Trace Report · Capstone Analytic Product
CBI — Certified Blockchain Investigator

Trace Report & Asset-Recovery Package

Reconstruct value movement from a victim deposit address to its current disposition across at least two chains, attribute the destination clusters to the standard expected for an exchange-freeze request, and ship a recovery package an exchange compliance team or stablecoin issuer can act on.

Estimated effort: 25–40 hours over 2–3 weeks
Passing score: 70 / 100
Reviewer: Reviewed by a senior on-chain investigator playing the role of unit head. They will re-derive the trace from a public node and read the freeze package as if forwarding it to an exchange.

The brief

A fraud cell has handed you a victim case. The victim sent USDT (chain of your choice) to a deposit address controlled by an operator known to fan funds across at least one bridge before consolidation. Your task is to produce a trace report and an asset-recovery package against the operator's current disposition.

Pick a target. Either (a) reconstruct a real, publicly known incident (a documented bridge hack, ransomware payment, or scam disclosure where the originating tx is publicly cited) or (b) work from a synthetic-but-realistic flow you construct yourself across at least one bridge and one mixing or consolidation hop. State the path on page one.

This is an evidence product. Every quoted transaction must be pinned to a block height. Every cluster attribution must name the heuristic, the supporting evidence, and the residual ambiguity. The report must be reproducible from a public node by an independent analyst at the time of submission.

Do not republish licensed vendor data. Use vendor labels as leads requiring corroboration against block-level evidence. Do not contact exchange compliance under false pretences. If your case is synthetic, label every freeze request as a 'dry run' on the package itself.

Deliverables

  1. Trace Report (long-form)

    BLUF, flow narrative hop-by-hop, entity register with role and confidence per cluster, methodology section (heuristics used and their limits), caveats, recommended disposition. 8–14 pages.

    format: trace-report.pdf + trace-report.md
  2. Hop Ledger

    Machine-readable per-hop record: chain, block height, tx hash, from/to (clustered where applicable), token contract, amount, decoded events, heuristic used to attribute, confidence, evidence pointers.

    format: hops.csv + hops.jsonl
  3. Flow Diagram

    Sankey or directed graph of value flow from victim address to current disposition, with bridge and mixer hops visually distinct. Node labels reference entity-register IDs.

    format: flow.svg + flow.png
  4. Reproducibility Bundle

    Scripts and queries used to derive every quoted fact, pinned to specific block heights, runnable against a public node. README with one-command repro.

    format: repro/ + README.md
  5. Asset-Recovery Package

    Per disposition target: address, balance and token at snapshot time, chain, attribution evidence summary, recommended freeze route (stablecoin issuer / exchange compliance / sanctions referral), draft cover letter for the consumer, requested authority's intake template if applicable.

    format: recovery/<target>.{md,pdf}
  6. Methodology & Caveats Annex

    Per-heuristic description (co-spend, change-id, bridge correlation, label-corroboration, mixer-anonymity-set), the conditions under which it fails, and the cases in this report where it was relied on at borderline confidence.

    format: methodology.md

Suggested timeline

  1. Scope & PIR
    Days 1–2

    Pick target, write PIRs, define cut-off, choose chains and tooling.

  2. First-hop trace
    Days 3–5

    Walk the trace through the first bridge or consolidation hop, ledger every fact.

  3. Cross-chain & opacity
    Days 6–9

    Reconstruct bridge hops, handle mixer/shielded boundaries honestly.

  4. Attribution
    Days 10–12

    Cluster, attribute, sanctions-screen, calibrate confidence.

  5. Recovery package
    Days 13–15

    Per target: route, evidence summary, cover letter, intake template.

  6. Repro & QA
    Days 16–17

    Run repro from scratch, re-derive trace, fix any drift, submit.

Graded rubric (100 pts)

Each criterion is scored 0–4. Final score = Σ (score × weight) ÷ 4. You need ≥70 to earn the capstone seal on your transcript.

BLUF & analytic clarity
10 pts
  • 0

    Missing or unusable. No BLUF, or BLUF that does not state recommended disposition.

  • 1

    Present but materially deficient. Multiple gaps a reviewer would flag on first pass.

  • 2

    Meets minimum professional bar. BLUF states judgement, confidence and recommended disposition in 3–5 sentences.

  • 3

    Strong. Few corrections needed; would pass internal QA at a national-level cell.

  • 4

    Exemplary. BLUF and exec summary let a non-specialist compliance officer act on page one without reading the hop ledger.

Trace completeness & accuracy
20 pts
  • 0

    Missing or unusable. Trace ends in the middle of a hop or skips visible internal transfers.

  • 1

    Present but materially deficient. Multiple gaps a reviewer would flag on first pass.

  • 2

    Meets minimum professional bar. Trace continuous from victim deposit to current disposition. Internal transfers and emitted events decoded. Bridge hops correlated by amount, timing and bridge-published IDs.

  • 3

    Strong. Few corrections needed; would pass internal QA at a national-level cell.

  • 4

    Exemplary. Trace catches a non-obvious detail (router-internal swap, MEV-bundle adjacency, address-poisoning attempt) and addresses it in narrative.

Cluster attribution & heuristic discipline
15 pts
  • 0

    Missing or unusable. Clusters attributed without naming the heuristic or evidence.

  • 1

    Present but materially deficient. Multiple gaps a reviewer would flag on first pass.

  • 2

    Meets minimum professional bar. Per cluster: heuristic used, supporting evidence, confidence, and residual ambiguity. Vendor labels treated as leads, not proof.

  • 3

    Strong. Few corrections needed; would pass internal QA at a national-level cell.

  • 4

    Exemplary. Borderline calls are reported as candidate sets with explicit anonymity-set or alternative-match counts, not collapsed to a single attribution.

Reproducibility
15 pts
  • 0

    Missing or unusable. Trace cannot be re-derived from the report. No pinned block heights.

  • 1

    Present but materially deficient. Multiple gaps a reviewer would flag on first pass.

  • 2

    Meets minimum professional bar. Independent analyst can re-derive every fact from the repro bundle and a public node. Block heights pinned everywhere.

  • 3

    Strong. Few corrections needed; would pass internal QA at a national-level cell.

  • 4

    Exemplary. Repro bundle runs in one command and regenerates the hop ledger and the flow diagram bit-for-bit at the pinned heights.

Privacy-tooling honesty
10 pts
  • 0

    Missing or unusable. Mixer/shielded-pool/Lightning hops reported as deterministic continuations.

  • 1

    Present but materially deficient. Multiple gaps a reviewer would flag on first pass.

  • 2

    Meets minimum professional bar. Privacy hops reported with broken-clustering caveat. Downstream addresses reported as candidates pending corroboration.

  • 3

    Strong. Few corrections needed; would pass internal QA at a national-level cell.

  • 4

    Exemplary. Where corroboration exists (timing, amount, exchange-side data) it is presented; where it does not, the trace is paused at the boundary with explicit re-anchor strategy.

Recovery package operability
15 pts
  • 0

    Missing or unusable. Recovery requests are generic. No instrument named, no intake template followed.

  • 1

    Present but materially deficient. Multiple gaps a reviewer would flag on first pass.

  • 2

    Meets minimum professional bar. Per target: correct freeze route, evidence summary scoped to the consumer, draft cover letter, intake template observed.

  • 3

    Strong. Few corrections needed; would pass internal QA at a national-level cell.

  • 4

    Exemplary. Package is timed against the operator's expected cash-out window. Targets are prioritized by recoverable balance × probability of freeze.

Sanctions & high-risk screening
5 pts
  • 0

    Missing or unusable. No sanctions screening.

  • 1

    Present but materially deficient. Multiple gaps a reviewer would flag on first pass.

  • 2

    Meets minimum professional bar. All addresses screened against current OFAC/EU/UK lists at submission time. Direct or near-touching exposure called out.

  • 3

    Strong. Few corrections needed; would pass internal QA at a national-level cell.

  • 4

    Exemplary. Sanctions analysis distinguishes legal sanction from vendor high-risk labels and explains the operational consequences of each.

Writing & evidence appendix quality
10 pts
  • 0

    Missing or unusable. Prose is sloppy. Appendix incomplete.

  • 1

    Present but materially deficient. Multiple gaps a reviewer would flag on first pass.

  • 2

    Meets minimum professional bar. Prose is direct. Appendix complete. Hop ledger machine-readable.

  • 3

    Strong. Few corrections needed; would pass internal QA at a national-level cell.

  • 4

    Exemplary. Reads like a published service product. Hop ledger schema is documented and stable across cases.

Pre-submission checklist

Every item must be true before you submit. Reviewers will spot-check.

  • Every quoted transaction is pinned to a block height (or block hash)
  • Every cluster attribution names the heuristic and its supporting evidence
  • Bridge hops have explicit correlation evidence (event, amount, timing, bridge ID)
  • Mixer / shielded / Lightning hops are reported as broken-clustering with downstream candidates
  • Vendor labels are treated as leads, not as evidence
  • Repro bundle regenerates the hop ledger from a public node in one command
  • Asset-recovery package observes the consumer's intake template per target
  • All addresses are sanctions-screened at submission time
  • No licensed vendor data is republished
  • Caveats explicitly state what would invalidate each load-bearing attribution
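
An added example, not part of the course material: a small linter for the body of hops.jsonl that checks several of the checklist items above (block pinning, named heuristic, bridge correlation evidence, privacy hops as candidate sets, vendor labels as leads) and also checks trace continuity across fan-out. The field names, the `kind` values and the `vendor:` evidence prefix are assumptions; the Hop Ledger deliverable only lists what each hop must record.

```python
import json

# Field names, "kind" values and the "vendor:" pointer prefix are assumptions of this example.
HEURISTICS = {"co-spend", "change-id", "bridge-correlation",
              "label-corroboration", "mixer-anonymity-set"}  # from the methodology annex
PRIVACY_KINDS = {"mixer", "shielded", "lightning"}           # clustering breaks here
BRIDGE_KEYS = {"event", "amount", "timing", "bridge_id"}     # required correlation evidence

def lint_hops(jsonl_text, victim_deposit):
    """Return (line_no, message) findings for the body of a hops.jsonl file."""
    findings, reachable = [], {victim_deposit}
    for n, line in enumerate(jsonl_text.strip().splitlines(), 1):
        hop = json.loads(line)
        def flag(msg):
            findings.append((n, msg))
        if type(hop.get("block_height")) is not int and not hop.get("block_hash"):
            flag("not pinned to a block height or hash")
        if hop.get("heuristic") not in HEURISTICS:
            flag("heuristic missing or not in methodology annex")
        evidence = hop.get("evidence") or []
        if not evidence:
            flag("no evidence pointers")
        elif all(e.startswith("vendor:") for e in evidence):
            flag("vendor label used as sole evidence")  # labels are leads, not proof
        kind = hop.get("kind", "transfer")
        missing = BRIDGE_KEYS - set(hop.get("correlation") or {}) if kind == "bridge" else set()
        if missing:
            flag("bridge correlation missing: " + ",".join(sorted(missing)))
        # Continuity: a hop may only start where an earlier hop (or a candidate set) ended.
        if hop.get("from") not in reachable:
            flag("trace gap: 'from' not reached by any earlier hop")
        if kind in PRIVACY_KINDS:
            if not hop.get("candidates"):
                flag("privacy hop reported as deterministic continuation")
            reachable.update(hop.get("candidates") or [])  # candidates, never a single 'to'
        else:
            reachable.add(hop.get("to"))
    return findings

SAMPLE = "\n".join(json.dumps(h) for h in [  # constructed ledger, synthetic values only
    {"chain": "tron", "block_height": 100, "tx": "0xaa", "from": "VICTIM_DEP", "to": "C1",
     "kind": "transfer", "heuristic": "co-spend", "evidence": ["tx:0xaa"]},
    {"chain": "tron", "block_height": 120, "tx": "0xbb", "from": "C1", "to": "C2",
     "kind": "bridge", "heuristic": "bridge-correlation", "evidence": ["log:0xbb#3"],
     "correlation": {"event": "Deposit", "amount": "5000", "timing": "42s"}},
    {"chain": "ethereum", "tx": "0xcc", "from": "C2", "to": "C3",
     "kind": "mixer", "heuristic": "mixer-anonymity-set", "evidence": ["vendor:label-17"]},
    {"chain": "ethereum", "block_height": 900, "tx": "0xdd", "from": "C9", "to": "EXCH_1",
     "kind": "transfer", "heuristic": "label-corroboration", "evidence": ["tx:0xdd"]},
])
```

Calling `lint_hops(SAMPLE, "VICTIM_DEP")` reports the bridge hop without a bridge ID, the unpinned mixer hop that rests on a vendor label and names a single destination, and the final hop whose source was never reached by the trace.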

Stretch goals (bonus 0–10 pts)

  • Add a time-to-cash-out forecast based on the operator's historical fanning pattern, with I&W to detect imminent off-ramp
  • Include a sanctions-jurisdictional matrix showing freeze viability per target by issuer jurisdiction
  • Author a parallel trace using a second independent vendor / methodology and reconcile the differences
  • Publish the hop-ledger schema as a reusable internal standard with a JSON Schema definition