The following is an anonymized, text-only version of a real case report concluded in 2025. Heartland Blockchain Advisors was brought in to investigate the blockchain activities of the respondent as part of a divorce proceeding.

The petitioner's father contacted me and provided transactions from Crypto.com, a cryptocurrency exchange. This account definitively represents transactions and assets from the respondent, and the account is tied to his bank account, government identification, and more.

Cryptocurrency Exchanges: A cryptocurrency exchange is like an bank that facilitates cryptocurrency transactions. They provide a gateway between traditional financial rails like banks and credit cards and decentralized currencies. Exchanges function like banks and are subject to all regulations associated with financial management - Anti-Money Laundering (AML), Know Your Customer (KYC), and all tax documentation based upon the jurisdiction of the customer. Exchanges also provide custody services for users, where they hold cryptocurrency on behalf of the customer, but the customer is not actually in control of the private keys (passwords) to send their own transactions.

The export provided 2175 transactions, ranging from deposits of fiat currency (dollars), cryptocurrency purchases using traditional currency, internal transactions (like buying or selling crypto all hosted on the exchange), and withdrawals & deposits from non-custodial wallets sending & receiving cryptocurrency from the respondent's account.

All activity on the exchange is open and subject to subpoena, so our efforts to find any missing cryptocurrency are focused on activity where the assets were sent off of the exchange to a private, self-custody wallet.

On Custody: Blockchains allow anyone to create a wallet, like a bank account. "Custody" is the term that identifies if an account is privately owned by a user or whether the assets are managed by a custodian like an exchange. Self-custody wallets can send and receive cryptocurrency without any permission as long as the user has their seed phrase or private key (complex passwords).

Cryptocurrency was withdrawn from Crypto.com to privately held wallets starting on 1/1/2022 up to the last documented transaction in this export in April of 2024. The withdrawals took place on at least 12 blockchains:

1. Bitcoin

2. Ethereum

3. Polygon (Ethereum Layer 2)

4. Solana

5. Cardano

6. Polkadot

7. Ripple

8. Algorand

9. Stellar

10. Avalanche

11. Tezos

12. Binance Smart Chain

With activity on 12 separate blockchains covering dozens of tokens (currencies), it can be interpreted that the respondent is well-versed in the nature of blockchain transactions and the self-custody of digital assets.

In addition, the respondent has reported having assets stored on a Ledger hardware wallet, also known as a cold-storage wallet. The respondent admitted to funding his cold storage wallet through exchange withdrawals in his deposition on January 15, 2025. His testimony definitively claims ownership of wallets associated with his withdrawal activity from exchanges.

On Cold Storage: Cold Storage is any wallet where the private keys are generated by a device that is not web-based. In theory, this means that the private key has never been exposed to the open web, and therefore is far more secure than wallets created on web-based protocols. Cold storage wallets are a degree more complicated than wallets that can be created instantly on mobile apps, web browsers, and browser extensions.

After initial investigation, it became clear that other exchanges beyond Crypto.com were associated with the respondent. This was identified by several behaviors, including receipts from other known exchanges, inter-exchange transfers, and intermediary wallets linking exchanges.

The first behavior was withdrawal wallets definitively tied to his Crypto.com address also receiving on-chain transactions from other known exchanges. Because all blockchain transactions are public, major exchange wallets are publicly known. Here, we were able to see that the respondent's withdrawals went to wallets that also received direct withdrawals from Binance, Foxbit, and other known exchanges.

Second, some of the withdrawals from the Crypto.com transaction document were transactions made to other exchanges' known wallets. This is how people can send cryptocurrency from one custodial account to another without moving the assets on-chain, and is most commonly internal transactions by the same entity.

Third, withdrawal addresses receiving cryptocurrency from the respondent's Crypto.com account would often send money to a second wallet, where the assets would idle before then being moved to another exchange. This activity is commonly done to try to obfuscate the sources of cryptocurrency from exchanges, where transactions are documented for tax, legal, and compliance purposes.

Upon requesting further information from the respondent and sending subpoenas to the other exchanges, it was revealed that the respondent did, in fact, have accounts at these exchanges. It should be noted that these exchanges and their activity were not included in the transaction data initially reported to us, and could be inferred that this withholding of data is potentially in violation court-mandated discovery process.

To date, subpoena and records provided by the respondent only contain transaction data through 2023, so the rest of our investigation is focused on public on-chain data to identify the types and amounts of cryptocurrency that has not been revealed in discovery to date.

