Tools like Chainalysis Reactor allow investigators to trace the movement of cryptocurrency between addresses. In addition to analyzing transactions between distinct parties, following the flow of funds is hugely useful in cases involving stolen or otherwise illicit cryptocurrency, in which cybercriminals often attempt to rapidly move funds through multiple addresses in order to throw investigators off the scent.
For instance, in the Reactor graph pictured below, we see funds stolen in an exchange hack move through two intermediary wallets before reaching a deposit address at an exchange.
Following the funds between the first and second intermediary wallet, or from the second intermediary wallet to the exchange deposit address isn’t difficult. All we need to do is view the wallet’s sending exposure in Reactor and click the service category of interest to pull up the specific counterparties to which the wallet sent funds. We see below what this would look like for the transfer of funds between Intermediary Wallet 2 and Exchange 2.
If an investigator clicked the portion of the sending exposure wheel labeled “exchange,” they would be able to see the specific exchange and deposit address at that exchange to which Intermediary Wallet 2 sent the stolen funds.
However, the investigator couldn’t follow that same process to see where the funds moved next after Exchange 2. Below is what the sending exposure wheel would look like for the cybercriminals’ deposit address at Exchange 2.
What’s happening here? Is something wrong? No. The issue is that you can’t trace funds through a service, because the way that services store and manage funds deposited by users inherently makes further tracing inaccurate. Below, we’ll explain why that is and what steps investigators should take when funds they’re tracking hit a service, by which we mean an entity containing many addresses holding funds on behalf of numerous individuals, such as an exchange, merchant services provider, or even darknet market.
Transactions coming into services can’t be connected to transactions leaving services
Let’s start with the basics: The reason blockchain analysis is possible is that transactions in most cryptocurrencies are recorded on public, permanent blockchains that act as ledgers, allowing anyone to view them. Blockchains display transactions by showing the amount that has moved between cryptocurrency addresses, which are pseudonymous by default. Blockchain analysis tools like Reactor make these transactions readable by attributing addresses to the services or entities that control them, and showing the transactions in a more visually coherent way, as you see in the screenshots above. The key point, though, is that blockchain analysis tools only reflect the movements of cryptocurrency between discrete addresses, as recorded on blockchains themselves.
That means, however, that following funds gets more complicated when someone sends cryptocurrency to an address hosted at a service like an exchange, even if you know the specific deposit address associated with an individual user. When a user sends cryptocurrency to their deposit address at a service, the cryptocurrency doesn’t just sit at that address. Instead, the service moves it around internally as needed, pooling and co-mingling it with the funds of other users. For instance, many exchanges keep portions of deposited funds in cold wallets disconnected from the internet for security reasons. This idea holds true in the fiat world as well — if you deposit a $20 bill at an ATM and then withdraw $20 one week later, you’re not going to receive the exact same bill you originally had.
Of course, blockchains don’t know that services’ internal fund movements aren’t ordinary transactions as we understand them — they get recorded in the ledger just like any other transaction. Therefore, it doesn’t make sense to continue following funds once they’ve been deposited at a service, as the owner of the deposit address isn’t usually the one moving them after that point. Only the exchange itself knows which deposits and withdrawals are associated with specific customers, and that information is kept in the exchange’s order books, which aren’t visible on blockchains or in analysis tools like Reactor. In order to prevent investigators from mistakenly following funds after they’ve been deposited at a service, Reactor doesn’t show the outgoing transaction history for individual service deposit addresses.
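To make the point concrete, here is an added Python example (not Reactor code, and not from Chainalysis) that simulates the situation described above over a small constructed ledger. The addresses, amounts, entity names and the attribution table are all invented for illustration. It builds a sending exposure wheel for an address, drills into one category to list counterparties, and traces funds hop by hop with a stop rule for service-attributed addresses; a naive trace that ignores that rule is also shown, so you can see it land on the exchange's cold wallet, a result that says nothing about the user who made the deposit.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data): (txid, from, to, amount).
TXS = [
    ("tx1", "hack_victim_hot", "intermediary_1", 10.0),
    ("tx2", "intermediary_1", "intermediary_2", 10.0),
    ("tx3", "intermediary_2", "ex2_deposit_user42", 10.0),
    # Exchange 2 sweeps several users' deposits into one pooled hot wallet.
    ("tx4", "ex2_deposit_user42", "ex2_hot", 10.0),
    ("tx5", "ex2_deposit_user07", "ex2_hot", 25.0),
    ("tx6", "ex2_deposit_user19", "ex2_hot", 5.0),
    # Internal movements and customer withdrawals leave the pool as ordinary transactions.
    ("tx7", "ex2_hot", "ex2_cold", 30.0),
    ("tx8", "ex2_hot", "withdrawal_addr_a", 4.0),
    ("tx9", "ex2_hot", "withdrawal_addr_b", 6.0),
]

# Constructed attribution table (hypothetical): address -> (entity, category).
ATTRIBUTION = {
    "hack_victim_hot": ("Exchange 1", "exchange"),
    "ex2_deposit_user42": ("Exchange 2", "exchange"),
    "ex2_deposit_user07": ("Exchange 2", "exchange"),
    "ex2_deposit_user19": ("Exchange 2", "exchange"),
    "ex2_hot": ("Exchange 2", "exchange"),
    "ex2_cold": ("Exchange 2", "exchange"),
}
# Categories that pool funds on behalf of many users; tracing stops here.
SERVICE_CATEGORIES = {"exchange", "merchant services", "darknet market"}


def entity_of(addr):
    """Return (entity, category) for an address, or 'unattributed' if unknown."""
    return ATTRIBUTION.get(addr, ("unattributed", "unattributed"))


def sending_exposure(addr):
    """Aggregate outgoing value by counterparty category (the 'exposure wheel')."""
    wheel = defaultdict(float)
    for _, src, dst, amt in TXS:
        if src == addr:
            wheel[entity_of(dst)[1]] += amt
    return dict(wheel)


def counterparties(addr, category):
    """Drill into one slice of the wheel: the addresses and entities that received funds."""
    return sorted({(dst, entity_of(dst)[0])
                   for _, src, dst, _ in TXS
                   if src == addr and entity_of(dst)[1] == category})


def trace(start, stop_at_services=True):
    """Follow funds hop by hop. With stop_at_services=True the trace halts at the first
    service-attributed address, which is where chain data stops being meaningful.
    This sample ledger is a single-hop chain; real tracing would have to branch."""
    path = [start]
    current = start
    while True:
        entity, category = entity_of(current)
        if stop_at_services and category in SERVICE_CATEGORIES:
            return path, f"stopped at {current} ({entity}); request records from the service"
        outs = [dst for _, src, dst, _ in TXS if src == current]
        if not outs:
            return path, "stopped: no outgoing transactions"
        current = outs[0]
        path.append(current)


def pool_composition(pool_addr):
    """What a service's pooled wallet received and sent. Once deposits from several
    users are co-mingled, no outgoing transaction can be tied to one depositor
    from chain data alone; only the service's own records can do that."""
    inflow = sum(amt for _, _, dst, amt in TXS if dst == pool_addr)
    depositors = sorted({src for _, src, dst, _ in TXS if dst == pool_addr})
    outflow = [(dst, amt) for _, src, dst, amt in TXS if src == pool_addr]
    return inflow, depositors, outflow


if __name__ == "__main__":
    print("exposure of intermediary_2:", sending_exposure("intermediary_2"))
    print("exchange counterparties:", counterparties("intermediary_2", "exchange"))
    print("trace (stop at service):", trace("intermediary_1"))
    print("naive trace through service:", trace("intermediary_1", stop_at_services=False))
    print("pool composition of ex2_hot:", pool_composition("ex2_hot"))
```

Running it, the disciplined trace ends at the deposit address with a prompt to contact Exchange 2, while the naive trace continues into the exchange's pooled wallet and on to its cold storage; the pool composition output shows three unrelated depositors feeding the same wallet, which is exactly why the second result cannot be attributed to the original depositor.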
Investigators need to work with cryptocurrency services
While the ineffectiveness of tracing funds through a service can be frustrating for investigators, they’re by no means out of options when they trace funds to a service deposit address. They just need to work with the service in question. We recommend investigators reach out to services to learn more about where a user has sent funds post-deposit, or even subpoena them for this information if necessary. You can watch our webinar on cryptocurrency subpoenas to learn more about how to optimize the process.