By NHI Mgmt Group Editorial TeamPublished 2026-05-20Domain: Cyber SecuritySource: Chainalysis

TL;DR: Investigators in Italy traced more than €1 million in undeclared capital gains tied to Bitcoin Ordinals and BRC-20 activity, showing that even technically complex digital asset schemes leave a usable on-chain trail when paired with blockchain intelligence, according to Chainalysis. The case reinforces that transparency, not novelty, remains the investigative constraint.


At a glance

What this is: This is a case study on how investigators traced a multi-year crypto tax evasion scheme involving Bitcoin Ordinals and BRC-20 tokens back to a suspect’s wallet cluster and exchange records.

Why it matters: It matters to IAM, fraud, and compliance teams because the same identity bridge that exposes crypto flows also shows how KYC, exchange controls, and transaction mapping can connect pseudonymous activity to a real person.

👉 Read Chainalysis' analysis of the Italy Ordinals tax evasion case


Context

Crypto tax evasion is often treated as a problem of obscurity, but the operational issue is usually identity linkage rather than pure transaction visibility. Public blockchains can preserve the movement of value, while exchanges and KYC records provide the path back to a real-world person. That makes blockchain analytics relevant not only to investigators, but also to compliance teams dealing with identity assurance across regulated financial flows.

This article focuses on Bitcoin Ordinals and BRC-20 tokens as a case study in how new asset formats are used to obscure taxable gain, not because the assets themselves are inherently illicit. The suspect’s use of a hardware wallet, address rotation, and exchange off-ramps is typical of many pseudonymous financial crime patterns, even when the underlying technology is novel.


Key questions

Q: How should investigators trace crypto activity when wallets use many addresses?

A: They should cluster addresses using transaction behaviour, funding patterns, and common-input-ownership heuristics, then validate those clusters against exchange records and other off-chain evidence. Multiple addresses do not equal multiple owners. The strongest attribution comes from combining on-chain analysis with identity data from regulated services.

Q: Why do regulated exchanges matter in crypto tax investigations?

A: Regulated exchanges are where pseudonymous blockchain activity most often becomes attributable through KYC records, withdrawal logs, and disclosure processes. On-chain data shows movement, but exchanges can connect that movement to a named person or entity. That makes them the critical identity bridge in many investigations.

Q: What do teams get wrong about novel crypto asset classes?

A: They often assume new formats such as Ordinals or token inscriptions are inherently harder to trace than traditional transfers. In practice, novelty changes the workflow, not the ledger’s transparency. Analysts still have a permanent transaction record, which can be combined with exchange data and behavioural patterns to reconstruct the scheme.

Q: Who is accountable when crypto gains are hidden through pseudonymous wallets?

A: Accountability usually sits with the individual or entity controlling the wallets, but investigators often need exchange cooperation to establish it. For compliance programmes, that means KYC quality, record retention, and disclosure readiness are not administrative details. They are the controls that determine whether attribution is possible.


Technical breakdown

How Ordinals and BRC-20 activity creates a traceable on-chain cycle

Bitcoin Ordinals assign serialised inscriptions to satoshis, while BRC-20 tokens use those inscriptions to represent fungible assets without a conventional smart contract layer. That means the asset logic can look unusual to a casual observer, but the transaction graph still exists on a public ledger. Investigators can reconstruct funding, minting, listing, sale, and reinvestment cycles by following UTXO movement and repeated wallet behaviour. The technical novelty changes the shape of the trail, not the existence of the trail.

Practical implication: investigators should model novel token standards as traceable transaction graphs, not as anonymity layers.

Why hardware wallets and address rotation do not break attribution

Hardware wallets improve key custody, but they often generate multiple receiving addresses to preserve privacy. In Bitcoin’s UTXO model, that fragmentation can make activity appear disconnected when it is actually controlled by one entity. Common-input-ownership heuristics help analysts cluster addresses that are likely managed together by observing which inputs are spent in the same transaction. This is probabilistic, not absolute, but it is often enough to connect wallet clusters to a suspect’s broader activity pattern.

Practical implication: forensic teams should combine wallet clustering with exchange records and off-chain evidence before treating address rotation as effective concealment.

Why centralized exchanges remain the identity bridge in crypto investigations

Blockchain addresses are pseudonymous, not anonymous. The point where a user deposits, withdraws, or off-ramps through a regulated exchange is usually where identity becomes visible through KYC records and disclosure processes. That creates an identity bridge between on-chain behaviour and a named individual. For compliance and investigative work, this is the decisive control point because the ledger shows value movement, while the exchange often supplies the attribution layer.

Practical implication: treat exchange onboarding and disclosure processes as the critical join point between blockchain evidence and real-world identity.


Threat narrative

Attacker objective: The objective was to generate taxable income from novel digital assets while keeping the gains hidden from tax authorities and law enforcement.

  1. Entry occurred through the suspect’s use of a hardware wallet and structured on-chain activity that masked ownership across multiple receiving addresses.
  2. Escalation came from repeated inscription, listing, sale, and reinvestment cycles that converted novel token activity into undeclared capital gains.
  3. Impact was the accumulation of more than €1 million in concealed gains and the laundering of attribution through pseudonymous wallet activity until investigators correlated exchange records.

