CBI Field Manual — Blockchain Investigation & Asset Tracing
The required pre-exam reading for the GACS Certified Blockchain Investigator (CBI) diploma. Codifies on-chain forensics doctrine, address clustering, cross-chain tracing through bridges and mixers, exchange attribution, stablecoin freezes, and the reporting discipline expected of a national-level financial-crime cell.
- 1
Chain Doctrine & Investigative Posture
Establishes what blockchain evidence is and is not, the analyst's posture toward it, and the cycle every case runs through.
What Blockchain Evidence Is — And Is Not
A blockchain transaction is a cryptographically signed, time-anchored, append-only record of value movement between addresses. That record is durable, reproducible by any analyst from a public node, and resistant to retroactive tampering. What it is not: an identity record. The chain says address A sent value to address B at time T; it does not say who controls A, who controls B, or why. The CBI analyst's central discipline is to keep this distinction visible in every product — pseudonymous on-chain truth in one column, off-chain attribution evidence in the other, and the confidence rating attached to the bridge between them.
The Investigation Cycle (On-Chain Variant)
CBI cases run through the standard intelligence cycle adapted for chain work: planning (PIRs, EEIs, scope of trace), collection (block data, mempool, exchange-published data, sanctions lists, partner attribution), processing (entity clustering, address tagging, decoding contract calls), analysis (flow reconstruction, hypothesis test, asset disposition), dissemination (trace report, evidence bundle, recommended actions) and feedback (gaps, new IOCs, re-tasking). Skipping planning is the single most common failure mode — analysts who open a block explorer before writing the PIRs end with a thousand-page trace that answers no decision.
Source-Of-Truth Hierarchy
Order, highest to lowest: (1) a confirmed, finalized block read from a node the analyst operates or controls; (2) the same block read from a reputable third-party node or block explorer; (3) a vendor analytics platform's labeled dataset; (4) community-curated address lists; (5) press reporting. Quote (1) or (2) as evidence; treat (3) as a useful lead requiring corroboration against (1)/(2); treat (4) and (5) as pointers only. A trace built primarily on vendor labels without independent block-level confirmation is fragile — when the labels move, the case moves.
Confidence, Caveats & Honest Failure
Every CBI finding carries an explicit confidence level — low, moderate, high — tied to evidence quality, independence and corroboration. Caveats are first-class content: 'attribution of the destination cluster to Exchange X rests on a single vendor label and one publicly known address; subpoena required to confirm', 'the trace passes through a mixer with non-deterministic output mapping; downstream addresses are candidates, not conclusions', 'the bridge hop is reconstructed by amount and timing heuristics and should be revisited if bridge operator data becomes available'. Honest failure ('the trace terminates at a centralized off-ramp; further attribution requires legal process') is a stronger product than overreach.
Legal & Ethical Boundaries
On-chain data is public; access to it requires no warrant. But CBI work touches material that does require care: off-chain attribution from KYC data is regulated; vendor-provided datasets are licensed and often non-redistributable; victim PII is sensitive; communications with exchanges that handle blocking and seizure orders are privileged. The standing rules: do not republish licensed vendor data; do not use stolen credentials or breach data as evidence in regulated proceedings; do not contact exchange compliance teams under false pretences; route sensitive actions (freezes, seizures, KYC pulls) through counsel and through the appropriate legal instrument.
- 2
UTXO Chains — Bitcoin And Family
How tracing actually works on UTXO chains. Bitcoin is the doctrinal model; the same rules apply with minor variation to its forks and to most other UTXO designs.
UTXO Model & Why It Matters For Tracing
A UTXO chain represents balances as a set of unspent transaction outputs. Spending consumes whole outputs and produces new ones; there is no 'account'. This matters for tracing because (a) every transaction reveals which prior outputs were jointly controlled long enough to be co-spent, and (b) the change output is observable. Both facts power the dominant clustering heuristic — co-spend — and the dominant disambiguation heuristic — change identification — without which Bitcoin tracing would be guesswork.
Co-Spend Heuristic
If two outputs are spent as inputs of the same transaction, they were almost certainly controlled by the same entity at that moment, because signing each input requires the corresponding private key. Iteratively applied across the chain, co-spend grows a cluster of addresses inferred to be under common control. Exceptions: coinjoin transactions are deliberate co-spends by mutually distrustful parties and break the heuristic for the addresses involved; PayJoin transactions, dual-funded Lightning channel opens and some custodial batching patterns also combine inputs from more than one party and can confound it. The CBI standard is to record co-spend confidence per cluster and to mark addresses that have ever participated in coinjoin or similar mixing semantics.
Change Identification Heuristics
Most non-mixing UTXO transactions have one output that is a payment to a counterparty and one (or more) that is change returned to the sender. Heuristics that flag change: an output whose address has never appeared before (one-time change), an output whose amount has more decimal places than the round payment amount, an output whose script type matches the input script type while the other output's does not, an output whose subsequent spending pattern follows the sender's spending fingerprint. Applied carefully, change identification extends the co-spend cluster without requiring an actual co-spend event. Applied carelessly, it generates false attribution. Record heuristic, evidence and confidence per inferred change call.
Coinjoin, PayJoin, And Privacy Tooling
Coinjoin protocols (Wasabi, Whirlpool, JoinMarket families) combine inputs from multiple parties into a transaction with structured equal-value outputs, deliberately breaking the co-spend heuristic for participants. PayJoin variants involve the merchant adding their own input to the payer's transaction, simultaneously breaking the assumption that all inputs are sender-controlled. CBI doctrine: a transaction with coinjoin structural signatures (specific input/output count ratios, equal-value outputs, known coordinator scripts) is reported as 'pass-through with broken clustering on these outputs', not as 'destination unknown'. Downstream addresses are candidates pending corroboration from other evidence streams (subsequent co-spend, exchange deposit attribution, IP correlation when available).
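The three rules above (co-spend, change identification, coinjoin exclusion) can be exercised together. The following is an added example written for this edit, not tooling from the manual or from GACS: it runs a union-find co-spend cluster over constructed transactions, skips any transaction that carries a structural coinjoin signature (several distinct input addresses and several equal-value outputs), and only extends a cluster through a change output when one output wins clearly on the fresh-address, non-round-amount and script-type signals. The coinjoin thresholds, the 10,000-satoshi "round amount" test, the scoring cut-off and all addresses and amounts are assumptions made for the illustration.

```python
# Added example: co-spend clustering with coinjoin exclusion and a change
# heuristic. Transactions are constructed for illustration; amounts in satoshi.
from collections import defaultdict


class UnionFind:
    """Disjoint-set over addresses; each set is one inferred cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_parties=3):
    """Structural coinjoin signature (assumed thresholds): inputs from at least
    min_parties distinct addresses and at least min_parties equal-value outputs."""
    if not tx["outputs"]:
        return False
    distinct_inputs = len({i["address"] for i in tx["inputs"]})
    value_counts = defaultdict(int)
    for out in tx["outputs"]:
        value_counts[out["value"]] += 1
    return distinct_inputs >= min_parties and max(value_counts.values()) >= min_parties


def guess_change(tx, seen_addresses):
    """Index of the output that looks like change, or None when no single output
    wins clearly. Signals: fresh address, non-round amount, script type matching
    the inputs. The 10_000-sat roundness test and the cut-off are assumptions."""
    input_types = {i["script_type"] for i in tx["inputs"]}
    scored = []
    for idx, out in enumerate(tx["outputs"]):
        score = int(out["address"] not in seen_addresses)
        score += int(out["value"] % 10_000 != 0)       # payments tend to be round
        score += int(out["script_type"] in input_types)
        scored.append((score, idx))
    scored.sort(reverse=True)
    if len(scored) < 2 or scored[0][0] < 2 or scored[0][0] == scored[1][0]:
        return None  # ambiguous: record nothing rather than guess
    return scored[0][1]


def cluster(txs):
    """Walk txs in chain order; return clusters, coinjoin-tainted addresses and
    the change calls made, so every inference stays auditable."""
    uf = UnionFind()
    seen, tainted, change_calls = set(), set(), []
    for tx in txs:
        in_addrs = [i["address"] for i in tx["inputs"]]
        out_addrs = [o["address"] for o in tx["outputs"]]
        if looks_like_coinjoin(tx):
            # Co-spend is meaningless here: mark the addresses and skip the tx.
            tainted.update(in_addrs + out_addrs)
            seen.update(out_addrs)
            continue
        for addr in in_addrs[1:]:
            uf.union(in_addrs[0], addr)            # co-spend heuristic
        ci = guess_change(tx, seen)
        if ci is not None:
            change_addr = tx["outputs"][ci]["address"]
            uf.union(in_addrs[0], change_addr)     # change heuristic
            change_calls.append((tx["txid"], change_addr, "fresh+nonround+scripttype"))
        seen.update(out_addrs)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {"clusters": list(groups.values()), "coinjoin_tainted": tainted,
            "change_calls": change_calls}


def cluster_of(result, addr):
    return next((c for c in result["clusters"] if addr in c), set())


# Constructed sample: a normal spend (t1), a coinjoin that consumes t1's change
# output (t2), and an unrelated spend (t3). Addresses are placeholders.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": [{"address": "A", "script_type": "p2wpkh"},
                              {"address": "B", "script_type": "p2wpkh"}],
     "outputs": [{"address": "M", "value": 1_000_000, "script_type": "p2pkh"},
                 {"address": "C", "value": 237_481, "script_type": "p2wpkh"}]},
    {"txid": "t2", "inputs": [{"address": "C", "script_type": "p2wpkh"},
                              {"address": "X", "script_type": "p2wpkh"},
                              {"address": "Y", "script_type": "p2wpkh"}],
     "outputs": [{"address": "J1", "value": 100_000, "script_type": "p2wpkh"},
                 {"address": "J2", "value": 100_000, "script_type": "p2wpkh"},
                 {"address": "J3", "value": 100_000, "script_type": "p2wpkh"},
                 {"address": "R1", "value": 37_000, "script_type": "p2wpkh"}]},
    {"txid": "t3", "inputs": [{"address": "D", "script_type": "p2wpkh"},
                              {"address": "E", "script_type": "p2wpkh"}],
     "outputs": [{"address": "F", "value": 500_000, "script_type": "p2pkh"},
                 {"address": "G", "value": 12_345, "script_type": "p2wpkh"}]},
]

if __name__ == "__main__":
    res = cluster(SAMPLE_TXS)
    print(res["clusters"], res["coinjoin_tainted"], res["change_calls"])
```

Running it yields the cluster {A, B, C} (co-spend plus one change call), the cluster {D, E, G}, and C, X, Y and the coinjoin outputs marked as tainted; X and Y are never merged into the first cluster because the coinjoin transaction is skipped rather than treated as a co-spend.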
Bitcoin-Family Variants & Forks
Litecoin, Bitcoin Cash, Dogecoin and most other Bitcoin forks inherit the Bitcoin tracing model. Watch for designs that do not: Monero is output-based but not a Bitcoin fork, and its ring signatures and confidential transactions hide signer and amount by design (see Chapter 5); Zcash supports optional shielded pools that are opaque except where transparent-to-shielded and shielded-to-transparent transitions are observable. Chains with native privacy primitives should not be quoted with the same confidence as Bitcoin without explicit caveat.
- 3
Account Chains — Ethereum, EVM & Beyond
How tracing changes when the model is accounts and smart contracts rather than UTXOs.
Externally Owned Accounts vs Contract Accounts
EVM chains expose two account types. Externally owned accounts (EOAs) are controlled by a private key and initiate transactions. Contract accounts are controlled by code and only act in response to a call. Tracing must keep this distinction explicit because most operationally interesting flows pass through contracts — DEXes, bridges, mixers, lending pools, NFT markets — whose internal logic must be decoded to reconstruct who paid what to whom. A transaction showing 'value: 0, to: 0xRouter, data: 0x...' is not 'no transfer'; it is a swap whose token movements are inside the internal calls.
Internal Transfers, Logs & Event Decoding
On EVM chains the headline transaction fields capture only the outermost call. Real flow lives in internal transfers (sub-calls between contracts, recovered from an execution trace; native-asset value moved inside an internal call emits no log at all) and in emitted event logs (the standardized record of what the contract claims happened). ERC-20 transfers emit Transfer(from,to,value); ERC-721 emits Transfer(from,to,tokenId). The two share the same event signature hash and are told apart by indexing: ERC-721 indexes tokenId, so it appears as a fourth log topic, while an ERC-20 value sits in the log's data field. DEX swap events are typically emitted by the pool (pair) contract rather than the router, with amount-in/amount-out per leg, so a routed trade appears as one or more pool-level swap events plus the Transfer events that actually move balances. The CBI standard trace captures: outer tx, full internal call tree, all emitted logs decoded against verified ABIs, and the net token-balance delta per address. A trace that quotes only the outer tx hash is operationally incomplete.
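To make the log-decoding step concrete, here is an added example (written for this edit, not code from the manual or any analytics vendor) that decodes Transfer logs from a constructed receipt, separates ERC-20 from ERC-721 by topic count, leaves anything it cannot decode untouched, and nets the per-(token, address) balance deltas that a "value: 0, to: router" transaction actually produced. The contract and wallet addresses, the amounts and the logs themselves are constructed; the Transfer topic hash is the real keccak256 of the shared signature.

```python
# Added example: decode ERC-20 / ERC-721 Transfer logs and net the per-address
# token deltas. Receipt logs are constructed; not code from the manual.
from collections import defaultdict

# keccak256("Transfer(address,address,uint256)"), shared by ERC-20 and ERC-721
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"


def word(n):
    """One 32-byte ABI word as 0x-hex."""
    return "0x" + format(n, "064x")


def address_topic(addr):
    """Indexed address argument: left-padded to 32 bytes."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def topic_to_address(topic):
    return "0x" + topic[-40:].lower()


def decode_transfer(log):
    """Return a decoded Transfer or None. The two standards share topic0;
    ERC-721 indexes tokenId (4 topics, empty data), ERC-20 puts value in data
    (3 topics, one 32-byte word). Anything else is left undecoded on purpose."""
    topics = log["topics"]
    if not topics or topics[0].lower() != TRANSFER_TOPIC:
        return None
    base = {"token": log["address"].lower(),
            "from": topic_to_address(topics[1]),
            "to": topic_to_address(topics[2])}
    data = log.get("data", "0x")
    if len(topics) == 4 and data in ("", "0x"):
        return {**base, "standard": "ERC-721", "token_id": int(topics[3], 16)}
    if len(topics) == 3 and len(data) == 66:
        return {**base, "standard": "ERC-20", "value": int(data, 16)}
    return None


def net_deltas(logs):
    """(token, address) -> net fungible balance change across all logs."""
    deltas = defaultdict(int)
    for log in logs:
        d = decode_transfer(log)
        if d is None or d["standard"] != "ERC-20":
            continue
        deltas[(d["token"], d["from"])] -= d["value"]
        deltas[(d["token"], d["to"])] += d["value"]
    return dict(deltas)


# Constructed receipt for one outer call to a router with value: 0.
# USER pays 1,000 TOKEN_A (6 decimals) into POOL, POOL pays 0.5 TOKEN_B
# (18 decimals) to USER, and an unrelated NFT moves in the same transaction.
USER = "0x" + "11" * 20
POOL = "0x" + "22" * 20
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20
NFT = "0x" + "cc" * 20

SAMPLE_LOGS = [
    {"address": TOKEN_A, "topics": [TRANSFER_TOPIC, address_topic(USER), address_topic(POOL)],
     "data": word(1_000 * 10**6)},
    {"address": TOKEN_B, "topics": [TRANSFER_TOPIC, address_topic(POOL), address_topic(USER)],
     "data": word(5 * 10**17)},
    {"address": NFT, "topics": [TRANSFER_TOPIC, address_topic(USER), address_topic(POOL), word(42)],
     "data": "0x"},
    {"address": POOL, "topics": ["0x" + "00" * 32], "data": "0x"},  # some other event
]

if __name__ == "__main__":
    for key, delta in sorted(net_deltas(SAMPLE_LOGS).items()):
        print(key, delta)
```

The net-delta view is what belongs in the flow narrative: the user is down 1,000 TOKEN_A and up 0.5 TOKEN_B, the pool is the mirror image, and the NFT movement is recorded separately rather than being mis-summed as a fungible value.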
Stablecoins, Token Standards & Native Asset Distinction
Most modern fraud flow is denominated in stablecoins (USDT, USDC and their cross-chain variants) rather than native ETH/BNB/TRX. Operationally this matters in two ways. First, the issuer of a fiat-backed stablecoin can blacklist addresses, freezing balances — Tether and Circle do this routinely in response to law-enforcement requests, and securing such a freeze is often the single highest-leverage action a CBI analyst can drive. Second, token contracts are upgradable on some chains, and the meaning of 'a USDT transfer' depends on the contract address per chain — never quote a stablecoin movement without naming the chain and the token contract.
Account Clustering Heuristics
EOA clustering is harder than UTXO clustering because there is no co-spend signal. Useful heuristics: a shared funding source from a CEX withdrawal cluster; a shared gas payer (especially when one address pays gas for transactions on behalf of multiple others via meta-transactions or relayer patterns); shared nonce or timing patterns indicative of script automation; shared bridge-deposit timing; shared interaction with non-public contracts; ENS or other naming linkages; dusting, where a tagged token amount sent to an address is later moved together with that address's other holdings (weaker on account chains than on UTXO chains, since there is no consolidation spend to reveal co-control). As with UTXO heuristics, record method, evidence and confidence per inferred linkage.
Non-EVM Account Chains — Solana, Tron, Others
On Solana, a wallet's SPL token balances do not live in the wallet account itself: each (wallet, mint) pair has an associated token account, a program-derived address, so tracing means resolving token-account ownership back to the owning wallet rather than reading balances off the wallet address. Tron is EVM-similar at the contract surface (TRC-20 mirrors ERC-20) but uses a distinct base58 address format, and its heavy concentration of USDT-TRC20 flow makes it the dominant rail for modern grooming-investment ("pig butchering") fraud. Document each chain's idiosyncrasies in the case file; do not assume EVM intuitions transfer.
- 4
Bridges, Mixers & Cross-Chain Tracing
How value moves between chains, how privacy infrastructure interrupts a trace, and how a disciplined analyst recovers a defensible chain of custody across those hops.
Bridge Architectures & Tracing Implications
Cross-chain bridges fall into three architectural buckets, each with distinct tracing implications. Lock-and-mint bridges hold the source asset in a custody contract and mint a wrapped asset on the destination chain; trace continuity requires correlating the source-chain lock event with the destination-chain mint event by amount, timing and bridge-published correlation IDs. Burn-and-mint bridges (notably Circle's CCTP for USDC) burn the asset on the source chain and emit a verifiable message that authorizes mint on the destination chain — the message hash is the trace anchor. Liquidity-network bridges (e.g. Stargate, Synapse) settle by debiting a destination-side liquidity pool while crediting the source-side pool, with no per-transaction custody link; correlation relies on bridge-emitted events and amounts. Naming the bridge architecture in the report is mandatory; the confidence model differs sharply between them.
Reconstructing A Bridge Hop
Standard hop reconstruction: identify the deposit transaction on the source chain (caller address, amount, token, bridge contract, emitted event with destination chain ID and destination address); search the destination chain within the bridge's expected settlement window for a mint or release transaction matching destination address, token equivalent and amount within fee tolerance; capture the bridge's published correlation ID if available; record the latency. When multiple candidate matches exist (a common case on heavy-traffic bridges), report all candidates with the discriminating evidence and the residual ambiguity. Never report a single match as confirmed without the discriminator.
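The hop reconstruction above can be expressed as a matcher that refuses to upgrade a match to "confirmed" on amount and timing alone. The following is an added example written for this edit (not tooling from the manual or from any bridge operator): it filters destination-chain transactions by chain, recipient, token, settlement window and fee tolerance, reports every survivor with its discriminating evidence, and marks the hop confirmed only when exactly one candidate carries the bridge-published correlation ID (for a burn-and-mint bridge, the message hash). The one-hour window, the 0.5% fee tolerance, the chain IDs and all transactions are assumptions for the illustration.

```python
# Added example: bridge-hop candidate matching with explicit residual
# ambiguity. All deposit/settlement data is constructed.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Deposit:
    txid: str
    src_chain: int
    dest_chain: int
    dest_address: str
    token: str
    amount: int
    timestamp: int
    correlation_id: Optional[str] = None   # bridge-published ID / message hash


@dataclass
class DestTx:
    txid: str
    chain: int
    to_address: str
    token: str
    amount: int
    timestamp: int
    correlation_id: Optional[str] = None


def match_bridge_hop(dep, dest_txs, window_s=3600, fee_tolerance=0.005):
    """Return {'status', 'candidates'}; each candidate carries the evidence that
    discriminates it. 'confirmed' requires exactly one correlation-ID match;
    otherwise amount/timing survivors are reported with residual ambiguity.
    window_s and fee_tolerance are assumptions to be set per bridge."""
    candidates = []
    for tx in dest_txs:
        if tx.chain != dep.dest_chain or tx.to_address.lower() != dep.dest_address.lower():
            continue
        if tx.token != dep.token:
            continue
        latency = tx.timestamp - dep.timestamp
        if latency < 0 or latency > window_s:
            continue
        shortfall = dep.amount - tx.amount      # bridge fees: dest amount <= source
        if shortfall < 0 or shortfall > dep.amount * fee_tolerance:
            continue
        id_match = dep.correlation_id is not None and tx.correlation_id == dep.correlation_id
        candidates.append({
            "txid": tx.txid,
            "latency_s": latency,
            "fee_bps": round(shortfall * 10_000 / dep.amount, 2),
            "correlation_id_match": id_match,
        })
    confirmed = [c for c in candidates if c["correlation_id_match"]]
    if len(confirmed) == 1:
        status = "confirmed"
    elif len(candidates) == 1:
        status = "single-candidate (amount/timing only)"
    elif candidates:
        status = "ambiguous"
    else:
        status = "no match in window"
    return {"status": status, "candidates": candidates}


def with_bridge_message(txs, txid, correlation_id):
    """Simulate later obtaining the bridge's correlation ID for one settlement."""
    return [replace(t, correlation_id=correlation_id) if t.txid == txid else t for t in txs]


# Constructed: 10,000 USDC (6 decimals) bridged from chain 1 to chain 42161.
DEPOSIT = Deposit("src-1", 1, 42161, "0xdest", "USDC", 10_000 * 10**6, 1_000, "0xmsg-1")
DEST_TXS = [
    DestTx("d-a", 42161, "0xdest", "USDC", 9_995 * 10**6, 1_300),      # plausible
    DestTx("d-b", 42161, "0xdest", "USDC", 9_990 * 10**6, 1_450),      # plausible
    DestTx("d-c", 42161, "0xother", "USDC", 10_000 * 10**6, 1_200),    # wrong recipient
    DestTx("d-d", 42161, "0xdest", "USDC", 10_000 * 10**6, 50_000),    # outside window
    DestTx("d-e", 42161, "0xdest", "USDC", 5_000 * 10**6, 1_100),      # outside tolerance
]

if __name__ == "__main__":
    print(match_bridge_hop(DEPOSIT, DEST_TXS))
    print(match_bridge_hop(DEPOSIT, with_bridge_message(DEST_TXS, "d-b", "0xmsg-1")))
```

On the constructed data the first run returns two candidates and the status "ambiguous", which is what the report should say; only after the bridge's correlation ID is attached to one settlement does the same matcher return "confirmed", and the fee and latency figures per candidate are the discriminators to quote either way.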
Mixers — Tornado-Class, Centralized & Tumbler Services
Tornado-Cash-class mixers use zero-knowledge proofs to break the deterministic link between deposit and withdrawal; tracing recovers candidate sets, not unique successors, and confidence depends on the anonymity-set size at the time of withdrawal, the fixed denominations used, and any operational mistakes by the user (same-block deposit-and-withdraw, reuse of pre/post addresses, predictable timing). Centralized mixers and tumblers route through operator-controlled pools and are vulnerable to operator-side data, subpoena, and to flow analysis when their volume is low. Sanctions and regulatory status of specific mixer contracts (Tornado Cash being the canonical case) must be checked at report time, because legal posture toward downstream addresses can hinge on it.
Cross-Chain Bridge Hacks & Stolen-Funds Tracing
Major bridge exploits (Ronin, Wormhole, Nomad, Harmony, Multichain among them) are recurring high-value cases. The pattern: exploiter drains the bridge custody pool, fans out across multiple destination chains via further bridges, swaps into ETH or a stablecoin, optionally launders through Tornado-Cash-class mixers, and eventually attempts to off-ramp via CEX, OTC desk or stablecoin issuer-controlled rail. The CBI standard for these cases is real-time tagging of exploiter addresses, public-coordination announcements to exchanges and stablecoin issuers, and rapid issuance of freeze requests against the off-ramp candidates. Time-to-tag is the dominant variable in whether funds are recovered.
DEX Aggregators, MEV Bots & Wash-Sale Noise
Aggregator routers (1inch, 0x, Paraswap, Odos and their successors) split a single user trade across multiple liquidity venues, producing a transaction with many internal swap legs that are not separate trades. MEV bundles insert sandwich and arbitrage transactions adjacent to user trades, producing addresses with vast transaction histories that are not human-operated. The analyst's mistake-to-avoid is treating aggregator-internal addresses or MEV-bot addresses as 'persons of interest' — they are infrastructure, not actors. Maintain an internal allowlist of aggregator routers and MEV-bot signatures; refresh quarterly.
- 5
Privacy Coins, Lightning & Opaque Surfaces
What you can and cannot do when the chain is designed to defeat tracing. Monero is the doctrinal case; Lightning and shielded pools follow.
Monero — Why The Surface Is Hardened
Monero's protocol uses ring signatures (the actual signer is hidden among a set of decoys), stealth addresses (each output is paid to a one-time address derived from the recipient's public view and spend keys and per-transaction randomness, so the recipient's public address never appears on chain) and confidential transactions (amounts are hidden). The combined effect is that the chain reveals neither sender, recipient nor amount under normal conditions. Heuristic attacks on ring signatures exist (decoy-selection bias, EAE-style attacks, timing analysis, exchange-correlation when both sides KYC) but they yield probabilistic candidate sets, not deterministic traces, and their effectiveness has fallen as the protocol has hardened. CBI doctrine: never publish an XMR trace at the same confidence as a BTC or ETH trace; report what is observable (deposits to known service addresses, withdrawals from known service addresses) and what is not.
Off-Chain & Layer-2 Surfaces — Lightning, Rollups
Bitcoin's Lightning Network and EVM rollups present different tracing surfaces. Lightning channels open and close on-chain but route value off-chain between open and close; the on-chain footprint shows funding and settlement amounts but not intermediate routing. Optimistic and ZK rollups post compressed state to L1; the analyst reads the L2 chain directly (it is public on each rollup) but must record that the L1 footprint alone is insufficient for L2 flow detail. The mistake-to-avoid is quoting an L1 transfer summary as 'the' trace when the operational activity lives on L2.
Shielded Pools — Zcash And Family
Zcash and related designs offer shielded pools where transactions are fully private inside the pool. Observable transitions are shielded-in (transparent → shielded), shielded-shielded (no observable detail), and shielded-out (shielded → transparent). The analyst reports the observable transitions with timestamps and amounts; the inside is opaque by design. Where shielded usage is rare and amounts are distinctive, timing-and-amount correlation across shielded-in and shielded-out events yields candidate matches with explicit confidence caveats.
Operational Recovery Despite Opaque Surfaces
An opaque hop does not end a case. The standard recovery posture is to anchor at the boundary — the last clearly observable on-chain action before the opacity and the first clearly observable on-chain action after it — and to drive corroboration from off-chain evidence: exchange KYC where one boundary is at a CEX, IP and device data where available under legal process, persona-side OSINT linking on-chain boundaries to off-chain actors, and timing patterns visible across other parallel cases. Report the opaque hop honestly; resume the trace at the post-opacity boundary; carry the uncertainty forward in the confidence rating.
- 6
Attribution, Freezes & Reporting
How CBI analysts convert a clean on-chain trace into actionable disposition — exchange freezes, stablecoin blacklisting, law-enforcement product and the written report that survives challenge.
Exchange & VASP Attribution
Cluster-to-exchange attribution rests on a mix of: publicly disclosed hot-wallet addresses, vendor analytics labels (treated as leads requiring corroboration), behavioral signatures (large-batch consolidations, exchange-typical withdrawal patterns, fee-policy fingerprints), and direct confirmation from exchange compliance under legal process. Confidence in attribution rises with corroborated independent signals and falls with reliance on a single vendor label. Mis-attributing a destination cluster to the wrong exchange is operationally costly — freeze requests fail, time is lost, and credibility erodes — so resist publishing attribution above the confidence the evidence supports.
Freezes & Seizures — Stablecoin Issuer Route
USDT (Tether) and USDC (Circle) can blacklist addresses at the contract level, immobilizing the balance and preventing onward transfer. Issuers respond to verified law-enforcement requests with established intake channels; in many jurisdictions civil-recovery counsel can also drive freezes via court orders served on the issuer. The CBI workflow: identify the destination address holding the asset (post-trace, pre-cash-out), confirm balance and token, prepare the freeze package (case summary, trace evidence, requesting authority), route through the appropriate intake, monitor the chain for compliance confirmation, and lock the case status to 'frozen / awaiting disposition'. Speed matters: operator-side cash-out windows are short.
CEX Freezes & Recovery Pathways
When the destination is a centralized exchange deposit address rather than a self-custody address holding a freezable asset, the freeze route is different: the request goes to the exchange compliance team, supported by the trace and the originating victim case, and the exchange's response depends on its jurisdiction, KYC posture, and the legal instrument supporting the request. Some jurisdictions support administrative freezes on civil complaint; most require court order. Maintain a known-good liaison list per exchange and per jurisdiction; route appropriately; do not contact compliance teams under false pretences or via unofficial channels.
Sanctions, OFAC & High-Risk Address Lists
Sanctioned addresses (OFAC SDN list, EU/UK equivalents) carry hard legal consequences for any regulated counterparty interacting with them. Every CBI trace touching cash-out infrastructure must be checked against current sanctions lists; report any direct or near-touching exposure prominently. Vendor-published high-risk-address lists (mixers, darknet markets, ransomware clusters) inform risk scoring but are not the same as legal sanction — keep the distinction explicit in reporting.
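The "direct or near-touching exposure" check can be automated as a hop-distance query over the reconstructed transfer graph, and the legal list must be scored separately from vendor risk labels. The following is an added example written for this edit (not tooling from the manual, OFAC or any vendor): it runs a bounded breadth-first search from the sanctioned set in both directions (funds received from, and funds sent toward, a sanctioned address), does the same against a vendor risk list kept in its own column, and classifies each cash-out candidate. The edges, the sanctioned address, the vendor label and the two-hop cut-off are assumptions made for the illustration.

```python
# Added example: hop-distance exposure of cash-out candidates to sanctioned
# addresses, reported separately from vendor risk labels. Data constructed.
from collections import deque, defaultdict


def build_graph(edges):
    """edges: (from, to, amount). Returns forward and reversed adjacency."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst, _amount in edges:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def hop_distances(graph, sources, max_hops):
    """Multi-source BFS: distance = minimum hops from any source, capped."""
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def nearest(*hops):
    known = [h for h in hops if h is not None]
    return min(known) if known else None


def classify(hops):
    if hops is None:
        return "none"
    if hops == 0:
        return "listed"
    if hops == 1:
        return "direct"
    return "near"


def exposure_report(edges, sanctioned, vendor_risk, targets, max_hops=2):
    """Per target: nearest sanctioned address in either flow direction, and
    the same measure against vendor risk labels, kept as separate fields so
    a report never conflates a vendor label with a legal sanction."""
    fwd, rev = build_graph(edges)
    legal_in = hop_distances(fwd, set(sanctioned), max_hops)   # sanctioned -> ... -> target
    legal_out = hop_distances(rev, set(sanctioned), max_hops)  # target -> ... -> sanctioned
    risk_in = hop_distances(fwd, set(vendor_risk), max_hops)
    risk_out = hop_distances(rev, set(vendor_risk), max_hops)
    report = {}
    for t in targets:
        s_hops = nearest(legal_in.get(t), legal_out.get(t))
        r_hops = nearest(risk_in.get(t), risk_out.get(t))
        report[t] = {
            "sanctions": classify(s_hops), "sanctions_hops": s_hops,
            "vendor_risk": classify(r_hops), "vendor_risk_hops": r_hops,
        }
    return report


# Constructed transfer graph. S is on a sanctions list; T carries only a
# vendor "mixer" label. Amounts are placeholders.
EDGES = [("S", "A", 5), ("A", "B", 5), ("B", "C", 5),
         ("D", "T", 2), ("E", "S", 1), ("U", "U2", 9)]
SANCTIONED = {"S"}
VENDOR_RISK = {"T": "mixer (vendor label, not a legal sanction)"}
TARGETS = ["A", "B", "C", "D", "E", "U2"]

if __name__ == "__main__":
    for addr, row in exposure_report(EDGES, SANCTIONED, VENDOR_RISK, TARGETS).items():
        print(addr, row)
```

With the two-hop cut-off, A (received directly from S) and E (sent directly to S) are direct exposures, B is near, C falls outside the cut-off and is reported as none, and D shows vendor-risk exposure only, which is the distinction the report must keep visible. Raising max_hops is a policy decision to record in the report, not a default.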
Writing The Trace Report — BLUF, Flow, Evidence Appendix
The CBI standard report opens with a BLUF (3–5 sentences: judgement, confidence, recommended disposition). The executive summary expands for non-specialist readers. The flow narrative walks the value from origin to current disposition, hop by hop, with each hop carrying transaction hash(es), chain, amounts, decoded events where relevant and the heuristic confidence at that hop. An entity register names every cluster touched with its inferred role and confidence. An evidence appendix preserves the transaction hashes, block numbers, capture timestamps and the source node or explorer per quoted fact. Recommended actions are separated from findings.
Reproducibility & Re-Run Discipline
A CBI trace must be reproducible end-to-end from the source data by an independent analyst. Standard discipline: pin block heights or block hashes for every quoted fact (chains reorganize, vendor labels change, frontend block explorers re-render), store the queries and scripts used to generate the trace, archive the vendor-tool outputs that informed it, and re-run the trace at report finalization to catch any drift since collection started. A trace that cannot be re-run is not evidence; it is a memo.
Ready for the CBI exam?
100 scenario-based questions · 70/100 to pass. Diploma auto-issued on success.
GACS.app — Academic & Intelligence Standards Division
