Transparent Background

PNG

SVG

White Logo & Transparent Background

PNG

SVG

🎉 Welcome to the MetaSleuth User Manual! 🎉

MetaSleuth is a comprehensive platform designed to track and investigate on-chain assets, catering to diverse analysis needs. To facilitate a quick start with this tool, we have included four key topics in the "Getting Started" section:

1. Start by a Simple Search: Quickly find specific addresses or transactions using the search function to access relevant data and insights.

2. Start by a Shared Chart: Collaborate and build upon existing visualizations by exploring shared charts created by other users.

3. Understand the concept of nodes, which represent entities such as addresses or contracts within the blockchain network.

4. Learn about edges, which illustrate the relationships and transactions between nodes, providing context to the data you analyze.

On-chain investigations serve various purposes. You might be a law enforcement officer tracing illicit funds, a compliance officer assessing a user's financial risk, or an investor checking for potential issues with a project. You may also need to investigate a fraudulent transaction to track where your money went. In any case, the analysis always starts with an address or a transaction.

Open MetaSleuth

Using MetaSleuth requires no preparation. Simply visit our website at metasleuth.io. You don’t even need to register or log in; you’ll find the analysis entry point right away—just a simple input box.

You can enter an address, transaction hash, or ENS domain name. If you're unsure what to search for, click the search box to see popular addresses and choose one to start.

The Investigation Toolbox primarily provides filtering and editing capabilities for the data on the canvas. It consists of the following six key functionalities.

Address Filter lists all the analyzed addresses, including those displayed on the canvas and those not displayed on the canvas. Users can search for specific addresses in the filter and adjust their visualization status.

Token Filter lists all the analyzed tokens. If all transfers related to a token are displayed on the canvas, it will be represented as selected (checkbox checked); conversely, if none of the transfers related to a token are displayed on the canvas, it will be represented as unselected (checkbox unchecked). It's important to note that if only some transfers related to a token are displayed on the canvas, it will be represented as partially selected (checkbox indeterminate).

Add Address/Tx allows users to add specific addresses or transactions (intra-asset transfers) to the canvas. For more information, you can refer to the

Sometimes, you may receive a MetaSleuth analysis result shared by someone else, such as . In MetaSleuth, these links are referred to as Shared links. They allow users to view and edit the canvas associated with the shared analysis.

View a Shared Canvas

A shared canvas is essentially a snapshot of the analysis results provided by the sharer. When you open a shared link, you see the state of the entire canvas as it was when the link was created. You can click on the edges and nodes to view details, as well as check the sharer's notes. However, keep in mind that this is just one analysis result and does not represent the complete picture.

Clicking on an address node will display details such as the address label, associated tags, risk score, asset balance, and on-chain interactions. It's important to note that the asset transfers shown are only those selected by the sharer to be displayed on the canvas. To view a more comprehensive set of asset transfers, you will need to unlock the canvas for re-analysis.

The Canvas in MetaSleuth is your primary workspace for visualizing and analyzing blockchain data. It includes several key features:

1. Toolbox Overview: Access a variety of tools designed to enhance your analysis and streamline your workflow.

2. Better Layout: Enjoy an organized interface that allows for efficient arrangement of visual elements, making your data easier to interpret.

3. Customize Your Canvas: Tailor the Canvas to fit your needs by adjusting layouts, colors, and other visual settings to improve your analysis experience.

4. : Utilize keyboard shortcuts to navigate and operate more efficiently within the Canvas, saving you time during your investigations.

In MetaSleuth, edges represent the relationships between the connected nodes (addresses). Currently, there are three types of relationships displayed:

• Standard Asset Transfer: The most common relationship type, indicating the flow of assets between two addresses.

• Contract Creation Relationship: Represents the relationship between a contract creator and the created contract, labeled as 'Contract Creation'.

• Cross-Chain Asset Transfer: This relationship indicates fund interactions between a standard address node and a cross-chain bridge node, typically suggesting that the funds have been transferred across chains. Users can further explore the source and destination of the funds using the InterChain Tracer feature.

In the example provided below, we can simultaneously observe these three types of relationships.

Next, let's examine the information contained in a standard asset transfer edge.

In the example below, the edge from the node Euler Finance Exploiter 2 (0xb66cd) to KyberSwap Exploiter (0x50275e) indicates that Euler Finance Exploiter 2 sent 0.110 Ether to KyberSwap Exploiter.

Please note that MetaSleuth consolidates asset transfers of the same direction and type between two addresses into a single edge. Therefore, an edge does not represent a single transaction.

