
Every Monday morning, analysts at AML Union open a fresh batch of case files — wallet addresses, transaction hashes, timestamps — and begin reconstructing where someone’s money went.
The queue is getting longer.
Over the past year, enquiry volumes at the blockchain forensics firm have climbed in ways that have forced internal restructuring, new computing infrastructure and a rethink of how cases are processed. The reason is straightforward: more investors now understand that a theft recorded on a public ledger is not the same as a theft that leaves no evidence. That realisation, slow to take hold across retail crypto markets, is reshaping who gets called when funds disappear.
For years, the prevailing assumption was grim and simple. Crypto gone from a wallet was crypto gone for ever.
That assumption is crumbling. Blockchain’s defining architectural feature — every transfer logged permanently, publicly, in sequence — turns out to be exactly the property that investigators need. Each transaction carries a sending address, a destination address and a timestamp. String enough of them together and a forensic analyst can reconstruct the precise route an asset took: through exchanges, through conversion services, through dozens of intermediate wallets before finally going quiet. It is painstaking work. But it is work that can be done.
AML Union’s process starts before any deep analysis begins. Claimants submit the basics — wallet addresses, hash identifiers, the date and approximate time of the transfer in question. Automated checks run that information against public blockchain data first, confirming the details are consistent before human analysts move further. Only then does a case proceed to forensic review.
A crucial gate. One that filters out the noise before the real work starts.
From there, investigators use blockchain analytics tools to examine clusters of wallets and sequences of transactions, paying particular attention to how assets were converted as they crossed between networks. The output, in the clearest cases, is a chronological map — sometimes spanning dozens of addresses — showing exactly where funds travelled before the trail went cold. Those maps are not just useful internally. They form the evidentiary backbone when cases escalate to legal review.
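A simplified sketch of the intake check and the forward trace described above, added here as an illustration and not AML Union's code or tooling. The ledger is constructed sample data in an account-style model, and the field names, `verify_claim`, `trace` and the 600-second tolerance are assumptions; real tracing also needs wallet clustering and cross-network conversion handling, which this omits.

```python
from collections import deque

# Constructed sample ledger (not real chain data): account-style transfers.
LEDGER = [
    {"txid": "tx1", "src": "victim", "dst": "A", "amount": 10.0, "ts": 1000},
    {"txid": "tx2", "src": "A", "dst": "B", "amount": 6.0, "ts": 1100},
    {"txid": "tx3", "src": "A", "dst": "C", "amount": 4.0, "ts": 1150},
    {"txid": "tx4", "src": "B", "dst": "exchange_deposit", "amount": 6.0, "ts": 1300},
    {"txid": "tx0", "src": "A", "dst": "D", "amount": 1.0, "ts": 900},  # predates the theft
]

def verify_claim(ledger, claim, tolerance=600):
    """Intake gate: the claimed hash must exist, leave the claimant's wallet,
    and fall within `tolerance` seconds of the reported time (assumed value)."""
    tx = next((t for t in ledger if t["txid"] == claim["txid"]), None)
    if tx is None:
        return False, "hash not found on ledger"
    if tx["src"] != claim["wallet"]:
        return False, "transaction was not sent from claimant wallet"
    if abs(tx["ts"] - claim["approx_ts"]) > tolerance:
        return False, "timestamp inconsistent with claim"
    return True, "consistent"

def trace(ledger, start_txid, max_hops=10):
    """Follow funds forward from start_txid.
    Returns (hops in chronological order, addresses where the trail ends)."""
    by_src = {}
    for t in ledger:
        by_src.setdefault(t["src"], []).append(t)
    start = next(t for t in ledger if t["txid"] == start_txid)
    hops, ends, seen = [], set(), {start["txid"]}
    queue = deque([(start, 0)])
    while queue:
        tx, depth = queue.popleft()
        hops.append(tx)
        # Only transfers leaving the destination after the funds arrived can carry them.
        onward = [n for n in by_src.get(tx["dst"], [])
                  if n["ts"] >= tx["ts"] and n["txid"] not in seen]
        if not onward or depth >= max_hops:
            ends.add(tx["dst"])  # trail goes quiet here (or hop budget exhausted)
            continue
        for n in onward:
            seen.add(n["txid"])
            queue.append((n, depth + 1))
    return sorted(hops, key=lambda t: t["ts"]), sorted(ends)
```

This follows every later outgoing transfer from a receiving address, so it over-approximates where the funds went; the end addresses are leads for review, not conclusions.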
The wider sector has been building this infrastructure for years. Chainalysis and Elliptic — both now well-established businesses with law-enforcement contracts across multiple jurisdictions — demonstrated that blockchain activity could be tracked at scale and that the data could withstand scrutiny in formal proceedings. Agencies investigating ransomware payments and exchange breaches have relied on precisely these techniques. What AML Union and firms like it are doing is applying the same forensic logic to a different client base: retail investors who lost funds to scams, mistaken transfers or unauthorised access.
Meanwhile, AML Union has been upgrading its own technical capacity to keep pace with demand. Distributed processing now allows analysts to run several investigations simultaneously, examining different blockchain trails in parallel without grinding the overall workflow to a halt. New tracing modules, currently in development, are being built to handle asset movements across multiple ledger systems — a necessary step as cross-chain transactions become more common in the frauds investigators are seeing.
Security sits at the centre of the operation, executives insist — and the architecture reflects that. Access to case files requires multi-factor authentication. Stored information is encrypted and governed by tiered permission controls that limit who can view what at each stage. Regular internal audits check for irregular activity and confirm that investigation teams are following compliance procedures. None of that is incidental. In a field where the evidence itself is digital, maintaining the integrity of case data is not a procedural formality — it is the whole point.
Jurisdictional complexity adds another layer. Cryptocurrency transactions cross borders in seconds; legal frameworks do not. AML Union maintains compliance matrices that map each stage of a case to the documentation requirements of relevant jurisdictions, a system that becomes critical when a claim involves exchanges operating under different regulatory regimes simultaneously. In practice, a single case may pass through several internal review stages — each one logged, each one templated — before any external escalation occurs.
What’s less certain, and what no forensics firm can fully promise, is what comes after the trail is mapped.
Tracing funds and recovering them are different problems. The final outcome depends on whether exchanges cooperate with information requests, on how quickly investigators started following the trail after the incident, and on the jurisdictions involved. A decade ago, victims of fraudulent transfers often had nowhere to turn. Today, the tools exist. But the tools do not guarantee the money comes back.
That tension — between what forensics can reveal and what can actually be retrieved — sits at the heart of every case file opened on a Monday morning. The trail is there. Reading it is the easy part.