The Difference Between a Blockchain Analyst and a Blockchain Expert Witness
· 7 min read
Education
How to Read a Blockchain Transaction: A Guide for Attorneys
Nick Kampe
9 min read When a client hands you a transaction hash — a long string of letters and numbers that looks like 0x3a9f...c841 — and tells you it represents the fraudulent transfer at the center of their case, you need to know what to do with it. Reading a blockchain transaction is not a technical skill reserved for engineers. It is a core literacy skill for any attorney handling digital asset disputes. This guide explains what you are looking at and what it means for your case.
What a Transaction Hash Is
A transaction hash (also called a transaction ID or TXID) is a unique identifier for a single blockchain transaction. Every transaction ever recorded on a public blockchain has one, and no two are the same. The hash is computed from the transaction data itself, which means it is a tamper-evident fingerprint: if any detail of the transaction changed, the hash would change.
This property makes blockchain transactions attractive as evidence. A transaction hash you look up today will show the same data it showed when the transaction was recorded, because the underlying blockchain ledger is immutable. The information is also publicly accessible — anyone with internet access can look it up.
Where to Look It Up
For Ethereum and most EVM-compatible blockchains, go to Etherscan.io and paste the transaction hash into the search bar. For Bitcoin, use Blockchain.com/explorer or Mempool.space. For Solana, use Solscan.io. For Tron, use Tronscan.org.
Each of these is a block explorer — a publicly accessible interface to the raw blockchain data. The data they show is the same data that anyone else looking at the same blockchain can access. These platforms do not create or curate the data; they display it.
What You Will See: Ethereum Transaction Fields
When you look up an Ethereum transaction on Etherscan, here is what each field means:
Transaction Hash — The unique identifier you searched for. If it matches what your client gave you, you are looking at the right transaction.
Status — "Success" means the transaction executed as intended. "Failed" means the transaction was submitted but reverted, typically due to a smart contract condition not being met. A failed transaction still costs gas and is still permanently recorded on the chain.
Block — The block number in which this transaction was confirmed. Blockchain records are organized into sequential blocks. Higher block numbers are more recent. The block timestamp tells you exactly when the transaction was confirmed.
Timestamp — The date and time the transaction was confirmed, expressed in UTC. This is evidence of when the transfer occurred. Blockchain timestamps are set by the network's consensus process and are generally accurate to within a few seconds of real-world time.
From — The address that initiated and signed the transaction. This is the sender. Every Ethereum transaction is cryptographically signed by the sender's private key. The "From" field is not self-reported — it is mathematically derived from the signature. This is why it cannot be forged.
To — The address that received the transaction. This may be a user wallet (an externally owned account) or a smart contract. If it is a contract address, the transaction is interacting with that contract's code, which is more complex to interpret.
Value — The amount of native cryptocurrency (ETH, in this case) transferred directly. Many ERC-20 token transfers show a value of 0 ETH, because the token transfer is handled by the contract, not by the native value field.
Transaction Fee — The gas fee paid to the network. This is important in some disputes but is not part of the transferred value.
Input Data — If the "To" address is a contract, this field contains the encoded instructions telling the contract what to do. This is where ERC-20 token transfers are encoded, and it is where DeFi protocol interactions are documented. Reading input data requires technical interpretation.
Token Transfers vs. ETH Transfers
A common point of confusion: when someone transfers USDC, USDT, or any ERC-20 token, the ETH value field of the transaction will show 0. The actual token transfer is encoded in the "Input Data" as a function call to the token contract's transfer() function.
Etherscan helpfully decodes this and displays it in an "ERC-20 Tokens Transferred" section beneath the main transaction fields. This shows the token, the amount, the sender, and the recipient. This is the information you need for most cryptocurrency dispute tracing involving stablecoins or tokens.
What a Bitcoin Transaction Looks Like
Bitcoin transactions work differently. Bitcoin has no "From" field in the same sense — instead, Bitcoin uses an Unspent Transaction Output (UTXO) model. Each Bitcoin transaction consumes specific prior outputs (inputs) and creates new outputs.
On Blockchain.com or Mempool.space, a Bitcoin transaction shows:
- Inputs: One or more prior UTXOs being spent, with their addresses
- Outputs: One or more destination addresses and amounts
The key distinction from Ethereum: there is no single "sender" address by design. Multiple input addresses may appear in the same transaction. Blockchain forensics uses this structure — the common-input ownership heuristic — to infer that multiple input addresses are likely controlled by the same party. That inference is probabilistic, not absolute.
Confirmations: What They Mean for Evidence
Every transaction shows a "confirmations" count — how many blocks have been added on top of the block containing this transaction. For Bitcoin, 6+ confirmations is the standard for finality. For Ethereum, finality is more complex but practically speaking, transactions older than a few minutes are permanent.
For evidentiary purposes, a transaction with hundreds or thousands of confirmations is finalized. It cannot be reversed, altered, or removed. This is different from a bank transaction that can be reversed by the institution for days or weeks after it posts.
What a Block Explorer Does Not Show
Block explorers display on-chain data. They do not show you who controls an address. An Ethereum address is just a public key hash. The block explorer cannot tell you that 0x3a9f...c841 belongs to your opposing party's personal wallet without additional evidence. That attribution step — connecting an address to a person — requires external evidence: exchange KYC records, IP logs, device data, or other corroboration.
This is the foundational limitation of blockchain evidence. The transaction is undeniable. The attribution of who initiated it is a separate question.
Internal Transactions
On Ethereum, you will often see a tab labeled "Internal Transactions." These are value transfers triggered by smart contract execution, not by a direct user transaction. When a DeFi protocol routes funds through multiple contracts in a single user transaction, those sub-transfers show up as internal transactions.
Internal transactions are important for tracing fund flows through DeFi. A user's transaction may show 0 ETH value in the main record, but internal transactions reveal that the contract sent funds to multiple destinations. Forensic analysis of DeFi interactions requires reading internal transaction data.
How to Preserve This Evidence
For litigation purposes, screenshots of block explorer pages are acceptable exhibits but are better supplemented with:
- Direct node queries or API exports with query parameters logged, establishing that the data came from the blockchain itself, not from a third-party display that could theoretically be manipulated
- SHA-256 hashes of exported transaction data files recorded at the time of capture
- Timestamps of when data was retrieved, establishing the point-in-time snapshot
A blockchain forensic expert can provide authenticated blockchain data that has been preserved with proper chain of custody, and can explain the technical meaning of each field in a format appropriate for expert disclosure.
The Practical Takeaway
Understanding how to read a blockchain transaction lets you evaluate the strength of the blockchain evidence in your matter before you engage an expert. You can assess whether the transaction hash your client provided actually shows what they claim, understand what the opposing party's exhibit actually contains, and ask better questions of a forensic expert.
The on-chain data is public and permanent. Getting to it requires only knowing where to look and what each field means. The harder part — attributing that transaction to a specific person — is where qualified forensic analysis begins.
Related Articles
Deconstructing a Ponzi on the Blockchain: Methodology and Evidence
· 11 min read
What Happens When Cryptocurrency Is Sent to the Wrong Address
· 7 min read
Was this article helpful?
If your matter involves blockchain evidence, ConsensusIntel can help you evaluate your options.
Get in Touch