Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Cybercrime

Tracing crypto laundering: tutorial with Chainabuse, OXT, Walletexplorer, and Etherscan

Ransomnews Research TeamBy Ransomnews Research TeamMay 7, 2026Updated:May 7, 2026No Comments4 Mins Read779 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
A network of cryptocurrency wallet icons with one traced through intermediaries to an exchange
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

Ransomware and fraud proceeds move on chains that are public by design. The fancy commercial tools (Chainalysis Reactor, TRM Labs) cost five-figure subscriptions, but the free open-source stack now covers most of what an investigative journalist or DFIR analyst actually needs. This tutorial walks through tracing a known-bad wallet end to end with free tools.

The tools

Chainabuse, community-maintained database of wallets tagged as scams, ransomware, and fraud. Free public search. Run any wallet through it first to see if it’s already been reported.

OXT.me, open Bitcoin block explorer with clustering heuristics. Shows the cluster (group of addresses owned by the same entity) for any BTC address. Free.

WalletExplorer, Bitcoin block explorer that names known entities (exchanges, mixers, gambling sites) so you can see when a wallet sends to or receives from one. Free.

Etherscan, same kind of explorer for Ethereum, USDT, and tokens. Free.

Breadcrumbs, visualises wallet flows as a graph. Free tier covers most use cases.

Step 1: Identify the starting wallet

You typically start with a known-bad address. Sources: ransomware victim communications, public DFIR reports, OFAC sanctions list, or a Chainabuse search. Plug the wallet into Chainabuse first, if it’s been reported, you get attribution and date of first report.

Step 2: For BTC, cluster and label

Drop the address into OXT.me. The “Entity” panel shows the cluster, every address that’s been heuristically determined to belong to the same wallet (typically because they’ve co-spent inputs in transactions). A ransomware operator’s collection wallet is rarely a single address; it’s a cluster of dozens to hundreds.

Then run the address through WalletExplorer. WalletExplorer labels destinations: “Sent 0.5 BTC to Binance.com-2 deposit address” tells you the operator off-ramped through Binance on that date. That date is your starting point for an information request to Binance via law enforcement.

Step 3: For ETH and USDT, Etherscan

For Ethereum addresses, Etherscan’s transaction list is the starting point. The “Transfers” tab shows ERC-20 token movements (USDT, USDC). Etherscan’s labelled-addresses database includes major exchange deposit addresses, known mixers, and OFAC-sanctioned wallets, when your target sends to or receives from any of those, the label appears next to the transaction.

For USDT specifically, much of the volume is on Tron (TRC-20), use Tronscan for that.

Step 4: Follow the hops

Modern launderers route through 3-7 intermediate wallets before the off-ramp. For each hop, repeat the cluster lookup and the labelling check. Breadcrumbs visualises this as a graph automatically, paste the starting address, set max depth (3 is a reasonable starting point), and Breadcrumbs spiders the flow for you.

Look for: deposits to known exchanges (centralised off-ramps with KYC, where law enforcement can subpoena identity), DEX swaps to privacy coins (the trace ends at the swap, but the swap itself is evidence), bridge contracts to other chains (the trace continues on the destination chain).

Step 5: Document the chain

Take screenshots at every step. Note timestamps in UTC. Save the transaction hashes, they’re the immutable record. If you publish, link directly to the explorer pages so readers can verify themselves. If you go to law enforcement, a clear chain of evidence with timestamps and hashes is what they need to build a case.

Step 6: When you hit a mixer or DEX

Tornado Cash, Wasabi, Sinbad, Samourai’s Whirlpool, once funds enter a mixer, the trace gets dramatically harder. It’s not impossible (Chainalysis has demixing techniques that occasionally crack early Tornado Cash withdrawals) but it’s beyond what free tools can do.

What you can still do: note the mixer entry, note the date, and watch for known-pattern withdrawals. Many launderers withdraw with characteristic amounts and timing that occasionally let you re-link withdrawal to deposit on probability rather than certainty.

Step 7: Report and publish responsibly

Submit findings to Chainabuse so the next investigator benefits. For sanctions-relevant findings, the relevant authority depends on jurisdiction (OFAC in the US, OFSI in the UK, EU national FIUs).

If you publish, name the operator’s chain of custody but don’t name individuals unless the attribution is rock-solid. Wallet attribution to a real person is the highest-bar claim in this work; sloppy attribution is the most common cause of retraction.

Done well, the free toolchain handles 80% of what a professional investigator does. The remaining 20%, demixing, deep-cluster heuristics, real-time monitoring, is where commercial tools earn their keep. For most journalism and most early-stage DFIR work, the free stack is enough.

Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleHow to set up a malware analysis sandbox at home: FlareVM, REMnux, and Cuckoo tutorial
Next Article How to investigate a phishing kit: tutorial with urlscan.io, PhishTank, and Sublime Security
Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.

Related Posts

Anubis ransomware is exploiting Citrix Bleed 2 for access

July 10, 2026

Kairos took $1M from a US government body and encrypted nothing

July 10, 2026

Ransomware statistics 2026: confirmed attacks by month

July 8, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.