On Chain Investigation

On Blockchains: A blockchain is a public ledger. While Bitcoin is the most well-known, there are hundreds of other blockchains. What they have in common is that they are all decentralized ledger systems, allowing for people to freely move tokens (currencies) among one another with no permission or centralized authority required. In almost all cases, transactions are public and contain layers of metadata that provide details about the transaction. Consider blockchains like different currency systems, like the SWIFT banking financial system. Some blockchains have only one supported token, like Bitcoin; while others can support unlimited tokens, like Ethereum that supports ETH, USDC, Tether, Chainlink, and many other well-known tokens.

Bitcoin

Known Bitcoin transactions are simple, with withdrawals from Crypto.com, Binance, and Foxbit, all ending in a known wallet containing .02 BTC.

This investigation believes that a 2024 transaction ledger from Binance and Foxbit will reveal additional self-custody Bitcoin wallets, but this hasn't been made available to us to date.

Ethereum

Ethereum withdrawals were made to self custody wallets over years. They moved to an intermediate wallet where they were directed to a Binance account or another self-custody wallet. In some trails, assets were forwarded in coordinated movements across as many as four self-custody wallets before being routed to an exchange wallet.

In the longest trail, a single transaction from Crypto.com was made to the final wallet, tying this trail of activity to the respondent. The final withdrawal from this chain was 7 ETH.

Other tokens with similar transaction patterns as the ETH remain stored in the first intermediary wallet with balances of 150 LINK, 150 UNI, 1,400 CRV, 9,000 CHZ, 75 AXS, and 200 SAND.

Polygon

Polygon is an Ethereum Layer 2, meaning that it uses the same addresses and mechanics of Ethereum, but offers significantly lower transaction fees by grouping transactions and securing them all on the Ethereum network in bulk. the respondent's Polygon activity emulates that on Ethereum, with the exact same transaction flows, dates, and exits. As of writing, the last known Polygon address holds 2,000 POL.

Solana

The respondent's activity on Solana consists of known withdrawals from ID-linked accounts at Binance and Crypto.com. They all went to the same self-custody address and remained for years before all moving on 10/3/2024 to an intermediary wallet before moving again 10/14/2024 with a final exit amount to a known exchange wallet amounting to 225 SOL.

Cardano

The respondent's Cardano activity is similar to Solana, with ID-linked withdrawals from Crypto.com, Binance, and Foxbit. The assets remained in the same wallet until 12/1/2024, where they all moved to another self-custody wallet, where it all remains currently. In our opinion, these assets are likely in the custody of the same entity that received the initial withdrawals. The amount totals 10,000 ADA.

Polkadot

The respondent's Polkadot activity is consistent with other chains, with ID-linked withdrawals from Crypto.com, Binance, and Foxbit. The assets remained in the same wallet until 10/3/2024. Interestingly, half of the transferred balance was moved on 1/20/2025, 5 days after the respondent's deposition. The final wallet still holds 200 DOT while another 200 DOT was transferred to a known exchange wallet on 1/20/2025.

Ripple

The respondent's exchange-linked Ripple withdrawals accumulated in a single wallet before all being moved on 10/3/2024, where they remain today. The total amount is 13,000 XRP.

Algorand

The respondent's exchange activity shows withdrawals from Binance and Crypto.com to a single address until 10/3/2024, where it was transferred to another self-custody wallet. The total balance is 25,500 ALGO.

Stellar

The respondent's exchange activity shows withdrawals from Binance to another wallet. This wallet has activity that is inconsistent with the respondent's other activity, indicating another potential exchange or a third-party service. The total amount transferred from Binance to this wallet is 14,000 XLM.

Avalanche

The respondent's exchange activity shows a withdrawal from Binance to the respondent's intermediary wallet that shares the same address as aforementioned activity on Ethereum and Polygon, with exchange-tied withdrawals supplementing balances as recently as 12/1/2024. The final balance of 275 AVAX was moved to an exchange wallet on 10/14/2024 with remnants of recent withdrawals remaining in the withdrawal wallet totaling 7 AVAX.

Tezos

The respondent's exchange activity shows a single withdrawal to a self-custody Tezos wallet on 12/26/2023. Those assets were then forwarded to a new self-custody wallet on 10/3/2024, where the assets remain. The balance is 500 XTZ.

Binance Smart Chain (BSC)

The respondent's exchange activity shows withdrawals from Crypto.com to the same address as all other Crypto.com withdrawals with the Ethereum-style naming convention. The withdrawals all flow to the same intermediary address on 10/5/2024. BSC supports multiple tokens, and the final amounts are resting in the second intermediary address totaling 3,100 IOTA, 375 EOS, and 10 ILV.

