By NHI Mgmt Group Editorial TeamPublished 2026-05-12Domain: Cyber SecuritySource: Chainalysis

TL;DR: A survey of over 800 public sector employees globally on cryptocurrency investigations found the report focused on perceptions, regional differences, resource constraints, and the expected rise in crypto involvement in criminal cases over the next five years, according to Chainalysis. The practical issue is not crypto adoption itself, but whether investigative teams can sustain the tooling, training, and operating model required to follow it.


At a glance

What this is: This report examines how government agencies view cryptocurrency investigations and highlights the operational constraints shaping their ability to respond.

Why it matters: It matters because investigative programmes now need repeatable workflows, trained staff, and evidence-handling discipline for crypto-related cases, even when the topic sits outside traditional IAM and NHI controls.

By the numbers:

👉 Read Chainalysis's 2024 State of Cryptocurrency Investigations Report


Context

Cryptocurrency investigations create a governance gap between fast-moving financial activity and slower public-sector investigative processes. Teams can have access to blockchain data and case intelligence, but still struggle with resourcing, training, and repeatable methods for turning that data into admissible evidence.

For identity and access teams, the intersection is indirect but real: investigative access, case management permissions, and chain-of-custody controls still need clear ownership. The report is best read as an operating-model signal for agencies that are building capability around a domain that is becoming more operationally demanding, not less.


Key questions

Q: How should agencies organise access to crypto investigation cases?

A: Agencies should assign access by role, case stage, and jurisdiction, then remove permissions when the case closes. Investigative systems need the same least-privilege discipline as any sensitive enterprise platform because evidence, identities, and partner data all become audit concerns. Case access should be reviewable and time-bounded.

Q: Why do crypto investigations become slow even with good tooling?

A: Tooling shortens analysis, but investigations still slow down when teams lack trained analysts, repeatable workflows, and clear approval paths. The bottleneck usually sits in human coordination, evidence handling, and case governance. That is why operational maturity matters as much as analytics quality.

Q: What do public-sector teams get wrong about blockchain intelligence?

A: They often treat blockchain intelligence as the whole solution instead of one part of a larger investigative process. The tool can surface patterns, but teams still need case management, evidence preservation, and trained analysts to turn those signals into defensible findings.

Q: What should agencies do when crypto case volume starts rising?

A: They should expand training, tighten case access controls, and standardise the investigative workflow before volume forces improvisation. If case demand rises faster than governance, teams will create backlog, inconsistent evidence handling, and avoidable accountability gaps.


Technical breakdown

Why crypto investigations strain public-sector operating models

Blockchain investigations are not just a technical lookup exercise. Analysts must correlate wallet activity, exchange touchpoints, and off-chain evidence while preserving provenance and explainability. That means investigative work depends on repeatable process, access control, and evidence handling as much as on analytics. When agencies lack enough trained staff, even strong tooling does not solve the bottleneck because the limiting factor becomes the workflow around the tool, not the tool itself.

Practical implication: agencies need documented investigative workflows, case access controls, and reviewable evidence handling before scaling blockchain analysis.

Blockchain intelligence tools and investigative throughput

Blockchain intelligence tools help analysts cluster wallets, trace flows, and surface links across transactions that would be impractical to assemble manually. Their value increases when teams already know what they are looking for and can move quickly from alert to case development. In practice, the tool does not replace investigative judgement. It compresses the time needed to form a defensible theory of the case and reduces the amount of manual triage required to get there.

Practical implication: invest in tools that reduce manual triage, but pair them with analyst training and clear escalation thresholds.

Training, permissions, and case governance in crypto work

Crypto investigations create a subtle identity and access problem inside the agency itself. Analysts, supervisors, and external partners often need different levels of access to cases, intelligence, and evidentiary records. Without lifecycle-managed permissions, teams can accumulate unnecessary access, making review harder and raising accountability risk. This is where IAM discipline matters even in a non-IAM article: the case environment still needs governed identities, least privilege, and auditability.

Practical implication: apply least-privilege access and audit logging to investigative systems, not just to production security tools.


NHI Mgmt Group analysis

Crypto investigations are becoming an identity and governance problem, not just an intelligence problem. Agencies can buy data feeds and analytics, but they still need governed access to cases, evidence, and partner data. That creates a familiar control question for security leaders: who can see what, when, and under what approval path? In public-sector operations, investigative maturity is as much about access governance as it is about blockchain visibility.

