Follow the flow / Trace the block
Autonomous on-chain investigation

Where are the funds now?

TraceOps Labs runs an automated AI agent that traces stolen and suspicious on-chain funds, across chains and bridges, with a reconciliation-and-recovery focus, and returns an evidence-backed investigation report.

Invite-only today · intake via the TraceOps Agent Telegram bot

Detective examining on-chain evidence through a magnifying glass
6+
Chains covered
15+
Bridges resolved
14
Report sections
100%
Reproducible findings
How it works

From a single lead to a full report.

You bring one starting point and a short description of the case. The agent does the tracing and reconciliation, and returns a structured report.

01

Submit a lead

Send a wallet address or transaction hash on a supported chain to the Telegram bot, plus a short description of the suspected hack, scam, or relationship you need traced.

02

Autonomous trace

The agent decodes the source transactions, follows funds across chains and bridges, and clusters addresses, with every hop annotated with a confidence level.

03

Reconciliation

It keeps a running ledger: total source vs. traced vs. current holders vs. unresolved gap. Each address is classified as attacker, helper, bridge, collector, current holder, entity stop, depleted, or unknown.

04

Report delivered

You receive a structured investigation report at a short-lived, single-user secure link, with no dashboards to log into.

Capabilities

Built to answer one question: where did the money go?

The agent prioritizes locating material funds now, holders, balances, and paths, over writing a narrative.

Fund-flow tracing & recovery focus

Follows value from the source outward to current custody, so the report ends on where the funds are, not where they might have gone.

Cross-chain & bridge resolution

Resolves bridge legs to destination-chain custody, with a reverse-bridge check before concluding funds have stopped moving.

Wallet attribution & clustering

Groups related addresses and labels each by role, with defensible confidence rather than a single unexplained verdict.

Exploit forensics

Decodes the full source-transaction transfer set (internal txs, logs, pagination) and separates victim value sources such as vaults, pools, and lending markets from attacker contracts, including flash-loan legs.

Reconciliation ledger

Every dollar is accounted for against the source total, with the unresolved gap stated explicitly instead of quietly dropped.

Entity handling

A deposit into a CEX, bridge, or mixer is treated as an entity stop with a recovery action, not as an invitation to guess at exchange-internal movement.

Coverage

Submit a lead. We follow the money across chains.

Submit a wallet address or a transaction on any supported chain, and the agent follows the funds wherever they move, across chains and bridges.

Ethereum & EVM TRON Solana Bitcoin BNB Chain Cross-chain bridges
The deliverable

An evidence-backed investigation report.

Every case produces the same structured report, authored by the agent, preserved byte-for-byte, and delivered as a rendered page.

A few of the core sections:

TL;DR
Money Flow
Attacker Cluster
Final Destinations
Reconciliation
Recommended Actions

Reproducible by design. Every finding ships with the query bundle that produced it, so you can re-run it on your own node and get the same answer.

Evidence discipline. Verified facts, labels, and analyst inference are kept separate. The agent never invents a label, bridge mapping, balance, amount, or transaction.

Illustrative sample
TraceOps Labs · Investigation Report

Suspected drain - source wallet

CASE TA-XXXXXX · chain: multi-chain · status: illustrative

TL;DR

Funds left the source wallet through a DEX swap, bridged to a second chain, and split across several first-hop branches. Figures below are placeholders shown to illustrate structure, and do not describe a real case.


Reconciliation
Source total- - -
Traced to custody- - -
Current holders- - -
Unresolved gap- - -

Recommended actions

Freeze requests at named entity stops; watchlist entries for active branches.

Security

Handled like evidence, from intake to link.

Short-lived, user-bound links

Reports are served from private storage behind HMAC-signed links that expire in 15 minutes and are bound to the requesting user. Raw storage URLs are never exposed.

Isolated, one-off runs

Each investigation runs in isolation with cross-job memory disabled, so one case can never influence another.

Untrusted evidence model

All on-chain data, labels, and calldata are treated as untrusted evidence, never as instructions to the agent.

Get started

Under active drain, or reviewing a case?

TraceOps Labs is invite-only today. Intake runs through the TraceOps Agent Telegram bot. Request access and we’ll get you onboarded.

Contact: haoxiang@traceopslabs.xyz