By Jason Tucker, CPA, CFF, CCE, PI
Cryptocurrency still carries an air of mysticism for many investigators. It’s often portrayed in headlines as something untraceable, hidden in the “dark web,” or reserved for cybercrime specialists. The reality is far more practical: with some focused training and the right tools, any motivated detective can add crypto tracing skills to their investigative toolkit. And in today’s environment, that’s no longer optional; it’s essential!
Criminals have been progressively shifting into cryptocurrency since its inception because they recognize its advantages. Unlike cash, which can be seized during a traffic stop, or bank accounts, which can be frozen with the right court order, crypto is digital, borderless and — if investigators don’t know what to look for — difficult if not impossible to seize if properly secured. The gap between what offenders understand and what most law enforcement can trace has become a shield for criminals. Closing that gap doesn’t require million-dollar forensic labs. It requires proper training, tools, the right mindset and the confidence to treat crypto just like any other financial lead.
Why this matters for every investigator
We know most crime is financially motivated. Some estimates put the share as high as 80%-90%. If a suspect has something to gain, there’s usually money flowing in the background. Historically, investigators have followed the proceeds of crime by looking for bank accounts, cash, hard assets, or property. Increasingly, those funds are bypassing traditional channels and being funneled into cryptocurrency and FinTech applications such as PayPal, Cash App, Venmo and Zelle.
Finding the money is often the strongest evidence tying a suspect to a crime. It’s one thing for a witness to testify that John Doe ran a scam or received funds for criminal activity. However, tying a suspect to the illicit proceeds in court through an immutable digital trail will undoubtedly strengthen cases, add prosecutable charges, and create leverage during plea negotiations or prosecution. Following the money remains one of the primary pillars of an investigation. As technology advances, however, the trail has become increasingly complex to follow.
If the proceeds of crime aren’t sitting in a bank or a shoebox of cash, there’s a rising likelihood they’ve been converted to crypto or are sitting in a FinTech app on the suspect’s mobile phone. That’s where many cases hit a dead end today, not because the trail is impossible, but because the investigators aren’t trained to follow it and they lack the tools to trace the funds.
What crypto investigations really look like
Forget the mysticism. At its core, a crypto investigation looks a lot like traditional fraud work:
- On-ramps and off-ramps: Criminals need to move money in and out of the crypto ecosystem. That means credit cards, bank transfers and payment apps on the way in, and cash-outs through exchanges, ATMs, crypto payment services, or peer-to-peer transfers on the way out. Each of those creates subpoena targets and investigative opportunities to identify the suspect and possibly seize or freeze the funds.
- Following the addresses: Every wallet address is like a bank account number. Transactions are permanently recorded on a public blockchain that anyone can view. Instead of subpoenaing the bank for balances, you investigate the public ledger like a global bank statement.
- Identifying the person: The hardest part isn’t tracing the coins — it’s connecting wallets to real-world identities. That’s where OSINT, subpoenas, FinTech apps, cyber investigative techniques and even good old surveillance come into play.
- Seizing the funds: Done correctly, cryptocurrency can be frozen or seized through hardware wallet seizure or by a warrant to centralized exchanges, stablecoin issuers, or custodial wallets, often with fewer hurdles than seizing property.
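The "following the addresses" and "off-ramps" steps above can be sketched as a forward walk over a ledger that stops at the first address attributed to a service, since that is where a subpoena or warrant applies. This is an added example, not part of the original article; the ledger rows, addresses and service labels are constructed, and real cases rely on a blockchain intelligence tool's attribution data.

```python
from collections import deque

# Constructed sample ledger: (txid, from_address, to_address, amount).
LEDGER = [
    ("tx1", "victim_wallet", "scam_addr_A", 5.0),
    ("tx2", "scam_addr_A", "hop_B", 3.0),
    ("tx3", "scam_addr_A", "hop_C", 2.0),
    ("tx4", "hop_B", "exch_dep_1", 3.0),
    ("tx5", "hop_C", "hop_D", 2.0),
    ("tx6", "hop_D", "exch_dep_2", 1.5),
    ("tx7", "hop_D", "scam_addr_A", 0.5),    # funds looping back to a seen address
    ("tx8", "unrelated_X", "exch_dep_1", 9.0),
]
# Constructed attribution labels (hypothetical services).
LABELS = {"exch_dep_1": "Exchange Alpha", "exch_dep_2": "ATM Operator Beta"}

def trace_to_offramps(start, ledger, labels, max_hops=6):
    """Follow outgoing transfers from `start`; return labelled off-ramp hits."""
    outgoing = {}
    for txid, src, dst, amount in ledger:
        outgoing.setdefault(src, []).append((txid, dst, amount))
    queue, visited, targets = deque([(start, [])]), {start}, []
    while queue:
        addr, path = queue.popleft()
        if len(path) >= max_hops:            # bound the trace depth
            continue
        for txid, dst, amount in outgoing.get(addr, []):
            trail = path + [txid]
            if dst in labels:
                # Stop here: custodial services commingle deposits, so the
                # next step is legal process, not further on-chain tracing.
                targets.append({"service": labels[dst], "address": dst,
                                "txids": trail, "amount": amount})
            elif dst not in visited:         # skip loops and repeat visits
                visited.add(dst)
                queue.append((dst, trail))
    return targets

if __name__ == "__main__":
    for hit in trace_to_offramps("scam_addr_A", LEDGER, LABELS):
        print(hit["service"], hit["address"], " -> ".join(hit["txids"]))
```

Each hit carries the transaction IDs that link the suspect address to the service, which is the chain an investigator would cite when requesting account records.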
Training for the front line
Crypto investigations should not be siloed to financial crimes or cybercrime units. The case volume is already too high, and criminals know that if they can “go crypto,” they’ve bought themselves time and possibly a technical firewall of identification and protection from seizure. Patrol officers and detectives will increasingly be the first ones taking reports of crypto fraud, scams, or ransom payments.
The good news is that with focused training and tools, investigators don’t have to be computer scientists or financial analysts to succeed. They need practical instruction on:
- Collecting wallet addresses, transaction IDs and payment app details at the first point of contact.
- Running a preliminary trace using blockchain intelligence tools to trace where funds went.
- Knowing when and how to subpoena exchanges, payment apps and banks.
- Using OSINT and social media to provide context that supports linking on-chain activity to real-world investigative findings.
- Recognizing red flags that suggest further financial crimes may be hidden in crypto.
That kind of training can be delivered in an accessible way and scaled across departments. When investigators learn by doing — running traces, connecting wallets, writing subpoenas — the mysticism fades, and confidence grows.
Key takeaways for investigators
- Crypto isn’t magic — it’s a public ledger. Every transaction leaves a permanent, time-stamped record of where the funds originated, where they were sent and how much was sent.
- Victims are everywhere — from elder scams and romance fraud to business email compromise, crypto touches all communities.
- Think familiar, not foreign. Tracing crypto mirrors traditional fraud work: follow the money, identify the choke points, build the human link.
- Early evidence matters. Collect wallet addresses, transaction IDs and receipts at the first report; delays make recovery harder.
- Exchanges are pressure points. Criminals need to cash out somewhere. Subpoenas to exchanges can uncover real-world IDs.
- Training = confidence. With practical skills, any motivated investigator can start preliminary tracing and avoid dead-ending cases.
- Don’t leave it to “cyber” alone, as the case volume is too high. Patrol officers and detectives will increasingly be first on scene for crypto crimes.
- Most crime is financially motivated. Estimates show 80%–90% of crimes have financial motives, and illicit proceeds are increasingly being funneled into cryptocurrency.
- Follow the money = prove the crime. Tracing the financial proceeds of an offense is often the strongest evidence tying a suspect directly to the act.
- If it’s not in the bank, check the blockchain. When traditional sources don’t show the proceeds, there’s a rising likelihood those funds were converted to crypto.
Conclusion
Crypto assets holding criminal proceeds are increasingly prevalent, and crypto is only becoming more accessible to the average criminal. The gap between criminals and investigators in the cryptocurrency space is broad and only getting worse, but it can be reversed if law enforcement makes training a priority. The tools exist. The methods are proven. The missing piece is giving everyday investigators the confidence to treat crypto cases as an extension of their existing skills.
When we demystify cryptocurrency and treat it as another financial trail, we empower officers to hold offenders accountable, recover stolen funds and protect victims.
About the author
Jason Tucker, CPA, CFF, CCE, PI, is a forensic accountant and the founder of ESTOC Advisors, a forensic intelligence and investigations consulting firm specializing in financial crimes, intelligence gathering, cryptocurrency tracing and risk management. He also provides crypto forensics, training and expert support services to local, state and federal law enforcement agencies.