NHI Mgmt Group analysis

Blockchain transparency is now the counterweight to crypto novelty. The article shows that new token standards do not remove forensic visibility, they simply change the analytical workload. Investigators still need clustering, exchange attribution, and behavioural pattern recognition, which makes blockchain intelligence a governance issue as much as a technical one. For practitioners, the lesson is that obscurity claims should never be accepted as a control.

Identity resolution is the real control plane in crypto crime investigations. On-chain tracing can show what moved, but it cannot by itself show who moved it. The regulated exchange, KYC record, and disclosure order form the identity bridge that turns pseudonymous activity into an accountable subject. For compliance teams, that makes onboarding quality and disclosure readiness part of the investigative surface.

Token novelty creates a false sense of concealment. Ordinals and BRC-20s do not break the ledger model, they exploit unfamiliarity with it. That creates a gap between operational complexity and actual anonymity, which is where many illicit schemes try to hide. The practitioner conclusion is to assess unfamiliar asset classes through traceability, not novelty.

Wallet fragmentation is a recognition problem, not a concealment guarantee. Multiple addresses and self-custody tooling can complicate initial review, but they do not eliminate linkability when transaction inputs and downstream behaviour are analysed together. This is a useful reminder that pseudonymity is a weak privacy model once adversaries can correlate patterns at scale. For investigators, the implication is to invest in clustering methods and evidence fusion.

Declaring assets, not just tracking them, is becoming the governance boundary. The case demonstrates that tax evasion increasingly sits at the intersection of digital asset analytics, financial compliance, and identity verification. The field needs to treat undeclared on-chain value as a lifecycle problem that spans acquisition, custody, exchange, and reporting. For practitioners, the actionable point is to close the gap between transactional visibility and regulated identity assurance.

What this signals

Identity evidence is becoming the decisive layer in financial crime analysis. As more value moves through pseudonymous systems, the control question shifts from whether the ledger is visible to whether the identity bridge is intact. That makes KYC, exchange governance, and disclosure operations more important to compliance outcomes than the novelty of the asset class itself.

Crypto investigations now reward correlation over singular proofs. No single wallet or address proves ownership, but clustered behaviour, off-ramp records, and public subsidy data can together create a defensible attribution narrative. For practitioners, the programme signal is clear: integrate transaction monitoring with identity assurance and case management instead of treating them as separate disciplines.


For practitioners

  • Map wallet clusters before assuming anonymity Use transaction-input analysis and behavioural grouping to link rotated addresses to a single control set, then validate those clusters against exchange records and off-chain evidence.
  • Treat exchange off-ramps as identity checkpoints Prioritise KYC quality, disclosure responsiveness, and record retention at centralized exchanges, because those are the points where pseudonymous activity becomes attributable.
  • Flag novel token standards in tax and fraud workflows Build review rules for Ordinals, BRC-20, and similar emerging formats so investigators do not dismiss unusual asset flows as technically opaque but financially benign.
  • Correlate self-custody with subsidy or benefit claims When public funds, grants, or subsidies are in play, compare declared income against wallet activity and asset sales to identify concealed capital gains or unreported revenue.

Key takeaways

  • This case shows that Bitcoin Ordinals and BRC-20 activity can still be traced when investigators combine blockchain analytics with exchange records.
  • The scale matters because more than €1 million in undeclared gains was identified through wallet clustering and off-ramp attribution.
  • The practical control is not trying to hide the ledger, but strengthening identity linkage, KYC quality, and investigative correlation across custody points.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AA-1Identity assertion and attribution are central to turning on-chain traces into accountable subjects.
NIST SP 800-53 Rev 5AU-6Audit review supports correlation of transaction evidence and disclosure records.
GDPRArt.32Personal data in KYC and disclosure workflows requires secure handling and access control.

Strengthen identity assurance at exchange and custody points so wallet activity can be linked to real entities.


Key terms

  • Bitcoin Ordinals: Bitcoin Ordinals are a method for assigning serial numbers to individual satoshis and attaching data to them through inscriptions. They create a new kind of asset expression on Bitcoin, but they still produce traceable transactions on a public ledger that analysts can follow.
  • BRC-20 Tokens: BRC-20 tokens are an experimental token format built on Bitcoin Ordinals using text-based inscriptions to represent fungible assets. They do not rely on traditional smart contracts, which makes them unusual operationally, but still subject to blockchain analysis and transaction tracing.
  • Common-Input-Ownership Heuristics: Common-input-ownership heuristics are analytical methods used to infer that multiple blockchain addresses are controlled by the same entity when they spend inputs together in a transaction. The technique is probabilistic, not absolute, but it is often enough to build a defensible wallet cluster for investigation.
  • Identity Bridge: An identity bridge is the point where pseudonymous technical activity becomes linked to a real-world person through records such as KYC data, account logs, or disclosure orders. In crypto investigations, exchanges often provide this bridge by connecting wallet activity to named account holders.

What's in the full article

Chainalysis' full analysis covers the investigative detail this post intentionally leaves at the pattern level:

  • Step-by-step reconstruction of the wallet cluster that investigators built from the seized Ledger device.
  • How common-input-ownership heuristics were used to resolve address fragmentation into one controlling entity.
  • The full inscription-to-sale-to-reinvestment cycle that produced the undeclared capital gains.
  • How exchange KYC records and disclosure orders turned pseudonymous on-chain activity into a named suspect.

👉 The full Chainalysis article covers the wallet tracing logic, exchange attribution path, and case details.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, IAM, and workload identity. It helps practitioners connect identity controls to the operational risks that shape modern security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org