Cryptocurrency Tracing: Bitcoin and Ethereum Investigation

Manish Garg Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

Cryptocurrency tracing has become a standard tool for fraud and ransomware investigations in India. Despite the perception of anonymity, Bitcoin and Ethereum transactions are publicly logged forever, and modern blockchain analytics deanonymises a meaningful fraction of activity. This article covers practical tracing for fraud investigations.

The mental model

Each blockchain transaction is permanent and public. Wallet addresses are pseudonymous — not anonymous. Once you link an address to an identity (via KYC at an exchange, OSINT, or a leak), every past and future transaction of that address becomes attributable.

Bitcoin tracing

# Free tools
# blockchain.com explorer
https://www.blockchain.com/btc/address/<address>

# blockchair (multi-chain)
https://blockchair.com/bitcoin/address/<address>

# Walletexplorer.com — clusters addresses likely to belong to same entity
# (uses common-input heuristic — addresses spent together are typically same wallet)

Address clustering heuristics

  • Common-input ownership — when a Bitcoin transaction spends from multiple input addresses, all inputs are typically owned by the same wallet (one signing key, multiple UTXOs)
  • Change addresses — the change output typically belongs to the same wallet as the inputs and can be identified by patterns
  • Behavioural clustering — wallets with similar spending patterns, timing, and amounts are grouped together
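
The common-input heuristic above, worked through as an added example (not code from the article or from any of the tools it names). The transactions are constructed sample data with amounts in satoshis, and the equal-output filter for CoinJoin-shaped transactions is an assumed, simplified safeguard against false merges, since a mix combines inputs from multiple participants.

```python
from collections import Counter, defaultdict

# Constructed sample transactions (not real chain data); output values in satoshis.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": [("M1", 50_000_000), ("A3", 10_000_000)]},
    {"txid": "tx2", "inputs": ["A3", "A4"], "outputs": [("X1", 30_000_000)]},
    {"txid": "tx3", "inputs": ["B1"], "outputs": [("B2", 100_000_000)]},
    # CoinJoin-shaped: several inputs and several outputs of identical value.
    {"txid": "tx4", "inputs": ["A4", "B1", "C1"],
     "outputs": [("P1", 10_000_000), ("P2", 10_000_000), ("P3", 10_000_000)]},
]

def looks_like_coinjoin(tx, threshold=3):
    """Assumed filter: many inputs plus many equal-value outputs suggests a mix."""
    counts = Counter(value for _, value in tx["outputs"])
    return len(tx["inputs"]) >= threshold and max(counts.values(), default=0) >= threshold

def cluster_common_inputs(txs, skip_coinjoin=True):
    """Union-find: addresses spent together as inputs of one tx share a cluster."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in txs:
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue  # merging here would join unrelated participants
        root = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = root
    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])

if __name__ == "__main__":
    for cluster in cluster_common_inputs(SAMPLE_TXS):
        print(cluster)
```

Running it with `skip_coinjoin=False` shows the failure mode: the mix transaction collapses two otherwise separate clusters into one. The change-address link from `tx1` to `A3` is not merged here, because this block applies only the common-input heuristic.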

Ethereum tracing

Ethereum is account-based (not UTXO), making clustering different. Each address is a discrete account; transactions show direct flow.

# Etherscan
https://etherscan.io/address/<address>

# Decode contract interactions:
# Etherscan shows methods called on smart contracts
# DEX swaps, DeFi interactions all visible

Commercial blockchain analytics

  • Chainalysis — industry-standard, used by exchanges and law enforcement
  • TRM Labs — competitor with strong India regulator relationships
  • Elliptic — risk scoring and investigation
  • CipherTrace — Mastercard subsidiary

These services maintain large databases of attributed addresses (exchanges, mixers, sanctioned entities, ransomware operators). An address you investigate likely has historical interaction with one of these — providing attribution leads.

The investigation workflow for fraud

  1. Victim provides BTC/ETH address used for fraud payment
  2. Trace forward through transaction graph — where did the funds go?
  3. Identify “off-ramps” — exchanges, OTC desks, P2P platforms where crypto becomes fiat
  4. Subpoena / lawful request to off-ramp exchange for KYC of receiving customer
  5. Coordinate with law enforcement for international cooperation if exchange is foreign

Mixers and privacy techniques

Tornado Cash (Ethereum), CoinJoin (Bitcoin), and various privacy chains (Monero, Zcash) complicate tracing:

  • Tornado Cash — sanctioned by US OFAC in 2022; on-chain entry/exit still observable
  • CoinJoin — Bitcoin-native mixing (Wasabi, Samourai); requires multiple participants
  • Monero — privacy-by-default chain; conventional tracing essentially fails
  • Cross-chain bridges — can complicate tracing if funds move between chains

For mixed funds, tracing is probabilistic; for Monero, it’s largely impossible at the protocol level (statistical analysis remains).

Indian regulatory context

  • Crypto exchanges in India must register under FIU-IND and conduct KYC
  • 1% TDS on crypto trades creates a paper trail
  • 30% tax on crypto gains
  • Banking restrictions have been on/off; exchanges have alternative banking arrangements
  • Cybercrime cells in major Indian cities have crypto-investigation capability; Mumbai, Delhi, Bengaluru typically lead

Compliance angle

  • PMLA — virtual asset service providers in scope since 2023
  • FATF Travel Rule — exchanges must share originator/beneficiary info for transactions >$1000 (compliance varies)
  • FIU-IND filings for crypto-related STRs

The takeaway

Crypto tracing is feasible for most cases — Bitcoin and Ethereum leave permanent public trails, and commercial analytics maintain attribution databases. The key inflection points are off-ramps where pseudonymous becomes identified. For Indian fraud investigations, partner with FIU-IND-registered exchanges and use Chainalysis or TRM for attribution depth.
