// investigation guide

crypto theft / wallet drain - methodology

crypto theft is not generic malware. it is usually a signed transaction: unlimited token approval on a fake dapp, a sweeper contract that fires within seconds, or exported seed material. evidence is on-chain (tx graph, contract bytecode) plus browser history showing which site the victim visited. recovery is almost never technical; your job is scope, attribution hints, and a clean timeline for law enforcement and exchanges.

what evidence exists and how fast it dies

artifact                               volatility                 time to loss
on-chain transactions                  immutable                  never, but attribution decays as funds move
wallet browser history / extensions    persistent on device       lost on reimage or cache clear
phishing site URL / WHOIS              persistent                 site may go offline within hours
CEX deposit address labels             rolling at exchange        subpoena latency; act while hot wallet flagged
victim signed message / approval tx    immutable                  revoke only affects future; past approval stands
exported seed / private key on disk    volatile                   secure-delete or reimage removes it

the first 10 minutes

  1. record victim wallet address(es) and chain(s). do not ask them to sign anything else.
  2. pull the drain transaction hash from the wallet or block explorer. save UTC timestamp.
  3. export token approval list for the victim address (revoke.cash-style export or explorer API dump).
  4. save the malicious dapp URL from browser history before the tab is closed.
  5. screenshot wallet UI showing loss amounts. secondary to on-chain proof.
  6. identify CEX deposit addresses in the drain path if visible on explorer.
  7. preserve browser profile and extension list from the victim machine.
  8. check for exported seed files or clipboard malware indicators on the endpoint.
  9. file exchange law-enforcement requests if funds hit a known hot deposit. time-sensitive.
  10. begin the path below.

the path

  1. ethereum tx decoder

    raw signed txs or export json. decodes approve, transferFrom, and sweeper drain calls with spender and token amounts.
    why first: the drain is on-chain. you need the approval tx hash and unlimited allowance before interpreting wallet UI screenshots.

  2. smart contract bytecode analyzer

    drainer contract bytecode or verified source export. flags delegatecall sweeper patterns and hidden owner functions.
    why second: malicious dapps hide behind proxy bytecode. decode what the victim actually authorized.

  3. crypto tx graph

    multi-chain tx export. builds hop graph from victim wallet through consolidator and CEX deposit addresses.
    why third: single-tx view misses the 90-second sweeper chain across tokens and routers.

  4. crypto transaction graph

    csv adjacency from block explorer export. correlates addresses, amounts, and timestamps across chains.
    why fourth: investigators often only have spreadsheet exports. this normalizes them into one graph.

  5. bitcoin tx decoder

    raw btc tx hex or explorer json. parses inputs, outputs, and fee for peel-chain follow-on.
    why fifth: victims often hold residual BTC. drain may continue on UTXO chain after ERC-20 loss.

  6. bitcoin address clustering

    victim UTXO set + co-spend heuristics. groups change outputs and peel addresses under one actor cluster.
    why sixth: peel chains split value across many addresses. clustering collapses the trail for reporting.

  7. crypto mixer pattern detector

    btc txs with equal-output shapes. scores CoinJoin / mixer-like obfuscation on post-drain consolidation.
    why seventh: actors launder through mixer-shaped txs. flag before you assume CEX is the final hop.

  8. private key format detector

    exported key material from victim machine or phishing page capture. identifies WIF, hex, mnemonic fragments.
    why last: some drains use exported keys directly. confirms seed leak vs approval-only compromise.
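what step 1 boils down to, as an added example that is not the guide's own tool: decode the approve / transferFrom calldata from a tx export, flag the unlimited allowance, and time the gap between the victim's approval and the sweep. it assumes each export row is a call into the token contract (row "to" is the token), so the "from" of a transferFrom row is the sweeper that called it; the addresses, hashes and timestamps are constructed.

```python
# added example, not from the guide: decode ERC-20 approve / transferFrom
# calldata from a tx export and measure how fast the approved spender swept.
# assumption: each export row is a call into the token contract (row "to" is
# the token), so a transferFrom row's "from" is the sweeper that called it.
SELECTORS = {"095ea7b3": "approve", "23b872dd": "transferFrom"}  # standard ERC-20 selectors
UNLIMITED = 2**256 - 1  # uint256 max, the "unlimited approval" value phishing dapps request

def _addr(word):
    return "0x" + word[-40:]  # address is the low 20 bytes of a 32-byte abi word

def decode_calldata(data_hex):
    """return (function_name, args) for approve/transferFrom calldata, else (None, {})."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    sel, words = data[:8], [data[i:i + 64] for i in range(8, len(data), 64)]
    if sel not in SELECTORS or any(len(w) != 64 for w in words):
        return None, {}
    if SELECTORS[sel] == "approve" and len(words) == 2:
        return "approve", {"spender": _addr(words[0]), "amount": int(words[1], 16)}
    if SELECTORS[sel] == "transferFrom" and len(words) == 3:
        return "transferFrom", {"from": _addr(words[0]), "to": _addr(words[1]), "amount": int(words[2], 16)}
    return None, {}

def sweeper_timeline(txs, victim):
    """list approvals the victim signed (flagging unlimited ones) and each drain
    that used them, with the seconds between approval and sweep."""
    victim, approvals, findings = victim.lower(), {}, []
    for tx in sorted(txs, key=lambda t: t["ts"]):
        fn, args = decode_calldata(tx["input"])
        token = tx["to"].lower()
        if fn == "approve" and tx["from"].lower() == victim:
            approvals[(token, args["spender"])] = tx
            findings.append({"type": "approval", "hash": tx["hash"], "token": token,
                             "spender": args["spender"], "unlimited": args["amount"] == UNLIMITED})
        elif fn == "transferFrom" and args["from"] == victim:
            appr = approvals.get((token, tx["from"].lower()))
            findings.append({"type": "drain", "hash": tx["hash"], "token": token,
                             "spender": tx["from"].lower(), "to": args["to"], "amount": args["amount"],
                             "seconds_after_approval": tx["ts"] - appr["ts"] if appr else None})
    return findings

# constructed fixture: victim signs an unlimited approval, sweeper drains 87 s later
def _word(v):  # abi-encode an address or uint as one 32-byte word
    return (v[2:] if isinstance(v, str) else format(v, "x")).rjust(64, "0")
VICTIM, SPENDER, TOKEN, CONSOLIDATOR = ("0x" + h * 20 for h in ("11", "22", "33", "44"))
SAMPLE_TXS = [
    {"hash": "0xa1", "ts": 1700000000, "from": VICTIM, "to": TOKEN,
     "input": "0x095ea7b3" + _word(SPENDER) + _word(UNLIMITED)},
    {"hash": "0xa2", "ts": 1700000087, "from": SPENDER, "to": TOKEN,
     "input": "0x23b872dd" + _word(VICTIM) + _word(CONSOLIDATOR) + _word(5000 * 10**6)},
]
```

run `sweeper_timeline(SAMPLE_TXS, VICTIM)` to get the approval record (unlimited flagged) followed by the drain record with its 87-second gap; a `seconds_after_approval` of None means the sweep used an approval you have not exported yet.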

common false leads

  • the victim was hacked via malware. many drains are pure approval phishing with a clean laptop.
  • unlimited approval is revocable so funds are safe. revocation stops future sweeps, not past drains.
  • the receiving address is the attacker. it is often a router or consolidator; follow the graph.
  • mixer tx means untraceable. mixer-shaped patterns still produce IOCs and timing for LE packages.
  • NFT loss equals wallet compromise. check whether only ERC-20 approvals were signed.
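to back the "follow the graph" lead, here is an added example that is not the guide's own tool: it turns a block-explorer style csv export into a hop graph, walks it from the victim wallet to known CEX deposit addresses, and measures whether an address forwarded what it received (a router or consolidator) rather than keeping it. the csv rows, addresses and the known-deposit set are constructed placeholders, not real chain data or an intel feed.

```python
# added example, not from the guide: hop graph from an explorer csv export,
# bfs from the victim to known CEX deposit addresses, and a pass-through check
# that separates routers / consolidators from the final beneficiary. csv rows,
# addresses and the known-deposit set are constructed placeholders.
import csv, io
from collections import defaultdict, deque

SAMPLE_CSV = """txhash,timestamp,from,to,token,amount
0xa1,1700000087,0xvictim,0xsweeper,USDC,5000
0xa2,1700000090,0xvictim,0xsweeper,WETH,1.2
0xa3,1700000310,0xsweeper,0xconsol,USDC,5000
0xa4,1700000312,0xsweeper,0xconsol,WETH,1.2
0xa5,1700003600,0xconsol,0xcexdep1,USDC,4990
0xa6,1700003650,0xconsol,0xunrelated,WETH,0.1
"""
KNOWN_CEX_DEPOSITS = {"0xcexdep1"}  # placeholder for your own exchange-address intel

def build_graph(csv_text):
    """adjacency: sender -> [(receiver, token, amount, unix_ts, txhash), ...]"""
    graph = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        graph[row["from"].lower()].append((row["to"].lower(), row["token"],
                                           float(row["amount"]), int(row["timestamp"]), row["txhash"]))
    return graph

def trace_to_deposits(graph, victim, known_deposits, max_hops=6):
    """bfs outward from the victim; shortest path to each known deposit address."""
    victim = victim.lower()
    queue, seen, hits = deque([(victim, [])]), {victim}, {}
    while queue:
        addr, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for to, token, amount, _ts, txh in graph.get(addr, []):
            step = path + [(to, token, amount, txh)]
            if to in known_deposits and to not in hits:
                hits[to] = {"hops": len(step), "path": step}
            if to not in seen:
                seen.add(to)
                queue.append((to, step))
    return hits

def forwarded_fraction(graph, addr):
    """per token, share of received value the address passed on; near 1.0 means
    a router or consolidator, so keep following rather than naming it the attacker."""
    inflow, outflow = defaultdict(float), defaultdict(float)
    for src, edges in graph.items():
        for to, token, amount, _ts, _txh in edges:
            if to == addr:
                inflow[token] += amount
            if src == addr:
                outflow[token] += amount
    return {t: round(outflow[t] / inflow[t], 3) for t in inflow}
```

on the fixture, `trace_to_deposits(build_graph(SAMPLE_CSV), "0xvictim", KNOWN_CEX_DEPOSITS)` reaches the deposit address in three hops, and `forwarded_fraction` shows the sweeper passed on 100% of both tokens, which is the signature of a pass-through address.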

what we can tell you, what we can't

we can tell you:

  • approval and drain transaction decoding from raw chain exports
  • sweeper contract bytecode indicators
  • multi-hop tx graphs across tokens and chains
  • mixer-shaped BTC patterns and address clustering heuristics
  • private key format identification in captured files

we can't tell you:

  • recover stolen funds. exchanges and law enforcement only.
  • deanonymize mixer users with certainty. probabilistic patterns only.
  • prove criminal intent. legal counsel territory.
  • label every address as a named service without your intel feeds.

handing it off

  • law enforcement / IC3: drain tx hashes, approval tx, malicious contract address, dapp URL, timeline UTC, graph export.
  • exchange abuse desk: deposit address, amount, block height, victim KYC if account holder.
  • outside counsel: preservation log for browser history and wallet exports.

further reading

reference investigation

synthetic fixture voss-wallet-drain: unlimited USDC approve on fake yield dapp, 90-second sweeper drain, BTC peel plus mixer-shaped tx, seed voss-wallet-drain:v1. compare output via npm run check:flagship.
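the BTC side of the fixture (peel chain plus a mixer-shaped tx) as an added example that is not the guide's checker: it scores a transaction for CoinJoin / mixer-like shape from equal-value outputs and input diversity, and follows a peel chain through its change outputs. the tx dicts are constructed fixtures, not decoded from real transaction hex, and the ratio and threshold values are assumptions to tune against your own cases.

```python
# added example, not from the guide: score a btc tx for a CoinJoin / mixer-like
# shape (several inputs funding many equal-value outputs) and follow a peel
# chain (one input, a small spend plus a large change output, repeated).
# tx dicts are constructed fixtures, not decoded from real transaction hex.
from collections import Counter

def mixer_shape_score(tx, min_equal=3):
    """0.0..1.0 plus a reason string. driven by the share of equal-value outputs
    and by how many distinct input addresses fund them (thresholds are assumptions)."""
    values = [o["value_sat"] for o in tx["outputs"]]
    top_value, top_count = Counter(values).most_common(1)[0]
    n_inputs = len({i["address"] for i in tx["inputs"]})
    if top_count < min_equal or n_inputs < 2:
        return 0.0, "no equal-output set funded by multiple inputs"
    score = 0.5 * top_count / len(values) + 0.5 * min(n_inputs, top_count) / top_count
    return round(score, 2), f"{top_count} outputs of {top_value} sat from {n_inputs} input addresses"

def is_peel_step(tx, max_peel_ratio=0.2):
    """one input, two outputs, smaller at most max_peel_ratio of the larger.
    returns (is_peel, peel_output, change_output)."""
    if len(tx["inputs"]) != 1 or len(tx["outputs"]) != 2:
        return False, None, None
    small, large = sorted(tx["outputs"], key=lambda o: o["value_sat"])
    if small["value_sat"] <= max_peel_ratio * large["value_sat"]:
        return True, small, large
    return False, None, None

def follow_peel_chain(txs, start_txid):
    """walk change outputs from start_txid while each spend looks like a peel;
    returns [(txid, peel_address, peel_sat), ...] for the LE package."""
    by_id = {t["txid"]: t for t in txs}
    spender_of = {(i["prev_txid"], i["prev_vout"]): t["txid"] for t in txs for i in t["inputs"]}
    peeled, txid = [], start_txid
    while txid in by_id:
        ok, small, large = is_peel_step(by_id[txid])
        if not ok:
            break
        peeled.append((txid, small["address"], small["value_sat"]))
        txid = spender_of.get((txid, by_id[txid]["outputs"].index(large)))
    return peeled

def _tx(txid, inputs, outputs):  # inputs: (prev_txid, prev_vout, address); outputs: (address, sat)
    return {"txid": txid,
            "inputs": [{"prev_txid": p, "prev_vout": v, "address": a} for p, v, a in inputs],
            "outputs": [{"address": a, "value_sat": s} for a, s in outputs]}

MIXER_TX = _tx("m1", [("f%d" % i, 0, "bc1in%d" % i) for i in range(5)],
               [("bc1eq%d" % i, 100_000_000) for i in range(5)] + [("bc1chg", 7_654_321)])
PEEL_TXS = [  # consolidated drain proceeds peeled twice, then split into two large outputs
    _tx("p1", [("drain", 0, "bc1consol")], [("bc1peel1", 4_000_000), ("bc1chg1", 96_000_000)]),
    _tx("p2", [("p1", 1, "bc1chg1")], [("bc1peel2", 3_000_000), ("bc1chg2", 93_000_000)]),
    _tx("p3", [("p2", 1, "bc1chg2")], [("bc1out", 50_000_000), ("bc1out2", 43_000_000)]),
]
```

the mixer score is a triage signal, not proof: as the false-leads list says, a mixer-shaped tx still yields the equal-output value, input addresses and timing that go into the hand-off package.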
