What is blockchain forensics and how does it actually work?

asked 22d ago · 6,893 views · 1 answer
0

I keep hearing about blockchain forensics during my recovery process. What does it actually involve?

#forensics #basics #tracing
asked by RachelB

1 Answer

0
Verified expert answer

Blockchain forensics is the discipline of attributing on-chain activity to real-world entities. Every Bitcoin and Ethereum transaction is public, but addresses are pseudonymous. Forensics joins three layers:

  1. Heuristics — common-input ownership, change-address detection, peel chains, and timing clustering group addresses into entity wallets.
  2. Attribution — labeled datasets connect those clusters to exchanges, mixers, ransomware operators, sanctioned entities, darknet markets, and known scam campaigns.
  3. KYT (Know Your Transaction) graphs — risk scoring of every counterparty an address has touched.

For recovery cases, the practical output is a report showing: where the funds left your control, every hop they took, which entities received them, and what enforcement avenues exist at the receiving end. Tools that practitioners use include Chainalysis Reactor, TRM Forensics, Elliptic Investigator, and specialist boutiques like Nethertrace that focus on victim-side investigations rather than compliance.
