Get Secured
Incident Response, 10 June 2026

Blockchain Forensics: Tracing Stolen Funds and Investigating Crypto Hacks

When approximately $1.5 billion was stolen from Bybit in February 2025, blockchain forensics analysts attributed the attack to Lazarus Group within hours. Not days: hours. The transaction trail was public, immutable, and available to anyone with the right tools and expertise. That speed of attribution does not mean the funds were immediately recovered. It means that every exchange in the world had the attacker's addresses flagged before the laundering operation had fully begun.

This is the central paradox of blockchain forensics: the public ledger makes every transaction permanently visible, yet determined attackers with the right techniques can still obscure the trail well enough to convert hundreds of millions of dollars into usable fiat. The discipline of blockchain forensics exists to close that gap between visibility and attribution, and to translate on-chain evidence into outcomes that matter: frozen assets, legal proceedings, and partial or full fund recovery.

This guide covers what blockchain forensics is, how it differs from traditional digital forensics, how investigations are conducted, what obfuscation looks like in practice, and how to engage specialist capability before an incident occurs. It is written for security directors, legal counsel, CISOs, and founders who need to understand what is possible and what to build into their incident response capability.

What Is Blockchain Forensics?

Blockchain forensics is the investigative discipline of analysing on-chain transaction data to trace the movement of digital assets, attribute attacks to specific threat actors, and produce evidence usable in legal and regulatory proceedings. It sits at the intersection of cryptography, financial intelligence, open-source intelligence (OSINT), and legal procedure.

The discipline covers several distinct activities:

  • Transaction tracing: Following the movement of funds from an attacker-controlled address through subsequent hops, bridges, mixers, and exchange deposits
  • Address clustering: Using heuristics and graph analysis to identify which addresses are controlled by the same entity, even when the attacker uses many wallets to fragment the trail
  • Entity attribution: Linking pseudonymous addresses to known entities: exchanges, mixer services, over-the-counter brokers, or specific threat actors such as Lazarus Group
  • Evidence preservation: Documenting findings in a format that meets evidentiary standards for law enforcement and court proceedings
  • Exchange notification: Providing flagged attacker addresses to centralised exchanges so compliance teams can freeze inbound funds before they are withdrawn

Unlike traditional digital forensics, blockchain forensics does not depend on obtaining access to a suspect's device or server. The evidence is already public. The challenge is interpretation, attribution, and legal action, not evidence collection in the conventional sense.

Security4Web3 works with specialist forensic partners to deliver investigation and recovery support for Web3 organisations. Our approach covers the full investigation lifecycle, from immediate triage through to legal package preparation. Details of our investigation services are covered on our investigations page.

The Public Ledger Advantage and Its Limits

The foundational property that makes blockchain forensics possible is the immutability and public accessibility of on-chain data. Every transaction on a public blockchain such as Bitcoin or Ethereum is permanently recorded, cryptographically verifiable, and accessible to anyone. There is no equivalent in traditional finance: bank records require court orders, interbank transfers cross multiple jurisdictions with different disclosure regimes, and records can be altered or deleted by institutions.

In a crypto theft, the attacker cannot erase their tracks from the chain. Every wallet address they use, every transaction they execute, every bridge they cross is permanently recorded. An investigator working a case months or years later has access to exactly the same on-chain data as one who began work within hours of the attack.

This is a significant investigative advantage. It is also not sufficient on its own.

The limits of the public ledger as a forensic tool are well understood:

  • Pseudonymity, not anonymity: Blockchain addresses are not attached to identities by default. Linking an address to a person or organisation requires off-chain information: exchange KYC records, IP data, OSINT, or prior investigative attribution.
  • Obfuscation infrastructure: Mixing services, cross-chain bridges, and privacy coins are specifically designed to break the analytical link between source and destination addresses. Sophisticated attackers use these tools as a matter of routine.
  • Multi-chain complexity: When funds move across five or six different blockchains, each with different data formats and analytical requirements, tracing requires specialist tooling that can handle cross-chain flows natively.
  • Speed of laundering: Nation-state actors begin the laundering process within hours of a successful theft. By the time many victims detect the incident, the funds have already passed through multiple obfuscation layers.

"The blockchain records everything. The challenge is not finding the data; it is interpreting pseudonymous addresses, defeating obfuscation, and translating on-chain evidence into legal outcomes before the trail goes cold."

The difference between blockchain forensics and simply viewing a block explorer is the same as the difference between a police detective and a member of the public: both can see the same scene, but one has the tools, training, and authority to turn observations into actionable outcomes.

The Investigation Workflow: Triage to Legal Action

A professional blockchain forensics investigation follows a structured workflow. The stages below describe best practice for a major theft involving a DeFi protocol or centralised exchange. Individual stages may compress or overlap depending on the speed of the incident and the nature of the attack.

Stage 1: Immediate Triage (0 to 2 hours)

The first priority is establishing the scope of the incident. Which addresses were involved? What transactions constitute the theft? What was the total value taken, across which assets and which chains? Triage produces a clear list of attacker-controlled addresses and a preliminary transaction graph showing the initial movement of funds.

At this stage, the most time-sensitive action is not investigation: it is exchange notification. Every major centralised exchange has a compliance team that can place a freeze on withdrawals from flagged addresses. This is only useful if the attacker has not yet deposited and withdrawn. The window is typically two to twelve hours from the theft. Sending a well-prepared notification with precise address information and a brief incident summary to Binance, Coinbase, Kraken, OKX, and relevant regional exchanges should happen in parallel with forensic triage, not after it.

A crypto incident response plan should include pre-drafted exchange notification templates and a maintained list of compliance team contacts, so that notifications can be sent within the first hour without waiting for legal review.

Stage 2: Fund Tracing (2 to 48 hours)

With attacker addresses identified, the investigation proceeds to detailed fund tracing. This involves following the movement of assets across wallets, bridges, DEX swaps, and mixer interactions. The goal is to build a complete transaction graph showing where the funds went, what obfuscation techniques were used, and whether any portion of the funds can be identified at an exchange or service that can act on a legal notification.

Fund tracing at this stage uses specialist tooling: Chainalysis Reactor, TRM Labs Forensics, or Elliptic Navigator. These platforms provide entity attribution for millions of addresses, automated demixing for funds passing through mixers, and cross-chain tracing capabilities that would take weeks to replicate manually.
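To make the tracing step concrete, here is an added example (not code from this post or from any of the vendor platforms named above) that walks a constructed transfer graph hop by hop from an attacker address, follows a bridge crossing to a second chain, and stops at the first labelled service on each branch so the exchange deposit addresses can be handed to the notification step. Addresses, transfers, labels and the bridge pairing are all constructed for illustration.

```python
"""Hop-by-hop fund tracing over a constructed transfer graph.

Added example, not code from the original post or from any analytics vendor.
Transfers, addresses and entity labels are constructed for illustration.
"""
from collections import deque

# Constructed transfer records: (tx_id, from_addr, to_addr, amount, chain).
# A bridge crossing appears as a transfer into a bridge contract on one chain
# followed by a transfer out of its counterpart on the destination chain.
TRANSFERS = [
    ("tx1", "attacker_A", "hop_1", 100.0, "ethereum"),
    ("tx2", "hop_1", "hop_2", 60.0, "ethereum"),
    ("tx3", "hop_1", "bridge_eth", 40.0, "ethereum"),
    ("tx4", "bridge_bnb", "hop_3", 40.0, "bnb"),
    ("tx5", "hop_2", "exch_deposit_X", 60.0, "ethereum"),
    ("tx6", "hop_3", "mixer_in", 40.0, "bnb"),
    ("tx7", "unrelated_1", "unrelated_2", 5.0, "ethereum"),
]

# Constructed entity labels; in practice these come from an attribution database.
LABELS = {
    "exch_deposit_X": ("exchange", "ExchangeX"),
    "mixer_in": ("mixer", "MixerY"),
}

# Constructed bridge pairing: value entering the left side re-emerges on the right.
BRIDGE_LINKS = {"bridge_eth": "bridge_bnb"}


def build_graph(transfers, bridge_links):
    """Map each address to its outgoing edges, adding a synthetic edge per bridge."""
    out = {}
    for tx_id, src, dst, amt, chain in transfers:
        out.setdefault(src, []).append((tx_id, dst, amt, chain))
    for entry, exit_ in bridge_links.items():
        # Crossing the bridge is modelled as one extra hop to the destination-side address.
        out.setdefault(entry, []).append(("bridge", exit_, None, None))
    return out


def trace(start_addrs, transfers, labels, bridge_links, max_hops=10):
    """Breadth-first walk from the attacker addresses, terminating at labelled services.

    Returns a list of (endpoint, entity_type, entity_name, path), where path is the
    address sequence from the start address to the endpoint.
    """
    graph = build_graph(transfers, bridge_links)
    results = []
    seen = set(start_addrs)
    queue = deque((a, [a]) for a in start_addrs)
    while queue:
        addr, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for tx_id, nxt, amt, chain in graph.get(addr, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt in labels:
                etype, ename = labels[nxt]
                results.append((nxt, etype, ename, new_path))
                continue  # a labelled service is a terminal for notification purposes
            queue.append((nxt, new_path))
    return results


def notification_targets(results):
    """Group exchange deposit endpoints by exchange for the notification step."""
    targets = {}
    for endpoint, etype, ename, _path in results:
        if etype == "exchange":
            targets.setdefault(ename, []).append(endpoint)
    return targets


if __name__ == "__main__":
    found = trace(["attacker_A"], TRANSFERS, LABELS, BRIDGE_LINKS)
    for endpoint, etype, ename, path in found:
        print(f"{etype}:{ename} reached at {endpoint} via {' -> '.join(path)}")
    print(notification_targets(found))
```

The mixer branch is reported but not followed; demixing (covered later in this guide) is a separate step that this walk deliberately stops at.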

Stage 3: Attribution (48 hours to weeks)

Attribution connects pseudonymous addresses to real-world entities or known threat actor groups. This draws on the analytics platforms' entity databases, OSINT, exchange records (obtained through subpoena or voluntary cooperation), and intelligence from prior incidents. Attribution at the level of Lazarus Group, as achieved in the Bybit and Ronin cases, typically requires combining on-chain heuristics with prior threat intelligence linking wallet patterns to known actor behaviour.

Stage 4: Legal and Regulatory Action

The investigation output feeds into legal proceedings. This may include applications for asset freeze orders, which require demonstrating the link between attacker addresses and specific exchange accounts; law enforcement referrals, which require the evidentiary package to meet the standards of the relevant jurisdiction; sanctions designations, as used by the US Treasury's Office of Foreign Assets Control to designate Lazarus Group addresses following the Ronin hack; and civil recovery actions, depending on the jurisdiction and the availability of identifiable defendants.

Evidence must be documented throughout the investigation in a format suitable for legal use. Chain of custody, methodology documentation, and expert witness availability are all relevant considerations. This is a primary reason why engaging a specialist firm, rather than conducting internal analysis, is important for any organisation considering legal recovery.

How Attackers Obfuscate Stolen Funds

Understanding attacker obfuscation techniques is essential for appreciating what blockchain forensics is working against. The most sophisticated attackers, particularly nation-state actors such as Lazarus Group, have developed a systematic laundering methodology refined across dozens of operations.

Mixing Services

Mixing services pool funds from multiple sources and redistribute them to destination addresses, breaking the direct transaction link between input and output. Tornado Cash, the Ethereum-based mixing protocol sanctioned by the US Treasury in 2022, was used extensively by Lazarus Group following the Ronin hack, where Elliptic tracked over $80 million passing through the service. Mixers are not absolute barriers to investigation: advanced demixing algorithms can probabilistically link inputs and outputs, particularly when the volume of attacker funds is large relative to the mixing pool.

Cross-Chain Bridges and Chain-Hopping

Cross-chain bridges transfer value between blockchains. When an attacker moves funds from Ethereum to BNB Chain to Avalanche and then to Solana within a few hours, each bridge transaction creates an analytical break in the trail that requires cross-chain investigation capability to follow. Chain-hopping across four or five networks in rapid succession was a standard technique in large-scale Lazarus Group laundering operations through 2024 and 2025.

Wallet Fragmentation

Splitting stolen funds across hundreds or thousands of wallets increases the analytical workload for investigators significantly. Each address must be traced individually, and clustering algorithms must work harder to reassemble the picture. Sophisticated attackers combine fragmentation with mixing and bridge transfers, creating overlapping layers of complexity.

Privacy Coins

Privacy coins such as Monero have cryptographic privacy properties built into the protocol itself, making transaction tracing substantially harder than on transparent blockchains. Converting stolen ETH or BTC to Monero and then back to another asset creates a gap in the on-chain record that current tooling cannot fully bridge. For this reason, the point of conversion to and from privacy coins is a primary focus for investigators: the on-ramps and off-ramps are typically more traceable than the privacy coin layer itself.

Over-the-Counter Brokers

Converting large volumes of cryptocurrency to fiat without triggering exchange KYC processes requires over-the-counter brokers, many of whom operate in jurisdictions with limited regulatory oversight. OFAC has sanctioned a number of OTC brokers identified as serving Lazarus Group. These actors sit at the edge of the chain trail, where on-chain forensics transitions into financial intelligence and law enforcement activity.

How Investigators Trace Through Obfuscation

Despite the sophistication of attacker obfuscation, blockchain forensics investigators have developed a set of techniques and tools that substantially reduce the effectiveness of each layer.

Clustering Algorithms

The most powerful analytical technique in blockchain forensics is address clustering: using heuristics to infer that multiple addresses are controlled by the same entity. The common-input-ownership heuristic, for example, infers that addresses used as inputs in the same transaction are controlled by the same wallet. Over time, these clusters build up a detailed picture of an attacker's address infrastructure even when they use thousands of wallets.
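The heuristic described above, as an added example that is not code from this post or from any analytics vendor: a union-find over constructed UTXO-style transactions merges the input addresses of each transaction into one cluster, skips transactions that look like CoinJoins (where the heuristic's assumption of shared ownership does not hold), and then propagates an attacker label to every address in a cluster that contains a labelled address. Transactions, addresses and labels are constructed for illustration.

```python
"""Address clustering with the common-input-ownership heuristic.

Added example, not code from the original post or from any analytics vendor.
Transactions and attribution labels are constructed for illustration.
"""

# Constructed UTXO-style transactions: input addresses and (output, value) pairs.
TXS = [
    {"id": "t1", "inputs": ["a1", "a2"], "outputs": [("b1", 5.0), ("c1", 1.0)]},
    {"id": "t2", "inputs": ["a2", "a3"], "outputs": [("b2", 3.0)]},
    {"id": "t3", "inputs": ["d1"], "outputs": [("d2", 2.0)]},
    # CoinJoin-like: inputs from unrelated parties, several equal-value outputs.
    {"id": "t4", "inputs": ["a3", "d1", "e1"],
     "outputs": [("f1", 1.0), ("f2", 1.0), ("f3", 1.0)]},
]

# Constructed attribution label for one address only.
LABELS = {"a1": "attacker"}


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Crude CoinJoin detector: several outputs of identical value.

    Inputs to such a transaction come from different parties, so applying the
    common-input heuristic to it would merge unrelated clusters.
    """
    values = [v for _, v in tx["outputs"]]
    return any(values.count(v) >= min_equal_outputs for v in set(values))


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs, skip_coinjoin=True):
    """Merge all input addresses of each transaction into one cluster."""
    uf = UnionFind()
    for tx in txs:
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)  # make sure single-input addresses get a cluster too
        for other in inputs[1:]:
            uf.union(inputs[0], other)
    clusters = {}
    for addr in uf.parent:
        clusters.setdefault(uf.find(addr), set()).add(addr)
    return list(clusters.values())


def attribute_clusters(clusters, labels):
    """Give each cluster the label of any labelled member; flag conflicts explicitly."""
    attributed = {}
    for cluster in clusters:
        found = {labels[a] for a in cluster if a in labels}
        if len(found) == 1:
            attributed[frozenset(cluster)] = found.pop()
        elif len(found) > 1:
            attributed[frozenset(cluster)] = "conflict:" + ",".join(sorted(found))
    return attributed


def flagged_addresses(txs, labels, label="attacker", skip_coinjoin=True):
    """Every address inferred to be controlled by the labelled entity."""
    result = set()
    clusters = cluster_addresses(txs, skip_coinjoin=skip_coinjoin)
    for cluster, who in attribute_clusters(clusters, labels).items():
        if who == label:
            result |= cluster
    return result
```

Running the same data with `skip_coinjoin=False` pulls the unrelated addresses d1 and e1 into the attacker cluster, which is exactly the false attribution the CoinJoin filter exists to prevent.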

Demixing

Automated demixing for Tornado Cash and similar services has become a significant investigative capability. Chainalysis Reactor includes automated demixing that uses statistical analysis and timing heuristics to probabilistically link mixer outputs to inputs. While not deterministic, demixing can provide actionable intelligence about where mixed funds went, sufficient to support exchange notification and legal action.

Cross-Chain Tracing

Platforms such as Elliptic Navigator are purpose-built for cross-chain investigations, treating multi-blockchain transaction paths as a single investigation object rather than requiring separate analysis per chain. Elliptic's Holistic Screening technology traces funds across and between blockchains simultaneously. For the $21 billion in illicit cross-chain flows that now characterise sophisticated money laundering, this capability is essential.

Exchange Subpoenas and Voluntary Disclosure

When attacker funds reach a centralised exchange, the exchange's KYC records represent the point at which pseudonymous addresses can be linked to real identities. Law enforcement can obtain this information through subpoenas or mutual legal assistance treaty (MLAT) requests. Many major exchanges also have voluntary cooperation programmes with forensic investigators to support legitimate theft investigations, particularly where the attacker has already been flagged and the evidence is clear.

OSINT and Prior Attribution Intelligence

For known threat actors such as Lazarus Group, extensive prior attribution intelligence exists. The group's operational patterns, wallet infrastructure, and laundering techniques have been documented across dozens of cases by Chainalysis, TRM Labs, the FBI, and CISA. When new wallet addresses match the group's known behavioural signatures, attribution can be confirmed rapidly. As described in our analysis of Lazarus Group's operational security, the group's techniques are sophisticated but not invisible to specialist investigators.

Case Studies: Bybit, Poly Network, Ronin

Bybit (February 2025): $1.5 Billion Traced to Lazarus Group

The Bybit hack of February 2025 was the largest single cryptocurrency theft on record at approximately $1.5 billion. The attack involved compromising the Safe multisig wallet infrastructure used by Bybit's team, allowing Lazarus Group to replace the legitimate transaction signing process with a malicious one. As analysed in detail in our post on the Bybit hack, the attack vector was not the exchange's own infrastructure but the supply chain around it.

Within hours of the theft, TRM Labs had tagged the attacker's addresses and identified overlapping wallet infrastructure with prior North Korean operations. Chainalysis Reactor was used to visualise the fund flows and build the attribution case. The FBI formally attributed the attack to North Korean TraderTraitor actors, the operational cluster within Lazarus Group, within days.

In a notable enforcement outcome, the Hellenic Anti-Money Laundering Authority, working with Chainalysis, traced a portion of the funds months after the theft and obtained Greece's first-ever cryptocurrency seizure order. The on-chain trail from the original attacker addresses to the frozen wallet was established entirely through blockchain forensic analysis.

Poly Network (August 2021): Attacker Returns Funds After Identification

The Poly Network attack of August 2021 saw approximately $611 million stolen across Ethereum, BNB Chain, and Polygon in what was at the time the largest DeFi hack ever recorded. The attack exploited a smart contract vulnerability in cross-chain message verification, allowing the attacker to manipulate the signing authority for cross-chain transactions.

TRM Labs tracked the attacker's addresses in real time as the theft unfolded, identifying a small deposit to the attacker's Ethereum address from an East Asian exchange in the hours before the attack. That exchange record provided an investigative lead. Security firm SlowMist subsequently claimed to have identified the attacker's email address, IP address, and device fingerprints.

Whether or not the full identification was accurate, the attacker began returning funds within 24 hours and had returned virtually all of the stolen assets within days. The decision to return the funds was attributed, at least in part, to the rapid progress of the forensic investigation and the prospect of identification. This remains one of the most significant demonstrations of how blockchain forensics can deter or reverse theft outcomes, even without law enforcement action.

Ronin Bridge (March 2022): FBI Attribution and Partial Recovery

The Ronin bridge attack saw $625 million stolen over the course of two transactions, with the breach going undetected for six days. The attack exploited revoked but not removed validator permissions, as detailed in our incident response guide. By the time Sky Mavis identified the breach, Lazarus Group had already begun passing funds through Tornado Cash and centralised exchanges.

The blockchain forensic investigation, conducted with Chainalysis, supported the attribution of the attacker's Ethereum address to Lazarus Group. The US Treasury's Office of Foreign Assets Control added the address to its sanctions list in April 2022, prohibiting American entities from transacting with it. This designation meant that any exchange receiving funds traceable to the address faced sanctions exposure, significantly constraining the attacker's ability to cash out through regulated venues.

Law enforcement achieved partial recovery: the FBI recovered approximately $30 million in September 2022, and Norwegian authorities seized an additional $5.8 million in February 2023. The majority of the stolen funds remained with the attackers, illustrating both what blockchain forensics can achieve and the importance of detection speed in maximising recovery.

KuCoin (September 2020): Lazarus Attribution via Laundering Pattern

The KuCoin hack of September 2020 drained approximately $280 million from the exchange's hot wallets. Chainalysis attributed the attack to Lazarus Group based in part on a specific money laundering strategy the group had used consistently across prior operations: a recognisable sequence of DEX swaps, fragmentations, and OTC broker interactions that formed a signature pattern. Elliptic was simultaneously tracking the funds, demonstrating that DEX-based laundering does not prevent tracing, only complicates it.

The KuCoin case illustrated that laundering patterns themselves constitute intelligence. When an attacker group uses consistent techniques across multiple incidents, each investigated case strengthens the attribution capability for future ones.

Forensics Tooling: Chainalysis, Elliptic, TRM Labs

Three platforms dominate professional blockchain forensics. Each has different strengths depending on the nature of the investigation.

Chainalysis

Chainalysis holds the largest market share in blockchain analytics and is widely regarded as the gold standard for investigation-grade work. Chainalysis Reactor, the platform's core investigation tool, provides automated demixing for Tornado Cash and similar mixers, seed phrase analysis through Wallet Scan, and extensive entity attribution built through direct law enforcement collaboration. Chainalysis evidence has been tested under the Daubert standard in US federal courts and is used by law enforcement in over 70 countries. For cases requiring court-admissible evidence and expert witness support, Chainalysis has the deepest established track record.

Elliptic

Elliptic, founded in 2013, was the first blockchain analytics firm and maintains what it describes as the industry's largest labelled dataset at over 100 billion data points. Elliptic's primary differentiation is cross-chain coverage: its Holistic Screening technology traces funds across and between blockchains simultaneously, addressing the multi-chain laundering patterns that now characterise major thefts. Elliptic covers 99 per cent of the cryptoasset market by value, including extensive DeFi protocol coverage. For investigations involving complex cross-chain fund flows, Elliptic's architecture is particularly well suited.

TRM Labs

TRM Labs takes an AI-driven approach to blockchain intelligence, with a focus on speed, transparency, and government agency workflows. TRM's glass box attribution methodology shows investigators not just what an address represents, but why, with confidence scores and source methodology disclosed. TRM supports real-time indexing across 45 blockchains with over 200 million assets and adds 160 new services to its attribution database weekly. TRM has deep relationships with US federal agencies including the FBI and IRS, and its Forensics platform integrates AI agents trained by experienced investigators to triage and cluster criminal networks. For organisations with national security-adjacent concerns, TRM's government intelligence integration is a significant advantage.

Crystal Blockchain

Crystal Blockchain provides analytics covering Bitcoin and major EVM chains with a focus on compliance screening and investigation workflows. Crystal is used by a range of exchanges and financial institutions for AML screening and is particularly strong in European compliance markets. For teams requiring investigation capability without the enterprise cost structures of the three largest platforms, Crystal represents a credible alternative for straightforward cases.

None of these platforms replaces experienced investigators. The output of blockchain analytics tooling must be interpreted by analysts who understand attacker behaviour, legal evidence standards, and the operational context of the incident. Tools provide the data; investigators provide the judgement.

When to Engage a Specialist Blockchain Forensics Firm

The question of whether to attempt internal investigation or engage a specialist firm is not primarily a question of cost. It is a question of time and outcome.

Internal investigation is appropriate for preliminary triage: identifying attacker addresses, pulling the initial transaction history, and drafting exchange notifications. These steps can be partially completed using public block explorers and do not require specialist tooling. Speed here is what matters most: the exchange notification window is time-critical and should not wait for a specialist firm to be onboarded.

A specialist blockchain forensics firm should be engaged for everything that follows triage. The reasons are straightforward:

  • Specialist tooling (Chainalysis, TRM Labs, Elliptic) is necessary to trace funds through mixers, across chains, and into exchange deposits. Block explorers do not provide entity attribution or demixing.
  • Legal-grade evidence documentation requires methodology that meets the standards of the relevant jurisdictions. Ad hoc internal analysis typically does not.
  • Exchange subpoenas and law enforcement co-ordination require established relationships and legal process knowledge that most Web3 organisations do not have.
  • Attribution intelligence for known threat actors draws on proprietary datasets built across years of prior investigations. Internal teams cannot replicate this.

"Engaging a specialist blockchain forensics firm during a live incident is not a sign of organisational failure. Attempting to trace stolen funds without one is."

The ideal model is a pre-incident retainer that provides immediate access to specialist capability from the moment of detection. Pre-negotiated retainers eliminate the hours spent finding and onboarding a provider during a live incident. They also allow the provider to understand your protocol architecture, key addresses, and operational context in advance, which materially accelerates the triage process. Our guidance on social engineering in crypto discusses how attackers exploit the chaos of an initial incident response phase, which is another argument for having specialist support pre-positioned rather than reactive.

For organisations operating a security operations function, integrating blockchain forensics capability into the broader SOC architecture is the mature approach. Our post on security operations centres for crypto covers how on-chain monitoring and forensics tooling integrate into a Web3 SOC.

Proactive Forensics: Preparing Before an Incident

Blockchain forensics is most commonly discussed in the context of post-incident investigation. The more operationally mature approach is to use forensic-grade tooling proactively, before any incident occurs.

Proactive forensics covers three main activities:

Address Monitoring

Configuring automated monitoring on your own treasury and contract addresses means that any unusual outflow triggers an immediate alert. More importantly, monitoring should cover known attacker and mixer addresses: if a wallet previously associated with Lazarus Group or any other threat actor interacts with your protocol, you want to know immediately, not after funds have moved. TRM Labs, Chainalysis, and Elliptic all provide address monitoring services that alert on interactions with high-risk addresses in real time.
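The two monitoring rules described above, as an added example that is not code from this post or from any vendor's monitoring service: each transfer is checked for an interaction between the organisation's own addresses and a high-risk address, and for an outflow from an own address that exceeds a multiple of its per-asset baseline. The addresses, the high-risk label set, the baselines and the transfer events are all constructed for illustration.

```python
"""Address monitoring: alert on high-risk interactions and unusual treasury outflows.

Added example, not code from the original post or from any vendor's service.
Addresses, risk labels, baselines and transfer events are constructed.
"""
from dataclasses import dataclass


@dataclass
class Transfer:
    tx_id: str
    src: str
    dst: str
    amount: float
    asset: str


# Constructed: the organisation's own treasury and contract addresses.
OWN_ADDRESSES = {"treasury_1", "vault_contract"}

# Constructed high-risk labels; in practice a vendor feed of sanctioned, mixer
# and attacker-cluster addresses that is refreshed continuously.
HIGH_RISK = {
    "known_mixer_1": "mixer",
    "sanctioned_1": "sanctioned",
    "attacker_cluster_7": "attacker",
}

# Constructed baseline: largest single outflow per (address, asset) over a lookback window.
BASELINE_MAX_OUTFLOW = {("treasury_1", "ETH"): 50.0, ("vault_contract", "USDC"): 200000.0}

# Constructed transfer events to run the rules over.
EVENTS = [
    Transfer("e1", "user_42", "vault_contract", 1000.0, "USDC"),          # benign deposit
    Transfer("e2", "attacker_cluster_7", "vault_contract", 10.0, "USDC"),  # probe from flagged address
    Transfer("e3", "treasury_1", "hot_wallet_ops", 40.0, "ETH"),           # within baseline
    Transfer("e4", "treasury_1", "unknown_9", 400.0, "ETH"),               # 8x baseline outflow
    Transfer("e5", "vault_contract", "known_mixer_1", 150000.0, "USDC"),   # outflow to a mixer
    Transfer("e6", "treasury_1", "unknown_3", 5.0, "WBTC"),                # asset with no baseline
]


def check_transfer(t, own, high_risk, baseline, multiplier=2.0):
    """Return the alerts raised by one transfer (empty list if benign)."""
    alerts = []
    involves_own = t.src in own or t.dst in own
    # Rule 1: any interaction between our addresses and a high-risk address.
    for addr in (t.src, t.dst):
        if involves_own and addr in high_risk:
            alerts.append({"severity": "critical", "rule": "high_risk_interaction",
                           "tx": t.tx_id, "risk_addr": addr, "category": high_risk[addr]})
    # Rule 2: outflow from an own address that is out of line with its baseline.
    if t.src in own:
        key = (t.src, t.asset)
        if key not in baseline:
            alerts.append({"severity": "medium", "rule": "outflow_without_baseline",
                           "tx": t.tx_id, "asset": t.asset})
        elif t.amount > multiplier * baseline[key]:
            alerts.append({"severity": "high", "rule": "outflow_exceeds_baseline",
                           "tx": t.tx_id, "amount": t.amount,
                           "baseline": baseline[key]})
    return alerts


def monitor(events, own=OWN_ADDRESSES, high_risk=HIGH_RISK, baseline=BASELINE_MAX_OUTFLOW):
    """Run both rules over a batch of transfers and return all alerts in order."""
    return [a for t in events for a in check_transfer(t, own, high_risk, baseline)]


if __name__ == "__main__":
    for alert in monitor(EVENTS):
        print(alert)
```

The inbound probe in e2 is the case the paragraph above is most concerned with: a tiny transfer from a flagged cluster carries no financial loss but is a reconnaissance signal worth an immediate page.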

Counterparty Risk Screening

For protocols and exchanges that process high volumes of inbound transactions, screening inbound addresses against known illicit entity databases allows you to identify and block high-risk counterparties before they interact with your platform. This is both a compliance requirement under regulations such as MiCA and DORA, and a practical risk management measure that prevents your protocol from becoming a laundering vector and attracting regulatory scrutiny.

Pre-Incident Investigation Preparation

Documenting your protocol's address architecture, key wallets, multisig configurations, and known counterparties in advance of any incident significantly accelerates forensic triage if one occurs. An investigator who arrives during a live incident and must first understand what the protocol looks like before they can identify anomalies is working at a substantial disadvantage compared to one who already knows the architecture.

Proactive forensics is also the only way to detect an attacker who has compromised internal infrastructure and is conducting reconnaissance before executing a theft. The Bybit attack involved a period of infrastructure compromise before the eventual exploit. Organisations with address monitoring in place and a clear baseline understanding of their transaction patterns are better positioned to detect anomalous pre-attack activity.

Frequently Asked Questions

What is blockchain forensics and how does it work?

Blockchain forensics is the investigative discipline of analysing on-chain transaction data to trace the movement of funds, attribute attacks to specific threat actors, and produce evidence usable in legal proceedings. Because every confirmed transaction on a public blockchain is permanently recorded and immutable, investigators can reconstruct the complete movement of funds from the moment of theft. The challenge is not finding the data: it is interpreting pseudonymous addresses, defeating obfuscation techniques such as mixing and chain-hopping, and linking on-chain activity to real-world identities through exchange records, OSINT, and clustering algorithms.

Can stolen cryptocurrency actually be recovered?

Partial recovery is possible in a significant number of cases, but full recovery is rare. Recovery depends on how quickly the incident is detected and acted upon, whether attacker addresses can be flagged at centralised exchanges before funds are withdrawn, and whether law enforcement can obtain judicial orders in relevant jurisdictions. In the Bybit hack, Greek authorities made the first cryptocurrency seizure in the country's history by tracing funds through Chainalysis Reactor and obtaining a freezing order. In the Ronin bridge hack, the FBI and Norwegian authorities recovered approximately $36 million of the $625 million stolen. Speed of response and the quality of forensic evidence are the two primary determinants of recovery success.

What obfuscation techniques do attackers use to hide stolen crypto?

Sophisticated attackers use a layered set of obfuscation techniques. These include mixing services such as Tornado Cash, which pool and redistribute funds to break the transaction trail; cross-chain bridges, which move value between blockchains to complicate multi-chain tracing; chain-hopping, converting assets across multiple chains in rapid succession; splitting funds across hundreds or thousands of wallets to increase tracing complexity; and conversion to privacy coins such as Monero, which have cryptographic privacy properties that make tracing significantly harder. Nation-state actors such as Lazarus Group have refined these techniques over years of operation and typically begin laundering within hours of a successful theft.

When should a Web3 organisation engage a blockchain forensics firm?

A specialist blockchain forensics firm should be engaged at the earliest possible stage of a confirmed or suspected incident. The first hours after a theft determine what recovery is possible: exchange notifications, address flagging, and legal freeze applications all require time to execute. Attempting to conduct initial tracing internally before engaging a specialist typically costs hours that cannot be recovered. The ideal model is a pre-incident retainer with a forensics-capable incident response provider, so that investigation begins within minutes of detection rather than hours into the search for a provider.

How is blockchain forensic evidence used in legal proceedings?

Blockchain forensic evidence is admissible in courts across multiple jurisdictions and has been used to support seizure orders, sanctions designations, and criminal prosecutions. The evidence typically consists of transaction graph analyses showing the flow of funds from attacker-controlled addresses, attribution data linking addresses to known entities or exchange accounts, and expert witness testimony from investigators. Chainalysis evidence has been tested under the Daubert standard in US federal courts. Documentation must meet evidentiary standards from the outset of an investigation, which is one reason why engaging a specialist firm rather than conducting ad hoc internal analysis is important for any organisation considering legal action.
