[{"data":1,"prerenderedAt":1165},["ShallowReactive",2],{"tag-forensics":3},[4,420,787],{"_path":5,"_dir":6,"_draft":7,"_partial":7,"_locale":8,"title":9,"description":10,"slug":11,"date":12,"lastUpdated":13,"author":14,"readingTime":15,"category":16,"tags":17,"ogImage":22,"featured":7,"body":23,"_type":413,"_id":414,"_source":415,"_file":416,"_stem":417,"_extension":418,"sitemap":419},"\u002Farticles\u002F06-what-lawyers-need-to-know-about-defi","articles",false,"","What Lawyers Need to Know About DeFi","A plain-language guide to decentralized finance for attorneys: how DeFi protocols work, why they complicate asset tracing, and what forensic analysis can and cannot establish.","what-lawyers-need-to-know-about-defi","2026-04-24","2025-04-24","Nick Kampe",9,"Education",[18,19,20,21],"DeFi","decentralized finance","smart contracts","forensics","\u002Fog\u002Fwhat-lawyers-need-to-know-about-defi.png",{"type":24,"children":25,"toc":393},"root",[26,34,39,44,51,56,61,66,77,87,97,107,113,120,125,130,136,141,146,152,157,162,168,173,178,184,190,195,200,206,211,216,222,227,233,238,243,249,254,259,265,270,275,305,309,315,323,328,336,341,349,354,362,367,375,380,388],{"type":27,"tag":28,"props":29,"children":30},"element","p",{},[31],{"type":32,"value":33},"text","Decentralized finance, commonly abbreviated as DeFi, has grown from an experiment to a substantial segment of the cryptocurrency ecosystem. Billions of dollars move through DeFi protocols daily. That means DeFi is now appearing in litigation: in divorce proceedings where a party holds assets in a liquidity pool rather than an exchange account, in fraud cases where victims' funds were routed through DeFi before disappearing, and in securities and regulatory matters where the structure of a protocol is itself at issue.",{"type":27,"tag":28,"props":35,"children":36},{},[37],{"type":32,"value":38},"For attorneys handling these matters, DeFi presents distinct challenges compared to conventional cryptocurrency holdings. There is no exchange to subpoena for account records. The assets are controlled by smart contract code running on a public blockchain. The terminology is unfamiliar, and the mechanics require some explanation to be useful in court.",{"type":27,"tag":28,"props":40,"children":41},{},[42],{"type":32,"value":43},"This article covers what DeFi is, how it works in practice, why it complicates asset tracing, and what forensic analysis can realistically produce when DeFi is part of the picture.",{"type":27,"tag":45,"props":46,"children":48},"h2",{"id":47},"what-defi-is",[49],{"type":32,"value":50},"What DeFi Is",{"type":27,"tag":28,"props":52,"children":53},{},[54],{"type":32,"value":55},"Traditional finance relies on intermediaries: banks that hold deposits, brokers that execute trades, exchanges that match buyers and sellers, and lenders that manage loans. Each intermediary maintains records, is subject to regulatory oversight, and can be compelled through legal process to produce those records.",{"type":27,"tag":28,"props":57,"children":58},{},[59],{"type":32,"value":60},"DeFi replaces those intermediaries with software: specifically, with smart contracts deployed on a blockchain. A smart contract is a program stored permanently on the blockchain that executes automatically when specific conditions are met. The contract holds the funds and enforces the rules of the protocol without requiring a company or person to manage each transaction.",{"type":27,"tag":28,"props":62,"children":63},{},[64],{"type":32,"value":65},"The four most litigation-relevant DeFi categories are:",{"type":27,"tag":28,"props":67,"children":68},{},[69,75],{"type":27,"tag":70,"props":71,"children":72},"strong",{},[73],{"type":32,"value":74},"Decentralized exchanges (DEXs)",{"type":32,"value":76}," allow users to trade one cryptocurrency for another by interacting directly with a smart contract. Unlike a traditional exchange, there is no order book maintained by a company, no account registration, and no KYC process. The user connects a wallet, initiates a trade, and the smart contract executes it based on an automated pricing formula.",{"type":27,"tag":28,"props":78,"children":79},{},[80,85],{"type":27,"tag":70,"props":81,"children":82},{},[83],{"type":32,"value":84},"Lending protocols",{"type":32,"value":86}," allow users to deposit cryptocurrency as collateral and borrow against it, or to deposit assets that others borrow. The interest rates are set algorithmically based on supply and demand. A party might hold a substantial amount of cryptocurrency deposited as collateral in a lending protocol while simultaneously holding borrowed funds in a separate wallet.",{"type":27,"tag":28,"props":88,"children":89},{},[90,95],{"type":27,"tag":70,"props":91,"children":92},{},[93],{"type":32,"value":94},"Liquidity pools",{"type":32,"value":96}," are how most DEXs maintain the assets needed to execute trades. Users deposit pairs of tokens (for example, equal values of ETH and USDC) into a pool and receive liquidity provider tokens in return. Those liquidity provider tokens represent the depositor's share of the pool and accumulate trading fees over time. Liquidity positions are meaningful financial interests that may not be visible without specific knowledge of where to look.",{"type":27,"tag":28,"props":98,"children":99},{},[100,105],{"type":27,"tag":70,"props":101,"children":102},{},[103],{"type":32,"value":104},"Yield farming",{"type":32,"value":106}," involves moving assets among protocols to maximize returns, often in combination with the protocols above. A user might deposit collateral in a lending protocol, borrow against it, deposit the borrowed assets into a liquidity pool, and stake the resulting liquidity tokens in a rewards contract. The resulting position is complex, multi-layered, and difficult to value without reconstructing each step.",{"type":27,"tag":45,"props":108,"children":110},{"id":109},"why-defi-complicates-tracing",[111],{"type":32,"value":112},"Why DeFi Complicates Tracing",{"type":27,"tag":114,"props":115,"children":117},"h3",{"id":116},"no-kyc-and-no-account-records",[118],{"type":32,"value":119},"No KYC and No Account Records",{"type":27,"tag":28,"props":121,"children":122},{},[123],{"type":32,"value":124},"The absence of an intermediary means the absence of the records an intermediary would maintain. There is no exchange database containing a user's identity, no linked bank account, and no account statement documenting the position. A party who holds the majority of their cryptocurrency wealth in DeFi positions has not necessarily done anything to conceal it, but the evidence path is fundamentally different.",{"type":27,"tag":28,"props":126,"children":127},{},[128],{"type":32,"value":129},"The on-chain record is there. Every interaction with every DeFi protocol is recorded permanently on the blockchain, in more detail than a simple transfer between wallets. The challenge is interpreting that record, not finding it.",{"type":27,"tag":114,"props":131,"children":133},{"id":132},"smart-contract-intermediaries",[134],{"type":32,"value":135},"Smart Contract Intermediaries",{"type":27,"tag":28,"props":137,"children":138},{},[139],{"type":32,"value":140},"When a user interacts with a DeFi protocol, their funds often pass through multiple smart contract addresses before reaching their effective destination. A party who deposits funds into a lending protocol might see their funds move to a contract address, then an internal accounting address, then a reserve address, all in a single transaction. Without knowledge of the protocol's architecture, that transaction flow looks complex and may appear to terminate at an address with no obvious connection to the depositor.",{"type":27,"tag":28,"props":142,"children":143},{},[144],{"type":32,"value":145},"Analysts who are not familiar with specific DeFi protocols may misread this activity as an attempt at concealment when it is simply the normal operation of the protocol. Correctly interpreting DeFi transaction traces requires knowing which contract addresses belong to which protocols and understanding how those protocols internally account for user positions.",{"type":27,"tag":114,"props":147,"children":149},{"id":148},"cross-chain-bridges",[150],{"type":32,"value":151},"Cross-Chain Bridges",{"type":27,"tag":28,"props":153,"children":154},{},[155],{"type":32,"value":156},"DeFi operates across many different blockchains. A user who moves funds from Ethereum to a different chain through a bridge creates a gap in the on-chain trace: funds go into the bridge contract on one chain and emerge from the bridge contract on the other. The analyst following the money must identify the bridge