July 13, 2026
at
12:55 pm
EST
MIN READ

Blockchain forensics is the practice of analyzing blockchain transactions to track the movement of funds, identify wallet owners, and build up evidence that can be used in a court of law. Because blockchains are trustless and can be utilized by anyone to move money around without oversight, many criminals use crypto to move money around. However, the immutable public nature of blockchain ledgers also serves law enforcement well, as all they need to do is follow the trail of transactions recorded publicly on-chain.
Blockchain forensics involves tracing, attributing, and documenting the movement of digital assets on the public blockchain ledger through detailed examination. Whereas a traditional financial crime investigation may be stalled because of legal process, blockchain investigations face no such obstacles and can begin as soon as a transaction is confirmed.
To understand why this is possible, you’ll need to first understand what sets a blockchain apart from other traditional financial record-keeping systems.
A blockchain is a distributed ledger that is being contributed to and maintained by a very large network of computers. When a transaction is submitted to the blockchain, it gets bundled into a block, cryptographically sealed, and then attached to the block before it. No single party controls the ledger, and once a transaction has been confirmed by the network, it can’t be edited or deleted. As a result, blockchains have four distinct properties that can either help criminals operate or help law enforcement track them down.
The first property of a blockchain is pseudonymity. When you open a bank account, part of the standard process involves giving the bank your real name, address, and other identifying pieces of information. When you create a crypto wallet, none of these things are required. While this feature can help criminals move money more easily without initially revealing their identity, it also creates a permanent on-chain footprint for law enforcement to investigate.
Another inherent property of a blockchain is the permanent nature of recorded transactions. In traditional finance, records can be altered, destroyed, or sealed by court orders. Offshore banks have historically been black boxes, keeping their transactions private. Transactions on the blockchain, however, are cryptographically locked into the ledger and cannot be altered or deleted. This ensures that an investigator can see a wallet's every transaction, allowing law enforcement to track criminal funds with absolute certainty.
Transparency is a third characteristic property of blockchains. Anyone with an internet connection can access a blockchain and view what's occurred on-chain by themselves. There is no prerequisite of a subpoena or a FOIA request before an investigator can start tracking a criminal down. Law enforcement can begin tracing a suspicious wallet as soon as they have the address in hand.
Traceability is the final core property of a blockchain. If a hacker splits illicit funds into hundreds of different wallets, every single one of these splits and hops is recorded. Whereas traditional money laundering often routes dirty money through jurisdictions with poorer record-keeping, blockchains store each and every action that happens on-chain. A bad actor (like The Lazarus Group) laundering money on-chain can make the trail highly complex, but because the records are permanent, it ultimately helps law enforcement track them down.

Because crypto offers itself as an alternative to the traditional finance system and doesn’t require identification to use, many bad actors have turned to crypto as a finance ecosystem that they have free access to. Ransomware groups demand payments in Bitcoin, sanctioned states route payments through decentralized exchanges, and hackers exploit protocols for money and use mixers and bridges to try and clean their money.
Legacy investigation frameworks were built around parts of traditional finance infrastructure such as SWIFT records and court-ordered bank disclosures. This framework is not very useful in the crypto world, where money can be transferred globally in seconds without the need for a middleman. By the time a subpoena has been approved, the funds have already been transferred away long ago. Blockchain forensics on the other hand, gives investigators a way to track stolen money in real time. Additionally, because transaction hashes can’t be edited or deleted in any way, the evidence that it produces is admissible in courts.
Financial institutions and crypto businesses use forensic screening to check if a wallet has any suspicious previous activity or has been placed on a sanctions list before processing a transaction from a new wallet. Due to anti-money laundering regulations, institutions must screen counterparties, check for suspicious flows, and file reports when risk thresholds are met. Failure to do so may result in an exchange acting as an unwitting off-ramp for illicit funds. For banks and payment processors that frequently interact with crypto assets, on-chain risk monitoring is an essential part of remaining compliant.
For law enforcement, blockchain forensics acts as a force multiplier by allowing a small team of investigators to do the work that would typically require significantly more people and time. Using on-chain analysis tools, investigators can follow illicit funds across wallets, mixers, and chains. When criminals attempt to cash the money out by transferring to an exchange, investigators can perform a seizure. This has led to multiple high-profile seizures of ransomware operators, darknet market owners, and foreign sanctions evaders.
Regulators rely upon on-chain forensic data to verify if crypto exchanges are accurately reporting their trading volumes, if stablecoin issuers are properly backing their tokens, and if whales are manipulating markets with coordinated trades. Because courts accept blockchain forensic reports as evidence in cases covering digital asset fraud and tax evasion, regulators have a strong use case for blockchain forensics.

