How Ethereum differs from Bitcoin
Bitcoin uses a UTXO (Unspent Transaction Output) model — funds exist as discrete chunks that are consumed and created with each transaction. Ethereum uses an account model — each address has a balance that increases or decreases with each transaction, similar to a conventional bank account.
This distinction matters for tracing. Bitcoin tracing focuses on following specific UTXOs through the transaction graph. Ethereum tracing focuses on account balances and the flow of value between addresses through both direct ETH transfers and smart contract interactions.
ERC-20 token transactions
The majority of transaction volume on Ethereum is not in ETH itself but in ERC-20 tokens — tokens built on top of the Ethereum blockchain using a standard contract interface. This includes major stablecoins (USDT, USDC, DAI), wrapped assets (WBTC), and thousands of other assets.
ERC-20 token transfers are recorded differently from ETH transfers on the blockchain. They appear as interactions with the token's smart contract rather than direct value transfers. This means that tracing USDT movements, for example, requires querying the Tether contract's event logs rather than simply looking at ETH transaction values.
This is an important limitation of basic blockchain explorers and simple tracing tools — they may show ETH movements clearly while missing significant USDT or USDC flows that are critical to the investigation.
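The decoding step described above, as an added example that is not from the original page: it reads ERC-20 Transfer events from logs shaped like an `eth_getLogs` response and filters on the emitting contract, since any contract can emit an event with the same signature. The contract and wallet addresses, transaction hashes, amounts and the 6-decimal setting are constructed sample values.

```python
# Added example (not from the original page); all sample values are constructed.

# keccak256("Transfer(address,address,uint256)"), the ERC-20 Transfer event signature
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic[2:]
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError("topic is not a padded address")
    return "0x" + raw[24:].lower()

def decode_transfers(logs, token_contract, decimals):
    """Return transfers emitted by token_contract; ignore every other log."""
    transfers = []
    for log in logs:
        topics = log["topics"]
        # Any contract can emit this event, so match the emitting contract too.
        if log["address"].lower() != token_contract.lower():
            continue
        # ERC-20 Transfer has 3 topics (ERC-721 reuses the signature with 4).
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        raw = int(log["data"], 16)  # unindexed uint256 amount in base units
        whole, frac = divmod(raw, 10 ** decimals)
        transfers.append({
            "tx": log["transactionHash"],
            "from": topic_to_address(topics[1]),
            "to": topic_to_address(topics[2]),
            "raw": raw,
            "amount": f"{whole}.{frac:0{decimals}d}",
        })
    return transfers

def _pad(addr):  # builds a 32-byte topic from a constructed sample address
    return "0x" + "0" * 24 + addr[2:]

TOKEN, LOOKALIKE = "0x" + "aa" * 20, "0x" + "bb" * 20  # constructed contracts
A, B = "0x" + "11" * 20, "0x" + "22" * 20              # constructed wallets
SAMPLE_LOGS = [
    {"address": TOKEN, "transactionHash": "0x" + "01" * 32,
     "topics": [TRANSFER_TOPIC, _pad(A), _pad(B)],
     "data": "0x" + format(2_500_000_000, "064x")},
    {"address": LOOKALIKE, "transactionHash": "0x" + "02" * 32,
     "topics": [TRANSFER_TOPIC, _pad(A), _pad(B)],
     "data": "0x" + format(9_000_000_000, "064x")},
]

if __name__ == "__main__":
    print(decode_transfers(SAMPLE_LOGS, TOKEN, decimals=6))
```

The second sample log carries the same event signature but comes from a different contract, so it is dropped rather than counted as a transfer of the token under investigation.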
Stablecoins in fraud investigations
Stablecoins — particularly USDT (Tether) and USDC (Circle) — have become the preferred currency for many fraud operations. Their stability makes them practical for large-scale laundering, and their prevalence across multiple blockchains (Ethereum, Tron, Solana, BSC) provides additional chain-hopping opportunities.
USDT and USDC have a significant investigative feature that native cryptocurrencies lack: blacklisting. Tether and Circle each maintain a list of addresses that are blocked from transacting their tokens. An address on the Tether or Circle blacklist is a very strong indicator of prior enforcement action, fraud involvement, or sanctions compliance, because the issuers typically only blacklist addresses in response to law enforcement requests or sanctions.
DeFi protocol interactions
The Ethereum ecosystem hosts hundreds of DeFi protocols — decentralised exchanges, lending platforms, yield farms, and bridges. Funds flowing through fraud or money laundering operations frequently interact with DeFi protocols, particularly for:
- Currency swaps — converting ETH to stablecoins or vice versa using Uniswap, Curve, or similar DEXs
- Mixing via DeFi — using liquidity pools in ways that create attribution ambiguity
- Cross-chain bridging — moving assets to other blockchains using bridge protocols
Each DeFi interaction leaves a traceable record on-chain. A skilled investigator can follow funds through complex DeFi interactions, though this requires significantly more analytical effort than simple ETH transfers.
Tornado Cash and OFAC-sanctioned mixers
Tornado Cash was the dominant Ethereum mixing protocol until its OFAC designation in August 2022. It allowed users to deposit ETH or ERC-20 tokens and withdraw equivalent amounts from a new address, with the cryptographic link between deposit and withdrawal concealed using zero-knowledge proofs.
Contact with Tornado Cash — either as a depositor or a recipient — is a significant investigative finding. It demonstrates either an attempt to conceal fund origins or (in the case of innocent recipients) potentially receiving funds that originated from criminal activity. Post-OFAC designation, any interaction with Tornado Cash also creates direct sanctions exposure.
Using Etherscan for investigation
Etherscan (etherscan.io) is the primary blockchain explorer for Ethereum and provides several investigative tools:
- Transaction history — all ETH and ERC-20 transactions for an address
- Token transfers — ERC-20 movements separate from ETH transactions, crucial for stablecoin tracing
- Internal transactions — value movements triggered by smart contract calls
- Contract interactions — all DeFi protocol interactions for an address
Professional investigation uses Etherscan in conjunction with the Etherscan API to automate data collection across multiple addresses and hops, significantly accelerating the investigation process.