protocol, understand how it operates, and follow the transaction on the destination chain from the corresponding bridge output.",{"type":27,"tag":28,"props":158,"children":159},{},[160],{"type":32,"value":161},"Bridge protocols are not nefarious by design, but they are used in cases of intentional fund movement across chains specifically because they create trace complexity. Identifying bridge activity and following funds across chains is possible but requires specific technical knowledge.",{"type":27,"tag":114,"props":163,"children":165},{"id":164},"liquidity-positions-are-not-cash-balances",[166],{"type":32,"value":167},"Liquidity Positions Are Not Cash Balances",{"type":27,"tag":28,"props":169,"children":170},{},[171],{"type":32,"value":172},"A party with $500,000 deposited in a liquidity pool does not hold $500,000 in a wallet balance. They hold liquidity provider tokens representing a share of the pool. The value of those tokens fluctuates based on the pool's composition and the exchange rates of the underlying assets. Valuing that position at a specific point in time requires knowing the pool's state at that moment.",{"type":27,"tag":28,"props":174,"children":175},{},[176],{"type":32,"value":177},"This creates both a valuation challenge and a disclosure problem. A party instructed to disclose all cryptocurrency holdings may list only their wallet balances, omitting the liquidity positions that represent the bulk of their holdings. Those positions are assets with real value, but they do not look like cryptocurrency balances unless the investigator knows to look for them and knows how to read them.",{"type":27,"tag":45,"props":179,"children":181},{"id":180},"defi-in-litigation-relevant-scenarios",[182],{"type":32,"value":183},"DeFi in Litigation-Relevant Scenarios",{"type":27,"tag":114,"props":185,"children":187},{"id":186},"rug-pulls-and-exit-scams",[188],{"type":32,"value":189},"Rug Pulls and Exit Scams",{"type":27,"tag":28,"props":191,"children":192},{},[193],{"type":32,"value":194},"A rug pull is a scenario where the developers of a DeFi protocol launch a project, attract user deposits, and then drain the protocol's funds by exploiting features of the smart contract they deployed. From a forensic perspective, tracing funds after a rug pull involves following the movement of stolen assets through the blockchain, identifying any exchange addresses where the funds were converted to other assets or cashed out, and establishing the connection between the protocol's developers and the addresses that received the stolen funds.",{"type":27,"tag":28,"props":196,"children":197},{},[198],{"type":32,"value":199},"Hypothetically, consider a protocol that raises $10 million in user deposits over a two-week period before its developers withdraw everything to a set of wallets they control. The blockchain records every deposit, every internal movement, and every withdrawal. The forensic challenge is connecting the withdrawal addresses to specific individuals. That connection typically requires a combination of blockchain tracing to exchanges and subpoenas for the exchange account records.",{"type":27,"tag":114,"props":201,"children":203},{"id":202},"protocol-exploits",[204],{"type":32,"value":205},"Protocol Exploits",{"type":27,"tag":28,"props":207,"children":208},{},[209],{"type":32,"value":210},"A protocol exploit occurs when a third party identifies a vulnerability in a DeFi protocol's smart contract code and uses it to extract funds beyond what they legitimately deposited. Unlike a rug pull, the funds leave through a mechanism the protocol's designers did not intend. Forensic analysis in exploit cases typically begins with the exploit transaction itself, follows the extracted funds through subsequent movements, and attempts to identify any point where the funds touched a KYC exchange.",{"type":27,"tag":28,"props":212,"children":213},{},[214],{"type":32,"value":215},"Exploit cases are often also analyzed through review of the smart contract's source code, to understand how the vulnerability worked and whether anyone with access to the protocol's development history could have known about it in advance.",{"type":27,"tag":114,"props":217,"children":219},{"id":218},"governance-attacks",[220],{"type":32,"value":221},"Governance Attacks",{"type":27,"tag":28,"props":223,"children":224},{},[225],{"type":32,"value":226},"DeFi protocols are often governed by token holders, who vote on protocol changes. An attacker who acquires enough governance tokens can vote to change the protocol in ways that benefit themselves at the expense of other users. These attacks are on-chain events with a complete record. Forensic analysis can reconstruct the governance votes, the token holdings that determined the outcome, and the subsequent protocol changes and fund movements.",{"type":27,"tag":45,"props":228,"children":230},{"id":229},"what-records-exist-and-what-do-not",[231],{"type":32,"value":232},"What Records Exist and What Do Not",{"type":27,"tag":28,"props":234,"children":235},{},[236],{"type":32,"value":237},"On-chain records for DeFi activity are comprehensive: every transaction, every contract interaction, every token movement. The public blockchain captures all of it. Off-chain records, meaning records held by institutions, are minimal to nonexistent. Most DeFi protocols do not maintain user databases, do not verify identities, and do not retain logs in a form subject to legal process.",{"type":27,"tag":28,"props":239,"children":240},{},[241],{"type":32,"value":242},"The exception is the protocol developers themselves. DeFi protocols are built by teams, and those teams maintain their own records: code repositories, deployment records, communications, and in some cases access to administrative functions of the protocol. When the protocol developers are parties to the litigation, or when their conduct is relevant, discovery directed at them can produce evidence that supplements the on-chain record.",{"type":27,"tag":45,"props":244,"children":246},{"id":245},"how-defi-activity-is-analyzed",[247],{"type":32,"value":248},"How DeFi Activity Is Analyzed",{"type":27,"tag":28,"props":250,"children":251},{},[252],{"type":32,"value":253},"Forensic analysis of DeFi activity follows the same fundamental methodology as other blockchain analysis, with the added requirement that the analyst understand the specific protocols involved. The analyst identifies the user's wallet address, traces all interactions with DeFi protocol contracts, reconstructs the positions held and the movements of funds, and values those positions at the relevant points in time.",{"type":27,"tag":28,"props":255,"children":256},{},[257],{"type":32,"value":258},"Commercial blockchain intelligence platforms have developed tools specifically for DeFi analysis, including databases of protocol contract addresses, decoding of protocol-specific transaction data, and position valuation tools. The quality of the analysis depends on the analyst's familiarity with the relevant protocols and the tools available.",{"type":27,"tag":45,"props":260,"children":262},{"id":261},"jurisdictional-questions",[263],{"type":32,"value":264},"Jurisdictional Questions",{"type":27,"tag":28,"props":266,"children":267},{},[268],{"type":32,"value":269},"DeFi protocols are deployed by developers who may be located anywhere in the world and who may operate with varying degrees of anonymity. The protocol itself is software running on a blockchain, not a legal entity. These facts create genuine jurisdictional complexity.",{"type":27,"tag":28,"props":271,"children":272},{},[273],{"type":32,"value":274},"When a DeFi protocol is used in connection with fraud or theft, identifying the responsible parties and bringing them within a court's jurisdiction requires connecting the on-chain activity to real-world individuals. That connection is the forensic challenge. Once individuals are identified, standard jurisdictional analysis applies, but the identification step is often the hardest part.",{"type":27,"tag":28,"props":276,"children":277},{},[278,280,287,289,295,297,303],{"type":32,"value":279},"For matters involving DeFi, ",{"type":27,"tag":281,"props":282,"children":284},"a",{"href":283},"\u002Fservices",[285],{"type":32,"value":286},"ConsensusIntel's services",{"type":32,"value":288}," include protocol-specific forensic analysis that goes beyond conventional blockchain tracing to address the mechanics of specific protocols, the valuation of DeFi positions, and the interpretation of DeFi transaction data for a legal audience. For DeFi-related matters and other complex cryptocurrency investigations, see the ",{"type":27,"tag":281,"props":290,"children":292},{"href":291},"\u002Fcase-types",[293],{"type":32,"value":294},"case