# Advanced Analysis: Lightweight Fund Tracking

In this tutorial, we describe the fund-tracking functionality of MetaSleuth. During an investigation, we usually want to track the **outgoing** funds from an address. MetaSleuth facilitates this process by supporting fund-flow tracking in a single direction.

**Video/Content:** [MetaSleuth Tutorial: Use MetaSleuth’s advanced analysis for lightweight fund tracking](https://www.youtube.com/watch?v=EH7x7BTumIQ)

Below, we use a real example of tracking a phishing victim's funds to demonstrate this functionality. The address tracked is *ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713)*.

### What is Fund Tracking and Why MetaSleuth

From its inception, MetaSleuth aimed to provide analysts with more convenient visual analysis capabilities. After immersing ourselves in the on-chain sleuth group and Web3 community, we discovered that one of the most common tasks is tracking outgoing funds from a specific address within a defined time range.

For instance, this includes tracking stolen funds from a victim's address to recover the funds, monitoring the targets of smart money for better investments, and tracking suspicious transactions for anti-money laundering (AML) purposes.

However, the fund flow from these active addresses can be extremely complex, involving multiple tokens and diverse targets, and spanning long periods. This complexity is a burden for on-chain sleuths, who must spend time extracting the relevant information for their analysis.

To solve this problem, MetaSleuth provides the most lightweight and fastest solution, with the best user experience, among all the assistant tools.

## Tracking Details

When investigating a phishing case, the information we have is as follows.

* *ryanwould.eth* (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713) has suffered considerable losses in a phishing attack. A furious on-chain sleuth is tasked with finding out where the stolen funds are going and uncovering hidden phishing groups.
* Known Clues
  * Victim: *ryanwould.eth* (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713)
  * Time: around 2023.02.25-2023.02.27
  * Loss Assets: unknown token, unknown amount
  * Network: Ethereum

### Step 1: Select the address

Visit [metasleuth.io](https://metasleuth.io/), select the corresponding blockchain network (the default is Ethereum), and enter the origin address of the funds, i.e., ryanwould.eth.

MetaSleuth will resolve the corresponding address based on the ENS name. Then, on the right side of the search box, use MetaSleuth's core function, `Advanced Analyze`.

<figure><img src="/files/8SQFVHpqri6YeYWxhhnv" alt=""><figcaption><p>Entry point of Metasleuth.io</p></figcaption></figure>

### Step 2: Select the direction

After entering the Advanced Analyze Settings panel, we can choose the direction of the funds and the time range. In this task, we focus only on the outflow of funds (out) and the time period around when the phishing occurred (2023-02-25->2023-02-28). After completing the configuration settings, we click apply and press Enter to enter the canvas.

<figure><img src="/files/bNOJPbiEj4JLXeA74e5C" alt=""><figcaption><p>Advanced analyze setting</p></figcaption></figure>

### Step 3: Generate the first fund flow graph

That's great! Metasleuth.io quickly generates a visual graph of all outgoing fund flows between February 25, 2023, and February 28, 2023. Thanks to this function, we save a lot of data sifting time.

Moreover, leveraging the address label maintained by MetaSleuth, we can readily identify that within this brief timeframe, only two unusual fund flows were detected, both directed toward the address "Fake\_Phishing11227". These anomalous transactions involved 1,842 USDC and 519,351 DATA tokens, as depicted in the graph.

<figure><img src="/files/GVFSrjwGFT7Y7VeYItlC" alt=""><figcaption><p>The initial fund flow</p></figcaption></figure>

### Step 4: Filter tokens of interest

For a clearer display, we open the token configuration item, remove the other default tokens so that only the stolen tokens (USDC, DATA) remain, and then confirm our changes.

<figure><img src="/files/JpdBajelCCjf6pro8dQa" alt=""><figcaption><p>Token filter</p></figcaption></figure>

### Step 5: Extend the fund flow of the address of interest

The fund flow becomes extremely concise and clear. To trace the outgoing funds, we further extend to the second hop of the fund transfer. In the second hop, we found that the phishing address "Fake\_Phishing11227" transferred the stolen funds to AirSwap and exchanged tokens through AirSwap.

<figure><img src="/files/TFLEFHZp8qx0pRpR9MMp" alt=""><figcaption><p>The filtered fund flow</p></figcaption></figure>

### Step 6: Process the token swap operation

Due to our token filtering configuration, we only focused on DATA and USDC, which obscured the process of token swapping. To address this, we added ETH to the token configuration and added the swap transaction (0x23f4ed07e2937c3f8f345e44ce489b8f83d2b6fdbf0697f6711ff4c7f2a55162) again. With this update, we now have a complete view of the token-swapping process. The phishing actor exchanged USDC and DATA tokens through AirSwap and obtained 14.58 ETH. At this stage (2022-02-27 22:30), solely focusing on USDC and DATA would no longer be meaningful. We need to trace the path of the acquired ETH to uncover additional phishing addresses.

<figure><img src="/files/sqmDzhMj7zjk03OW9d0T" alt=""><figcaption><p>Add transaction</p></figcaption></figure>

<figure><img src="/files/P7JM9dHnQ9n0ziikggb1" alt=""><figcaption><p>The complete fund flow</p></figcaption></figure>

### Step 7: Further filter with time range

Therefore, we continued with the Advanced Analysis of the phishing address "Fake\_Phishing11227". Similarly, we focus only on the outgoing funds and on the time range between February 27, 2023, and February 28, 2023. We then click the "Analyze" button to proceed with the analysis.

<figure><img src="/files/5QbTgDNudl4fiGu5zhQl" alt=""><figcaption><p>Further analyze button</p></figcaption></figure>

### Step 8: Stop the investigation when recipients of interest are found

We have obtained the fund destinations from "Fake\_Phishing11227" within the specified time range. It appears that there are numerous receiving addresses involved, indicating a process of distributing the illicitly obtained funds.

Among all the recipients, the addresses *"offtherip.eth"*, "Fake\_Phishing76579", and "Fake\_Phishing7064" received the majority of the distributed funds, amounting to 10.36 ETH, 8.36 ETH, and 1.85 ETH, respectively.

Based on this distribution ratio, we regard *offtherip.eth* as the most suspicious entity in this investigation, and it deserves attention.

<figure><img src="/files/TEO7yaKuPFFGro8JYfGk" alt=""><figcaption><p>Final trace result</p></figcaption></figure>

Having obtained the unusual address "offtherip.eth", further steps may require non-blockchain techniques, such as social engineering analysis. However, in this analysis focused on on-chain fund transfers, metasleuth.io has provided a plethora of convenient technical assistance, enabling the entire analysis to be completed in less than 10 minutes.
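The logic behind Steps 2 to 8 (outflow only, time window, token filter, hop-by-hop expansion, recipient ranking) can be modelled offline. The following is an added example, not MetaSleuth's code or API: it runs over a small constructed ledger whose labels and amounts follow this tutorial, while the timestamps and the two "noise" rows are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed ledger: labels and amounts follow the tutorial; timestamps
# and the two "noise" rows are illustrative assumptions, not chain data.
TRANSFERS = [  # (time, sender, recipient, token, amount)
    ("2023-02-20 10:00", "ryanwould.eth", "noise_old", "ETH", 0.5),    # before window
    ("2023-02-26 09:00", "noise_payer", "ryanwould.eth", "ETH", 1.0),  # inflow
    ("2023-02-27 22:00", "ryanwould.eth", "Fake_Phishing11227", "USDC", 1842),
    ("2023-02-27 22:00", "ryanwould.eth", "Fake_Phishing11227", "DATA", 519351),
    ("2023-02-27 22:30", "Fake_Phishing11227", "AirSwap", "USDC", 1842),
    ("2023-02-27 22:30", "Fake_Phishing11227", "AirSwap", "DATA", 519351),
    ("2023-02-27 22:30", "AirSwap", "Fake_Phishing11227", "ETH", 14.58),
    ("2023-02-27 23:00", "Fake_Phishing11227", "offtherip.eth", "ETH", 10.36),
    ("2023-02-27 23:05", "Fake_Phishing11227", "Fake_Phishing76579", "ETH", 8.36),
    ("2023-02-27 23:10", "Fake_Phishing11227", "Fake_Phishing7064", "ETH", 1.85),
]

def outflows(address, start, end, tokens, ledger=TRANSFERS):
    """Sum transfers sent by `address` in [start, end) for the selected tokens."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    totals = defaultdict(float)
    for ts, sender, recipient, token, amount in ledger:
        if sender == address and token in tokens and lo <= datetime.fromisoformat(ts) < hi:
            totals[(recipient, token)] += amount
    return dict(totals)

def trace(origin, start, end, tokens, hops):
    """Expand outgoing flows hop by hop; each address is expanded only once."""
    edges, frontier, seen = [], [origin], {origin}
    for _ in range(hops):
        nxt = []
        for addr in frontier:
            for (recipient, token), amount in outflows(addr, start, end, tokens).items():
                edges.append((addr, recipient, token, amount))
                if recipient not in seen:
                    seen.add(recipient)
                    nxt.append(recipient)
        frontier = nxt
    return edges

def top_recipients(address, start, end, token):
    """Rank recipients of one token by amount received, largest first."""
    flows = outflows(address, start, end, {token})
    return sorted(((r, a) for (r, _), a in flows.items()), key=lambda x: -x[1])

if __name__ == "__main__":
    window = ("2023-02-25", "2023-02-28")
    for tokens in ({"USDC", "DATA"}, {"USDC", "DATA", "ETH"}):
        print(sorted(tokens), len(trace("ryanwould.eth", *window, tokens, 3)), "edges")
    print(top_recipients("Fake_Phishing11227", "2023-02-27", "2023-02-28", "ETH"))
```

With only USDC and DATA selected, the trace dead-ends at AirSwap; adding ETH exposes the swap proceeds and the onward distribution, which is the effect described in Step 6.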

### Conclusion

In this tutorial, we show an example of using MetaSleuth to track a phishing victim's fund flow. The summary of the analysis is as follows.

* Victim: *ryanwould.eth* (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713)
* Time: 2023-02-27 22:00
* Loss Assets: 1,842 USDC, 519,351 DATA
* Network: Ethereum
* Funds Target:
  * First Hop: Fake\_Phishing11227
  * Second Hop:
    * *offtherip.eth*
    * Fake\_Phishing76579
    * Fake\_Phishing7064
* Analysis Time consumed: <10 min