To see more details about an edge, click on it to open the , then select Detail to view all transaction information.

In the transaction list, you can see that the Euler Finance Exploiter 2 has made two transactions, transferring a total of 0.111 Ether to the KyberSwap Exploiter.

Edge Colors

Edges are typically gray by default, but to help distinguish different asset transfers, MetaSleuth uses the primary color of the major tokens' icons from each chain as the edge color. This aids users in better understanding the asset flows.

Users can modify edge colors in two ways:

• Change the Color of a Single Edge: Click the canvas icon on the edge.

• Change Color for All Edges of a Token: To modify the color of all edges representing a specific token, go to the Token Filters panel in the top left corner. Click the color circle next to the token you wish to change. After selecting your desired color, all edges associated with that asset will update to the new color.

Edge Labels

Edge labels consist of three parts:

1. Index: All edges are sorted by the displayed time, with a smaller index indicating an earlier occurrence.

2. Time: The earliest timestamp of all transactions included in the edge (the time of the earliest transaction).

3. Transfer Amount: The total amount of asset transfers represented by the edge (for the selected transactions displayed on the canvas), along with the token symbol.

In MetaSleuth, the Canvas serves as the central workspace where users can visualize and analyze blockchain data. Panels are additional sections that provide detailed information and tools related to the items displayed on the Canvas. We organize it into four sections:

1. Canvas: The Canvas is the central workspace for visualizing and analyzing blockchain data, enabling interactive manipulation of nodes and edges.

2. Address Panel: The Address Panel shows detailed information about specific addresses, including transaction history and token holdings.

3. : The Edge Panel displays the connections between nodes, highlighting transaction flows and relationships.

4. : The InterChain Tracker Panel monitors cross-chain transactions, allowing users to trace asset movement between different blockchain networks.

Tracking and analyzing on-chain assets often revolve around fund flows, making the layout of the canvas crucial. It not only affects the efficiency of analysis but also impacts the presentation of the analysis results. MetaSleuth has specifically provided a layout adjustment toolbar, which offers the following functionalities:

Manual Layout allows users to manually adjust the position and alignment of nodes on the canvas. Users can drag and reposition nodes to create a customized layout that suits their analysis needs.

Automatic Layout automatically arranges the nodes and edges on the canvas in an optimized layout, enhancing the visual clarity and organization of the fund flow diagram.

Adjust Spacing allows users to globally adjust the spacing between nodes, creating a more compact or expanded layout.

Undo and Redo enable users to manage and revert changes made to the canvas during the analysis process. Please note that there is a limitation on the number of steps allowed for Undo and Redo, which is set to a maximum of three steps.

Center the Graph allows you to align and center the entire canvas, bringing it into view and restoring overall control. This functionality is particularly useful when you want to refocus and have a complete view of the graph without any elements being cut off or hidden.

Full Screen allows you to immerse yourself fully in your analysis and investigation. Give it a try!

• Ctrl / Cmd + Z: Undo

• Ctrl / Cmd + Shift + Z: Redo

• Ctrl / Cmd + F: Search

• Ctrl / Cmd + Shift + Click: Multi-Select nodes

• Ctrl / Cmd + Shift + Drag: Multi-Select nodes

Investigations can be complex and have multiple entry points. For example, if you want to investigate a case involving four separate addresses, you can add them to the canvas using this feature.

When you add addresses, they will be placed on the canvas without any immediate analysis, allowing you to perform analyze, expand, or load more operations later. On the other hand, when you add transactions, MetaSleuth will retrieve the inner asset transfers of those transactions and display them all on the canvas.

When clicking on any edge on the canvas, an edge list panel will expand.

In this panel, you can view all asset transfers between two addresses (based on the currently available data). Each edge is uniquely identified by (from, to, asset). To view specific transfer data, you need to click on "Detail" to enter the Transaction List Panel. For example, clicking on (Poloniex 4, Poloniex Exchange Exploiter, Ether) in the above example would allow you to view all transaction details on the canvas involving the transfer of Ether from Poloniex 4 to Poloniex Exchange Exploiter, as shown below.

The fund flow in MetaSleuth consists of nodes and edges, where the "nodes" represent addresses on the blockchain, also referred to as wallets or accounts.

There are two types of nodes on the MetaSleuth canvas:

1. Standard Address Nodes: These are displayed as rounded rectangles.

2. Resolvable Bridge Nodes: These are represented as octagons.

To access the account settings page, click the User avatar icon on the top right corner, then Account Settings.

