Cryptocurrency Tracing Methods

The Litigators Guide

This guide is written for litigators, not technologists. It explains how cryptocurrency forensic experts trace disputed assets, what analytical techniques they use at each stage, where those techniques have been tested and challenged in court, and what the case law across three common-law jurisdictions tells us about the evidentiary standard that forensic methodology must meet.

What Is Cryptocurrency Forensic Methodology?

Cryptocurrency forensic methodology is the systematic application of analytical techniques to blockchain data in order to trace the movement of digital assets, attribute wallet addresses to their controllers, and produce evidence that meets the admissibility standards of a court of law.

To understand how it works – and why the methodology matters as much as the findings – consider the kitchen.

A professional kitchen has three distinct components: the equipment, the recipes, and the chef. A restaurant may own the finest knives and the most sophisticated ovens in the city, but without a trained chef who understands which technique to apply to which ingredient, and in what sequence, those tools produce nothing of value. Equally, a talented chef without the right equipment is limited in what they can produce. The two are interdependent. But above both sits the recipe – the documented, repeatable, defensible process that determines whether the outcome is consistent, reliable, and fit for the table.

Cryptocurrency forensic methodology is the recipe. The software platforms used to analyse the blockchain are the kitchen equipment. And the forensic analyst is the chef – the trained professional who selects the right tools, applies the right techniques, and takes personal responsibility for what arrives at the table.

In a courtroom, this distinction is the difference between evidence that stands and evidence that struggles under the microscope of cross-examination.

[Infographic: Three Components of Forensic Analysis – the Recipe (forensic methodology, the analytical approach), the Kitchenware (blockchain analysis software such as Chainalysis Reactor and TRM Labs), and the Chef (the expert witness who applies the methodology to produce court-admissible evidence). Produced by Captura Cyber.]

What Cryptocurrency Forensic Methodology Is Not

It is important to distinguish cryptocurrency forensic methodology from two adjacent practices with which it is sometimes confused.

The first is blockchain analytics software – commercial platforms such as Chainalysis, Elliptic, or CipherTrace that generate automated attribution outputs. These are the kitchen equipment. They are powerful, widely used, and genuinely useful. But handing a litigator a software-generated report without methodological accountability is like serving a guest a meal and, when asked how it was prepared, pointing at the oven. The oven did not make the decision. The chef did. Courts are increasingly asking the same question of forensic reports: not what the software produced, but what analytical decisions the expert made, and why.

The second is open-source intelligence (OSINT) – the gathering of publicly available information about individuals or entities connected to blockchain addresses. OSINT may support a forensic investigation, but it operates outside the chain of cryptographic evidence and is assessed by different reliability standards. It is the garnish, not the dish.

Why Methodology Is the First Question a Litigator Should Ask

In a courtroom context, the value of a cryptocurrency forensic analysis is determined not by the sophistication of the technology used to produce it, but by the defensibility of the method behind it. An opposing expert, a cross-examining advocate, or an admissibility challenge – whether a Daubert motion in the United States, a Part 35 compliance question in the United Kingdom, or a challenge under the Evidence Act in Australia – can take apart technically accurate findings if the analyst can’t articulate, justify, and defend every inferential step taken in reaching their conclusions.

A Michelin-starred kitchen does not succeed because it owns expensive equipment. It succeeds because every dish that leaves the kitchen has been prepared according to a documented, tested, and repeatable process – one the head chef can explain in precise detail. The same standard applies to forensic evidence.

This is why methodology is the first and most important question a litigator should ask of any cryptocurrency forensic expert: not what did you find, but how did you find it, and can that process withstand scrutiny?

The Core Techniques

Cryptocurrency forensic methodology encompasses a defined set of analytical techniques – the foundation recipes of the forensic kitchen, the stocks and breads of the trade – each suited to different tracing challenges and each carrying its own reliability profile. The principal techniques in current forensic practice are:

Commingled funds analysis – following the flow of specific funds through successive transactions and accounting for value that has been mixed with funds from other sources. The commingled funds models used – FIFO, LIFO, pari passu, LIBR, and rolling charge – are derived from forensic accounting and equity’s treatment of mixed bank accounts, and are now applied to cryptoassets by a growing body of international case law.

Wallet clustering – grouping multiple blockchain addresses that the evidence suggests are controlled by the same entity, using three principal heuristics: co-spend (common input) analysis, behavioural analysis (fee structures, peel chains, change address patterns), and intelligence-based direct attribution using off-chain evidence. The authoritative judicial examination of these heuristics is United States v Sterlingov (D.D.C. 2024).

Change address heuristics – identifying which outputs in a UTXO-based transaction represent returned funds to the sender, as distinct from payments to third parties. This technique applies to Bitcoin and other UTXO-based networks and does not transfer to account-based cryptocurrencies or Layer 2 tokens.

Chain-hopping analysis – tracing assets deliberately moved from one blockchain network to another in order to obscure their origin, through bridge protocols, cross-chain swap services, or centralised exchanges.

Mixer and tumbler tracing – analysing transactions that have passed through obfuscation services designed to sever the link between sending and receiving addresses, from centralised mixer services through to protocol-level privacy implementations.

DeFi protocol forensics – tracing value through decentralised finance platforms, where assets may be converted, pooled, routed through smart contracts, or extracted through protocol exploits without the involvement of any centralised intermediary.

Each technique is examined in detail in the sections that follow. Together they make up the methodological kitchen from which a forensic expert constructs an evidentiary case – and from which a defence expert identifies where the cooking went wrong.

[Infographic: Six Methods, One Framework – Commingled Funds Analysis (FIFO, LIFO, pari passu, LIBR, rolling charge), Wallet Clustering (co-spend, behavioural analysis, direct attribution), Change Address Heuristics (UTXO model), Chain-Hopping Analysis (cross-chain bridges and swap services), Mixer and Tumbler Tracing, and DeFi Protocol Forensics. Produced by Captura Cyber.]

A Note on the Diversity of Digital Assets

Before examining those techniques in detail, one foundational point should be made and it applies to every section that follows: not all cryptocurrencies are the same. A full taxonomy of digital asset types – native layer 1 tokens, layer 2 tokens, ERC-20 assets, stablecoins, wrapped tokens, NFTs, and the many other categories that have emerged across different blockchain architectures – is beyond the scope of this article. But the practical implication is that the forensic methodology appropriate for one cryptocurrency may be entirely inappropriate for the next.

The techniques applied to a Bitcoin tracing matter are not the same as those applied to a matter involving Ethereum, Tether, or a token operating on a layer 2 network. The underlying architecture of the asset determines which analytical tools are valid, which heuristics are reliable, and which assumptions cannot safely be made. Selecting the wrong methodology for the asset in question is not merely a technical error – it is the kind of error that an opposing expert will identify, that a cross-examiner will exploit, and that a court may use as grounds to question the reliability of the entire analysis.

Knowing which technique fits which asset, and being able to justify that choice under cross-examination, is part of what distinguishes a skilled forensic expert from one who applies a standard toolkit without regard for what is actually in front of them. To return to the kitchen: a good chef does not decide the technique before seeing the ingredient. And they certainly do not apply a technique suited to one ingredient to another simply because both ingredients are vegetables.

How Does a Cryptocurrency Expert Trace Stolen or Disputed Cryptocurrency?

When a litigator instructs a cryptocurrency forensic expert, they are commissioning a documented, step-by-step account of where funds originated, where they travelled, and where they came to rest, expressed in language and supported by evidence that a court can assess and a judge can understand.

To continue the kitchen analogy: before a chef can cook, they must read the recipe, source the ingredients, assess the quality of what they have been given, select the appropriate techniques, and then execute – in the right order, at the right temperature, with the right level of precision. Rushing any stage produces a dish that fails. The same is true of a forensic tracing exercise.

Stage 1 – Reading the Brief

The first task of a forensic expert is not to open a software platform. It is to understand precisely what question is being asked. The scope of a tracing exercise determines everything that follows: which blockchain networks are in scope, what the relevant time period is, what the known starting points are, and what standard of proof the findings must meet.

In several of the jurisdictions we work across, this scoping exercise is a formal procedural requirement. In the United Kingdom, instructions to an expert witness must be documented in writing, as mandated under Part 35 of the Civil Procedure Rules. In Australia, various state and federal Evidence Acts similarly allow for a written letter of instruction. This formal requirement exists for good reason: a poorly scoped instruction is one of the most common causes of forensic reports that fail to answer the legal question actually in dispute. Documenting the instruction creates accountability on both sides – it disciplines the litigator to articulate the precise question, and it disciplines the expert to answer that question and no other.

In jurisdictions where written instructions are not mandated, I recommend them regardless. The letter of instruction is the diner’s order to the wait staff. A chef who begins cooking without reading it is unlikely to produce what the table ordered.

Stage 2 – Identifying the Origin Point: Sourcing the Ingredients

Every tracing exercise begins with at least one known data point – what I call the origin address or seed transaction. This is the starting ingredient. It may be a wallet address from which funds were stolen, a transaction hash recorded in exchange logs, a smart contract address, or an on-chain movement identified in prior disclosure.

The quality and reliability of this starting point matters enormously. An origin address that has been incorrectly identified – through misattribution, exchange error, or deliberate misdirection – will produce a tracing chain that is technically coherent but factually wrong. The expert should verify the origin point independently before building any analysis from it. No competent chef begins cooking with an ingredient that they haven’t inspected.

Stage 3 – Following the Chain: The Cooking Process

With a verified origin point established, the expert begins tracing the movement of funds through the blockchain. This is the core analytical work – and the stage at which the chef’s skill is most visible.

For example, the Bitcoin blockchain records every transaction in sequence, permanently and publicly. What it does not record is identity. The expert’s task is to follow the value as it moves from address to address, applying the appropriate analytical technique at each step to answer three questions: where did these funds go, who controlled the addresses they moved through, and what happened if the chain became obscured?

This stage typically involves the sequential application of several techniques – commingled funds analysis to follow the value, wallet clustering to attribute addresses to controllers, and chain-hopping or mixer analysis where the funds crossed networks or passed through obfuscation services.

Stage 4 – Identifying the Destination: Plating the Dish

The objective of most tracing exercises is to follow disputed funds to a point of off-ramp – an exchange, a payment processor, a custodial wallet, or another identifiable entity where the funds can be frozen, disclosed, or attributed. This is the destination: the plate on which the dish is served.

In some cases the funds reach a clear destination. In others, the chain fragments across multiple addresses, passes through mixers, or terminates at addresses for which no ownership attribution is currently possible. A competent forensic expert documents all three outcomes with equal rigour – the clear destination, the partial trail, and the current dead end – because courts require an honest account of the limits of the analysis as much as they require its positive findings.

A chef who only reports dishes that came out well is not being completely honest.

Stage 5 – Producing the Report

The final stage is the translation of analytical findings into a forensic report that meets the procedural requirements of the relevant jurisdiction.

A forensic report is not a data export. It is a structured, reasoned document in which the expert sets out their methodology, their findings, their reasoning, and the limitations of their analysis. It must be written for two audiences simultaneously: the litigator who needs to understand the strategic implications, and the court that needs to assess the reliability of the evidence. The gap between a technically accurate analysis and a court-ready report is wider than most non-experts appreciate – and bridging it is a core part of the forensic expert’s function.

How Are Commingled Cryptocurrency Funds Traced, and How Do Courts Treat Them?

Commingled funds sit at the heart of many contested cryptocurrency tracing matters. The term refers to what happens when disputed assets – funds that are stolen, fraudulently obtained, or otherwise of legal significance – are mixed with other value, either deliberately to obscure their origin or simply as a consequence of normal wallet activity. Tracing through that mixture is the forensic challenge. Determining what legal consequences flow from it is the court’s challenge.

Here’s how.

Commingled Funds Are Not a New Problem

Forensic accountants have grappled with commingled funds for decades. When disputed cash is deposited into a bank account that already holds legitimate funds, the question of which subsequent withdrawals carry the taint of the disputed deposit – and in what proportion – is a well-established problem in both the law of tracing and the practice of financial forensics. The rules for answering it, while complex, have been developed over many years of litigation.

Cryptocurrency tracing inherits that problem in full, and adds several layers of technical complexity on top of it. On a blockchain, funds from multiple sources may enter a single wallet address across hundreds of transactions, be partially spent, receive further deposits, and be dispersed across dozens of outgoing transactions – all within hours. Tracing the disputed portion through that architecture requires the application of an established accounting methodology, applied consistently, and documented in a form the court can audit.

[Infographic: Five Commingled Funds Models – FIFO (first in, first out), LIFO (last in, first out), pari passu (pro rata attribution across all contributors), LIBR (lowest intermediate balance rule), and rolling charge (continuous mixed-funds accounting), applied to cryptoasset tracing by a growing body of international case law. Produced by Captura Cyber.]

The Methodology Is Forensic. The Rules Are Legal.

This is the distinction that litigators must keep in mind: how commingled cryptocurrency funds are traced is a matter of forensic methodology; how a court treats the result is a matter of law.

The methodologies used to trace commingled cryptocurrency funds are not novel inventions of the blockchain era – they are drawn directly from forensic accounting and equity’s treatment of mixed bank accounts, developed over two centuries of common-law jurisprudence. What is new is the growing body of international case law applying them to cryptoassets, for example, D’Aloia v Persons Unknown [2024] EWHC 2342 (Ch) in the UK, Ruscoe v Cryptopia Ltd [2020] NZHC 728 in New Zealand, Re Gatecoin Ltd [2023] HKCFI 914 in Hong Kong, and United States v Sterlingov (2024) in the US federal courts.

The five principal methodologies for commingled funds in current forensic practice are:

The FIFO model (First In, First Out) – rooted in the rule in Clayton’s Case (1816) in the UK – treats the earliest funds to enter a wallet as the first to leave, applying the same chronological queue assumed in standard accounting stock rotation. It must be applied consistently across every transaction: selective application is fatal, as D’Aloia demonstrated.

The LIFO model (Last In, First Out) treats the most recently deposited funds as the first to leave. It has no principled doctrinal foundation in equity as a tracing rule and surfaces as an inference of fact – for instance, where misappropriated funds are followed almost immediately by an identifiable onward transfer.

The pari passu model distributes the disputed proportion pro-rata across all withdrawals, reflecting each contributor’s proportionate share of the commingled pool. It is the modern default in multi-claimant pooled fund cases, applied in Barlow Clowes (UK), Cunningham v Brown (US), and Ruscoe v Cryptopia (NZ).

The LIBR model (Lowest Intermediate Balance Rule) – derived from James Roscoe (Bolton) Ltd v Winder [1915] – operates as a universal cap rather than a primary tracing method. A claimant’s traceable proprietary claim cannot exceed the lowest balance the mixed account reached between the date of the misappropriation and the date of the claim. It applies alongside whichever primary methodology is selected and is particularly significant where assets have passed through exchange wallets with high transaction volume.

The rolling charge model recalculates the proportion of tainted value in the wallet after every transaction, creating a continuously updated picture of the mixture. Conceptually endorsed in Barlow Clowes and D’Aloia as a fair methodology, it was historically resisted due to computational burden – an objection largely obsolete on the blockchain, where every transaction is timestamped and every input identifiable.

Each model is a legitimate recipe. But which recipe the court will accept, and under what circumstances, depends on the jurisdiction, the transaction architecture, and the quality of the methodology’s application. Most forensic experts can produce a technically rigorous analysis using any of these models. Only the instructing lawyer – guided by local counsel where appropriate – can determine which model is legally defensible in the venue where the matter will be decided.

For the litigator, it is sufficient to be aware of this dynamic: just as commingled funds are a well-established and carefully regulated concept in forensic accounting, they are equally alive and active in cryptocurrency tracing – and the methodology applied to them may be scrutinised with the same rigour that a court would apply to any contested financial reconstruction.
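The five models are easiest to compare when run over one and the same wallet history. The Python below is an added example written for this guide, not code from any court, expert or forensic platform: it applies FIFO, LIFO, pari passu (as a single ex post fraction) and rolling charge to a constructed ledger of deposits and withdrawals, then caps each model’s residue with LIBR. The ledger, the destination labels and the precise rule variants are assumptions of the example.

```python
"""Commingled-funds attribution on a constructed single-wallet ledger.
Added example for this guide; not code from any court, expert or platform.
Exact rational arithmetic (fractions) keeps every figure auditable."""
from collections import deque
from fractions import Fraction as F

# Constructed ledger in chronological order, amounts in arbitrary units.
# ("deposit", amount, "tainted" | "clean")  - "tainted" = the claimant's funds
# ("withdrawal", amount, destination label)
LEDGER = [
    ("deposit", 100, "clean"),
    ("deposit", 50, "tainted"),         # the misappropriated funds arrive here
    ("withdrawal", 145, "exchange-X"),  # balance drops to 5
    ("deposit", 95, "clean"),           # clean top-up, balance back to 100
    ("withdrawal", 40, "exchange-Y"),   # closing balance 60
]

def _lot_model(ledger, take_newest):
    """FIFO (take_newest=False) or LIFO (take_newest=True) over deposit lots.
    Returns ({destination: tainted value sent there}, tainted value left)."""
    lots = deque()  # [amount, tag] in order of arrival
    out = {}
    for kind, amount, label in ledger:
        if kind == "deposit":
            lots.append([F(amount), label])
            continue
        out.setdefault(label, F(0))
        remaining = F(amount)
        while remaining > 0:
            if not lots:
                raise ValueError("withdrawal exceeds wallet balance")
            lot = lots[-1] if take_newest else lots[0]
            used = min(lot[0], remaining)
            if lot[1] == "tainted":
                out[label] += used
            lot[0] -= used
            remaining -= used
            if lot[0] == 0:
                lots.pop() if take_newest else lots.popleft()
    residue = sum((a for a, tag in lots if tag == "tainted"), F(0))
    return out, residue

def fifo(ledger):
    """Clayton's Case: earliest funds in are the first out."""
    return _lot_model(ledger, take_newest=False)

def lifo(ledger):
    """Most recent deposit is treated as the first to leave."""
    return _lot_model(ledger, take_newest=True)

def pari_passu(ledger):
    """One ex post fraction (tainted deposits / all deposits) applied to every
    withdrawal and to the closing balance, regardless of timing."""
    deposits = sum(F(a) for k, a, _ in ledger if k == "deposit")
    tainted = sum(F(a) for k, a, t in ledger if k == "deposit" and t == "tainted")
    share = tainted / deposits
    out, balance = {}, F(0)
    for kind, amount, label in ledger:
        if kind == "deposit":
            balance += amount
        else:
            out[label] = out.get(label, F(0)) + share * amount
            balance -= amount
    return out, share * balance

def rolling_charge(ledger):
    """Recalculate the tainted fraction after every transaction; each
    withdrawal carries the fraction current at that moment."""
    tainted, balance, out = F(0), F(0), {}
    for kind, amount, label in ledger:
        if kind == "deposit":
            balance += amount
            if label == "tainted":
                tainted += amount
        else:
            carried = tainted / balance * amount
            out[label] = out.get(label, F(0)) + carried
            tainted -= carried
            balance -= amount
    return out, tainted

def lowest_intermediate_balance(ledger):
    """LIBR cap: lowest wallet balance from the first tainted deposit onward."""
    balance, lowest, started = F(0), None, False
    for kind, amount, label in ledger:
        balance += amount if kind == "deposit" else -amount
        started = started or (kind == "deposit" and label == "tainted")
        if started:
            lowest = balance if lowest is None else min(lowest, balance)
    return lowest

def traceable_in_wallet(model, ledger):
    """The model's tainted residue in the wallet, capped by LIBR."""
    _, residue = model(ledger)
    return min(residue, lowest_intermediate_balance(ledger))
```

On this ledger pari passu leaves roughly 12.2 units of tainted value in the wallet, but the balance dipped to 5 after the first withdrawal, so LIBR caps the proprietary claim against the wallet at 5; the other three models already sit below the cap.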

What Inconsistent Application Looks Like: A Caution from the UK High Court

The consequences of applying a commingled funds methodology inconsistently – or of failing to apply any coherent methodology at all – were demonstrated with considerable force in the UK High Court matter of D’Aloia v Persons Unknown [2024] EWHC 2342 (Ch).

In that case, the claimant’s expert purported to apply a FIFO methodology to trace USDT through a series of wallet addresses to an account held at a cryptocurrency exchange. Under cross-examination, however, the court found that the expert had in fact applied a subjective approach.

The court found the expert’s evidence to be, in its own words, “chaotic and, ultimately, contradictory.” The lack of a coherent, explainable, and mathematically auditable method was fatal. The court held that the claimant had failed to prove, on the balance of probabilities, that any of his funds had reached the defendant’s wallet. The claim failed – not because the funds had not been traced, but because the methodology used to trace them did not withstand judicial scrutiny.

To return to the kitchen: the chef claimed to be following a specific recipe, but when the kitchen was inspected, the dish on the pass bore no consistent relationship to any recipe that could be written down, reproduced, or verified. The diner – the court – sent it back.

When instructing a cryptocurrency forensic expert, the question is not simply whether a commingled funds methodology has been applied. It is whether that methodology has been applied consistently, transparently, and in a manner that allows the court – and another expert witness – to reproduce the findings.

A full analysis of the D’Aloia judgment and its implications for cryptocurrency tracing evidence is available in our case brief: Cryptocurrency Tracing Methodology Scrutinised: D’Aloia v Persons Unknown.


How Do Forensic Experts Attribute Multiple Wallet Addresses to a Single Controlling Entity?

A persistent misconception about cryptocurrency tracing is that each wallet address represents a distinct person or entity. In practice, a single individual or organisation may control hundreds – conceptually an infinite number – of wallet addresses simultaneously, cycling through them to receive payments, manage funds, and obscure the connection between transactions.

For the litigator, this matters enormously. A freezing order, a proprietary claim, or a criminal forfeiture application may depend on the ability to demonstrate that a particular wallet address – the one holding the disputed funds – is controlled by the same entity as another address already linked to the defendant. Wallet clustering can be how that demonstration is made.

What Is Clustering?

Clustering is a blockchain analysis technique that identifies and groups together multiple cryptocurrency addresses that are believed to be controlled by the same entity, individual or organisation. Because cryptocurrency users frequently combine multiple addresses and use them together in single transactions, clustering allows investigators to consolidate what could be hundreds of thousands of individual, anonymous addresses into a single, identifiable entity – called a cluster. This prevents investigators from having to review transactions manually, address by address, and allows them to map out large services such as darknet markets or cryptocurrency mixers at scale.

How We Find Clusters – What Are Heuristics?

Heuristics are the logical rules, patterns of behaviour, or statistical assumptions used to make clustering determinations about the ownership of anonymous public keys. In plain terms: a heuristic is a reasoned basis for concluding that two or more addresses are likely controlled by the same person, drawn from how the blockchain actually works.

The relationship between heuristics and blockchain analysis software is foundational: heuristics are the underlying computational algorithms that the software uses to execute clustering. Because the Bitcoin blockchain (for example) is a public ledger containing only pseudonymous addresses and transaction amounts, blockchain analysis software relies on programmed heuristic rules to automatically rank different transactional branches, group related addresses together, and visualise the flow of funds.

The heuristics themselves could, in principle, be applied manually – the logical rules underneath each are not mathematically exotic. In practice, however, wallet clustering is the domain of software. A single blockchain entity may be linked to hundreds of thousands of addresses across millions of transactions: the computational scale required to apply clustering heuristics consistently, exhaustively, and without error across that volume of data is generally beyond manual capacity. This is why the major commercial blockchain analytics platforms (for example, Chainalysis Reactor, TRM Labs and Elliptic Investigator) exist: they industrialise a process that is conceptually straightforward but computationally immense.

The Three Principal Heuristics

An authoritative account of how clustering heuristics work in a forensic context comes from United States v Sterlingov, 2024 WL 860983 (D.D.C. 2024), in which, during a Daubert hearing before Judge Randolph Moss, Chainalysis experts testified in detail about three heuristics their software applies. The court admitted the evidence. Those three heuristics are:

Heuristic 1 – Co-Spend (Common Input Analysis)

This is the foundational method for blockchain clustering. It operates on the rule that if multiple distinct Bitcoin addresses are used as inputs in a single transaction, they are almost certainly controlled by the same entity.

The basis is cryptographic. To authorise a transaction that draws on multiple input addresses, the sender must possess the private keys for all of those addresses – they must all be signed simultaneously. Private keys are not shared between strangers. The co-spend heuristic therefore treats co-signed inputs as strong evidence of common control. It was described in the Sterlingov proceedings as the most commonly used and most reliable metric in commercial blockchain analysis.

Heuristic 2 – Behavioural Analysis

This heuristic clusters addresses by observing and tracking a particular entity’s unique on-chain behaviours and transaction patterns. Because large-scale blockchain services often use automated scripts to form their transactions, their behaviour tends to be highly predictable. Blockchain analysis software recognises specific transactional features – fee structures, data sizes embedded in transactions, lock times – and uses these to build custom clustering algorithms tailored to specific entities.

Two important sub-categories of behavioural analysis are:

  • Peel chains – a pattern in which a large amount of Bitcoin is gradually reduced across multiple sequential transactions. Each transaction has two outputs: one representing a payment to a third party, and one representing the change returned to a new address controlled by the original sender. The chain of change addresses can be followed and clustered.

  • Change address analysis – analysing a transaction’s outputs to identify which address received the change back to the sender’s own wallet, as distinct from the payment to the counterparty. Correctly identifying the change address allows the software to follow the remaining funds and cluster the new change address with the original sender.
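As an added example (not Chainalysis’s or any vendor’s code), the following Python applies the co-spend heuristic and a conservative form of the change-address heuristic to a constructed set of UTXO-style transactions; the transactions, the address labels and the “one fresh output” change rule are assumptions of the example. It abstains rather than guesses when all of a transaction’s outputs are previously unseen, which is exactly where a peel chain breaks and the gap has to be closed by other evidence.

```python
"""Co-spend clustering plus a conservative change-address heuristic.
Added example for this guide; not Chainalysis's or any vendor's code.
Transactions are constructed; amounts are integer units."""

# Constructed UTXO-style transactions in chain order. "inputs" are the
# addresses whose funds were spent (all must have signed); "outputs" are
# (address, amount). M* are third-party payees, C* are fresh change addresses.
TXS = [
    {"id": "tx0", "inputs": ["Z1"], "outputs": [("M1", 20_000)]},
    {"id": "tx1", "inputs": ["A1", "A2"], "outputs": [("M1", 70_000), ("C1", 29_000)]},
    {"id": "tx2", "inputs": ["C1"], "outputs": [("M2", 10_000), ("C2", 18_500)]},
    {"id": "tx3", "inputs": ["B1", "B2"], "outputs": [("M1", 5_000), ("B1", 4_000)]},
    {"id": "tx4", "inputs": ["C2"], "outputs": [("M1", 3_000), ("C3", 15_000)]},
]

class DisjointSet:
    """Union-find over addresses; each root is one cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def clusters(self):
        groups = {}
        for x in self.parent:
            groups.setdefault(self.find(x), set()).add(x)
        return sorted((frozenset(g) for g in groups.values()), key=min)

def co_spend(txs, ds):
    """Heuristic 1: every input of one transaction was signed by the same
    key-holder, so all of its input addresses are joined into one cluster."""
    for tx in txs:
        first = tx["inputs"][0]
        ds.find(first)  # register single-input spenders too
        for addr in tx["inputs"][1:]:
            ds.union(first, addr)

def change_output(tx, seen_before):
    """Heuristic 2 (change address), conservative variant assumed here:
    - an output paid back to one of the input addresses is change;
    - otherwise change is the single output whose address has never
      appeared on-chain before, provided the other outputs have.
    Returns None (abstains) when neither rule yields exactly one answer."""
    inputs = set(tx["inputs"])
    outs = [addr for addr, _ in tx["outputs"]]
    if len(outs) < 2:
        return None  # a sweep to one address says nothing about change
    back = [a for a in outs if a in inputs]
    if len(back) == 1:
        return back[0]
    fresh = [a for a in outs if a not in seen_before and a not in inputs]
    return fresh[0] if len(fresh) == 1 else None

def cluster(txs):
    """Apply both heuristics in chain order.
    Returns (clusters, ids of multi-output txs where change was undecidable)."""
    ds = DisjointSet()
    co_spend(txs, ds)
    seen, undecided = set(), []
    for tx in txs:
        change = change_output(tx, seen)
        if change is not None:
            ds.union(tx["inputs"][0], change)
        elif len(tx["outputs"]) > 1:
            undecided.append(tx["id"])
        seen.update(tx["inputs"])
        seen.update(addr for addr, _ in tx["outputs"])
    return ds.clusters(), undecided
```

Running `cluster(TXS)` joins A1, A2 and C1 (co-spend plus the tx1 change inference) and C2 with C3, but tx2 is reported as undecided because both of its outputs were fresh, so the chain from C1 to C2 is not asserted by the heuristics alone.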

Heuristic 3 – Intelligence-Based Clustering (Direct Attribution)

Unlike the first two heuristics, which work from on-chain ledger data and mathematical patterns, this heuristic draws on off-chain, real-world information to identify the owner of a cluster. Competing firms sometimes refer to this as direct attribution rather than a heuristic, because it relies on verifiable external evidence rather than inference from on-chain behaviour alone.

Sources include court documents, data leaks, undercover law enforcement transactions, subpoenas to financial institutions, open-source intelligence (OSINT), and information voluntarily shared by cryptocurrency exchanges. By linking these real-world data points to specific blockchain addresses, investigators can sometimes assign a true entity identity to the anonymous clusters the software has generated.

[Infographic: the three principal blockchain analysis heuristics as examined in United States v Sterlingov (D.D.C. 2024) – Co-Spend / Common Input Analysis (cryptographic proof of shared private-key control), Behavioural Analysis (peel chains, change address patterns, fee structures), and Intelligence-Based Clustering / Direct Attribution (off-chain evidence including OSINT, subpoenas, and exchange disclosures). Produced by Captura Cyber.]

How Clusters Are Built

The subject of heuristics is an expansive area of forensic practice in its own right – one that extends well beyond this article. It has been examined at length in academic literature, including the foundational work of Meiklejohn et al., A Fistful of Bitcoins: Characterising Payments Among Men with No Names (2013), which remains one of the most cited papers in the field and introduced several of the clustering heuristics still in active forensic use today. More recently, Temu and Louca’s Evaluation of Crypto Assets Investigation Techniques: Bitcoin Address Clustering (2026, DOI: 10.1007/978-3-032-18484-9_14) provides a contemporary evaluation of how those techniques have evolved and where their reliability limits now sit.

At a judicial level, the reliability of clustering heuristics has been tested under adversarial conditions in United States v. Roman Sterlingov, Criminal Action No. 21-399 (D.D.C.) – a prosecution in which the government’s case rested substantially on wallet clustering analysis produced by Chainalysis, and in which the defence mounted a sustained challenge to the reliability of those heuristics as applied to the Bitcoin Fog mixer. The case is instructive not only for what the court accepted, but for the rigour with which the underlying methodology was examined – and the degree to which the reliability of specific heuristics was placed in genuine dispute before the finder of fact.

For litigators, the practical implication is significant. Where a forensic expert’s clustering analysis attributes a specific set of wallet addresses to a party to proceedings – such as a defendant, a respondent to a freezing order, or a claimant asserting a proprietary interest – that attribution is likely to be one of the first and most intensively challenged elements of the evidence. Understanding the heuristic basis on which the cluster was constructed, and being prepared to defend or contest that basis, is central to the litigation strategy.

What Wallet Clustering Can and Cannot Establish

Wallet clustering can establish, to a forensically defensible standard, that a set of addresses are likely controlled by the same entity. When combined with off-chain evidence – such as exchange KYC records, IP address data, device identifiers, or court orders compelling disclosure – it can bridge the gap between address-level attribution and named-entity attribution.

What it cannot establish on its own is the identity of the controller. This is a critical distinction. The forensic expert can demonstrate that addresses A, B, and C are controlled by the same entity. The connection between that entity and a named defendant requires additional evidence. The expert who overstates the reach of their clustering analysis – claiming more than the heuristics can properly support – risks having the entire analysis dismissed as unreliable.

A practical illustration from our own casework makes this distinction concrete. In one matter, a forensic tool attributed a particular cluster of addresses to Binance Global – the world’s largest virtual asset service provider (VASP) by most meaningful measures. The clustering itself – the grouping of those addresses into a single entity – was analytically sound and could be established by evidence. What could not be established by evidence was the software’s attribution of that cluster to Binance simply because the tool said so. Software attribution is not proof of control. It is a hypothesis that requires corroboration.

To determine whether the attribution was defensible, it was necessary to look behind the tool’s output and ask: on what basis has this cluster been assigned to Binance? Upon closer examination, Binance’s own corporate website identified one of the addresses in the cluster as one of its hot wallets. That public statement – made by the entity itself, on its own website – was accepted as a credible and independently verifiable piece of evidence supporting the attribution of control over the cluster. The tool’s label became defensible not because the tool produced it, but because an independent source confirmed it.

This distinction applies across every instance in which a forensic platform attributes a cluster to a named entity. Blockchain forensics can establish that a cluster exists. Attributing control of that cluster to a specific entity requires evidence that exists outside the tool – and that evidence must be identified, documented, and capable of withstanding cross-examination in its own right.
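To make the distinction between a cluster and its attribution concrete, the following Python sketch is an added example; it is not code from this article, from Captura Cyber, or from any forensic platform. It builds clusters with the common-input-ownership heuristic introduced by Meiklejohn et al. (all inputs of one transaction are presumed to share a controller), applies a deliberately simple CoinJoin screen, and then keeps three things separate: what the chain shows (the cluster), what the tool asserts (its label), and what corroborates that label (evidence from outside the tool). The transactions, the "ExampleVASP" label and the independent source are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data). Each lists the
# addresses that funded its inputs and the (address, value) pairs it paid.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A", "B"], "outputs": [("X", 0.70), ("C", 0.29)]},
    {"txid": "tx2", "inputs": ["C"], "outputs": [("Y", 0.28)]},
    {"txid": "tx3", "inputs": ["D"], "outputs": [("Z", 1.00)]},
    # CoinJoin-style: inputs from independent parties, equal-valued outputs.
    {"txid": "tx4", "inputs": ["A", "D", "E"], "outputs": [("P", 0.1), ("Q", 0.1), ("R", 0.1)]},
]

# A label a forensic tool might attach to an address, and the independent
# evidence that would corroborate it. Both are constructed placeholders.
TOOL_LABELS = {"A": "ExampleVASP"}
INDEPENDENT_SOURCES = {
    "A": "address listed as a hot wallet on ExampleVASP's own website (constructed)",
}


class UnionFind:
    """Disjoint-set structure: union(a, b) records that a and b share a controller."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def is_coinjoin_like(tx, min_parties=3):
    """Simplified screen: several inputs and at least min_parties outputs of
    identical value. Such inputs do not share a controller, so applying the
    heuristic to them would merge strangers into one cluster."""
    if len(tx["inputs"]) < min_parties:
        return False
    values = [v for _, v in tx["outputs"]]
    return any(values.count(v) >= min_parties for v in set(values))


def build_clusters(txs):
    """Common-input-ownership heuristic. Returns the clusters found and the
    txids excluded by the CoinJoin screen."""
    uf = UnionFind()
    excluded = []
    for tx in txs:
        if is_coinjoin_like(tx):
            excluded.append(tx["txid"])
            continue
        first = tx["inputs"][0]
        uf.find(first)
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()], excluded


def attribute(cluster, tool_labels, independent_sources):
    """Report the tool's label for a cluster and whether anything outside the
    tool corroborates it. A label with no basis stays a hypothesis."""
    labels = {tool_labels[a] for a in cluster if a in tool_labels}
    basis = [independent_sources[a] for a in cluster if a in independent_sources]
    if not labels:
        return {"label": None, "status": "unattributed", "basis": []}
    label = labels.pop() if len(labels) == 1 else "conflicting labels"
    status = "corroborated" if basis else "hypothesis (tool label only)"
    return {"label": label, "status": status, "basis": basis}


if __name__ == "__main__":
    clusters, excluded = build_clusters(SAMPLE_TXS)
    for c in clusters:
        print(sorted(c), attribute(c, TOOL_LABELS, INDEPENDENT_SOURCES))
    print("excluded as CoinJoin-like:", excluded)
```

Two features of the output are worth noticing. Address C, which received the odd-valued output of tx1, is not joined to the {A, B} cluster, because common-input ownership alone says nothing about outputs; that link would need a separate, documented heuristic. And the status of the {A, B} cluster changes from "hypothesis" to "corroborated" only when an independent source is supplied, which is exactly the step the Binance illustration above turned on.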

How Reliable Are Change Address Heuristics as Forensic Evidence?

Every Bitcoin transaction – and every transaction on a UTXO-based blockchain – produces at least two outputs: the payment itself, sent to the intended recipient, and the change, returned to the sender. Unlike a bank transfer, where the sending account is simply debited and the receiving account credited, a UTXO transaction must consume its inputs in full and explicitly return whatever value was not intended as payment. That returned value goes to a change address – typically a new address generated automatically by the sender’s wallet software.

The forensic significance of this architecture is considerable. If an analyst can reliably identify which output in a transaction is the change and which is the payment, they have established two things simultaneously: the direction of the payment and the identity of an address controlled by the sender. That change address then becomes a new data point in the clustering analysis, potentially linking the sender’s wallet across many subsequent transactions.

Change address heuristics are the set of inference rules used to make that identification. They are a standard component of the forensic toolkit for UTXO-based cryptocurrency analysis. They are also, as this section examines, a source of meaningful evidential risk when applied without sufficient rigour.

The Principal Heuristics

The round number heuristic observes that payments between human parties tend to be round numbers – 1 Bitcoin, 0.5 ETH, 100 USDT – while change outputs tend to be irregular amounts reflecting the arithmetic residual of the transaction. Where one output is a round number and the other is not, the irregular output is provisionally identified as change. This is an intuitive and frequently useful heuristic, but it is not reliable in isolation: automated payment systems, exchange withdrawals, and programmatic transactions regularly produce non-round outputs that are genuine payments rather than change.

The fresh address heuristic observes that wallet software typically generates a new, previously unused address to receive change, rather than returning it to an address that has appeared in prior transactions. Where one output goes to an address with no prior transaction history and the other goes to an address that has appeared before, the fresh address is provisionally identified as change. Again, this is a useful starting point that requires corroboration – privacy-conscious users and certain wallet architectures deliberately reuse addresses in ways that confound this inference.

The script type heuristic observes that where a transaction’s inputs and one of its outputs share the same script type – the technical format of the address – and the other output uses a different script type, the output matching the input script type is more likely to be change returned to the sender’s own wallet. This heuristic is particularly relevant in transactions involving legacy and SegWit address formats and has proven useful in practice, though it too can be defeated by deliberate address format switching.

Where Change Address Heuristics Break Down

The limitations of change address heuristics are well understood in the forensic community, and a competent opposing expert will probe them directly.

Deliberate manipulation is the most obvious vulnerability. A sophisticated actor who understands how these heuristics work can construct transactions specifically designed to confound them – using non-round payment amounts, reusing addresses as change destinations, or mixing script types in ways that make the change output indistinguishable from the payment output.

The consolidation transaction problem arises where multiple UTXOs are swept into a single address without any genuine payment being made – a common wallet maintenance operation that produces transactions with no change output at all, or with change that bears no reliable relationship to the heuristics above. Misidentifying a consolidation transaction as a payment transaction is an error that cascades through the entire subsequent analysis.

The multi-party transaction problem mirrors the CoinJoin challenge in the clustering context: where a transaction involves inputs from multiple independent parties – as in certain exchange batch transactions – the change address heuristics that assume a single sender break down entirely.

As noted in the tracing section above, change address heuristics simply do not apply to account-based cryptocurrencies and Layer 2 tokens. Applying UTXO-specific analytical frameworks to Ethereum transactions, ERC-20 token transfers, or Layer 2 activity is a category error – the forensic equivalent of using a recipe for one ingredient on an entirely different one.

What This Means for the Litigator

Change address heuristics are a legitimate and valuable component of cryptocurrency forensic analysis when applied to the right asset type, corroborated by complementary evidence, and documented with appropriate acknowledgement of their limitations. They become a liability when applied mechanically, without regard for the specific transaction architecture under examination, or when their probabilistic nature is not disclosed.

For the litigator instructing a forensic expert, the right question is not whether change address heuristics have been used, but whether their application has been justified, their limitations acknowledged, and their outputs corroborated.

A forensic kitchen that relies on a single seasoning technique, applied without tasting the dish, is not a kitchen producing evidence fit for the table.

How Are Assets Traced When They Have Been Moved Across Multiple Blockchains?

In the early years of cryptocurrency litigation, most tracing matters involved a single blockchain. A theft of Bitcoin was traced on the Bitcoin network. A fraud involving Ethereum was traced on the Ethereum network. The forensic task, while technically demanding, was at least contained within a single ledger governed by a single set of rules.

That containment no longer holds. The proliferation of blockchain networks – and the sophisticated cross-chain infrastructure that has developed to move value between them – means that disputed assets routinely travel across multiple networks before coming to rest. This technique, known in forensic practice as chain-hopping, is one of the most effective obfuscation strategies available to a sophisticated actor, and one of the most technically demanding challenges a forensic expert will face.

Infographic illustrating the five-stage chain-hopping trail used to trace cryptocurrency assets moved across multiple blockchains to obscure their origin: Origin Chain → Bridge or Exchange Deposit → Cross-Chain Transfer → Destination Chain → Off-Ramp. Demonstrates the forensic methodology for following funds through cross-chain bridges, swap services, and centralised exchanges used as obfuscation vehicles. Produced by Captura Cyber.



Following Funds Across Blockchains

What Chain-Hopping Is and Why It Is Used

Chain-hopping refers to the deliberate movement of cryptocurrency assets from one blockchain network to another, typically through a bridge protocol, a cross-chain swap service, or a centralised exchange that accepts deposits in one asset and permits withdrawals in another. The motivation is usually obfuscation: each time assets cross from one chain to another, the direct on-chain link between the sending and receiving addresses is severed. An analyst following the trail on the original chain will reach a point where the funds are deposited into a bridge or exchange address with no visible continuation on the same ledger.

To return to the kitchen: chain-hopping is the equivalent of a chef moving the same dish between different kitchens mid-preparation, each with its own set of records, its own staff, and its own filing system. A reviewer examining only one kitchen’s records will see an incomplete picture – ingredients arriving but no finished dish, or a finished dish with no traceable origin.

The Forensic Challenge: Crossing the Bridge

The core technical challenge in chain-hopping analysis is often establishing the link between the deposit on one chain and the withdrawal on another. That link isn’t recorded on either blockchain. It exists in the records of the intermediary – the bridge protocol, the cross-chain swap service, or the centralised exchange – and accessing those records typically requires either voluntary disclosure from the operator or a court order compelling it.

This creates a two-stage forensic task.

The first stage is on-chain: following the funds to the point of departure on the originating chain, identifying the bridge or exchange address into which they were deposited, and documenting the deposit transaction with precision.

The second stage is off-chain: obtaining the records of the intermediary that confirm what was withdrawn on the destination chain, from which address, and at what time.

In our experience, the off-chain stage is where many chain-hopping investigations stall – not because the forensic methodology fails, but because the intermediary is uncooperative, located in a jurisdiction that does not respond to disclosure requests, or structured in a way that means no central operator holds the relevant records at all. The forensic expert can take the analysis to the bridge. Getting across it is frequently a legal and jurisdictional challenge as much as a technical one.
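The two-stage task just described can be expressed as a small matching routine. The following Python block is an added example, not code from this article or from Captura Cyber. It takes the deposit documented in stage one and an intermediary's exported records from stage two, and it prefers the operator's own ledger reference where one exists; where the export carries no such reference, it falls back to correlating value and time and reports how many candidates that produces, because a correlation with several candidates is not a link. The deposit, the records, the conversion rate and the fee tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Stage one output: the deposit documented on the originating chain (constructed).
DEPOSIT = {
    "chain": "bitcoin",
    "txid": "constructed-btc-txid-0001",
    "amount": 1.5,                           # BTC
    "time": datetime(2024, 3, 1, 10, 0),
    "to_address": "exchange-deposit-addr-0001",
}

# Stage two input: records exported by the intermediary (constructed).
# 'deposit_ref' is set only where the operator's ledger ties a withdrawal
# to a specific deposit; many exports do not carry it.
INTERMEDIARY_RECORDS = [
    {"withdrawal_txid": "constructed-tron-txid-77", "chain": "tron", "asset": "USDT",
     "amount": 89_700.0, "time": datetime(2024, 3, 1, 11, 30),
     "to_address": "T-constructed-1", "deposit_ref": "constructed-btc-txid-0001"},
    {"withdrawal_txid": "constructed-tron-txid-78", "chain": "tron", "asset": "USDT",
     "amount": 89_500.0, "time": datetime(2024, 3, 1, 12, 0),
     "to_address": "T-constructed-2", "deposit_ref": None},
    {"withdrawal_txid": "constructed-tron-txid-79", "chain": "tron", "asset": "USDT",
     "amount": 12_000.0, "time": datetime(2024, 3, 1, 13, 0),
     "to_address": "T-constructed-3", "deposit_ref": None},
]

RATE_BTC_USDT = 60_000.0   # assumed conversion rate at the time of the deposit


def link_withdrawals(deposit, records, rate, max_fee=0.03, window=timedelta(hours=24)):
    """Link a documented deposit to withdrawals on the destination chain.
    The operator's ledger reference is the strongest basis; value/time
    correlation is weaker and may return several candidates."""
    ledger = [r for r in records if r.get("deposit_ref") == deposit["txid"]]
    if ledger:
        return {"basis": "operator ledger", "candidates": ledger}
    expected = deposit["amount"] * rate
    low = expected * (1 - max_fee)            # allow for the intermediary's fee
    candidates = [
        r for r in records
        if deposit["time"] <= r["time"] <= deposit["time"] + window
        and low <= r["amount"] <= expected
    ]
    return {"basis": "value/time correlation", "candidates": candidates}


def is_unique_link(result):
    """Only a single surviving candidate can be presented as a continued trail."""
    return len(result["candidates"]) == 1


def strip_ledger_refs(records):
    """Simulate an export that lacks the operator's internal deposit references."""
    return [dict(r, deposit_ref=None) for r in records]


if __name__ == "__main__":
    print(link_withdrawals(DEPOSIT, INTERMEDIARY_RECORDS, RATE_BTC_USDT))
    print(link_withdrawals(DEPOSIT, strip_ledger_refs(INTERMEDIARY_RECORDS), RATE_BTC_USDT))
```

With the full export the link rests on the operator's ledger and is unique. With the references stripped, two withdrawals of similar value fall inside the window, and the routine correctly refuses to treat either as the continuation; that is the point at which the analysis needs either a fuller disclosure from the intermediary or further on-chain work on the destination chain.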

Decentralised Bridges: A Particular Complication

Not all cross-chain infrastructure involves a centralised operator from whom records can be compelled. Decentralised bridge protocols – smart contract systems that facilitate cross-chain transfers without a central intermediary – present a particular forensic challenge because there is no operator to serve with a disclosure order. The bridge’s logic is encoded in publicly visible smart contracts, but the connection between a deposit on one chain and a withdrawal on another must be reconstructed from on-chain data alone, using the bridge’s contract logic to map inputs to outputs.

This is technically possible for a forensic expert with sufficient blockchain architecture knowledge, but it requires a level of smart contract analysis that goes beyond standard transaction tracing. It is worth noting here that specialist forensic software platforms have developed significant capability in this area – cross-chain tracing, bridge analysis, and smart contract event reconstruction are features that leading tools now support, to varying degrees of sophistication. The role of forensic tooling in the analyst’s kitchen – what the tools can do, what they cannot, and how courts regard their outputs – is examined in detail in a dedicated section later in this article. For present purposes, the important point is that the availability of capable tooling does not eliminate the need for expert judgement in interpreting its outputs; it simply expands the range of on-chain territory the expert can cover.

The Role of Centralised Exchanges in Chain-Hopping Chains

Despite the growth of decentralised infrastructure, centralised exchanges remain the most common vehicle for chain-hopping in matters we encounter. The pattern is familiar: stolen funds are deposited into a centralised exchange in one asset – Bitcoin, for example – and withdrawn in another – USDT on the Tron network, or Ether – with the exchange performing the conversion and the withdrawal address having no visible on-chain connection to the deposit address.

The forensic response to this pattern relies heavily on exchange cooperation or compelled disclosure. Centralised exchanges operating under regulatory frameworks in the USA, UK, and Australia are subject to disclosure obligations and have, in our experience, responded to properly framed legal process. Exchanges operating outside those jurisdictions – or those that have actively marketed their services to users seeking to avoid KYC requirements – present a materially different challenge, and the realistic prospects of obtaining records must be assessed carefully before a tracing strategy is built around them.

Jurisdiction and the Chain-Hopping Problem

Chain-hopping is both a forensic challenge and a jurisdictional one. When assets move from a Bitcoin wallet in one jurisdiction, through a bridge protocol governed by smart contracts deployed on a network with no identifiable home jurisdiction, to a withdrawal address on a different network used by a party in a third jurisdiction, the question of which court can compel which disclosure – and from whom – becomes genuinely complex.

For the litigator, this means that a chain-hopping tracing exercise must be planned in conjunction with legal advice on the jurisdictional reach of the available disclosure mechanisms. The forensic expert can identify where the chain leads. Whether the relevant records can be obtained when it leads there is a question the forensic expert and the instructing lawyer must work through together – ideally before the investigation begins, not after it has stalled at a bridge operated from a jurisdiction that will not respond.

Can Cryptocurrency Mixers and Tumblers Be Penetrated by Forensic Analysis?

Of all the obfuscation techniques encountered in cryptocurrency forensic practice, mixers and tumblers are the ones that generate the most anxiety among litigators – and, in our experience, the most misconceptions. The assumption that mixed funds are untraceable is widespread. It is also wrong, or at least significantly overstated. The more accurate position is that mixing creates a forensic challenge of varying difficulty depending on the type of mixer used, the volume of funds processed, the behaviour of the actor using it, and the analytical resources brought to bear.

What Mixers and Tumblers Do

The purpose of a mixer or tumbler is to sever the on-chain link between a sending address and a receiving address by interposing a pool of funds between them. The sender deposits funds into the mixer. The mixer combines those funds with deposits from other users – or with its own reserve pool – and outputs an equivalent value, minus a fee, to a destination address specified by the sender. The intended result is that an observer watching the blockchain cannot draw a direct line from the deposit to the withdrawal, because the withdrawal comes not from the deposit address but from the mixer’s pool.

The kitchen analogy is apt here: the mixer is a large communal pot into which multiple chefs tip their ingredients. The pot is stirred, and each chef receives back a portion from the combined pool rather than their original contribution. An observer who saw what went into the pot but not the stirring cannot say with certainty which portion came from which chef.

There are two principal categories of mixer in current forensic practice, and they present meaningfully different analytical challenges.

Centralised Mixers

A centralised mixer is operated by a specific entity – a company, an individual, or an organised service – that takes custody of user funds, performs the mixing operation, and returns equivalent value to the destination addresses specified by users. Bitcoin Fog, the service at the centre of the Sterlingov prosecution, was a centralised mixer. Helix, ChipMixer, and several other services that have been the subject of law enforcement action fall into the same category.

The forensic significance of the centralised model is that the mixer operator holds records – or held them before any law enforcement action – and those records, if obtained, can bridge the gap that the mixing operation was designed to create. This is precisely what occurred in Sterlingov: the government’s case relied in significant part on records obtained from Bitcoin Fog’s servers following the service’s takedown, combined with blockchain analysis tracing the flow of funds into and out of the mixer.

Decentralised Mixers: CoinJoin and Protocol-Level Privacy

Decentralised mixing presents a more durable forensic challenge because there is no operator and no central record. The most widely used decentralised mixing technique is CoinJoin, in which multiple independent users combine their transactions into a single on-chain transaction, with each user receiving back an equivalent output to a fresh address. Because no custodian takes possession of the funds and no central service holds records, there is no operator to serve with a disclosure order and no server to seize.

Protocol-level privacy coins – Monero being the most prominent example – present the most significant forensic challenge of all. Unlike Bitcoin, where all transactions are publicly visible on the ledger and the privacy challenge is attribution rather than visibility, Monero is designed from the ground up to obscure transaction amounts, sending addresses, and receiving addresses using cryptographic techniques including ring signatures, stealth addresses, and RingCT. Tracing Monero with the same methodologies applied to Bitcoin is, in the current state of the art, extremely difficult without access to off-chain information such as exchange records or device data. A forensic expert who claims otherwise should be asked to explain their methodology in precise detail.

What Forensic Analysis Can Achieve Against Mixing

Against centralised mixers, the prospects are generally good where legal process can reach the operator or their records. The mixing obfuscates the on-chain trail but does not destroy the off-chain record, and the combination of blockchain analysis and compelled disclosure has proven effective in multiple prosecutions and civil recovery actions.

Against CoinJoin implementations, the prospects depend heavily on the sophistication of the implementation and the behaviour of the user. Users who make operational security errors – reusing addresses, consolidating outputs, or using the mixer in conjunction with identifiable exchange accounts – frequently leave sufficient forensic trace for analysis to proceed. Users who implement CoinJoin correctly and consistently, without operational errors, present a significantly harder problem.

Against privacy coins, the honest assessment is that on-chain forensic analysis alone is unlikely to produce a result in the absence of off-chain evidence. Cases involving Monero that have resulted in successful prosecution or recovery have generally done so through exchange records, device seizure, or other intelligence that bypassed the on-chain privacy entirely rather than defeating it cryptographically.

The Operational Security Problem: Where Mixers Fail Their Users

In practice, the most productive line of forensic inquiry against mixed funds is often not the mixing event itself but the behaviour of the actor before and after it. Mixers protect the link between deposit and withdrawal. They do not protect against an actor who deposits from an identified address, withdraws to an address they subsequently use in an identifiable way, or accesses the mixer service from a device or IP address that can be connected to them through other means.

In our experience, the majority of cases in which mixed funds have been successfully traced to a specific actor have not depended on penetrating the mixing operation analytically. They have depended on identifying the point at which the actor’s operational security failed – the address they used before they remembered to mix, the exchange account they withdrew to after the mixing was done, or the device from which they accessed both the mixer and a service that knows who they are.

How Are Transactions Through DeFi Protocols and Smart Contracts Traced?

Decentralised finance – universally referred to as DeFi – represents the frontier of cryptocurrency forensic complexity. Whereas Bitcoin tracing deals with a relatively straightforward ledger of value transfers, and where centralised exchange tracing relies on compellable records from an identifiable operator, DeFi forensics confronts an environment in which financial operations of significant sophistication are executed by autonomous code, without any central intermediary, across multiple interconnected protocols, often within a single transaction.

For the litigator encountering DeFi for the first time, the landscape can appear impenetrable. The terminology alone – liquidity pools, automated market makers, flash loans, yield farming, governance tokens, wrapped assets – is sufficient to discourage meaningful engagement. The purpose of this section is to explain, in terms directly relevant to litigation, what DeFi forensics actually involves, what it can establish, and where its limits lie.

What DeFi Is and Why It Creates Forensic Complexity

DeFi refers to a class of financial services – lending, borrowing, trading, yield generation – that are delivered through smart contracts deployed on programmable blockchain networks, primarily Ethereum and its competitors and derivatives. Unlike a bank or a centralised exchange, a DeFi protocol has no staff, no headquarters, no compliance function, and no customer records. Its logic is encoded in smart contracts that execute automatically when the conditions they specify are met.

Tracing through DeFi is like trying to follow a single ingredient through a restaurant kitchen in which dozens of dishes are being prepared simultaneously, the recipes are written in a specialised technical language, the ingredients are frequently transformed into entirely different substances during cooking, and there is no head chef to ask – only the kitchen’s autonomous processes, operating according to rules encoded in advance.

The Principal DeFi Forensic Challenges

Liquidity pools and automated market makers (AMMs) are among the most common DeFi mechanisms encountered in forensic matters. In a liquidity pool, users deposit pairs of tokens that are then made available for trading by other users. When disputed funds are deposited into a liquidity pool, they are immediately commingled with the funds of every other liquidity provider in the pool. The depositor receives liquidity provider tokens representing their proportional share of the pool – not the specific assets they deposited.

To make this concrete: suppose a user connects their Ethereum wallet to Uniswap and deposits 1 ETH and 2,000 USDC into the ETH/USDC liquidity pool. The protocol’s smart contract receives both tokens, adds them to the shared pool alongside the deposits of every other liquidity provider, and issues the user a quantity of LP tokens representing their proportional share of the total pool – say, 0.5% if the pool holds 200 ETH and 400,000 USDC in aggregate. From that point, the user’s 1 ETH and 2,000 USDC no longer exist as discrete, identifiable assets on the blockchain. They have been absorbed into the pool. When the user later redeems their LP tokens, they receive back 0.5% of whatever the pool then contains – a figure that will differ from their original deposit as a result of trading fees earned and price movements during the period of deposit. For the forensic analyst, this means that the moment the disputed funds enter the pool, they cannot be followed as a distinct asset. The commingled funds problem applies immediately and completely.

Flash loans represent one of the most forensically distinctive DeFi mechanisms. A flash loan is a transaction in which a user borrows a large sum of assets from a lending protocol, uses those assets within the same transaction block for an arbitrary purpose, and repays the loan – all within the execution of a single transaction. Flash loans have been used extensively in DeFi exploits, and tracing their forensic footprint requires reconstructing the internal logic of the transaction in which they were used.

Token wrapping and unwrapping introduces another layer of complexity. Many DeFi operations require assets to be converted into a wrapped representation – Wrapped Bitcoin (WBTC) being a common example – before they can be used within a particular protocol. The reason wrapping is necessary is that each blockchain operates its own native token standard, and assets native to one chain cannot be used directly on another. Bitcoin, for instance, exists natively on the Bitcoin blockchain. To use it within an Ethereum-based DeFi protocol, it must first be wrapped – meaning a custodian holds the actual BTC and issues an equivalent ERC-20 token on the Ethereum network, redeemable one-for-one for the underlying Bitcoin. That ERC-20 token is WBTC, and it is the Ethereum representation of the Bitcoin, not the Bitcoin itself. For the forensic analyst, a wrapping event therefore means the asset changes blockchain, changes token standard, and changes the on-chain address space in which it can be followed. Each wrapping and unwrapping event creates a new on-chain footprint that must be followed and correctly interpreted to maintain the continuity of the tracing chain.

What Smart Contract Analysis Involves

At the heart of DeFi forensics is smart contract analysis – the examination of the code that governs a protocol’s behaviour and the events that code emits when it executes. Every interaction with a smart contract generates a set of on-chain events – structured records emitted by the contract that document what occurred during execution.

It is worth noting here that smart contracts, in this respect, are unlike most other forms of evidence the forensic analyst works with: they are open-source by default. To continue the kitchen analogy – the smart contract is a recipe that has been published on the blockchain for anyone to read.

In the case of Ethereum-based contracts, the code is written in a programming language called Solidity, and in the majority of cases the exact contract code can be downloaded directly from the blockchain explorer. This transparency is forensically significant: the analyst does not need to speculate about what the contract does. They can read precisely what it was programmed to do, audit the logic that governed its execution, and identify any features – intentional or otherwise – that are relevant to the matter in dispute. A contract that contains a hidden function allowing its deployer to drain the liquidity pool at will, for example, does not conceal that function from a forensic analyst who reads the code.

It is there, in writing, on the blockchain.

Reading and interpreting those events correctly requires the forensic analyst to understand the specific contract’s architecture – how it structures its data, what its events mean, and how its internal accounting works. DeFi forensics is not a single methodology applied uniformly – it is a family of related techniques applied with protocol-specific knowledge.
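To show what "reading the events" involves at the lowest level, the following Python block is an added example; it is not code from this article, from Captura Cyber, or from any Ethereum library. It decodes the standard ERC-20 Transfer event from raw receipt logs (the indexed sender and recipient sit in the log's topics, the amount in its data field) and nets the decoded movements per address and per token. The token, pool, deployer and investor addresses and the three sample logs are constructed; the Transfer topic hash is the well-known keccak256 of the event signature.

```python
# topic0 of the standard ERC-20 Transfer event:
# keccak256("Transfer(address,address,uint256)")
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed placeholder addresses (not real contracts or accounts).
TOKEN = "0x" + "aa" * 20
POOL = "0x" + "01" * 20
DEPLOYER = "0x" + "02" * 20
INVESTOR = "0x" + "03" * 20


def topic_from_address(addr):
    """An indexed address parameter is left-padded to 32 bytes in a topic."""
    return "0x" + addr[2:].rjust(64, "0")


def data_from_uint(value):
    """A non-indexed uint256 is ABI-encoded as a 32-byte big-endian word."""
    return "0x" + format(value, "064x")


# Constructed receipt logs: an investor pays 500 tokens into the pool, the
# pool pays 1,000 tokens to the deployer, and an unrelated event follows.
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, topic_from_address(INVESTOR), topic_from_address(POOL)],
     "data": data_from_uint(500 * 10**18)},
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, topic_from_address(POOL), topic_from_address(DEPLOYER)],
     "data": data_from_uint(1_000 * 10**18)},
    {"address": POOL, "topics": ["0x" + "ff" * 32], "data": "0x"},   # some other event, ignored
]


def decode_transfer(log):
    """Return the token, sender, recipient and raw amount of a Transfer log,
    or None when the log is not a standard three-topic Transfer."""
    topics = [t.lower() for t in log["topics"]]
    if not topics or topics[0] != TRANSFER_TOPIC or len(topics) != 3:
        return None
    return {
        "token": log["address"].lower(),
        "from": "0x" + topics[1][-40:],
        "to": "0x" + topics[2][-40:],
        "value": int(log["data"], 16),
    }


def net_flows(logs):
    """Net raw token movement per address, keyed by token contract."""
    flows = {}
    for log in logs:
        t = decode_transfer(log)
        if t is None:
            continue
        per_token = flows.setdefault(t["token"], {})
        per_token[t["from"]] = per_token.get(t["from"], 0) - t["value"]
        per_token[t["to"]] = per_token.get(t["to"], 0) + t["value"]
    return flows


def to_units(raw, decimals=18):
    """Convert a raw amount to token units; decimals() is read from the contract in practice."""
    return raw / 10 ** decimals


if __name__ == "__main__":
    for token, balances in net_flows(SAMPLE_LOGS).items():
        for addr, raw in balances.items():
            print(token, addr, to_units(raw))
```

Two points the code makes explicit: only a log whose first topic is the Transfer signature and whose shape is the standard three-topic form is treated as a transfer, so a contract emitting a non-standard event with the same name would be flagged rather than silently counted; and the amounts are kept as raw integers until the token's decimals are known, because rounding at the wrong stage is a classic source of reconciliation errors in a report.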

The Exploit Scenario: When DeFi Is the Scene of the Loss

Much DeFi-related litigation arises from protocol exploits – attacks in which a malicious actor identifies and exploits a vulnerability in a smart contract’s logic to drain value from the protocol or its users. In these matters, the forensic tasks are: establishing what the exploit did and how it worked, and tracing where the extracted value went after the exploit was executed.

A recent matter we investigated illustrates how these elements combine in practice. The case involved what is colloquially known as a rug-pull – a form of investment fraud with structural similarities to a pump-and-dump scheme, adapted to the DeFi environment. The alleged offender deployed a smart contract for a new token, generated artificial interest through a coordinated social media campaign, and attracted a significant pool of investor funds into the token’s liquidity pool.

Once the pool reached critical mass, the offender exercised a withdrawal function in the contract and absconded with the pooled funds, leaving investors holding tokens that were now worthless.

The smart contract audit was the forensic starting point. Reading the contract code revealed precisely when the contract was deployed, the wallet address that deployed it, the withdrawal function that the deployer had built into the contract, and the transaction in which that function was ultimately exercised.

This established the on-chain mechanics of the fraud with a high degree of precision.

Tracing the extracted funds from the liquidity pool then engaged the commingled funds problem directly – there were numerous victims, each of whom had contributed to the pool, and the funds taken by the offender represented a commingling of all of their contributions. A pari passu distribution was determined to be the appropriate forensic accounting approach, ensuring that no individual victim’s claim was preferred over another’s and that each recovered an equitable share proportional to their contribution. This is precisely the kind of methodological decision that should be made explicitly, documented clearly, and defended under cross-examination – as the lessons of D’Aloia make clear.
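The pari passu allocation referred to above is the kind of step that should be reproducible from the figures in the report. The following Python block is an added example, not code from this article or from Captura Cyber, showing one way to compute it: contributions and the recovered amount are taken as integer counts of the asset's smallest unit, the shares are computed with exact rational arithmetic, and largest-remainder rounding ensures the allocations sum exactly to the recovered amount with no claimant preferred by more than a single unit. The three investors' contributions and the recovered sum are constructed figures.

```python
from fractions import Fraction
from math import floor


def pari_passu(contributions, recovered):
    """Allocate `recovered` among claimants in proportion to `contributions`.
    All amounts are non-negative integers in the asset's smallest unit."""
    if recovered < 0 or any(v < 0 for v in contributions.values()):
        raise ValueError("amounts must be non-negative integers")
    total = sum(contributions.values())
    if total == 0:
        raise ValueError("no contributions to allocate against")
    exact = {k: Fraction(v * recovered, total) for k, v in contributions.items()}
    alloc = {k: floor(e) for k, e in exact.items()}
    leftover = recovered - sum(alloc.values())
    # Hand the remaining whole units to the largest fractional remainders;
    # ties are broken by claimant name so the result is deterministic.
    by_remainder = sorted(exact, key=lambda k: (exact[k] - alloc[k], k), reverse=True)
    for k in by_remainder[:leftover]:
        alloc[k] += 1
    return alloc


def shortfalls(contributions, alloc):
    """Each claimant's unrecovered loss after the allocation."""
    return {k: contributions[k] - alloc.get(k, 0) for k in contributions}


# Constructed figures: three investors' contributions and the amount
# recovered from the pool, in the token's smallest unit.
CONTRIBUTIONS = {"investor-1": 3_000_000, "investor-2": 1_000_000, "investor-3": 1_000_000}
RECOVERED = 1_000_000


if __name__ == "__main__":
    allocation = pari_passu(CONTRIBUTIONS, RECOVERED)
    print(allocation, shortfalls(CONTRIBUTIONS, allocation))
```

The exact arithmetic matters more than it looks: with amounts denominated in wei or satoshis, floating-point proportions can leave the allocations a few units short of or over the recovered total, and that discrepancy is precisely the kind of detail an opposing expert will raise.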

The attribution of the wallet address to the alleged offender did not come from the blockchain alone. Circumstantial evidence of identity was drawn from social media recordings – posts, videos, and promotional material that the offender had published during the pump phase of the scheme – which, when combined with the on-chain evidence linking the deployer address to the fraud, provided a sufficiently complete evidential picture to support the proceedings. This is a clear example of how on-chain forensic analysis and off-chain attribution evidence must work in concert: the blockchain established what happened and who benefited at the address level; the social media record helped establish who was behind the address.

What DeFi Forensics Can Realistically Establish

DeFi forensics can establish, to a forensically defensible standard, the complete on-chain record of what occurred within and around a DeFi protocol during a particular transaction or sequence of transactions. It can quantify the value that entered and left a protocol, identify the wallet addresses that initiated and received the relevant operations, and reconstruct the sequence of internal operations that produced the observed outcome.

What it cannot establish, without additional off-chain evidence, is the identity of the person behind the initiating wallet address. The pseudonymity problem that applies across all blockchain forensics applies with equal force in the DeFi context – and the absence of any central operator who might hold KYC records makes the off-chain attribution challenge, in some cases, more difficult than in the centralised exchange context.

What Forensic Tools Do Cryptocurrency Experts Use, and How Do Courts Regard Them?

Throughout this article, references have been made to forensic software platforms and the role they play in cryptocurrency tracing analysis. This section examines those tools directly – what they are, what they do, how the leading platforms compare, and – critically for the litigator – how courts have regarded their outputs and the significant limitations that apply when they are used as a substitute for, rather than an instrument of, expert methodology.

To return to the kitchen one final time on this point: forensic tools are the equipment. A gas range, a mandoline, a precision thermometer – each extends what the chef can achieve, each requires skill to operate correctly, and none of them produces a dish by itself. The tool does not replace the methodology. It serves it.

The Landscape of Forensic Tooling

The commercial blockchain analytics market has developed significantly over the past decade. The platforms most likely to be encountered in litigation across the jurisdictions we work in include:

The choice of tool in any given matter is typically determined by which blockchain networks are in scope, which attribution databases are most relevant, and – as this section examines – what level of methodological transparency the proceedings require. In practice, however, tool selection is frequently driven by a more prosaic factor: what the expert already has access to. Vendor relationships, subscription costs, and institutional licensing mean that many practitioners default to the tool they know rather than the tool best suited to the matter. In our view, this is the wrong approach. Tool selection should be dictated by the task – by the blockchain networks in scope, the transaction architecture under examination, and the admissibility requirements of the jurisdiction – not by the contents of the analyst’s existing toolkit.

What These Tools Actually Do

All of the major forensic platforms share a common function. At their core, they ingest raw blockchain data – the complete transaction history of the networks they cover – and apply a proprietary set of clustering heuristics and attribution algorithms to that data to produce a labelled graph of addresses and transaction flows. The labels – “Binance hot wallet,” “Bitcoin Fog,” “darknet market,” “high-risk exchange” – are the product of that proprietary analysis, combined in most cases with data obtained through exchange cooperation agreements, law enforcement referrals, and the platform’s own investigative work.

What they do not provide – and what no forensic tool provides – is a methodology. The tool presents data and visualisations. The expert decides what that data means, which analytical steps to take, which heuristics to apply, and how to translate the output into a defensible evidential narrative.

How Courts Have Regarded Forensic Tool Outputs

The judicial treatment of blockchain analytics tool outputs has evolved considerably as these tools have moved from law enforcement intelligence aids to the foundation of expert evidence in adversarial proceedings. Several clear principles have emerged from the case law across the jurisdictions we work in.

The black box problem. The most significant and recurring judicial concern about forensic tool outputs is the opacity of the underlying methodology. A platform processes its attribution data through proprietary algorithms that are not publicly disclosed and are protected as commercial secrets. When an expert presents findings derived from such a platform, the opposing party – and the court – cannot independently audit the steps by which the platform reached its conclusions. This is the black box that the High Court of England and Wales identified in D’Aloia v Persons Unknown as fundamentally problematic: evidence that cannot be explained, replicated, or independently verified is evidence that cannot be properly tested.

The attribution label problem. As illustrated in the Binance example discussed in the wallet clustering section, a tool’s attribution of an address to a named entity is a hypothesis, not a finding. Courts may require that attribution labels be corroborated by independent evidence – exchange confirmation, regulatory filings, public disclosures, or other sources that exist outside the tool’s proprietary database.

The Sterlingov Daubert challenge. The United States v. Sterlingov proceedings produced what is currently the most detailed judicial examination of Chainalysis’s methodology in any adversarial context. The defence mounted a sustained (but ultimately unsuccessful) Daubert challenge to the government’s expert, arguing that the clustering heuristics underlying the platform’s attribution had not been subject to peer review, had unknown error rates, and had not been applied consistently. Any litigator whose matter involves Chainalysis evidence – on either side – would do well to be familiar with the arguments advanced in Sterlingov and the court’s response to them.

The consistency requirement. As discussed in the commingled funds section, courts require that whatever methodology is applied – whether by a human analyst or facilitated by a software tool – it must be applied consistently across the entire dataset. A tool that allows the analyst to select which transactions to include in the analysis creates the conditions for the kind of methodological cherry-picking that proved fatal in D’Aloia.

Open-Source Tools and Academic Alternatives

Not all forensic analysis is conducted using commercial platforms. In some matters – particularly those involving networks not well covered by the major tools, or where the opacity of commercial platforms creates an insurmountable admissibility challenge – open-source tools and academic methodologies provide a defensible alternative.

GraphSense, developed by researchers at the Austrian Institute of Technology, is an open-source blockchain analytics platform that implements a documented, peer-reviewed set of clustering heuristics whose methodology is publicly available for examination. For proceedings in which the opacity of commercial tools is a live issue, GraphSense offers the significant advantage that its methodology can be reviewed, replicated, and independently audited.

Blockchain explorers – Etherscan for Ethereum and its derivatives, Blockchair for Bitcoin and multiple other networks, and the native explorers of most individual blockchain networks – provide direct access to raw on-chain data without any proprietary attribution layer.

From a personal practice perspective, forensic tools serve three distinct functions – and understanding which function is being relied upon at any given point in an analysis is essential to using them responsibly in a litigation context.

The first is the intelligence layer – principally attribution data that identifies addresses as belonging to known exchanges, services, or entities. This is genuinely useful for directing an investigation, but it is intelligence rather than evidence in most cases. As discussed in the wallet clustering section, an attribution label is a hypothesis that may require independent corroboration before it can be presented to a court as a finding.

The second is visualisation – the production of clear, followable transaction graphs that allow a court, a jury, or a judge to understand the passage of cryptocurrency through a series of addresses and transactions. In our experience, a well-constructed graph can be one of the most effective tools available for communicating a complex tracing chain to a non-technical audience. This is not a trivial contribution. Making blockchain evidence comprehensible to a court is part of the expert’s function, and good graphing tools serve that function well.

Sample cryptocurrency trace visualisation produced using blockchain analytics software, showing 6.3556 ETH originating from wallet 0x676631ab...341a on 23 March 2023, flowing to a central intermediary wallet (0x339d62dc...f80c), and then splitting across multiple paths: one path passes through two Changenow exchange addresses (a swap service used to convert cryptocurrency), with an inset cluster highlighting the exchange's internal records; a second path traces 50,000 USDT and then 200,000 USDT through a chain of intermediate wallets (0x0e159617...b47c → 0x811e1fle...20da → 0xe9936095...d90f). Illustrates how a transaction graph communicates a multi-hop tracing chain — including the use of a swap service as an obfuscation step — to a non-technical audience. Produced by Captura Cyber.


Sample Blockchain Transaction Graph

The third is clustering – the application of heuristics across large datasets to group addresses by common controller. While clustering can in principle be performed manually, the computational scale at which it operates in practice makes it effectively exclusive to software. This is the function where forensic tools provide capability that genuinely cannot be replicated by hand across anything other than the smallest datasets.

With those three functions in mind, my own approach to tool selection in matters that are destined for – or may end up in – legal proceedings is guided by a simple principle: use the simplest practical tool for the job.

Every layer of software complexity is a layer that must be explained to the court, and every proprietary process is a potential admissibility challenge waiting to be made. Where it is practical to trace by hand, using raw blockchain data from open-source explorers and documented manual heuristics, that is my preference – the methodology is maximally transparent and maximally auditable. Where clustering is required, or where a complex multi-address transaction graph needs to be visualised in a form a jury can follow, then commercial or open-source software tools often become the right instrument for that specific task.

The guiding principle is that every report should be written with a contested trial in mind as a possible endpoint. Open-source where possible. Hand-traced where practical. Software where necessary – and always with a documented, defensible account of what the software was asked to do and why.

What the Litigator Should Ask About Forensic Tooling

When reviewing a forensic report produced with the assistance of commercial blockchain analytics software, the litigator – whether instructing the expert or opposing their evidence – should press for clear answers to the following questions.

Which platform or platforms were used, and for which specific analytical tasks? What proprietary attribution data was relied upon, and how has that data been independently corroborated? Has the expert applied the tool’s outputs mechanically, or have they exercised independent judgement in assessing and, where necessary, departing from the tool’s conclusions? Can the methodology be expressed in terms that allow the court – and an opposing expert – to conduct a step-by-step audit of every inferential step?

A forensic expert who cannot answer these questions clearly and in detail is an expert whose evidence carries significant admissibility risk. The kitchen may be equipped with the most sophisticated tools available. But a chef who cannot explain what they did with those tools – or who simply points at the oven when asked how the dish was made – is not a chef whose evidence will survive scrutiny.

What Are the Known Weaknesses in Cryptocurrency Forensic Methodology?

A forensic expert who cannot identify the weaknesses in their own methodology is not a forensic expert – they are an advocate. The willingness to articulate, honestly and precisely, where the analytical methods used in a given case may be challenged, where the inferences drawn may be contested, and where the findings fall short of certainty is a sign of a reliable report.

A chef who knows which dishes their kitchen cannot reliably produce is a more trustworthy chef than one who claims mastery of everything.

The Pseudonymity Gap: Methodology Stops at the Address

The most fundamental limitation of cryptocurrency forensic methodology is one that has been noted throughout this article and bears explicit statement here: the methodology traces addresses, not people. Every technique discussed – commingled funds tracing, wallet clustering, change address heuristics, chain-hopping analysis, mixer tracing, DeFi forensics – operates at the level of cryptographic addresses on a public ledger. The connection between those addresses and named individuals or legal entities requires additional evidence that exists outside the blockchain.

This gap is a structural feature of how public blockchain networks are designed. But it is a gap that must be acknowledged clearly in every forensic report, and it is a gap that opposing experts and cross-examining advocates should probe in every contested proceeding.

The Probabilistic Nature of Heuristics

Every analytical heuristic discussed in this article – co-spend clustering, change address identification, round number analysis, fresh address inference – is a probabilistic inference, not a deterministic proof. Each heuristic is correct the majority of the time, under the conditions for which it was designed, applied to the network architecture for which it is appropriate. None of them is correct all of the time.

Courts have increasingly required that experts quantify, or at least explicitly characterise, the reliability of the heuristics they apply. A report that does not do so is vulnerable to challenge – not because the findings are wrong, but because the basis on which the court is asked to accept them has not been adequately disclosed.

The Data Quality Problem

Forensic analysis is only as reliable as the underlying data it is applied to. On the blockchain itself, the data is immutable and publicly verifiable – a significant forensic advantage. But cryptocurrency forensic analysis rarely relies on blockchain data alone. Attribution labels, exchange records, KYC data, IP address information, and tool-generated clustering outputs all enter the analysis at various points, and each of them carries its own data quality risk.

In our experience, data quality issues are among the most common sources of error in forensic reports produced under time pressure – and time pressure is a constant feature of litigation-driven investigations. The expert who does not build data verification into their methodology as a mandatory step is an expert whose findings are at risk from errors that a careful opposing analyst will identify.

The Evolving Technology Problem

Cryptocurrency networks, protocols, and obfuscation techniques evolve continuously and rapidly. A methodology that is forensically sound for the Bitcoin network as it existed in 2018 may not be sound for the same network as it exists today, where CoinJoin implementations are more sophisticated, Lightning Network transactions introduce off-chain payment channels, and Taproot transactions alter the on-chain footprint of certain transaction types.

Forensic experts must maintain current knowledge of the networks they work on. In a field that moves as quickly as blockchain technology, currency of knowledge is itself a component of methodological rigour.
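The co-spend (common-input-ownership) heuristic named in the previous section, and the CoinJoin problem named in this one, can be shown together in a few lines. The following is an added example written for this edit, not code from the page, from any forensic platform, or from any case discussed here. It clusters addresses by union-find over constructed transactions (the addresses, values and transaction identifiers are invented for illustration), first with the heuristic applied mechanically and then gated by a deliberately crude CoinJoin detector, to show how one transaction that violates the heuristic’s assumption merges unrelated wallets into a single false cluster.

```python
"""Co-spend clustering over constructed transactions, with and without a
CoinJoin gate. Added example: the heuristic is probabilistic, and a single
CoinJoin transaction is enough to merge wallets that share no controller.
"""
from collections import Counter, defaultdict

# Constructed transactions (not real chain data). Each lists its input
# addresses and (address, value) outputs. tx3 is CoinJoin-shaped: three
# unrelated parties each fund one input and receive one equal-valued output.
TXS = [
    {"id": "tx1", "inputs": ["A1", "A2"], "outputs": [("X1", 5.0), ("A3", 1.2)]},
    {"id": "tx2", "inputs": ["B1", "B2"], "outputs": [("Y1", 3.0)]},
    {"id": "tx3", "inputs": ["A3", "B2", "C1"],
     "outputs": [("P1", 1.0), ("P2", 1.0), ("P3", 1.0), ("A4", 0.2)]},
    {"id": "tx4", "inputs": ["A1", "A3"], "outputs": [("Z1", 0.9)]},
]


class UnionFind:
    """Minimal disjoint-set structure: addresses start in their own set and
    are merged whenever the heuristic says they share a controller."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Crude CoinJoin detector (assumption for illustration): several outputs
    of identical value, funded by at least as many inputs. Real detectors are
    more involved; this is enough to show why the co-spend rule must be gated."""
    counts = Counter(value for _, value in tx["outputs"])
    most = max(counts.values(), default=0)
    return most >= min_equal_outputs and len(tx["inputs"]) >= most


def cluster(txs, exclude_coinjoin=True):
    """Common-input-ownership clustering: every input of one transaction is
    assumed to be controlled by the same party. Returns a set of frozensets."""
    uf = UnionFind()
    for tx in txs:
        if exclude_coinjoin and looks_like_coinjoin(tx):
            continue
        first, *rest = tx["inputs"]
        uf.find(first)
        for addr in rest:
            uf.union(first, addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {frozenset(g) for g in groups.values()}


if __name__ == "__main__":
    print("ungated:", [sorted(c) for c in cluster(TXS, exclude_coinjoin=False)])
    print("gated:  ", [sorted(c) for c in cluster(TXS)])
```

Run ungated, the four transactions collapse into one cluster of six addresses because tx3 links A3, B2 and C1 and the other transactions link A3 to A1/A2 and B2 to B1. With the gate, the result is two clusters, {A1, A2, A3} and {B1, B2}, and C1 is not clustered at all. Neither answer is a proof of control; the point for the report is that the second is the heuristic applied under the conditions it was designed for, and that the gating rule, its parameters and its own error modes must be stated alongside the result.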

The Confirmation Bias Risk

Cryptocurrency forensic analysis is frequently conducted in conditions that create a significant risk of confirmation bias. The expert is typically instructed by one party, provided with that party’s account of the facts, given a starting point that reflects that party’s interests, and asked to trace funds in a direction that, if the instructing party’s account is correct, leads to a predetermined conclusion.

This creates a discipline requirement that not all experts meet: the requirement to actively test the hypothesis against the data, rather than simply building a narrative around it. An expert who follows only the transaction path that supports the instructing party’s case, without examining alternative paths that the data might equally support, is an expert who has allowed the brief to become the methodology.

A competent opposing expert will examine not only what the report found but what it chose not to follow – and the question of why certain transaction paths were not pursued can be as damaging under cross-examination as the question of why certain findings were made.

The Interpretation Gap: Technical Finding vs Legal Conclusion

Cryptocurrency forensic analysis produces technical findings. The translation of those findings into legal conclusions is a step that requires both the expert’s technical input and the court’s legal determination. Experts who cross the line from technical finding to legal conclusion in their reports – who assert rather than demonstrate, who characterise rather than describe – are experts who have exceeded their proper function.

The technical finding is the dish the kitchen produces. The legal conclusion is the judgment the diner makes about its quality. The chef’s job is to cook the dish as well as possible and to describe it accurately. It is not to tell the diner what to think of it.

How Does the Same Forensic Evidence Look from the Defence Perspective?

Every technique, every heuristic, and every methodology discussed in this article has been examined primarily from the perspective of the party constructing a forensic case – the claimant tracing stolen funds, the prosecutor establishing the movement of criminal proceeds, the applicant seeking a freezing order. But cryptocurrency forensic methodology is not a one-sided discipline, and this article would be incomplete without examining how the same evidence, the same tools, and the same analytical frameworks look from the other side of the courtroom.

The starting point for any defence forensic engagement should be a simple but important principle: the opposing expert’s work should be examined rigorously and tested thoroughly – and if that examination reveals that the methodology is sound, the findings are well-supported, and the conclusions are proportionate to the evidence, then there is nothing to challenge. A defence forensic expert who manufactures challenge where none is warranted does not serve their client. They serve only to undermine their own credibility and, ultimately, the credibility of the defendant’s position. The purpose of defence forensic work is not to find fault – it is to find out whether fault exists.

Where it does exist, it should be identified with precision and pursued with rigour. Where it does not, the forensic expert’s duty to the court requires them to say so.

In our experience, defence-side work is frequently time-pressured and almost always consequential. A defendant facing a freezing order based on cryptocurrency tracing evidence may have days, not weeks, to obtain a forensic response. The stakes on the defence side of cryptocurrency forensic work are high, and the quality of the forensic response must match them.

Reading the Prosecution or Claimant Report: What to Look For

The first task of a defence forensic expert is a careful, systematic reading of the opposing report – not to find fault for its own sake, but to identify whether, and where, the methodology is vulnerable, the findings are overstated, or the acknowledged limitations are insufficient.

The questions that structure that reading are drawn directly from the weaknesses catalogued in the preceding section. Has the expert clearly distinguished between what the blockchain data establishes and what additional off-chain evidence is required? Have the heuristics been identified, justified, and applied consistently? Has the choice of commingled funds model – whether FIFO, LIFO, pari passu, LIBR, rolling charge, or another – been explained and applied consistently? Has the origin address been independently verified? Have the tool’s attribution labels been corroborated by independent evidence?

Each of these questions corresponds to a potential line of challenge. Not every report will be vulnerable on every point. A systematic reading against these criteria will identify any specific weaknesses on which a forensic response should focus – and, equally importantly, will identify the areas in which the opposing analysis is sound and should be conceded rather than contested.

Constructing the Rebuttal: Methodology First

Where genuine weaknesses exist, the most effective defence forensic reports do not begin with a conclusion – they begin with a methodology. The defence expert who sets out, clearly and in advance, the framework by which they have assessed the opposing analysis is an expert who signals to the court that their challenge is principled rather than partisan.

In practice, this means that the defence report should address the opposing methodology at the same level of technical specificity as the opposing report itself. Where commingled funds are in issue, for example, the defence report should explain what model the opposing expert applied – whether FIFO, LIFO, pari passu, LIBR, rolling charge or something else – why the choice of model matters, what result an alternative model would have produced on the same data, and why the alternative is more appropriate to the specific facts of the matter. A challenge that identifies the problem without quantifying its impact is a challenge that the court may acknowledge but cannot act upon.

The food critic who says only that the dish is not good has written a useless review. The food critic who identifies the specific technique that was misapplied, explains what that technique should produce and what it actually produced in this instance, and demonstrates how a correctly executed version of the dish would have looked – that is a review that tells the reader something actionable.
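The difference between commingled-funds models is easiest to see when all of them are run over the same ledger. The following is an added example written for this edit, not code from the page, from any forensic platform, or from any case discussed here. It applies FIFO, LIFO and pari passu to a single constructed ledger for one intermediary address (two victims and one clean depositor, two withdrawals; all labels and amounts are invented), and then applies the lowest intermediate balance rule (LIBR) to the same data. It serves both the pari passu decision in the DeFi case study above and the rebuttal requirement just stated: quantify what the alternative model would have produced on the same facts.

```python
"""Commingled-funds tracing models applied to one constructed ledger.

Added example, not from the page. A single intermediary address receives
deposits from two victims and one clean source and makes two withdrawals.
Each model attributes the withdrawals to sources differently; LIBR caps
what can still be traced into the closing balance.
"""
from fractions import Fraction

# Constructed ledger, in chronological order. Fractions keep pari passu
# shares exact instead of drifting with floating point.
LEDGER = [
    ("deposit",  "victim_A", Fraction(10)),
    ("deposit",  "clean",    Fraction(5)),
    ("withdraw", "out_1",    Fraction(8)),
    ("deposit",  "victim_B", Fraction(6)),
    ("withdraw", "out_2",    Fraction(9)),
]

MODELS = ("fifo", "lifo", "pari_passu")


def trace(ledger, model):
    """Attribute each withdrawal to deposit sources under one model.

    Returns {withdrawal_label: {source: amount}}. One model is applied to
    every transaction in the ledger; switching models part-way through is
    the inconsistency the courts have criticised.
    """
    if model not in MODELS:
        raise ValueError(f"unknown model {model!r}")
    pool = []          # unspent deposit tranches as [source, remaining]
    attributions = {}
    for kind, label, amount in ledger:
        if kind == "deposit":
            pool.append([label, amount])
            continue
        balance = sum(rem for _, rem in pool)
        if amount > balance:
            raise ValueError(f"{label}: withdrawal exceeds balance")
        alloc = {}
        if model == "pari_passu":
            # Every tranche contributes in proportion to its share of the balance.
            for tranche in pool:
                share = amount * tranche[1] / balance
                tranche[1] -= share
                alloc[tranche[0]] = alloc.get(tranche[0], Fraction(0)) + share
        else:
            # FIFO drains the oldest tranche first, LIFO the newest.
            order = pool if model == "fifo" else reversed(pool)
            left = amount
            for tranche in order:
                if left == 0:
                    break
                take = min(left, tranche[1])
                tranche[1] -= take
                left -= take
                alloc[tranche[0]] = alloc.get(tranche[0], Fraction(0)) + take
        pool[:] = [t for t in pool if t[1] > 0]
        attributions[label] = alloc
    return attributions


def libr_remaining(ledger, source):
    """Lowest intermediate balance rule for one claimant.

    The claimant's money still in the account can never exceed the lowest
    balance the account has reached since their deposit; later deposits by
    others do not replenish it.
    """
    balance = Fraction(0)
    traceable = Fraction(0)
    for kind, label, amount in ledger:
        if kind == "deposit":
            balance += amount
            if label == source:
                traceable = min(traceable + amount, balance)
        else:
            balance -= amount
            traceable = min(traceable, balance)
    return traceable


def compare(ledger, withdrawal, source):
    """How much of one withdrawal each model attributes to one source."""
    return {m: trace(ledger, m)[withdrawal].get(source, Fraction(0)) for m in MODELS}


if __name__ == "__main__":
    for model, amt in compare(LEDGER, "out_1", "victim_A").items():
        print(f"out_1 attributed to victim_A under {model}: {amt} ({float(amt):.2f})")
    for claimant in ("victim_A", "victim_B"):
        print(f"{claimant} traceable into closing balance (LIBR):",
              libr_remaining(LEDGER, claimant))
```

On this ledger the first withdrawal of 8 is attributed to victim_A as 8 under FIFO, 3 under LIFO and 5⅓ under pari passu, which is the kind of spread a rebuttal report should put in front of the court rather than merely assert. The LIBR function also exposes a known limitation worth flagging in a report: run per claimant it says 4 remains for each victim, but the closing balance is only 4, so with several claimants LIBR has to be combined with a pari passu or similar sharing rule rather than applied to each claim in isolation.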

Cross-Examination Strategy: The Expert in the Witness Box

The defence forensic expert’s work does not end with the production of a report. In contested proceedings, the expert will typically be required to give oral evidence and to withstand cross-examination. In some jurisdictions, such as England and Wales, the court may also direct a joint expert meeting, at which the opposing experts are required to identify the specific points of agreement and disagreement and produce a joint statement for the court.

The joint expert meeting is, in our experience, an important stage in any cryptocurrency forensic dispute. The expert who enters with a clear, principled framework for identifying genuine points of agreement and maintaining principled points of disagreement is the expert whose position will carry weight in the joint statement and, ultimately, with the court.

For the advocate preparing cross-examination of an opposing cryptocurrency forensic expert, the most productive lines of inquiry are those that expose the gap between what the methodology can establish and what the report claims it establishes – the pseudonymity gap, the heuristic reliability question, the data quality issues, and the consistency of the commingled funds model applied.

When Defence Forensic Work Leads Somewhere Unexpected

A final observation from practice: defence forensic work does not always support the defendant’s account of events. An expert instructed to review the opposing analysis must follow the evidence where it leads – and sometimes it leads to a conclusion that corroborates, rather than undermines, the opposing report’s findings.

A defence expert who discovers that the opposing methodology, despite its technical imperfections, has reached a substantially correct conclusion serves their client by saying so clearly and early – not by constructing a challenge that will collapse under scrutiny at trial.

The overriding duty of the expert witness is to the court, not to the instructing party.

What Makes a Cryptocurrency Forensic Report Credible to a Court?

Everything discussed in this article – the techniques, the tools, the heuristics, the methodological disciplines, the known weaknesses – converges on a single practical output: the forensic report. It is the document that carries the expert’s analysis into the courtroom. A technically brilliant analysis that is poorly reported is technically brilliant analysis that the court cannot use. The report is not a summary of the work. It is the work, as far as the court is concerned.

The Overriding Duty: To the Court, Not the Client

Before examining the specific characteristics of a credible forensic report, it is necessary to state the foundational principle that applies in most common-law jurisdictions and from which most of the other requirements derive: the expert witness’s overriding duty is to the court, not to the party that instructed them.

In England and Wales, Part 35 of the Civil Procedure Rules states explicitly that the expert’s duty to help the court overrides any obligation to the instructing party. In Australia, the equivalent obligations are expressed in the expert witness codes of conduct that apply in each jurisdiction. In the United States, Rule 26 of the Federal Rules of Civil Procedure imposes disclosure obligations on expert witnesses that are premised on the same principle of independence.

A cryptocurrency forensic report that reads as advocacy – that presents only the evidence supporting the instructing party’s case, that acknowledges no limitations, that reaches conclusions beyond what the methodology can support – is a report that has violated this foundational duty.

Characteristic 1: A Clearly Stated Methodology

The first and most fundamental characteristic of a credible forensic report is a clear, complete, and upfront statement of methodology. The court must understand, from reading the report, precisely what analytical steps were taken, in what sequence, using what tools and heuristics, and on the basis of what data.

The methodology section should identify every technique applied and explain why it was selected as appropriate for the asset type and transaction architecture under examination. It should identify the forensic tools used and specify the function for which each tool was used – attribution intelligence, visualisation, clustering – with appropriate acknowledgement of the limitations that apply to each function.

A methodology section that says, in effect, “I used Chainalysis to trace the funds” is not a methodology statement. It is the equivalent of a chef writing “I used the oven” as a recipe. The court needs to know what happened inside the oven, at what temperature, for how long, and why those settings were chosen.

The practical test I apply when writing a methodology section is this: could another forensic expert, working from my methodology section alone, reproduce my analysis and arrive at the same findings? If the answer is no – if there are steps I have taken that I have not described, decisions I have made that I have not explained, or tools I have used whose function I have not specified – then the methodology section is incomplete. Reproducibility is the operational definition of transparency, and it is what distinguishes a methodology section that will survive cross-examination from one that may not.

Characteristic 2: Transparent Reasoning at Every Inferential Step

Credible forensic reports do not only present conclusions. They show the working. Every inferential step – every point at which the analyst moved from data to interpretation, from observation to conclusion – should be documented and explained in terms that allow the reader to follow the reasoning and assess whether it is sound.

The lesson of D’Aloia is that a court which cannot follow the reasoning cannot accept the conclusion. The forensic kitchen must be open for inspection at every stage of the cooking process – not just at the point where the dish arrives at the table.

Characteristic 3: A Clear Account of the Materials Relied Upon

A credible forensic report sets out clearly and completely what documents and materials the expert relied upon in reaching their conclusions. This is a requirement in many jurisdictions, and one that goes directly to the court’s ability to assess the basis on which the expert’s opinions rest.

In practice, this task is most straightforward where a formal letter of instruction has been provided – as Part 35 effectively requires in England and Wales, since the report must state the substance of all material instructions, and as we recommend as a matter of practice in all jurisdictions regardless of whether it is required by rule or legislation. A well-drafted letter of instruction will enumerate the materials provided to the expert, and the report can incorporate that enumeration by reference, supplemented by any additional materials the expert sourced independently in the course of their analysis.

Where additional materials were relied upon beyond those provided with the instruction, those materials should also be identified explicitly – what they are, where they came from, and in what respect they informed the analysis. Raw blockchain data retrieved from public explorers, attribution data obtained from forensic platforms, exchange records obtained through legal process, and publicly available materials such as corporate website disclosures should all be identified.

A particular issue arises where materials that did not exist at the time the report was written subsequently come into existence. A client or defendant deposition taken after the report was produced, for example, may contain information that is directly relevant to the expert’s findings – information that, had it been available at the time of analysis, might have altered the scope of the investigation, the weight placed on a particular inference, or the conclusions reached. Where such materials emerge, the expert and the instructing lawyer should consider whether a supplementary report is required to address them.

A court should be able to read a forensic report and know precisely what the expert looked at, what they were given, and what they went and found for themselves. Transparency about the materials is transparency about the foundation – and a foundation the court cannot see is a foundation the court cannot trust.

Characteristic 4: Proportionate Conclusions

The conclusions of a forensic report must be proportionate to the evidence from which they are drawn. A finding that a particular address received funds traceable to a specific prior transaction is a technical conclusion the methodology can support. A finding that the named defendant committed fraud is a legal conclusion it cannot.

Proportionate conclusions also mean acknowledging degrees of confidence where degrees of confidence exist. Where the tracing chain is clear, the report should say so. Where it rests on a series of probabilistic inferences that compound each other’s uncertainty, the cumulative effect of that uncertainty should be reflected in how the conclusion is expressed.

Characteristic 5: Compliance with Jurisdictional Requirements

A credible forensic report is not merely technically sound – it is procedurally compliant with the specific requirements of the jurisdiction in which it will be used.

In England and Wales, Part 35 of the Civil Procedure Rules and its accompanying Practice Direction set out detailed requirements including a mandatory statement of the expert’s understanding of their duty to the court, a statement of truth, and specific requirements around the disclosure of facts and assumptions on which opinions are based.

In Australia, the governing instrument for Federal Court proceedings is the Expert Evidence Practice Note (GPN-EXPT), which incorporates the Harmonised Expert Witness Code of Conduct. Every expert witness in the Federal Court must read the Code and agree to be bound by it. The Code establishes a paramount duty to assist the court impartially – explicitly overriding any duty to the instructing party – and specifies that the expert is not an advocate. Expert reports must state the assumptions and material facts underlying each opinion, the reasons for each opinion, any literature or other materials relied upon, details of any examinations or tests conducted, and any qualifications that would render an opinion incomplete or inaccurate if omitted. Critically, where an expert changes their opinion on a material matter after delivering a report, they are required to immediately provide a supplementary report. The Code applies in substantially harmonised form across the Federal Court and most state Supreme Courts.

In the United States, Rule 26 of the Federal Rules of Civil Procedure requires a written expert report containing a complete statement of all opinions and the basis for them, the facts and data considered, the exhibits to be used, the expert’s qualifications, prior testimony, and compensation. In addition, the Daubert standard requires that expert testimony be based on sufficient facts or data, be the product of reliable principles and methods, and reflect a reliable application of those methods to the facts of the case.

Characteristic 6: Accessibility to a Non-Technical Audience

The final characteristic of a credible forensic report – and one that is frequently underweighted by technically accomplished analysts – is accessibility. A forensic report is not a technical paper. It is a document written for a judge, a jury, or a tribunal that has no prior knowledge of blockchain technology, cryptocurrency networks, or forensic methodology.

This is what we refer to as the Human Bridge function of the forensic expert: the translation of technical complexity into judicial comprehensibility. A report that can be understood only by another specialist has not completed its job. The dish has been cooked but not yet plated.

The forensic kitchen’s finest achievement is not the complexity of the recipe. It is the clarity of the dish as it arrives at the table.

How Does Cryptocurrency Forensic Practice Differ Across the USA, UK, and Australia?

Infographic comparing cryptocurrency forensic expert evidence standards across three jurisdictions: United States (Daubert standard - Federal Rules of Evidence 702, scientific reliability and peer review), United Kingdom (Part 35 CPR - transparency, auditability, and duties to the court), and Australia (specialised knowledge standard - Evidence Act 1995, training, study, or experience). Covers admissibility standard, key instrument, challenge risk, and dominant consideration for each jurisdiction. Produced by Captura Cyber.

USA, UK and Australia Compared

Cryptocurrency forensic methodology – the analytical techniques, the heuristics, the tools – is largely consistent across jurisdictions. The blockchain does not change because the dispute is being heard in London rather than Los Angeles or Sydney. What changes, significantly and in ways that directly affect how forensic evidence is prepared, presented, and assessed, is the legal framework within which that methodology must operate.

The United States

The United States presents the most complex forensic expert environment of the three jurisdictions, primarily because of the Daubert standard and the significant body of case law that has developed around it in the cryptocurrency context.

The Daubert standard – established by the Supreme Court in Daubert v. Merrell Dow Pharmaceuticals Inc. (1993) and refined in Kumho Tire Co. v. Carmichael (1999) – requires that expert testimony be based on sufficient facts or data, be the product of reliable principles and methods, and reflect a reliable application of those methods to the facts of the case. The trial judge acts as gatekeeper, and expert evidence that does not satisfy the Daubert criteria may be excluded before the jury hears it.

Rule 26 of the Federal Rules of Civil Procedure governs expert disclosure in civil proceedings and requires a comprehensive written report containing the expert’s complete opinions, the basis and reasons for them, the facts and data considered, the exhibits to be used, the expert’s qualifications, a list of prior cases in which the expert has testified, and the expert’s compensation.

The United States also presents the most developed body of cryptocurrency-specific case law of the three jurisdictions. Beyond Sterlingov, decisions addressing the admissibility and reliability of blockchain analytics evidence have emerged from multiple federal district courts, and this jurisprudence is developing rapidly.

The United Kingdom

The United Kingdom’s approach to expert evidence in civil proceedings is governed primarily by Part 35 of the Civil Procedure Rules and its accompanying Practice Direction, which together establish a detailed framework for the instruction, preparation, and presentation of expert evidence in the civil courts.

The most significant feature of the Part 35 regime is its emphasis on the expert’s overriding duty to the court and its specific requirements for the form and content of the expert report – including a statement that the expert understands their duty to the court, a statement of the substance of all material instructions received, and a statement of the range of opinion on the matters addressed, with reasons for the expert’s own opinion within that range.

The joint expert meeting is a more established feature of UK civil practice than in the other jurisdictions we work in, and it carries particular weight in cryptocurrency forensic disputes. The joint statement produced following a meeting of experts becomes a key document for the court.

The D’Aloia decision, examined throughout this article, remains the most significant UK judicial statement on the admissibility and reliability of cryptocurrency tracing evidence in civil proceedings. Its emphasis on transparency, mathematical auditability, and the inadequacy of black box methodology is the benchmark against which UK cryptocurrency forensic reports should be assessed.

Australia

Australia presents a distinctive expert evidence framework that reflects both its common law heritage and the specific procedural instruments developed at federal and state level to govern expert witnesses in Australian courts.

The Evidence Acts – at federal level, the Evidence Act 1995 (Cth), and the equivalent instruments in each state and territory – govern the admissibility of opinion evidence, including expert evidence. Under the uniform Evidence Acts that apply in most Australian jurisdictions, opinion evidence is admissible only if it is wholly or substantially based on the expert’s specialised knowledge, and that knowledge must be based on the expert’s training, study, or experience.

Australia has seen a significant increase in cryptocurrency-related litigation at both the civil and criminal level in recent years. The judicial familiarity with the issues is developing, but it is not yet as advanced as in the US or UK – which places a premium on the expert’s ability to perform the Human Bridge function: translating blockchain complexity into language and concepts that a court encountering cryptocurrency forensic evidence for the first or second time can follow and assess with confidence.

The Practical Implications for Cross-Jurisdictional Matters

Many of the matters we encounter do not sit neatly within a single jurisdiction. Funds stolen in Australia may be traced to exchanges in the UK and wallets linked to individuals in the United States. In these cross-jurisdictional matters, the forensic report must be prepared with an awareness of the procedural requirements of every jurisdiction in which it may be used – and where those requirements conflict, the instructing lawyer and the forensic expert must work together to determine how the report can be structured to satisfy the most demanding standard without becoming procedurally deficient in the others.

The blockchain is borderless. The law is not. And the forensic expert who understands only the blockchain – but not the legal environment in which their evidence will be assessed – is an expert who has mastered the kitchen but not yet learned how to serve the table.

Related Resources

This section is updated as new content is published. Each resource listed below explores a specific aspect of cryptocurrency forensic methodology in greater depth, with direct application to litigation practice across the USA, UK, and Australia.

Commingled Funds & Tracing Methodology

Cryptocurrency Tracing Methodology Scrutinised: D’Aloia v Persons Unknown How the UK High Court rejected black box expert evidence and what it means for every cryptocurrency forensic report produced for litigation.

Forensic Tooling & Attribution

Content forthcoming

Wallet Clustering & Attribution

Content forthcoming

Chain-Hopping & Cross-Chain Tracing

Content forthcoming

Mixer & Tumbler Analysis

Content forthcoming

DeFi Protocol Forensics

Content forthcoming

Jurisdictional Practice: United States

Content forthcoming

Jurisdictional Practice: United Kingdom

Content forthcoming

Jurisdictional Practice: Australia

Content forthcoming

To discuss a matter requiring cryptocurrency forensic expertise, schedule a consultation with the Captura Cyber team.