Bitcoin transactions do not contain your name. That is where the assumption of anonymity begins, and where it stops being accurate.
The blockchain is a permanent, public, searchable ledger. Every Bitcoin transaction ever made is recorded on it and visible to anyone with an internet connection. The addresses on that ledger are pseudonymous — strings of characters with no name attached. But pseudonymous is not anonymous. The moment you create a link between a wallet address and your real identity, that link is permanent and retroactive. Every transaction that address ever made is now connected to you.
That link gets created in one place almost every time: the exchange.
The KYC Moment
To buy or sell Bitcoin through any regulated platform — Coinbase, Binance, Kraken, Bitvavo — you are required to verify your identity. This is not optional. Under EU AML regulations and the Financial Action Task Force's Travel Rule, crypto-asset service providers are legally required to collect your full name, residential address, date of birth, and a scanned identity document. Most major exchanges also require a selfie alongside the document.
This data is held in the exchange's systems. Your wallet address is recorded alongside it. The result is that the exchange now holds a direct mapping: this wallet address belongs to this named person at this address with this passport number.
From that point forward, every transaction made by that wallet is traceable to you — not in theory, but in practice, using free public tools that any investigator, journalist, or due diligence analyst can access without special authorisation. Blockchain explorers like Blockchair and Etherscan show every transaction, every counterparty address, every amount, every timestamp. Forensic platforms like Chainalysis and Breadcrumbs.app visualise the transaction graph across multiple hops. The methodology is not exotic. It is taught in law enforcement training courses worldwide.
The investigative sequence is straightforward: identify a wallet address associated with a target, trace it to an exchange deposit or withdrawal, issue a legal request for KYC records — or in many cases, use OSINT to identify the exchange from transaction metadata alone. The chain from wallet to identity can be established in under four steps.
The Exchange Is Also a Breach Risk
There is a second problem that most people have not considered. The identity documents you submitted to an exchange — passport scan, proof of address, selfie — are now held on that exchange's servers. Those servers can be breached.
This is not hypothetical. Major exchanges have experienced significant data incidents. In 2019, Binance confirmed that KYC data from its verification partner had been stolen and offered for sale, with the hacker threatening to release hundreds of thousands of images. In 2022, BlockFi confirmed that a third-party vendor was breached, exposing customer data.
The pattern is consistent with the Odido breach dynamic covered in our earlier briefings. An organisation collects sensitive identity data as a compliance requirement. That data is held in systems that are subsequently compromised. The person who provided the data had no visibility over the risk they were accepting at the time.
You cannot retrieve a document scan once it has been submitted. You cannot remove your passport details from an exchange's historical records. The data exists, and it exists somewhere you do not control.
The Bitcoin Paradox: Completely Public, Commonly Misunderstood
Bitcoin is the most transparent financial system ever created. The entire transaction history of every address is public and permanent. When investigators need to follow financial flows, Bitcoin is significantly easier to trace than traditional bank transfers — which require legal process to access, may be subject to bank secrecy laws, and can be obscured by correspondent banking chains. A Bitcoin transaction is immediately visible on a public ledger accessible without any legal authority at all.
This is well understood by law enforcement. It is less well understood by the people who use it.
In May 2021, Colonial Pipeline paid 75 Bitcoin — approximately $4.4 million — to the DarkSide ransomware group to regain access to its systems. Within a month, the FBI had traced the payments across multiple wallet addresses, identified the holding wallet used by DarkSide's affiliates, and seized 63.7 Bitcoin. Deputy Attorney General Lisa Monaco's statement at the press conference was direct: "The old adage 'follow the money' still applies." The FBI used Chainalysis's blockchain analytics tools to map the transaction graph. Every hop was visible on the public ledger. The attackers were, in the assessment of investigators, overconfident that the money could not be traced.
The Silk Road case in 2013 established the same principle a decade earlier. Ross Ulbricht built an entire darknet marketplace on Bitcoin, processing millions in transactions. The case against him was built partly from blockchain analysis, partly from a single slip: an early transaction through Mt. Gox — a then-active exchange — which linked a wallet address to an email address. That email address was Ulbricht's real one. One connection was sufficient.
The lesson in both cases is identical. It is not that Bitcoin transactions are difficult to trace. It is that people often believe they are, until they are not.
Monero: The Privacy Works. The Perception Doesn't.
Monero is a different situation. Unlike Bitcoin, Monero uses cryptographic techniques — ring signatures, stealth addresses, and RingCT confidential transactions — that genuinely obscure transaction flows on the blockchain. The on-chain trail is effectively unreadable without the private keys involved. Chainalysis, which successfully traces Bitcoin transactions at scale, has publicly stated that Monero presents significant technical barriers to blockchain forensics.
So for the person who values financial privacy, Monero actually delivers it at the technical level. The problem is what it signals.
Monero became the preferred currency of dark web marketplaces precisely because it works. AlphaBay, the largest dark web market before its 2017 takedown, switched to accepting Monero over Bitcoin because Bitcoin's traceability had made it a liability for vendors. Ransomware groups have increasingly demanded Monero over Bitcoin for the same reason. The IRS offered a $625,000 bounty in 2020 for anyone who could crack Monero's privacy layer — a signal of how seriously law enforcement regards it as an obstacle to tracing criminal proceeds.
This is the reputational problem. For a compliance analyst, due diligence investigator, or journalist conducting background research, the appearance of Monero in financial history raises an automatic flag — not because the transactions can be read, but because of who uses it and why. The association is now structural. By July 2027, the EU will enforce a complete ban on privacy coins under its Anti-Money Laundering Regulation (AMLR). Seventy-three exchanges globally have already delisted Monero. Kraken removed it from the European Economic Area in 2024. Binance followed. The regulatory posture of multiple jurisdictions now treats Monero as inherently associated with activity that requires concealment from authorities.
The person who uses Monero for entirely legitimate reasons — financial privacy, concern about data aggregation, a preference for keeping wealth out of commercial surveillance systems — arrives in a due diligence report in the same category as someone using it to receive ransomware payments. The transaction content is unreadable. The fact of usage is visible. The flag is automatic.
The two apparent options — Bitcoin (traceable, "normal") and Monero (private, flagged) — are not actually the privacy choice most people think they are making.
Europol and the Limits of Evasion
In November 2025, Europol coordinated the takedown of Cryptomixer under Operation Olympia — a service that had been operating since 2016 specifically to break the transaction trail on the Bitcoin blockchain. Mixing services work by pooling funds from multiple users and redistributing them at random intervals, making it difficult to trace specific coins from origin to destination. Cryptomixer processed an estimated €1.3 billion in Bitcoin over its nine-year operation — used by ransomware gangs, payment card fraudsters, drug traffickers, and weapons traders.
German and Swiss authorities, with Europol's on-site forensic support, seized three servers, took down the domain, and recovered more than €25 million in Bitcoin. Eurojust established a joint investigation team for real-time sharing of evidence across jurisdictions. Twelve terabytes of data were seized — transaction records, user data, and operational infrastructure that investigators stated would contribute to further arrests.
The Cryptomixer seizure followed Europol's earlier dismantling of ChipMixer in 2023, which had processed more than $3 billion in Bitcoin since 2017. The pattern is consistent: mixing services extend the time required to trace Bitcoin. They do not make it untraceable. The 12-terabyte data seizure from Cryptomixer contains records that will link wallet addresses to the users who submitted them. Those users believed the service was protecting their anonymity. The records now sit on law enforcement servers.
The Bridge Between Your Wallet and Your Name
The most common misconception about blockchain tracing is that it requires breaking encryption or compelling an exchange to hand over records. In many cases, neither is necessary. The investigative process begins with open sources — and one point of connection is sufficient.
A wallet address posted anywhere online, once, is permanently searchable. Google indexes forum posts from 2013. Bitcoin address search tools like IntelX and Bitcoinwhoswho index addresses against every public mention across social platforms, forums, dark web archives, and paste sites. If a wallet address appears alongside a username, and that username appears anywhere connected to a real name — a LinkedIn profile, a GitHub commit, a conference speaker page, an email in a data breach — the connection between identity and full transaction history is established without any legal process at all.
The investigative sequence is the same one used in any OSINT investigation. Identify the wallet address. Search it across blockchain explorers and open-source intelligence tools. Find any public mention that links it to an online identity. Trace that identity across platforms until a real name appears. Then run the full transaction history of the wallet — visible on the public ledger — against that name.
Every transaction the address ever made is now attributed. Every counterparty address becomes a new starting point. The graph expands outward. If any of those counterparty addresses has independently been linked to a real identity — through KYC at an exchange, a separate public mention, or a different investigation — those connections merge. This is called wallet clustering, and it is the standard methodology used by forensic analysts, journalists, and due diligence teams.
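The merging described above can be shown on a small constructed ledger, framed as a check of your own addresses. This is an added example, not code from any forensic tool named in this article: it assumes the common-input-ownership heuristic (addresses spent together in one transaction share an owner), which the article does not name, and every address, transaction and label in it is invented.

```python
from collections import defaultdict

# Constructed sample data: every address, txid and label below is invented.
TXS = [
    {"txid": "tx1", "inputs": ["addr_A", "addr_B"], "outputs": ["addr_M"]},
    {"txid": "tx2", "inputs": ["addr_B", "addr_C"], "outputs": ["addr_N"]},
    {"txid": "tx3", "inputs": ["addr_D"], "outputs": ["addr_A"]},
    {"txid": "tx4", "inputs": ["addr_E", "addr_F"], "outputs": ["addr_M"]},
]
# Public "bridges": an address tied to an identity by some outside source.
LABELS = {"addr_C": "KYC record (constructed)", "addr_F": "forum post (constructed)"}


def cluster_addresses(txs):
    """Union-find over addresses; inputs spent together are merged
    (common-input-ownership heuristic, an assumption of this example)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)  # register every address seen on the ledger
        ins = tx["inputs"]
        for other in ins[1:]:  # no-op for single-input or input-less txs
            parent[find(other)] = find(ins[0])

    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return list(clusters.values())


def exposure_report(txs, labels, my_addresses):
    """For each of my addresses, list the labels that reach it via its cluster."""
    report = {}
    for cluster in cluster_addresses(txs):
        hits = sorted(labels[a] for a in cluster if a in labels)
        for addr in cluster & set(my_addresses):
            report[addr] = {"cluster": sorted(cluster), "bridges": hits}
    return report


if __name__ == "__main__":
    for addr, info in sorted(exposure_report(TXS, LABELS, ["addr_A", "addr_D"]).items()):
        print(addr, info)
```

In the sample, addr_A was never labelled itself, yet it inherits the label on addr_C because the two are linked through addr_B; addr_D only paid addr_A, so it stays in its own cluster with no bridge.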
The Bitfinex case illustrates how comprehensively this works even against sophisticated actors. In 2016, Ilya Lichtenstein stole 119,754 Bitcoin from the exchange, then spent five years laundering the proceeds through mixers, AlphaBay, fake identity accounts at multiple exchanges, and layered transaction chains. Every standard obfuscation technique was used. The investigation did not crack the cryptography. It found one bridge: a Walmart gift card, purchased with Bitcoin from the stolen pool, redeemed on an iPhone app registered under his wife Heather Morgan's real name. That single touchpoint gave investigators a search warrant. The search warrant uncovered cloud storage files containing the private keys to the stolen wallets, the fake identities used at exchanges, and the full transaction map. Lichtenstein was sentenced to five years in federal prison in 2024. Morgan to eighteen months.
The bridge does not need to be a gift card. It can be a forum post, a charity donation made public, a wallet address in an email signature, a payment from a named entity that appears in a company's on-chain records, or a data breach at a KYC exchange that surfaces the identity document submitted at account opening. One connection is enough. Everything else on that wallet's history follows.
Exchange breaches are particularly significant in this context because they collapse the pseudonymous structure retroactively and at scale. When Binance's KYC verification partner was breached in 2019, the exposed data included passport scans and selfies submitted during account registration — full legal name, date of birth, nationality, document number, and in many cases a residential address. Any wallet address associated with that account, and every transaction that wallet ever made, is now connected to a named, documented individual. The person who submitted that document in 2019 had no knowledge of the breach and no ability to prevent it. The linkage it created is permanent.
The question is not whether this process is theoretically possible. It is whether anyone has a reason to run it on you specifically. That answer changes depending on context: a legal dispute, a background check by a counterparty, a journalist following a financial story, a regulator reviewing a transaction that touched a flagged address at some point in its history. Most people will never face that scrutiny. Some will, at a moment they did not anticipate, over data they assumed was private.
What Can Actually Be Done
The most effective step is understanding what is already visible before someone else runs the search first. That means knowing which wallet addresses are associated with your name across blockchain explorers, breach databases, data aggregators, and public records — and what the transaction histories on those addresses reveal to anyone with a reason to look.
A PI Solutions Snapshot Scan covers cryptocurrency exposure as part of the standard audit: breach database hits including KYC exchange incidents, wallet addresses surfaced through OSINT cross-referencing, and any public data points that create a bridge between your identity and your on-chain history. The same methodology used by investigators, applied to your own profile. One-page PDF within 48 hours.
Where significant exposure exists, a full Mirror audit maps the complete picture and produces a prioritised mitigation strategy — which platforms hold your KYC data, which addresses are currently searchable, and what steps reduce the surface before it becomes relevant in a context you did not choose.
Monero's privacy is real at the technical level. The reputational and regulatory exposure it creates is also real. Bitcoin's traceability is permanent and retroactive. And the KYC data you submitted to access either of them may already have left the building. Knowing the current state of your exposure is the starting point for deciding what to do about it.
Sources
- Chainalysis — DarkSide / Colonial Pipeline ransomware seizure case study, 2021
- U.S. Department of Justice — Colonial Pipeline ransom recovery, June 2021
- Europol / Eurojust — Cryptomixer takedown (Operation Olympia), November 2025
- Chainalysis — Bitfinex hack / Lichtenstein & Morgan laundering analysis
- U.S. Department of Justice — Lichtenstein sentenced, November 2024
- Fincrime Central — EU AMLR Monero ban effective July 2027
- Coingeek — EU law banning anonymous wallets, Article 79 AMLR
- Kraken — Monero delisting announcement, European Economic Area, 2024
- IRS — $625,000 bounty for Monero tracing capability, 2020
- Binance — KYC data breach disclosure, 2019
- FBI — Silk Road / Ross Ulbricht arrest documentation, 2013
- FATF — Travel Rule guidance on virtual asset service providers