The sum of all assets in the chains above varies based on time of valuation, but the USD value is far in excess of $200,000 and could go as high $500,000 depending on documents of 2024 transactions from Binance, Foxbit, and Crypto.com.

Key Investigation Findings

The Stolen Wallet

Throughout the investigation and in the deposition, the respondent has maintained that his Ledger cold storage wallet was stolen, allegedly by the petitioner, in December of 2023.

It should be noted that across all above-cited blockchains that have transactions before that date, every withdrawal wallet continues to receive transactions after that date.

Blockchains with receipts from before the alleged date of theft with continued withdrawals after the date of theft include:

1. Bitcoin

2. Ethereum

3. Polygon

4. Cardano

5. Polkadot

6. Ripple

7. Algorand

To be clear, this indicates that if the wallet was stolen, the respondent chose to continue sending funds to the stolen wallet after the date of theft. This behavior is irrational, essentially a donation to the thief. The only rational explanation is that these blockchains and their affiliated withdrawal wallets were not related to the stolen Ledger wallet.

Blockchains and withdrawal wallets with activity aligned with other self-custody wallets, but with exit activity or withdrawal activity only after the alleged date of theft:

1. Avalanche

2. Solana

3. EOS

4. Binance Smart Chain

This shows the alleged thief of the respondent's Ledger wallet was acting in synchronization with the respondent's other withdrawal wallet activity, moving assets within 60 minutes of the respondent's moves in October 2024 or choosing to move assets to the same wallets to which the respondent's affiliated wallets were also moving assets.

With the exception of the Stellar network, every investigated withdrawal address across all blockchains either shows activity before & after the date of theft, or activity consistent across blockchains with the respondent's other activity and resulting in assets often arriving at the same address.

It is our conclusion that either the respondent's wallet has not, in fact, been stolen, or that the thief and the respondent have closely aligned interests that result in tightly correlated activity and recipients.

Activity Dates

It is our understanding that marital assets were to have been frozen on or around April 12, 2024.

Our investigation has shown activity on the following blockchains with direct relation to the respondent's exchange-verified withdrawal addresses:

1. Bitcoin

2. Ethereum

3. Polygon (Ethereum Layer 2)

4. Solana

5. Cardano

6. Polkadot

7. Ripple

8. Algorand

9. Avalanche

10. Tezos

11. Binance Smart Chain

With the exception of Stellar, every investigated blockchain and affiliated wallet has moved assets on or after the date of the financial restraining order.

Coordinated Activity

Our investigation revealed coordinated activity across wallets and across blockchains on dedicated dates. This increases confidence that the assets were managed by individuals and not third parties, and that the entity in custody is either the respondent or someone affiliated with the interests of the respondent.

While we have several examples of coordinated cross-chain activity, the majority of the respondent's assets were shifted across wallets on 10/3/2024 within minutes of one another. For brevity, we'll show this:

1. Bitcoin: 19:10 UTC confirmed (likely initiated around 18:40 UTC due to confirmation times)

2. Ethereum: 17:53 UTC

3. Polygon: 18:57 UTC

4. Solana: 18:06 UTC

5. Polkadot: 18:53 UTC

6. Ripple: 18:12 UTC

7. Algorand: 18:37 UTC

8. Avalanche: 18:26 UTC

9. Tezos: 15:23 UTC

Within minutes of one another, 9 of 12 of blockchains showed activity affiliated with the respondent's known withdrawal addresses moving assets to an intermediary wallet.

Use of Intermediary Wallets

Our investigation shows the movement of assets from one wallet to another, coordinated across blockchains in patterns that align.

There is no utility to this movement in this circumstance. It does nothing to enhance one's yield, security, or convenience. In our expert opinion, the only reason for activity like this is to try to distance oneself from exchange affiliated activity or add confusion to the process. Especially because blockchains have fees, we find little utility in this activity other than attempting to make tracing more difficult.

Conclusion

The results of our case show that the respondent has withheld transaction data in defiance of the court order, made transactions after the mandated freezing of assets, coordinated activity across blockchains to liquidate assets without proper reporting or payment to the petitioner, employed tactics to make tracing more difficult, and made untruthful statements to renounce ownership of crypto assets.

While we cannot make legal recommendations, we hope that the judge and involved authorities can use these findings to help make the petitioner whole according to the terms of the divorce proceedings.