types we handle",{"type":32,"value":296}," or ",{"type":27,"tag":281,"props":298,"children":300},{"href":299},"\u002Fcontact",[301],{"type":32,"value":302},"contact us",{"type":32,"value":304}," to discuss whether your matter is a fit.",{"type":27,"tag":306,"props":307,"children":308},"hr",{},[],{"type":27,"tag":45,"props":310,"children":312},{"id":311},"frequently-asked-questions",[313],{"type":32,"value":314},"Frequently Asked Questions",{"type":27,"tag":28,"props":316,"children":317},{},[318],{"type":27,"tag":70,"props":319,"children":320},{},[321],{"type":32,"value":322},"Does a DeFi interaction leave any record that can be used in court?",{"type":27,"tag":28,"props":324,"children":325},{},[326],{"type":32,"value":327},"Yes. Every interaction with a DeFi protocol is recorded permanently on the public blockchain. The blockchain captures the wallet address that initiated the transaction, the protocol contract that was called, the function within the contract that executed, the assets moved, and the exact timestamp. This record is more detailed than a conventional cryptocurrency transfer because DeFi transactions involve complex contract interactions that are all preserved on-chain.",{"type":27,"tag":28,"props":329,"children":330},{},[331],{"type":27,"tag":70,"props":332,"children":333},{},[334],{"type":32,"value":335},"Can a party hide assets in DeFi positions?",{"type":27,"tag":28,"props":337,"children":338},{},[339],{"type":32,"value":340},"A party can decline to disclose DeFi positions, and those positions will not appear in exchange records or conventional financial statements. However, the on-chain record is public. If an investigator knows to look for DeFi activity and has a known wallet address to start from, the full picture of DeFi positions held from that address can be reconstructed. The practical question is whether the investigator knows to look and has the right starting point.",{"type":27,"tag":28,"props":342,"children":343},{},[344],{"type":27,"tag":70,"props":345,"children":346},{},[347],{"type":32,"value":348},"How are liquidity pool positions valued for litigation purposes?",{"type":27,"tag":28,"props":350,"children":351},{},[352],{"type":32,"value":353},"Liquidity pool positions are valued by identifying the pool's composition at the relevant point in time, calculating the depositor's proportional share, and applying the token prices at that moment. This requires historical data from the blockchain and the relevant price oracles. Valuation is more involved than reading a wallet balance but is tractable given the right tools and data.",{"type":27,"tag":28,"props":355,"children":356},{},[357],{"type":27,"tag":70,"props":358,"children":359},{},[360],{"type":32,"value":361},"What is the difference between a rug pull and a legitimate project failure?",{"type":27,"tag":28,"props":363,"children":364},{},[365],{"type":32,"value":366},"In a rug pull, the developers retain the ability to withdraw user funds and exercise that ability intentionally. In a legitimate project failure, the funds may be lost due to market conditions, technical failures, or unforeseen circumstances, but there is no intentional extraction. The distinction is often a matter of smart contract design and the on-chain record of what the developers' addresses did. A forensic analysis of the contract code and the transaction history can often distinguish the two.",{"type":27,"tag":28,"props":368,"children":369},{},[370],{"type":27,"tag":70,"props":371,"children":372},{},[373],{"type":32,"value":374},"Are DeFi developers subject to U.S. jurisdiction?",{"type":27,"tag":28,"props":376,"children":377},{},[378],{"type":32,"value":379},"This is genuinely contested legal territory. Courts have approached questions of DeFi developer liability differently, and the law is evolving. What forensic analysis can contribute is the identification of the individuals or entities who deployed and controlled the relevant protocol, which is a prerequisite for any jurisdictional analysis. Whether jurisdiction exists over those individuals is a separate legal question.",{"type":27,"tag":28,"props":381,"children":382},{},[383],{"type":27,"tag":70,"props":384,"children":385},{},[386],{"type":32,"value":387},"Can I compel a DeFi protocol to produce records?",{"type":27,"tag":28,"props":389,"children":390},{},[391],{"type":32,"value":392},"There is no centralized entity to compel for most DeFi protocols. The protocol is software on a blockchain. However, if the protocol was developed by an identifiable team, those individuals or entities may be subject to discovery. And the on-chain records are publicly available without any compulsion; the challenge is interpreting them, not accessing them.",{"title":8,"searchDepth":394,"depth":394,"links":395},2,[396,397,404,409,410,411,412],{"id":47,"depth":394,"text":50},{"id":109,"depth":394,"text":112,"children":398},[399,401,402,403],{"id":116,"depth":400,"text":119},3,{"id":132,"depth":400,"text":135},{"id":148,"depth":400,"text":151},{"id":164,"depth":400,"text":167},{"id":180,"depth":394,"text":183,"children":405},[406,407,408],{"id":186,"depth":400,"text":189},{"id":202,"depth":400,"text":205},{"id":218,"depth":400,"text":221},{"id":229,"depth":394,"text":232},{"id":245,"depth":394,"text":248},{"id":261,"depth":394,"text":264},{"id":311,"depth":394,"text":314},"markdown","content:articles:06-what-lawyers-need-to-know-about-defi.md","content","articles\u002F06-what-lawyers-need-to-know-about-defi.md","articles\u002F06-what-lawyers-need-to-know-about-defi","md",{"loc":5},{"_path":421,"_dir":6,"_draft":7,"_partial":7,"_locale":8,"title":422,"description":423,"slug":424,"date":425,"lastUpdated":426,"author":14,"readingTime":15,"category":427,"tags":428,"ogImage":432,"featured":7,"body":433,"_type":413,"_id":783,"_source":415,"_file":784,"_stem":785,"_extension":418,"sitemap":786},"\u002Farticles\u002F05-common-mistakes-crypto-investigations","Common Mistakes in Cryptocurrency Investigations","Eight critical mistakes attorneys and investigators make in cryptocurrency cases, why they matter, and how to avoid them before they compromise your investigation.","common-mistakes-crypto-investigations","2026-04-21","2025-04-21","Methodology",[429,21,430,431],"investigation","mistakes","best practices","\u002Fog\u002Fcommon-mistakes-crypto-investigations.png",{"type":24,"children":434,"toc":771},[435,440,445,451,456,461,466,471,477,482,487,492,505,511,516,521,526,539,545,550,555,560,571,577,582,587,592,597,603,608,613,618,624,629,634,639,644,650,655,660,665,676,682,687,699,702,706,714,719,727,732,740,745,753,758,766],{"type":27,"tag":28,"props":436,"children":437},{},[438],{"type":32,"value":439},"Cryptocurrency investigations fail for a predictable set of reasons. The same errors appear across case types, whether the matter involves divorce asset concealment, business fraud, theft, or regulatory enforcement. Most of these mistakes are avoidable. Many of them become significantly more difficult to correct once the investigation is already underway. Understanding them before you begin is more valuable than discovering them midway through.",{"type":27,"tag":28,"props":441,"children":442},{},[443],{"type":32,"value":444},"The following are the errors that matter most, based on how often they occur and how seriously they compromise an investigation when they do.",{"type":27,"tag":45,"props":446,"children":448},{"id":447},"mistake-1-not-preserving-evidence-immediately",[449],{"type":32,"value":450},"Mistake 1: Not Preserving Evidence Immediately",{"type":27,"tag":28,"props":452,"children":453},{},[454],{"type":32,"value":455},"Digital evidence has a finite window before it becomes unavailable. Exchange data retention policies typically run five to seven years, but some platforms retain less. More critically, exchanges may suspend or close accounts that are subjects of investigations, and private wallets can be emptied and the funds moved to new addresses in minutes if a party becomes aware that they are under scrutiny.",{"type":27,"tag":28,"props":457,"children":458},{},[459],{"type":32,"value":460},"The window for effective evidence preservation is often shorter than the timeline of the legal proceedings. By the time a case reaches the stage where forensic analysis is requested, months may have passed since the conduct at issue. If the investigation has not been initiated promptly, some evidence may already be gone.",{"type":27,"tag":28,"props":462,"children":463},{},[464],{"type":32,"value":465},"The practical implication is straightforward: when cryptocurrency is relevant to a matter, identify and preserve the evidence before doing