How Authorities Track Criminal Crypto Transactions

While crypto-assets offer far greater anonymity than any other electronic payment option, there are still ways government and others can track illicit transactions.

Updated May 11, 2023 at 6:12 p.m. UTC

One of the biggest draws of transacting value using cryptocurrencies versus fiat currency like the U.S. dollar is the pseudonymity crypto provides. While all transactions sent over the blockchain are completely transparent, immutable and accessible to everyone, the identities of the people making those transfers are often presented as a string of alpha-numeric code known as a crypto wallet public key.

This makes forensic investigation difficult for government agencies, sub-contracted cybersecurity firms or anyone trying to isolate the senders and recipients of crypto assets from nefarious activities.

Just as the crypto market has matured over the years, so, too, have the techniques and tools used to track down the owners of specific crypto wallets.

How do criminals hide their crypto transactions?

Because of the transparent nature of the way crypto transactions are stored on public blockchains, the only option available to cybercriminals is to try and complicate the process of ascertaining wallet addresses and crypto funds, or offload their assets as quickly as possible.

This can be done using a variety of different methods.

Crypto mixers

Crypto mixing services allow users to deposit their assets into a pool and withdraw the same amount out. During this process each user will receive a mixture of different coins than what they deposited, obfuscating the origin of their funds.

Centralized mixers like take users’ deposits and hand them back the same amount of funds in exchange for a fee, whereas decentralized mixers like JoinMarket will utilize mixing protocols like CoinJoin and allow users to mix their coins among each other.

Layering transactions

Layering refers to the practice of disguising funds by sending hundreds of transactions through multiple intermediary wallet addresses. These eventually combine into a final single transfer. In some instances, creating an entanglement of addresses like this can slow down the identification process, buying the criminal time to withdraw funds before their addresses are blacklisted. You can think of layering as creating a haystack to hide a needle.

Peer-to-peer transactions

A popular way of cashing out stolen crypto is to sell the funds for cash via a peer-to-peer arrangement. This circumvents the know-your-customer and anti-money laundering checks present on centralized exchanges and payment platforms and offloads the tainted crypto funds onto someone else.

Peel chain

A peel chain is a process whereby a criminal initiates a string of transactions. Each time funds are moved from one intermediary wallet to the next, a small portion of the funds is “peeled” away from the overall amount and cashed out or exchanged for a different cryptocurrency using different centralized exchanges.

Let’s say 100 bitcoin (BTC) have been stolen via an exchange hack. A peel chain could be initiated whereby 0.01 bitcoin is peeled each time the funds are sent along to the next wallet address. In this way, it would require 10,000 transactions before the original amount was completely withdrawn.

Cashing out small amounts of crypto avoids arousing suspicion with centralized exchanges and will be less likely to trigger reporting requirements.

How illicit crypto transactions get traced

According to New York-based private investigation agency Hudson Intelligence, there are two main forensic techniques involved in pinning down the owner of a particular wallet address or set of wallet addresses:

  1. Identification of common spending patterns
  2. Address reuse

Both techniques focus on a similar objective – isolating specific crypto wallet addresses that are assumed to belong to the culprit from a sea of other crypto wallet addresses.

Common spend

Common spend refers to the process of using several different crypto wallet addresses to send a single transaction to a recipient address. You can think of it as paying for a meal in a restaurant using 10 different credit or debit cards.

Just as it’s unlikely nine people would lend their debit or credit cards to a tenth person to use, it’s assumed the multiple input wallet addresses all belong to the same person.

Using multiple input addresses in this manner typically requires shared access to their passwords, or private keys. People rarely relinquish their private keys to strangers, for the same reasons they protect their login credentials for online banking.

To expedite the process of identifying these types of layered transactions – which would otherwise take considerable effort to do manually – blockchain analytic firms like Chainalysis and CipherTrace have created tools that scan for common spending patterns automatically.

By using this technique it is possible to ascertain how many wallets a criminal controls from a single transaction that might’ve occurred after a hack, rug pull or any type of unlawful cyber activity was perpetrated. Not only does this help narrow down the focus but, in certain circumstances, exchanges or payment providers may be called upon to blacklist the addresses to prevent the stolen assets from being withdrawn into fiat currency.

Address reuse

Another way of attributing cryptocurrency addresses to an individual is by scanning the blockchain for reused addresses – that is, crypto wallet addresses used more than once in a string of transactions.

Sometimes, digital assets will be transferred multiple times from one wallet to another in a loop-like cycle and a particular wallet address will be reused as the output address to complete the transfer. Identifying the reused output addresses allows a blockchain investigator to hone in on a perpetrator’s wallet address. It’s also assumed several wallets used prior to the output address are also likely to be under their control.

These addresses become reference points and help filter out external addresses which might belong to mixing services, exchanges or payment providers.

What happens when illicit crypto funds are withdrawn into fiat?

In the event the person(s) under investigation successfully withdraws the stolen crypto assets into fiat currency, it then becomes a matter of co-operating with exchanges and law enforcement to identify key personal information that can assist with apprehending the culprit(s).

“When proceeds from illicit activity are found to have been deposited into customer accounts at major cryptocurrency exchanges, law enforcement will notify the exchanges in an effort to freeze accounts and recover funds.” Says John Powers, president of Hudson Intelligence LLC.

“Law enforcement frequently obtains other useful information from exchanges, such as a list of linked accounts (including bank accounts used for external transfers), or copies of passports and identity documents provided by the customer when they created the account.”

This allows law enforcement to freeze bank accounts, block passports and track any vehicles linked to the target(s).

Despite the advancements in technology and tracing techniques, the process of identifying and preventing criminal crypto activity remains incredibly difficult. Improved cooperation among centralized platforms and greater regulatory oversight over mixing services and peer-to-peer trading platforms will be paramount in tackling the laundering of illicit funds through blockchain networks.

This article was originally published on Mar 11, 2022 at 7:54 p.m. UTC


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Ollie Leech

Ollie is the Learn editor for the Crypto Explainer+ section. He holds some SOL, RAY, CHSB and BTC.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.