Ethereum Contract Call Analysis Example
    // Ethereum Contract Call Analysis Example
    contract.transfer(recipient, amount);
    // Translates to function signature:
    0xa9059cbb // transfer(address,uint256)
    // Event emitted (topic):
    0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef // Transfer

Investigation Tools
Block Explorers: Etherscan, BscScan, PolygonScan; Blockscan (for multiple EVM chains)
Analysis Platforms: Dune Analytics (SQL queries); Nansen (wallet profiling); Tenderly (advanced debugging)
Development Tools: Remix IDE (code analysis); Hardhat (local testing); Etherscan Decompiler; Slither (security scanner)

16 DeFi Investigation

DeFi Protocol Types
DEXs: Uniswap, SushiSwap, PancakeSwap
Lending: Aave, Compound, MakerDAO
Yield Farming: Yearn, Curve, Convex
Derivatives: dYdX, Synthetix, Perpetual
Bridges: Wormhole, Multichain, Portal

Common DeFi Attacks
Flash Loan Exploits: Large funds for single-tx attacks
Economic Attacks: Pool value manipulation
Governance Attacks: Token voting manipulation
Bridge Exploits: Cross-chain validation flaws
Rugpulls: Developer-controlled asset draining

Tracing DeFi Transactions
Token Swap → LP Position → Yield Farming → Bridge Transfer → New Chain

Investigation Challenges
Multiple contract interactions per transaction
Complex logic across multiple protocols
Token swaps change asset identifiers
Cross-chain movements break tracing

Investigation Techniques
Track net value changes across interactions
Follow internal transactions (contract-to-contract)
Identify protocol signatures and events
Monitor bridge endpoints on both chains

Specialized Tools
DeBank (cross-chain portfolio tracking)
Zerion (DeFi transaction history)
DeFiLlama (protocol analytics)
APY.Vision (liquidity pool analysis)

Blockchain Investigation Visual Reference | For educational purposes only