anything else that might alert the opposing party. This means serving subpoenas to exchanges early, identifying device evidence while devices are still in the party's possession, and beginning blockchain analysis before the relevant wallet addresses become active in ways that complicate the picture.",{"type":27,"tag":28,"props":467,"children":468},{},[469],{"type":32,"value":470},"Early engagement with a forensic analyst is not a luxury for complex cases. It is a standard practice that improves outcomes across all case types.",{"type":27,"tag":45,"props":472,"children":474},{"id":473},"mistake-2-relying-solely-on-exchange-subpoena-responses",[475],{"type":32,"value":476},"Mistake 2: Relying Solely on Exchange Subpoena Responses",{"type":27,"tag":28,"props":478,"children":479},{},[480],{"type":32,"value":481},"Subpoenas to cryptocurrency exchanges are a critical part of the investigation toolkit. They produce KYC documentation, transaction histories, linked bank accounts, IP logs, and device fingerprints. When a party has used a regulated domestic exchange, the subpoena response can be the single most important piece of evidence in the case.",{"type":27,"tag":28,"props":483,"children":484},{},[485],{"type":32,"value":486},"The mistake is treating the exchange response as the complete picture. Parties with meaningful cryptocurrency holdings often use multiple exchanges, and frequently use self-custody wallets for a portion of their holdings. A party who reports holdings at one exchange but fails to disclose additional wallets has not been caught by a single subpoena.",{"type":27,"tag":28,"props":488,"children":489},{},[490],{"type":32,"value":491},"The blockchain itself tells you more than any individual exchange can. By tracing transactions outward from the addresses identified in the exchange response, an analyst can identify where else the party sent funds, what other wallets they control, and whether those wallets subsequently moved to different exchanges. The exchange subpoena establishes the starting point; blockchain tracing extends the picture beyond it.",{"type":27,"tag":28,"props":493,"children":494},{},[495,497,503],{"type":32,"value":496},"See ",{"type":27,"tag":281,"props":498,"children":500},{"href":499},"\u002Fresources\u002Fsubpoenaing-cryptocurrency-exchange-records",[501],{"type":32,"value":502},"Subpoenaing Cryptocurrency Exchange Records",{"type":32,"value":504}," for guidance on structuring the initial subpoena request and identifying which exchanges to target.",{"type":27,"tag":45,"props":506,"children":508},{"id":507},"mistake-3-conflating-addresses-with-identities",[509],{"type":32,"value":510},"Mistake 3: Conflating Addresses with Identities",{"type":27,"tag":28,"props":512,"children":513},{},[514],{"type":32,"value":515},"This is the most consequential analytical error in blockchain forensics. An analyst traces funds from a known wallet to a new address and concludes, based on clustering heuristics, that the new address belongs to the same controller. The analysis of the on-chain data may be correct. But the conclusion that the controller of the new address is the specific individual under investigation requires additional attribution evidence.",{"type":27,"tag":28,"props":517,"children":518},{},[519],{"type":32,"value":520},"The blockchain shows what addresses did. It does not directly show who controlled those addresses. Attribution, meaning the connection of an address to a real-world identity, requires off-chain evidence: exchange records, device forensics, signed message evidence, or other documentation that ties the key material to a specific person.",{"type":27,"tag":28,"props":522,"children":523},{},[524],{"type":32,"value":525},"Expert testimony that overstates the attribution is a credibility problem waiting to happen. When opposing counsel asks the expert to explain the specific evidence connecting the identified address to the defendant, an answer that amounts to \"the clustering analysis suggests it\" is not sufficient. A well-constructed attribution case layers the on-chain analysis with the off-chain evidence and states conclusions at the level the evidence supports.",{"type":27,"tag":28,"props":527,"children":528},{},[529,531,537],{"type":32,"value":530},"For a full treatment of how ownership is established, see ",{"type":27,"tag":281,"props":532,"children":534},{"href":533},"\u002Fresources\u002Funderstanding-wallet-ownership-evidence",[535],{"type":32,"value":536},"Understanding Wallet Ownership Evidence",{"type":32,"value":538},".",{"type":27,"tag":45,"props":540,"children":542},{"id":541},"mistake-4-ignoring-defi-activity",[543],{"type":32,"value":544},"Mistake 4: Ignoring DeFi Activity",{"type":27,"tag":28,"props":546,"children":547},{},[548],{"type":32,"value":549},"Decentralized finance protocols, including decentralized exchanges, lending platforms, and liquidity pools, have become a substantial part of how cryptocurrency is used and held. A party who has routed funds through DeFi protocols has created a transaction trail that looks very different from a simple transfer between wallets.",{"type":27,"tag":28,"props":551,"children":552},{},[553],{"type":32,"value":554},"DeFi activity does not appear in exchange records, because there is no exchange in the traditional sense. The user interacts directly with a smart contract deployed on a blockchain, and the entire transaction history is recorded on-chain. But the records require different analytical techniques than straightforward Bitcoin or Ethereum transfers. Understanding what liquidity positions a party held, what yield they earned from those positions, and what their unrealized gains looked like at a given point in time requires specific knowledge of the protocols involved.",{"type":27,"tag":28,"props":556,"children":557},{},[558],{"type":32,"value":559},"Investigators who are not familiar with DeFi often miss this activity entirely, either because they do not know to look for it or because they do not know how to interpret what they find. The result is an incomplete picture of the party's holdings and a forensic report that excludes a potentially significant portion of their assets.",{"type":27,"tag":28,"props":561,"children":562},{},[563,564,569],{"type":32,"value":496},{"type":27,"tag":281,"props":565,"children":567},{"href":566},"\u002Fresources\u002Fwhat-lawyers-need-to-know-about-defi",[568],{"type":32,"value":9},{"type":32,"value":570}," for a substantive treatment of how DeFi works and why it creates distinctive investigative challenges.",{"type":27,"tag":45,"props":572,"children":574},{"id":573},"mistake-5-not-accounting-for-forks-and-airdrops",[575],{"type":32,"value":576},"Mistake 5: Not Accounting for Forks and Airdrops",{"type":27,"tag":28,"props":578,"children":579},{},[580],{"type":32,"value":581},"Cryptocurrency networks occasionally split into two chains through a process called a fork. When this happens, holders of the original cryptocurrency typically receive an equivalent amount of the new cryptocurrency at the moment of the fork. Bitcoin, for example, has forked multiple times, producing Bitcoin Cash and Bitcoin SV as separate assets that holders of Bitcoin received automatically based on their balance at the time of each fork.",{"type":27,"tag":28,"props":583,"children":584},{},[585],{"type":32,"value":586},"Similarly, protocols sometimes distribute new tokens to existing holders through airdrops, without the holders taking any active steps to claim them. These distributions can have significant value.",{"type":27,"tag":28,"props":588,"children":589},{},[590],{"type":32,"value":591},"The relevance to litigation is that a party's cryptocurrency holdings at a given time may include assets they acquired passively through forks and airdrops, and a financial disclosure that omits those assets is incomplete. Conversely, a valuation that does not account for forked assets may substantially understate the value of the holdings.",{"type":27,"tag":28,"props":593,"children":594},{},[595],{"type":32,"value":596},"An investigator who does not account for the fork history of the relevant blockchains, and the airdrop history of the relevant protocols, will produce an incomplete asset inventory. This is a specialized enough area that it often goes unexamined, making it a place where thorough forensic analysis can add meaningful value.",{"type":27,"tag":45,"props":598,"children":600},{"id":599},"mistake-6-misunderstanding-wallet-software-vs-the-blockchain",[601],{"type":32,"value":602},"Mistake 6: Misunderstanding Wallet Software vs. the Blockchain",{"type":27,"tag":28,"props":604,"children":605},{},[606],{"type":32,"value":607},"A common source of confusion in