The open ledger is transparent: transaction amounts, times, and addresses are always visible. However, the identities behind these transfers remain hidden.

Previously, ForkLog explored the mechanics of tracking coins using TXID and UTXO models. This process can be done manually by examining data in any blockchain explorer.

But this approach has its limits. The blockchain only shows the movement of funds, not the initiator of the transfer. This is where OSINT—open-source intelligence—comes into play. It helps link an anonymous address to a real person.

Let’s examine what data the ledger reveals on its own, what must be gathered externally, how investigations are structured step by step, the tools they rely on, and where the line is drawn between analytics and surveillance.

Beyond the Blockchain

The distributed ledger hides nothing. Every transfer and wallet cluster is visible to any observer. This is the essence of on-chain analysis. However, the method has its limits: the chain answers the question "where" but not "who".

This gap is filled by OSINT—open-source intelligence. This discipline predates the crypto industry: monitoring publicly available radio frequencies was established in the UK and the US during World War II.

The essence of the method has not changed since then. It involves analyzing information that is publicly accessible and collected without breaching security systems. In the blockchain sphere, this includes almost everything: forum messages, domain registration details, old screenshots, and database leaks.

This connection works due to pseudonymity. Unlike absolute anonymity, in the Bitcoin network and most other blockchains, users are hidden behind alphanumeric addresses, but all their actions remain permanently recorded in the ledger.

“The identity is not revealed directly, but the trace is noticeable and unchangeable,” explain OSINT Industries.

In practice, on-chain analysis and OSINT serve different purposes. The former reconstructs the route of coins: who transferred what to whom and through which addresses the funds passed.

Open-source intelligence links addresses to external data—such as an exchange account, a social media profile, or a domain record. A single mistake by a user can lead to their de-anonymization.

The chain provides amounts and connections, while off-chain gives context; together they lead to a specific user. Source: ForkLog.

Why Dig at All?

OSINT encompasses five different areas, each with its own tasks and outcomes.

The first is investigating theft and fraud. Independent analysts publish data that helps quickly freeze stolen assets. For example, in the case of the $243 million theft from Genesis creditor, such an investigation allowed for the blocking of over $9 million.

The second is compliance and sanctions screening. Cryptocurrency transactions often span multiple platforms and jurisdictions. In such cases, it is crucial not only to track the transfer but also to link it to a real person.

The third is threat intelligence. It helps track the flow of funds associated with ransom payments and the operation of illegal platforms.

The fourth is market analysis. Many large holders and their associated wallets have long been under close observation. Traders interpret the movement of their funds as signals of impending sell-offs or asset accumulation.

The fifth is journalistic investigations. The collapse of the FTX exchange in 2022 began with a publication by CoinDesk: the outlet compared corporate documents with on-chain data and discovered that the business relied on an illiquid token, FTT.

All five scenarios share a common mechanism: from a trace in the ledger to external data, and from there to a specific name.

Five scenarios for applying OSINT in the crypto industry. Source: ForkLog.

From Address to Name

Investigations rarely start with a ready-made name. More often, the starting point is just an anomaly: a hacked contract, an address from a victim's complaint, or a wallet from a dubious scheme.

Researchers divide the process into four stages: lead, data collection, address attribution, and verification. There is no strict order of actions, but the logic remains unchanged—moving from a digital trace in the ledger to a real person.

Lead sets the direction. The starting point can be the incident itself, a specific address, the type of wallet (e.g., hot, exchange), or a smart contract. This determines the search strategy.

Data collection is pure OSINT. The analyst searches for any connection between the address and off-chain data: domain records, social media profiles, forum and Discord discussions, database leaks, and old screenshots. Each finding becomes a link between the pseudonym and the individual.

Attribution consolidates disparate facts. Addresses are grouped into clusters based on counterparties, times, and amounts of transfers, and then linked to an exchange, service, or individual. Often, a single mistake can determine the outcome: a publicly exposed wallet or a deposit on a KYC platform can immediately reveal the owner.

Verification leaves the final word to the analyst. At this stage, connections are rechecked, contradictions are sought, and the likelihood of error is assessed.

This holds the main limitation of the method. Attribution is always probabilistic: it states not “this is definitely them,” but “this is likely them.”

