When Bitcoin Disappears into a Mixer, Is the Trail Really Lost?
This investigation was conducted by the Token Recovery team, with the blockchain analysis and demixing methodology developed collaboratively by Guglielmo Anfossi and Benjamin Brooks.
One of the most common assumptions in cryptocurrency investigations is that once stolen Bitcoin enters a mixer, the case is effectively over.
Many forensic reports reach the same conclusion:
“The assets entered a mixing service. Further tracing is not possible.”
We reached that same point in this case. However, we didn’t stop there.
Instead of asking how to follow individual coins, we asked a different question entirely. That shift in perspective allowed us to identify the wallet cluster responsible for moving thousands of stolen bitcoin through a cryptocurrency mixer.
Understanding Bitcoin Mixers
Bitcoin mixers exist for one purpose: to make blockchain tracing far more difficult. Rather than sending cryptocurrency directly from one wallet to another, a mixer combines deposits from many users into a shared pool, then redistributes bitcoin through numerous withdrawals. As a result, deposits and withdrawals are deliberately disconnected. On-chain, there is no obvious transaction linking a specific deposit to a specific withdrawal. For blockchain investigators, this is one of the toughest environments in cryptocurrency forensics.
The Investigation
The stolen bitcoin came from a virtual asset service provider and sat untouched for several years before suddenly moving again. Rather than heading to another exchange or wallet, the funds were sent into a Bitcoin mixer. At that point, conventional transaction tracing effectively ended.
Thousands of withdrawals left the mixer during the relevant period, and each one looked almost identical. None carried identifiable labels, direct links, or an obvious path back to the attacker. This is where many investigations stop. Ours did not.
A Different Way of Looking at the Problem
Rather than trying to identify which withdrawal belonged to the attacker, we focused on something the mixer could not disguise: mathematics. A cryptocurrency mixer can obscure transaction relationships, but it cannot violate accounting principles. At any point in time, the total balance held by the mixer can only consist of two components:
- funds deposited by the threat actor
- funds deposited by every other user
Those two balances must always add up to the mixer’s total holdings, and neither can ever fall below zero. That simple constraint became the foundation of our investigation.
Reconstructing the Mixer’s Balance
Using blockchain forensic analysis, we reconstructed the mixer’s activity across the relevant period. Every transaction fell into one of three groups: deposits attributed to the threat actor, deposits attributed to unrelated users, and withdrawals whose ownership the mixer had intentionally obscured.
From there, we tested the data under two mathematical extremes.
Testing the first extreme
First, we assumed every unknown withdrawal belonged to the threat actor. This pushed the threat actor’s theoretical balance to its lowest possible value, and eventually that balance reached zero. At that moment, any additional withdrawal could no longer belong to the attacker — it had to belong to someone else.
Testing the second extreme
Next, we reversed the assumption and treated every unknown withdrawal as belonging to other users. Eventually, the balance for everyone else also reached zero. From that point onward, any remaining withdrawals were mathematically forced to belong to the threat actor.
This wasn’t a probability model, and it wasn’t statistical inference. It was a constraint imposed by simple arithmetic: the mixer could hide ownership, but it could not create or destroy balances.
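The two-extreme reconstruction described above, written out as an added example; this is not code from the Token Recovery investigation or from Caudena's tooling. It assumes a time-ordered ledger already labelled into the three groups the article names, uses a constructed ledger with made-up transaction labels, and goes one step beyond the narrative by also reporting, per withdrawal, the portion that other users could not possibly have funded.

```python
from dataclasses import dataclass
ACTOR, OTHER, WITHDRAW = "actor_deposit", "other_deposit", "withdrawal"

@dataclass(frozen=True)
class Tx:
    txid: str      # constructed label, not a real Bitcoin txid
    kind: str      # ACTOR, OTHER or WITHDRAW
    amount: float  # BTC

def actor_outflow_bounds(txs):
    """Per withdrawal: (txid, lo, hi, forced). lo/hi bound the actor's
    cumulative outflow so far (hi: extreme 1, every withdrawal is the actor's
    until their balance hits zero; lo: extreme 2, the same for other users).
    forced is the part of this single withdrawal other users could not fund."""
    dep_actor = dep_other = withdrawn = cum_actor_max = cum_other_max = 0.0
    rows = []
    for tx in txs:
        if tx.kind == ACTOR:
            dep_actor += tx.amount
        elif tx.kind == OTHER:
            dep_other += tx.amount
        elif tx.kind == WITHDRAW:
            withdrawn += tx.amount
            if withdrawn > dep_actor + dep_other + 1e-9:   # balances cannot go negative
                raise ValueError(f"{tx.txid}: mixer paid out more than it held")
            # Others must already have withdrawn at least W_before - cum_actor_max,
            # so this is the most they could hold right before this withdrawal.
            other_max = dep_other - (withdrawn - tx.amount - cum_actor_max)
            forced = max(0.0, tx.amount - other_max)
            cum_actor_max = min(dep_actor, cum_actor_max + tx.amount)  # extreme 1
            cum_other_max = min(dep_other, cum_other_max + tx.amount)  # extreme 2
            rows.append((tx.txid, withdrawn - cum_other_max, cum_actor_max, forced))
    return rows

def attribution_window(rows):
    """Txids during which the lower bound on the actor's outflow rises."""
    window, prev_lo = [], 0.0
    for txid, lo, _hi, _forced in rows:
        if lo > prev_lo + 1e-9:
            window.append(txid)
        prev_lo = lo
    return window

# Constructed ledger: other users hold ~20 BTC, the actor drops 100 BTC into the same small pool.
LEDGER = [
    Tx("d1", OTHER, 12), Tx("d2", OTHER, 8), Tx("a1", ACTOR, 100),
    Tx("w1", WITHDRAW, 8), Tx("w2", WITHDRAW, 8), Tx("w3", WITHDRAW, 50),
    Tx("d3", OTHER, 4), Tx("w4", WITHDRAW, 20), Tx("w5", WITHDRAW, 10),
]
```

Running `actor_outflow_bounds(LEDGER)` shows the distinction the narrative glosses over: w4 is not individually forced (other users could have funded all 20 BTC had they withdrawn nothing earlier), yet the cumulative lower bound still rises through it, so the window handed to wallet clustering is w3 to w5.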
From Mathematics to Attribution
The mathematical analysis narrowed the investigation to a specific withdrawal window. However, identifying the exact wallet cluster still required blockchain intelligence. Using blockchain data together with Caudena’s wallet clustering capabilities, we analysed withdrawal activity during that period. Rather than examining transactions individually, we grouped withdrawals into wallet clusters and compared them against the largest depositors into the mixer.
One cluster immediately stood apart: its transaction volume exceeded every other participant by a wide margin. We then systematically ruled out the remaining high-volume depositors, including the second-largest participant, based on their deposit and withdrawal behaviour. Only one wallet cluster remained consistent with both the mathematical reconstruction and the observed blockchain activity — and it belonged to the threat actor.
Why This Investigation Worked
The irony of this case is that the attacker’s greatest strength became their greatest weakness. They tried to hide a very large quantity of stolen bitcoin inside a relatively small cryptocurrency mixer, and the volume they introduced into the pool became impossible to conceal mathematically. Had the attacker spread the assets across larger mixing services, or over a much longer period, the analysis would have been far more difficult. Instead, their own transaction volume created constraints that let us reconstruct exactly what the mixer was designed to hide.
Blockchain Forensics Goes Beyond Transaction Tracing
This case highlights an important principle in cryptocurrency investigations: successful blockchain forensics is rarely about following one transaction after another. It combines blockchain analytics, mathematical reasoning, wallet clustering, behavioural analysis, and investigative methodology. Even where direct transaction attribution becomes impossible, other forensic techniques can sometimes narrow the possibilities until only one explanation remains — and that is exactly what happened here.
We didn’t identify the attacker because the blockchain explicitly revealed them — we identified them because the mathematics of the mixer left no other plausible outcome.
Final Thoughts
Cryptocurrency mixers are among the most challenging obstacles in blockchain investigations. They’re specifically designed to obscure the movement of digital assets and frustrate investigators. Yet this case shows that “untraceable” doesn’t always mean “uninvestigable.” By combining blockchain intelligence with innovative forensic methodologies, investigators can sometimes recover meaningful attribution even when conventional transaction tracing hits its limits.
As cryptocurrency investigations continue to evolve, so too must the techniques used to analyse them. Sometimes the blockchain tells the story. Sometimes the numbers do.
Author
Guglielmo Anfossi
Guglielmo operates on high-complexity blockchain investigations, focusing on escalation cases that require deep protocol-level analysis and structural interpretation of on-chain activity beyond standard tooling. His work centres on adversarial behaviour mapping and the analysis of obfuscation strategies within DeFi ecosystems, including non-linear fund flows and malicious smart contract design.