investigations is the distinction between what a wallet application shows and what the blockchain actually records. Wallet software is a user interface that reads data from the blockchain and presents it in a convenient format. The wallet itself does not store cryptocurrency. The funds are on the blockchain. The wallet software reads the blockchain and shows the user their balance.",{"type":27,"tag":28,"props":609,"children":610},{},[611],{"type":32,"value":612},"The practical implication is that deleting wallet software from a device does not delete the on-chain record. The transactions that occurred from the associated addresses remain permanently recorded on the blockchain. The wallet application's locally stored data on the device may be recoverable through device forensics even after the application is deleted, but the on-chain record is recoverable regardless of what happens to the device.",{"type":27,"tag":28,"props":614,"children":615},{},[616],{"type":32,"value":617},"This distinction also matters for valuation. The balance shown by a wallet application at a specific moment in time reflects the blockchain state at that moment. If a party screenshots their wallet to show a low balance during a disclosure period, the actual transaction history of the underlying addresses is available on the blockchain and may tell a different story.",{"type":27,"tag":45,"props":619,"children":621},{"id":620},"mistake-7-overlooking-on-ramp-and-off-ramp-patterns",[622],{"type":32,"value":623},"Mistake 7: Overlooking On-Ramp and Off-Ramp Patterns",{"type":27,"tag":28,"props":625,"children":626},{},[627],{"type":32,"value":628},"Cryptocurrency needs to be acquired with traditional currency and often needs to be converted back to traditional currency at some point. These conversion points, called on-ramps and off-ramps, are where the cryptocurrency ecosystem intersects most directly with the regulated financial system and where the most comprehensive records are available.",{"type":27,"tag":28,"props":630,"children":631},{},[632],{"type":32,"value":633},"Common on-ramps include purchases through exchanges, peer-to-peer trading platforms, Bitcoin ATMs, and over-the-counter brokers. Common off-ramps include the same channels in reverse. Each of these conversion points typically involves some form of record keeping, and many of them involve regulated entities that are subject to subpoena.",{"type":27,"tag":28,"props":635,"children":636},{},[637],{"type":32,"value":638},"Investigators who focus only on the on-chain record and do not examine the on-ramp and off-ramp activity miss the points where cryptocurrency connects to the traditional financial system. The purchase history at an exchange tells you when and how cryptocurrency was acquired. The off-ramp history tells you when and how it was converted back to cash, and where that cash went.",{"type":27,"tag":28,"props":640,"children":641},{},[642],{"type":32,"value":643},"Looking at a party's bank records alongside their exchange records often reveals patterns that neither record set shows clearly on its own: cryptocurrency purchases followed by a decline in banking activity, periodic transfers to exchanges followed by corresponding bank deposits, or cryptocurrency activity that aligns suspiciously with unexplained cash flows.",{"type":27,"tag":45,"props":645,"children":647},{"id":646},"mistake-8-not-retaining-a-technical-expert-early-enough",[648],{"type":32,"value":649},"Mistake 8: Not Retaining a Technical Expert Early Enough",{"type":27,"tag":28,"props":651,"children":652},{},[653],{"type":32,"value":654},"The most pervasive mistake in cryptocurrency litigation is treating forensic analysis as a late-stage activity. Attorneys who begin thinking about expert analysis only after discovery has closed, or when the matter is approaching trial, frequently find that the available evidence has deteriorated, the timeline for analysis is too compressed to produce high-quality work, and the strategy for using blockchain evidence was not integrated into the discovery plan.",{"type":27,"tag":28,"props":656,"children":657},{},[658],{"type":32,"value":659},"Early expert involvement changes the investigation fundamentally. A forensic analyst who is engaged at the outset of a matter can help identify which exchanges to subpoena and in what order, advise on what device evidence to preserve and how, flag potential evidentiary issues before they become problems, and structure the blockchain analysis to fit the specific legal theories at issue.",{"type":27,"tag":28,"props":661,"children":662},{},[663],{"type":32,"value":664},"The analysis itself takes time, particularly in complex matters involving multiple blockchains, DeFi activity, or deliberate obfuscation. Rushing that analysis at the end of a discovery period increases the risk of errors and limits the analyst's ability to address complications that arise during the work.",{"type":27,"tag":28,"props":666,"children":667},{},[668,670,674],{"type":32,"value":669},"Retaining a forensic expert at the same time you retain other financial experts, rather than treating cryptocurrency as a specialty to be addressed later, is the practice that consistently produces better results. See ",{"type":27,"tag":281,"props":671,"children":672},{"href":283},[673],{"type":32,"value":286},{"type":32,"value":675}," for how we structure engagements to support the litigation timeline from initial engagement through trial.",{"type":27,"tag":45,"props":677,"children":679},{"id":678},"building-on-solid-ground",[680],{"type":32,"value":681},"Building on Solid Ground",{"type":27,"tag":28,"props":683,"children":684},{},[685],{"type":32,"value":686},"Most of these mistakes share a common theme: treating cryptocurrency investigation as a peripheral or late-stage concern rather than integrating it into the core strategy of the matter from the beginning. The blockchain does not forgive gaps in the investigative approach. But the blockchain also does not forget. For cases where the evidence was preserved and the analysis was done correctly, the on-chain record provides a level of detail and permanence that investigators in other asset categories rarely have access to.",{"type":27,"tag":28,"props":688,"children":689},{},[690,692,697],{"type":32,"value":691},"For guidance specific to your matter, ",{"type":27,"tag":281,"props":693,"children":694},{"href":299},[695],{"type":32,"value":696},"contact ConsensusIntel",{"type":32,"value":698},". A brief conversation about the facts often clarifies what the available evidence can show and what approach makes the most sense given your timeline and litigation strategy.",{"type":27,"tag":306,"props":700,"children":701},{},[],{"type":27,"tag":45,"props":703,"children":704},{"id":311},[705],{"type":32,"value":314},{"type":27,"tag":28,"props":707,"children":708},{},[709],{"type":27,"tag":70,"props":710,"children":711},{},[712],{"type":32,"value":713},"What should I do if I only just discovered that cryptocurrency may be an issue in my case?",{"type":27,"tag":28,"props":715,"children":716},{},[717],{"type":32,"value":718},"Act immediately on evidence preservation. The most time-sensitive step is identifying and subpoenaing exchanges that may hold relevant records. Blockchain analysis can be done at any time, since the on-chain record is permanent, but exchange data retention policies mean that institutional records may be lost if not preserved promptly. Engage a forensic analyst as soon as possible to help triage the most urgent preservation steps.",{"type":27,"tag":28,"props":720,"children":721},{},[722],{"type":27,"tag":70,"props":723,"children":724},{},[725],{"type":32,"value":726},"How do I know which exchanges to subpoena?",{"type":27,"tag":28,"props":728,"children":729},{},[730],{"type":32,"value":731},"Blockchain analysis of any known wallet addresses associated with the party can often identify exchange deposit addresses in the transaction history, pointing you toward the specific exchanges that received funds. Credit card or bank records showing purchases from exchange platforms are another indicator. Interrogatories requiring the party to identify all exchange accounts, and all wallets associated with those accounts, are a standard starting point.",{"type":27,"tag":28,"props":733,"children":734},{},[735],{"type":27,"tag":70,"props":736,"children":737},{},[738],{"type":32,"value":739},"What if the party denies owning any cryptocurrency?",{"type":27,"tag":28,"props":741,"children":742},{},[743],{"type":32,"value":744},"A denial does not end the inquiry. Bank records, credit card statements, tax records (the IRS treats cryptocurrency as property subject to capital gains tax, and some parties