Ransomware and fraud proceeds move on chains that are public by design. The fancy commercial tools (Chainalysis Reactor, TRM Labs) cost five-figure subscriptions, but the free open-source stack now covers most of what an investigative journalist or DFIR analyst actually needs. This tutorial walks through tracing a known-bad wallet end to end with free tools.
The tools
Chainabuse, community-maintained database of wallets tagged as scams, ransomware, and fraud. Free public search. Run any wallet through it first to see if it’s already been reported.
OXT.me, open Bitcoin block explorer with clustering heuristics. Shows the cluster (group of addresses owned by the same entity) for any BTC address. Free.
WalletExplorer, Bitcoin block explorer that names known entities (exchanges, mixers, gambling sites) so you can see when a wallet sends to or receives from one. Free.
Etherscan, same kind of explorer for Ethereum, USDT, and tokens. Free.
Breadcrumbs, visualises wallet flows as a graph. Free tier covers most use cases.
Step 1: Identify the starting wallet
You typically start with a known-bad address. Sources: ransomware victim communications, public DFIR reports, OFAC sanctions list, or a Chainabuse search. Plug the wallet into Chainabuse first, if it’s been reported, you get attribution and date of first report.
Step 2: For BTC, cluster and label
Drop the address into OXT.me. The “Entity” panel shows the cluster, every address that’s been heuristically determined to belong to the same wallet (typically because they’ve co-spent inputs in transactions). A ransomware operator’s collection wallet is rarely a single address; it’s a cluster of dozens to hundreds.
Then run the address through WalletExplorer. WalletExplorer labels destinations: “Sent 0.5 BTC to Binance.com-2 deposit address” tells you the operator off-ramped through Binance on that date. That date is your starting point for an information request to Binance via law enforcement.
Step 3: For ETH and USDT, Etherscan
For Ethereum addresses, Etherscan’s transaction list is the starting point. The “Transfers” tab shows ERC-20 token movements (USDT, USDC). Etherscan’s labelled-addresses database includes major exchange deposit addresses, known mixers, and OFAC-sanctioned wallets, when your target sends to or receives from any of those, the label appears next to the transaction.
For USDT specifically, much of the volume is on Tron (TRC-20), use Tronscan for that.
Step 4: Follow the hops
Modern launderers route through 3-7 intermediate wallets before the off-ramp. For each hop, repeat the cluster lookup and the labelling check. Breadcrumbs visualises this as a graph automatically, paste the starting address, set max depth (3 is a reasonable starting point), and Breadcrumbs spiders the flow for you.
Look for: deposits to known exchanges (centralised off-ramps with KYC, where law enforcement can subpoena identity), DEX swaps to privacy coins (the trace ends at the swap, but the swap itself is evidence), bridge contracts to other chains (the trace continues on the destination chain).
Step 5: Document the chain
Take screenshots at every step. Note timestamps in UTC. Save the transaction hashes, they’re the immutable record. If you publish, link directly to the explorer pages so readers can verify themselves. If you go to law enforcement, a clear chain of evidence with timestamps and hashes is what they need to build a case.
Step 6: When you hit a mixer or DEX
Tornado Cash, Wasabi, Sinbad, Samourai’s Whirlpool, once funds enter a mixer, the trace gets dramatically harder. It’s not impossible (Chainalysis has demixing techniques that occasionally crack early Tornado Cash withdrawals) but it’s beyond what free tools can do.
What you can still do: note the mixer entry, note the date, and watch for known-pattern withdrawals. Many launderers withdraw with characteristic amounts and timing that occasionally let you re-link withdrawal to deposit on probability rather than certainty.
Step 7: Report and publish responsibly
Submit findings to Chainabuse so the next investigator benefits. For sanctions-relevant findings, the relevant authority depends on jurisdiction (OFAC in the US, OFSI in the UK, EU national FIUs).
If you publish, name the operator’s chain of custody but don’t name individuals unless the attribution is rock-solid. Wallet attribution to a real person is the highest-bar claim in this work; sloppy attribution is the most common cause of retraction.
Done well, the free toolchain handles 80% of what a professional investigator does. The remaining 20%, demixing, deep-cluster heuristics, real-time monitoring, is where commercial tools earn their keep. For most journalism and most early-stage DFIR work, the free stack is enough.
