
Wallet tracking on-chain: How hackers do it

Blockchain · February 9, 2026 · #Blockchain

In the blockchain era, transparency is a double-edged sword. Tan Phat Digital analyzes the techniques attackers use to identify wallets and hunt for assets on-chain.

The development of blockchain technology has created a paradox of the digital era: absolute transparency wrapped in an illusion of anonymity. Many users still believe that a wallet address, a long pseudo-random string, shields their identity, but the on-chain reality is very different. According to experts at Tan Phat Digital, tracking crypto wallets no longer requires movie-style wizardry; it is a systematic data-analysis process built on address-clustering heuristics, real-time mempool monitoring, and off-chain data leaks. Threat actors, from individual MEV searchers to state-sponsored groups such as Lazarus, have turned the public ledger into a playground of relentless surveillance. This report walks through the technical mechanisms attackers use to identify, track, and ultimately seize a target's assets by exploiting the core properties of a public ledger.

The Technical Foundation of Surveillance: Address Clustering and On-Chain Analysis

Wallet tracking starts with linking multiple seemingly unrelated addresses to a single entity through heuristics, rules of thumb that are usually but not always right. Blockchains built on the UTXO (Unspent Transaction Output) model, such as Bitcoin and Cardano, expose structural clues that an attacker can exploit to break pseudonymity.

Multi-input Heuristic

This is the most important address-clustering technique, also known as the common-input-ownership heuristic. It rests on the structure of a UTXO transaction: when an entity wants to send more than any single address holds, it must pool several UTXOs from different addresses it controls into one transaction. To do so, the sender must supply a valid signature for every input, which is strong evidence that one entity holds the private keys for all of those addresses.

Attackers use a union-find (disjoint-set) algorithm to merge these addresses into clusters, so that a single transaction can reveal an individual's or organization's entire wallet "ecosystem". Studies show that the average entity controls about 9.67 addresses on the Cardano network, and the number is higher for entities active on Bitcoin. The heuristic has a known blind spot: when unrelated parties deliberately co-sign one transaction, as in CoinJoin, the inputs do not share an owner, which is exactly why mixing wallets appear among the countermeasures at the end of this article.

Change Address Heuristic

In the UTXO model a coin is consumed whole: every input is spent in full. If the amount being paid is less than the total of the inputs, the remainder is returned to the sender at a "change address". Modern wallet software automatically generates a fresh address for each change output to protect privacy, but attackers can still pick it out through behavioral patterns:

  • Address status: the change address has usually never appeared on the blockchain before, marking it as a new address of the same owner.

  • Output structure: it is the only never-seen address among the outputs, which distinguishes it from the actual recipient's address.

  • Transaction value: the change amount is usually a non-round number with many decimals, while the payment itself is often a round figure, so the attacker can tell which output is the residual balance.

  • Timing: the address is created at the moment the original transaction is built, permanently linking it to the existing address cluster.

Identifying the change address lets an attacker keep watching even as a victim tries to spread assets across new wallets. Because the process is mechanical, manual attempts at anonymization are useless against automated analysis tools.
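The two heuristics above, implemented over a small set of constructed transactions (an added example, not code from the original article or from any analytics vendor). Transactions are modeled as a list of input addresses plus (address, amount) outputs; the "round amount" threshold, the crude CoinJoin fingerprint and the sample addresses are assumptions for illustration. The block also applies the CoinJoin caveat: a transaction with many inputs and repeated equal-value outputs is not clustered, because its inputs probably do not share an owner.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data). Each tx lists its
# input addresses and its (address, amount_in_BTC) outputs. "M" is a merchant
# address assumed to be known already; the last tx is CoinJoin-shaped.
SAMPLE_TXS = [
    {"inputs": ["A1", "A2"], "outputs": [("M", 0.5), ("A3", 0.27391)]},
    {"inputs": ["A3", "A4"], "outputs": [("EXCH", 0.4), ("A5", 0.12345)]},
    {"inputs": ["B1"], "outputs": [("A5", 0.1), ("B2", 0.04321)]},
    {"inputs": ["C1", "C2", "C3"],
     "outputs": [("D1", 0.1), ("D2", 0.1), ("D3", 0.1), ("C4", 0.0123)]},
]


class UnionFind:
    """Disjoint-set forest with path compression: merges address sets."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def is_round(amount_btc):
    """'Round' here means a multiple of 0.001 BTC (assumed threshold); change is rarely that neat."""
    return round(amount_btc * 1e8) % 100_000 == 0


def looks_like_coinjoin(tx):
    """Crude CoinJoin fingerprint: 3+ inputs and repeated equal-value outputs.
    Co-signing strangers break the common-input assumption, so such txs are skipped."""
    amounts = [amt for _, amt in tx["outputs"]]
    return len(tx["inputs"]) >= 3 and len(amounts) != len(set(amounts))


def change_output(tx, seen):
    """Change-address heuristic: the single never-seen output with a non-round
    amount, provided there is at least one other output to carry the payment."""
    fresh = [addr for addr, _ in tx["outputs"] if addr not in seen]
    if len(fresh) != 1 or len(tx["outputs"]) < 2:
        return None
    amount = dict(tx["outputs"])[fresh[0]]
    return fresh[0] if not is_round(amount) else None


def cluster_addresses(txs, known_addresses=()):
    """Returns address -> frozenset(cluster) for every address that ever spent
    or was identified as change. Pure payment recipients are not clustered."""
    uf = UnionFind()
    seen = set(known_addresses)
    for tx in txs:
        if not looks_like_coinjoin(tx):
            first = tx["inputs"][0]
            for addr in tx["inputs"][1:]:
                uf.union(first, addr)            # common-input ownership
            change = change_output(tx, seen)
            if change is not None:
                uf.union(first, change)          # change flows back to the spender
        for addr in tx["inputs"]:
            uf.find(addr)                         # register singletons too
        seen.update(tx["inputs"])
        seen.update(addr for addr, _ in tx["outputs"])
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(groups[uf.find(addr)]) for addr in uf.parent}


if __name__ == "__main__":
    for addr, cluster in sorted(cluster_addresses(SAMPLE_TXS, {"M"}).items()):
        print(addr, "->", sorted(cluster))
```

On the sample, A1, A2, A3 and A4 collapse into one cluster: A3 is caught as change of the first transaction and then co-spent with A4 in the second. A5 stays unlinked because the second transaction has two never-seen outputs, and the CoinJoin-shaped transaction leaves C1, C2 and C3 as singletons.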


Sweeper Bots: Automated predators in the Mempool

Once attackers have obtained a victim's private key or seed phrase, they often do not act immediately if the current balance is low or the assets are illiquid tokens. Instead, they deploy sweeper bots that watch the wallet around the clock.

Mechanism and the gas fee race

A sweeper bot monitors the mempool, the queue of transactions waiting to be confirmed by miners or validators. When a user realizes the wallet is compromised and deposits a small amount of native coin (for example ETH or BNB) to pay the gas for moving the remaining valuable tokens out, the bot sees the deposit the moment it is broadcast.

The bot immediately creates its own withdrawal transaction targeting the newly deposited coins or the valuable tokens in the wallet. The decisive detail is that both the victim's withdrawal and the bot's sweep are sent from the same compromised account, so they carry the same nonce and the network keeps only one of them: the one paying the higher fee. The attacker therefore sets an extremely high priority fee (Gas_{hacker} > Gas_{user}) so that the replacement wins and the block builder includes it first. On Ethereum and EVM-compatible networks, inclusion and ordering depend largely on what the sender is willing to pay, which makes this race effectively unwinnable for an ordinary user sending through the public mempool.
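The race above as an added simulation that is not part of the original article: a toy ledger whose mempool applies same-sender, same-nonce replacement, a sweeper that answers any public deposit with a higher-fee sweep, and the rescue approach incident responders actually use, sending the gas top-up and the withdrawal together as a private, atomic bundle that never touches the public mempool (Flashbots-style bundles are the real-world equivalent). Account names, amounts and the fee multiplier are constructed.

```python
from dataclasses import dataclass


@dataclass
class Tx:
    sender: str
    to: str
    value: int
    nonce: int
    fee: int   # priority fee offered to the block builder (toy units)


class Chain:
    """Toy ledger with a public mempool. Two pending txs from the same sender
    with the same nonce are replacements of each other: the higher fee wins."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.nonces = {addr: 0 for addr in balances}
        self.pending = {}      # (sender, nonce) -> Tx
        self.watchers = []     # anyone listening to the public mempool

    def broadcast(self, tx):
        key = (tx.sender, tx.nonce)
        current = self.pending.get(key)
        if current is None or tx.fee > current.fee:
            self.pending[key] = tx          # replacement by fee
        for watcher in list(self.watchers):
            watcher(self, tx)               # the mempool is public

    def _apply(self, tx):
        if self.nonces.get(tx.sender, 0) != tx.nonce:
            return False
        if self.balances.get(tx.sender, 0) < tx.value + tx.fee:
            return False
        self.balances[tx.sender] -= tx.value + tx.fee
        self.balances[tx.to] = self.balances.get(tx.to, 0) + tx.value
        self.nonces[tx.sender] = tx.nonce + 1
        return True

    def build_block(self, private_bundle=()):
        """A private bundle (never broadcast) executes first and atomically;
        then public txs are included in descending-fee order, retrying txs
        whose funding only arrives within the same block."""
        snapshot = (dict(self.balances), dict(self.nonces))
        for tx in private_bundle:
            if not self._apply(tx):
                self.balances, self.nonces = snapshot   # bundle reverts as a whole
                break
        progress = True
        while progress:
            progress = False
            for key, tx in sorted(self.pending.items(), key=lambda kv: -kv[1].fee):
                if self._apply(tx):
                    del self.pending[key]
                    progress = True


def sweeper_bot(chain, tx, compromised="compromised", attacker="attacker"):
    """Fires on every public tx: a deposit into the compromised wallet is
    answered with a higher-fee sweep at that wallet's current nonce."""
    if tx.to != compromised or tx.value == 0:
        return
    fee = tx.fee * 5                                   # assumed outbid factor
    value = chain.balances.get(compromised, 0) + tx.value - fee
    chain.broadcast(Tx(compromised, attacker, value, chain.nonces[compromised], fee))


def make_chain():
    chain = Chain({"victim_funds": 5000, "compromised": 0, "victim_safe": 0, "attacker": 0})
    chain.watchers.append(sweeper_bot)
    return chain


def naive_rescue():
    """Victim tops up gas publicly, then tries to withdraw: the bot outbids."""
    chain = make_chain()
    chain.broadcast(Tx("victim_funds", "compromised", 1000, 0, 10))
    chain.broadcast(Tx("compromised", "victim_safe", 990, 0, 10))
    chain.build_block()
    return chain.balances


def bundle_rescue():
    """Same two txs sent as a private atomic bundle: nothing hits the mempool."""
    chain = make_chain()
    bundle = [Tx("victim_funds", "compromised", 1000, 0, 10),
              Tx("compromised", "victim_safe", 990, 0, 10)]
    chain.build_block(private_bundle=bundle)
    return chain.balances


if __name__ == "__main__":
    print("naive :", naive_rescue())
    print("bundle:", bundle_rescue())
```

In the naive path the victim's withdrawal is silently dropped because the bot's sweep carries the same nonce at five times the fee; the builder lands the deposit first and the sweep right behind it in the same block. In the bundle path the watcher never fires, because the deposit was never broadcast.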

MEV: Maximal Extractable Value

Wallet tracking is not limited to wallets whose keys have been stolen. Professional attackers also monitor "whale" wallets to run MEV (Maximal Extractable Value) strategies. Using generalized profit-seeking (GPS) bots, they scan pending transactions, simulate the outcome, and execute sandwich attacks.

In a sandwich attack, the attacker places a transaction on each side of the victim's:

  1. Front-run: buy the token first to push the price up.

  2. Victim transaction: the victim's buy order executes at the inflated price, pushing the price up further.

  3. Back-run: the attacker immediately sells, profiting from the slippage the victim absorbed.

The scale of these operations is immense, with estimates of millions of dollars extracted every day on Ethereum alone.
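A worked sandwich on a constant-product pool, as an added example (not the article's code and not any real MEV bot): the attacker sizes the front-run to the largest amount that still leaves the victim inside their slippage tolerance, because a bigger push makes the victim's swap revert and leaves the attacker holding the token at a worse price. Pool reserves, the 0.3% fee and the victim's order are constructed numbers.

```python
from dataclasses import dataclass

FEE_BPS = 30   # 0.30 % swap fee, Uniswap-v2 style (assumed)


@dataclass
class Pool:
    usdc: float   # reserve of the quote token
    eth: float    # reserve of the token being bought

    def copy(self):
        return Pool(self.usdc, self.eth)


def _out(reserve_in, reserve_out, amount_in):
    """Constant-product output after the fee: (x + dx') * (y - dy) = x * y."""
    net = amount_in * (10_000 - FEE_BPS) / 10_000
    return reserve_out * net / (reserve_in + net)


def buy_eth(pool, usdc_in):
    out = _out(pool.usdc, pool.eth, usdc_in)
    pool.usdc += usdc_in
    pool.eth -= out
    return out


def sell_eth(pool, eth_in):
    out = _out(pool.eth, pool.usdc, eth_in)
    pool.eth += eth_in
    pool.usdc -= out
    return out


def simulate_sandwich(pool, victim_usdc, victim_min_eth, attacker_usdc):
    """Returns (attacker_profit_usdc, victim_eth_received), or None when the
    front-run pushes the victim below their minimum-out and the swap reverts."""
    p = pool.copy()
    atk_eth = buy_eth(p, attacker_usdc)                 # 1. front-run buy
    victim_eth = _out(p.usdc, p.eth, victim_usdc)
    if victim_eth < victim_min_eth:
        return None                                     # victim's slippage guard trips
    buy_eth(p, victim_usdc)                             # 2. victim buys at a worse price
    usdc_back = sell_eth(p, atk_eth)                    # 3. back-run sell
    return usdc_back - attacker_usdc, victim_eth


def best_sandwich(pool, victim_usdc, slippage_bps):
    """Largest front-run that keeps the victim inside their slippage tolerance
    (bisection: the victim's output falls monotonically with attacker input)."""
    quoted = _out(pool.usdc, pool.eth, victim_usdc)
    min_eth = quoted * (10_000 - slippage_bps) / 10_000
    lo, hi = 0.0, pool.usdc
    for _ in range(80):
        mid = (lo + hi) / 2
        if simulate_sandwich(pool, victim_usdc, min_eth, mid) is None:
            hi = mid
        else:
            lo = mid
    profit, victim_eth = simulate_sandwich(pool, victim_usdc, min_eth, lo)
    return {"attacker_usdc": lo, "attacker_profit": profit,
            "victim_quoted_eth": quoted, "victim_got_eth": victim_eth,
            "victim_min_eth": min_eth}


if __name__ == "__main__":
    pool = Pool(usdc=2_000_000, eth=1_000)              # price 2000 USDC/ETH
    print(best_sandwich(pool, victim_usdc=50_000, slippage_bps=200))
```

With 2,000,000 USDC / 1,000 ETH of liquidity, a 50,000 USDC buy and a 2% tolerance, the optimal front-run is roughly 20,000 USDC and nets the attacker several hundred USDC, all of it taken from the victim's fill. Tightening the tolerance to 0.1% cuts the extractable amount by more than an order of magnitude, which is the practical lesson: slippage tolerance is the attacker's budget.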

Tracking through professional blockchain analytics tools

Attackers are increasingly sophisticated and use the same tools built for compliance and research to run targeted surveillance. Platforms such as Nansen, Chainalysis, Arkham Intelligence and Etherscan provide features that let anyone set up automated alerts.

Watchlist System and Real-Time Alerts

Modern analytics tools let users label wallet addresses and set up "watchlist alerts". When a target wallet does anything, a deposit or withdrawal, a token swap on a DEX, an approval of a new smart contract, the attacker is notified instantly via Telegram, Discord or email.

Combining on-chain data with entity labels lets attackers classify targets efficiently:

  • Whales: to anticipate market moves or sandwich their trades.

  • Project developers' wallets: to spot early sell-offs or vulnerabilities in newly deployed contracts.

  • Wallets of victims whose keys have been stolen: to wait for a gas top-up.

Common tools used by both attackers and analysts:

  • Arkham: Visualizer and entity labeling features link wallet addresses to real identities or specific organizations.

  • Nansen: specializes in "smart money" tracking to follow the flows of investment funds and whale wallets.

  • Bubblemaps: token distribution maps that reveal clusters of wallets concentrating supply.

  • Tenderly: real-time tracing of the function calls inside smart contracts.

  • Dune Analytics: custom SQL queries for analyzing financial behavior patterns at scale.


De-anonymization: when IP and off-chain data give you away

A blockchain may be pseudonymous, but interacting with it leaves digital traces that attackers can use to identify users. This is "de-anonymization", turning a lifeless hash into a specific person.

IP address leaks through RPC services

Most users interact through browser wallets such as MetaMask, which send their requests to RPC providers such as Infura. The provider therefore sees, at minimum, the user's IP address together with every address the wallet queries for balances, so the IP-to-wallet link exists before any clever analysis. Recent research reports de-anonymization success rates of up to 95% by exploiting the temporal correlation between TCP packets and ledger transactions.

Holding the IP address allows attackers to:

  1. Geo-locate: narrow the target down for physical intimidation or localized phishing.

  2. DDoS: paralyze the victim's network access at a critical moment.

  3. Mine ISP and third-party data: link the IP to a real identity through data leaks and data brokers.

OSINT and social identity

Attackers use open-source intelligence (OSINT) to track targets on X, Discord and Telegram. Users who publish a wallet address to receive an airdrop, or link it to an .eth or .sol name, create identity anchors. Once an attacker has tied a wallet address to a social media account, that user's on-chain privacy is over.

The Art of Deception: Address Poisoning Attack

Address poisoning is a fraud technique that combines tracking with deception and targets the habit of copying addresses from transaction history without checking them.

The mechanism: vanity address fabrication

Attackers use vanity-address generators to create wallets whose first and last few characters match an address the victim frequently interacts with. Because wallet interfaces usually abbreviate the middle of an address, the difference is nearly impossible to spot at a glance.

Transaction history poisoning process

  • Behavior tracking: bots monitor the target's transaction history to identify frequently used counterparties.

  • Planting dust: the attacker sends a tiny amount, or even a zero-value token transfer, from the look-alike address to the victim's wallet. Zero-value transfers work because an ERC-20 transferFrom of zero tokens passes the allowance check, so the attacker can even make the fake entry appear as an outgoing payment from the victim.

  • Setting the trap: the fake transaction now sits at the top of the victim's history. When the victim next sends real funds, it is easy to copy the attacker's address instead of the genuine one.

Figures from 2024 and 2025 show the scale of this attack: more than 270 million recorded attempts. In one incident in December 2025 a trader lost nearly 50 million USDT after copying a poisoned address.
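A pre-send check against address poisoning, as an added example (not from the article or any wallet vendor): it flags a recipient that shares its prefix and suffix with an address-book entry but differs in the middle, and a recipient known only from dust or zero-value transfers into the wallet. All addresses and the history are constructed; the prefix/suffix lengths and the dust threshold are assumptions.

```python
# Constructed addresses (not real accounts): the trusted one and a look-alike
# that shares its first 6 and last 4 hex characters.
TRUSTED = "0x1234" + "5" * 32 + "abcd"
POISON = "0x1234" + "e" * 32 + "abcd"
ME = "0x" + "9" * 40

ADDRESS_BOOK = {"exchange deposit": TRUSTED}

# Constructed history as an explorer would list it, newest first (values in wei).
HISTORY = [
    {"from": POISON, "to": ME, "value": 0},          # zero-value entry planted by the attacker
    {"from": ME, "to": TRUSTED, "value": 10**18},    # my real earlier payment
]


def looks_alike(a, b, prefix=6, suffix=4):
    """Same visible ends (what a truncated UI shows), different full address."""
    a, b = a.lower(), b.lower()
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def dust_senders(history, me, dust_wei=10**15):
    """Addresses that only ever sent us dust or zero-value transfers
    and never received anything from us: classic poisoning footprint."""
    me = me.lower()
    received_from = {t["from"].lower() for t in history if t["to"].lower() == me}
    paid_to = {t["to"].lower() for t in history if t["from"].lower() == me}
    dusty = set()
    for sender in received_from - paid_to:
        incoming = [t["value"] for t in history
                    if t["from"].lower() == sender and t["to"].lower() == me]
        if all(v <= dust_wei for v in incoming):
            dusty.add(sender)
    return dusty


def audit_recipient(candidate, address_book, history, me):
    """Pre-send check: returns a verdict and the reasons behind it."""
    trusted = {addr.lower(): name for name, addr in address_book.items()}
    cand = candidate.lower()
    if cand in trusted:
        return {"verdict": "allow",
                "reasons": [f"matches address book entry '{trusted[cand]}'"]}
    reasons = []
    for addr, name in trusted.items():
        if looks_alike(cand, addr):
            reasons.append(f"look-alike of '{name}': same prefix/suffix, different middle")
    if cand in dust_senders(history, me):
        reasons.append("only known from dust/zero-value transfers into this wallet")
    block = bool(reasons)
    if not reasons:
        reasons.append("not in address book: verify out-of-band before sending")
    return {"verdict": "block" if block else "review", "reasons": reasons}


if __name__ == "__main__":
    print(audit_recipient(POISON, ADDRESS_BOOK, HISTORY, ME))
    print(audit_recipient(TRUSTED, ADDRESS_BOOK, HISTORY, ME))
```

Note that an EIP-55 checksum does not help here: the attacker can checksum the look-alike address just as well. Only a full-string comparison against a source you trust (an address book, not the history tab) is reliable.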

Exploiting Approval Permissions: ERC-20, Permit, and Permit2

Wallet tracking is not only about balances; it also covers the approvals users have granted to smart contracts. Approvals are often unlimited in amount and never expire, which creates enormous risk.

Unlimited approvals and Permit2 risk

Many DeFi protocols request unlimited approvals to save gas on later transactions. Attackers enumerate these approvals on Etherscan. If they later take over the protocol's web frontend or find a vulnerability in an approved contract, they can drain the tokens without any additional permission from the user.

With Permit (EIP-2612) and Permit2, an approval can be granted by an off-chain signature over EIP-712 typed data instead of an on-chain transaction. Phishing toolkits such as Inferno Drainer exploit this:

  1. Track and lure: the attacker uses fake ads or search results to lead victims to a fraudulent website.

  2. Signature prompt: the site asks the victim to sign a "Login" or "Verify" message. The message is in fact a Permit2 (or Permit) signature granting the attacker's contract permission to pull tokens.

  3. Delay: the attacker does not withdraw immediately. The wallet is watched for days, and the signed permit is submitted on-chain when the balance peaks.
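A check a wallet, or a cautious user with a browser console, could run on an eth_signTypedData_v4 request before signing, as an added example that is not the article's code or any vendor's: it normalizes Permit2 PermitSingle/PermitBatch and EIP-2612 Permit messages and flags unknown spenders, unlimited amounts, long-lived allowances and far-future signature deadlines. The Permit2 address is the canonical deployment; the sample requests, the trusted-spender list and the 30-day threshold are constructed assumptions.

```python
import time

PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"   # canonical Permit2 deployment
MAX_UINT160 = 2**160 - 1
MAX_UINT48 = 2**48 - 1
THIRTY_DAYS = 30 * 24 * 3600                             # assumed "too long" threshold


def _int(v):
    """Typed-data integers arrive as ints, decimal strings or 0x-hex strings."""
    return int(v, 0) if isinstance(v, str) else int(v)


def _permit_grants(td):
    """Normalize PermitSingle / PermitBatch (Permit2) and Permit (EIP-2612)
    into (spender, [(token, amount, expiration)], sig_deadline); None if the
    message is not an approval type at all."""
    msg, kind = td["message"], td["primaryType"]
    if kind == "PermitSingle":
        details = [msg["details"]]
    elif kind == "PermitBatch":
        details = msg["details"]
    elif kind == "Permit":   # EIP-2612: the token is the domain's verifyingContract
        deadline = _int(msg["deadline"])
        token = td["domain"]["verifyingContract"]
        return msg["spender"], [(token, _int(msg["value"]), deadline)], deadline
    else:
        return None
    grants = [(d["token"], _int(d["amount"]), _int(d["expiration"])) for d in details]
    return msg["spender"], grants, _int(msg["sigDeadline"])


def audit_signature_request(td, trusted_spenders, now=None):
    """Findings for a typed-data signing request; an empty list means nothing
    suspicious. Any 'login'/'verify' prompt that yields a non-empty grant list
    is a token approval, not a login."""
    now = time.time() if now is None else now
    parsed = _permit_grants(td)
    if parsed is None:
        return []
    spender, grants, sig_deadline = parsed
    findings = []
    if td["primaryType"] != "Permit" and \
            td["domain"].get("verifyingContract", "").lower() != PERMIT2:
        findings.append("Permit2 message not bound to the canonical Permit2 contract")
    if spender.lower() not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {spender} is not a known protocol contract")
    for token, amount, expiration in grants:
        if amount >= MAX_UINT160 // 2:
            findings.append(f"unlimited allowance on {token}")
        if expiration >= now + THIRTY_DAYS:
            days = int((expiration - now) / 86400)
            findings.append(f"allowance on {token} lives {days} days")
    if sig_deadline >= now + THIRTY_DAYS:
        findings.append("signature stays valid for weeks: the attacker can cash it in later")
    return findings


# Constructed sample requests (addresses are placeholders, not real contracts).
NOW = 1_700_000_000
TRUSTED_SPENDERS = {"0x" + "c" * 40}          # e.g. a known DEX router, assumed
TOKEN = "0x" + "a" * 40

DRAINER_REQUEST = {
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1,
               "verifyingContract": "0x000000000022D473030F116dDEE9F6B43aC78BA3"},
    "message": {
        "details": {"token": TOKEN, "amount": str(MAX_UINT160),
                    "expiration": str(MAX_UINT48), "nonce": "0"},
        "spender": "0x" + "bad" * 13 + "b",
        "sigDeadline": str(MAX_UINT48),
    },
}

BENIGN_REQUEST = {
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
    "message": {
        "details": {"token": TOKEN, "amount": str(1000 * 10**6),
                    "expiration": str(NOW + 3600), "nonce": "7"},
        "spender": next(iter(TRUSTED_SPENDERS)),
        "sigDeadline": str(NOW + 1800),
    },
}

if __name__ == "__main__":
    for f in audit_signature_request(DRAINER_REQUEST, TRUSTED_SPENDERS, now=NOW):
        print("!", f)
    print("benign:", audit_signature_request(BENIGN_REQUEST, TRUSTED_SPENDERS, now=NOW))
```

The drainer-shaped request trips four findings (unknown spender, unlimited amount, allowance and signature both valid for millennia); the benign one, scoped to one token, a modest amount and an hour, trips none.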

Case study: the $1.5 billion Bybit attack

In February 2025, the theft of roughly $1.5 billion from a Bybit cold wallet combined supply-chain compromise with on-chain surveillance. The Lazarus Group compromised a Safe{Wallet} developer workstation and used that foothold to tamper with the Safe{Wallet} web frontend.

On February 19, 2025, the attackers modified JavaScript files served from Safe{Wallet}'s AWS S3 bucket. The injected code stayed dormant and only activated when it recognized the transaction's source wallet as Bybit's cold wallet:

Trigger = (Address_{source} == Address_{Bybit_Cold})

When Bybit's signers executed a routine transfer, the malicious code silently rewrote the transaction into a delegatecall to the attacker's contract while the interface kept showing the intended transfer. The delegatecall replaced the Safe's implementation with attacker-controlled code containing a withdrawal function, so the assets could be drained without any further signatures.
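The check that would have exposed the swap described above, as an added example (not Bybit's, Safe's or the attacker's code): compare the SafeTx fields actually presented for signing, ideally read from the hardware wallet screen rather than the browser, with the independently prepared intent, and refuse any DELEGATECALL or non-allow-listed target. The addresses below are constructed placeholders.

```python
# Constructed placeholders; none of these are the real Bybit, Safe or attacker contracts.
COLD_WALLET = "0x" + "c01d" * 10
WARM_WALLET = "0x" + "4a4d" * 10
ATTACKER_IMPL = "0x" + "bad0" * 10

CALL, DELEGATECALL = 0, 1   # Safe's 'operation' field

# What the operator prepared out-of-band: a plain ETH transfer to the warm wallet.
INTENDED_TX = {"to": WARM_WALLET, "value": 10**18, "data": "0x", "operation": CALL}

# What a tampered frontend actually asked the signer to sign: a delegatecall
# into a foreign contract, value 0, with calldata the UI never showed.
TAMPERED_TX = {"to": ATTACKER_IMPL, "value": 0,
               "data": "0x" + "ff" * 36, "operation": DELEGATECALL}

ALLOWED_TARGETS = {WARM_WALLET}


def safe_tx_findings(presented, intended, allowed_targets):
    """Compare the SafeTx fields the signer is really signing with the
    intended ones; flag delegatecall and unknown targets regardless."""
    findings = []
    for field in ("to", "value", "data", "operation"):
        if str(presented[field]).lower() != str(intended[field]).lower():
            findings.append(f"{field} differs from the intended transaction")
    if int(presented["operation"]) == DELEGATECALL:
        findings.append("operation is DELEGATECALL: the target's code runs inside "
                        "the Safe and can overwrite its storage, including the implementation")
    if presented["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {presented['to']} is not an allow-listed contract or wallet")
    return findings


if __name__ == "__main__":
    for f in safe_tx_findings(TAMPERED_TX, INTENDED_TX, ALLOWED_TARGETS):
        print("!", f)
    print("honest:", safe_tx_findings(INTENDED_TX, INTENDED_TX, ALLOWED_TARGETS))
```

The comparison only works if the "intended" side comes from somewhere the compromised frontend cannot touch: a second machine, a checklist, or the fields displayed by the signing device itself. A policy that simply never signs operation = 1 would have stopped this attack on its own.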

Recognize the signs your wallet is being tracked

  • Immediate loss of gas deposits: the clear sign of a sweeper bot. If you top up gas and it disappears within seconds, someone else holds your private key.

  • Frequent "Dust" Transactions: Hackers are trying to cluster your addresses or prepare for an address poisoning attack.

  • Unusual message-signing requests: especially complex JSON typed data involving Permit2 when you are using a dApp.

Prevention measures from Tan Phat Digital's perspective

Although on-chain tracking is a major challenge, users can apply the following strategies to protect assets:

Account Abstraction (ERC-4337)

Smart contract wallets (smart accounts) can enforce security logic that a bare key pair cannot:

  • Whitelisting: only allow transfers to pre-approved addresses, which defeats the address poisoning trap.

  • Transaction limits: a daily withdrawal cap prevents a sweeper bot from draining everything at once.

  • Paymasters: gas can be paid in other tokens or sponsored by a third party, so the victim never has to deposit native coin into a watched wallet.

  • Social recovery: access can be restored through trusted contacts or other devices, removing the seed phrase as a single point of failure.

Privacy and approval hygiene

Solutions such as Wasabi Wallet (CoinJoin, for Bitcoin) mix transactions and break the common-input heuristic. Running your own RPC node, or using a privacy-respecting RPC provider over a VPN or Tor, prevents IP leaks. Regularly check and revoke approvals you no longer need with Revoke.cash.

Frequently Asked Questions (FAQs)

  1. What is a dusting attack? Hackers send tiny amounts of cryptocurrency to millions of addresses to "tag" and track how you manage or pool these funds, thereby identifying the owners.  

  2. How does address clustering work? This is a technique of grouping many different wallet addresses that potentially belong to the same entity based on rules about transaction structure and spending behavior.  

  3. What is the Multi-input Heuristic? A rule that assumes that if multiple wallet addresses contribute funds to a single transaction, they are under the control of the same person because all private keys are needed to sign.  

  4. Can IP addresses be leaked through crypto wallets? Yes, when you use light wallets or browser plugins, your IP address can be leaked through RPC requests, helping hackers associate your real identity with the wallet address.  

  5. What does the Sweeper bot do when a wallet is hacked? It monitors the transaction queue (mempool) and immediately submits a withdrawal with a much higher gas fee to grab any gas you deposit.

  6. What is a Sandwich attack? Hackers place buy orders before and sell orders immediately after the victim's transaction to profit from price slippage created by the victim.  

  7. How dangerous is Unlimited Approval? It allows a smart contract to empty that token from your wallet at any time without you having to sign it again.  

  8. What risks does Permit2 have compared to regular Permit? Because Permit2 is very flexible and can approve multiple tokens at once, attackers can trick users into signing complex messages they do not fully understand in order to withdraw funds.

  9. How is Address Poisoning different from Dusting Attack? Dusting is used for tracking, while Address Poisoning creates an address that looks similar to the address you usually use to trick you into copy-pasting the wrong address when transferring money.  

  10. How was the $1.5 billion Bybit hack carried out? Lazarus Group hackers injected malicious code into Safe{Wallet}'s cloud-hosted frontend, altering what the signers saw so that Bybit's operators unknowingly signed a transaction handing control of the cold wallet to the attackers.

  11. What is Account Abstraction (AA)? It is the technology that turns your wallet into a smart contract that can program its own security logic, instead of a simple key pair.

  12. How does ERC-4337 help prevent Sweeper Bots? AA allows setting withdrawal limits and whitelisting of receiving addresses, making it impossible for bots to withdraw all funds to an unfamiliar address immediately.  

  13. What are the disadvantages of using ERC-4337? It increases transaction complexity, leads to higher gas fees, and can increase the risk of denial of service (DoS) attacks due to complex authentication logic.  

  14. What are the best tools to track whale movements today? Nansen, Arkham Intelligence and Bubblemaps are leading tools that provide entity labels and cash-flow visualizations.

  15. How to completely secure your wallet from tracking? Use wallets that support CoinJoin (like Wasabi), connect via Tor/VPN, revoke approvals regularly, and never copy addresses from transaction history.  

Tan Phat Digital emphasizes that on-chain privacy is no longer about hiding numbers but about controlling data. Until technologies such as zero-knowledge proofs become mainstream, vigilance and understanding remain every investor's most important layer of protection.