have filed or received 1099s), device records, social media posts, and communications may all contain evidence of cryptocurrency activity. Blockchain analysis of any addresses identified through those sources can then proceed without the party's cooperation.",{"type":27,"tag":28,"props":746,"children":747},{},[748],{"type":27,"tag":70,"props":749,"children":750},{},[751],{"type":32,"value":752},"Can forensic analysis still be useful if evidence was not preserved promptly?",{"type":27,"tag":28,"props":754,"children":755},{},[756],{"type":32,"value":757},"Yes, often substantially. The on-chain record does not disappear. Analysis of historical blockchain data is just as reliable as analysis of recent data. The limitation on late-stage analysis is typically not the blockchain itself, but the loss of institutional records (exchange data that was not subpoenaed before the retention window closed) or device evidence that was not preserved. What survives is often enough to support a meaningful forensic analysis.",{"type":27,"tag":28,"props":759,"children":760},{},[761],{"type":27,"tag":70,"props":762,"children":763},{},[764],{"type":32,"value":765},"What is the difference between a forensic report and expert testimony?",{"type":27,"tag":28,"props":767,"children":768},{},[769],{"type":32,"value":770},"A forensic report is the written documentation of the analyst's findings and methodology, typically produced as a deliverable during the investigation phase and subject to disclosure under applicable expert disclosure rules. Expert testimony is the analyst's in-person presentation of those findings, subject to examination by both parties. Both are important, and the quality of the testimony depends significantly on the quality of the underlying report.",{"title":8,"searchDepth":394,"depth":394,"links":772},[773,774,775,776,777,778,779,780,781,782],{"id":447,"depth":394,"text":450},{"id":473,"depth":394,"text":476},{"id":507,"depth":394,"text":510},{"id":541,"depth":394,"text":544},{"id":573,"depth":394,"text":576},{"id":599,"depth":394,"text":602},{"id":620,"depth":394,"text":623},{"id":646,"depth":394,"text":649},{"id":678,"depth":394,"text":681},{"id":311,"depth":394,"text":314},"content:articles:05-common-mistakes-crypto-investigations.md","articles\u002F05-common-mistakes-crypto-investigations.md","articles\u002F05-common-mistakes-crypto-investigations",{"loc":421},{"_path":788,"_dir":6,"_draft":7,"_partial":7,"_locale":8,"title":789,"description":790,"slug":791,"date":792,"lastUpdated":793,"author":14,"readingTime":15,"category":16,"tags":794,"ogImage":798,"featured":7,"body":799,"_type":413,"_id":1161,"_source":415,"_file":1162,"_stem":1163,"_extension":418,"sitemap":1164},"\u002Farticles\u002F02-can-blockchain-transactions-be-traced","Can Blockchain Transactions Be Traced? A Primer for Attorneys","A clear explanation of how blockchain transaction tracing works, what analysts can and cannot determine, and what attorneys should understand before engaging a forensic expert.","can-blockchain-transactions-be-traced","2026-04-10","2025-04-10",[795,796,797,21],"blockchain tracing","transaction analysis","evidence","\u002Fog\u002Fcan-blockchain-transactions-be-traced.png",{"type":24,"children":800,"toc":1148},[801,806,812,817,822,827,833,838,843,848,854,859,864,869,874,880,885,890,895,901,906,911,922,928,933,938,944,949,954,959,964,970,975,980,985,990,996,1001,1014,1020,1025,1030,1049,1052,1056,1064,1069,1077,1082,1090,1095,1103,1108,1116,1121,1129,1134,1137],{"type":27,"tag":28,"props":802,"children":803},{},[804],{"type":32,"value":805},"The short answer is yes, blockchain transactions can be traced, but what tracing can establish and what it cannot establish are questions that matter enormously in litigation. Cryptocurrency is frequently described as either completely anonymous or completely traceable, depending on who is doing the describing and what point they are trying to make. Neither characterization is accurate. A more precise understanding of what blockchain forensics actually produces is essential for any attorney who intends to use, challenge, or evaluate this kind of evidence.",{"type":27,"tag":45,"props":807,"children":809},{"id":808},"how-public-blockchains-work",[810],{"type":32,"value":811},"How Public Blockchains Work",{"type":27,"tag":28,"props":813,"children":814},{},[815],{"type":32,"value":816},"A blockchain is a distributed ledger: a database maintained simultaneously by thousands of computers around the world, none of which has singular authority over the record. When a cryptocurrency transaction occurs, it is broadcast to the network, validated by nodes operating on the network, and then permanently recorded in a block that is appended to the chain of prior blocks. Every block contains a cryptographic reference to the block before it, which is why altering history would require redoing an enormous amount of computational work and would be immediately visible to the rest of the network.",{"type":27,"tag":28,"props":818,"children":819},{},[820],{"type":32,"value":821},"For the most widely used public blockchains, including Bitcoin, Ethereum, and most of their derivatives, this ledger is fully public. Anyone can view it. There are websites, commonly called block explorers, that allow a person to look up any address or transaction by entering it into a search field. The amount transferred, the sending address, the receiving address, the transaction fee paid, and the exact timestamp of inclusion in the blockchain are all visible to any observer.",{"type":27,"tag":28,"props":823,"children":824},{},[825],{"type":32,"value":826},"This transparency is not a bug or an oversight. It is a design choice. Public verifiability is how participants in the network confirm that transactions are legitimate without having to trust a central authority. The tradeoff is that the record of every transaction is permanently and publicly available.",{"type":27,"tag":45,"props":828,"children":830},{"id":829},"what-is-actually-visible-on-chain",[831],{"type":32,"value":832},"What Is Actually Visible On-Chain",{"type":27,"tag":28,"props":834,"children":835},{},[836],{"type":32,"value":837},"When an analyst examines a blockchain address, the information available includes the complete transaction history: every inbound transfer, every outbound transfer, the current and historical balance, and the specific amounts and timestamps of each movement. For Ethereum and related chains, additional information is available, including interactions with smart contracts, token transfers, and internal transaction traces.",{"type":27,"tag":28,"props":839,"children":840},{},[841],{"type":32,"value":842},"What is not directly visible is the identity of the person who controls the address. A Bitcoin address is a string of characters derived from a cryptographic public key. The blockchain records that a given address sent or received a given amount at a given time. It does not record a name, a social security number, or an IP address. Identity must be established through means outside the blockchain itself.",{"type":27,"tag":28,"props":844,"children":845},{},[846],{"type":32,"value":847},"This is the gap that blockchain forensic analysis works to bridge, using a combination of techniques applied to the on-chain data together with off-chain evidence gathered through discovery, device examination, and exchange records.",{"type":27,"tag":45,"props":849,"children":851},{"id":850},"address-clustering-heuristics",[852],{"type":32,"value":853},"Address Clustering Heuristics",{"type":27,"tag":28,"props":855,"children":856},{},[857],{"type":32,"value":858},"One of the foundational techniques in blockchain analysis is address clustering. Most cryptocurrency wallets, particularly Bitcoin wallets, generate a new address for each transaction as a privacy measure. A person's holdings might be spread across dozens or hundreds of addresses, none of which is obviously connected to the others simply by looking at any single address.",{"type":27,"tag":28,"props":860,"children":861},{},[862],{"type":32,"value":863},"However, the way transactions are constructed on-chain creates linkages. When a transaction has multiple input addresses, for example when a user's wallet combines funds from several prior received payments to make a single outgoing payment, those input addresses can be inferred to belong to the same controlling entity. This is called the common input ownership heuristic, and it is one of the most powerful tools available to analysts.",{"type":27,"tag":28,"props":865,"children":866},{},[867],{"type":32,"value":868},"Change address analysis is another clustering technique. When a Bitcoin transaction sends a