Mastering MetaSleuth: Your Practical Guide to Tracking Cryptocurrency on the Blockchain
Ervin Zubic
0xf457
May 14th, 2024

Take your blockchain investigations to the next level! This hands-on guide will teach you how to use MetaSleuth to track crypto transactions, follow stolen funds, and expose money laundering schemes.

This article is also published on my Medium page.

In our initial article titled “Conduct Effective OSINT Investigations for Money Laundering & Sanctions,” we explored the foundations of creating a detailed profile of an individual of interest using tools like OpenSanctions and OpenCorporates.

Building on that foundation, our subsequent article, “Unmasking Crypto Money Laundering with OSINT & Blockchain Forensics,” delved into prevalent techniques of cryptocurrency laundering. We examined the essential tools for such investigations, how to set up investigative graphs, and the integration of cryptocurrency tracking graphs into broader investigative frameworks.

Following the response to that article, many of you expressed a desire for a deeper dive into tracking asset movements on the blockchain. In response, this article will focus exclusively on the practical aspects of monitoring cryptocurrency transactions on the blockchain, offering hands-on guidance to enhance your investigative skillset.

Navigating the MetaSleuth Dashboard

When you first visit the MetaSleuth homepage, you’ll find yourself welcomed by a sleek and uncluttered interface featuring just a search bar. Here, you can easily input a wallet address, transaction hash, or ENS name. While it’s possible to use MetaSleuth without logging in, this access is quite restricted and may quickly prove frustrating. To avoid any interruptions a few steps into your investigation, I strongly recommend setting up your login immediately. This proactive step ensures you won’t find yourself forced to pause and log in just when things are getting interesting.

Figure 1. The image shows the MetaSleuth website’s homepage titled “Crypto Tracking and Investigation Platform,” a search bar for entering addresses, and a sign-up button on the top right.
Figure 1. The image shows the MetaSleuth website’s homepage titled “Crypto Tracking and Investigation Platform,” a search bar for entering addresses, and a sign-up button on the top right.

Targeting Your Crypto Addresses

We’ll kick off our exploration by entering the addresses that capture our interest. For this demonstration, I’ve chosen to use an Ethereum-based address. It’s important to highlight that MetaSleuth’s versatility extends to a robust support for 13 different blockchains: Bitcoin, Ethereum, Binance Smart Chain, TRON, Solana, Polygon, Fantom, Arbitrum, Cronos, Moonbeam, Avalanche, Optimism, Base, Linea.

This extensive compatibility is crucial, particularly considering our previous discussions on how ‘chain-hopping’ is a prevalent technique in modern crypto laundering.

Before I proceed with hitting “enter,” I’ve already added the address into the search bar, but I’ll need to set some parameters first. This is a matter of personal preference, yet experience has taught me that the number of transactions associated with your targeted address can quickly make the graph unwieldy. Knowing that this address fell victim to a phishing attack, I’ll narrow the search to the days surrounding the attack. Additionally, to streamline the analysis and make it easier to follow, I’ll specifically filter for outgoing transactions, as our primary interest lies in tracking where the stolen money is headed.

Figure 2. The image displays the advanced search panel on MetaSleuth’s website, where a user can select Ethereum as the blockchain, input a specific address, and choose filters for transaction direction (IN or OUT), token type, and a specific date range before clicking “Analyze.”
Figure 2. The image displays the advanced search panel on MetaSleuth’s website, where a user can select Ethereum as the blockchain, input a specific address, and choose filters for transaction direction (IN or OUT), token type, and a specific date range before clicking “Analyze.”

Visualizing the Flow of Funds

Once you apply your settings, MetaSleuth will create a detailed fund flow graph that visually depicts the movement of funds between addresses and transactions. As you can observe, even with our filters in place, the graph remains quite busy (I’ve intentionally cut off a portion to concentrate on the essential details). To further clarify the visualization for myself, I immediately implement additional modifications. I color-coded the victim’s address in green and highlighted the tokens I’m specifically interested in tracking — USDC and DATA in this instance. Additionally, I filter out any transactions that aren’t immediately relevant, streamlining the graph to focus solely on our primary areas of concern.

Figure 3. The image displays two versions of a fund flow graph on MetaSleuth; the top graph is cluttered with multiple transactions before filters, and the bottom graph is streamlined with color coding and filters applied, focusing only on USDC and DATA tokens to enhance clarity and focus.
Figure 3. The image displays two versions of a fund flow graph on MetaSleuth; the top graph is cluttered with multiple transactions before filters, and the bottom graph is streamlined with color coding and filters applied, focusing only on USDC and DATA tokens to enhance clarity and focus.

