How to Investigate Any Crypto Wallet
Crypto-wallet investigation is the financial-crime side of OSINT — useful for journalists tracking ransomware payouts, fraud teams investigating chargebacks, and individuals trying to recover stolen funds. The blockchain is fully public, but tooling matters: raw blockchain explorers show transactions, while clustering tools reveal which addresses likely belong to the same entity.
Step-by-step
1. Identify the chain and address format
Bitcoin addresses start with 1, 3, or bc1. Ethereum addresses start with 0x and are 42 characters long. Tron addresses start with T. Solana addresses are 32-44 base58 characters. Wrong-chain analysis is the #1 mistake.
Tools: Visual inspection, Skopio Wallet
2. Pull transaction history from the canonical explorer
Bitcoin → blockchain.com or mempool.space. Ethereum → etherscan.io. Tron → tronscan.org. Solana → solscan.io. Read the entire history, especially the first incoming transaction (it often reveals the funding source).
Tools: Etherscan, Blockchain.com Explorer
3. Run the address through cluster analysis
Multiple addresses controlled by the same entity often co-spend in the same transaction. Tools like OXT (Bitcoin) or Arkham Intelligence cluster addresses likely owned by the same operator. Skopio aggregates clustering APIs.
Tools: OXT, Arkham, Skopio Wallet
4. Check sanctions screening
OFAC, EU, and UK sanctions lists include specific blockchain addresses tied to North Korean hackers, Russian oligarchs, and sanctioned exchanges. Chainalysis has a free public API for this. Skopio integrates sanctions checks automatically.
Tools: Chainalysis Sanctions API, Skopio Wallet
5. Map flows in/out of exchanges
Exchange deposit addresses are well known (clustered by analysts). If your target wallet sent funds to a Binance/Coinbase deposit address, that's where you'd file a subpoena to identify the owner. Skopio surfaces known exchange deposit addresses.
Tools: Arkham Intelligence, Skopio Wallet
- Address clustering is probabilistic, not certain. A 90%-confidence cluster is still 10% wrong — don't act on cluster info alone.
- Sanctioned-address lists update frequently. A wallet clean today may be sanctioned tomorrow. Re-screen periodically for ongoing relationships.
- Subpoenaing exchanges to de-anonymize wallets is a legal process — investigators need standing and a valid investigation. Skopio surfaces leads, not evidence.
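The format check from step 1, as an added example (not code from the original page or from any tool it names): a Python classifier that applies the prefixes and lengths listed there and also verifies the Base58Check checksum that legacy Bitcoin and Tron addresses carry, so a mistyped address is rejected before any explorer lookup. The helper names are hypothetical, the sample addresses are constructed from dummy key hashes, and bech32 and EVM checksums are not verified.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Base58 text -> bytes; raises ValueError on a non-base58 character."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw):
    """Bytes -> base58 text (used here only to build the sample addresses)."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def checksum(payload):  # Base58Check: first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def classify(addr):
    """Guess the chain from the address format; verify the checksum where one exists."""
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        return "ethereum"  # 42 chars total; other EVM chains share this format
    if addr.lower().startswith("bc1"):
        return "bitcoin"  # bech32; its checksum is not verified in this sketch
    try:
        raw = b58decode(addr)
    except ValueError:
        return "unknown"
    if len(raw) == 25:  # version byte + 20-byte hash + 4-byte checksum
        if checksum(raw[:-4]) != raw[-4:]:
            return "invalid-checksum"  # mistyped or truncated address
        return {0x00: "bitcoin", 0x05: "bitcoin", 0x41: "tron"}.get(raw[0], "unknown")
    if len(raw) == 32:  # raw 32-byte public key, no checksum to verify
        return "solana"
    return "unknown"

def sample(version):  # constructed address from a dummy key hash, not a real wallet
    payload = bytes([version]) + b"\x11" * 20
    return b58encode(payload + checksum(payload))

if __name__ == "__main__":
    for a in (sample(0x00), sample(0x05), sample(0x41), "1" * 32, "0x" + "ab" * 20):
        print(classify(a), a)
```

The `"1" * 32` input is Solana's System Program address: it starts with 1 like a legacy Bitcoin address, which is why the classifier decides on decoded length and checksum rather than on the first character alone.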
Frequently asked
Is the blockchain really fully public?
Yes for Bitcoin, Ethereum, and most major chains. Privacy coins (Monero, Zcash with shielded txs) are exceptions. For mainstream chains, every transaction is permanently visible.
Can I de-anonymize a wallet without a subpoena?
Sometimes — if the wallet ever interacted with a regulated exchange that did KYC, you'd need a subpoena to that exchange. But sometimes wallets are linked to social handles publicly (NFT projects, ENS names).
What's address clustering?
Algorithmic grouping of addresses likely controlled by the same entity, based on transaction patterns. See our glossary entry on this for detail.
Are sanctions checks free?
Chainalysis offers a free public sanctions API. Skopio integrates it. Commercial-tier sanctions screening (with all global lists) is paid.
Can Skopio investigate a wallet end-to-end?
Yes — the wallet category combines transaction history + clustering + sanctions check + exchange-flow tracing in one query.