specific amount to a recipient, the remaining funds must go somewhere. They typically return to an address controlled by the sender. Recognizing which address in a transaction is the change address and which is the intended recipient allows analysts to extend the cluster of addresses associated with a given wallet.",{"type":27,"tag":28,"props":870,"children":871},{},[872],{"type":32,"value":873},"These heuristics are probabilistic, not certain. They are strong enough that commercial forensic tools used by law enforcement and professional investigators have been validated against ground truth in thousands of cases. But they are heuristics, and they can produce false positives in specific circumstances. An expert who presents clustering analysis should be able to articulate the basis for their conclusions and acknowledge the limitations.",{"type":27,"tag":45,"props":875,"children":877},{"id":876},"exchange-attribution",[878],{"type":32,"value":879},"Exchange Attribution",{"type":27,"tag":28,"props":881,"children":882},{},[883],{"type":32,"value":884},"Many users, particularly those who acquired cryptocurrency through mainstream channels, at some point moved funds through a regulated exchange. Exchanges like Coinbase, Kraken, Binance, and others maintain large numbers of deposit addresses: addresses that belong to the exchange but are assigned to specific user accounts for receiving funds.",{"type":27,"tag":28,"props":886,"children":887},{},[888],{"type":32,"value":889},"Over time, forensic analysts and blockchain intelligence firms have catalogued enormous numbers of these exchange deposit addresses. When a transaction involves a known exchange address, the analyst can identify which exchange received or sent the funds, even without access to the exchange's internal records. That attribution then becomes a starting point for a subpoena: the exchange can be compelled to produce the account associated with that deposit address, along with the KYC documentation that identifies the account holder.",{"type":27,"tag":28,"props":891,"children":892},{},[893],{"type":32,"value":894},"The combination of blockchain attribution and exchange subpoena is how most cryptocurrency investigations that ultimately succeed in connecting an address to a person actually work. The blockchain tells you which exchange received the funds; the exchange tells you who the account belongs to.",{"type":27,"tag":45,"props":896,"children":898},{"id":897},"chain-hopping-and-cross-chain-bridges",[899],{"type":32,"value":900},"Chain-Hopping and Cross-Chain Bridges",{"type":27,"tag":28,"props":902,"children":903},{},[904],{"type":32,"value":905},"Users who want to move funds across different blockchain networks use bridges, which are protocols that lock assets on one chain and release equivalent assets on another. Someone might move funds from Ethereum to a different blockchain, or convert between token types, in ways that create breaks in the on-chain trail.",{"type":27,"tag":28,"props":907,"children":908},{},[909],{"type":32,"value":910},"Chain-hopping, meaning the practice of moving funds across multiple blockchains in sequence, is used both for legitimate purposes (accessing services on a specific chain) and as an attempt to complicate tracing. The technique does add investigative complexity, but it does not make tracing impossible. Bridges and cross-chain transactions leave records on both chains they connect. The analyst's task is to follow the logical flow of value across the break points, using the bridge transaction records as the connecting evidence.",{"type":27,"tag":28,"props":912,"children":913},{},[914,916,920],{"type":32,"value":915},"For DeFi activity and smart contract interactions specifically, see ",{"type":27,"tag":281,"props":917,"children":918},{"href":566},[919],{"type":32,"value":9},{"type":32,"value":921},", which covers these mechanics in more depth.",{"type":27,"tag":45,"props":923,"children":925},{"id":924},"mixing-services",[926],{"type":32,"value":927},"Mixing Services",{"type":27,"tag":28,"props":929,"children":930},{},[931],{"type":32,"value":932},"Mixing services (also called tumblers or coinjoin implementations, depending on the specific technique) attempt to break the link between sending and receiving addresses by pooling funds from multiple users and redistributing them in ways that obscure the original source. A user sends cryptocurrency to a mixing service and receives back an equivalent amount, minus a fee, in a way that is intended to prevent an observer from connecting the input and output.",{"type":27,"tag":28,"props":934,"children":935},{},[936],{"type":32,"value":937},"Mixing does complicate analysis. A well-implemented mixing transaction makes it significantly harder to follow the specific path of a party's funds. However, several things remain true. The fact that funds passed through a mixing service is visible on the blockchain. Mixing services interact with the broader ecosystem in ways that sometimes reveal their operating addresses. And mixing services, like exchanges, are potential targets for legal process. The use of a mixing service is itself evidence that a court may find relevant to questions of intent.",{"type":27,"tag":45,"props":939,"children":941},{"id":940},"the-critical-limitation-address-vs-person",[942],{"type":32,"value":943},"The Critical Limitation: Address vs. Person",{"type":27,"tag":28,"props":945,"children":946},{},[947],{"type":32,"value":948},"The most important limitation in blockchain forensics, and the one most frequently misunderstood, is that the blockchain establishes facts about addresses, not about people.",{"type":27,"tag":28,"props":950,"children":951},{},[952],{"type":32,"value":953},"An analyst can demonstrate, with a high degree of confidence, that address A received funds from address B, that address A subsequently sent those funds to an exchange deposit address attributable to Coinbase, and that this all occurred on a specific date. That is what the blockchain proves. It does not, by itself, prove that a particular individual controlled address A.",{"type":27,"tag":28,"props":955,"children":956},{},[957],{"type":32,"value":958},"Attribution of an address to a person requires additional evidence. That evidence typically comes from exchange records that show the account associated with an address was registered to a specific person with verified identity documents. It may also come from device forensics that demonstrate wallet software was installed on a device belonging to the subject, from seed phrase or private key material found in the subject's possession, or from the subject's own statements, such as a prior disclosure listing the address.",{"type":27,"tag":28,"props":960,"children":961},{},[962],{"type":32,"value":963},"A forensic report that conflates these two layers, presenting blockchain evidence as if it directly proves who controlled a wallet, will face legitimate challenge. Sound expert testimony distinguishes clearly between the blockchain-derived facts and the attribution evidence, and acknowledges what remains uncertain. This approach is more credible, not less, because it reflects the actual state of the evidence.",{"type":27,"tag":45,"props":965,"children":967},{"id":966},"what-analysts-can-and-cannot-conclude",[968],{"type":32,"value":969},"What Analysts Can and Cannot Conclude",{"type":27,"tag":28,"props":971,"children":972},{},[973],{"type":32,"value":974},"To summarize the practical scope of blockchain forensic analysis:",{"type":27,"tag":28,"props":976,"children":977},{},[978],{"type":32,"value":979},"Analysts can typically establish: the complete transaction history of a given address, the amounts and timing of all transfers, which exchanges received or sent funds based on address attribution databases, whether funds were routed through mixing services or privacy tools, the clustering of related addresses likely controlled by the same entity, and the path of funds across multiple hops.",{"type":27,"tag":28,"props":981,"children":982},{},[983],{"type":32,"value":984},"Analysts cannot typically establish without additional evidence: the identity of the person controlling an address, whether a specific person was the one who initiated a specific transaction at a specific moment, or the contents of private communications about transactions.",{"type":27,"tag":28,"props":986,"children":987},{},[988],{"type":32,"value":989},"The strength of a given tracing analysis depends heavily on the starting information available. If the investigation begins with a confirmed wallet address associated with the subject, through an exchange record or a prior disclosure, the analysis can be comprehensive. If the