In account settings, users can:

• Update username (alias)

• Reset password

You can export the relevant data, such as transaction details, asset transfers, or analysis results, in a suitable format. MetaSleuth supports various export options, including CSV and PNG, depending on your needs.

Switch payment method between card and crypto

To switch between the Card and Crypto payment methods, you will need to resubscribe after the current billing cycle ends.

To facilitate the process of tracking funds for users, MetaSleuth has a built-in InterChain Tracker. The InterChain Tracker automatically identifies potential cross-chain asset transfers when users analyze addresses. It also provides a one-click tracking feature to trace the cross-chain asset transfers on the other side. For more information on how to use it, you can visit the .

Currently, MS supports automatic parsing of cross-chain bridges such as Across, Multichain, cBridge, Hop, PolyNetwork, Stargate, Synapse, WormHole, Optimism Gateway, Polygon Pos Bridge, Avalanche Bridge (partial support), and RenBridge (partial support).

For further information on bridges and cross-chain transfers, please visit .

The Load More feature provides you with complete control over selecting the data to display on the canvas. It retrieves asset transfers for a target address but does not automatically paint them. You can carefully select the ones you want to show by examining the name tag, risk information, interaction direction, and other details in the Address Panel.

You have the option to upload your watermark and place it anywhere on the canvas. Additionally, you can attach a hyperlink to your watermark, allowing it to direct viewers to your website.

In MetaSleuth, effective account and data management is essential for a personalized experience. This section includes:

• Manage your account details, including password changes and security options to ensure your account remains secure.

• Customize your user experience by adjusting settings such as notification preferences, display options, and language choices.

• Access and manage your data, including viewing your activity history and exporting relevant information for your records.

MetaSleuth offers a range of plans for user selection. For specific plan details, please refer to: .

We also provide two payment options: Card and Crypto. Users can manage their subscribed plans and billing information below:

1. : Quickly adjust your subscription plan to fit your needs, whether upgrading or downgrading.

2. : Easily update your payment details to ensure uninterrupted service and avoid payment issues.

MetaSleuth offers three different Team Plans for you to choose from, which you can explore at: https://metasleuth.io/plans.

Please note that team Plan subscriptions do not accept crypto payments.

Understand the team plans

Team Plans in MetaSleuth are based on seats, which represent the number of individuals who can join your organization. For example, if you have 10 seats and 6 are occupied, you can add 4 more individuals.

Charge by seat

MetaSleuth charges for all seats on your account, regardless of whether they are being used. For instance, if you have 5 seats and 4 active users, you will be billed for all 5 seats, even if one seat is unfilled.

Manage your seats

Team admins can increase or decrease the number of seats by clicking on "Update Seats" in the billing section of the Team settings. Please note that the total number of seats cannot be less than the number of occupied seats.

Upgrade or add seats

If you add seats or upgrade your team plan, the additional costs will be applied immediately to your current billing period.

Downloade or remove seats

When you remove seats or downgrade your plan, these changes will take effect in your next billing cycle.

Feel free to reach out us at [email protected] if you have any questions or need further assistance!

To enhance the clarity and presentation of your analyses, MetaSleuth offers several features:

• Memo: Add notes to your visualizations to provide context or explanations for specific data points, making it easier to remember key insights.

• Labels: Use labels to identify and categorize different elements within your workspace, allowing for quick recognition and organization of your data.

• Custom Watermark: Personalize your visualizations with a custom watermark, which adds a professional touch and helps maintain ownership of your work.

Upgrade plan

You can upgrade your plan at any time by visiting the Pricing page, selecting your desired plan, and clicking "Upgrade."

When upgrading to a higher plan mid-billing cycle:

• You will be charged immediately for the new plan.

• The amount due will be prorated based on the remaining time in your current billing cycle.

• The new plan takes effect immediately, and the billing cycle remains the same.

If you switch to a longer billing interval:

• You will be charged immediately for the new plan.

• The amount due will be reduced by a prorated amount based on the time remaining in your previous billing period for your current plan.

• The new plan takes effect immediately, and the billing cycle changes right away.

Downgrade plan

Currently, MetaSleuth does not provide the option to downgrade while an active subscription plan is in effect. If you need to downgrade, we kindly ask that you cancel your current subscription first and then resubscribe after the current billing cycle.

Cancel subscription

Your MetaSleuth subscription, whether monthly or annually, will renew automatically until you cancel it.

You can cancel anytime by clicking User avatar icon -> Subscription -> Manage Billing.