The primary challenge in blockchain forensic revolves around being able to attribute an anonymous wallet address to a real world identity. Forensic software accomplishes this through a variety of overlapping techniques.
Address clustering groups together wallets that are most likely owned and controlled by a single entity. Bitcoin’s UTXO model means that a single transaction is often downstream of multiple input addresses. When these addresses co-sign a transaction, it’s likely that these wallets are controlled by a single person or entity. Clustering these groups of wallets allows forensic investigators to collapse thousands of addresses into a smaller, more manageable set of entities.
Arkham Intel automates and scales this process. The platform combines on-chain transactional patterns with proprietary AI and data from in-house sleuths to automatically aggregate thousands of disparate addresses into a single entity profile (such as a specific exchange, fund, or hacker group).

Taint analysis tracks dirty money on-chain, and assigns scores to wallets based on their proximity to the dirty money. If one wallet receives funds stolen in a hack and sends a portion of the stolen funds to a second wallet, taint analysis assigns the second wallet a risk score based on how directly it connects back to the original attacker wallet. The further removed a wallet is from the hack, the lower the score, but the connection is still there.
Risk Scores are now live in the Arkham API as a paid add-on. Built on top of advanced taint analysis, these scores work by evaluating a wallet's exposure to known illicit entities - such as mixers, sanctioned addresses, or protocol hackers. The system assesses risk based on proximity: a wallet with direct exposure (receiving funds straight from an attacker) receives a high-risk rating, while a wallet multiple hops removed receives a lower score. API users can use these real-time scores to evaluate counterparty risk, automatically flag risky depositors, and build custom Anti-Money Laundering (AML) compliance workflows. Read our full guide to Risk Scores here.
UTXO tracing is particularly useful for Bitcoin and similar chains. Because funds are recorded as discrete outputs on the Bitcoin blockchain, each UTXO has a transaction history that starts with when it was first mined. When the UTXO is spent, new outputs are created and the original UTXO is consumed. By following the chain of outputs, investigators can follow how value moved from one output to another instead of watching an address balance change. This gives Bitcoin forensics a level of granularity that does not exist in account-based chains like Ethereum.
Mixer and cross-chain analysis represents some of the most challenging parts of blockchain forensics. Mixers, also known as tumblers, pool deposits from multiple users and return funds to depositors in multiple outputs of randomized amounts. This breaks the direct connection that links inputs and outputs. Cross-chain bridges move assets from one chain to another, which creates a gap in the on-chain trail that single-chain tools can’t connect. Advanced blockchain forensic tools tackle these two challenges through a combination of behavioral analysis, timing correlation, and amount fingerprinting. While none of these methods are perfect, they’ve been effective enough that multiple mixer operations have been shut down after investigators were able to use these techniques to identify mixer operators and users.
OSINT integration is what’s used to connect on-chain wallets and transactions to the real world. While wallets can be traced infinitely on-chain, that information alone doesn’t identify the owner of the wallet. The final step of identification requires off-chain data such as a social media post with a deposit address in it, forum threads where usernames are linked to a transaction, exchange KYC records obtained through legal processes, or court filings that reference specific wallets. Investigators who are able to identify the perpetrators of the largest cases tend to be investigators that are comfortable combining on-chain analysis with open-source research to crack cases.
Arkham is a blockchain intelligence platform that covers many major chains. The platform was built with the goal of de-anonymizing the blockchain. As well as performing analysis at the wallet/address level, Arkham organizes groups of wallets into entities, which Arkham, in-house sleuths, with the help of AI, have determined belong to a single organization or individual. This allows users to search for organizations such as BlackRock and Binance and immediately view their consolidated holdings and transaction history. The power of this approach becomes clear with a real example. Despite Michael Saylor’s public statements saying that Strategy (prev. MicroStrategy) would never disclose its wallet addresses, Arkham identified 1,500 wallets tied to the company containing over 83% of their total Bitcoin holdings.
Beyond entity names, Arkham uses behavioral tags to label on-chain addresses based on their transaction history. Tags like “Scam”, “Hacker”, and “FOMO User” let users quickly understand a wallet’s history without needing to manually go through thousands of transactions on their own. For forensics work in particular, seeing a wallet tagged with “Hacker” can save hours of additional manual tracing.