investigation must begin from scratch with no confirmed address, the path to attribution is longer.",{"type":27,"tag":45,"props":991,"children":993},{"id":992},"chain-of-custody-for-on-chain-evidence",[994],{"type":32,"value":995},"Chain of Custody for On-Chain Evidence",{"type":27,"tag":28,"props":997,"children":998},{},[999],{"type":32,"value":1000},"Blockchain evidence has an inherent advantage over many other forms of digital evidence: the record itself is stored on a distributed network and cannot be altered after the fact. The transaction history of an address on 2018 is the same transaction history visible today.",{"type":27,"tag":28,"props":1002,"children":1003},{},[1004,1006,1012],{"type":32,"value":1005},"That said, preserving a proper record of how the evidence was collected matters for admissibility purposes. The methodology used to collect and analyze the data, the tools employed, the queries run, and the results obtained should all be documented in a way that allows an opposing expert or a court to evaluate the work. Hash verification of collected data, timestamped exports from blockchain explorers, and reproducible analysis methodology are all best practices that support admissibility. See ",{"type":27,"tag":281,"props":1007,"children":1009},{"href":1008},"\u002Fresources\u002Fblockchain-evidence-admissibility",[1010],{"type":32,"value":1011},"Blockchain Evidence Admissibility",{"type":32,"value":1013}," for a full discussion of the evidentiary framework.",{"type":27,"tag":45,"props":1015,"children":1017},{"id":1016},"bringing-it-together",[1018],{"type":32,"value":1019},"Bringing It Together",{"type":27,"tag":28,"props":1021,"children":1022},{},[1023],{"type":32,"value":1024},"Blockchain forensics is a legitimate investigative discipline with a well-developed methodology. It is most powerful when combined with traditional discovery: exchange subpoenas, device forensics, and financial records that provide the off-chain evidence needed to complete the attribution picture.",{"type":27,"tag":28,"props":1026,"children":1027},{},[1028],{"type":32,"value":1029},"The goal of a forensic engagement is not to produce a definitive conclusion without sufficient evidence, but to produce a rigorous and defensible analysis of what the available evidence actually shows. Courts and opposing counsel will both scrutinize the work. The analysis that holds up is the analysis that is methodologically sound, clearly documented, and honest about what it cannot establish.",{"type":27,"tag":28,"props":1031,"children":1032},{},[1033,1035,1041,1043,1048],{"type":32,"value":1034},"For a detailed look at ",{"type":27,"tag":281,"props":1036,"children":1038},{"href":1037},"\u002Fmethodology",[1039],{"type":32,"value":1040},"ConsensusIntel's methodology",{"type":32,"value":1042},", including how analyses are structured and documented for use in litigation, visit the methodology page. For an overview of the types of matters we handle, see ",{"type":27,"tag":281,"props":1044,"children":1045},{"href":291},[1046],{"type":32,"value":1047},"Case Types",{"type":32,"value":538},{"type":27,"tag":306,"props":1050,"children":1051},{},[],{"type":27,"tag":45,"props":1053,"children":1054},{"id":311},[1055],{"type":32,"value":314},{"type":27,"tag":28,"props":1057,"children":1058},{},[1059],{"type":27,"tag":70,"props":1060,"children":1061},{},[1062],{"type":32,"value":1063},"Is Bitcoin actually anonymous?",{"type":27,"tag":28,"props":1065,"children":1066},{},[1067],{"type":32,"value":1068},"Bitcoin is pseudonymous, not anonymous. Transactions are permanently recorded on a public ledger, and while wallet addresses do not automatically reveal identities, the combination of blockchain analysis and off-chain evidence frequently allows analysts to connect addresses to specific individuals. The degree of privacy a user has depends largely on how carefully they structured their transactions.",{"type":27,"tag":28,"props":1070,"children":1071},{},[1072],{"type":27,"tag":70,"props":1073,"children":1074},{},[1075],{"type":32,"value":1076},"Are some cryptocurrencies impossible to trace?",{"type":27,"tag":28,"props":1078,"children":1079},{},[1080],{"type":32,"value":1081},"Privacy-focused cryptocurrencies, such as Monero, use cryptographic techniques designed to obscure transaction amounts, sender identities, and recipient identities. Tracing these transactions is substantially more difficult than tracing Bitcoin or Ethereum. That said, users of privacy coins typically acquire and dispose of them through exchanges that maintain records, and those transition points are traceable. The on-chain portion is harder; the surrounding activity often is not.",{"type":27,"tag":28,"props":1083,"children":1084},{},[1085],{"type":27,"tag":70,"props":1086,"children":1087},{},[1088],{"type":32,"value":1089},"How reliable are address clustering techniques?",{"type":27,"tag":28,"props":1091,"children":1092},{},[1093],{"type":32,"value":1094},"The common input ownership heuristic and related clustering methods have been validated extensively. Commercial blockchain forensic tools used by law enforcement agencies, and subject to Daubert challenges in federal court, have generally withstood scrutiny. The reliability of a specific clustering conclusion depends on the quality of the underlying data and the analyst's judgment. A qualified expert will be able to explain the basis for their conclusions and identify where uncertainty exists.",{"type":27,"tag":28,"props":1096,"children":1097},{},[1098],{"type":27,"tag":70,"props":1099,"children":1100},{},[1101],{"type":32,"value":1102},"What if the subject used multiple exchanges?",{"type":27,"tag":28,"props":1104,"children":1105},{},[1106],{"type":32,"value":1107},"Using multiple exchanges makes the picture more complex but does not make tracing impossible. Blockchain analysis can identify which exchange received funds from a given address, even across multiple exchanges. Each exchange can then be subpoenaed separately. The full picture may require combining records from several sources, but the methodology is the same.",{"type":27,"tag":28,"props":1109,"children":1110},{},[1111],{"type":27,"tag":70,"props":1112,"children":1113},{},[1114],{"type":32,"value":1115},"How far back can blockchain transactions be traced?",{"type":27,"tag":28,"props":1117,"children":1118},{},[1119],{"type":32,"value":1120},"Bitcoin's blockchain contains every transaction since the genesis block in January 2009. Ethereum's blockchain has been continuous since July 2015. Blockchain forensics can examine transactions from any point in that history, provided a known starting address exists. There is no practical statute of limitations on the on-chain record itself, though older exchange records may be subject to the exchange's data retention policies.",{"type":27,"tag":28,"props":1122,"children":1123},{},[1124],{"type":27,"tag":70,"props":1125,"children":1126},{},[1127],{"type":32,"value":1128},"What should an attorney bring to an initial consultation with a blockchain forensic analyst?",{"type":27,"tag":28,"props":1130,"children":1131},{},[1132],{"type":32,"value":1133},"Bring any known wallet addresses or exchange account information associated with the subject, any exchange statements or disclosures already in hand, relevant financial records that might show cryptocurrency purchases or conversions, and a clear description of the timeline and the key questions the analysis needs to answer. The more starting information available, the more efficiently the analysis can proceed.",{"type":27,"tag":306,"props":1135,"children":1136},{},[],{"type":27,"tag":28,"props":1138,"children":1139},{},[1140,1142,1146],{"type":32,"value":1141},"If your matter involves cryptocurrency transactions you need to understand, evaluate, or challenge, ",{"type":27,"tag":281,"props":1143,"children":1144},{"href":299},[1145],{"type":32,"value":696},{"type":32,"value":1147}," for a consultation on what forensic analysis can realistically establish given your facts.",{"title":8,"searchDepth":394,"depth":394,"links":1149},[1150,1151,1152,1153,1154,1155,1156,1157,1158,1159,1160],{"id":808,"depth":394,"text":811},{"id":829,"depth":394,"text":832},{"id":850,"depth":394,"text":853},{"id":876,"depth":394,"text":879},{"id":897,"depth":394,"text":900},{"id":924,"depth":394,"text":927},{"id":940,"depth":394,"text":943},{"id":966,"depth":394,"text":969},{"id":992,"depth":394,"text":995},{"id":1016,"depth":394,"text":1019},{"id":311,"depth":394,"text":314},"content:articles:02-can-blockchain-transactions-be-traced.md","articles\u002F02-can-blockchain-transactions-be-traced.md","articles\u002F02-can-blockchain-transactions-be-traced",{"loc":788},1779289486700]