Follow the Coin: How Investigators Turn Public Ledgers Into Evidence
- The “follow the money” model still works. Investigators trace funds on-chain until they hit an exchange, then subpoena the KYC records.
- Mixers and privacy coins make tracing harder, but not impossible. Mixer takedowns produce historical data that feeds future investigations.
- International cooperation is built in. MLATs, Europol, and FinCEN’s Rapid Response Program move evidence across borders relatively fast.
- Blockchain analytics tools have very low false-positive rates in controlled testing, but they are investigative leads, not standalone evidence.
- Courts have generally held that on-chain data is public and needs no warrant. Exchange records still require legal process.
How Police Trace Crypto: Inside the Hunt for Illicit Money
For a long time, the public assumption about crypto was that it was anonymous. That assumption sold a lot of ransomware, made the early dark web possible, and powered a great deal of confused journalism.
It was always wrong. Bitcoin’s ledger is one of the most public financial records ever created. Every transaction sits on a globally distributed database that anyone can read. The hard problem for investigators was never seeing the transactions. It was tying addresses to people.
That problem has been getting solved, piece by piece, for over a decade. This article looks at how law enforcement traces illicit crypto today: the legal framework, the investigative workflow, the tooling, the wins, the failures, and the parts that still do not work.
The Legal Plumbing
The Financial Action Task Force extended its anti-money-laundering recommendations to cover Virtual Asset Service Providers some years ago. Exchanges, custodians, and most centralized crypto businesses now have to do customer due diligence, file suspicious activity reports, and comply with the travel rule, which requires sender and recipient identity information to accompany transfers above certain thresholds.
The US has treated crypto money transmitters under the Bank Secrecy Act for years. The EU rolled out MiCA. Other jurisdictions built their own versions. The combined effect is that crypto exchanges behave like banks for compliance purposes, which means real identities get attached to most wallets that interact with the regulated financial system.
Cross-border work runs on a few channels. Mutual Legal Assistance Treaties handle formal evidence requests between countries. Europol coordinates EU-wide investigations. INTERPOL has its own crypto unit. FinCEN’s Rapid Response Program connects US victims and US law enforcement with foreign counterparts to freeze stolen funds quickly. Since its launch in 2015, RRP has interdicted close to two billion dollars for US fraud victims.
For a US victim of crypto fraud whose funds end up on a foreign exchange, the path runs from victim to FBI, FBI to FinCEN, FinCEN to the foreign Financial Intelligence Unit, FIU to local law enforcement, and local law enforcement to the exchange. When the channels work, it can happen in hours. They work more often than people assume, especially in jurisdictions with established cooperation history.
The Workflow in Plain Terms
A typical investigation starts with a tip. A victim files a complaint with the FBI’s IC3 portal. A bank files a SAR. A cyber incident gets reported through a victim’s incident-response firm. Sometimes a tax authority surfaces an anomaly.
From there, analysts identify the addresses involved and start following the chain. They use heuristic clustering to group addresses that probably belong to the same wallet. They build transaction graphs showing how funds moved through the network. They look for known entities along the way: exchange deposit addresses, mixer wallets, sanctioned addresses, ransomware payment clusters.
The goal is to follow the funds until they reach a regulated exchange that collected KYC. Once they do, investigators subpoena or formally request the records. Exchange compliance teams turn over names, addresses, IP logs, phone numbers, and transaction histories. Those data points get cross-referenced with other intelligence. Suspects emerge. Arrests and seizures follow.
The agencies involved depend on the case. In the US: DOJ Criminal handles prosecution, the FBI’s Virtual Asset Exploitation Unit runs the technical side, IRS Criminal Investigation has produced some of the biggest crypto cases on record, Homeland Security Investigations and the Secret Service handle pieces of the cybercrime portfolio, and various state attorneys general work crypto-specific cases. DOJ stood up the National Cryptocurrency Enforcement Team (NCET) in 2021 to centralize the work, then disbanded it in April 2025, folding its functions back into the broader Criminal Division.
Outside the US, Europol coordinates across European member states. Germany’s BKA, the UK’s National Crime Agency, and France’s cyber-gendarmerie have built significant in-house crypto capacity. INTERPOL handles cases that cross continents.
Behind all of these public agencies sit the private analytics firms whose tools they use.
The Tools
A handful of companies dominate blockchain analytics for law enforcement.
| Tool | Founded | Coverage | Used By |
| --- | --- | --- | --- |
| Chainalysis | 2014, US | 100+ chains | FBI, DOJ, Europol |
| Elliptic | 2013, UK | Major coins and DeFi | EU agencies, financial regulators |
| CipherTrace | 2015, US | ~800 coins | US Treasury, exchanges |
| TRM Labs | 2018, US | 100+ chains, DeFi, bridges | Law enforcement, large firms |
| Crystal | 2017 | BTC, BCH, ETH, LTC | European banks, regulators |
What these tools do is ingest the raw blockchain plus a large amount of off-chain context: known exchange addresses, sanctioned wallets, OSINT from forums and breaches, tagging from prior investigations. They cluster addresses into entities, flag risky counterparties, and produce visualizations that an investigator can navigate.
Academic testing has confirmed extremely low false-positive rates on the leading platforms under controlled conditions. In real-world ambiguity the picture is messier, but the tools are good enough to generate solid investigative leads. Courts have generally accepted the outputs as evidence when properly supported by expert testimony.
The heuristics that do most of the work include common-input clustering (multiple inputs to a single transaction probably share an owner), change detection (identifying which output of a transaction returns to the spender), peel chain detection (funds being split off in repeating patterns), and CoinJoin identification (recognizing the equal-value output signature of mixed transactions).
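As an added illustration of the first, second and last of these heuristics (example code written for this article, not any analytics vendor's), the Python below clusters a constructed set of transactions by common input and a round-value change rule, and shows why a CoinJoin-shaped transaction has to be excluded first: with the filter off, the equal-output transaction falsely merges three unrelated owners into one cluster. The sample data, the 1000-satoshi "round value" rule and the three-equal-outputs test are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample transactions (not real chain data). Each has a txid,
# a list of input addresses and a list of (output_address, value_in_sats).
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": [("X1", 50_000), ("A3", 9_350)]},
    {"txid": "t2", "inputs": ["A3"], "outputs": [("X2", 5_000), ("A4", 3_410)]},
    {"txid": "t3", "inputs": ["B1", "B2", "B3"], "outputs": [("Y1", 20_000)]},
    # CoinJoin-shaped: three equal-value outputs funded by three unrelated inputs.
    {"txid": "t4", "inputs": ["A4", "B4", "C1"],
     "outputs": [("M1", 1_000), ("M2", 1_000), ("M3", 1_000), ("A5", 410)]},
]

class UnionFind:
    """Disjoint-set forest: every address starts as its own cluster."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def is_coinjoin_like(tx, min_equal=3):
    """Equal-value output signature: at least min_equal outputs of identical
    value, funded by at least min_equal inputs (assumed, crude CoinJoin test)."""
    counts = Counter(value for _, value in tx["outputs"])
    return len(tx["inputs"]) >= min_equal and max(counts.values()) >= min_equal

def change_output(tx):
    """Round-value heuristic (assumed): if exactly one output is not a multiple
    of 1000 sats, treat it as change returning to the spender."""
    odd = [addr for addr, value in tx["outputs"] if value % 1_000 != 0]
    return odd[0] if len(odd) == 1 else None

def cluster_addresses(txs, skip_coinjoin=True):
    """Common-input clustering plus change linking -> {address: frozenset(cluster)}."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + [a for a, _ in tx["outputs"]]:
            uf.find(addr)  # register every address so singletons show up too
        if skip_coinjoin and is_coinjoin_like(tx):
            continue  # CoinJoin inputs belong to different people: never merge them
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)  # common-input: all inputs share an owner
        change = change_output(tx)
        if change is not None:
            uf.union(first, change)  # change goes back to the spender
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {a: frozenset(members) for members in groups.values() for a in members}
```

Running `cluster_addresses(SAMPLE_TXS)` with and without `skip_coinjoin` makes the false-merge visible: A1's cluster grows from four addresses to seven once the CoinJoin-shaped transaction is treated as an ordinary spend.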
When investigators identify a suspect address and trace it to a regulated exchange, the chain analysis stops and the legal process starts. Subpoena the exchange. Obtain the KYC records. Match the records to other evidence. Build the case.
Mixers, Tumblers, and Privacy Coins
Mixing services exist to break the trace. They pool coins from many users and redistribute them, ideally with no clean on-chain link between input and output.
Investigators handle mixers in two ways.
The first is to take them down. The Cryptomixer operation in November 2025 is the working example. German and Swiss authorities, with Europol coordination and US support, seized three backend servers in Zurich, took control of the cryptomixer.io domain, and confiscated over €25 million in Bitcoin. The bigger prize was the data: roughly 12 terabytes of operational records, including transaction logs, user mappings, and historical clusters. That data lets investigators retroactively trace transactions that ran through Cryptomixer over years of operation.
Tornado Cash got a different treatment. US Treasury sanctioned the mixer in August 2022, citing over $7 billion in laundered funds. Two days later, Dutch authorities arrested one of the developers. The sanctions did not break the protocol’s code, but they made it illegal for US persons to interact with the service. The arrest signaled that open-source code can carry criminal exposure when the operators run it as a service.
The second approach is statistical. Even without seizing a mixer, certain patterns can be detected. Mixers often produce distinctive output structures, fixed fees, or timing windows. Combined with off-chain intelligence (user mistakes, leaked logs, infiltrated operators), these patterns can sometimes link inputs to outputs probabilistically. It is slower and less certain than working from seized data, but it produces leads.
Privacy coins are a different problem. Monero uses ring signatures, stealth addresses, and confidential transaction amounts. The result is a ledger that does not reveal senders, recipients, or amounts. Conventional chain analysis does not work on it. Zcash with shielded transactions has similar properties.
Investigators working privacy-coin cases rely on off-chain methods: exchange records when the funds enter or leave the regulated system, device seizures, network-level surveillance, cooperating witnesses, and Tor de-anonymization when applicable. The chain analysis approach used for Bitcoin tracing does not translate to these protocols, and the cases that proceed against privacy-coin users almost always rely on operational security failures by the targets rather than cryptographic breaks.
Off-Chain Work Is Still Most of the Job
The blockchain is transparent; its users are not. Connecting wallets to humans almost always requires off-chain data.
Exchange records are the workhorse. A subpoena to Coinbase, Binance, Kraken, or any other compliant exchange returns account profiles, transaction histories, IP logs, sometimes device fingerprints. Most major exchanges run dedicated law enforcement portals. For foreign exchanges, the request usually runs through MLAT channels, which adds time but generally works in cooperating jurisdictions.
OSINT fills in the gaps. Forum posts where someone advertises a wallet. Social media that links a username to an address. Job listings, public statements, leaked databases. Blockchain analytics firms increasingly bundle these data sources into their platforms, so an investigator can pivot from an on-chain cluster to a Telegram username without leaving the same interface.
Cross-agency collaboration ties it together. FIUs share SARs through the Egmont Group. Europol pushes intelligence updates to member states. Joint task forces form for high-priority cases.
And then there is the physical world (search warrants, device seizures). The James Zhong case ended with IRS agents finding hardware wallets at his Florida home, which contained the keys to over 50,000 BTC he had stolen from Silk Road back in 2012. The chain analysis identified the cache. The search warrant retrieved the keys.
Cases Worth Studying
Colonial Pipeline in 2021 is the canonical recovery case. Colonial paid a 75 BTC ransom to DarkSide. They reported it to the FBI immediately. Analysts traced the payments on the public ledger and identified that 63.7 BTC ended up at an address for which the FBI already held the private key. Funds recovered within weeks. The lesson is that rapid victim reporting plus chain analysis can produce real recoveries when the destination addresses end up in cooperating hands.
The James Zhong case from 2022 demonstrates the patience side of the work. Zhong stole 50,676 BTC from Silk Road in 2012 by exploiting a withdrawal bug. He sat on the coins for a decade. IRS-CI traced them through years of transactions until they identified Zhong, then executed a search warrant on his Florida home. They recovered $3.36 billion worth of Bitcoin. Chain analysis does not have a meaningful statute of limitations.
The Garantex takedown in 2025 illustrates multi-jurisdictional coordination. A multinational operation dismantled the Russia-linked exchange, which had been accused of laundering funds for darknet markets, ransomware operators, and sanctioned entities. US Secret Service seized the domains. German and Finnish authorities seized servers and froze over $26 million in proceeds. The indictment alleged at least $96 billion in laundered transactions over the exchange’s operational history.
The Cryptomixer takedown, also in 2025, is covered above. Its real value will play out over years as the seized data continues to generate investigative leads.
The Tornado Cash sanctions and the Dutch arrest of the developer remain a contested case. The legal questions around whether sanctioning a smart contract is constitutional, and whether developers of open-source privacy tools can be held criminally liable for downstream use, are still being litigated and have produced mixed rulings. The case will continue to shape the legal boundaries around privacy-preserving software.
Red Flags Compliance Teams Watch For
FATF’s red-flag indicators on virtual assets remain a useful baseline. The recurring patterns include:
- Use of P2P exchange platforms, mixers, or privacy coins, especially in combination.
- Transactions structured just below regulatory reporting thresholds.
- Sudden large transfers with no clear business rationale.
- Customers depositing to known darknet addresses or aggregating from many small unknown wallets.
- Geographic exposure to high-risk jurisdictions or sanctioned entities.
- Repeated round-trip transactions between the same wallets without economic purpose.
- A long-dormant wallet suddenly liquidating large positions.
- Requests for anonymity-enhancing features at otherwise compliant exchanges.
Most compliance teams run automated screening that flags these in real time. The ones that do not are the ones generating the SARs that show up in someone else’s investigation later.
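As a constructed illustration of what such screening does (added example code, not any vendor's product), the Python below runs three of the rules above, structuring below a reporting threshold, round trips between the same counterparties, and a dormant account suddenly liquidating, over a handful of made-up transfers. The 10,000 threshold, the 90% band, the time windows and the `cust_`/`ext_` account naming are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample transfers (not real data): (timestamp, from, to, amount_usd).
# Customer accounts are "cust_*"; external wallets are "ext_*".
SAMPLE = [
    ("2025-03-01T09:00", "ext_w1", "cust_a", 9_800.0),
    ("2025-03-01T13:30", "ext_w2", "cust_a", 9_700.0),
    ("2025-03-01T21:10", "ext_w3", "cust_a", 9_900.0),
    ("2025-03-02T10:00", "cust_b", "ext_w9", 4_000.0),
    ("2025-03-02T11:45", "ext_w9", "cust_b", 3_990.0),
    ("2024-01-15T08:00", "ext_w5", "cust_c", 500.0),
    ("2025-03-03T08:00", "cust_c", "ext_w6", 250_000.0),
]

def parse(rows):
    """Parse timestamps and sort chronologically."""
    return sorted((datetime.fromisoformat(t), f, to, a) for t, f, to, a in rows)

def flag_structuring(rows, threshold=10_000.0, band=0.90, window=timedelta(hours=24)):
    """Two or more deposits to one customer, each just under the reporting
    threshold (within `band` of it), inside `window` and summing above it.
    The 10,000 threshold is an assumed example value, not a legal citation."""
    deposits = [(t, to, a) for t, f, to, a in parse(rows)
                if to.startswith("cust_") and band * threshold <= a < threshold]
    hits = set()
    for i, (t0, cust, _) in enumerate(deposits):
        run = [a for t, c, a in deposits[i:] if c == cust and t - t0 <= window]
        if len(run) >= 2 and sum(run) > threshold:
            hits.add(cust)
    return hits

def flag_round_trips(rows, tolerance=0.05, window=timedelta(hours=48)):
    """A->B followed by B->A for a similar amount within `window`."""
    txs = parse(rows)
    hits = set()
    for i, (t0, f0, to0, a0) in enumerate(txs):
        for t1, f1, to1, a1 in txs[i + 1:]:
            if t1 - t0 > window:
                break  # txs are sorted, so nothing later can be in the window
            if f1 == to0 and to1 == f0 and abs(a1 - a0) <= tolerance * a0:
                hits.add(frozenset((f0, to0)))
    return hits

def flag_dormant_liquidation(rows, dormant=timedelta(days=365), large=100_000.0):
    """A customer account silent for `dormant`, then sending >= `large` at once."""
    hits, last_seen = set(), {}
    for t, f, to, a in parse(rows):
        if (f.startswith("cust_") and a >= large
                and f in last_seen and t - last_seen[f] >= dormant):
            hits.add(f)
        for acct in (f, to):
            if acct.startswith("cust_"):
                last_seen[acct] = t  # any activity, in or out, resets dormancy
    return hits
```

Each function returns the set of accounts (or counterparty pairs) it would escalate for review; on the sample, cust_a trips the structuring rule, cust_b and ext_w9 the round-trip rule, and cust_c the dormant-liquidation rule.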
What Does Not Work
False positives are a real problem. Heuristics can mis-cluster addresses. Tagging databases get out of date. A wallet that looks suspicious in one tool can be perfectly clean in another. Investigators corroborate leads with multiple data points before acting on them, and defense attorneys increasingly challenge cluster attributions in court.
Privacy advocates raise legitimate concerns about mass blockchain surveillance. A US appeals court ruled in 2020 that accessing Bitcoin blockchain data requires no warrant, on the theory that users voluntarily exposed it to the public ledger. Exchange records still need subpoenas, treated similarly to bank records under the third-party doctrine. The legal framework permits broad surveillance, and the surveillance footprint is correspondingly large by historical standards.
Criminals adapt continuously. New privacy tools emerge. Cross-chain bridges complicate tracing. DeFi protocols let funds hop between assets and chains in ways that fragment the trail. Each new mixing or obfuscation technique forces a corresponding update on the analytics side, and the gap between innovation and detection capability is often measured in months.
What Is Changing
Cross-chain tracing is becoming standard. Analytics firms are building tools to follow funds across bridges and decentralized exchanges. The trail fragments but does not disappear, and the firms with the most aggressive cross-chain integration are pulling ahead of the slower competitors.
AI and machine learning are being applied to anomaly detection at scale. The volume of on-chain data is too large for purely manual analysis. Pattern recognition models are flagging behavior that human analysts would miss, especially in coordinated wash trading and complex layering schemes.
Regulatory expansion continues. MiCA in Europe, the various US infrastructure provisions, FATF travel rule enforcement. Each tightens the screws on the points where crypto meets fiat, which is also where most enforcement actions land.
Stablecoins and eventually central bank digital currencies may reshape the picture again. Tracing dollar-pegged tokens is technically similar to tracing other tokens, but the policy implications of programmable money are significant. A CBDC with built-in compliance hooks would change the surveillance landscape more than any private-sector tool has so far.
Frequently Asked Questions (FAQ)
How do investigators trace cryptocurrency transactions?
Through blockchain analytics tools that cluster addresses, build transaction graphs, and identify entities along the chain. When the funds reach a regulated exchange, investigators subpoena the KYC records. Cross-border cases run through MLATs, Europol, or FinCEN’s RRP.
What happens when criminals use mixers or privacy coins?
Mixers complicate the trace but do not end it, particularly when law enforcement seizes a mixer’s backend and gains access to historical mapping data. Privacy coins like Monero are effectively untraceable on-chain, so investigators rely on off-chain methods: exchange records, device seizures, network analysis, and operational security failures by the targets.
Do investigators need a warrant to analyze blockchain data?
Generally no. US courts have held that blockchain data is public and can be analyzed without a warrant. Exchange records do require a subpoena or warrant. The distinction sits between the public ledger and the records held by intermediaries.
Which agencies handle crypto crime?
In the US: FBI (Virtual Asset Exploitation Unit), DOJ, IRS Criminal Investigation, Homeland Security Investigations, the Secret Service, and various state attorneys general. DOJ’s NCET was disbanded in April 2025 and its functions absorbed elsewhere. Internationally: Europol, INTERPOL, and each country’s cybercrime and financial-crimes units.
What red flags should compliance teams watch?
Use of mixers and privacy coins, structured transactions below reporting thresholds, sudden large transfers, exposure to darknet addresses, high-risk jurisdictions, and unusual customer behavior like requests for anonymity features.
Are blockchain analytics tools reliable?
Very low false-positive rates in controlled testing. Real-world ambiguity exists. The outputs are investigative leads, not standalone evidence. Tagging quality varies across providers, and investigators corroborate before acting.
How do exchanges respond to law enforcement requests?
Major exchanges have dedicated law enforcement portals. Subpoenas, court orders, or warrants get them KYC records, transaction histories, and IP logs. Foreign requests typically run through MLATs.
How do cross-border investigations work?
Through Europol, the Egmont Group of FIUs, FinCEN’s Rapid Response Program, and direct bilateral cooperation between agencies. The Garantex and Cryptomixer cases are examples of multi-country coordinated operations.
What is coming next?
Cross-chain analytics, AI-driven anomaly detection, expanded regulation, and tighter enforcement on the fiat on-ramps and off-ramps. Privacy tools will continue to evolve, and so will the tracing methods.
Can journalists trace transactions?
To an extent. Anyone can read the public chain through block explorers. Tying addresses to identities is harder without subpoena power, but combining on-chain analysis with leaked data, court documents, and OSINT can produce real investigations.