For active fund tracing, the Visualizer generates a network graph that displays relationships between entities, using green lines for inflows and red lines for outflows. Users can further filter by token type, transaction size, or timeframe. Large entities can be right clicked and broken into individual wallets.

Tracer allows users to follow funds around on-chain. By entering a wallet address, users can see the top counterparties, add them to the map, and then expand the web by fetching flows. Clicking the lines between two nodes then opens full transaction history between the two nodes, as well as a summary of tokens, timestamps, gas costs, etc.

The Arkham platform also has a robust alert system that actively monitors the blockchain and notifies users when their specified conditions have been met. Because Arkham has a large list of entities, a single alert set on “Satoshi Nakamoto” automatically covers all 22,000 of his known wallets. Users do not need to manually set alerts on each wallet, just selecting the entity covers them all. Alerts can be sent through email, Telegram, Slack, or through webhooks, and can then be filtered by token, transaction size, chain, or counterparty.
Full How To Use Arkham Guide: https://info.arkm.com/research/how-to-use-arkham-intel-guide-explained

In August 2025, Arkham was the first to report the largest theft the crypto industry had ever seen.
LuBian, a Chinese Bitcoin mining pool that at one point controlled close to 6% of the Bitcoin total hash-rate, was exploited for 127,426 BTC worth roughly $3.5 billion on December 8th, 2020. The next day, LuBian was hacked again for an additional ~$6 million in BTC and USDT. LuBian then moved its remaining 11,886 BTC to safe wallets on December 31st, 2020. The hack was not publicly acknowledged by LuBian or the attacker, and the funds sat dormant until July 2024, when Arkham detected the 127K BTC cluster moving to new addresses.
Arkham’s entity clustering had already identified LuBian’s many wallets and grouped them together into a unified trackable entity. Arkham’s investigation also revealed that LuBian had sent 1,516 OP_RETURN messages at a cost of 1.4 BTC to the hacker asking for the funds to be returned. The amount of messages and 1.4 BTC spent on them suggested that LuBian was indeed the owner of the drained wallets, and not a third party pretending to be LuBian.
A dramatic development in the story occurred when US civil forfeiture filings listed the original LuBian wallet and not the attacker wallets, as seized property. Court documents revealed that LuBian was not a legitimate mining group, but in fact a money laundering front for Prince Holding Group. Prince Holding Group was a Southeast Asian operation led by Chen Zhi that ran human trafficking operations as well as industrialized pig-butchering scams, and used the LuBian mining pool to launder money by funneling funds through it.
In October 2025, the US Department of Justice announced that it had seized 127,271 BTC from Prince Holding Group, the largest cryptocurrency seizure in US history. The seizure was worth over $35 billion at the time. Chen Zhi was arrested in Cambodia and extradited to China soon after. Without Arkham’s entity clustering, discovery of OP_RETURN messages, and detection of the 127K BTC moving, the connections between LuBian and Prince Group and Chen Zhi might never have been discovered.
As cryptocurrency adoption continues to grow, blockchain forensics has become a central part of financial crime investigation in recent years. The LuBian case is a good example of what the field is now capable of: a $3.5 billion on-chain theft went unnoticed for 5 years, but was eventually traced, identified, and seized with the help of Arkham and on-chain forensics.
Ironically, the same properties that help make crypto ungovernable are also the same ones that make it traceable. The public blockchain ledger that no one controls also ensures that no one can truly hide their actions on it. Every on-chain action leaves behind a trail of transactions, and the tools for following these trails only continue to improve as time passes.
Try Arkham today to start tracing on-chain activity yourself.


.png)
.png)


.png)
.png)


.png)
.png)


.png)
.png)


























.png)
.png)






.png)
.png)
.png)
.png)


.png)
.png)












.png)
.png)












.png)
.png)


















.png)
.png)




.png)
.png)




%20copy.png)
%20copy.png)
.png)
.png)








.png)
.png)
.png)
.png)









