Most digital forensics work in our field still assumes the artefact is local: a device, a disk image, a memory dump. Cryptocurrency theft flips that. The evidence lives on a public ledger that anyone can query, and the investigative question is almost never "did it happen" (the transaction is cryptographically signed and timestamped) but "where did the funds end up, and can we reach the person who controls that endpoint."
I've been doing this work for a while and wanted to share the methodology for colleagues who may start seeing these cases and don't know where to start. All addresses below are public and already associated with reported scams.
---
**The typical flow**
A scam victim hands you a wallet address. It belongs to the scammer or a wallet the victim was tricked into sending funds to. Your goal is to follow the money until it lands somewhere that maps to a real-world identity. In practice that almost always means a centralized exchange deposit, because that's where KYC kicks in.
The path usually looks like:
victim wallet → scammer wallet → intermediary wallet 1 → intermediary wallet 2 → CEX deposit address
Most experienced scammers use 3 to 7 hops before cashing out. Some use a bridge to move to a different chain first (Ethereum to Tron is the current favorite because Tron has low fees and looser compliance at several exchanges). Others use mixers (Tornado Cash on Ethereum, Samourai-style CoinJoins on Bitcoin) to break the trail.
---
**What signals tell you it's a CEX**
Not every address at the end of a trail is an exchange. Heuristics I rely on:
1. The address receives deposits from many unrelated wallets and sends to a small number of cluster-internal addresses (deposit consolidation pattern).
2. The receiving address matches a known labeled cluster. Arkham, Chainalysis, and public datasets like Dune's cex_labels maintain these.
3. The flow pattern matches known CEX behavior: predictable batching intervals, single-direction receive, no outbound to random wallets.
If only one of these hits, I label the endpoint "likely CEX, unverified" rather than naming the exchange. Naming the wrong exchange wastes a victim's one real filing opportunity.
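To make the hop-following and the three CEX heuristics concrete, here is an added Python example (mine for this post's purposes, not chaintracing.org or any commercial tool). It runs over a constructed ledger with invented wallet names, uses a made-up label set standing in for a cluster dataset, and the thresholds (five distinct depositors, at most two sweep destinations, sweep intervals within a factor of two of each other) are assumptions you would tune per chain. It names the exchange only when at least two signals agree and a label exists, and otherwise stops at "likely CEX, unverified", matching the rule above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One on-chain transfer. Field names are this example's own, not an explorer API."""
    txhash: str
    src: str
    dst: str
    amount: float
    ts: int                 # unix seconds
    token: str = "ETH"


# Constructed sample ledger (no real addresses): victim -> scammer -> hop1 -> hop2 -> deposit1.
# deposit1 also receives from six unrelated wallets and sweeps everything to one hot wallet
# on a fixed schedule, which is the deposit-consolidation pattern the heuristics look for.
LEDGER = [
    Tx("0xa1", "victim", "scammer", 10.0, 1_700_000_000),
    Tx("0xa2", "scammer", "hop1", 9.9, 1_700_000_600),
    Tx("0xa5", "scammer", "hop1b", 0.05, 1_700_000_700),   # small side payment, not the main flow
    Tx("0xa3", "hop1", "hop2", 9.8, 1_700_001_200),
    Tx("0xa4", "hop2", "deposit1", 9.7, 1_700_001_800),
]
LEDGER += [Tx(f"0xb{i}", f"unrelated{i}", "deposit1", 1.0 + i, 1_700_002_000 + 60 * i) for i in range(6)]
LEDGER += [Tx(f"0xc{i}", "deposit1", "hotwallet_example", 3.0, 1_700_003_000 + 3600 * i) for i in range(3)]

# Constructed label set standing in for a cluster dataset such as Dune's cex_labels.
KNOWN_LABELS = {"hotwallet_example": "ExampleExchange"}


def build_graph(ledger):
    """Index transfers by sender and by receiver."""
    outbound, inbound = defaultdict(list), defaultdict(list)
    for tx in ledger:
        outbound[tx.src].append(tx)
        inbound[tx.dst].append(tx)
    return outbound, inbound


def cex_signals(addr, outbound, inbound, labels=KNOWN_LABELS, min_senders=5):
    """Return which of the three CEX heuristics fire for addr (thresholds are assumptions)."""
    senders = {tx.src for tx in inbound[addr]}
    receivers = {tx.dst for tx in outbound[addr]}
    hits = []
    # 1. many unrelated depositors, very few cluster-internal destinations
    if len(senders) >= min_senders and 0 < len(receivers) <= 2:
        hits.append("consolidation")
    # 2. the address itself, or everything it forwards to, carries a known label
    if addr in labels or (receivers and receivers <= set(labels)):
        hits.append("labeled_cluster")
    # 3. regular sweep interval and no outbound to arbitrary wallets
    ts = sorted(tx.ts for tx in outbound[addr])
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) >= 2 and max(gaps) <= 2 * min(gaps) and len(receivers) <= 2:
        hits.append("batched_single_direction")
    return hits


def verdict(addr, outbound, inbound, labels=KNOWN_LABELS):
    """Name the exchange only when at least two signals agree and a label exists."""
    hits = cex_signals(addr, outbound, inbound, labels)
    if not hits:
        return "unknown"
    if len(hits) >= 2:
        name = labels.get(addr) or next(
            (labels[tx.dst] for tx in outbound[addr] if tx.dst in labels), None)
        if name:
            return f"CEX:{name}"
    return "likely CEX, unverified"


def follow(start, outbound, inbound, labels=KNOWN_LABELS, max_hops=7):
    """Walk the largest outflow leaving each wallet after the funds arrived,
    stopping at the first address that scores as an exchange endpoint."""
    path, cur, since = [], start, 0
    for _ in range(max_hops + 1):
        v = verdict(cur, outbound, inbound, labels)
        if v != "unknown":
            return path, cur, v
        candidates = [tx for tx in outbound[cur] if tx.ts >= since]
        if not candidates:
            return path, cur, "dead end"
        nxt = max(candidates, key=lambda tx: tx.amount)
        path.append(nxt)
        cur, since = nxt.dst, nxt.ts
    return path, cur, "max hops reached"


def evidence_record(path, endpoint, v):
    """The fields a victim's report needs: deposit hash, time, amount, token, plus hop count."""
    last = path[-1]
    return {"deposit_tx": last.txhash, "deposit_address": endpoint, "timestamp": last.ts,
            "amount": last.amount, "token": last.token, "hops": len(path), "verdict": v}


if __name__ == "__main__":
    out, inn = build_graph(LEDGER)
    p, end, v = follow("victim", out, inn)
    print(" -> ".join(["victim"] + [tx.dst for tx in p]), "|", v)
    print(evidence_record(p, end, v))
```

Two design points. The walk follows the largest outflow after the arrival time, which is the right first pass but not the whole story: scammers who split funds need a branching walk, and the `0xa5` side payment in the sample shows the kind of branch this version deliberately ignores. And `verdict` stops at the deposit address, not the hot wallet, because the deposit address is what the exchange's legal team can map to an account.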
---
**What to do with the endpoint**
Once you've identified that the deposit went to Binance / Coinbase / Kraken / OKX / etc:
1. Document the exact deposit transaction hash, timestamp, amount, and token.
2. Have the victim file a police report immediately if they haven't. The exchange will not act on a civil request; they need LE contact or a subpoena.
3. Have LE contact the exchange's abuse or legal team with the deposit details. Most major exchanges have fast-freeze windows (24 to 72 hours) if the funds are still sitting in the deposit account.
4. Understand that if funds have already been withdrawn from the CEX, recovery odds drop to near zero unless KYC leads to a real person LE can reach.
---
**The limits**
Privacy chains (Monero, Zcash shielded) are out of scope. No method I know of traces those reliably.
Cross-chain tracing is still hard. You can flag that funds hit a bridge, but following them to the destination chain requires either the bridge's own APIs (most don't expose per-transaction mapping) or heuristics based on timing and amount matching. Most tools don't do this well yet.
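The timing-and-amount heuristic is worth seeing in code so its limits are obvious. This is an added example, not part of any tool mentioned here; the bridge fee rate, 1% amount tolerance and one-hour delay window are assumptions, and the deposits and withdrawals are constructed. It returns every candidate rather than a single answer, because two plausible destinations is exactly the case where you report "hit a bridge, destination unresolved" instead of asserting a link.

```python
# Constructed sample: bridge deposits seen on the source chain and withdrawals seen on the
# destination chain. Amounts and timestamps are invented; txhash values are placeholders.
SRC_DEPOSITS = [
    {"txhash": "src-A", "amount": 9.7, "ts": 1_700_010_000},
    {"txhash": "src-B", "amount": 2.0, "ts": 1_700_010_100},
]
DST_WITHDRAWALS = [
    {"txhash": "dst-X", "amount": 9.69, "ts": 1_700_010_900},   # fits A
    {"txhash": "dst-Y", "amount": 2.0, "ts": 1_700_010_500},    # fits B
    {"txhash": "dst-Z", "amount": 1.99, "ts": 1_700_010_600},   # also fits B: ambiguous
    {"txhash": "dst-W", "amount": 9.69, "ts": 1_700_019_000},   # right amount, hours too late
]


def match_bridge_flows(src_deposits, dst_withdrawals, max_delay=3600, fee_rate=0.001, tol=0.01):
    """For each source-chain deposit, list destination-chain withdrawals whose amount
    (net of an assumed bridge fee) and timing fit. Several candidates means the link
    is ambiguous; none means the funds may have left by a path this heuristic cannot see."""
    matches = {}
    for s in src_deposits:
        expected = s["amount"] * (1 - fee_rate)
        matches[s["txhash"]] = [
            d["txhash"] for d in sorted(dst_withdrawals, key=lambda d: d["ts"])
            if 0 < d["ts"] - s["ts"] <= max_delay
            and abs(d["amount"] - expected) <= tol * expected
        ]
    return matches


def confident_links(matches):
    """Keep only one-to-one matches; everything else stays 'hit a bridge, destination unresolved'."""
    return {s: c[0] for s, c in matches.items() if len(c) == 1}


if __name__ == "__main__":
    m = match_bridge_flows(SRC_DEPOSITS, DST_WITHDRAWALS)
    print(m)
    print(confident_links(m))
```

Note that the same destination withdrawal can satisfy more than one source deposit on a busy bridge, and round amounts (2.0, 1.99) are common precisely because that makes this kind of matching unreliable; treat a one-to-one hit as a lead for a records request to the bridge operator, not as evidence.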
Mixers break the trail for most practical purposes. Tornado Cash has some statistical-deanonymization research behind it, but it's not reliable enough for evidence.
---
**Tooling**
For colleagues looking to get into this: the commercial tools (Chainalysis Reactor, TRM, Elliptic) are the industry standard but priced for enterprise. Block explorers (Etherscan, Solscan, Tronscan) give you raw data but no CEX labeling. I built a free tool at chaintracing.org that automates the hop-following and CEX flagging across 8 chains, mostly because I got tired of doing it manually for friends who'd been scammed. Happy to run traces for anyone here who has a case.
Questions welcome.