Review and sign transactions from a single secure screen with Ledger Flex™

Discover now

Up your Web3 game

Ledger Academy Quests

  • Test your knowledge
  • Earn POK NFTs
Play now See all quests

The Classroom

PATHWAY I) Blockchain Sleuthing: Become a Crypto Detective

chapter 4/5

Best Tools For Blockchain Detectives

Read 8 min
Beginner
BOOK WITH PAGES

Ready to learn more about blockchain sleuthing? Learn from the best; as Feld from Boring Security dives into the tools a crypto detective might need to catch on-chain criminals.

Although only an amateur aspiring sleuth myself, one thing I’ve learned by talking to other Sleuths in this space is that there is no shortage of tools being employed to uncover information quickly for certain circumstances. The ability to leverage tools together is vital for investigations into all the different types of scams, hacks, or other interesting on-, and off-, chain events that may occur. Let’s take a look at a few of the most popular tools in use today, with special emphasis on free ones, and how you can use some of them yourself as a part of your own DYOR process and investigations.

Which Tools Do Crypto Detectives Use?

Tools generally fall into a few broad categories. Firstly, you’ll need a block explorer such as Etherscan (although some Sleuthers prefer others, or have to use others when scammers bridge to other blockchains). Some tools allow you to analyze affiliations and track movements visually. Then some tools add data enrichment to addresses and protocols, adding metadata such as names, suspicious activity levels, or simply descriptive context to a dataset.

Block Explorers

The first place most of us go to start poking around at any given story is the on-chain data. Even seasoned Sleuthers start by going to the block explorer for a specific chain. Each blockchain has its version of a block explorer that communities tend to rally around. Below is a list of some of the major EVM chains’ block explorers.

Blockchain Block Explorer
Ethereumhttps://etherscan.io/
Binance SChttps://bscscan.com/
Polygonhttps://polygonscan.com/
Avalanchehttps://snowtrace.io/
Optimismhttps://optimistic.etherscan.io/
Arbitrumhttps://arbiscan.io/
Fantomhttps://ftmscan.com/

Of course, there are Bitcoin, Solana, Cardano, and other blockchain explorers as well, so the complete list can get quite comprehensive. Oftentimes though, bad actors move funds across blockchains using bridges, so it can make these tools a bit limited as they can only track funds on their own chain!

Transaction Visualizers

It is hard to assign a categorical name for these tools, as they all focus on different features. Metasleuth, Misttrack, Breadcrumbs, and Arkham, are all relatively popular tools used to visualize blockchain data. At a high level though, each helps uncover a few things at a glance about an address:

  • What protocols and addresses they most frequently interact with
  • How many of and which tokens are passing through the address being investigated
  • Risk scores, which can be helpful for those with compliance needs


Figure 1-1: An example of Breadcrumbs’ initial search results when looking up address mrbayc.eth.

Clicking on one of these addresses drills down into that address’ interactions with it, like so:

Figure 1-2: An example of Breadcrumbs’ expanded view of activity between a protocol and address.

These tools also allow you to trace funds on a time-based scale. You can investigate addresses to discover: 

  • transactions of interest
  • how they connect to other addresses
  • what kind of transactions they are engaging in
  • when they are doing it

Oftentimes when you see screenshots of these programs on Twitter, you’ll see long chains of addresses, in various colors like this:

Figure 1-3: A Metasleuth visual of one of Quit’s addresses showing transactions to and from crypto exchanges.

Tools like these allow you to uncover correlations and patterns at a glance, whilst giving you new clues to search through. Once you find out more information about individual addresses, you can add labels and notes to them to continue to build out your investigation. Using these tools well is unfortunately out of the scope of this article. The features vary slightly between each one, and many of the Sleuthers we talked to in our interviews prefer different tools from each other and still yield amazing results!

Data Enrichment

Data Enrichment is the name of the game for almost all sleuthing tools to some extent. Enrichment adds context, making the data more consumable, easier to organize, and easier to visualize. Arguably every tool mentioned so far is a “data enrichment tool”. 

However, some focus on adding context within existing apps, making existing tools even better. Similar to extensions that show more about an NFT’s rarity or stats, these tools add context to websites or data types in the same way.

