So your crypto wallet just got drained. The transaction is confirmed on-chain, the funds are gone, and the exchange says "we can't help." What now?
This guide walks through the on-chain investigation techniques that professional blockchain investigators use: the same methods that helped South Korean prosecutors secure their first DEX rug pull indictment, and the same tracing approach used to follow funds stolen by North Korean APT groups.
Step 1: Secure the Scene
Before investigating, preserve evidence:
- Record the attack transaction hash immediately
- Take screenshots of wallet balances before they change
- Export transaction history from your wallet
- Do NOT interact with the attacker's contract further; do revoke any token approvals it still holds (Revoke.cash) and move whatever is left to a fresh wallet, because an open approval lets the attacker drain anything you deposit later
Why this matters: the chain itself is immutable, but the context around the theft is not: the site you were on, the signing prompt your wallet showed, browser history, and the timestamps you observed. Capture all of it before it changes.
Step 2: Identify the Attack Transaction
Every exploit starts with a transaction. Find it on a block explorer:
| Chain | Explorer |
|---|---|
| Ethereum | Etherscan.io |
| BSC | BscScan.com |
| Solana | Solscan.io |
| Arbitrum | Arbiscan.io |
| Base | Basescan.org |
Look for:
- Token transfers you didn't authorize: an outflow from your address in a transaction you never signed means a spender used an approval you granted (transferFrom)
- Approvals you didn't knowingly make: an Approval event granting a large or unlimited allowance to an unfamiliar address, typically signed on a phishing site
- Large outflows to unknown addresses: your funds leaving in one or a few transactions
- Contract interactions you don't recognize: calls to contracts or function names you did not intend; check the decoded input data on the transaction page
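The check above, written out for an EVM wallet as an added example (this is not code from the page or from any explorer): it decodes ERC-20 Transfer and Approval logs in the shape JSON-RPC eth_getLogs returns, flags approvals the victim granted that are effectively unlimited, and flags outflows from the victim in transactions the victim did not send, which is exactly what a transferFrom drain looks like. The tx-hash to sender map stands in for eth_getTransactionByHash lookups; every address, hash, block number and amount is constructed for the example.

```python
"""Triage ERC-20 event logs for a drained EVM wallet.

Added example for this guide, not code from the page or from any explorer or tool.
Assumes log objects in the shape JSON-RPC eth_getLogs returns (topics[0] = event
signature hash, indexed arguments in topics[1..], the non-indexed value as one
32-byte word in `data`) and a tx-hash -> sender map as eth_getTransactionByHash
would give you. Every address, hash, block and amount below is constructed.
"""
from typing import Optional

# keccak256 of the canonical ERC-20 event signatures (fixed by the standard)
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1
UNLIMITED_FLOOR = UINT256_MAX // 2  # drainers also use 2**255 etc.; treat anything this big as unlimited


def topic_addr(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def decode_erc20_log(log: dict) -> Optional[dict]:
    """Decode a Transfer or Approval log; any other event returns None."""
    topics = log["topics"]
    if topics[0] == TRANSFER_TOPIC:
        event = "Transfer"
    elif topics[0] == APPROVAL_TOPIC:
        event = "Approval"
    else:
        return None
    return {
        "event": event,
        "token": log["address"].lower(),
        "a": topic_addr(topics[1]),  # Transfer.from / Approval.owner
        "b": topic_addr(topics[2]),  # Transfer.to / Approval.spender
        "value": int(log["data"], 16),
        "block": int(log["blockNumber"], 16),
        "tx": log["transactionHash"],
    }


def triage(victim: str, logs: list, tx_senders: dict) -> list:
    """Flag (1) approvals the victim granted that are effectively unlimited and
    (2) outflows from the victim in transactions the victim did not send, i.e.
    a spender pulled them with transferFrom. Transfers inside transactions the
    victim signed are not flagged: a phishing "claim" call needs the tx target checked."""
    victim = victim.lower()
    findings = []
    for log in logs:
        ev = decode_erc20_log(log)
        if ev is None or ev["a"] != victim:
            continue  # only events where the victim is sender/owner matter here
        sender = tx_senders.get(ev["tx"], "").lower()
        if ev["event"] == "Approval" and ev["value"] >= UNLIMITED_FLOOR:
            findings.append({"kind": "unlimited_approval", "spender": ev["b"], **ev})
        elif ev["event"] == "Transfer" and sender != victim:
            findings.append({"kind": "unauthorized_outflow", "recipient": ev["b"],
                             "pulled_by": sender, **ev})
    findings.sort(key=lambda f: f["block"])
    return findings


def first_attack_tx(findings: list) -> Optional[str]:
    """The exploit transaction is the earliest outflow the victim did not send."""
    for f in findings:
        if f["kind"] == "unauthorized_outflow":
            return f["tx"]
    return None


# --- constructed sample: a phishing approval followed by a transferFrom drain ---
VICTIM = "0x1111111111111111111111111111111111111111"
DRAINER = "0x2222222222222222222222222222222222222222"   # spender contract the victim approved
ATTACKER = "0x3333333333333333333333333333333333333333"  # EOA that triggers the drain
PAYEE = "0x4444444444444444444444444444444444444444"     # a legitimate earlier payment
TOKEN = "0x5555555555555555555555555555555555555555"


def _addr_word(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def _uint_word(v: int) -> str:
    return "0x" + format(v, "064x")


LOGS = [
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _addr_word(VICTIM), _addr_word(PAYEE)],
     "data": _uint_word(100_000000), "blockNumber": hex(1_000_090), "transactionHash": "0xc1"},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _addr_word(VICTIM), _addr_word(DRAINER)],
     "data": _uint_word(UINT256_MAX), "blockNumber": hex(1_000_100), "transactionHash": "0xa1"},
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _addr_word(VICTIM), _addr_word(ATTACKER)],
     "data": _uint_word(5_000_000000), "blockNumber": hex(1_000_105), "transactionHash": "0xb1"},
]
TX_SENDERS = {"0xc1": VICTIM, "0xa1": VICTIM, "0xb1": ATTACKER}  # from eth_getTransactionByHash

if __name__ == "__main__":
    for f in triage(VICTIM, LOGS, TX_SENDERS):
        print(f["block"], f["kind"], f["tx"], f.get("spender") or f.get("recipient"), f["value"])
    print("attack tx:", first_attack_tx(triage(VICTIM, LOGS, TX_SENDERS)))
```

On the sample the benign payment at block 1000090 is ignored because the victim sent it; the unlimited approval to the drainer and the later outflow pulled by the attacker's EOA are the two findings, and the outflow's hash is the attack transaction to put in your report. Solana uses SPL token delegates rather than ERC-20 approvals, so this decoder applies to EVM chains only.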
Step 3: Trace the Funds — Following the Money
This is where on-chain forensics begins. The attacker has your funds, and they need to cash out. That's their weak point.
Direct Tracing
Your Wallet → Attacker Wallet A → Wallet B → Wallet C → CEX Deposit
Track each hop using the block explorer's "Internal Transactions" tab (native coin moved by contracts) and "Token Transfers" tab (ERC-20 and similar). Watch for the asset changing along the way: attackers commonly swap stolen tokens for ETH or stablecoins on a DEX, so follow the value, not just the original token.
Clustering: Finding Connected Wallets
Attackers rarely use one wallet. They spread funds across multiple addresses to obscure the trail. Look for:
- Same timing patterns — Multiple wallets transacting within seconds
- Funding from same source — Multiple wallets funded by the same parent
- Dust transactions — Tiny test transfers before moving larger amounts
The CEX Bottleneck
Attacker wallets → Mixer/Tornado Cash → ... → CEX deposit address → KYC identity
When attackers convert crypto to fiat, they almost always pass through a centralized exchange, and regulated exchanges require KYC. This is where pseudonymity breaks down: law enforcement can subpoena the CEX for the account holder's identity. Mixers and cross-chain bridges obscure the middle of the trail, but the deposit address at the end is what exchanges and investigators act on.
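Direct tracing, clustering and the CEX bottleneck from the three subsections above, as one added example (not code from the page or from any analytics product): a breadth-first walk over exported transfers that stops at labeled addresses, a fan-out check for wallets funded by the same parent, and a timing check for wallets that move within seconds of each other. It assumes transfers already exported into (tx, unix_time, sender, recipient, amount) tuples and labels from an explorer or labeling service; all addresses, labels, times and amounts are constructed.

```python
"""Follow stolen funds hop by hop and cluster the attacker's wallets.

Added example for this guide, not code from the page or from any analytics product.
It assumes transfers already exported (explorer CSV, eth_getLogs or an indexer) into
(tx, unix_time, sender, recipient, amount) tuples, and address labels from an explorer
or labeling service. All addresses, labels, times and amounts below are constructed.
"""
from collections import defaultdict, deque

# constructed short addresses (real ones are 40 hex chars)
VICTIM, ATK = "0xv1c", "0xa7k"
B1, B2, B3, D = "0xb01", "0xb02", "0xb03", "0xd01"
CEX_DEP1, CEX_DEP2, MIXER = "0xcex01", "0xcex02", "0xm1x"

TRANSFERS = [
    ("0xt0", 0,     VICTIM, ATK, 5_000),      # the drain (T-0)
    ("0xt1", 3600,  ATK, B1, 2_000),          # split across fresh wallets an hour later
    ("0xt2", 3605,  ATK, B2, 2_000),
    ("0xt3", 3611,  ATK, B3, 1_000),
    ("0xt4", 21600, B1, CEX_DEP1, 2_000),     # cash-out attempt
    ("0xt5", 21650, B2, MIXER, 2_000),        # direct tracing stops at the mixer
    ("0xt6", 21700, B3, D, 1_000),
    ("0xt7", 22000, D, CEX_DEP2, 1_000),
]
# in practice from Etherscan/Arkham tags: a "cex:" label is where a freeze request goes
LABELS = {CEX_DEP1: "cex:exchange-x deposit", CEX_DEP2: "cex:exchange-y deposit", MIXER: "mixer"}


def outgoing(transfers):
    g = defaultdict(list)
    for t in transfers:
        g[t[2]].append(t)
    return g


def trace(start, transfers, labels, max_hops=8):
    """Breadth-first walk from the first attacker wallet. A path ends at a labeled
    address (CEX deposit, mixer), at an address with no outflows, or at the hop limit.
    Returns a list of (path, terminal_label)."""
    g = outgoing(transfers)
    results, queue = [], deque([(start, [start])])
    while queue:
        addr, path = queue.popleft()
        if addr in labels and addr != start:
            results.append((path, labels[addr]))
            continue
        nxt = g.get(addr, [])
        if not nxt:
            results.append((path, "unlabeled endpoint"))
        elif len(path) > max_hops:
            results.append((path, "hop limit"))
        else:
            for t in nxt:
                if t[3] not in path:  # ignore round-trips back into the path
                    queue.append((t[3], path + [t[3]]))
    return results


def cashout_deposits(results):
    """Deposit addresses to send freeze requests to, from the traced paths."""
    return sorted({path[-1] for path, label in results if label.startswith("cex:")})


def funded_by(transfers, parent):
    """Fan-out clustering: addresses whose first incoming transfer came from `parent`."""
    first_in = {}
    for t in sorted(transfers, key=lambda t: t[1]):
        first_in.setdefault(t[3], t[2])
    return sorted(a for a, src in first_in.items() if src == parent)


def coordinated_senders(transfers, window_s=120):
    """Timing clustering: sets of distinct senders whose outflows fall within
    `window_s` seconds of one another. Wallets moving in lockstep are usually one operator."""
    ts = sorted(transfers, key=lambda t: t[1])
    groups, cur = [], [ts[0]]
    for t in ts[1:]:
        if t[1] - cur[-1][1] <= window_s:
            cur.append(t)
        else:
            groups.append(cur)
            cur = [t]
    groups.append(cur)
    return [sorted({x[2] for x in grp}) for grp in groups if len({x[2] for x in grp}) > 1]


if __name__ == "__main__":
    for path, label in trace(ATK, TRANSFERS, LABELS):
        print(" -> ".join(path), "|", label)
    print("freeze requests to:", cashout_deposits(trace(ATK, TRANSFERS, LABELS)))
    print("funded by attacker:", funded_by(TRANSFERS, ATK))
    print("moved in lockstep:", coordinated_senders(TRANSFERS))
```

The walk deliberately stops at the mixer rather than pretending to follow through it; what you get from that branch is a deposit time and amount that an analytics firm can try to match against mixer withdrawals. The two CEX deposit addresses are the bottleneck: those, with the transaction hashes, are what goes into the freeze request.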
Step 4: Analyze the Smart Contract
If the exploit involved a smart contract interaction, analyze the contract:
Red Flags in Contract Code
- Hidden swap logic in transferFrom() — The ATM Token exploit hid a 20% auto-swap
- Unlimited mint functions — TesseraDAO attacker minted 2.5M USDT from nothing
- Admin key backdoors — Multiple projects had "owner-only" functions that drained funds
- Proxy upgradeability — Contract logic can be swapped after deployment; check who controls the proxy admin, since a single EOA with no timelock can replace the implementation at will
Tools for Contract Analysis
- Etherscan "Read Contract" — Check state variables (owner, paused, fee settings) and access controls; a token whose source is not verified on the "Contract" tab is itself a red flag
- Slither — Automated static vulnerability scanner for Solidity source
- Foundry — Testing and fuzzing framework; fork the chain at the block before the exploit to reproduce the attack transaction
- OpenZeppelin — Compare against secure standard implementations; differences from the standard ERC-20 transfer/transferFrom are where hidden logic lives
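When the source is not verified, the deployed bytecode is all you have. The following added example (not code from the page, Slither or Foundry) scans raw EVM bytecode for the red flags listed above: it walks the opcodes, collects the PUSH4 constants the function dispatcher compares selectors against, maps them to known signatures such as mint and upgradeTo, and reports the DELEGATECALL plus EIP-1967 implementation-slot combination that marks an upgradeable proxy. It assumes the code came from eth_getCode or the explorer's "Contract" tab; the selector and slot constants are the standard values, and the sample bytecode is a constructed fragment, not a real contract.

```python
"""Scan raw EVM bytecode for privileged function selectors and proxy indicators.

Added example for this guide, not code from the page or from Slither/Foundry. It
assumes you fetched the deployed code with eth_getCode or copied it from the explorer's
"Contract" tab. The selector and storage-slot constants are the standard values; the
sample bytecode is a constructed fragment that exercises the scanner, not a real contract.
Selector scanning is triage: it shows which functions exist, not what transferFrom does
inside, so hidden swap or fee logic still needs verified source or a decompiler.
"""

# 4-byte selectors: first 4 bytes of keccak256 of the canonical signature
KNOWN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "40c10f19": "mint(address,uint256)",       # an unguarded mint means unlimited supply
    "8da5cb5b": "owner()",
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",           # logic can be swapped after deployment
    "8456cb59": "pause()",
}
PRIVILEGED = {"mint(address,uint256)", "transferOwnership(address)", "upgradeTo(address)", "pause()"}
# keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = "360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
PUSH4, PUSH32, DELEGATECALL = 0x63, 0x7F, 0xF4


def disassemble(code: bytes):
    """Yield (opcode, immediate bytes). Only PUSH1..PUSH32 (0x60..0x7f) carry an
    immediate of (opcode - 0x5f) bytes; every other opcode is a single byte."""
    i = 0
    while i < len(code):
        op = code[i]
        n = op - 0x5F if 0x60 <= op <= 0x7F else 0
        yield op, code[i + 1:i + 1 + n]
        i += 1 + n


def scan_bytecode(code_hex: str) -> dict:
    code = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    selectors, has_slot, has_delegatecall = {}, False, False
    for op, imm in disassemble(code):
        if op == PUSH4 and len(imm) == 4:
            # the dispatcher compares the calldata selector against PUSH4 constants;
            # other 4-byte constants and the trailing metadata can cause false positives
            selectors[imm.hex()] = KNOWN_SELECTORS.get(imm.hex(), "unknown")
        elif op == PUSH32 and imm.hex() == EIP1967_IMPL_SLOT:
            has_slot = True
        elif op == DELEGATECALL:
            has_delegatecall = True
    return {
        "selectors": selectors,
        "privileged": sorted(n for n in selectors.values() if n in PRIVILEGED),
        "delegatecall": has_delegatecall,
        "eip1967_slot": has_slot,
        # both together is the signature of an upgradeable proxy: check who controls the admin
        "upgradeable_proxy": has_slot and has_delegatecall,
    }


# --- constructed bytecode fragment: standard prologue, a selector dispatcher, proxy logic ---
def _push4(sel_hex: str) -> bytes:
    return bytes([PUSH4]) + bytes.fromhex(sel_hex)


SAMPLE_CODE = (
    bytes.fromhex("6080604052")                          # PUSH1 0x80 PUSH1 0x40 MSTORE
    + bytes.fromhex("60003560e01c")                      # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR -> selector
    + _push4("a9059cbb") + bytes([0x14])                 # EQ transfer(address,uint256)
    + _push4("40c10f19") + bytes([0x14])                 # EQ mint(address,uint256)
    + _push4("3659cfe6") + bytes([0x14])                 # EQ upgradeTo(address)
    + bytes([PUSH32]) + bytes.fromhex(EIP1967_IMPL_SLOT) + bytes([0x54])  # PUSH32 slot SLOAD
    + bytes([DELEGATECALL])
).hex()

if __name__ == "__main__":
    report = scan_bytecode(SAMPLE_CODE)
    print("functions:", sorted(report["selectors"].values()))
    print("privileged:", report["privileged"])
    print("upgradeable proxy:", report["upgradeable_proxy"])
```

Treat the output as a list of questions for the "Read Contract" tab, not as findings: a mint selector only matters if the function is reachable by someone other than a properly guarded owner, and an upgradeable proxy only matters to the extent the admin key is held by a single EOA rather than a timelock or multisig.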
Step 5: Build the Timeline
Map every event chronologically:
| Time | Event | Significance |
|---|---|---|
| T-7d | Attacker deploys contract | Pre-planned attack |
| T-1d | Attacker funds wallet | Preparation phase |
| T-0 | Exploit transaction | Attack execution |
| T+1h | Funds split across wallets | Obfuscation |
| T+6h | CEX deposits begin | Cash-out attempt |
Timeline analysis reveals intent — a critical element for law enforcement.
Step 6: Check for Pattern Matches
Most attackers aren't first-timers. Cross-reference:
- Same contract deployer address — Attackers reuse wallets
- Same exploit pattern — The ATM Token attacker also hit DxSale and TesseraDAO
- Same CEX deposit addresses — Links to identity
- Same code patterns — Copy-pasted exploit contracts
Public Resources
- CertiK Alert (@CertiKAlert) — Real-time exploit notifications
- Blockaid — On-chain threat detection
- PeckShield — Attack analysis
- ChainSentinel API — Automated security checks
Step 7: Report and Recover
Filing a Report
- Local law enforcement — File a cybercrime report with transaction hashes and timeline
- FBI IC3 (if US-related) — Internet Crime Complaint Center
- Exchange notifications — Alert CEXs where attacker may cash out
- Blockchain analytics firms — Chainalysis, Elliptic, TRM Labs
What Actually Works
- CEX freezes — If funds land on a regulated exchange, they can be frozen before withdrawal
- Tether blacklists — USDT can be frozen at the contract level
- Law enforcement subpoenas — CEX KYC data leads to real identities
- Criminal prosecution — South Korea's CATFI indictment shows DEX rug pulls are prosecutable once attacker wallets are tied to identities; civil claims become possible at the same point
Real-World Cases
The CATFI Precedent (South Korea, 2026)
Five suspects were indicted for a $600K Solana DEX rug pull. Key breakthrough: the attackers' pseudonymous wallets were traced to Korean CEX accounts, which carry mandatory KYC.
Drift Protocol $285M (Solana, 2026)
A North Korean APT drained Solana's largest perps exchange. Tether froze $14.5M of the proceeds. The on-chain trail matched known state-sponsored attack patterns.
ATM Token $243.5K (BSC, 2026)
Hidden swap logic in transferFrom() allowed systematic value extraction. The same attacker also exploited DxSale ($7.3M) and TesseraDAO ($2.5M).
Essential Tools for On-Chain Investigation
| Tool | Purpose | Cost |
|---|---|---|
| Etherscan/BscScan | Transaction tracing | Free |
| TokenSniffer | Token safety checks | Free |
| Revoke.cash | Approval management | Free |
| Arkham Intelligence | Wallet labeling | Free tier |
| ChainSentinel | Automated security API | Free tier |
| Nansen | Whale tracking | Paid |
| Chainalysis | Professional forensics | Enterprise |
Key Principles
- The blockchain never forgets — Every transaction is permanent and verifiable
- Pseudonymous ≠ anonymous — Cash-out requires KYC, breaking anonymity
- Speed matters — Reporting quickly increases chances of fund recovery
- Pattern recognition — Attackers repeat methods; previous incidents provide clues
- On-chain evidence is admissible — Courts in a growing number of jurisdictions accept blockchain data, provided you can show how the transaction hashes and addresses were obtained
The tools and techniques are accessible to everyone. You don't need to be a professional investigator to trace stolen funds — you just need to know where to look.
For automated security checks on any crypto address or token, try ChainSentinel API — real-time risk analysis with x402 pay-per-call pricing.
More investigation reports at On-Chain Investigations