How We Triage a Crypto Incident at CoinCandid

A complete breakdown of our blockchain investigation methodology

Understanding Crypto Incident Triage

When someone brings us a crypto-related case, the first step is to understand what has actually happened on-chain. Rather than relying on assumptions or second-hand explanations, we begin with facts derived directly from blockchain activity.

Our 3-Step Investigation Process

1. Initial On-Chain Assessment

We begin by examining the wallet addresses and transaction hashes provided. The goal is simple: to trace the asset movement and confirm the sequence of events.

• Asset Identification: Which specific tokens were transferred and their amounts
• Movement Tracking: Destination addresses and intermediate wallets involved
• Interaction Analysis: Whether funds interacted with exchanges, bridges, DeFi protocols, or smart contracts

2. Full Investigation and Detailed Mapping

If the case moves forward, we expand the investigation to trace every relevant transaction linked to the incident.

• Transaction Types We Track: Token swaps, cross-chain bridges, smart contract approvals, DeFi interactions
• Pattern Analysis: Linked wallets, repeated patterns, obfuscation techniques, entity clustering

3. Final Report and Next Steps

Once the analysis is complete, we assemble a clear report with:

• Written breakdown of what occurred
• Chronological timeline of fund movements
• Entity summary of platforms and addresses
• Recovery and legal options

Our Philosophy

We believe in clear communication and fact-driven analysis. Every finding in your report is backed by verifiable blockchain data. We don't make assumptions — we follow the facts wherever they lead, and we explain them in plain language so you understand exactly what happened to your assets.