// case type

crypto theft / wallet drain

approve-for-all phishing, sweeper bots, malicious dapps, drained hot wallets. evidence is a tx graph + the malicious contract bytecode + browser history.

tools: 16
priority: H
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. ethereum transaction decoder: paste raw ethereum transaction hex · rlp decode · from to value gas · erc20 calldata · runs locally
  2. bitcoin transaction decoder: paste raw transaction hex · decode inputs outputs scripts · fees · locktime · segwit · p2pkh p2sh p2wpkh · runs locally
  3. crypto tx graph: paste json csv btc hex · directed graph · hub peel fan patterns · ascii viz · stats · csv json export · runs locally
  4. crypto transaction graph: drop tx list csv · build adjacency · node edge counts · export nodes edges csv · runs locally
  5. smart contract bytecode analyzer: paste evm hex · disassemble push pop · flag delegatecall selfdestruct · opcode table · runs locally
  6. cryptocurrency mixer and tumbler detector: drop bitcoin transaction csv · apply statistical analysis to detect mixing service patterns · equal output detection · timing patterns · coinjoin identification · peel chain vs mixed funds · estimate mixing confidence · runs locally
  7. bitcoin address clustering: paste or drop csv · extract btc addresses · common-input heuristic clustering · cluster table · export csv · runs locally
  8. private key format detector: paste or drop a key file · identify WIF · hex · PEM · PKCS8 · BIP32 xprv/xpub · Ethereum keystore · validate format only · never derives · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. monero transaction structure forensic analyzer: drop monero transaction hex or json exports · parse ring signature structure · analyze ring composition · apply heuristics to identify likely true spends · detect unusual ring sizes · blockchain analysis with privacy caveats · runs locally
  2. nft metadata and provenance forensic analyzer: drop nft metadata json files or token uri exports · parse metadata · trace token history · identify mutable vs immutable storage · detect wash trading patterns · flag suspicious provenance · runs locally
  3. bip39 mnemonic validator: paste a 12-, 18- or 24-word mnemonic · validate BIP39 wordlist · verify checksum · identify entropy bits · detect typos · never derives keys · runs locally
  4. ethereum keystore inspector: drop an Ethereum UTC keystore file · parse address · cipher · KDF params · salt · flag weak parameters · never attempts decryption · runs locally
  5. blockchain timestamp verifier: document sha-256 · merkle proof json · bitcoin block header · inclusion walk · verified/failed verdict · runs locally
  6. browser history extractor: drop a Chrome or Firefox SQLite history DB · extract URLs · visit counts · timestamps · typed URLs · export CSV · runs locally
  7. chrome extension analyzer: drop crx or manifest.json · permissions audit · content scripts · risk score · script patterns · runs locally
  8. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • crypto theft — IOC + tx-graph seed

    6 steps

    drop chat exports + browser history + contract addresses → extract IOCs → merge with breach data → triage → report

    1. 01 evidence-manifest-generator: fix the evidentiary state of the victim's exports before pivoting
    2. 02 ioc-extractor: pull wallet addresses, contract addresses, dapp URLs, malicious sites from all text inputs
    3. 03 ioc-deduplicator-normalizer: merge across browser history + chat + screenshot OCR transcripts
    4. 04 breach-ioc-normalizer: merge with any threat-intel IOC list the victim's exchange provided
    5. 05 ioc-bulk-validator-and-triage: score the bundle; mixer addresses + sanctioned wallets surface as high-severity
    6. 06 case-report-generator: draft a report that's a valid intake packet for a chain-analysis firm or law enforcement
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.