
What is Blockchain Forensics? An In-Depth Guide

Blockchain forensics is the process of using blockchain data for tracking criminal activity in cryptocurrency.

Blockchain forensics is used by law enforcement agencies to trace illicit funds, tie criminals to a real world identity, and take enforcement action, such as freezing funds or bringing criminal charges in a court of law. 

Blockchain forensics is also crucial to crypto businesses, which must track wallets and transactions to limit their exposure to criminal activity and to comply with Know Your Customer (KYC), Countering the Financing of Terrorism (CFT), and Anti-Money Laundering (AML) programs.

This article will discuss, in greater depth, what blockchain forensics is, explain its use cases, and detail key supporting features in Merkle Science’s blockchain forensics tools, Tracker and Compass.

Blockchain Forensics vs Blockchain Analytics: Differences Explained

Blockchain forensics and blockchain analytics are occasionally used interchangeably, but there are meaningful differences between the two. 

Blockchain analytics is the more encompassing term. Blockchain analytics can refer to the use of blockchain data for any purpose: analysts and journalists may be looking for trends that they can document for their stories. Investors may be monitoring on-chain activity to identify short- or long-term investment opportunities. And law enforcement may use blockchain data to track illicit funds. 

Blockchain forensics, in contrast, only refers to this last use case: law enforcement may leverage blockchain data to track illicit funds, unravel layering and obfuscation techniques, and conduct attribution, linking wallets to real world identities. For crypto companies, blockchain forensics may be necessary for preventing crime that may affect their business and users as well as complying with AML, KYC, and CFT regulations.

The Use Cases of Blockchain Forensics

There are many use cases for blockchain forensics for businesses and law enforcement agencies. Here are a few of the most common ways blockchain forensics can be used:

  • Fraud detection - There are many types of fraud that criminals can commit through digital assets. For example, criminals can engage in wash trading, which is when a digital asset is bought and sold, even though there is no change in beneficial ownership. In other words, the buyer and seller are the same individual or organization. 

    In crypto, wash trading is often done to create the illusion of trading activity. The perpetrator is trying to make it seem that the digital asset being traded is substantially more active than it truly is. Crypto entrepreneur Justin Sun was charged with wash trading by the Securities and Exchange Commission (SEC) in March 2023. Blockchain forensics tools can prevent instances of wash trading and other fraud by detecting behavioral patterns possibly representative of such crimes. 


  • Regulatory compliance - At its core, blockchain forensics plays a critical role in compliance for crypto companies. To meet requirements for KYC, CFT, and AML, organizations rely on blockchain analytics solutions. These tools form a key part of the compliance stack, leveraging blockchain forensics to identify and mitigate risks associated with customers, clients, and transactions.

    Companies must use these compliance solutions to avoid doing business with sanctioned individuals or entities like ransomware operators or terrorist organizations. Failure to follow KYC, CFT, or AML guidelines can result in severe consequences for businesses. For example, in November 2023, Binance was widely criticized for allowing Hamas transactions on its platform, received a significant fine, and faced even more intense government scrutiny. 


  • Tracking and tracing illicit funds - Blockchain forensics is especially relevant when a crime has already occurred. For example, in the event of a hack, criminal investigators will track the funds from the victim’s wallet across the laundering trail. This trail will typically involve multiple hops as criminals try to obfuscate and evade, often through a combination of techniques like peel chains, coin mixers, coin swaps, chain hops, and more. 

    Crypto investigators may streamline this tracking through blockchain analytics tools, but their investigation is not limited there. They may also gather data from blockchain explorers, open source tools, or even the dark web. The aim is to generally track funds to an exit node, like an exchange, where wallets can be linked to criminals and be used to bring charges. In some cases, the investigators may even be able to seize funds and eventually return them to victims. 
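The tracing described above, as an added example that is not part of the original article and not Merkle Science's code: a constructed ledger of transfers is searched forward from a victim address, hop by hop, until a labelled exit node (an exchange deposit address) is reached. The ledger, the address names and the attribution labels are invented for the example; a real investigation would pull transfers from the chain and labels from an attribution database.

```python
from collections import deque

# Constructed sample ledger: (tx_id, from_addr, to_addr, amount).
# Address names and amounts are invented and do not refer to real wallets.
LEDGER = [
    ("tx1", "victim",    "hop_a",     100.0),
    ("tx2", "hop_a",     "hop_b",      60.0),
    ("tx3", "hop_a",     "hop_c",      40.0),
    ("tx4", "hop_b",     "mixer_1",    60.0),   # one branch goes through a mixer
    ("tx5", "mixer_1",   "hop_d",      59.0),
    ("tx6", "hop_c",     "exch_dep_1", 40.0),   # exchange deposit address
    ("tx7", "hop_d",     "exch_dep_2", 59.0),   # another exchange deposit address
    ("tx8", "unrelated", "hop_x",       5.0),   # noise, not connected to the victim
]

# Hypothetical attribution labels an investigator maintains (assumed, not from the article).
LABELS = {"exch_dep_1": "ExchangeA", "exch_dep_2": "ExchangeB", "mixer_1": "mixer"}


def build_graph(ledger):
    """Adjacency list: address -> list of (to_addr, tx_id, amount) for outgoing transfers."""
    graph = {}
    for tx_id, src, dst, amt in ledger:
        graph.setdefault(src, []).append((dst, tx_id, amt))
    return graph


def trace_to_exit_nodes(ledger, start, labels, max_hops=10):
    """Breadth-first walk of outgoing transfers from `start`.

    Returns one record per path that ends at a labelled exit node (anything labelled
    other than "mixer"). Mixers are traversed, and the record notes whether the trail
    passed through one. Cycles are avoided per path; `max_hops` bounds the search.
    """
    graph = build_graph(ledger)
    results = []
    queue = deque([(start, [])])  # (current address, list of hops taken so far)
    while queue:
        addr, path = queue.popleft()
        label = labels.get(addr)
        if path and label is not None and label != "mixer":
            results.append({
                "exit": addr,
                "entity": label,
                "hops": len(path),
                "via_mixer": any(labels.get(h[2]) == "mixer" for h in path),
                "path": path,
            })
            continue  # stop at the exit node; the exchange holds the KYC record
        if len(path) >= max_hops:
            continue
        visited = {start} | {h[2] for h in path}
        for dst, tx_id, amt in graph.get(addr, []):
            if dst in visited:
                continue
            queue.append((dst, path + [(tx_id, addr, dst, amt)]))
    return results


if __name__ == "__main__":
    for rec in trace_to_exit_nodes(LEDGER, "victim", LABELS):
        route = " -> ".join([rec["path"][0][1]] + [h[2] for h in rec["path"]])
        print(f"{rec['entity']} after {rec['hops']} hops (mixer: {rec['via_mixer']}): {route}")
```

The search stops at the first labelled exit on each branch because that is where a subpoena or freeze request can be directed; it keeps walking through addresses labelled as a mixer so the trail is not lost there.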

How Blockchain Analytics Simplifies Blockchain Forensics 

Merkle Science’s Tracker is a popular choice for law enforcement agencies and crypto businesses that need assistance with blockchain forensics. Compass is ideal for businesses that need to comply with AML, CFT, and KYC regulations. These solutions have several key features: 

  • Address clustering - Given the ease of creating blockchain addresses, criminal entities often have many of them. In some cases, larger criminal organizations and networks can have control over thousands of different accounts. In this kind of environment, it would be operationally difficult for organizations to make individual decisions about each wallet—for example, manually adding each wallet to a blacklist. Merkle Science clusters related addresses together, as a quality-of-life feature for organizations. A crypto business, for example, can block all addresses associated with a terrorist organization sanctioned by the Office of Foreign Assets Control (OFAC). 
  • Behavior-based, fully customizable rule engine - A blacklist is essential to any organization in crypto: they must be able to block addresses that have been directly associated with criminal activity. Criminals, of course, will try to bypass the blacklist by conducting transactions that have not been flagged. In this case, certain behaviors may hint at criminal activity. For example, an account that breaks up a large amount of funds through a series of increasingly small transfers may belong to a criminal trying to launder money. This obfuscation technique is known as a peel chain. Businesses can set rules in Compass that capture suspicious activities, and even set these rules on a per-market basis (e.g. their operations in Dubai will run under a different rule engine than their operations in Singapore). 
  • Risk scoring - Not every suspicious transaction is black-or-white criminal activity. Some transactions may be more likely to represent criminal activity, while others may be less so. Compass portrays this scale through risk scoring. Transactions will be bucketed into high risk, medium risk, and low risk groups, depending on the parameters set in the organization’s rule engine. This categorization is important: Instead of binary decision-making (i.e. to block a transaction or not), businesses can have a much more granular approach to conducting business. For example, if a possible transaction is flagged as medium risk, the business can request more KYC information from the initiating party. That way, if the person proves to be a normal user, the business will not be denying legitimate business on the basis of a false positive. 
  • Automated graphing - Connecting the dots on a simple crime, such as a robbery, may be easy. Connecting the dots in crypto crime is often exponentially more difficult. For example, crypto investigators may know that two wallets are linked, but not know how. Without blockchain analytics, these investigators would have to manually pore over the blockchain to find the one transaction in the ledger linking the two wallets. This herculean task could take an untold number of man-hours. With Tracker, this graphing is done automatically. After adding addresses to their board, the platform will automatically visualize how transactions link them. This automated graphing dramatically enhances a crypto investigation by shedding light on the illicit money trail despite evasion and obfuscation techniques.  
  • Annotation and sharing capabilities - A crypto investigator will work with many different types of stakeholders, including other investigators, prosecutors, regulators, and judges. Some of these professionals may have a background in blockchain analytics, but understanding a money laundering trail—which is usually layered through various techniques like multi-wallet transfers, chain hopping, and coin mixers—is difficult to follow by nodes alone. Other professionals will have no blockchain knowledge at all. To help collaboration, Tracker has annotation capabilities: crypto investigators can name each node, describe what is happening, and then extend access through one-click sharing. These collaborative features go a long way in streamlining the investigative process. 
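The three features above that operate on transaction data, address clustering, the behavior-based rule engine (with the peel chain as its example) and risk scoring, as one added example that is not from the original article and is not Compass or Tracker code. It runs over a constructed set of UTXO-style transactions: addresses co-spent as inputs of one transaction are merged into one cluster (the common-input-ownership heuristic, an assumption about how clustering might be done, not a description of Merkle Science's method); a rule walks the chain of change outputs looking for repeated small "peels"; and a scorer sums rule contributions into high, medium and low buckets. All thresholds, addresses, amounts and the blacklisted address are invented for the example.

```python
# Constructed sample transactions: each spends `inputs` and pays `outputs` (addr, amount).
# Listed in chronological order (the peel-chain rule relies on that). All values invented.
TXS = [
    {"id": "t1", "inputs": ["a1", "a2"], "outputs": [("p1", 100.0)]},            # a1,a2 co-spent
    {"id": "t2", "inputs": ["a2", "a3"], "outputs": [("p1", 50.0)]},             # a2,a3 co-spent
    {"id": "t3", "inputs": ["p1"], "outputs": [("m1", 10.0), ("c1", 140.0)]},    # peel 10, keep 140
    {"id": "t4", "inputs": ["c1"], "outputs": [("m2", 12.0), ("c2", 128.0)]},    # peel 12, keep 128
    {"id": "t5", "inputs": ["c2"], "outputs": [("m3", 9.0),  ("c3", 119.0)]},    # peel 9,  keep 119
    {"id": "t6", "inputs": ["c3"], "outputs": [("m4", 11.0), ("c4", 108.0)]},    # peel 11, keep 108
    {"id": "t7", "inputs": ["z1"], "outputs": [("z2", 5.0),  ("z3", 5.0)]},      # even split, not a peel
]
BLACKLIST = {"a1"}  # hypothetical sanctioned address, invented for the example


def cluster_by_co_spend(txs):
    """Union-find over input addresses: inputs spent together are assumed to share an owner.
    Returns a mapping address -> frozenset of every address in its cluster."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for tx in txs:
        first, *rest = tx["inputs"]
        for other in rest:
            parent[find(other)] = find(first)
    members = {}
    for addr in parent:
        members.setdefault(find(addr), set()).add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def find_peel_chains(txs, max_peel_ratio=0.2, min_length=3):
    """Return chains of tx ids where every hop has one input and two outputs, the smaller
    output is at most `max_peel_ratio` of the total, and the larger one funds the next hop."""
    spends = {}  # address -> the transaction that spends it
    for tx in txs:
        for addr in tx["inputs"]:
            spends[addr] = tx

    def remainder_address(tx):
        if len(tx["inputs"]) != 1 or len(tx["outputs"]) != 2:
            return None
        (_, small), (big_addr, big) = sorted(tx["outputs"], key=lambda o: o[1])
        return big_addr if small <= max_peel_ratio * (small + big) else None

    chains, consumed = [], set()
    for tx in txs:
        chain, cur = [], tx
        while cur is not None and cur["id"] not in consumed:
            nxt = remainder_address(cur)
            if nxt is None:
                break
            chain.append(cur["id"])
            consumed.add(cur["id"])
            cur = spends.get(nxt)
        if len(chain) >= min_length:
            chains.append(chain)
    return chains


def score_transaction(tx, clusters, blacklist, peel_tx_ids):
    """Sum rule contributions and bucket the result. Weights and cut-offs are assumptions."""
    score, reasons = 0, []
    parties = set(tx["inputs"]) | {addr for addr, _ in tx["outputs"]}
    if parties & blacklist:
        score += 100
        reasons.append("direct blacklist match")
    elif any(clusters.get(a, frozenset({a})) & blacklist for a in parties):
        score += 60
        reasons.append("counterparty clustered with a blacklisted address")
    if tx["id"] in peel_tx_ids:
        score += 50
        reasons.append("part of a peel chain")
    bucket = "high" if score >= 70 else "medium" if score >= 40 else "low"
    return {"id": tx["id"], "score": score, "bucket": bucket, "reasons": reasons}


def assess(txs, blacklist):
    """Run clustering and the peel-chain rule once, then score every transaction."""
    clusters = cluster_by_co_spend(txs)
    peel_ids = {tid for chain in find_peel_chains(txs) for tid in chain}
    return [score_transaction(tx, clusters, blacklist, peel_ids) for tx in txs]


if __name__ == "__main__":
    for row in assess(TXS, BLACKLIST):
        print(row["id"], row["bucket"], row["score"], "; ".join(row["reasons"]))
```

The medium bucket is where the article's "ask for more KYC" step applies: here t2 lands there only because a co-spent partner of its inputs is blacklisted, and t3 only because it opens a peel chain, while t1 touches the blacklisted address directly and is high. Per-market rule sets would simply pass different weights and cut-offs into the scorer.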

Conclusion 

Blockchain forensics is a crucial discipline. Investigators must perform blockchain forensics to follow laundering trails, identify exit nodes, and take enforcement action, such as recovering funds or prosecuting criminals. Crypto businesses must use blockchain forensics to protect their platforms and adhere to relevant regulations. 

Blockchain analytics tools streamline blockchain forensics efforts. With Merkle Science’s Compass, businesses can detect anomalies, set behavior-based rules, and assign appropriate risk scores, so they can take the best course of action. Through our Tracker tool, crypto investigators can automatically graph links, view clusters, and share their findings with key collaborators.

While blockchain analytics and blockchain forensics are often used interchangeably, they are not the same thing: the former dramatically simplifies the latter, making it accessible to the organizations and investigators who need it the most. 

Get in touch to find out more about Merkle Science’s tools for blockchain analytics and forensics.