Metadock

Metadock is a worthy mention in this category, particularly when it comes to enriching data on the block explorers. It’s a browser extension that adds context to sites like Etherscan, Opensea, and a growing list of websites to add a little bit more context to each one. Let’s take a look at Metadock in action:

Figure 1-4: An example view of the Boring Security Deployer address transaction history page with Metadock installed.

Notice above how it added contract names that make it a little more friendly to read, compared to pure Etherscan below, where only the approved Etherscan names are present:

Figure 1-5: An example of the Boring Security Deployer address transaction history page without Metadock.

Another cool feature of Metadock is that it lets learn more about the address you are investigating by making it easy to engage with other tools with just a simple click:

Figure 1-6: Etherscan address header with Metadock installed linking to other tools.

Some of these additional tools are helpful for Sleuthing, but others can just be helpful to get context about that particular address, such as the real dollar value contained within, accounting for NFTs and DeFi positions, as well as what approvals it might have open. 

Understanding approvals as an NFT user is vital to staying secure in the space. Check out the Boring Security Approvals article if you are unfamiliar with contract approvals.

Debank (Portfolio Viewers)

Whereas Metadock adds reputational and readability context, Debank offers financial and value context. Debank, as well as similar services Zapper and Zerion show someone’s portfolio balance. 

Some people don’t realize that they can be extremely helpful while Sleuthing, or just tracking funds as well. 

They are often used in scenarios where someone has bridged funds from one blockchain to another, perhaps multiple times. Using these portfolio visualization and management tools, Sleuthers don’t have five different block explorers as they trace an address’s bridging activity.  They can simply view the address in DeBank. 

Look at how simple a bridge transaction is when displayed in Debank below:

Figure 1-7: A view of a user bridging funds from Arbitrum to Optimism using the SynapseProtocol Bridge as shown by DeBank.

Not only did it include cross-chain context all in one place, but also it included financial (dollar value) context as well. An incredible tool to add to the toolbox when trying to better understand a transaction chain!

Social Media

Social Media and information that can connect addresses to users’ real-life identities is hugely important. Knowing the real identities of addresses that have interacted on-chain with bad actors can go a long way in tracking down the real identity of the bad actor(s).

For example, let’s imagine searching for an address that stole funds. Using Etherscan, it shows that the address did some transactions on NFTTrader with an address that has an ENS name. Upon further investigation, that ENS name appears to be connected to an Opensea profile that has an associated Twitter account. Using Twitter/X and Discord search could reveal information about addresses that transacted with the thieving address in question. In this example, you may be able to search a community Discord for any of the assets contained in the trade and Discord a Discord username for the initial scammer’s address.

Nefarious users often double back to cover their tracks by deleting tweets, but the WayBack Machine can recover that deleted information. These recovered tweets can give additional clues to the thief’s identity! The above example might be slightly confusing, so let’s take a look at the below graphic:

Figure 1-8: A figure showing a scammer’s address interacting with a known address through NFTTrader, which is then leveraged to find out more information about the scammer.

Final Thoughts on a Crypto Detective’s Toolbox

Even if you don’t have a huge interest in trying to track down bad guys, understanding these tools might give you deeper insights into how the blockchain works. Knowing how it can be explored might add some new perspectives and methods for you to employ when you DYOR (Do Your Own Research). These tools enable building a timeline of events, adding context to those events, and uncovering connections to identities on other platforms. You gain more information than you ever would have gotten by simply clicking endlessly on Etherscan, and more quickly too.

This article merely introduces the tools that some Sleuthers use to catch bad guys. We couldn’t possibly go into every nuance on how to use them, but if you’re reading this from the Ledger Classroom, the next article in the series covers more of HOW these Professional Sleuthers catch bad actors.

Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join Boring Security in its official Discord server and  check out some more of the Boring Security classes you can take!


Stay in touch

Announcements can be found in our blog. Press contact:
[email protected]

Subscribe to our
newsletter

New coins supported, blog updates and exclusive offers directly in your inbox


Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time using the link included in the newsletter.

Learn more about how we manage your data and your rights.