Diving Deeper into Transaction Details

Having applied some basic graph hygiene, we can clearly see that the fake phishing address transferred the stolen funds to AirSwap. To delve deeper into this particular transaction, click on the ‘asset transfer edge’ on the canvas, then select ‘details’ from the edge list to access a list of transactions. Locate and copy the transaction hash for this specific transfer.

Figure 4. The image captures a segment of a fund flow graph in MetaSleuth, where a user has clicked on an edge connecting a phishing address to AirSwap, revealing a detailed transaction list below the graph that includes transaction hashes and amounts, with an option to view more details or copy specific transaction hashes.
Figure 4. The image captures a segment of a fund flow graph in MetaSleuth, where a user has clicked on an edge connecting a phishing address to AirSwap, revealing a detailed transaction list below the graph that includes transaction hashes and amounts, with an option to view more details or copy specific transaction hashes.

By incorporating this transaction into the ‘Add Address’ feature, we facilitate a comprehensive examination of the asset transfers involved, thereby deepening our understanding of the transaction’s details.

Figure 5. The image illustrates the user interface of MetaSleuth with an ‘Add Address/Tx’ button highlighted, where a user is inputting an Ethereum transaction hash into a dialog box to add it to an ongoing analysis of fund flows, visually connecting this transaction to others in the graph.
Figure 5. The image illustrates the user interface of MetaSleuth with an ‘Add Address/Tx’ button highlighted, where a user is inputting an Ethereum transaction hash into a dialog box to add it to an ongoing analysis of fund flows, visually connecting this transaction to others in the graph.

With these insights, we now possess a full overview of the token swapping process. The phishing address exchanged USDC and DATA tokens through AirSwap and successfully acquired 14.58 ETH, shedding light on the dynamics of the fraudulent activities.

Figure 6. The image highlights a section of a transaction graph where the Fake_Phishing11227 address successfully exchanged USDC and DATA tokens for 14.58 Ether from AirSwap, as indicated by the transaction detail in the graph.
Figure 6. The image highlights a section of a transaction graph where the Fake_Phishing11227 address successfully exchanged USDC and DATA tokens for 14.58 Ether from AirSwap, as indicated by the transaction detail in the graph.

Following the Trail of Suspicious Activity

To further trace the movement of the funds, simply replicate the steps we’ve already taken. Start by setting the date range that interests you and then add the relevant addresses or transaction hashes using MetaSleuth’s ‘Add Address’ feature. This approach enables you to monitor subsequent transactions linked to those addresses. By persistently applying this method, you’ll be able to track the flow of funds across multiple nodes and unravel the relationships between the various entities involved in the chain.

Monitoring and Alerts

Finally, remember that you can set up alerts to actively monitor funds that haven’t been transferred yet. By enabling monitoring, you’ll receive email notifications for any relevant asset transfers. To do this, click on the node or address you want to keep an eye on, select the specific tokens you’re interested in, and then click ‘Start’ to begin monitoring. This feature ensures you’re promptly informed of all pertinent transactions.

Figure 7. The image shows the MetaSleuth interface where a user is configuring alert settings for a specific address labeled as ‘Fake_Phishing11227,’ selecting transaction criteria such as token type and amount, with an option to receive email notifications.
Figure 7. The image shows the MetaSleuth interface where a user is configuring alert settings for a specific address labeled as ‘Fake_Phishing11227,’ selecting transaction criteria such as token type and amount, with an option to receive email notifications.

Final Thoughts

I hope this article serves as a helpful starting point for using MetaSleuth. This tool is just one of the many invaluable resources available to investigators delving into the complex realm of blockchain transactions. As the world of cryptocurrency develops, so too will the tools we use to monitor it. If you’ve experimented with other tools, feel free to share your experiences in the comments below. Your insights could benefit the entire community, offering us all a chance to explore additional resources.

Thank you for reading, and catch you next time.

Explore Next

Discover how blockchain is transforming industries on the Blockchain Insights Hub. Follow me on Twitter for real-time updates on the intersection of blockchain and cybersecurity. Subscribe now to get my exclusive report on the top blockchain security threats of 2024. Dive deeper into my blockchain insights on Medium.

Subscribe to Ervin Zubic
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
Verification
This entry has been permanently stored onchain and signed by its creator.
Arweave Transaction
X3nL4xglgLq4h9d…Na1Mt6x7WMemMus
Author Address
0xf457Ef3C52900d1…64E552bEA52F9da
Content Digest
B7CayronajbgFdF…h2HeC1WPVdgeDq8