Lesson 35 of 39
Investigating on the Blockchain — Analytics & Red Flags *(OUTLINE + BULLET BODY)*
5 min read · CAMS
Explain public-ledger basics and how **blockchain analytics** uses **clustering** and **attribution** to de-anonymize activity. Recognize **VASP red flags** and the elevated risk at **on-ramps and off-ramps**. Understand the **limits** of on-chain analysis — what it can and cannot tell you.
Cold open / hook *(0:00–0:30)* — [scripted]
Last lecture we sat on the launderer's side of the table, learning the tricks. Now we switch chairs. The irony that defines blockchain investigation is this: the very transparency that makes you think laundering should be impossible is also the investigator's greatest advantage. Every transaction is recorded, permanently, on a public ledger — which means with the right techniques you can often follow the money better on a blockchain than you ever could through a maze of shell-company bank accounts. The CAMS® exam wants you to understand the *concepts* — clustering, attribution, the high-risk on- and off-ramps — and, crucially, to be honest about what on-chain analysis can't do. Let's build that mental model.
Body — [bullet teaching outline; expand to ~150 wpm prose when recording]
Public-ledger basics
- A **blockchain** is a **distributed, append-only public ledger**: transactions are grouped into blocks, cryptographically linked, and (on public chains like Bitcoin) **viewable by anyone** via a block explorer. Records are **immutable** — you can't quietly edit history.
- Addresses are **pseudonymous**, not anonymous: an address is a string of characters, not a name — but every transaction tied to it is permanently visible. The investigator's job is to connect the **pseudonym to a real-world identity**.
- **Pseudonymity ≠ anonymity:** because the full transaction graph is public, patterns and links can re-identify users. This is exactly the opposite of cash, which leaves no ledger.
Clustering and attribution
- **Clustering** groups multiple addresses that are likely controlled by the **same entity**. A common heuristic is **common-input ownership** (the **multi-input heuristic**): when several addresses are spent together as inputs to one transaction, they're usually controlled by the same wallet/entity.
- **Change-address heuristics** and behavioral patterns further expand a cluster — analytics firms build large maps of address clusters this way.
- **Attribution** is the step of **labeling a cluster with a real-world identity or service** — e.g., "this cluster belongs to Exchange X," "this address is a known darknet market," "this is a sanctioned entity." Attribution comes from **off-chain data**: KYC at exchanges, subpoenas, scam reports, OSINT, prior investigations, and analytics-vendor intelligence.
- The investigative power comes from **on-chain tracing + off-chain attribution together**: trace the flow on the immutable ledger, then attribute the endpoints to named services where identities live.
- Exam framing: **on-chain data shows the flow; off-chain data supplies the identity.** Neither alone is enough.
On-ramps and off-ramps — where identity lives
- An **on-ramp** converts **fiat → crypto** (buying with a card/bank transfer); an **off-ramp** converts **crypto → fiat** (cashing out). These are the **chokepoints** where the regulated world touches the chain.
- Ramps are typically **VASPs/exchanges** that perform **KYC**, so they are where investigators (via subpoena/314(a)) can **attach a name** to an address. Following illicit funds to a regulated off-ramp is often how a case is solved.
- **Higher-risk ramps:** exchanges with **weak or no KYC**, located in **non-cooperative jurisdictions**, **P2P** marketplaces, and **crypto ATMs/kiosks** with lax controls — these let value enter or exit without reliable identification.
- **Off-ramp red flag:** funds with illicit on-chain history arriving at your VASP for cash-out, especially after passing through mixers, multiple hops, or high-risk services.
VASP red flags
- **Transaction red flags:** exposure to **mixers/tumblers**, transfers to/from **darknet markets, sanctioned addresses, or high-risk gambling/scam clusters**; **peel-chain** patterns; rapid **chain-hopping**; sudden conversion into **privacy coins**.
- **Counterparty red flags:** transfers to/from **unhosted wallets** with no business rationale; counterparties at **non-compliant or unlicensed VASPs**; attempts to **avoid the Travel Rule**.
- **Behavioral / customer red flags:** transaction volumes **inconsistent with the customer's profile**; new accounts immediately moving **large volumes**; use of **multiple wallets/accounts** to break up activity (structuring); reluctance to provide CDD or source-of-funds info; many accounts funded from the **same source**.
- **Sanctions red flags:** any interaction with an **OFAC-listed address/entity** — recall OFAC now **adds crypto addresses to the SDN list**, and screening must cover wallet addresses, not just names.
- Source anchors: **FinCEN red-flag advisories** on convertible virtual currency; the **FATF "Virtual Assets — Red Flag Indicators" (2020)** report.
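To make the exposure and counterparty red flags above concrete, here is an added example (not part of the lesson or any vendor's tooling) of how a VASP's screening logic can walk an incoming deposit's funds backwards through a transaction graph, count hops to labeled high-risk entities, and emit the red flags the outline lists. The transfers, address labels, customer profile, and thresholds are all constructed for illustration; the hop limit shows why "how far back you look" changes what you find.

```python
"""Added example: red-flag screening of an incoming deposit at a VASP.
All transfers, labels and thresholds below are constructed, not real data."""
from collections import deque

# Constructed off-chain attribution: address -> (entity name, risk category).
# Categories mirror the outline's red-flag classes.
LABELS = {
    "mix1": ("Mixer-A", "mixer"),
    "dnm1": ("DarknetMarket-B", "darknet"),
    "sdn1": ("OFAC-listed-C", "sanctioned"),
    "exA1": ("Exchange-A hot wallet", "exchange"),
}

# Constructed on-chain transfers: (txid, sender, receiver, amount).
# dep1/dep2/dep3 are deposit addresses belonging to our VASP's customers.
TRANSFERS = [
    ("t1", "sdn1", "hop1", 5.0),   # sanctioned entity pays an unlabeled hop
    ("t2", "hop1", "mix1", 5.0),   # ... which sends into a mixer
    ("t3", "mix1", "hop2", 4.9),   # mixer output to another hop
    ("t4", "hop2", "dep1", 4.9),   # ... which deposits with us
    ("t5", "exA1", "dep2", 0.2),   # clean-looking deposit from a known exchange
    ("t6", "dnm1", "hop3", 1.0),   # darknet market proceeds, 4 hops from dep3
    ("t7", "hop3", "hop4", 1.0),
    ("t8", "hop4", "hop5", 1.0),
    ("t9", "hop5", "dep3", 1.0),
]


def build_senders(transfers):
    """Map receiver -> [(sender, txid)] so funds can be walked backwards."""
    senders = {}
    for txid, src, dst, _amt in transfers:
        senders.setdefault(dst, []).append((src, txid))
    return senders


def upstream_exposure(addr, senders, labels, max_hops=3):
    """Breadth-first walk backwards from addr, at most max_hops transfers.

    Returns {category: (entity name, hops)} for the nearest labeled entity of
    each category. The walk does not continue past an exchange wallet: funds
    there are commingled in custody, so anything further back is not this
    customer's history.
    """
    seen = {addr}
    queue = deque([(addr, 0)])
    hits = {}
    while queue:
        cur, hops = queue.popleft()
        if hops == max_hops:
            continue
        for src, _txid in senders.get(cur, []):
            if src in seen:
                continue
            seen.add(src)
            if src in labels:
                name, cat = labels[src]
                hits.setdefault(cat, (name, hops + 1))
                if cat == "exchange":
                    continue  # custodial commingling: stop tracing here
            queue.append((src, hops + 1))
    return hits


def screen_deposit(deposit_addr, amount, profile, senders, labels, max_hops=3):
    """Return the list of red flags raised by one incoming deposit.

    profile is a constructed customer record with 'expected_monthly_volume'
    and 'unhosted_rationale' (whether a business reason for unhosted-wallet
    transfers is documented in CDD).
    """
    flags = []
    exposure = upstream_exposure(deposit_addr, senders, labels, max_hops)
    for cat, tag in (("sanctioned", "SANCTIONS"), ("mixer", "MIXER"),
                     ("darknet", "DARKNET")):
        if cat in exposure:
            name, hops = exposure[cat]
            flags.append(f"{tag}: exposure to {name} at {hops} hop(s)")
    # Counterparty check on the direct sender(s): unlabeled = unhosted wallet.
    direct = [src for src, _ in senders.get(deposit_addr, [])]
    if any(src not in labels for src in direct) and not profile["unhosted_rationale"]:
        flags.append("COUNTERPARTY: unhosted-wallet transfer with no documented rationale")
    if amount > profile["expected_monthly_volume"]:
        flags.append("BEHAVIORAL: amount inconsistent with customer profile")
    return flags


if __name__ == "__main__":
    senders = build_senders(TRANSFERS)
    profile = {"expected_monthly_volume": 1.0, "unhosted_rationale": False}
    for dep, amt in (("dep1", 4.9), ("dep2", 0.2), ("dep3", 1.0)):
        print(dep, screen_deposit(dep, amt, profile, senders, LABELS))
        print(dep, "(5 hops)", screen_deposit(dep, amt, profile, senders, LABELS, max_hops=5))
```

With the default three-hop window, dep1 raises mixer, counterparty and behavioral flags but the sanctioned origin is invisible behind the mixer; widening the window to five hops adds the sanctions flag, and dep3's darknet origin only appears at four hops. That is the practical meaning of "hops" in a vendor's exposure score, and why a screening policy has to state how far back it looks.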
Limits of on-chain analysis
- **Heuristics are probabilistic, not proof.** Clustering can be **wrong** — shared-wallet services, coinjoins, and false-positive change heuristics can mis-group addresses. Clustering gives **leads**, not certainty.
- **Privacy coins and strong mixing can defeat tracing.** Monero-style cryptography can make the trail genuinely unreadable; effective mixers can break attribution.
- **Attribution depends on off-chain data** you may not have — without KYC, a subpoena, or vendor labels, a cluster is just unnamed addresses. The chain shows *what moved*, not always *who*.
- **The fiat boundary still matters.** On-chain analytics ends where the money leaves the chain; the **off-ramp's KYC** (or lack of it) determines whether you ever get a name.
- **Sunrise/coverage gaps** (uneven global Travel Rule adoption, unregulated DeFi/P2P) mean some activity has no regulated chokepoint to query.
- Honest framing for the exam: blockchain analytics is **powerful for tracing flows and prioritizing leads**, but it is **investigative intelligence**, not automatic identification — combine it with traditional CDD, legal process, and judgment.
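The clustering and attribution section and the first limit above (heuristics mis-group addresses) are both illustrated by this added example, which is not part of the lesson or of any analytics vendor's product. It implements the common-input (multi-input) heuristic with a union-find structure, adds a simple fresh-address change heuristic, attributes whole clusters from an off-chain label table, and then shows how one CoinJoin-style transaction, if not recognized and skipped, merges unrelated clusters into a single one with conflicting labels. The transactions, addresses and labels are constructed; the CoinJoin detector (several inputs and several equal-value outputs) is a simplified assumption, not a production rule.

```python
"""Added example: multi-input clustering, change heuristic, attribution, and the
CoinJoin false positive. All transactions and labels are constructed."""
from collections import defaultdict

# Constructed transactions: (txid, input addresses, [(output address, amount)]).
TXS = [
    ("tx1", ["a1", "a2"], [("m1", 1.5)]),              # a1 and a2 spent together
    ("tx2", ["a2", "a3"], [("m1", 0.7), ("a4", 0.3)]),  # a3 joins; a4 is a fresh output (change)
    ("tx3", ["b1"], [("x1", 2.0)]),
    ("tx4", ["b1", "b2"], [("x2", 1.0)]),              # b1 and b2 spent together
    # CoinJoin-style: three unrelated parties, three equal-value outputs.
    ("cj1", ["a3", "b2", "c1"], [("o1", 0.1), ("o2", 0.1), ("o3", 0.1), ("a5", 0.02)]),
]

# Constructed off-chain attribution for single addresses (KYC, vendor labels...).
LABELS = {"a1": "Exchange-A deposit address", "b1": "DarknetMarket-B"}


class UnionFind:
    """Disjoint sets over addresses; registers addresses on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(inputs, outputs, min_parties=3):
    """Assumed detector: >= min_parties inputs and >= min_parties equal-value outputs."""
    if not outputs:
        return False
    counts = defaultdict(int)
    for _addr, amount in outputs:
        counts[amount] += 1
    return len(inputs) >= min_parties and max(counts.values()) >= min_parties


def cluster(txs, skip_coinjoins=True):
    """Return address clusters as a list of frozensets.

    Common-input heuristic: all inputs of one transaction share an owner.
    Change heuristic: if exactly one output address has never been seen before
    (and there are at least two outputs), treat it as change owned by the spender.
    """
    uf = UnionFind()
    seen = set()
    for _txid, inputs, outputs in txs:
        if skip_coinjoins and looks_like_coinjoin(inputs, outputs):
            continue  # heuristic does not hold: inputs belong to different parties
        for addr in inputs:
            uf.union(inputs[0], addr)
        fresh = [addr for addr, _amt in outputs if addr not in seen]
        if len(outputs) >= 2 and len(fresh) == 1:
            uf.union(inputs[0], fresh[0])
        seen.update(inputs)
        seen.update(addr for addr, _amt in outputs)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_of(clusters, addr):
    """The cluster containing addr, or None if addr was never clustered."""
    return next((c for c in clusters if addr in c), None)


def attribute(clusters, labels):
    """Lift single-address labels to whole clusters. More than one distinct
    label on a cluster is a warning sign that the heuristic mis-grouped."""
    return {c: sorted({labels[a] for a in c if a in labels}) for c in clusters}


if __name__ == "__main__":
    good = cluster(TXS)
    print("with CoinJoin skipped:", attribute(good, LABELS))
    naive = cluster(TXS, skip_coinjoins=False)
    print("CoinJoin treated as common-input:", attribute(naive, LABELS))
```

With the CoinJoin skipped, a1 through a4 form one cluster attributed to Exchange-A and b1/b2 form a second attributed to the darknet market; c1 is never clustered. Treating cj1 as an ordinary spend collapses everything into a single cluster carrying both labels, which is exactly the kind of contradictory attribution that should send an investigator back to check the heuristic rather than trust the label.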
Recap & next — [scripted]
So flip the transparency around and the blockchain becomes the investigator's friend. The ledger is public and permanent; clustering groups addresses likely held by one entity, and attribution puts a real-world name on the cluster using off-chain data like exchange KYC. The on-ramps and off-ramps are where identity lives, which makes them both the highest-risk points and the place cases get solved. Red flags cluster around mixers, sanctioned and darknet addresses, unhosted-wallet transfers, and profile-inconsistent volume. But stay honest about the limits — heuristics are probabilistic, privacy coins can defeat tracing, and without off-chain data a cluster is just anonymous strings. That closes Domain 6. Next, we shift into exam strategy: decoding the CAMS® question formats and mastering the elimination technique that turns hard items into answerable ones.
Sources
- FATF "Virtual Assets — Red Flag Indicators of Money Laundering and Terrorist Financing" (2020)
- FATF Updated Guidance for a Risk-Based Approach to VAs and VASPs (2021)
- FinCEN advisories & red-flag indicators on convertible virtual currency
- OFAC SDN List (designation of virtual-currency addresses)
- common-input / multi-input clustering heuristic (public blockchain-analysis literature)