Effective crypto investigations start with blockchain tools


An overview of public blockchain tools for investigators and analysts

What are blockchain tools?
Blockchain tools are software applications that allow you to query, analyze, and visualize data from a blockchain. Examples include looking up a wallet address, tracking transactions, or mapping financial flows.

There are many different types of tools. Some function as simple search interfaces, displaying basic information per address or transaction. Others go further, helping to identify patterns and establish connections between addresses.

For investigative purposes, two broad categories can be distinguished:
• Publicly available tools, accessible without a subscription, requiring little or no registration. Suitable for initial exploration.
• Paid tools, such as Chainalysis or TRM Labs. These link addresses to entities, detect patterns across large datasets, and enable the visualization of relationships.

This article focuses on publicly available tools, hereafter referred to as open tools.

What do open tools do?
Open tools are publicly accessible. The underlying blockchain data is available to anyone, allowing findings to be verified and substantiated, an important aspect in legal contexts. There are different types of open tools. In this article, we discuss two: block explorers and enrichment tools.

Block explorers are search interfaces that allow you to look up blockchain data by address or transaction. Well-known examples include mempool.space and Etherscan.

With a block explorer, you can see, for example:
• how much crypto was transferred;
• when a transaction took place;
• which addresses were involved.

Block explorers primarily display raw data. They show what happened, but not who is behind it. They also do not establish connections between different addresses or identify patterns across larger datasets.

Enrichment tools add additional information to addresses and transactions by combining blockchain data with external sources. Examples include Chainabuse and Arkham.

• Chainabuse shows whether an address has previously been reported as suspicious.
• Arkham links addresses to entities such as exchanges, companies, or other known parties.

Some of these tools offer additional functionality through paid subscriptions.

In practice, most investigators start with open tools. They are quick to use and suitable for initial exploration, providing a rapid overview of financial flows and involved addresses.

As investigations become more complex, with more addresses, multiple blockchains, or intricate relationships, more advanced tools or specialized analysis are often required.

Note: results from open tools should always be assessed critically. Treat them as initial indicators, not definitive evidence.

Below are several examples of open tools.

1. mempool.space
Mempool.space is a block explorer for the Bitcoin network. It allows you to view blockchain data such as transactions, addresses, and blocks.

The tool retrieves data directly via its own Bitcoin nodes. The project is open source and its code is available on GitHub.

What can you do with it?
• Look up transactions using a transaction ID.
• Explore wallet addresses, including balances and transaction history.
• View current network congestion: how many transactions are awaiting confirmation and what the current fees are.

When do you use mempool.space?
Mempool.space is particularly suitable for initial analysis. It quickly provides insight into what has happened with a given address or transaction.

Per address, you can see:
• when it was first used on the blockchain;
• which amounts were received and sent;
• which addresses are connected through transactions.

An important concept you can analyze here is the change address. In a Bitcoin transaction, one or more inputs are used. The total value of these inputs is often higher than the amount being sent. The remaining value is then returned to an address controlled by the sender; this is known as the change address.

By identifying this address, you can estimate which addresses likely belong to the same user. This helps to gradually link multiple addresses and build an initial view of the network.
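The change-address reasoning above, written as a small scoring routine. This is an added example, not code from mempool.space or from the author of this article: the transaction is constructed, the field names assume the JSON layout of Esplora-style explorer APIs, and the three heuristics (matching script type, non-round amount, value returned to an input address) are common choices picked for illustration.

```python
# Constructed sample: one Bitcoin transaction in the JSON shape served by
# Esplora-style explorer APIs (assumed field names; addresses are fake).
SAMPLE_TX = {
    "vin": [
        {"prevout": {"scriptpubkey_address": "bc1q-input-a",
                     "scriptpubkey_type": "v0_p2wpkh", "value": 700_000}},
        {"prevout": {"scriptpubkey_address": "bc1q-input-b",
                     "scriptpubkey_type": "v0_p2wpkh", "value": 450_000}},
    ],
    "vout": [
        {"scriptpubkey_address": "3-payee",
         "scriptpubkey_type": "p2sh", "value": 1_000_000},
        {"scriptpubkey_address": "bc1q-change",
         "scriptpubkey_type": "v0_p2wpkh", "value": 148_350},
    ],
}

def input_prevouts(tx):
    # Coinbase inputs have no previous output, so skip them.
    return [i["prevout"] for i in tx["vin"] if i.get("prevout")]

def score_outputs(tx):
    """Score each output address; a higher score means 'more likely change'."""
    prevouts = input_prevouts(tx)
    in_types = {p["scriptpubkey_type"] for p in prevouts}
    in_addrs = {p.get("scriptpubkey_address") for p in prevouts}
    scores = {}
    for out in tx["vout"]:
        addr = out.get("scriptpubkey_address")
        if addr is None:          # e.g. OP_RETURN outputs carry no address
            continue
        score = int(out["scriptpubkey_type"] in in_types)  # same script type as inputs
        score += out["value"] % 10_000 != 0                # non-round amount (satoshi)
        score += 2 * (addr in in_addrs)                    # value sent back to an input
        scores[addr] = score
    return scores

def likely_change(tx):
    """Return the change candidate, or None when the heuristics do not agree."""
    ranked = sorted(score_outputs(tx).items(), key=lambda kv: -kv[1])
    if len(ranked) < 2 or ranked[0][1] == 0 or ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]

def candidate_cluster(tx):
    """Input addresses plus the change candidate: a lead to verify, not proof."""
    cluster = {p.get("scriptpubkey_address") for p in input_prevouts(tx)} - {None}
    change = likely_change(tx)
    return cluster | ({change} if change else set())
```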

You can also easily follow earlier and subsequent transactions. Additionally, it is possible to navigate the blockchain block by block and view all transactions within a specific block.

Limitations
Mempool.space also has its limitations:
• it only supports the Bitcoin network;
• addresses are not labeled (e.g., as exchange or company);
• relationships between addresses must be established manually;
• data cannot be easily exported in bulk.

For more advanced analysis, additional tooling is required.

2. Etherscan
Etherscan is a block explorer for the Ethereum network. It allows you to view transactions, addresses, and smart contracts.

Ethereum is used not only for payments; it also underpins tokens such as USDT and USDC, NFTs, and DeFi protocols. As a result, transactions are often more complex than on the Bitcoin network.

Etherscan was founded in 2015 by Matthew Tan and is one of the first explorers within the Ethereum ecosystem. The company is based in Kuala Lumpur, Malaysia.

What can you do with it?
With Etherscan, you can:
• look up transactions using a transaction ID;
• explore wallet addresses, including balances and transaction history;
• analyze token transactions, covering not only ether (ETH) but also tokens such as USDT and USDC;
• examine interactions with smart contracts such as NFT platforms and DeFi applications;
• view labels for known addresses, such as “Binance: Hot Wallet” or “Uniswap: Router.”

How do you read a transaction?
When opening a transaction, Etherscan displays a summary at the top: the sending address, the receiving address, and the amount. This is a simplified representation of the underlying data.

The full details are available in the transaction data and event logs, where you can see what technically occurred within the smart contracts.

A single transaction may contain multiple underlying actions. For example, a swap via a DeFi protocol may involve multiple token transfers within one transaction.

It is therefore important not only to review the summary, but also the underlying details.
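To show why the summary is not enough, the following added example (not Etherscan's code or the author's) decodes the Transfer events in a transaction's event logs and nets them per address. The receipt is constructed and assumes the log layout of a standard Ethereum JSON-RPC transaction receipt; all addresses and amounts are made up.

```python
from collections import defaultdict

# keccak256("Transfer(address,address,uint256)"): topic 0 of ERC-20 and ERC-721 transfers
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def word(value):              # 32-byte hex word, used to build the sample below
    return "0x" + format(value, "064x")

def topic_to_address(topic):  # an indexed address is the last 20 bytes of the topic
    return "0x" + topic[-40:].lower()

# Constructed receipt (all addresses fake): USER calls ROUTER with 0 ETH, so the
# summary shows "USER -> ROUTER"; the logs show the swap that actually happened.
USER, ROUTER, POOL = ("0x" + c * 40 for c in "abc")
TOKEN_A, TOKEN_B, NFT = ("0x" + c * 40 for c in "123")
SAMPLE_RECEIPT = {"from": USER, "to": ROUTER, "logs": [
    {"address": TOKEN_A, "data": word(1_000_000_000),
     "topics": [TRANSFER_TOPIC, word(int(USER, 16)), word(int(POOL, 16))]},
    {"address": TOKEN_B, "data": word(42 * 10**16),
     "topics": [TRANSFER_TOPIC, word(int(POOL, 16)), word(int(USER, 16))]},
    {"address": POOL, "data": "0x", "topics": ["0x" + "0" * 64]},  # unrelated event
    {"address": NFT, "data": "0x",   # ERC-721: token id is a fourth topic
     "topics": [TRANSFER_TOPIC, word(int(POOL, 16)), word(int(USER, 16)), word(7)]},
]}

def decode_transfers(receipt):
    """List every Transfer event in the receipt's logs, in log order."""
    found = []
    for log in receipt["logs"]:
        topics = log["topics"]
        if len(topics) < 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        row = {"token": log["address"], "from": topic_to_address(topics[1]),
               "to": topic_to_address(topics[2])}
        if len(topics) == 3:                      # ERC-20: amount is in data
            row["value"] = int(log["data"], 16)   # raw units, not decimal-adjusted
        else:                                     # ERC-721: indexed token id
            row["token_id"] = int(topics[3], 16)
        found.append(row)
    return found

def net_token_flows(transfers):
    """Net ERC-20 balance change per (address, token) across the transaction."""
    net = defaultdict(int)
    for t in transfers:
        if "value" in t:
            net[(t["from"], t["token"])] -= t["value"]
            net[(t["to"], t["token"])] += t["value"]
    return dict(net)
```

Amounts are in each token's smallest unit; converting them to a displayed figure requires the token contract's decimals value, which is not part of the log.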

ENS (Ethereum Name Service)
Etherscan supports the Ethereum Name Service (ENS), a system that links human-readable names to addresses, such as vitalik.eth.

If you encounter such a name during your investigation, you can use it directly in the search bar.

Limitations
Etherscan also has its limitations:
• it is a commercial platform and its source code is not publicly available;
• revenue is generated in part through advertisements and paid features;
• the interface can become complex for transactions with many interactions;
• address labels are not always complete or up to date;
• Etherscan only supports the Ethereum network (other networks have their own explorers).

Analyzing Ethereum transactions requires additional attention. Due to the use of smart contracts and tokens, transactions may consist of multiple steps that are not immediately visible in the overview.

3. Arkham (intel.arkm.com)
Arkham Intelligence is an enrichment tool that links blockchain addresses to entities and visualizes financial flows. The platform was founded in 2020 by Miguel Morel.

Arkham combines on-chain data with external (off-chain) information, such as public sources and user contributions. Based on this, addresses are grouped and, where possible, linked to entities such as exchanges, companies, or other organizations.

What can you do with it?
With Arkham, you can:
• view addresses with automatically assigned labels;
• see which addresses likely belong to the same entity;
• visually track financial flows between addresses in graph form;
• explore entities and their associated addresses;
• set alerts for specific addresses (limited in the public version).

When do you use Arkham?
Arkham is particularly useful when you want to understand who may be behind an address or when you want to visualize financial flows between multiple addresses.

The public version is accessible after registration and already provides valuable insights for initial analysis.

Revenue model
Arkham’s revenue model differs from many other tools. Its core functionality is publicly available, while paid features focus primarily on API access and automated data processing.

Key considerations
It is important to remain critical of labeling. Arkham’s attributions are based on its own analyses and user-provided information. These labels are not always complete or independently verified. Treat them as indicators, not definitive evidence.

4. Chainabuse (chainabuse.com)
Chainabuse is a reporting platform for suspicious crypto addresses. Developed by TRM Labs, it allows users to report addresses in a publicly searchable database.

Reports are submitted by victims, investigators, and partner organizations worldwide.

What can you do with it?
With Chainabuse, you can:
• check whether an address has been reported previously;
• view the type of fraud and reporting dates;
• review reported damage amounts;
• report addresses on behalf of victims.

When do you use Chainabuse?
Chainabuse is often a good first check when encountering a new address in an investigation.

If an address has already been reported, you immediately gain additional context, for example, about the type of fraud or modus operandi. This can help identify patterns and potentially establish links between multiple reports or addresses.

Key considerations
Reports on Chainabuse are not verified. They are based on user input and may be incomplete or inaccurate.

Use this information as context and indication, not as standalone evidence. The same applies to reported damage amounts, which may differ from the actual situation.

Open tools remain relevant, even when paid tools are available:
• Verification: findings from paid tools can be validated against publicly available source data, which is important in legal contexts.
• Transparency: public data can be reviewed by all parties, including courts and defense, making the methodology testable.
• Accessibility: no license, no approval process, immediately usable for initial exploration or time-sensitive investigations.
• Cost: not every organization has access to paid tools; open tools enable baseline analysis without budget constraints.

When are open tools not sufficient?
Open tools reach their limits as investigations become more complex. For example:
• larger numbers of addresses;
• multiple blockchains simultaneously;
• the need for attribution: identifying who may be behind an address.

They also offer limited support when dealing with mixers or privacy coins such as Monero.

A label in Arkham or a report on Chainabuse can provide direction, but does not constitute evidence. For conclusions that hold up in court, additional analysis is required.

Three insights
• Block explorers are a starting point, not an endpoint. They present raw facts such as amounts, timestamps, and addresses.
• Each blockchain has its own explorer. First determine which network an address operates on, then begin your search.
• Results always require interpretation. Understanding blockchain data remains a human task.

Developing your expertise?
The tools in this overview are accessible to any investigator. The difference between viewing an address and truly understanding it lies in interpreting patterns. Targeted training in crypto investigations helps develop this analytical capability and provides structure and depth.

By Erwin Heuvelman | 16-04-2026