When the IoTeX ioTube bridge was compromised on February 21, 2026, and $4.4 million in assets began moving through THORChain toward Bitcoin addresses, the incident provided a real-time masterclass in the challenges of tracing stolen cryptocurrency across complex cross-chain paths. With Bitcoin trading at approximately $68,000 and Ethereum near $1,970, the stolen assets represented significant value — and the attacker's laundering methodology demonstrated both the power and the limitations of modern on-chain forensics.
This tutorial walks through the advanced techniques used by blockchain analysts to track stolen assets across bridges, decentralized exchanges, and mixing services, using the IoTeX incident as a practical case study. Whether you are a security researcher, compliance professional, or advanced user seeking to understand how funds move after a hack, this guide provides the technical framework for following the money across chains.
The Objective
The goal of on-chain forensics in the aftermath of a hack is to establish the full path of stolen funds from the initial compromise to their current resting place. This involves identifying the attacker's wallet addresses, tracking every subsequent transaction, flagging interactions with bridges and mixers, and correlating on-chain activity with off-chain intelligence such as exchange Know Your Customer records and IP address data.
In the IoTeX case, the forensic objective was complicated by the attacker's use of multiple chains. The initial compromise occurred on the IoTeX chain, funds were bridged to Ethereum, moved through THORChain for cross-chain swapping, and were ultimately held on Bitcoin addresses. Each chain transition introduces a break in the transaction graph that requires separate analysis and correlation.
Prerequisites
This tutorial assumes familiarity with blockchain explorers such as Etherscan for Ethereum and mempool.space for Bitcoin. You will need access to a block explorer that supports the chains involved in the investigation — for cross-chain analysis, tools like Blockscout for EVM-compatible chains and specialized THORChain explorers are essential.
For programmatic analysis, you should have a working knowledge of Python and access to blockchain data APIs. Etherscan provides a free API tier suitable for individual transaction analysis, while services like Chainalysis and Elliptic offer commercial-grade tools for large-scale investigations. The open-source tool btcrecover can assist with address clustering analysis.
Understanding of basic DeFi mechanics is required, including how token approvals, liquidity pools, and bridge contracts function. Without this foundation, distinguishing between normal DeFi activity and laundering patterns becomes extremely difficult.
Step-by-Step Walkthrough
Step 1: Identify the attack entry point. The IoTeX investigation began when on-chain investigator Specter flagged the initial draining of approximately $4.3 million from the ioTube bridge contract. The first step is locating the transaction where funds left the compromised contract — in this case, the attacker used the stolen owner key to call administrative functions on the TokenSafe contract, transferring bridged assets including USDC, USDT, WBTC, WETH, and IOTX to attacker-controlled addresses.
On Etherscan, search for the compromised contract address and sort transactions by timestamp around the known attack window. Look for unusually large outgoing transfers, particularly those directed to newly created addresses with no prior transaction history. The attacker's address 0xe6a191a894dd3c85e3c89926e9f476f818ee55d9 was identified as the primary destination for minted CIOTX tokens.
Step 2: Map the fund movement chain. Once you have identified the attacker's receiving addresses, trace each outgoing transaction. In the IoTeX case, the attacker moved stolen assets through several intermediary wallets before reaching THORChain. Each hop should be documented with transaction hash, timestamp, value, and destination address. Pay particular attention to transactions interacting with known bridge or swap contracts, as these represent chain transitions.
Use the internal transaction analysis feature on Etherscan to capture transfers that occur within smart contract calls, not just top-level transactions. Many attackers use contract-level transfers that do not appear in standard transaction lists but are visible in the internal transactions tab.
Step 3: Track cross-chain transitions. When funds move through THORChain, the forensic trail splits across chains. THORChain operates as a cross-chain liquidity protocol — users deposit assets on one chain and receive equivalent value on another. To follow the trail, identify the THORChain inbound transaction on the source chain, then locate the corresponding outbound transaction on the destination chain using the THORChain transaction memo and the associated THORChain transaction ID.
In the IoTeX incident, Beosin Alert reported that the attacker moved through THORChain and was holding stolen assets on Bitcoin addresses. Tracing this required identifying the Bitcoin output addresses from THORChain swaps and then monitoring those addresses for subsequent movement. Four newly created Bitcoin wallets were found holding approximately 66.77 BTC worth $4.29 million, untouched as of February 23.
Step 4: Identify clustering patterns. Address clustering involves determining which addresses are controlled by the same entity based on transaction patterns. Common clustering heuristics include common input ownership — where multiple inputs to a single Bitcoin transaction likely belong to the same wallet — and change address identification. On Ethereum, address clustering is more straightforward since each externally owned account has a unique address, but smart contract interactions can still reveal operational patterns.
Look for addresses that interact with the same set of protocols in the same sequence, use similar gas price patterns, or are funded from the same source. These patterns can reveal the attacker's operational infrastructure even when individual addresses appear unrelated.
Step 5: Monitor and document. Once you have mapped the fund trail, set up monitoring alerts on all identified addresses using blockchain explorer notification features or API-based monitoring scripts. Document your findings systematically, including screenshots of key transactions, address relationships, and a timeline of events. This documentation is essential if the investigation leads to law enforcement involvement or legal proceedings.
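The five steps above, carried through as one script. This is an added example written for this tutorial, not code from the original article, from IoTeX, or from THORChain. The only real value in it is the attacker address named in Step 1; every other address, transaction hash, timestamp, amount and the router address are constructed placeholders, and the memo parser assumes the THORChain swap memo layout SWAP:CHAIN.ASSET:DESTADDR[:LIMIT...] with "=" as the shorthand for SWAP. The script walks outgoing transfers breadth-first from the seed address (Step 2), stops at a watch-list of bridge/swap contracts and recovers the destination-chain address from the memo (Step 3), ignores unrelated inbound traffic to intermediaries, and emits a hop-by-hop record of the kind Step 5 asks you to keep.

```python
# Added example (not the article's or the project's code): hop-by-hop trace over
# constructed transfer records, with bridge deposits flagged as chain transitions.
from collections import deque

ATTACKER_SEED = "0xe6a191a894dd3c85e3c89926e9f476f818ee55d9"  # address named in the article
THOR_ROUTER = "0xthor-router-placeholder"  # constructed stand-in, not the real router

# Assumed: a watch-list of bridge/swap contract addresses the analyst maintains.
KNOWN_BRIDGES = {THOR_ROUTER: "THORChain router (placeholder)"}

# Constructed transfer records in the shape an explorer API returns them.
TRANSFERS = [
    {"hash": "0xa1", "ts": 1771660000, "from": ATTACKER_SEED, "to": "0xhop1",
     "token": "USDC", "amount": 1_500_000.0, "memo": ""},
    {"hash": "0xa2", "ts": 1771660060, "from": ATTACKER_SEED, "to": "0xhop2",
     "token": "WETH", "amount": 600.0, "memo": ""},
    {"hash": "0xa3", "ts": 1771660500, "from": "0xhop1", "to": "0xhop3",
     "token": "USDC", "amount": 1_500_000.0, "memo": ""},
    {"hash": "0xa4", "ts": 1771661000, "from": "0xhop3", "to": THOR_ROUTER,
     "token": "USDC", "amount": 1_500_000.0, "memo": "=:BTC.BTC:bc1qdest000:0"},
    {"hash": "0xa5", "ts": 1771661200, "from": "0xhop2", "to": THOR_ROUTER,
     "token": "WETH", "amount": 600.0, "memo": "SWAP:BTC.BTC:bc1qdest001"},
    # Unrelated inbound traffic to an intermediary: must not join the trail.
    {"hash": "0xa6", "ts": 1771661300, "from": "0xstranger", "to": "0xhop1",
     "token": "USDC", "amount": 10.0, "memo": ""},
]


def parse_thorchain_memo(memo):
    """Return (chain, asset, destination) from a swap memo, or None.

    Assumed layout: 'SWAP:CHAIN.ASSET:DESTADDR[:LIMIT...]', with '=' accepted
    as the shorthand for SWAP. Anything else is treated as not a swap."""
    parts = memo.split(":")
    if len(parts) < 3 or parts[0].upper() not in ("SWAP", "="):
        return None
    chain, _, asset = parts[1].partition(".")
    if not (chain and asset and parts[2]):
        return None
    return chain, asset, parts[2]


def trace_outflows(seed, transfers, known_bridges):
    """Breadth-first walk of outgoing transfers starting at `seed`.

    Returns (hops, transitions): every transfer reachable from the seed in
    discovery order, plus the subset that lands in a known bridge/swap
    contract, annotated with the destination recovered from its memo."""
    by_sender = {}
    for t in transfers:
        by_sender.setdefault(t["from"].lower(), []).append(t)
    bridges = {addr.lower(): name for addr, name in known_bridges.items()}
    seen = {seed.lower()}
    queue = deque([seed.lower()])
    hops, transitions = [], []
    while queue:
        addr = queue.popleft()
        for t in sorted(by_sender.get(addr, []), key=lambda x: x["ts"]):
            hops.append(t)
            dest = t["to"].lower()
            if dest in bridges:
                # A deposit into a bridge/swap contract is a chain transition;
                # the trail continues on the chain named in the memo.
                transitions.append({
                    "hash": t["hash"], "bridge": bridges[dest],
                    "token": t["token"], "amount": t["amount"],
                    "destination": parse_thorchain_memo(t["memo"]),
                })
            elif dest not in seen:
                seen.add(dest)
                queue.append(dest)
    return hops, transitions


def trail_report(hops, transitions):
    """One line per hop plus one per chain transition, suitable for a case file."""
    lines = [f"{t['hash']} ts={t['ts']} {t['from']} -> {t['to']} "
             f"{t['amount']:,} {t['token']}" for t in hops]
    for tr in transitions:
        chain, _asset, dest = tr["destination"] or ("?", "?", "unknown (no memo)")
        lines.append(f"TRANSITION {tr['hash']}: {tr['amount']:,} {tr['token']} "
                     f"into {tr['bridge']} -> {chain} {dest}")
    return "\n".join(lines)


if __name__ == "__main__":
    found_hops, found_transitions = trace_outflows(ATTACKER_SEED, TRANSFERS, KNOWN_BRIDGES)
    print(trail_report(found_hops, found_transitions))
```

Against real data you would replace TRANSFERS with the token-transfer and internal-transaction results pulled from an explorer API for each address as it is discovered, and extend KNOWN_BRIDGES with the bridge and router contracts relevant to the chains in play. The walk deliberately follows only outgoing edges, so third-party dust or unrelated deposits to an intermediary (the 0xa6 record) never contaminate the trail.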
Troubleshooting
The most common challenge in cross-chain forensics is losing the trail at a bridge transition. When funds move through a decentralized bridge, the relationship between source and destination transactions is not always recorded in a single database. In these cases, look for matching amounts, timestamps within a narrow window, and any memo data attached to bridge transactions that might contain routing information.
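When the bridge leaves no memo to follow, the correlation described above (matching amount and a narrow time window) can be made mechanical. The following is an added example for this tutorial, not the article's own tooling: it ranks destination-chain payouts against one bridge deposit by value deviation (to absorb swap fees and slippage) and by delay, rejecting anything that lands before the deposit, outside the window, or too far off in value. The deposit, the candidate payouts, their hashes and addresses are all constructed; the prices are the approximate figures the article quotes.

```python
# Added example (not from the original article): fuzzy correlation of a bridge
# deposit on the source chain with payouts on the destination chain.
from dataclasses import dataclass


@dataclass(frozen=True)
class Inbound:
    """A deposit into the bridge on the source chain."""
    hash: str
    ts: int
    token: str
    amount: float


@dataclass(frozen=True)
class Outbound:
    """A payout observed on the destination chain."""
    hash: str
    ts: int
    asset: str
    amount: float
    address: str


# Constructed price table; the article quotes roughly $68,000 BTC and $1,970 ETH.
PRICES_USD = {"USDC": 1.0, "USDT": 1.0, "WETH": 1970.0, "BTC": 68000.0}

T0 = 1771661000  # constructed deposit time
INBOUND = Inbound("0xa4", T0, "USDC", 1_500_000.0)
OUTBOUNDS = [  # constructed candidates; only the first two should survive
    Outbound("btc-a", T0 + 300, "BTC", 21.9, "bc1qcand-a"),   # close in time and value
    Outbound("btc-b", T0 + 2400, "BTC", 22.0, "bc1qcand-b"),  # right value, slow
    Outbound("btc-c", T0 + 100, "BTC", 5.0, "bc1qcand-c"),    # value far off
    Outbound("btc-d", T0 - 200, "BTC", 22.0, "bc1qcand-d"),   # paid before the deposit
    Outbound("btc-e", T0 + 7200, "BTC", 22.0, "bc1qcand-e"),  # outside the window
]


def usd_value(asset, amount):
    return PRICES_USD[asset] * amount


def match_outbounds(inbound, outbounds, window_s=3600, max_dev=0.05):
    """Rank payouts that could be the other half of `inbound`, best first.

    A payout qualifies if it lands after the deposit within `window_s` seconds
    and its USD value is within `max_dev` (fractional) of the deposit value.
    Score = value deviation + normalised delay; both terms lie in [0, 1]."""
    target = usd_value(inbound.token, inbound.amount)
    scored = []
    for o in outbounds:
        dt = o.ts - inbound.ts
        if dt < 0 or dt > window_s:
            continue
        dev = abs(usd_value(o.asset, o.amount) - target) / target
        if dev > max_dev:
            continue
        scored.append((dev + dt / window_s, o))
    scored.sort(key=lambda pair: pair[0])
    return [o for _, o in scored]


def best_match(inbound, outbounds, **kwargs):
    """Top-ranked candidate, or None when nothing fits the window and tolerance."""
    ranked = match_outbounds(inbound, outbounds, **kwargs)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    for cand in match_outbounds(INBOUND, OUTBOUNDS):
        print(cand.hash, cand.address, cand.amount, "BTC")
```

Treat the output as a shortlist, not a conclusion: on a busy bridge several unrelated swaps can fall inside the same window and tolerance, so a candidate should be confirmed with independent evidence (the bridge's own transaction ID, memo fields where present, or later movement of the payout address) before it goes into the case file. Widening window_s or max_dev raises recall at the cost of more false candidates.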
Privacy-focused tools like mixers and privacy chains can break the forensic trail entirely. If funds enter a mixer, the best approach is to monitor the mixer output for patterns that match the known deposit amount and timing. Statistical analysis of mixer outputs can sometimes correlate deposits with withdrawals, but this requires sophisticated tooling and is unreliable for small amounts distributed across many outputs.
When transaction volume is overwhelming — as in cases where attackers split funds across hundreds of micro-transactions — use clustering algorithms to group related activity before attempting manual analysis. Tools like GraphSense and BlockSci provide open-source frameworks for large-scale blockchain graph analysis.
Mastering the Skill
On-chain forensics is a rapidly evolving discipline that rewards continuous learning and practical experience. To advance beyond this tutorial, practice tracing transactions on public hack post-mortems published by firms like Halborn and PeckShield. The Rekt leaderboard provides a comprehensive database of DeFi exploits with documented attack paths that serve as excellent training material. Engage with the blockchain security community on platforms where researchers share real-time analysis during active incidents. The IoTeX investigation demonstrated that collaborative on-chain analysis — with multiple researchers contributing findings in real time — dramatically accelerates the speed and accuracy of fund tracking. As cross-chain infrastructure becomes more complex, the demand for skilled on-chain investigators will only grow, making this one of the most valuable technical skills in the cryptocurrency ecosystem.
Disclaimer: This article is for educational purposes only. On-chain forensics should be conducted in compliance with applicable laws and regulations. Always consult with legal professionals before undertaking investigations that may involve law enforcement coordination.
tracing across iotex chain to eth to thorchain to btc is a nightmare. each chain transition breaks the transaction graph and you have to manually correlate
every chain hop is basically a dead end for automated tools. you need manual correlation across block explorers, and half the time the smaller chains don't have decent apis
that's why professional forensics teams charge 6 figures per case. the tooling gap between major and minor chains is massive
the iotex chain explorer situation is particularly bad. very few tools support it compared to eth or btc
IoTeX explorer barely loads half the time. trying to trace funds through their bridge with public tools is nearly impossible
kyc records being the ultimate forensics weapon is ironic in a space that claims to be about privacy. use a dex without kyc and you're basically untraceable
even without kyc, chainalysis and Elliptic track wallet clusters across dexes. the privacy advantage is overstated unless you're using tornado cash or monero
exactly this. the privacy crowd overstates how anonymous dex usage is. chainalysis has heuristic clustering down to a science