Subscribe to the Non-Human & AI Identity Journal

How should investigators prove who controlled a cryptocurrency wallet?

Investigators should combine blockchain tracing with identity records from exchanges, device evidence, two-factor authentication logs, message timestamps, and any physical-world artefacts tied to wallet use. Wallet movement alone rarely proves control. The strongest cases show a consistent chain from on-chain activity to a named person, with corroboration at every step.

Why This Matters for Security Teams

Proving control of a cryptocurrency wallet is not the same as proving that a wallet address was used in a transaction. Investigators need evidence that links on-chain activity to a real-world actor, and that link often depends on custody records, authentication events, endpoint artefacts, and communications metadata. For security, fraud, and legal teams, the issue is evidentiary integrity: if attribution is weak, the case can fail even when the blockchain trail is clear. The NIST Cybersecurity Framework 2.0 is useful here because it reinforces disciplined evidence handling, access governance, and incident response discipline.

Practitioners often miss that wallet control can be shared, delegated, or transient. A person may control a wallet through a browser session, a hardware device, a custodial account, a mobile app, or a compromised authentication factor. That means investigators should avoid treating a single artefact as dispositive. Best practice is to build an attribution chain that survives challenge: who had access, which device was used, what account authenticated, and what supporting artefacts confirm that sequence. In practice, many security teams encounter disputed wallet ownership only after assets have already moved and log retention is too weak to reconstruct control.

How It Works in Practice

Effective attribution starts with blockchain tracing, but it does not end there. The on-chain record shows movement, timing, counterparties, and clustering patterns, while off-chain evidence establishes who could have initiated those actions. Investigators should preserve exchange records, KYC files, login history, withdrawal approvals, MFA events, device fingerprints, IP logs, session tokens, and support tickets. Where available, endpoint evidence can be highly probative: browser history, wallet extension state, seed phrase storage indicators, hardware wallet connection logs, or mobile app artefacts can all strengthen the chain of custody.

Good cases usually combine multiple layers of corroboration:

  • Exchange or custodian records showing account registration and access history.
  • Authentication logs tying wallet activity to a specific user session or device.
  • Message timestamps or email exchanges that align with transfer timing.
  • Physical-world artefacts such as seized devices, written seed phrases, or transaction notes.
  • Network evidence such as IP addresses, VPN patterns, or geolocation inconsistencies.

Investigators should also separate possession from control. A wallet may be technically accessible to one person but operationally used by another, especially in shared business settings, custody arrangements, or criminal networks. Where two-factor authentication is involved, proof often depends on whether the second factor was enrolled, stored, or approved by the same actor who initiated the transfer. Guidance from identity assurance frameworks such as NIST SP 800-63 helps investigators think about authentication strength, but it does not replace attribution-specific evidence. These controls tend to break down in self-custody environments with no provider logs and short-lived device artefacts because the evidentiary trail collapses once the endpoint is wiped or reset.

Common Variations and Edge Cases

Tighter attribution standards often increase investigative cost and delay, requiring organisations to balance evidentiary strength against the speed needed to freeze assets or support prosecution. Current guidance suggests that the acceptable proof threshold depends on context: civil disputes, criminal cases, internal fraud investigations, and sanctions reviews do not all require the same burden of proof. There is no universal standard for this yet, so investigators should document the intended use of evidence from the outset.

Edge cases are common. A wallet may be controlled through a multisig arrangement, a shared treasury process, a custodial exchange, or an automated agent that can sign transactions under predefined rules. In those scenarios, the right question is not simply “who owned the address?” but “who had authority, who executed the action, and who could override it?” That distinction matters especially where an AI Risk Management Framework mindset is needed for systems where automation, delegation, or agentic tooling influences transaction initiation. Investigators should also be careful with privacy-preserving wallets, mixers, and cross-chain bridges, because these can obscure transaction paths without proving that control is impossible to establish. The strongest approach is to preserve evidence early, map every off-chain dependency, and treat attribution as a multi-source reconstruction rather than a single log review.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATLAS and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-03 Wallet attribution depends on disciplined risk decisions and evidence governance.
NIST SP 800-63 IAL2 Identity assurance helps assess how strongly a wallet user was tied to a real person.
NIST AI RMF GOVERN AI-assisted or delegated wallet workflows need accountability and traceability.
MITRE ATLAS Adversarial tradecraft can hide control through deception, automation, or layered proxies.
OWASP Agentic AI Top 10 Agentic tooling can initiate or approve transfers without a human directly signing each step.

Use a formal evidence governance process so attribution claims are documented, reviewable, and defensible.