Chainalysis Reveals Top 3 Mistakes Made By On-Chain Investigators

Analytics firm Chainalysis has released a report that gives insight into the common mistakes made by blockchain investigators. These analysts usually rely on the on-chain data provided on the blockchain— a publicly distributed ledger— to track the movement of funds between crypto addresses. 

The public nature of the blockchain makes crypto investigations easy for law enforcement and finance investigators. However, the pseudonymous nature of wallet addresses requires them to use best-in-class tools to avoid mistakes in their analysis. The report highlights three common errors that investigators make with blockchain data that quickly lead them astray.

Not Identifying Mixers

Mixers are tools used to disguise the path of funds by aggregating cryptocurrency from several users. An equal amount of the users’ pool funds is returned to their address with a small fee charged. The mixer service is popular among money launderers for “cleaning” their crypto tokens and throwing investigators off the trail.

Although analysts can still follow the money despite the use of a mixer, they must be aware of its potential use. Making use of a blockchain analysis tool allows them to mark out addresses used in a pool.

An example of this is the ransomware attack on the Colonial pipeline in May. As seen in the chart above, the Darkside administrator moved ransomed funds into a wallet labeled ‘Darkside dormant funds’ immediately after the attack. The money remained there until October when it was moved to a second wallet (Darkside consolidation). Shortly after, the money was transferred into a known mixing service. This trace was made possible because of the Chainalysis Reactor Tool, which identified that the last address in the chain belonged to a mixing service.

Join our Telegram group and never miss a breaking digital asset story.

Tracing Funds Through a Service

Investigation of funds moved into an exchange is virtually impossible to trace and poses a challenge to investigators. In this instance, it is counterintuitive to rely on blockchain data alone.

When deposits are made into an exchange, the money gets mixed up with the funds of other exchange users and their wallets. Investigators should therefore seek to cooperate with exchanges to work out which funds are associated with specific addresses.

Chainalysis Reactor does not display the outbound transaction history for specific service deposit addresses. This prevents investigators from erroneously pursuing funds after they are deposited in an exchange, which can be a drain on both time and resources.

Failing To Identify Nested Services and Merchant Service Providers

Nested services, such as over-the-counter (OTC) exchanges that use the addresses of larger platforms, need to be appropriately labelled. Failure to identify merchant services can lead to erroneous investigations.

An example of this surfaced in June 2021, where a ransomware strain called Ever101 transferred cash to the adult entertainment site, RubRatings.  This conclusion proved to be false, and it turned out that RubRating used the same merchant service Ever101 wired payments to.

Investigators can be easily led astray if they fail to identify the uses of merchant services, as seen in the example above. Failure to use proper analysis tools can lead to false news reports and false accusations of innocent parties.

Growing Importance of On-Chain Literacy

With the gradual increase in ransomware attacks, there is a growing need for prospective investors to evaluate cryptocurrencies as suitable investments. This need has been highlighted in a report by ARK invest, an analytic investment firm.

ARK covered this topic in a three-part series:

Is there any need for more understanding of On-chain metrics for cryptocurrencies? Let us know your thoughts in the comments below.