One of the most common questions I get from people outside the crypto investigation world is: “If Bitcoin is anonymous, how do you trace it?”

The answer starts with correcting the premise. Bitcoin is not anonymous. It is pseudonymous. Every transaction is recorded on a public ledger that anyone can inspect. What Bitcoin does not provide is a direct link between a blockchain address and a real-world identity. The work of blockchain forensics is building that link.

How public blockchains create an investigative trail

When someone sends Bitcoin, the transaction is broadcast to the network, validated by miners, and permanently recorded in a block. That record includes the sending address, the receiving address, the amount, the timestamp, and the transaction fee. It is visible to anyone with an internet connection and remains visible forever.

This is fundamentally different from the traditional financial system, where transaction records are held privately by banks and can only be accessed through subpoena, court order, or regulatory examination. On a public blockchain, the investigator does not need permission to see the transactions. They need skill to interpret them.

The investigator’s toolkit

The primary analytical technique in blockchain forensics is clustering — the process of determining which addresses belong to the same entity. When you send Bitcoin, your wallet typically combines inputs from multiple addresses you control and sends change back to a new address you also control. An investigator who can identify these patterns can group hundreds or thousands of addresses into a single cluster, building a picture of one entity’s complete financial activity.

The major blockchain analytics firms — Chainalysis, TRM Labs, and Elliptic — maintain proprietary databases that map clusters to known entities: exchanges, darknet markets, mixers, ransomware wallets, and sanctioned addresses. When a cluster is linked to a real-world entity — typically through law enforcement data, open-source intelligence, or exchange KYC records — every address in that cluster is attributed.
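The clustering and attribution steps described in the two paragraphs above, as an added example that is not the author's code or any analytics firm's method. It implements only the multi-input heuristic (addresses spent together in one transaction are assumed to share an owner); the transactions, addresses and the label are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample transactions (placeholder addresses, not real chain data).
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["S1", "A3"]},
    {"txid": "t2", "inputs": ["A2", "A4"], "outputs": ["S2", "A5"]},
    {"txid": "t3", "inputs": ["A4", "A3"], "outputs": ["X1"]},
    {"txid": "t4", "inputs": ["B1", "B2"], "outputs": ["X1", "B3"]},
]
# Constructed attribution: one address tied to a known entity.
LABELS = {"A4": "entity-alpha"}


def cluster_by_common_inputs(txs):
    """Group addresses that were spent together as inputs of one transaction."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        roots = [find(a) for a in tx["inputs"]]
        for r in roots[1:]:
            parent[find(r)] = find(roots[0])
        for out in tx["outputs"]:
            find(out)  # register outputs, but never merge on them
    groups = defaultdict(set)
    for a in list(parent):
        groups[find(a)].add(a)
    return list(groups.values())


def attribute(clusters, labels):
    """Propagate a known label to every address in its cluster."""
    attributed, conflicts = {}, []
    for group in clusters:
        names = {labels[a] for a in group if a in labels}
        if len(names) == 1:
            attributed.update(dict.fromkeys(group, next(iter(names))))
        elif len(names) > 1:
            conflicts.append(sorted(group))  # heuristic likely over-merged
    return attributed, conflicts


if __name__ == "__main__":
    print(attribute(cluster_by_common_inputs(TXS), LABELS))
```

Address A3 starts as an unlinked output of t1 and joins the cluster only when it is later co-spent with A4 in t3. A cluster carrying two different labels is reported as a conflict rather than attributed, since collaborative transactions can make the heuristic merge unrelated owners.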

This is how the Bitfinex hack launderers were caught. Despite six years of layering through mixers, darknet markets, and chain-hopping, the IRS Criminal Investigation division and its analytics partners were able to trace the flow of 119,754 stolen Bitcoin from the original hack through multiple obfuscation layers to wallets controlled by Ilya Lichtenstein and Heather Morgan. The $3.6 billion seizure was built on blockchain forensics.

What mixers do — and what they don’t do

Mixers are the primary tool criminals use to defeat blockchain tracing. Services like ChipMixer, Tornado Cash, and Samourai Wallet’s Whirlpool break the direct link between sending and receiving addresses by pooling funds from multiple users and redistributing them.

Mixing adds noise to the investigative trail. It does not delete it. The original deposit into the mixer and the subsequent withdrawal are both recorded on the blockchain. If an investigator can link the deposit to a known entity (through timing analysis, amount correlation, or other heuristics), the mixer’s privacy guarantee is compromised.

This is why law enforcement has been able to trace funds through mixers in cases like ChipMixer and Tornado Cash — and why the seizure of mixer infrastructure (which includes internal logs and databases) is so valuable. The mixer’s own records, combined with on-chain data, can undo years of obfuscation.

Where the limits are

I want to be honest about the limitations, because overselling the capabilities of blockchain forensics is as dangerous as underselling them.

Privacy coins like Monero use cryptographic techniques — ring signatures, stealth addresses, and confidential transactions — that make clustering and tracing significantly more difficult. Monero transactions are opaque by default: the sender, receiver, and amount are all obscured. While researchers have published theoretical attacks on Monero’s privacy model, practical tracing of Monero transactions remains substantially harder than tracing Bitcoin or Ethereum.

Cross-chain bridges and decentralised exchanges can also complicate tracing, particularly when the investigator lacks access to the internal records of the bridge or DEX. And sophisticated actors who combine multiple obfuscation techniques — chain-hopping, mixing, privacy coins, and peer-to-peer trading — can create investigative challenges that require significant time and resources to overcome.

But the fundamental point stands: public blockchains are not anonymous. They are the most transparent financial infrastructure ever built. The investigator’s challenge is not accessing the data — it is interpreting it. And the tools for interpretation get better every year.

For anyone who believes that “Bitcoin is anonymous” and therefore safe for criminal use, I would point to the growing list of cases where blockchain forensics led directly to arrest, prosecution, and asset seizure. The blockchain never forgets. The question is only how long it takes for someone with the right skills to read what it remembers.
