Bitcoin Forensics and Cryptocurrency Forensics: A Beginner’s Guide to Blockchain Investigations

2025-11-18

In October 2025, the U.S. Department of Justice announced an indictment against Chen Zhi, chairman of Cambodia’s Prince Group, alleging his involvement in operating large-scale forced-labor scam compounds that targeted victims across multiple countries.

A significant element of the case involves the use of cryptocurrency as the financial infrastructure for the network’s global operations. Prosecutors identified that digital asset wallets were used to disguise the origin of funds and move proceeds across borders outside traditional banking oversight.

This case has drawn international attention not only for its human-trafficking and organized-crime dimensions, but also for the central role of cryptocurrency in enabling, accelerating, and concealing large-scale criminal revenue streams.

Cryptocurrency Flow Model & Common Criminal Use Cases

Typical Flow of Cryptocurrency: Fiat (government-issued currency) → Crypto → Layering → Fiat

Circulation Logic of Cryptocurrency Flow

Cryptocurrency has become a central tool in financial crimes due to its ability to facilitate anonymous transactions and cross-border money transfers. A typical money laundering process involving cryptocurrencies follows these steps:

  • On-ramp (Fiat → Crypto): Illicit actors convert fiat into crypto via centralized exchanges (CEX), over-the-counter (OTC) desks, peer-to-peer (P2P) platforms, or third-party payment services. These entry points provide the initial ingress of illicit funds into the crypto ecosystem.
  • Layering & Obfuscation: Once on-chain, funds are moved through multiple wallets and services to break the transaction trail. Typical techniques include chain-to-chain transfers, use of mixing/tumbling services, routing through DeFi liquidity pools, and bridging across chains. The objective is to sever the direct linkage between the source funds and the eventual recipient.
  • Cash-out (Crypto → Fiat): After sufficient layering, assets are converted back to fiat through compliant or illicit channels—regulated exchanges, complicit OTC desks, underground exchangers, prepaid instruments, or third-party payout services—finalizing the laundering cycle.

Throughout this cycle, perpetrators exploit cross-jurisdictional gaps, varying regulatory regimes, and technical features (privacy tokens, smart contracts, bridges) to hinder conventional financial oversight.

Representative Criminal Use Cases

Cryptocurrency features are attractive to a broad range of illicit activities. Common scenarios include:

  • Telecom and Internet Scams: Victims are persuaded to convert fiat to crypto and send it to attacker-controlled wallets or exchange accounts; the funds are then moved and cashed out via complex on-chain routes.
  • Bribery and Corruption: Crypto enables cross-border transfers with reduced visibility in traditional banking rails, facilitating covert payments and value transfers in corruption schemes.
  • Online Gambling and Illegal Betting: Unregulated gambling platforms use crypto for settlement and bankroll movement, creating opportunities to layer proceeds of crime.
  • Ransomware and Extortion: Ransom demands are typically paid in crypto; attackers then use mixers, privacy coins, and multihop transfers to launder receipts before cashing out.
  • Darknet Markets and Illicit Trade: Marketplaces for drugs, weapons, stolen data, and services commonly accept crypto—often using privacy features or staging transfers to hide participants’ identities.

These use cases are well documented in reports and advisories from international law enforcement and financial oversight bodies, such as the U.S. Department of Justice’s guidance on cryptocurrency and money laundering, the Europol Internet Organised Crime Threat Assessment (IOCTA), and the FATF report on virtual assets and VASPs.

Centralized vs. Decentralized Cryptocurrency Systems: Differences and Circulation Logic

Centralized System (CEX, Custodial Wallets, Trading Platforms)

In the centralized cryptocurrency system, users rely on third-party platforms (such as centralized exchanges, custodial wallets, and trading platforms) to store, trade, and manage their assets. These platforms serve as intermediaries, offering an easy-to-use interface for users to convert fiat currencies to cryptocurrencies and vice versa. The typical circulation logic in centralized systems is as follows:

  • Circulation Logic: Users register an account on a centralized platform, undergo KYC (Know Your Customer) verification, and deposit fiat funds. Once the fiat funds are deposited, users can trade, invest, and withdraw cryptocurrencies through the platform’s user interface. Most platforms also allow for the withdrawal of assets to external wallets. The centralized exchange (CEX) or platform holds custody of the user’s assets until they are withdrawn, making the platform an essential component in the transaction flow.
  • Forensic Advantage: Centralized platforms are advantageous for forensic investigations due to the significant amount of user data they store. These platforms typically retain comprehensive records of user activity, including personal identification information from the KYC process, login timestamps, transaction history, deposit and withdrawal records, and IP addresses used during login sessions. This data provides valuable evidence for investigators, allowing authorities to identify users behind specific wallet addresses and trace transactions in real time. The availability of such detailed records greatly simplifies the process of tracking illicit activity.
  • Forensic Challenges: Despite its advantages, obtaining data from centralized platforms faces challenges, especially when the exchange operates in jurisdictions with weak or non-cooperative legal frameworks. Some platforms may lack comprehensive AML/CFT practices, retain incomplete logs, or have data encryption or purging policies, complicating analysis. Additionally, weak registration models—such as minimal or no KYC—can leave account records without reliable identity links, making it difficult to trace and attribute accounts, even when transaction data is available.

Decentralized System (DEX, Self-Custody Wallets, DeFi, Cross-Chain Bridges)

In the decentralized cryptocurrency system, users maintain full control over their assets without relying on third-party intermediaries. All transactions are recorded on-chain, providing transparency and immutability. The typical circulation logic is as follows:

  • Circulation Logic: In decentralized systems, users directly hold the private keys to their wallets, which gives them full autonomy over their funds. All transactions, whether on decentralized exchanges (DEX), DeFi platforms, or cross-chain bridges, are publicly recorded on the blockchain. This on-chain record allows for transparent tracking of assets, although the identity of users behind specific addresses is not inherently available.
  • Forensic Advantage: A key advantage of decentralized systems is the transparency of on-chain data. Since blockchain transactions are publicly recorded and immutable, forensic investigators can analyze transaction flows through blockchain explorers and transaction graphing tools. This enables the identification of suspicious transaction patterns and asset movements across different wallets and platforms. The blockchain’s transparency offers an immutable and permanent record that is difficult to alter, providing a reliable source of evidence in investigations.
  • Forensic Challenge: The main challenge in decentralized systems is the lack of user identity, as blockchain addresses are pseudonymous and don’t link directly to real-world identities. Privacy coins, mixing services, and cross-chain transfers obscure transaction trails, making it harder to trace the true owner. Self-custody wallets and decentralized exchanges, which often lack user verification and centralized records, further hinder identity collection.

Best & Hardest Points for Evidence Collection

Best Points for Evidence Collection

Certain stages in the cryptocurrency transaction flow present optimal opportunities for evidence collection, thanks to the accessibility of data and the transparent nature of blockchain or platform interactions. These key moments offer the best forensic advantages:

  • Centralized Exchanges & On-ramp Channels: Centralized exchanges (CEX) and on-ramp services (e.g., fiat-to-crypto gateways) are among the strongest evidence points in cryptocurrency forensics. These platforms typically require users to complete KYC (Know Your Customer) verification, and they maintain detailed records of fiat transactions, deposits, and withdrawals. Investigators can request these records to link cryptocurrency addresses to real-world identities and trace the origin of illicit funds. These exchanges provide a robust dataset for forensic analysis.
  • Withdrawal & OTC Transaction Nodes: Withdrawals from exchanges or over-the-counter (OTC) transactions often represent crucial points in tracking funds. By combining off-chain contracts (such as trade agreements), communication records (e.g., emails or chats), and blockchain transactions, investigators can link funds to specific recipients, strengthening the evidence chain and pinpointing the asset’s final destination.
  • On-chain Asset Consolidation & Key Transfer Points: Large-scale consolidations of funds or significant transfers at specific on-chain junctions (e.g., between wallets) can be identified using graph analysis and blockchain visualizations. This helps to detect unusual or suspicious transactions, such as large sums moving to a single wallet or sudden transfers between multiple addresses. These activities often represent attempts to conceal or launder funds, making them prime targets for forensic investigations.
  • Device or Server Control Points: If investigators can access the private keys or wallet backups associated with a cryptocurrency wallet, this provides the most direct evidence of control over assets. The private key is the only method to access and control funds on the blockchain, so recovering it (e.g., from seized devices or servers) allows investigators to definitively establish ownership of the assets.
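As an added illustration of the on-ramp → layering → cash-out cycle described earlier and of the graph analysis mentioned under on-chain consolidation points, the Python below (example code, not from the original article or any SalvationDATA product) traces constructed transactions forward from a scam-receiving address to a labelled exchange deposit address and flags fan-in consolidation junctions. The transaction records and the `LABELS` attribution map are constructed assumptions; in practice the labels come from exchange attribution data.

```python
from collections import defaultdict, deque

# Constructed sample transactions (txid, sender, receiver, amount); not real
# chain data. They model victims -> scam wallet -> hops -> consolidation -> CEX.
TXS = [
    ("t1", "victim_A", "scam_1", 10.0),
    ("t2", "victim_B", "scam_1", 5.0),
    ("t3", "scam_1", "hop_1", 15.0),
    ("t4", "hop_1", "hop_2a", 7.0),
    ("t5", "hop_1", "hop_2b", 8.0),
    ("t6", "hop_2a", "consol", 7.0),
    ("t7", "hop_2b", "consol", 8.0),
    ("t8", "other_1", "consol", 3.0),
    ("t9", "consol", "cex_deposit_9f", 18.0),
]
# Assumed attribution labels (hypothetical): deposit address -> service name.
LABELS = {"cex_deposit_9f": "ExampleCEX"}

def build_graph(txs):
    graph = defaultdict(list)  # sender -> [(receiver, txid, amount)]
    for txid, src, dst, amt in txs:
        graph[src].append((dst, txid, amt))
    return graph

def trace_to_services(graph, seed, labels, max_hops=6):
    """Breadth-first forward trace from seed. Returns (address, service, txids)
    for each labelled service reached within max_hops; the trace stops there
    because a service is a records-request point, not another hop."""
    hits, seen, queue = [], {seed}, deque([(seed, [])])
    while queue:
        addr, path = queue.popleft()
        if addr in labels and path:
            hits.append((addr, labels[addr], path))
            continue
        if len(path) >= max_hops:
            continue
        for dst, txid, _amt in graph.get(addr, []):
            if dst not in seen:  # keeps the shortest path to each address
                seen.add(dst)
                queue.append((dst, path + [txid]))
    return hits

def consolidation_points(txs, min_sources=3):
    """Addresses funded by >= min_sources distinct senders: fan-in junctions
    where layered funds are gathered before cash-out."""
    sources = defaultdict(set)
    for _txid, src, dst, _amt in txs:
        sources[dst].add(src)
    return sorted(a for a, s in sources.items() if len(s) >= min_sources)
```

Running `trace_to_services(build_graph(TXS), "scam_1", LABELS)` returns the four-transaction path from the scam wallet to the exchange deposit, which is where a records request would attach an identity; `consolidation_points(TXS)` singles out the junction where the split hops are regathered.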

Hardest Points for Evidence Collection

While certain stages in the cryptocurrency flow offer robust forensic opportunities, others are far more challenging. The following stages present significant barriers to effective evidence collection:

  • Privacy Coins & Mixing Services: Transactions involving privacy coins or mixing services make tracing extremely difficult. These tools obfuscate the transaction path by encrypting or randomizing transaction data, effectively “washing” funds. As a result, it becomes nearly impossible to trace the source or destination of funds once they have passed through these services.
  • Cross-chain Bridges & Atomic Swaps: Cross-chain bridges allow for the transfer of assets between different blockchain networks, while atomic swaps enable direct peer-to-peer exchanges across blockchains. These mechanisms facilitate the rapid movement of funds across different ecosystems, often leaving investigators with fragmented evidence and disconnected transaction histories, which complicates tracking the funds.
  • Decentralized P2P Transactions: Decentralized peer-to-peer (P2P) platforms allow users to buy and sell cryptocurrency without relying on a centralized intermediary. These platforms generally lack centralized records and often do not require user identity verification. As such, tracing transactions through P2P networks is particularly difficult, since it is challenging to obtain personal details about the parties involved.
  • Jurisdictional & Compliance Barriers: Forensic investigators may also face significant jurisdictional challenges, particularly when dealing with cross-border data requests. The process of requesting and obtaining data from international exchanges or platforms can be lengthy, and some countries may lack effective legal frameworks for cross-border data sharing. Furthermore, some regions may not have cooperation agreements in place, making it hard to access critical evidence from foreign platforms.

Empower Your Cryptocurrency Investigations with SalvationDATA

The cryptocurrency ecosystem is growing rapidly, and tracing digital assets is becoming increasingly complex. Traditional tools often fall short in uncovering wallet connections, transaction flows, and cross-chain activity. SalvationDATA offers a cryptocurrency forensics solution that simplifies investigations, enabling efficient, reliable, and comprehensive analysis for law enforcement, financial institutions, and security teams.

Take your digital asset investigations to the next level with SalvationDATA: [email protected]