SlowMist’s On-Chain Detective Guide: Crypto Asset Tracing Handbook
Background
While the crypto industry has made significant technological strides in recent years, crypto-related crime has grown just as rapidly. The threats range from an increasing number of scams — such as Ponzi schemes, phishing sites, and fraudulent projects — to exploits targeting DeFi protocols, attacks involving unauthorized exchange access, and asset theft following private key leaks. Both the frequency and scale of on-chain crimes continue to rise. According to the SlowMist Hacked database, the blockchain ecosystem suffered 531 security incidents in 2024 and the first half of 2025 alone, with total losses reaching $4.386 billion. Scam Sniffer, a Web3 anti-fraud platform, further reports that Wallet Drainer phishing attacks alone caused approximately $534 million in losses, affecting 375,600 addresses. The actual number of victims is likely far higher than these figures indicate.
Anonymity in cryptocurrency is a double-edged sword. While it protects users’ privacy, it also makes it harder to accurately detect and attribute malicious activity. In addition, the inherently global nature of blockchain often hinders cross-border investigations, judicial cooperation, and asset freezes. As a result, even when the on-chain trail is clear, achieving meaningful progress in some cases remains difficult. This “visible yet untouchable” gap is a major pain point for many cryptocurrency victims.
Many people assume, “Since crypto assets are on-chain and all transfers are public and transparent, recovering funds should be easy, right?” In reality, it is not. On-chain visualization is only the first step; actual recovery involves navigating a series of complex challenges. Attackers often launder funds by moving them through dozens of wallets, withdrawing via anonymous exchanges, mixing assets through mixers, or routing them via proxy contracts. At the same time, most ordinary users lack even basic on-chain knowledge, leaving them powerless against such risks. As a result, even when the movement of funds can be clearly traced, freezing or recovering them may still be impossible.
For this reason, basic on-chain tracing knowledge should not be viewed solely as a “professional skill” for security researchers or hacktivist groups, but as essential learning for everyone in the crypto ecosystem. Whether you are an average investor or work in crypto projects, media analysis, legal support, law enforcement, or other related fields, understanding how on-chain fund flows work, mastering basic tracing tools and techniques, and recognizing abnormal transaction patterns form your first line of defense against risk. In critical moments, timely identification of suspicious fund movements can buy precious hours to freeze assets, and proper use of basic tools can help victims piece together a complete case.
This book, The Blockchain Crypto Asset Tracing Handbook, was written with this goal in mind. It is not a professional research report, nor does it aim to provide a deep technical analysis. Instead, it seeks to help readers grasp the basic framework of on-chain tracing, master practical tools, and enhance their ability to assess and respond to on-chain risks in a clear and actionable way. Whether you are a researcher, investor, journalist, legal professional, law enforcement officer, or an ordinary victim, you will find valuable guidance here.
Due to space limitations, this article only presents the handbook’s key directory structure, which can also serve as a guide. The full content is available at: https://github.com/slowmist/Crypto-Asset-Tracing-Handbook.
Key content
Basic Concepts
1. Mainstream Blockchains and Cryptocurrencies
- Introduces the technical models, ecosystem characteristics, and key tracking points of major public chains, including BTC, ETH, TRON, BNB Chain, Polygon, Solana, Avalanche, Optimism, and Arbitrum.
- Explains the role of stablecoins such as USDT and USDC and their importance in asset tracing and law enforcement efforts.
2. Core Concepts in Tracing
- Blockchain address classification: Covers deposit addresses, hot wallets, cold wallets, contract addresses, multi-signature addresses, black hole addresses, and more.
- Transaction structure and elements: Details key data points such as block height, transaction hash, gas, asset mixing, exchanges, cross-chain activity, input data, event logs, and others.
- Platform differentiation: Explains centralized exchanges (CEX), decentralized exchanges (DEX), cross-chain bridges, and nested platforms, highlighting their distinct roles in tracking and analysis.
- UTXO and change mechanism: Provides a detailed explanation of the unspent transaction output (UTXO) input/output model used by Bitcoin and similar chains, including the concept of change addresses and their impact on fund tracing.
3. Blockchain Explorers
- This section introduces commonly used blockchain explorers for major chains and their functions, demonstrating how to query addresses, track transactions, interact with contracts, and perform other basic operations.
- Explains the key roles of tabs, transaction details, token transfer records, contract call functions, and event logs within the blockchain explorer.
Tracing Tools
1. Introduction to MistTrack
MistTrack is an on-chain analysis and anti-money laundering platform independently developed by SlowMist. Its core functions include transaction monitoring, risk assessment, address labeling, and analysis of transaction behavior and traceability. It currently supports querying and tracking data across 18 major public chains and maintains a large risk intelligence database. MistTrack plays a key role in assisting investigations of on-chain security incidents and supporting compliance and risk management.
2. MistTrack in Use
- How to use a blockchain explorer together with MistTrack for on-chain fund tracking.
- How to identify high-risk addresses, analyze transaction paths, and trace the final destination of funds.
3. Community Tools
Introduces commonly used on-chain analysis and investigation tools publicly shared by the well-known sleuth ZachXBT, helping users select the appropriate auxiliary tools based on their needs.
Common Fund Movement Patterns
1. Peel Chain: At each hop a small amount is peeled off to a side address while the bulk of the funds moves on to a fresh address, producing a long chain of transfers that extends the funding path.
2. One-to-many Distribution: Large amounts are divided into smaller portions and dispersed across multiple addresses, forming a “fan-shaped” structure.
3. Multi-hop Transfers: Funds move rapidly across multiple addresses, with each address used only once, avoiding contracts and creating long transaction paths.
4. Mixer Usage: Funds are injected into a mixing pool and combined with other assets, breaking the direct link between inflows and outflows.
5. Cross-Chain Bridge Hops: Assets are transferred to other chains via cross-chain bridges, breaking the transaction path, changing asset forms, and evading single-chain monitoring.
6. Many-to-one Consolidation: Dispersed assets are quickly consolidated into a core wallet for easier withdrawal or transfer, often during emergency escape attempts.
7. P2P/OTC: Assets are exchanged for fiat or privacy coins through peer-to-peer transactions or over-the-counter intermediaries.
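The peel chain and one-to-many patterns above can be told apart mechanically: follow the largest outgoing transfer at each hop and record whatever is split off, stopping when the funds fan out roughly evenly. The tracer below is an added example (not code from the handbook or MistTrack) run over a constructed set of transfers; the addresses and the 20% peel threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount); addresses are placeholders.
SAMPLE_TXS = [
    ("hacker0", "hop1", 100.0),
    ("hop1", "peel1", 3.0),          # small amount peeled off to a side address
    ("hop1", "hop2", 97.0),          # bulk moves on to a fresh address
    ("hop2", "peel2", 2.5),
    ("hop2", "hop3", 94.5),
    ("hop3", "peel3", 4.0),
    ("hop3", "hop4", 90.5),
    ("hop4", "cex_deposit", 90.5),   # final hop lands on an exchange deposit address
    ("unrelated", "peel1", 50.0),    # noise that must not pull the tracer sideways
]


def build_outgoing(txs):
    """Index transfers by sender so each hop's outgoing set is a cheap lookup."""
    out = defaultdict(list)
    for src, dst, amt in txs:
        out[src].append((dst, amt))
    return out


def trace_peel_chain(txs, start, peel_ratio=0.2, max_hops=50):
    """Return (path, peels).

    path  : addresses that carried the bulk of the funds, starting at `start`
    peels : (hop_address, side_address, amount) for every split-off amount
    A hop continues the chain only if its largest outgoing transfer carries at
    least (1 - peel_ratio) of everything it sent; otherwise the funds fanned
    out (one-to-many distribution) and the chain ends there.
    """
    out = build_outgoing(txs)
    path, peels, current = [start], [], start
    for _ in range(max_hops):           # hard cap also protects against cycles
        sends = out.get(current)
        if not sends:
            break                       # nothing outgoing: end of the trail
        total = sum(a for _, a in sends)
        bulk_dst, bulk_amt = max(sends, key=lambda s: s[1])
        if bulk_amt < (1 - peel_ratio) * total:
            break                       # evenly split: not a peel chain hop
        peels.extend((current, d, a) for d, a in sends if d != bulk_dst)
        path.append(bulk_dst)
        current = bulk_dst
    return path, peels
```

The side addresses collected in `peels` are the ones worth labelling next, since they often hold the attacker's spending money while the bulk continues to a deposit address.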
What to Do If You Get Hacked
1. Prioritize Loss Prevention
Emergency Loss Prevention:
- When assets show abnormal activity, immediately transfer the remaining funds to a secure wallet or trade them in advance to minimize losses.
- If you hold freezeable tokens (such as USDT or USDC), contact the issuer as soon as possible to request a freeze.
- If assets flow into centralized exchanges, collect evidence and apply for freezing.
- Use on-chain tracking tools (such as MistTrack) to trace the hacker’s path and mark high-risk addresses.
- Check whether wallet permissions have been tampered with or if any malicious multi-signature activity has occurred (see linked article on malicious multi-signatures).
Prevent further damage:
- Verify the security of related wallets and mnemonics.
- Promptly revoke authorizations (e.g., via Revoke.cash).
- Change passwords and enable multi-factor authentication to close potential attack vectors.
- Remain vigilant against fake customer service scams.
2. Preserve the Scene
- Remain calm, disconnect from the Internet, but do not shut down your computer or delete any files, preserving the original environment for evidence collection.
- Save all relevant evidence, including chat logs, emails, web pages, and other related materials.
3. Conduct Preliminary Analysis
- Use blockchain explorers and MistTrack to trace fund flows and identify coin mixing, cross-chain transfers, and inflows to centralized platforms.
- Understand the context of addresses through risk reports.
- Submit the attacker’s address to relevant platforms to aid in prevention.
4. Contact Professional Agencies
Seek assistance from security firms for on-chain analysis, coordination of asset freezes, on-chain investigation, and report preparation.
5. File a Police Report and Seek Legal Assistance Early
- Report the case to the police and prepare detailed documentation.
- If cross-border assets are involved, consult a lawyer to facilitate international investigations.
- Multiple victims can file a joint report to improve the chances of a successful outcome.
6. Ongoing Follow-up and Profiling
Continuously monitor both on-chain and off-chain clues — such as addresses, transactions, social media, and devices — to build a comprehensive profile of the attacker.
7. Tokens Eligible for Freezing
Includes USDT (Tether), USDC (Circle), BUSD, TUSD, PAX, GUSD, and other freezeable tokens; apply for freezing promptly to prevent further loss of funds.
Cross-chain Bridge Tracking Analysis
1. Introduction to Bridges
The core function of a Bridge is to let users lock assets on one chain and receive a mapped version of the equivalent asset (Wrapped Token) on another chain, or to directly release the native asset. The main types include decentralized verification, Relay/Observer, Multi-Signature/Escrow, Liquidity Pool, and Native Cross-Chain bridges.
2. Bridge Analysis
- Cross-chain Bridge Explorers: Many cross-chain bridges offer dedicated explorers that enable users to directly view transaction details, amounts, and destination addresses across chains.
- Blockchain Explorers: If no official bridge explorer is available, a general blockchain explorer (such as BscScan or Etherscan) can be used to parse the cross-chain transaction data.
  - Pay attention to the transaction's decoded input data and event logs. Key fields include the receiver (the address that receives funds after the cross-chain transfer) and the dstChainId (destination chain ID).
  - The receiving address format may require conversion across chains, for example converting an EVM address to a TRON address.
- MistTrack Cross-chain Analysis: MistTrack provides one-click analysis of cross-chain transactions, supports multiple bridge protocols, and enables intra-transaction DEX analysis.
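A receiver field decoded from a bridge transaction is a 20-byte EVM-style value, while TRON explorers expect the base58check form (version byte 0x41, double SHA-256 checksum). The converter below is an added example, not code from the handbook or MistTrack; it implements the standard base58check encoding so an analyst can pivot between the two forms and reject a mistyped address before searching for it. The sample address in the test is constructed.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRON_PREFIX = b"\x41"  # TRON mainnet version byte; every encoded address starts with 'T'


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte becomes a '1'
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)      # ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    # base58check: first 4 bytes of double SHA-256 over version byte + address bytes
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def evm_to_tron(evm_addr: str) -> str:
    hex_part = evm_addr[2:] if evm_addr.lower().startswith("0x") else evm_addr
    raw = bytes.fromhex(hex_part)
    if len(raw) != 20:
        raise ValueError("EVM address must be 20 bytes")
    payload = TRON_PREFIX + raw
    return b58encode(payload + checksum(payload))


def tron_to_evm(tron_addr: str) -> str:
    data = b58decode(tron_addr)
    if len(data) != 25 or data[:1] != TRON_PREFIX:
        raise ValueError("not a TRON mainnet address")
    payload, check = data[:21], data[21:]
    if check != checksum(payload):
        raise ValueError("checksum mismatch: address is mistyped or corrupted")
    return "0x" + payload[1:].hex()


def is_valid_tron_address(tron_addr: str) -> bool:
    """Gate explorer lookups on this so a corrupted receiver is not traced by mistake."""
    try:
        tron_to_evm(tron_addr)
        return True
    except ValueError:
        return False
```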
Privacy Tool Tracking Analysis
1. Introduction to Mixers
Mixers are tools that enhance transaction privacy by pooling multiple users’ assets and breaking the direct mapping of funds. The main types include smart contract mixers, centralized mixers, collaborative mixing protocols, and privacy coins.
2. Mixer Analysis
- Tornado Cash Analysis
- Wasabi Coinjoin Analysis
NFT Tracking Analysis
1. Identify the NFT contract address and token ID.
2. Use tools (such as NFTScan or NFTGo) to trace the NFT's full history from minting to its current state.
3. Pay special attention to the movement of funds after the NFT is sold at a high price or transferred to the attacker's address.
Address Behavior Analysis
1. Active Behavior Feature Identification
- Sleep wake-up: Sudden large-scale transfers following a long period of inactivity, often seen in cases of absconding or liquidation.
- High-frequency transfers: Numerous small transfers occurring in a short time, commonly used for money laundering or fund dispersion.
- Fixed-amount transfers: Repeated transfers of large, near-identical amounts, potentially produced by automated scripts or by a mixer.
- Short-lifetime address: A newly created address with rapid incoming and outgoing funds, typically used as a temporary wallet.
2. Address Clustering Analysis
- Input clustering: Addresses that appear together as inputs of the same transaction are inferred to be controlled by the same entity.
- Behavioral synchronization: Addresses perform similar actions at similar times.
- Shared services: Multiple addresses interact with the same contract or service following similar behavior patterns.
- Consistent transaction parameters: Similar gas fees, slippage settings, and other transaction parameters.
- Address naming patterns: Some attack groups exhibit identifiable patterns in how they name addresses.
3. Risk Behavior Profiling
- Rapid fund laundering: Quick movement of assets to obscure origins.
- Frequent use of mixing protocols: Repeated interactions with mixers to break transaction links.
- Frequent cross-chain transfers: Moving funds across multiple chains to evade tracking.
- Suspicious contract interactions or failed calls: Unusual or unsuccessful contract executions.
- Automated phishing or theft operations: Systematic automated actions targeting victims’ assets.
4. Address Labels and Off-Chain Identity
- Interactions with centralized exchanges, where KYC records can identify the individual behind an address.
- Identify potential links to funds associated with high-risk addresses.
- Correlate on-chain activities with social platform behavior timestamps.
- Use leaked data to assist in fuzzy identity matching.
5. AI Tools and Analysis
Leveraging AI platforms like MistTrack MCP enables automated generation of address profiles, risk scores, and transaction graphs, enhancing both the efficiency and accuracy of analysis. Users can issue natural language queries to track fund flows and behavioral profiles, obtaining results quickly.
Recommendations for Asset Freezing and Recovery
Asset freezing and recovery are complex processes involving multiple factors, including legal procedures, exchange cooperation, and cross-border law enforcement. Freeze requests typically must be initiated by the police or lawyers, making them difficult for individuals to handle alone. It is recommended to prepare a complete chain of evidence and work with a professional security team. Freezing serves only as a temporary measure; actual asset recovery depends on a full, closed-loop process of on-chain analysis, judicial coordination, and platform cooperation.
Closing Remarks
We recognize that a handbook cannot resolve all on-chain security issues. However, if it can give you extra seconds to make judgments during abnormal transfers, help preserve clues when a project absconds, or enable more accurate descriptions of suspicious asset flows in media and community discussions, then it has fulfilled its intended purpose.
Blockchain security is an ongoing battle between offense and defense. SlowMist will continue collaborating with the community to advance quality security education and knowledge sharing. Each disclosure of fund flows delivers a strong blow to fraud, and every clear educational article, shared tracking process, and case analysis serves as a solid shield, helping the community collectively safeguard security.
This concludes the introduction. You are welcome to read and share the full version:
https://github.com/slowmist/Crypto-Asset-Tracing-Handbook
or PDF version:
https://www.slowmist.com/report/SlowMist-Crypto-Asset-Tracing-Handbook(Beta-EN).pdf
Note: This handbook is intended for educational and informational purposes only and does not constitute legal, investment, or law enforcement advice. The tools, platforms, and cases mentioned are compiled or simulated from publicly available information and are not aimed at any individual or organization. When conducting actual tracking, please exercise discretion according to your own circumstances and seek professional assistance as needed. If you have any suggestions or notice any errors, please contact us.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience and has since grown into a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