In the most complex investigations, on-chain analysis is supplemented by examining devices, RAM, and network traffic. Missing any of these layers raises doubts about the conclusions.

Each of the four stages employs its own set of tools—from blockchain explorers to visualization systems.

Four stages of investigation—from lead to verification. Source: ForkLog.

The Analyst's Arsenal

When discussing forensic tools, people often mention a couple of well-known platforms. However, the actual arsenal of an analyst is much broader and largely free.

The basic level consists of blockchain explorers. These include Etherscan for Ethereum, Blockchair and WalletExplorer for Bitcoin, Solscan and TronScan for Solana and TRON, respectively. They display transactions, balances, and address histories.

The next layer consists of visualization systems. They represent the flow of funds as a graph. This category includes Arkham, Breadcrumbs, and OXT. With these tools, analysts can track asset movements and quickly identify related clusters.

A separate category is commercial forensic platforms like Chainalysis, TRM Labs, Elliptic, and Scorechain. These are used by exchanges, banks, and law enforcement for compliance and risk assessment. Access to them is usually paid and provided to corporate clients.

Searching for off-chain data relies on traditional OSINT. Maltego builds graphs of connections between people and accounts, SpiderFoot automates information gathering from hundreds of sources, and IntelligenceX searches for data in archives and leaks, including Bitcoin addresses.

This toolkit also includes IP geolocation through MaxMind and Google dorks—special search operators to narrow results. For example, a query with the site: parameter finds mentions of a wallet on a specific site.

Understanding the variety of software is aided by directories. OSINT Framework is a tree of categories with tools for any task. There are also open collections on GitHub specifically compiled for blockchain investigations.

The entry barrier to the profession is low, as most services are open to everyone. This is why debates around OSINT continue regarding where legitimate investigation ends and invasion of privacy begins.

OSINT and on-chain analyst tools. Source: ForkLog.

Legal, but Not Uncontroversial

OSINT is legal by nature. It works with open data and does not circumvent security systems. Problems arise not at the search stage but when using the results.

The first challenge is legal. According to Article 6 of the GDPR, there must be lawful grounds for processing personal data, even if that information is publicly available.

The second challenge is the cost of error. Incorrect attribution of an address poses risks to real people: a tool for tracking down criminals could point to an innocent person. Moreover, published accusations can remain in search results and web archives for years.

OSINT has principled opponents. Some in the industry view financial privacy as an inherent right, not a loophole for criminals.

This logic is reflected in privacy coins: Monero by default hides amounts and addresses, while Zcash offers shielded transactions at the user's discretion. For proponents of this approach, OSINT is not a tool for fighting crime but an instrument of total surveillance.

There is no clear winner in this debate. The transparency of the ledger works both ways: it aids analysts but also facilitates surveillance.

Self-Taught Sleuths

Many well-known on-chain detectives lack formal diplomas or credentials.

A researcher known as ZachXBT entered the crypto industry during the ICO boom of 2017 as an ordinary retail investor. After losing money on scam projects, he self-studied blockchain forensics.

Years later, his investigation helped uncover a $243 million theft. He identified the perpetrators through off-chain traces: a accidentally revealed name, recurring addresses, and geotags on social media. As a result, the US Department of Justice charged two individuals.

Another example is Coffeezilla (Stephen Findlay). A chemical engineer by training, he began exposing scams after his mother was deceived by sellers of "miracle cures." He built his audience on YouTube.

One of his most notable works was an interview where he secured a confession from Hayden Davis—a key figure in the LIBRA token scandal. He publicly disclosed his profit, which amounted to around $113 million.

ZachXBT and Coffeezilla share not a technical arsenal but an approach: persistence and skillful handling of basic data. The entry barrier to this field is much lower than commonly believed.

The open ledger has turned de-anonymization into a craft. Tasks that were once the prerogative of intelligence agencies and compliance departments are now within the reach of an enthusiast with a laptop.

The accessibility of tools has a downside. The clearer the algorithm illustrates connections, the greater the temptation to trust it blindly. But matching addresses is merely a hypothesis, not a verdict. The tool presents the data, but the final conclusion is made by a human.