Good Carder
Professional
Bitcoin and other cryptocurrencies are often perceived as an anonymous "black box." However, the public nature of the blockchain turns it into a detective: every transaction is recorded, which makes it possible to trace stolen funds across the chain. The reality is that Bitcoin is not anonymous, but pseudonymous: addresses don't contain names, but all transactions are permanently recorded in the public ledger, including the amounts, times, and connections between wallets.
This on-chain data is often sufficient to establish connections between wallets and trace the movement of funds. Analytics companies like Chainalysis, Elliptic, and TRM Labs use not only public records but also external data: information from crypto exchanges and exchangers with KYC, IP addresses, payment service data, browser fingerprints, and other digital activity. As a result, a wallet address can be linked to a real person or organization.
According to an independent study by Delft University of Technology (September 2025), Chainalysis' clustering algorithms correctly group up to 95% of addresses associated with specific services, projects, and companies.
In this article, I'll examine how these mechanisms work, the methods carders use to cover their tracks, and how real-world investigations (including the $1.46 billion Bybit hack) reveal the current arms race between analysts and carders.
Part 1. How Analytics Platforms Work: Chainalysis, Elliptic, and TRM Labs
1.1. Chainalysis: The Market Leader in Blockchain Analytics
Chainalysis is a blockchain data analytics platform used to assess risks, track asset flows, and ensure regulatory compliance. Public blockchains offer transparency, but not clarity: a single address can belong to a person, a machine, an exchange hot wallet, a bridge, or a smart contract. Chainalysis uses clustering, heuristics, and attribution to group blockchain addresses into clusters, then assigns them risk labels and behavioral patterns.
Chainalysis' key clustering methods include:
- Common Input Ownership Heuristic (CIOH). When inputs from different addresses are combined in a single transaction, systems assume that all these addresses belong to the same owner. When you spend coins from two of your wallets in a single transaction, you provide the system with a key to combining all your addresses into a single cluster.
- Ownership Heuristic. Analysts group addresses using ownership heuristics, allowing them to identify wallet clusters responsible for specific flows.
- Attribution through external data. Information from KYC-certified exchanges, IP addresses, browser fingerprints, and other digital traces link anonymous addresses to real individuals.
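The Common Input Ownership Heuristic described above, as an added example (not Chainalysis code): union-find clustering over a constructed set of transactions, a filter that withholds the heuristic from CoinJoin-shaped transactions (where co-spent inputs belong to different people), and a one-hop exposure check against a constructed placeholder "sanctioned" address. All addresses, amounts and the sanctioned label are invented for the example.

```python
# Added example (not Chainalysis code): CIOH clustering with union-find,
# a CoinJoin-shaped filter, and a direct-exposure check per cluster.
from collections import Counter, defaultdict

# Constructed sample transactions: (txid, input addresses, [(output address, amount)]).
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], [("X1", 1.5)]),            # A1 and A2 co-spent: same owner
    ("tx2", ["A2", "A3"], [("X2", 0.7)]),            # A3 joins the cluster via A2
    ("tx3", ["B1"], [("A1", 0.2)]),                  # single input: no co-spend evidence
    ("tx4", ["C1", "C2"], [("SANCTIONED_1", 3.0)]),  # cluster paying a flagged address
    # CoinJoin-shaped tx: several inputs, equal-sized outputs. CIOH is wrong here,
    # because the inputs belong to different participants.
    ("tx5", ["D1", "E1", "F1"], [("D2", 0.1), ("E2", 0.1), ("F2", 0.1)]),
]
SANCTIONED = {"SANCTIONED_1"}  # constructed placeholder, not a real SDN entry


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(outputs, min_equal=3):
    """Heuristic: min_equal or more outputs of identical value."""
    counts = Counter(amount for _, amount in outputs)
    return max(counts.values(), default=0) >= min_equal


def cioh_clusters(txs, skip_coinjoin=True):
    """Group addresses that are ever co-spent as inputs of one transaction."""
    uf = UnionFind()
    for _, inputs, outputs in txs:
        for addr in inputs:
            uf.find(addr)  # register singletons too
        if skip_coinjoin and looks_like_coinjoin(outputs):
            continue  # a CoinJoin gives no ownership evidence
        for a, b in zip(inputs, inputs[1:]):
            uf.union(a, b)
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {frozenset(g) for g in groups.values()}


def cluster_of(txs, addr, skip_coinjoin=True):
    for cluster in cioh_clusters(txs, skip_coinjoin):
        if addr in cluster:
            return cluster
    return frozenset()


def directly_exposed_clusters(txs, sanctioned):
    """Clusters with at least one transaction paying a sanctioned address (1 hop)."""
    by_addr = {a: c for c in cioh_clusters(txs) for a in c}
    exposed = set()
    for _, inputs, outputs in txs:
        if any(addr in sanctioned for addr, _ in outputs):
            exposed.update(by_addr[a] for a in inputs)
    return exposed
```

Running with `skip_coinjoin=False` shows the false merge an analyst gets when CoinJoin transactions are not excluded before clustering.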
Modern AI analysis significantly accelerates these processes. Chainalysis uses AI for address clustering and operational triage: Rapid is an AI-powered tool that quickly generates understandable insights for investigations and reduces manual verification.
Chainalysis's key investigative tools include:
| Tool | Purpose | Why is this necessary? |
|---|---|---|
| Reactor | Investigation and tracking of fund flows between addresses and networks | Tracking hacks and movements of large wallets |
| KYT | Know Your Transaction – flags risky inflows and outflows in near real-time | Explains delays, rejections, or verification of deposits on regulated platforms |
| Rapid | AI triage quickly generates insights for investigations | Reduces manual verification, speeds up risk assessment |
| Hexagate | Blockchain threat detection, exploit and phishing tracking | Detection of suspicious activity before funds are fully withdrawn |
The platform also provides incident response and real-time security monitoring. The acquisition of Hexagate makes it possible to detect suspicious blockchain activity, such as exploits or phishing attacks, before funds are fully withdrawn.
1.2 Address Clustering: How Chainalysis Links Millions of Wallets
Chainalysis's key mechanism is clustering: the process of grouping multiple addresses into groups presumably controlled by a single entity (a person, an exchange, or a service).
How it works: the system takes an initial attribution (e.g., a single known exchange address) and deterministically groups millions of other addresses potentially controlled by that entity using powerful clustering algorithms.
The process is based on proven heuristics: studies show clustering accuracy of up to ~95%.
These clusters are then analyzed for connections to sanctioned addresses (listed on OFAC's SDN List), known mixers, or high-risk services.
1.3. Elliptic: A New Focus on Stablecoins and DeFi
Elliptic is a key player in blockchain analytics, along with Chainalysis, Crystal, and TRM Labs. These government-backed companies have clear and benign goals: preventing the use of digital assets for laundering illicit proceeds.
Elliptic's new capabilities (2025-2026):
In October 2025, Elliptic launched a suite of tools for stablecoins with cross-chain tracking capabilities. This solution enables:
- Deep analysis of wallets and tracking of assets moving between different blockchains.
This is especially relevant for traditional financial institutions and large stablecoin issuers (Tether, Circle), which can use these tools to block suspicious addresses.
Smith notes that carders often convert stolen assets into unblockable stablecoins in the early stages of laundering to avoid issuer interference. New tools have been created to counter this.
1.4. TRM Labs: Automatic Cross-Chain Tracking
TRM Labs is the third major platform specializing in automated tracing across multiple blockchains and bridges.
TRM's cross-chain tracing: When carders use chain-hopping — moving funds across different blockchains using bridges — this greatly complicates manual investigation. TRM was the first company in the industry to integrate cross-chain transactions via bridges into its platform.
TRM's key feature is automatic cross-chain indirect exposure tracing: the system automatically "follows money" across multiple blockchains, regardless of the number of bridges used, and presents the results as part of the overall incoming and outgoing flow.
How it works: By plotting a single Bitcoin address in the graph, you can see its indirect exposure to a sanctioned address through a chain of 34 hops, including two bridges, in a single click. The time-ordering feature ensures the chronological validity of each transfer: funds are never shown as sent before they have been received, which is critical for legal cases.
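The time-ordered, cross-chain indirect exposure trace described above, as an added example (not TRM Labs code): a backward breadth-first walk from an address under review to a sanctioned source, counting hops and bridge crossings, where each earlier hop must have happened no later than the hop it feeds. The transfer records, the chain names and the sanctioned address "S" are all constructed; the decoy transfer shows why the ordering rule matters.

```python
# Added example (not TRM Labs code): backward, time-ordered trace of indirect
# exposure from one address to a sanctioned source across bridge hops.
from collections import defaultdict, deque

# Constructed transfer records: (from_addr, to_addr, timestamp, chain, via_bridge).
# "S" is a constructed stand-in for a sanctioned address; "T" is the address under review.
SAMPLE_TRANSFERS = [
    ("S", "M1", 100, "bitcoin", False),
    ("M1", "BRIDGE_IN", 110, "bitcoin", False),
    ("BRIDGE_IN", "M2", 115, "ethereum", True),   # bridge crossing BTC -> ETH
    ("M2", "T", 120, "ethereum", False),
    # Decoy: S pays M2 only at t=130, after M2 already forwarded to T at t=120.
    # Those coins cannot be the ones T received, so a time-ordered trace must skip it.
    ("S", "M2", 130, "ethereum", False),
]
SANCTIONED = {"S"}


def trace_incoming_exposure(transfers, address, sanctioned, enforce_time=True, max_hops=50):
    """Shortest chain of transfers (by hop count) from a sanctioned address into `address`.

    Walks the graph backwards. With enforce_time, each earlier hop must have
    happened no later than the hop it feeds, so funds are never shown as sent
    before they were received. Returns None if nothing is found within max_hops.
    """
    inbound = defaultdict(list)
    for frm, to, ts, chain, bridge in transfers:
        inbound[to].append((frm, ts, chain, bridge))
    queue = deque([(address, float("inf"), [])])  # (addr, latest acceptable ts, path)
    seen = set()
    while queue:
        addr, bound, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for frm, ts, chain, bridge in inbound[addr]:
            if enforce_time and ts > bound:
                continue  # arrived after it was forwarded: not the same coins
            new_path = [(frm, addr, ts, chain, bridge)] + path
            if frm in sanctioned:
                return {
                    "hops": len(new_path),
                    "bridges": sum(1 for hop in new_path if hop[4]),
                    "chains": sorted({hop[3] for hop in new_path}),
                    "path": new_path,
                }
            if (frm, ts) not in seen:
                seen.add((frm, ts))
                queue.append((frm, ts, new_path))
    return None
```

With `enforce_time=False` the decoy produces a two-hop "exposure" that never carried the traced funds, which is exactly the kind of finding that would not survive in a legal case.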
Part 2. Methods for Bypassing and Hiding Transactions
Opponents of analytics have developed a whole arsenal of methods for breaking chains of custody. Some of these approaches rely on the inherent privacy of certain coins, while others exploit vulnerabilities created by the blockchain architecture itself.
2.1. Avalanche Transfers and the Fragmentation Strategy
The strategy involves creating a "web" of tens of thousands of intermediate wallets. Hackers associated with the Lazarus group converted 86.3% of the coins stolen from Bybit (440,091 ETH) into 12,836 BTC and distributed them across 9,117 wallets.
The logic behind the "avalanche" transfers:
- The funds are broken down into many small amounts.
- Each amount passes through a chain of dozens of intermediate addresses.
- A complex, branching graph structure is created.
- The end goals are mixed with legitimate traffic.
Limitation of the method: fragmentation alone doesn't hide the origin of funds; it merely increases the amount of work for the analyst. As long as all addresses are on transparent blockchains, they can still be clustered. The avalanche transfer strategy is most effective when combined with other methods (mixers, private coins, sweep protocols).
2.2 Mixers and CoinJoin
Crypto mixers (also known as tumblers) are services that mix coins from different users to sever the connection between the incoming and outgoing transactions. A typical mechanism is for the mixer to accept coins from one user and return funds from another part of its pool, creating the appearance of a lack of direct connection.
Attacks on mixers via clustering: Blockchain analytics platforms can deanonymize mixers by analyzing timing patterns, volumes, and participant clustering. By monitoring enough network nodes, it's possible to link inputs and outputs even in well-mixed transactions.
New mixers without a single coordinator (JoinMarket, JoinStr) are the next step in privacy development. JoinMarket simply has no coordinator because the structure is a liquidity market. The mechanism itself was discussed in Article 36 ("Next-Generation Crypto Mixers"). However, analytics platforms continue to track them.
2.3. Privacy coins (Monero, Zcash)
Monero and Zcash have built privacy into the protocol, not into a surface-level service.
Monero (XMR) uses three mechanisms:
- Ring signatures to hide the sender (11-16 participants).
- Hidden addresses to hide the recipient.
- RingCT to hide the transfer amount.
Monero is particularly effective against Chainalysis and other analytics firms because their clustering algorithms are built on transparent blockchain analysis. Many experts agree that if you transfer your funds to private coins, you can easily bypass the oversight of analytics systems. However, Monero's liquidity on regulated exchanges is rapidly declining: in recent years alone, Monero has been delisted from 73 major crypto exchanges.
2.4. THORChain and Swap Protocols: A New Trend for 2025–2026
THORChain is a decentralized swap protocol that has emerged on analysts' radars as a key tool for laundering large amounts of stolen funds. Unlike mixers, THORChain makes no attempt to conceal the origin of funds; it simply enables the conversion of stolen assets into other cryptocurrencies without KYC, without intermediaries, and without the possibility of freezing transactions for node operators.
The Kelp DAO thief used THORChain to launder 80 million ETH, exchanging it through THORChain for Bitcoin. The carder's activity caused THORChain's 24-hour volume to increase tenfold to 394 million, generating $660,000 in fees for the protocol.
THORChain remains a neutral, permissionless infrastructure, refusing to block transactions even with clear evidence of fraud origin.
2.5. Smart Contracts and Cross-Chain Bridges
Cross-chain bridges are a popular tool for legally transferring assets between networks. In fraud schemes, bridges create additional steps in the transfer chain, complicating tracking. TRM Labs has developed automated bridge tracking mechanisms, processing over 150 bridge protocols on 30+ blockchains.
Part 3. Real-World Example: Tracking Funds After the Bybit Hack (2025-2026)
In February 2025, hackers withdrew approximately 500,000 ETH, worth approximately $1.46 billion at the time, from the Bybit exchange by breaching its multi-signature cold wallet infrastructure. The hackers gained access to enough keys to authorize the mass withdrawal.
Key dates and events:
- February 2025 – An attack that attracted the attention of the entire crypto community.
- Within 48 hours – independent researchers linked the attack to Lazarus Group by comparing the patterns of fund movement with the group's previous attacks.
- March 2025 – Bybit CEO Ben Zhou reports: 88.87% of stolen funds remain traceable, 7.59% "have gone underground," and 3.54% are frozen.
- February 22, 2025 – The FBI officially confirms that the Lazarus Group (identified as TraderTraitor) is behind the attack.
3.1. Detailed analysis of the investigation and money laundering methods
The hackers' main strategy: the scammers first converted all stablecoins (stETH, cmETH, mETH) into native ETH. They then began systematically laundering the funds in $27 million increments into more than 10 additional wallets.
The total cost of the operation as of March 2025: 440,091 ETH converted into 12,836 BTC and distributed across 9,117 wallets.
What tools did the carders use (first-hand information):
| Tool | Role in the scheme |
|---|---|
| Wasabi Mixer | We ran 193 BTC through this mixer. |
| CryptoMixer | Used for additional "stirring" |
| Railgun | Private transaction platform |
| Tornado Cash | Used to send 400 ETH at the start of the laundering campaign |
| THORChain | The key channel for converting ETH to BTC |
Successes and failures of the investigation:
- Success: Fast attribution (48 hours) and blacklist updates by exchanges helped freeze about 3.54% of funds.
- Failures: About 7.6% of funds "went underground" — their origins can no longer be traced using standard methods.
The key takeaway from the Bybit case is that time is critical in blockchain forensics. The faster funds are tracked and blacklisted, the greater the chance of freezing them before carders reach the final off-ramp services.
Part 4. Defense and Countermeasures: Roadmap for 2026–2027
In carding, it is critical for carders who want to protect their assets from blocking or mislabeling to understand how analytical systems work.
4.1. What can carders and scammers do?
- Regularly check your address history. Run your addresses through free tools like Chainalysis to ensure they haven't received tainted funds from suspicious sources. If a transaction isn't related to you, promptly report the error.
- Don't mix personal and exchange-traded assets. Address clustering can accidentally link your clean funds to a suspicious wallet if they were ever held at the same address.
- Use a hardware wallet for large amounts. This reduces the risk of your funds being mistakenly associated with online trading activity.
- Avoid using public mixers. Many have already been compromised, and their addresses have been blacklisted. If your funds passed through Tornado Cash, they will likely be blocked if you attempt to deposit them to any regulated exchange.
Conclusion: Global Surveillance or Privacy as a Choice
Blockchain analytics has come a long way between 2025 and 2026: from manual analysis of individual transactions to automated AI systems tracking hundreds of thousands of connections across dozens of blockchains in seconds.
Three key takeaways from this article:
- Analytical systems have achieved high clustering accuracy (up to 95%), but they are not infallible. Privacy coins (Monero) and decentralized protocols (THORChain) pose significant challenges to even the most advanced tools.
- Speed of investigation is critical. The Bybit hack showed that attribution within 48 hours allowed for the freezing of 3.54% of funds. Every hour of delay reduces the chances of success.
- Carders are increasingly abandoning centralized mixers, switching to decentralized swap protocols (THORChain, Ren) and private coins, which are more difficult to track and impossible to freeze centrally.
Platforms like Chainalysis, Elliptic, and TRM Labs have evolved from niche tools into a mandatory component of the compliance infrastructure of any major crypto exchange. But carders aren't standing still either — they're adapting, creating new tools and leveraging DeFi's architectural complexity.
For those seeking to protect their legitimate assets from erroneous blocking or labeling, I urge you to remember that every step you take on a public blockchain leaves traces that can be analyzed. Understanding these mechanisms is your best tool for maintaining control of your funds.
A quick one-line reminder:
"A public blockchain remembers everything. Clusters connect millions of wallets through shared transactions. Cross-chain bridges are no longer a barrier for analysts. THORChain and privacy coins are the last bastion for money launderers, but their walls can also crumble. The cleanest trace is one that has never touched suspicious addresses."