Are open-source crypto investigations possible? The narrative around cryptocurrency investigations often assumes that meaningful tracing requires expensive, enterprise-grade tools. Platforms like Chainalysis or TRM Labs dominate the conversation, creating the impression that without them, investigators are effectively blind.
However, a growing body of investigative work shows that with the right methodology, discipline, and use of open-source tools, it is entirely possible to trace crypto flows, identify patterns, and build defensible intelligence, even in largely unlabelled blockchain environments.
The following methodology was outlined at a webinar we attended a few weeks ago, presented by the International Consortium of Investigative Journalists.
The problem: transparency without identity
- For investigators, it is a massive dataset with missing identities
- For criminals, it is a system that appears anonymous but is permanently recorded
The methodology below is designed to bridge that gap.
Step 1: Start with attributed wallets, not transactions
- Public court records and legal filings
- Government disclosures (some jurisdictions do not redact wallet addresses)
- Victim reports and scam submissions
- Financial statements and leaked datasets
- Test transactions, sending small amounts to confirm behaviour
This step is foundational. Without attribution, blockchain data is just noise.
Step 2 - Use public block explorers as your core toolset
You don’t need premium platforms to begin tracing. Free tools provide a surprising level of visibility. Some examples of these tools are:
These tools allow you to view transaction histories, identify counter-parties, track inflows and outflows, and detect behavioural patterns.
If the data feels overwhelming in the beginning, that is normal. The value comes from pattern recognition over time.
Step 3: Identify wallet types (hosted vs self-custody)
Understanding wallet types is the first step towards interpreting behaviour.
Hosted wallets (exchange-controlled) belong to centralized platforms and often aggregate funds into large pooled wallets. They are easier to attribute once identified.
Self-custody wallets (unhosted) are controlled entirely by individuals. These wallets don’t have built-in identity linkage and are frequently used in laundering chains.
A key investigative goal is determining when funds move between these two categories. That transition often represents entry into the financial system or exit into fiat or cash equivalents.
Step 4: detect "hot wallet" patterns
Centralized exchanges operate large pooled wallets, often called hot wallets. These have recognizable characteristics:
- High-transaction volume
- Constant inflows from many addresses
- Regular sweeping behaviour
If you can link a wallet to an exchange, you will anchor your investigation to a real-world entity, and create a potential legal or compliance touchpoint.
To validate your connection, you can compare against public proof-of-reserve data, cross-reference multiple independent sources, and look for repeated structural patterns.
Step 5: follow the flow, not just the funds
Tracing is not about single transactions, it is about movement patterns over time. Focus on:
- Repeated transfers between clusters
- Sudden jumps across blockchains
- Rapid creation of new wallets
- Use of stablecoins like USDT in laundering flows
Example patterns to watch:
- Peel chains: small amounts split repeatedly
- Aggregation hubs: many inputs, few outputs
- Burst activity: high volume over short periods
Beyond financial movements, these patterns often reveal operational behaviour.
Step 6: build your own wallet intelligence database
Professional tools rely heavily on proprietary labelling. You can replicate part of this capability manually.
Build a database of:
- Known scam wallets
- Exchange deposit addresses
- Frequently recurring intermediaries
- High-risk clusters
Store this in structured formats, such as JSON for nested transaction relationships, relational tables for quick querying, and graph structures for link analysis.
Over time, your dataset becomes more valuable than any single tool.
Step 7: validate through reproducibility
One of the strongest aspects of blockchain investigations is that they are verifiable. Every claim you make should be reproducible by another analyst.
Validation methods include independent replication of transaction paths, cross-checking with other researchers, and comparing multiple data sources. If your findings cannot be reproduced, they will not hold up under scrutiny.
Step 8: accept the limits and work around them
Some realities cannot be avoided: many wallets remain unattributed. Criminals frequently rotate addresses, and entire operations may exist outside labelled datasets.
However, these limitations also create opportunity. Unlabelled environments increase reliance on behavioural analysis, reward patience and pattern recognition, and ultimately allow independent investigators to discover what tools miss.
In some cases, even major analytics platforms fail to label active laundering operations.
Step 9: expand beyond the blockchain
Crypto tracing is not an isolated activity. The strongest investigations connect blockchain data cwith orporate registries and shell companies, offshore jurisdictions, OSINT sources, domains, emails, social media, and with infrastructure in the physical-world, such as cash-out points.
For example, a wallet linked to a transaction may connect to a company registered in a secrecy-friendly jurisdiction, which in turn links to a known fraud network.
This is where investigations move from technical tracing to intelligence work.
Step 10: think like an adversary
The most effective investigators understand how criminals operate. Common tactics include:
- Generating fresh wallets for each transaction
- Using informal crypto-to-cash brokers
- Mixing legitimate and illicit funds
- Operating across multiple jurisdictions
Your methodology should adapt to these behaviours, rather than assuming static patterns.
The value of open-source crypto investigations
A largely unlabelled blockchain may seem like a barrier. However, the same lack of attribution that protects criminals also limits them. Every transaction they make is permanently recorded.
The advantage goes to the investigator who builds their own datasets, understands transaction behaviour, and connects digital and real-world intelligence.
If you have a methodology, you won’t need expensive tools to solve the mystery.