The report points to a capability gap that many organisations underestimate. Surveyed agencies are looking at future crypto-related case growth while already facing resource and timeframe pressure. That combination usually produces process drift, informal workarounds, and inconsistent documentation unless ownership is explicit. The implication for practitioners is straightforward: investigation workflows need to be designed as a governed service, not as ad hoc analyst effort.

Crypto case handling exposes a named concept we should take seriously: investigative access sprawl. When multiple teams, jurisdictions, and external partners touch the same case environment, permissions tend to accumulate faster than they are reviewed. That weakens auditability and makes it harder to prove who handled what evidence. Identity governance principles still apply here, even if the subject matter is blockchain rather than enterprise IAM.

Training is the difference between capability and theatre. The report ties better outcomes to investment in blockchain intelligence solutions and comprehensive training, which is consistent with what mature security programmes learn in other domains. Tooling without disciplined use produces shallow outputs, while trained analysts can turn incomplete signals into defensible leads. For public-sector teams, the practical conclusion is that process, permissioning, and training need to be funded together.

Regional variation matters because investigative readiness is not uniform. If agencies in different regions hold different levels of optimism and capability, then cross-border cases will inherit uneven process quality and inconsistent evidentiary standards. That should influence how teams structure collaboration, escalation, and records retention. Practitioners should assume multi-jurisdiction investigations will fail at the seams unless governance is explicitly harmonised.

What this signals

The practical signal for readers is that investigative capability is becoming an operating-model issue. Agencies that do not treat permissions, evidence handling, and training as part of the same control system will struggle to scale crypto investigations without creating audit gaps.

Investigative access sprawl: this is the pattern where case systems accumulate more users, more partner access, and weaker review discipline over time. The implication is familiar to identity teams even when the workload is not a classic IAM programme: if access is not lifecycle-managed, accountability erodes quietly.


For practitioners

  • Separate investigative access by role and case stage Grant analysts, supervisors, and external partners only the case access they need for the current stage of work. Review permissions at case closeout and remove inherited access from shared evidence repositories and blockchain intelligence platforms.
  • Document the blockchain investigation workflow Define intake, triage, enrichment, escalation, and evidence preservation steps so investigators do not improvise under pressure. Keep the workflow reviewable so managers can measure where cases stall and where approvals slow progress.
  • Pair blockchain intelligence with analyst training Train investigators to interpret transaction graphs, exchange touchpoints, and off-chain indicators in a consistent way. Measure whether training changes case quality, not just tool usage, and make refresher training part of the operating cadence.
  • Build auditability into case systems Log access, evidence handling, and decision points inside the systems used for investigations. Audit trails should show who viewed a case, what they changed, and when evidence moved between teams or jurisdictions.

Key takeaways

  • Crypto investigations are constrained less by the existence of blockchain data than by the governance needed to use it well.
  • The report’s survey of over 800 public sector employees shows that agencies are trying to build capability under resource and time pressure.
  • The decisive controls are training, case access governance, and auditability, not analytics alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Investigative case access needs least privilege and account governance.
NIST SP 800-53 Rev 5AC-6Least privilege is central to controlled access across case and evidence systems.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle control supports audited access to sensitive investigation tools.

Use CIS-5 to review and revoke excess accounts across case management and intelligence systems.


Key terms

  • Blockchain Intelligence: Blockchain intelligence is the use of analytics and enrichment data to trace cryptocurrency transactions, identify entities, and connect wallet activity to real-world behaviour. It supports investigations, but it does not replace case management, evidentiary discipline, or trained analysis.
  • Investigative Access Sprawl: Investigative access sprawl is the accumulation of unnecessary or poorly reviewed permissions across case systems, evidence stores, and partner collaboration tools. It weakens accountability, makes audits harder, and increases the chance that sensitive data is seen or handled by people who no longer need it.
  • Chain of Custody: Chain of custody is the documented record showing who collected, accessed, transferred, or modified evidence and when. In digital investigations, it is essential for proving integrity and admissibility because the value of evidence depends on being able to show it was handled consistently and transparently.

What's in the full report

Chainalysis's full report covers the operational detail this post intentionally leaves for the source:

  • Public-sector survey breakdowns by region, useful for comparing investigative maturity across jurisdictions
  • Resource constraint findings that show where agencies struggle most in day-to-day case handling
  • Future trend expectations for crypto involvement in criminal cases over the next five years
  • Practical guidance on how blockchain intelligence tools support investigations and training programmes

👉 Chainalysis's full report covers regional survey insights, investigative challenges, and the path forward for agency teams.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, workload identity, and identity lifecycle discipline. It helps security practitioners connect access governance to the broader control problems that shape modern security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org