Victims often arrive believing that because every cryptocurrency transaction is "on the public ledger," their funds can be recovered. The premise is true; the conclusion does not follow. This article walks through what on-chain tracing actually reveals and where its practical limits are.
What on-chain tracing is
On-chain tracing is the analysis of the public record of transactions on a blockchain to identify how funds moved between addresses. For major chains (Bitcoin, Ethereum, TRON, and most major EVM L2s), every transaction is recorded, timestamped, and immutable.
Professional tracing tools such as Chainalysis Reactor and Arkham Intelligence add two things the public ledger does not provide on its own:
- Clustering. Addresses are grouped together when transaction patterns support a high-confidence inference that they are controlled by the same party.
- Attribution. Clusters are labelled with the real-world entity controlling them when that can be inferred — for example, "Binance hot wallet" or "OFAC-sanctioned mixer."
What it does not reveal
Tracing tells you which addresses funds moved through. It does not tell you who controls those addresses, unless the cluster they belong to is already attributed. A fresh address in a chain of hops tells you only that a hop occurred.
Identity comes in at the edges. If funds leave the chain through a regulated exchange that performed KYC, the identity of the customer who withdrew is potentially obtainable — but only via legal process directed at the exchange.
The recovery logic
In practical terms, recovery depends on reaching a point where the on-chain trace crosses into a regulated institution with a KYC relationship. At that point, a freezing order can be served and the institution can be compelled to disclose the identity of the customer.
If the trace never crosses that line — because funds are in a sanctioned mixer, in a self-custody wallet that never moves again, or in an unregulated venue — the on-chain evidence is not enough on its own.
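The recovery logic above, as an added example that is not part of the original article: a forward trace over a constructed transfer graph that classifies where each path ends. The addresses, transfers, attribution labels and category names are invented for illustration; in practice attribution comes from a tracing tool's own data.

```python
from collections import deque

# Constructed sample data: (sender, receiver) transfers, not real addresses.
TRANSFERS = [
    ("victim", "hop1"),
    ("hop1", "hop2"),
    ("hop1", "hop3"),
    ("hop2", "exch_deposit_A"),
    ("hop2", "wallet_idle"),
    ("hop3", "mixer_pool"),
    ("hop3", "hop4"),
    ("hop4", "hop1"),  # funds looping back; must not trap the trace
]
# Hypothetical attribution labels, as a tracing tool might supply them.
ATTRIBUTION = {
    "exch_deposit_A": "regulated_exchange",
    "mixer_pool": "sanctioned_mixer",
}

def trace(start, transfers, attribution):
    """Follow funds forward from start; return {endpoint: (category, hops)}."""
    outgoing = {}
    for src, dst in transfers:
        outgoing.setdefault(src, []).append(dst)
    endpoints, seen, queue = {}, {start}, deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        label = attribution.get(addr)
        if label == "regulated_exchange":
            # The KYC edge: identity is obtainable via legal process.
            endpoints[addr] = ("kyc_edge", hops)
            continue
        if label == "sanctioned_mixer":
            # The sender/receiver link is broken; tracing stops here.
            endpoints[addr] = ("trace_stops", hops)
            continue
        nexts = outgoing.get(addr, [])
        if not nexts and addr != start:
            # Unattributed address that never moves again: no identity.
            endpoints[addr] = ("no_identity", hops)
        for nxt in nexts:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return endpoints

def recoverable_leads(endpoints):
    """Endpoints where a freezing order or disclosure request can be aimed."""
    return sorted(a for a, (cat, _) in endpoints.items() if cat == "kyc_edge")
```

Only one of the three endpoints in this sample is actionable, even though every hop is visible on the ledger.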
A short vocabulary
- Deposit address. An address assigned by an exchange to a customer. Deposits to this address credit the customer's account.
- Hot wallet. An address controlled by an exchange and connected to the internet for operational use.
- Cold wallet. An exchange address kept offline for custody. Generally harder to reach with any operational injunction.
- Cashout. The event of converting crypto to fiat via a regulated venue — typically the point at which identity becomes legally obtainable.
- Mixer. A service that combines deposits from many parties and releases equivalent amounts to new addresses, breaking the link between sender and receiver. If your funds fully enter a sanctioned mixer, on-chain tracing stops there.
Further reading
- Chainalysis' public resources on clustering methodology.
- The US Department of the Treasury OFAC announcements relating to sanctioned mixing services.
- Our page on cryptocurrency fraud recovery describes how we use tracing in a live matter.