mrtd

Originally published at mrtd.net

How Stolen Crypto Gets Traced — and Why It Rarely Stays Hidden

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

The counterintuitive truth about stolen crypto

When a protocol gets drained, the instinct is to assume the money is gone — spirited into the anonymous ether. The opposite is usually true. Public blockchains record every transfer permanently and openly, so stolen funds leave an immutable, timestamped trail that anyone can follow in real time. Thieves can move the money almost instantly; what they struggle to do is spend it without revealing themselves. That gap — between moving and cashing out — is where nearly every recovery happens.

This is an evergreen companion to our Crypto Hack Tracker and incident post-mortems: not how thefts happen, but how the stolen funds get chased.

Why crypto is traceable in the first place

Three properties make blockchains hostile to launderers:

  • The ledger is public and permanent. Once funds move, the transaction is visible forever. There is no delete button.
  • Wallets are pseudonymous, not anonymous. An address isn't a name — but the moment any address touches a service that knows its customer (an exchange, an off-ramp), its entire history becomes attributable.
  • Address clustering. Analysts group wallets likely controlled by one actor using on-chain heuristics — funding sources, change-address patterns, repeated gas-payers, contract fingerprints — collapsing dozens of scattered addresses into a single traceable entity.
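Here is what two of those clustering heuristics look like in code, as an added example that is not part of the original article or any analytics firm's tooling: a union-find over a small constructed UTXO-style ledger applying common-input ownership and a one-fresh-output change heuristic, then showing how a single KYC'd deposit attributes the whole cluster. All addresses and amounts are made up.

```python
# Constructed sample ledger, not real transactions. Each tx lists the addresses that
# signed its inputs and its (address, amount) outputs, in confirmation order.
LEDGER = [
    {"txid": "t0", "inputs": ["F"], "outputs": [("X1", 10.0), ("A1", 3.0)]},
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": [("X1", 2.0), ("A3", 1.0)]},
    {"txid": "t2", "inputs": ["A3"], "outputs": [("X1", 0.4), ("A4", 0.6)]},
    {"txid": "t3", "inputs": ["B1"], "outputs": [("X1", 2.0), ("B2", 3.0)]},
    {"txid": "t4", "inputs": ["A4", "B2"], "outputs": [("EXCH_DEPOSIT", 3.6)]},
]

def find(parent, x):
    """Root of x's disjoint set, with path halving; unseen addresses become their own root."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_addresses(ledger):
    """Apply two classic heuristics in ledger order; return {address: frozenset(cluster)}."""
    parent, seen = {}, set()
    for tx in ledger:
        inputs, outputs = tx["inputs"], tx["outputs"]
        # Heuristic 1, common-input ownership: every input of one tx was signed by one actor.
        for addr in inputs[1:]:
            parent[find(parent, addr)] = find(parent, inputs[0])
        # Heuristic 2, change address: in a two-output tx, the single output to a
        # never-seen address beside a known recipient is usually change back to the spender.
        if len(outputs) == 2 and inputs:
            fresh = [addr for addr, _ in outputs if addr not in seen]
            if len(fresh) == 1:
                parent[find(parent, fresh[0])] = find(parent, inputs[0])
        seen.update(inputs)
        seen.update(addr for addr, _ in outputs)
    groups = {}
    for addr in seen:
        groups.setdefault(find(parent, addr), set()).add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}

def clusters_cashing_out(ledger, clusters, kyc_addresses):
    """Clusters that spent into a KYC'd deposit address: identifying one member there
    makes the whole cluster's history attributable."""
    return {clusters[tx["inputs"][0]] for tx in ledger
            if tx["inputs"] and any(addr in kyc_addresses for addr, _ in tx["outputs"])}
```

Both heuristics are probabilistic: exchanges batch many customers' inputs into one transaction, so real pipelines gate merges with known-service labels to avoid collapsing unrelated users into one entity.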

Who does the tracing

A mature forensics industry now exists. Commercial analytics firms — Chainalysis, TRM Labs, Elliptic, and intelligence platforms like Arkham — map fund flows and label entities. TRM's Beacon Network (2025) gives investigators, exchanges and custodians a real-time channel to coordinate freezes. Security outfits like PeckShield, SlowMist and Lookonchain flag incidents within minutes and publish the fund movements, while independent investigators such as ZachXBT fuse on-chain tracing with old-fashioned OSINT. The speed of that public alerting is itself a weapon: the faster an address is labeled "stolen," the harder it is to cash out.

What thieves try — and why it usually isn't enough

Launderers do have tools to break the trail. Mixers like Tornado Cash pool funds to sever the link between deposit and withdrawal. Cross-chain bridges and chain-hopping move value between blockchains to shake single-chain tools. Peel chains skim small amounts across thousands of hops. State-linked actors stretch laundering over weeks in sub-$500K tranches.

But each of these obscures rather than erases. Mixers leak signal through timing and amounts; bridges are increasingly mapped by cross-chain analytics; peel chains are pattern-recognizable; and all of it eventually has to converge on an exit. Tornado Cash itself shows the cat-and-mouse: OFAC-sanctioned in August 2022 (cited as laundering over $7B, including $455M+ for North Korea's Lazarus Group), then delisted in March 2025 after a court ruled its immutable contracts aren't sanctionable property. The legal status changed; the traceability did not.
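As an added example, not the article's or any analytics firm's code, here is a small walker that follows a constructed peel chain from a drained address, stops where the pattern breaks, and totals what was peeled to each deposit address so the right services can be notified. The 10% peel threshold and every address and amount are assumptions made for the example.

```python
from collections import defaultdict

# Constructed hops, not real transfers: (from, to, amount). The bulk moves to a fresh
# address each hop while a small slice is peeled off to an exchange deposit address.
TRANSFERS = [
    ("HACK", "H1", 1000.0),
    ("H1", "DEP_EXCH_A", 40.0), ("H1", "H2", 960.0),
    ("H2", "DEP_EXCH_B", 35.0), ("H2", "H3", 925.0),
    ("H3", "DEP_EXCH_A", 50.0), ("H3", "H4", 875.0),
    ("H4", "DEP_EXCH_C", 300.0), ("H4", "H5", 575.0),  # large slice: the peel pattern breaks here
]

def follow_peel_chain(transfers, start, max_peel_ratio=0.10):
    """Walk forward from `start`. A hop fits the peel pattern when the largest outgoing
    transfer carries the bulk onward and every other output is at most max_peel_ratio of
    the total spent. Returns (hops, stop_reason); each hop records its peel destinations."""
    outgoing = defaultdict(list)
    for src, dst, amt in transfers:
        outgoing[src].append((dst, amt))
    hops, current, visited = [], start, set()
    while True:
        outs = outgoing.get(current)
        if not outs:
            return hops, f"no outgoing transfers from {current}"
        if current in visited:
            return hops, f"cycle at {current}"
        visited.add(current)
        total = sum(amt for _, amt in outs)
        bulk = max(range(len(outs)), key=lambda i: outs[i][1])
        peels = [out for i, out in enumerate(outs) if i != bulk]
        if any(amt > max_peel_ratio * total for _, amt in peels):
            return hops, f"pattern broke at {current}: a slice exceeds {max_peel_ratio:.0%}"
        hops.append({"from": current, "onward": outs[bulk][0], "kept": outs[bulk][1], "peels": peels})
        current = outs[bulk][0]

def peel_destinations(hops):
    """Total peeled per destination: the addresses (typically exchange deposits) to notify."""
    totals = defaultdict(float)
    for hop in hops:
        for dst, amt in hop["peels"]:
            totals[dst] += amt
    return dict(totals)
```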

The choke points

Funds become catchable wherever crypto meets the regulated world:

  • Centralized exchanges + KYC — the decisive choke point. When laundered funds hit a compliant exchange, accounts get identified and balances frozen. This is the mechanism behind most seizures.
  • Fiat off-ramps — converting to bank money requires KYC'd intermediaries.
  • Stablecoin freezes — issuers can freeze tokens on-chain. Tether says it has helped freeze billions in USDT across thousands of cases with law enforcement worldwide (a single August 2025 action froze ~$344M alongside OFAC); Circle can freeze USDC too, more conservatively.
  • Law-enforcement coordination — the FBI, IRS-CI and partners act on the trail that analytics firms hand them, within a freeze window measured in hours.

It does work — the receipts

  • Bitfinex (2016): US authorities seized 94,000+ BTC in 2022 (then ~$3.6B); Ilya Lichtenstein was sentenced to 5 years in 2024.
  • Poly Network (2021): ~$610M drained — and returned almost entirely within days.
  • Euler Finance (2023): ~$197M exploited; the attacker returned the recoverable funds.
  • Ronin / Axie Infinity (2022): ~$600M stolen by Lazarus; Chainalysis and US agencies clawed back ~$30M — the first-ever seizure of crypto stolen by a North Korean group.

The hard reality

Recovery is bimodal. When the attacker is cooperative or careless and the theft is reported fast, most funds can come back (Poly Network, Euler). Against professional or state actors, expect partial recovery at best. Chainalysis put 2025 crypto theft above $3.4B, with North Korea's Lazarus alone responsible for roughly $2B — about three-quarters of service-compromise losses. Bybit's $1.5B 2025 loss was mostly laundered despite intense tracing. Tracing isn't magic; it's leverage.

If you're hit: the playbook

  1. Move in hours, not days. The freeze window is tiny and closes as funds split and hop. Speed is the single biggest determinant of recovery.
  2. Notify exchanges and stablecoin issuers immediately with the attacker addresses — on-chain freezes can lock funds before cash-out.
  3. Engage analytics/IR firms (Chainalysis, TRM, Elliptic) and credible independent investigators to trace and publicly flag the flow.
  4. Report to law enforcement early — seizures legally require their involvement.
  5. Preserve evidence: transaction hashes, timestamps, the anchor attacker addresses, logs.
  6. Set expectations. Making stolen funds unspendable is a win even when full recovery isn't possible.

The thief's problem is permanent: the blockchain remembers. For the defensive side of this coin, see How to Actually Protect Your Crypto.

Informational only — not financial, legal, or security advice.
