Crypto Forensics and Asset Tracing: Turning Blockchain Data Into Evidence
In October 2025, the U.S. Department of Justice announced the largest digital-asset seizure on record: 127,271 BTC, worth roughly $15 billion at the time, taken from wallets tied to Chen "Vincent" Zhi and the Prince Holding Group, an entity behind one of the biggest Pig-Butchering Scam compounds in Southeast Asia. Less than a month later, in November 2025, the UK Metropolitan Police secured convictions in a parallel case and recovered 61,000 BTC — valued at roughly £5 billion — from a Chinese national accused of laundering proceeds from an investment fraud that hit more than 128,000 victims between 2014 and 2017.
"Today's civil forfeiture complaint is the latest action taken by the Department to protect the American public from cryptocurrency investment scammers, and it will not be the last." — Matthew R. Galeotti, Head of the U.S. Justice Department's Criminal Division, on a separate $225.3 million crypto seizure announced in June 2025
Neither of these outcomes came from "looking at the blockchain." They came from months of tracing, attribution, exchange cooperation, and — critically — from being able to document what was found in a form that prosecutors, judges, and exchange compliance teams could actually use.
That is the work this article is about. In practical terms, asset tracing answers the question: where did the funds move? Crypto forensics answers the next, much harder question: how can what we found be explained, defended, and used? On a public blockchain, the raw data is abundant. The evidence is not — it has to be built.
This piece doesn't cover recovery, doesn't restate what blockchain is, and isn't written for retail victims. It's written for compliance, risk, legal, and investigation teams who need to understand what happens between seeing a transaction graph and having something a regulator, an exchange, or a court can act on.
What Crypto Forensics Actually Means
In casual conversation, "crypto forensics" is sometimes used as a synonym for "blockchain analytics" or "follow the money." Inside compliance and investigation teams, the distinction matters quite a bit.
Crypto forensics is the methodology for analyzing, verifying, documenting, and presenting on-chain findings so that those findings can stand up to outside review. The work isn't done when an investigator sees the path the funds took. It is done when the path can be explained — clearly, accurately, and with its limits acknowledged — to someone who was not in the room when the analysis happened.
In practical terms, a forensic analysis exists to make on-chain findings usable in five places:
- Internal Compliance Review — confirming or dismissing a suspicious-activity signal that originated from monitoring or an alert.
- Regulatory Reporting — supporting suspicious activity reports or equivalent filings with structured underlying evidence.
- Exchange or Service Provider Escalation — giving another platform enough factual detail to act on a request within its own legal framework.
- Legal and Law Enforcement Support — providing material that can survive cross-examination, expert challenge, or evidentiary review.
- Recovery-Related Documentation — preserving the analytical record that may later support civil or criminal forfeiture proceedings.
A useful way to think about the broader process is in three layers: monitoring generates the alert, investigation determines what it means, and forensic analysis is responsible for the preservation and presentation of evidence. The forensic layer is narrower than "the investigation" as a whole. It is also the layer most often under-built — many teams have strong monitoring tools and capable investigators but no consistent practice for how findings get written down.
The maturity test for a compliance or investigations team isn't "can we find the funds?" It's "can someone else act on what we found?" and "would the file hold up if it had to be defended six months later?"
Asset Tracing vs Blockchain Analytics vs Crypto Forensics
These three terms get used interchangeably, especially in marketing material. They describe different things, and combining them in the wrong order produces weak cases. A simple working formula:
- Analytics identifies signals and relationships across the data.
- Tracing reconstructs the movement of specific funds.
- Forensics documents and structures those findings as evidence.
- Investigation decides what action, if any, should follow.
The clearest way to keep them separate is to look at what each produces and what each is used for.
The order matters. Analytics surfaces something interesting. Tracing reconstructs how the funds got there. Forensics writes it down in a way someone else can use. Investigation decides what to do with the resulting file. Skip any step and the chain breaks — usually at the worst possible moment, like when an exchange's compliance team comes back with detailed follow-up questions or a court asks how attribution was established.
The Financial Action Task Force's Asset Recovery Guidance and Best Practices, issued in November 2025, makes a similar point at policy level: authorities should treat virtual assets as a distinct asset class across the entire recovery lifecycle — identification, tracing, seizure, valuation, management, and disposal. The same logic applies inside private-sector compliance: the lifecycle is end-to-end, and forensics is one specific link in it, not a substitute for the others.
What a Forensic Asset Tracing Report Should Establish
A forensic report is not a screenshot of a transaction graph. It is a structured document that lets a reader who was not part of the analysis understand what was done, what was found, what is uncertain, and what was outside the scope.
A working report typically establishes, at minimum:
- Transaction Hashes — the on-chain identifiers for every transaction included in the analysis. These are the anchor points anyone can verify independently.
- Wallet Addresses — sender, receiver, and intermediate addresses, presented with enough context to show why each one is in the report.
- Asset Type and Amount — which token, on which chain, in what quantity, at what valuation at the time of movement.
- Timestamps — block-time data for each step, not just rough dates.
- Movement Timeline — a chronological narrative of how the funds moved, often with a chart or annotated graph as a visual aid.
- Source of Funds — where the funds entered the analyzed scope (a victim wallet, a known scam cluster, an exchange withdrawal).
- Destination of Funds — where they ended up at the cut-off point of the analysis, including any identified off-ramp.
- Intermediate Wallets — the addresses between source and destination, including any that look like consolidation points, peel chains, or staging wallets.
- Known Services and Entities — exchanges, mixers, bridges, services, or merchant clusters that the funds passed through.
- Risk Exposure — categorized exposure to scams, darknet, sanctioned entities, mixers, ransomware, fraud-linked wallets.
- Attribution Confidence — for each entity tag, an honest assessment of how strong the attribution is and what evidence supports it.
- Open Questions and Limitations — what the analysis could not resolve, and why.
The "known services and entities" layer is often the most powerful part of a report, because it transforms an anonymous-looking string of addresses into a story with named actors.
When funds move across bridges, swap protocols, or wrapped-asset paths, the report needs a different kind of care. A forensic analysis that loses the trail at a bridge and quietly picks it up on the other chain — without explaining how the link was made — is producing a story that may or may not be true. Cross-Chain Analysis is a discipline of its own, and any report involving cross-chain movement should be explicit about how the analyst connected the dots.
What makes a forensic report defensible is rarely how impressive the graph looks. It is whether every claim is sourced, every assumption is named, and every gap is acknowledged. A report that confidently says "the funds went to address X" can be challenged. A report that says "the funds were traced through Y intermediate hops to address X, with high-confidence attribution to Exchange Z based on cluster heuristic A and previously reported intelligence B; the analysis stops here because of limitation C" is much harder to dismiss.
It is equally important to say what a report should not claim. A report should not say the analysis has identified the person behind a wallet — unless KYC data has been independently obtained through proper legal channels. It should not state that an exchange will definitely freeze the funds. It should not assert that funds can be recovered. Those are conclusions belonging to other steps in the lifecycle, and overstating them is the single fastest way to lose credibility.
Why Evidence Quality Matters More Than a Transaction Graph
There is a recurring failure pattern in immature forensic work: someone produces a beautiful, dense, color-coded graph and presents it as evidence. The graph is technically accurate — and almost completely useless to anyone outside the team that built it.
A transaction graph alone is not evidence. It's a visualization of data. Evidence is what you get when the graph is paired with explanation, structure, and honest treatment of uncertainty.
In practical terms, a forensic narrative needs to answer at least five questions, and answer them in a way a non-analyst can follow:
- Relevance — why these specific wallets matter to the case, and not the thousands of others on the graph nearby.
- Direct Exposure — which wallets actually received funds from a known illicit source, with no intermediaries in between.
- Indirect Exposure — which wallets are connected to illicit activity through one or more hops, and how many.
- Confirmed vs. Probabilistic Attribution — which entity tags are based on hard evidence (e.g., a published government action, a confirmed KYC record) and which are based on heuristic clustering or third-party tagging.
- Assumptions and Gaps — every methodological choice that could be challenged, plus every place where the trail goes dark.
The distinction between direct and indirect exposure is especially important. A wallet that received 1 ETH directly from a sanctioned address one block ago is not the same risk story as a wallet that received 1 ETH from a service that, six hops earlier, processed funds from a similar source.
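The report fields listed above and the direct-versus-indirect exposure distinction, worked through on a constructed transaction graph. This is an added example, not AMLBot code or any vendor's tooling: every address, hash, tag, amount and heuristic name below is a constructed placeholder, and the traversal deliberately stops at a mixer so that the dead end lands in the report's limitations rather than being papered over.

```python
"""Direct vs. indirect exposure and report structure over a constructed graph.

Added example, not AMLBot's or any vendor's code. All addresses, hashes, tags
and amounts are constructed; "cluster heuristic A" and "intel source B" are
hypothetical names standing in for whatever supports a real attribution.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_hash: str     # on-chain identifier: the anchor anyone can verify
    sender: str
    receiver: str
    asset: str
    amount: float
    block_time: str  # block time (ISO 8601), not a rough date


@dataclass(frozen=True)
class Tag:
    entity: str
    confidence: str  # "confirmed" (hard evidence) or "probabilistic" (heuristic)
    basis: str       # what supports the attribution


# Constructed ledger: sanctioned source -> peel chain -> mixer / exchange deposit.
TRANSFERS = [
    Transfer("0xtx1", "addr_sanctioned", "addr_a", "ETH", 1.0, "2025-11-01T10:00:00Z"),
    Transfer("0xtx2", "addr_a", "addr_b", "ETH", 0.6, "2025-11-01T10:30:00Z"),
    Transfer("0xtx3", "addr_a", "addr_mixer", "ETH", 0.4, "2025-11-01T10:31:00Z"),
    Transfer("0xtx4", "addr_b", "addr_exch_dep", "ETH", 0.6, "2025-11-02T08:00:00Z"),
    Transfer("0xtx5", "addr_mixer", "addr_c", "ETH", 0.4, "2025-11-03T12:00:00Z"),
    Transfer("0xtx6", "addr_other", "addr_d", "ETH", 2.0, "2025-11-03T13:00:00Z"),
]

TAGS = {  # constructed entity tags with their confidence and basis
    "addr_sanctioned": Tag("Sanctioned entity", "confirmed", "published government action (placeholder)"),
    "addr_mixer": Tag("Mixing service", "probabilistic", "cluster heuristic A (hypothetical)"),
    "addr_exch_dep": Tag("Exchange Z deposit", "probabilistic", "heuristic A + intel source B (hypothetical)"),
}


def trace_forward(transfers, sources, stop_at=()):
    """Breadth-first trace from known illicit sources along outgoing transfers.

    Returns (hops, in_scope_hashes, gaps). hops[addr] is the shortest hop count
    from a source: 1 is direct exposure, >1 is indirect. Addresses in stop_at
    (mixers, bridges) are recorded but not traversed, because the on-chain link
    past them is not established by this method; they are returned as gaps.
    """
    outgoing = {}
    for t in transfers:
        outgoing.setdefault(t.sender, []).append(t)
    hops = {s: 0 for s in sources}
    in_scope, gaps = [], []
    queue = deque(sources)
    while queue:
        addr = queue.popleft()
        if addr in stop_at:
            gaps.append(addr)
            continue
        for t in outgoing.get(addr, []):
            in_scope.append(t.tx_hash)
            if t.receiver not in hops:  # BFS: first visit is the shortest path
                hops[t.receiver] = hops[addr] + 1
                queue.append(t.receiver)
    return hops, in_scope, gaps


def build_report(transfers, sources, tags, stop_at=()):
    """Assemble report sections: hashes in scope, exposure by hop count,
    attribution split by confidence, and dead ends written as limitations."""
    hops, in_scope, gaps = trace_forward(transfers, sources, stop_at)
    tagged = {a: tags[a] for a in hops if a in tags}
    name = lambda a: tags[a].entity if a in tags else "untagged service"
    return {
        "transaction_hashes": in_scope,
        "direct_exposure": sorted(a for a, h in hops.items() if h == 1),
        "indirect_exposure": {a: h for a, h in hops.items() if h > 1},
        "confirmed_attribution": {a: t.entity for a, t in tagged.items() if t.confidence == "confirmed"},
        "probabilistic_attribution": {a: f"{t.entity} ({t.basis})" for a, t in tagged.items()
                                      if t.confidence == "probabilistic"},
        "limitations": [f"Trail not followed past {a} ({name(a)}); onward link not established on-chain."
                        for a in gaps],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(TRANSFERS, ["addr_sanctioned"], TAGS, stop_at={"addr_mixer"}), indent=2))
```

Note that addr_c, which received funds from the mixer, appears nowhere in the report when the mixer is a stop point; it only shows up (as a 3-hop indirect exposure) if the analyst chooses to traverse the mixer and takes responsibility for that link.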
Industry analysis estimates more than $75 billion in on-chain balances linked to criminal activity worldwide, with cumulative seizures over the past decade reaching roughly $34 billion by year-end 2025. (Source: industry asset-recovery research published November 2025)
The gap between those two figures — what's potentially seizable versus what has actually been seized — is largely an evidence gap, not a detection gap. Investigators often know where suspect funds sit; what slows them down is producing the documented, jurisdiction-appropriate package that lets an exchange act, a court order be issued, or an MLA request go through.
This is why "quality of evidence" is a competitive variable for serious compliance and investigations teams. The same set of on-chain findings can produce: a memo that goes nowhere; a report that gets bounced back with follow-up questions; or a package that lets an exchange's compliance officer act the same day. The underlying data is identical. The forensic discipline is what makes the difference.
The audience for forensic evidence is also not who many analysts assume it is. The reader is rarely another blockchain analyst. It is a compliance officer who has 20 minutes between meetings; a lawyer who needs to understand the case before drafting a motion; a regulator who is comparing several reports; or an exchange compliance team who has to weigh the request against their own policy. Each of them has a different threshold for what counts as "clear enough." A good forensic report is written for the least technical reader who will need to act on it.
Where Crypto Forensic Findings Are Used
Forensic output gets consumed in four broad contexts. Each one has its own expectations for what the report should look like and what it should claim.
Internal Compliance Review
This is the most common use case and the lowest-stakes one — at least at first. An alert fires; a wallet looks suspicious; a transaction triggers a monitoring rule. A forensic review either confirms or dismisses the signal.
The purpose at this stage is to make a defensible internal decision: is the alert real, what is the appropriate user-risk-level change, does the case need enhanced due diligence, and is there enough material to escalate further? The forensic output here doesn't have to be courtroom-grade. It does have to be:
- Reproducible — another reviewer should be able to retrace the analysis.
- Documented — risk score at review time, addresses checked, sources consulted.
- Reasoned — the decision (approve / pause / escalate / report) should explain why.
Exchange or Service Provider Requests
When a forensic analysis identifies that suspect funds reached an exchange, custodian, or other regulated service provider, the next step is typically a formal request to that provider — sometimes from the affected user's legal counsel, sometimes from law enforcement.
A forensic package supporting that request should clearly establish:
- Transaction Hashes and Timestamps for the deposits in question.
- The Destination Wallet attributed to that specific exchange, with the basis for attribution.
- Amount and Asset Type in a form the exchange's compliance system can verify quickly.
- Movement Timeline showing how the funds got from origin to the exchange.
What the report should not do is tell the exchange what to conclude. Exchanges operate under their own legal and procedural frameworks. Whether they freeze, hold, or restrict funds depends on their jurisdiction, the legal basis presented, internal policies, and often a court order. In practical terms, a forensic report supports a request; it does not compel an action. Strong reports are written with that distinction firmly in mind.
Legal and Law Enforcement Escalation
When findings are escalated to law enforcement, civil litigation counsel, or regulators, the bar rises sharply. The evidence has to be factual, limited to what can be supported, and clearly separated from interpretation.
Three principles tend to define the difference between a forensic report that works in this context and one that doesn't:
- Factual vs. Interpretive Separation — confirmed on-chain data is presented as fact; everything inferential is clearly labeled as such.
- No Overstatement of Findings — attribution is presented with its actual confidence level, not rounded up.
- Explicit Limitations — what the analysis could not determine is stated openly, not buried.
This is also the context where international cooperation typically becomes a real factor. Mutual Legal Assistance Treaty (MLAT) requests, civil forfeiture complaints, and cross-border subpoenas all rely on forensic material being clean enough to survive scrutiny in jurisdictions other than where the analysis was performed. The November 2025 FATF guidance specifically called for stronger frameworks here, noting that more than 80% of jurisdictions still operate at low or moderate effectiveness in asset recovery — a gap that is, in part, an evidence-quality gap rather than a willingness gap.
In practical terms, an investigator who has worked with law enforcement before tends to write forensic reports differently than one who hasn't. The phrasing becomes more careful, the claims more conservative, the limitations more visible. None of this weakens the case. It strengthens it.
Recovery-Related Cases
Asset tracing can show where stolen funds moved and may identify possible cash-out points or consolidation wallets. That is genuinely valuable, and in some cases it has supported very large recoveries — the $15 billion Prince Group seizure and the UK's 61,000-BTC recovery are recent examples where forensic tracing played a real role in the outcome.
But recovery is not a guaranteed downstream effect of finding the funds. It depends on:
- Timing — whether the funds are still where the analysis found them, or have already moved through a mixer, bridge, or unsupported chain.
- Exchange Cooperation — whether the receiving platform can and will act on a valid legal request.
- Jurisdiction — whether the relevant legal frameworks support seizure or freezing of digital assets, and on what basis.
- Legal Process — whether the appropriate procedural steps (civil forfeiture, criminal restraining order, court-ordered freezing) can be initiated and sustained.
A forensic report in a recovery context should make all of this visible, not obscure it. Promising recovery on the basis of tracing alone is one of the more common forms of overstatement in the field, and one of the easiest ways to damage credibility with sophisticated clients.
The value of forensic asset tracing in a recovery context is not that it produces recovery. It is that it produces the documented foundation without which recovery is essentially impossible to attempt.
What Crypto Forensics Cannot Prove on Its Own
Maturity in this field means knowing what the method cannot do, and saying so plainly. A forensic analysis, on its own, cannot:
- Guarantee Recovery of Funds — tracing where funds went is not the same as getting them back.
- Prove Criminal Intent — movement patterns can be consistent with laundering or fraud, but intent is a legal determination, not an on-chain one.
- Directly Identify a Wallet Owner — a blockchain address is not a name. Identification typically requires KYC data, legal process, or service-provider cooperation.
- Replace Legal Process — even the most thorough report doesn't substitute for a subpoena, an MLAT request, a court order, or a forfeiture complaint.
- Force an Exchange to Freeze Funds — exchanges respond to legal instruments and internal policy, not to forensic reports alone.
- Close All Gaps After Mixers, Bridges, Privacy Tools, or Unsupported Chains — some trails go cold, and a credible report says so rather than papering over it.
- Produce 100% Certainty Where Attribution Is Probabilistic — heuristic clustering is powerful but not infallible.
These aren't weaknesses of the method. They are honest limits — and stating them clearly is what makes the rest of the analysis trustworthy. A report that quietly omits its limitations is, paradoxically, harder to act on than one that names them up front. Compliance officers, lawyers, and law-enforcement contacts have all seen enough overconfident output to know what they are reading.
The shift in the field over the past two years has been precisely toward this kind of disciplined honesty. The forensic reports that produce real outcomes in 2026 — the ones that survive legal review, support successful exchange escalations, and underpin record-breaking seizures — share a common feature: they don't oversell. They show their work.
How AMLBot Supports Forensic Asset Tracing
Different parts of the lifecycle described above need different tools. AMLBot's product stack is structured around that lifecycle rather than around any single step.
AMLBot Tracer is built specifically for the tracing and forensic side. It helps trace funds across wallets and chains, flag high-risk accounts and transactions, identify on-ramp and off-ramp addresses, surface swap activity, and assemble a coherent narrative of fund movement that can be used as the foundation of a forensic report. The point of the tool is not to produce a graph; it is to produce a story the graph supports.
Crypto Transaction Monitoring sits earlier in the chain — at the alert and detection layer. It provides real-time risk scoring, ongoing wallet monitoring, and the continuous transaction surveillance that produces the signals which later require forensic review. In practical terms, the better the monitoring layer, the more focused the forensic work downstream: investigators end up working on cases that actually warrant the depth, rather than chasing noise.
Crypto Compliance Consulting addresses the procedural side: building AML/KYC procedures, transaction monitoring frameworks, investigation processes, and blockchain forensics support tailored to a specific platform's risk profile and regulatory context. This is the layer where the workflow gets built — who escalates, who documents, what the report template looks like, how findings are preserved, and how the team handles requests from exchanges, regulators, or law enforcement.
None of these layers is sufficient alone. Monitoring without forensics produces alerts that go nowhere. Forensics without solid procedures produces findings that don't get acted on. Procedures without tooling produce well-intentioned policies that can't be executed at scale. The combination is what defines a mature operation.
Conclusion
Asset tracing answers a clear, narrow question: where did the funds move? Crypto forensics answers a harder one: how can those findings be documented, explained, and used by people who weren't part of the analysis?
The cases that defined 2025 — the largest crypto seizure in history, the UK's record 61,000-BTC recovery, the $225 million USSS-led seizure tied to investment fraud — share a pattern. They succeeded because the on-chain findings were converted into structured, defensible evidence that exchanges, prosecutors, and courts could act on.
For mature compliance, risk, and investigations teams, this is the practical takeaway. Detection and alerts matter, but they are not the finish line. Crypto forensics and asset tracing are the evidence layer that connects what is found on-chain to what can be done about it — and the quality of that evidence is, increasingly, the difference between an interesting graph and an outcome.
FAQ
What Is Crypto Forensics in Asset Tracing?
Crypto forensics is the process of analyzing blockchain transactions, wallet relationships, fund flows, and risk exposure, and turning that on-chain data into structured evidence. The output is designed for use in investigations, compliance review, exchange escalation, or legal support — not as a raw graph, but as a documented analysis with sourcing, attribution confidence, and acknowledged limitations.
How Is Asset Tracing Different from Crypto Forensics?
Asset tracing shows where funds moved. Crypto forensics explains and documents those findings — which wallets were involved, how funds flowed, what entities may be connected, what risks were detected, and what evidence supports the case. Tracing reconstructs the movement; forensics turns the movement into something a third party can act on.
Is Crypto Forensics the Same as Blockchain Analytics?
No. Blockchain analytics is a broader category that includes monitoring, risk scoring, wallet clustering, and entity attribution. Crypto forensics uses those tools, alongside tracing, to build an evidence-based narrative for a specific case. Analytics surfaces patterns at scale; forensics produces case-specific documentation.
How Is Transaction Tracing Different from Forensic Asset Tracing?
Transaction tracing reconstructs the movement of funds across wallets, services, and chains. Forensic asset tracing adds an evidence structure on top: timeline, risk context, attribution confidence, limitations, and a case narrative usable by compliance, legal, or investigation teams. One produces a path; the other produces a defensible record of that path.
What Should a Forensic Asset Tracing Report Include?
A forensic asset tracing report should include transaction hashes, wallet addresses, timestamps, amounts, asset types, fund-flow paths, intermediate wallets, known entities, risk exposure (direct and indirect), attribution confidence for each tag, and an explicit section on the limitations of the analysis.
Can Crypto Forensics Identify the Person Behind a Wallet?
Not directly. A blockchain wallet does not automatically reveal a person's identity. Crypto forensics can identify links to known services, exchanges, clusters, or risk categories where data is available, but linking a wallet to a specific person typically requires KYC data, legal process, or cooperation from a service provider.
Can Asset Tracing Help Recover Stolen Crypto?
Asset tracing can show where stolen funds moved and may identify possible cash-out points, but it does not guarantee recovery. Recovery depends on timing, exchange cooperation, legal process, jurisdiction, and whether the funds remain traceable and reachable. Tracing is a necessary input to a recovery attempt, not a substitute for one.
Why Does Evidence Quality Matter in Crypto Investigations?
Because a transaction graph alone isn't enough. Good forensic evidence has to explain what is confirmed, what is inferred, what risks were found, and what limitations remain. That structure is what makes the findings useful to compliance teams, lawyers, exchanges, and law enforcement — each of whom has different thresholds and needs.
When Should a Business Use Forensic Asset Tracing?
A business should use forensic asset tracing when a transaction alert, suspicious wallet, fraud report, stolen-funds exposure, sanctions risk, or complex fund movement requires deeper review than a standard wallet check or automated monitoring alert can provide. Forensics is the right tool when the goal is documentation that can support escalation, not just internal triage.
What Can Crypto Forensics Not Prove on Its Own?
Crypto forensics cannot guarantee fund recovery, prove criminal intent, directly reveal a wallet owner's identity, force an exchange to freeze funds, or replace legal procedures. What it can do is document fund movement, risk exposure, and links to known entities — with honest attribution confidence and clearly stated limits.