
How Blockchain Forensics Supports Financial Investigations

March 31, 2026
In February 2025, hackers drained $1.5 billion from Bybit. Within 48 hours, blockchain investigators attributed the attack to North Korea's Lazarus Group. The same forensic infrastructure that enabled that attribution is available for corporate fraud cases, embezzlement investigations, and regulatory enforcement. Here is how blockchain forensics actually works, and when your investigation needs it.

A decade ago, none of that would have been possible. The funds would have vanished.


That speed of attribution did not come from a tip or an informant. It came from blockchain forensics, the discipline of tracing cryptocurrency transactions, mapping wallet relationships, and connecting on-chain activity to real-world entities. The Bybit case is the most visible example of what this field now makes possible. But the majority of blockchain forensic work is not about headline-grabbing exchange hacks. It is about following money that someone tried very hard to make disappear.


What blockchain forensics actually is




Blockchain forensics is the process of collecting, analyzing, and documenting cryptocurrency transaction data in a manner that produces findings suitable for legal proceedings, regulatory filings, or internal governance decisions. It covers transaction tracing, wallet attribution, pattern analysis, and the correlation of on-chain data with off-chain intelligence sources.


Here is the part most people get wrong: they assume cryptocurrency is anonymous. It is not. Bitcoin, Ethereum, and most major blockchain networks maintain a public, permanent ledger of every transaction ever processed. Every transfer, every wallet address, every timestamp is recorded and visible to anyone who knows where to look.


What cryptocurrency is, more accurately, is pseudonymous. Wallet addresses are not labeled with names. But the transactions between those addresses leave patterns, and those patterns are traceable. Blockchain forensics is the discipline that reads those patterns and connects them to identifiable entities, exchanges, services, individuals, and criminal organizations.


The distinction between anonymous and pseudonymous is where the entire field operates. And it is why stolen cryptocurrency is increasingly recoverable in ways that stolen cash has never been.


Why this matters now: $9.3 billion in crypto fraud losses in a single year


The FBI's Internet Crime Complaint Center reported $16.6 billion in total cybercrime losses for 2024, a 33% increase over the prior year. Of that total, cryptocurrency-related complaints accounted for approximately $9.3 billion in losses across nearly 150,000 complaints, a 66% increase from 2023 (FBI IC3, 2024).


Investment fraud involving cryptocurrency was the single most costly category, generating $5.8 billion in losses. Business email compromise added another $2.77 billion. Sextortion schemes, crypto ATM fraud, and ransomware payments accounted for billions more.


Every one of those categories produces blockchain evidence. Transaction records, wallet addresses, timestamps, smart contract interactions, cross-chain transfers. The data exists. The question is whether anyone is collecting it in a way that makes it usable.


That is the function blockchain forensics serves. Its job is not finding data on a blockchain; the data is already public. Its job is making that data interpretable, attributable, and legally defensible.


How blockchain transaction tracing works in practice




The mechanics of crypto tracing follow a specific sequence, and each step builds on the last.


It starts with an address. A victim reports a wallet they sent funds to, or a compromised account shows outbound transfers to an unfamiliar destination. The forensic examiner takes that address and begins mapping the flow of funds forward and backward through the blockchain.


Forward tracing follows where the money went after it left the victim. Did it move to an exchange? Was it split across dozens of intermediary wallets? Did it pass through a mixing service or a cross-chain bridge? Each hop is documented with transaction hashes, timestamps, and amounts.


Backward tracing examines where the address received funds from previously. This establishes whether the wallet has a history of receiving stolen funds, interacting with sanctioned entities, or exhibiting patterns associated with known threat actors.


Wallet clustering ties multiple addresses to a single controlling entity. When someone sends Bitcoin, the transaction often includes a "change address" that returns leftover funds to a new address controlled by the same person. Forensic tools identify these change addresses and group them into clusters, revealing the full scope of an entity's on-chain footprint.


Attribution connects those clusters to real-world identities. When funds eventually reach a regulated exchange, which requires identity verification under Know Your Customer rules, investigators can work with the exchange or through legal process to identify the account holder. Off-chain intelligence, including OSINT, IP address data, and traditional investigative methods, fills the remaining gaps.


The output is a documented fund flow: a chain of transactions from origin to destination, with every hop verified and every attribution sourced. That documentation is what makes the findings admissible in court and useful in regulatory proceedings.
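The sequence above (forward tracing, backward tracing, wallet clustering) can be made concrete. The Python below is an added illustration written for this article; it is not Sequenxa's tooling or any vendor's product. The ledger, addresses, transaction ids, amounts and the exchange label are all constructed, and the two clustering rules are the common-input and change-address heuristics in their simplest textbook form, without the exception handling that production tools carry.

```python
"""Added example: toy fund-flow tracing and wallet clustering over a constructed
Bitcoin-style (UTXO) ledger. Addresses, txids, amounts and the exchange label are
made up for illustration; nothing here is real chain data."""
from collections import deque

# Constructed ledger in chronological order. Each tx spends its inputs in full and
# pays the listed outputs (amounts in BTC; miner fees ignored to keep sums simple).
TXS = [
    {"txid": "tx0", "inputs": ["source"], "outputs": [("A3", 2.0), ("B1", 0.5)]},
    {"txid": "tx1", "inputs": ["victim"], "outputs": [("A1", 9.0)]},
    {"txid": "tx2", "inputs": ["A1"], "outputs": [("B1", 5.0), ("A2", 4.0)]},
    {"txid": "tx3", "inputs": ["A2", "A3"], "outputs": [("B2", 6.0)]},
    {"txid": "tx4", "inputs": ["B1", "B2"], "outputs": [("exch_dep_7", 11.5)]},
]
# Constructed label: a deposit address at a fictional KYC exchange. The walk stops
# there because identification continues through legal process, not on-chain.
LABELS = {"exch_dep_7": "ExampleExchange deposit address (KYC on file)"}


class UnionFind:
    """Disjoint sets of addresses; each set is one likely controlling entity."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path compression
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_wallets(txs):
    """Return address clusters built from two standard heuristics:
    1. common-input ownership: all inputs of one tx are spent by one controller;
    2. change detection: in a two-output tx, a never-before-seen output paired
       with a previously seen one is treated as change returned to the spender.
    Both are heuristics. CoinJoin-style transactions deliberately violate (1),
    so real tooling applies them with exceptions and confidence scores."""
    uf, seen = UnionFind(), set()
    for tx in txs:
        ins = tx["inputs"]
        outs = [addr for addr, _ in tx["outputs"]]
        for a in ins + outs:
            uf.find(a)                        # register every address
        for a in ins[1:]:
            uf.union(a, ins[0])               # heuristic 1
        fresh = [a for a in outs if a not in seen]
        if len(outs) == 2 and len(fresh) == 1:
            uf.union(fresh[0], ins[0])        # heuristic 2
        seen.update(ins + outs)
    groups = {}
    for a in list(uf.parent):
        groups.setdefault(uf.find(a), set()).add(a)
    return {frozenset(g) for g in groups.values()}


def cluster_of(clusters, addr):
    return next(c for c in clusters if addr in c)


def _paid_to(tx, addr):
    return sum(amt for dest, amt in tx["outputs"] if dest == addr)


def trace(txs, start, direction="forward", labels=LABELS):
    """Breadth-first walk of the ledger from `start`.
    forward : follow the outputs of every tx that spends from a reached address;
    backward: follow the inputs of every tx that paid a reached address.
    Labeled addresses are recorded as hops but not expanded further.
    Returns hops as (txid, from_addr, to_addr, amount) in discovery order, the
    transaction-level record a fund-flow report is built from."""
    spends, pays = {}, {}
    for tx in txs:
        for a in tx["inputs"]:
            spends.setdefault(a, []).append(tx)
        for a, _ in tx["outputs"]:
            pays.setdefault(a, []).append(tx)
    hops, visited, queue = [], {start}, deque([start])
    while queue:
        addr = queue.popleft()
        if direction == "forward":
            edges = [(tx["txid"], addr, d, amt)
                     for tx in spends.get(addr, []) for d, amt in tx["outputs"]]
        else:
            edges = [(tx["txid"], s, addr, _paid_to(tx, addr))
                     for tx in pays.get(addr, []) for s in tx["inputs"]]
        for txid, src, dst, amt in edges:
            hops.append((txid, src, dst, amt))
            nxt = dst if direction == "forward" else src
            if nxt not in visited and nxt not in labels:
                visited.add(nxt)
                queue.append(nxt)
    return hops


if __name__ == "__main__":
    for hop in trace(TXS, "victim"):
        print("%s: %s -> %s (%.2f BTC)" % hop)
    for c in cluster_wallets(TXS):
        print("cluster:", sorted(c))
```

Running it forward from `victim` documents six hops ending at the labeled exchange deposit, and the clustering step groups `A1`, `A2` and `A3` under one controller even though the victim's funds never touched `A3` directly: the tx3 co-spend is what ties it in. The backward walk from the deposit address reaches both `victim` and the unrelated `source`, which is the commingling an examiner has to account for before asserting how much of the deposit is stolen property.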


What makes blockchain forensics different from standard digital forensics




Digital forensics examines devices, networks, and storage media to recover and analyze electronic evidence. It operates on data that is often private, encrypted, or deleted. The challenge is getting access to the data in the first place.

Blockchain forensics operates in reverse. The data is public by default. Every transaction on Bitcoin, Ethereum, and most major networks is visible to anyone. The challenge is not access; it is interpretation.


Reading raw blockchain data without context is like reading a phone book with no names, only numbers. The forensic value comes from connecting those numbers to entities, identifying patterns in how funds move, and documenting the analysis in a format that holds up under legal scrutiny.


Where the two disciplines converge is in corporate investigations and financial crime matters that involve both traditional digital evidence and cryptocurrency. An employee who embezzled funds and converted them to Bitcoin produces evidence across both domains. The laptop forensics might reveal the wire transfers; the blockchain forensics traces what happened after those funds hit a crypto exchange.


In practice, cases that involve cryptocurrency almost always require both capabilities working together. The on-chain data tells you where the money went. The off-chain data tells you who moved it and why.


The obstruction playbook: how criminals try to break the trail


Sophisticated actors do not send stolen cryptocurrency directly to an exchange and cash out. They use a specific set of techniques designed to break the chain between the source of funds and the eventual off-ramp.


Mixing services pool transactions from multiple users and redistribute them, attempting to sever the link between input and output. Forensic tools have adapted. Analysts can now identify mixer entry and exit patterns, timing correlations, and volume signatures that allow partial or full de-mixing in many cases.


Cross-chain bridges move funds from one blockchain to another (Ethereum to Bitcoin, for example). Each bridge transaction creates a gap in the trail that requires multi-chain forensic tools to follow. The Bybit investigation demonstrated this clearly. Lazarus Group fragmented the stolen Ethereum across multiple chains, cycled funds through decentralized exchanges, and routed them through bridges to obscure the path.


Peel chains split a large amount into progressively smaller transactions, each sent to a new address, with the remainder forwarded to the next address in the chain. This creates dozens or hundreds of wallet addresses from a single initial transfer. Forensic tools detect peel chains by identifying the characteristic pattern of sequential decreasing-value transactions.
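The detection rule described above (a sequence of two-output transactions where one output is small and the remainder moves on to a fresh address) is simple enough to show in code. The following Python is an added example for this article, not Sequenxa's or any vendor's detector; the ledger, addresses, amounts and the two thresholds are constructed, and real tools tune such thresholds per chain and combine them with other signals before calling something a peel chain.

```python
"""Added example: peel-chain detection over a constructed UTXO-style ledger.
All txids, addresses, amounts and thresholds are made up for illustration."""

# Constructed ledger: four peel hops, then an even split that ends the chain.
PEEL_TXS = [
    {"txid": "p1", "inputs": ["start"], "outputs": [("peel_a", 0.8), ("hop1", 99.2)]},
    {"txid": "p2", "inputs": ["hop1"], "outputs": [("peel_b", 1.1), ("hop2", 98.1)]},
    {"txid": "p3", "inputs": ["hop2"], "outputs": [("hop3", 97.0), ("peel_c", 1.1)]},
    {"txid": "p4", "inputs": ["hop3"], "outputs": [("peel_d", 0.9), ("hop4", 96.1)]},
    {"txid": "p5", "inputs": ["hop4"], "outputs": [("dest_x", 50.0), ("dest_y", 46.1)]},
]


def detect_peel_chain(txs, start, min_remainder_share=0.85, min_hops=3):
    """Follow the remainder output from `start` while each hop looks like a peel:
    exactly two outputs, the larger carrying at least `min_remainder_share` of the
    total and paid to an address not seen anywhere earlier in the ledger.
    Returns hops as (txid, peel_addr, peel_amount, next_addr, remainder), or []
    when fewer than `min_hops` qualify. Both thresholds are constructed values."""
    spends, first_seen = {}, {}
    for i, tx in enumerate(txs):
        for a in tx["inputs"]:
            spends.setdefault(a, []).append((i, tx))
        for a in tx["inputs"] + [addr for addr, _ in tx["outputs"]]:
            first_seen.setdefault(a, i)
    hops, addr = [], start
    while True:
        nxt = None
        for i, tx in spends.get(addr, []):
            if len(tx["outputs"]) != 2:
                continue
            (small_a, small), (big_a, big) = sorted(tx["outputs"], key=lambda o: o[1])
            # An even split, or a remainder sent to a previously used address,
            # is not a peel: the chain ends here.
            if big / (small + big) < min_remainder_share or first_seen[big_a] < i:
                continue
            nxt = (tx["txid"], small_a, small, big_a, big)
            break
        if nxt is None:
            break
        hops.append(nxt)
        addr = nxt[3]
    return hops if len(hops) >= min_hops else []


def peeled_total(hops):
    """Sum of the small outputs, i.e. what actually left the chain at each step."""
    return round(sum(h[2] for h in hops), 8)


if __name__ == "__main__":
    chain = detect_peel_chain(PEEL_TXS, "start")
    for txid, peel_addr, peel_amt, next_addr, remainder in chain:
        print("%s: peeled %.2f to %s, %.2f carried to %s"
              % (txid, peel_amt, peel_addr, remainder, next_addr))
    print("total peeled:", peeled_total(chain))
```

On the constructed ledger the detector reports four hops from `start` to `hop4` with 3.9 BTC peeled off along the way, and stops at `p5` because a 50/46 split does not fit the pattern. The peeled outputs are the addresses an examiner then traces forward individually, since each is a separate off-ramp candidate.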


Privacy coins like Monero use cryptographic techniques that obscure sender, receiver, and amount information at the protocol level. These present real limitations for forensic analysis. But they also represent a small fraction of illicit transaction volume, in part because most regulated exchanges will not accept deposits from privacy coins, which limits their utility as off-ramps.


None of these techniques are foolproof. Each buys time rather than providing permanent concealment. The investigator's advantage is patience and infrastructure: labeled wallet databases, historical transaction graphs, and pattern recognition systems that improve with every case.


What the Bybit case showed about the current state of the field


The $1.5 billion Bybit theft was attributed to North Korea's Lazarus Group by the FBI within days. Independent blockchain investigators, including ZachXBT working through Arkham Intelligence's bounty marketplace, identified key intermediary addresses within 24 hours.


The attribution was not guesswork. Lazarus Group has a documented fingerprint: specific wallet clustering behaviors, timing patterns, and mixing service preferences. Investigators matched the Bybit outflows against those known signatures and established linkage with high confidence before any government statement was issued (FBI IC3 PSA, February 2025).


Here is what that actually means for financial investigations more broadly. The infrastructure that enabled 48-hour attribution of a $1.5 billion state-sponsored theft (labeled wallet databases, cross-chain tracing tools, behavioral pattern matching, real-time alerting networks) is the same infrastructure available for corporate fraud cases, embezzlement investigations, and regulatory enforcement actions.


The tools that traced Lazarus Group are the same tools that can follow an employee who diverted company funds through a series of crypto wallets, or a vendor who laundered kickback payments through DeFi protocols, or a fraud operation that collected victim funds across dozens of wallet addresses.


The difference is scale, not methodology.


When an organization needs blockchain forensic capability


Not every financial investigation involves cryptocurrency. But the indicators that one might are specific, and they show up more often than most organizations expect.


A corporate investigation uncovers payments to wallet addresses instead of bank accounts. An employee's device contains cryptocurrency wallet software, seed phrases, or exchange account credentials. A fraud scheme involves victim payments made in Bitcoin or stablecoins. A regulatory inquiry involves a counterparty with known cryptocurrency exposure. A due diligence review reveals that a target company holds digital assets or transacts with crypto-native entities.


In each scenario, the blockchain evidence does not replace traditional financial investigation. It extends it. The forensic accounting traces funds through bank accounts and corporate entities. The blockchain forensics picks up where those funds enter the crypto ecosystem and follows them to their destination.


The challenge is timing. Blockchain evidence does not degrade the way device evidence can; the ledger is permanent. But the ability to freeze or recover funds at an exchange depends entirely on speed. Every hour of delay gives an adversary more opportunity to move funds through additional obfuscation layers or convert to cash through unregulated venues.


Organizations that wait until a legal proceeding is underway to bring in blockchain forensic capability are starting the investigation weeks or months behind where the funds have already traveled.


What blockchain forensic findings look like as evidence




The deliverable from a blockchain forensic investigation is a documented fund flow analysis supported by transaction-level evidence. This typically includes transaction hash records with timestamps and amounts for every relevant transfer, wallet cluster analysis showing which addresses are controlled by the same entity, attribution reports linking wallet clusters to identified entities with sourcing documentation, visual fund flow diagrams that show the path of funds from origin to destination, and a methodology statement that explains the analytical techniques used and their evidentiary basis.


These findings are prepared to the same evidentiary standards as traditional digital forensic reports. Chain of custody is maintained from the point of evidence collection. Analytical methods are documented and reproducible. Attributions are sourced and confidence-scored.
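Two of the properties just listed, reproducibility and an intact chain of custody, can be checked mechanically when the deliverable is packaged so that the same findings always serialize to the same bytes and carry a digest of those bytes. The Python below is an added example of that packaging for this article, not Sequenxa's report format or any court's requirement; the hops, the attribution, its source reference and the confidence score are constructed.

```python
"""Added example: packaging fund-flow findings so that they are reproducible and
tamper-evident. The hops, attribution, source reference and confidence score are
constructed for illustration."""
import copy
import hashlib
import json

# Constructed findings, one record per documented hop. Amounts are strings so the
# serialization does not depend on floating-point formatting.
HOPS = [
    {"txid": "tx1", "from": "victim", "to": "A1", "amount": "9.0"},
    {"txid": "tx2", "from": "A1", "to": "B1", "amount": "5.0"},
    {"txid": "tx4", "from": "B1", "to": "exch_dep_7", "amount": "11.5"},
]
# Constructed attribution: each claim carries its source and a confidence score
# rather than being stated as bare fact. "EX-001" is a hypothetical reference.
ATTRIBUTIONS = [
    {"cluster": ["B1", "B2"],
     "entity": "ExampleExchange customer account",
     "source": "Exchange response to records request (hypothetical ref EX-001)",
     "confidence": 0.9},
]
METHODOLOGY = ("Forward breadth-first trace from the victim address; common-input "
               "and change heuristics for clustering; labels from a curated address "
               "database.")


def canonical(obj):
    """Deterministic serialization: identical findings always yield identical bytes,
    so a second examiner re-running the analysis can reproduce the digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_report(hops, attributions, methodology):
    """Bundle findings with a SHA-256 over their canonical form."""
    body = {"hops": hops, "attributions": attributions, "methodology": methodology}
    return {"body": body, "sha256": hashlib.sha256(canonical(body)).hexdigest()}


def verify_report(report):
    """Recompute the digest; any silent edit to a hop or attribution is detected."""
    return hashlib.sha256(canonical(report["body"])).hexdigest() == report["sha256"]


def tamper_demo():
    """Show that changing a single amount after the fact breaks verification."""
    report = build_report(HOPS, ATTRIBUTIONS, METHODOLOGY)
    altered = copy.deepcopy(report)
    altered["body"]["hops"][0]["amount"] = "8.0"
    return verify_report(report), verify_report(altered)


if __name__ == "__main__":
    rep = build_report(HOPS, ATTRIBUTIONS, METHODOLOGY)
    print("report digest:", rep["sha256"])
    print("original verifies, altered verifies:", tamper_demo())
```

In practice the digest is what gets recorded in the custody log at collection time and quoted in the methodology statement, so that the version tendered in a proceeding can be shown to be the version the examiner produced.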

The visual component matters more in blockchain cases than in most other forensic disciplines. Judges, regulators, and board members are not blockchain-literate by default. A fund flow diagram that clearly shows money moving from a victim's wallet through a series of intermediaries to a destination wallet controlled by the subject of an investigation communicates in seconds what a written report takes pages to explain.


Expert witness support translates that visual and technical analysis into testimony that a court can evaluate. The examiner explains the methodology, the findings, and the basis for each attribution in terms that non-technical decision-makers can assess.


The regulatory environment is accelerating demand


The regulatory framework around cryptocurrency looks nothing like it did three years ago. The EU's Markets in Crypto-Assets Regulation (MiCA) took full effect in late 2024, establishing compliance requirements for virtual asset service providers operating in Europe. The FATF Travel Rule requires that identifying information accompany cryptocurrency transfers above certain thresholds, mirroring requirements that have existed in traditional banking for decades.


In the United States, the SEC established a dedicated crypto task force in January 2025 to develop clearer regulatory frameworks for digital assets. FinCEN has been expanding reporting requirements for virtual asset service providers.


What this means for organizations: regulatory inquiries involving cryptocurrency are no longer exceptional. They are routine. And the standard of evidence expected in those proceedings requires forensic-grade transaction analysis, not a screenshot of a blockchain explorer.


The numbers reflect the pace: the crypto compliance and blockchain analytics market was valued at roughly $3.5 billion in 2024, with projections exceeding $13 billion by 2030 (Market Research, 2025). That is not speculative interest. That is organizations buying capability they did not think they needed two years ago.


The uncomfortable part


Most cryptocurrency fraud is not committed by state-sponsored hacking groups. The FBI's data makes this clear. The largest single category of crypto-related losses in 2024 was investment fraud, schemes that manipulate victims into sending funds to fraudulent platforms. The most affected demographic was individuals over 60, who reported $2.8 billion in crypto-related losses.


These are not sophisticated technical exploits. They are social engineering operations that use cryptocurrency as a payment rail because it is fast, irreversible, and crosses borders without the friction of traditional wire transfers.


Blockchain forensics can trace those funds. In many cases, it can identify the receiving wallets, map the laundering infrastructure, and support asset recovery efforts. The FBI's Operation Level Up reported saving potential victims approximately $285 million between January 2024 and January 2025 through early intervention enabled by this kind of analysis.


But the gap between what forensic tools can trace and what law enforcement can actually recover remains significant. Jurisdiction is fragmented. International cooperation is slow. And some receiving exchanges operate in jurisdictions with limited enforcement capability.


The forensic capability exists. The enforcement infrastructure has not fully caught up. That gap is where a large portion of stolen cryptocurrency still disappears, not because it cannot be traced, but because tracing it is not enough by itself.


How Sequenxa approaches blockchain forensics


Sequenxa's blockchain forensics capability operates within the agency's Advanced Intelligence Technology division. The work covers transaction tracing across major blockchain networks, wallet attribution using both on-chain analysis and off-chain intelligence, DeFi protocol investigation, and expert witness preparation for legal proceedings.


The capability sits alongside digital forensics and corporate intelligence services, which means investigations that span both traditional financial channels and cryptocurrency are handled under a single engagement rather than requiring coordination between separate firms.


That integration matters because financial crime does not stay in one domain. An embezzlement case might start in a corporate bank account, move through a personal brokerage, and end in a series of cryptocurrency wallets. The investigation that only covers one of those segments produces partial findings. Partial findings do not hold up under the kind of scrutiny these matters attract.


If your investigation involves cryptocurrency, blockchain forensics determines whether the evidence trail leads somewhere actionable or goes cold. Request a consultation to discuss what your matter requires.


Frequently asked questions


What is blockchain forensics?


Blockchain forensics is the process of tracing, analyzing, and documenting cryptocurrency transactions to support financial investigations, regulatory proceedings, and legal actions. It involves mapping fund flows across blockchain networks, attributing wallet addresses to real-world entities, and producing evidence that meets legal admissibility standards.


How do investigators trace cryptocurrency transactions?


Investigators trace cryptocurrency by following the public transaction records on blockchain networks. They use forward tracing to follow where funds went, backward tracing to identify fund sources, wallet clustering to group addresses controlled by the same entity, and attribution techniques to connect those clusters to identified individuals or organizations.


Can cryptocurrency actually be traced?


Yes. Most major cryptocurrencies, including Bitcoin and Ethereum, operate on public blockchains where every transaction is permanently recorded. While users are identified by pseudonymous wallet addresses rather than names, forensic techniques including clustering analysis, exchange identification, and off-chain intelligence correlation can attribute activity to specific entities.


What types of cases use blockchain forensics?


Blockchain forensics supports a range of matters including cryptocurrency fraud investigations, embezzlement cases involving digital assets, ransomware payment tracing, sanctions compliance verification, due diligence on crypto-native entities, and regulatory enforcement actions involving virtual asset service providers.


How does blockchain forensics relate to digital forensics?


Blockchain forensics is a specialized branch within the broader digital forensics discipline. Traditional digital forensics examines devices and networks to recover electronic evidence. Blockchain forensics specifically analyzes public ledger data from cryptocurrency networks. Investigations involving both device evidence and cryptocurrency transactions typically require both capabilities.


References


Federal Bureau of Investigation (FBI). (2025). 2024 Internet Crime Report. Internet Crime Complaint Center (IC3). Retrieved from https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf


Federal Bureau of Investigation (FBI). (2025, February 26). North Korea Responsible for $1.5 Billion Bybit Hack. IC3 Public Service Announcement. Retrieved from https://www.ic3.gov/psa/2025/psa250226


TRM Labs. (2025). A Record-Breaking Year for Cybercrime: Key Findings from the FBI's 2024 IC3 Report. Retrieved from https://www.trmlabs.com/resources/blog/a-record-breaking-year-for-cybercrime-key-findings-from-the-fbis-2024-ic3-report


TRM Labs. (2025, February 27). The Bybit Hack: Following North Korea's Largest Exploit. Retrieved from https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit

Written by R.J. Finnegan

R.J. is a special agent with Sequenxa Intelligence Agency. With a deep understanding of behavior analytics combined with cyber and technical warfare, R.J. brings a unique perspective to the intelligence community.