On the Stripe page, click Cancel subscription to unsubscribe. After you cancel, you’ll still have access to all the paid features until the end of your billing cycle.

To access the user data management page, click the User avatar icon on the top right corner.

Private Labels

This section includes the private name tag of addresses and private notes of transactions. All private labels are displayed in a table list format, where users can search, edit, and export labels.

Saved Charts

In this section, users can access all saved charts, and options to search, delete, and edit are available.

Shared Links

In this section, users can access all shared links, with options to delete, edit expiration time, and edit information. Please note that shared links are snapshots of charts, and edits cannot update the content of a shared link.

Once you have conducted your analysis and gathered relevant information, it is essential to compile your findings in a comprehensive manner. MetaSleuth has some great features to help you compile your findings effectively.

When you come across words that can enhance understanding of the charts and the underlying story, simply utilize the Memo feature.

During the analysis process, you can add private labels to addresses and transactions to record your own understanding of the specific address or transaction. These private labels serve as personal notes or annotations.

In contrast to private labels, MetaSleuth also provides default public labels supported by the BlockSec Address Label Library. These public labels offer standardized and publicly recognized tags for addresses, helping you gain additional insights or information about specific addresses or transactions.

Looking for specific direction tracking? Use Expand, the single-direction version of Analyze.

To access the preference settings page, click the User avatar icon on the top right corner, then Preference.

Chart Settings

The settings in the chart settings will affect how the canvas is displayed globally.

Amount Display Format

This setting primarily applies to the display of token amounts within the canvas.

• The Standard Format (e.g., 1,099,999.99 Ether) is the default display format.

• The Abbreviated Format (e.g., 1.099M Ether) can shorten the displayed text, making the layout within the canvas more compact in certain situations.

Automatically Hide Suspicious Token Transfers

When you turn on this setting, the fund flow will deselect (not display in canvas) those edges which contain suspicious token transfers by default.

Watermark

You can customize your watermark and manage the display of the MetaSleuth watermark here.

Custom Watermark

You can upload a logo or image to create a custom watermark that represents them or their organization. You can also add a URL link to the uploaded watermark, which allows others to visit the link when clicked. After uploading, you can add this custom watermark to their charts to identify your work. This feature is available to subscribers of the Pro Plan and higher.

Remove MetaSleuth Watermark

Subscribers to the Pro Plan or above have the option to remove the MetaSleuth Watermark from their Canvas. By turning on the switch, the watermark can be removed globally.

Subscription

Get Supported Chains

Get Risk Indicators

Get Address Risk Score

When tracing funds, the appearance of a cross-chain bridge node on the canvas indicates cross-chain transfers. To explore further, simply click on this bridge node or the connecting edge to open the InterChain Tracer Panel.

The illustration below shows an example of the InterChain Tracer Panel. Here, the ExactlyProtocol Exploiter is depicted using the Across bridge to transfer Ether from the Optimism network to the Ethereum blockchain.

Within the InterChain Tracker Panel, each entry represents a cross-chain transaction, providing key details such as the source and destination transactions, as well as the assets transferred. If cross-chain relationships have not yet been traced, information will only be available on either the source or destination side.

Are you wondering how to discover transactions on the respective chain? Which chains and addresses are involved in sending or receiving? By clicking "Track," users can utilize MetaSleuth's automated cross-chain tracking capabilities. Once the analysis is complete, cross-chain asset transfers on the other side will be displayed in the panel and automatically highlighted on the canvas.

If you encounter any unsupported, inaccurate, or failed cross-chain resolutions, we encourage you to provide feedback by selecting the "Report Bug" option located in the bottom right corner of the panel. Your input is invaluable in helping to enhance the tracking experience!

In MetaSleuth, users can utilize the following features to efficiently and effectively trace funds:

1. : Examine transaction details and patterns to gain insights into fund flows.

2. : View incoming and outgoing transactions to understand the movement of assets.

3. : Retrieve additional transaction data to ensure a comprehensive overview.

In MetaSleuth, the "Save and Share" feature enhances your workflow by allowing you to:

• : Securely store your analysis and visualizations for future reference.

• Easily share your findings with team members or stakeholders to foster collaboration and discussion.

• : Export your data and insights in various formats, making it convenient to present your work.

To improve how we collect and present data, we limit the number of records shown by features like Analyze. Usually, we display only the most recent few hundred transfer records. While these limits can make tracking and analysis harder, we have introduced the Data Explorer feature to help.

In the address panel, we now show the number of transfers we have retrieved and the total number of transfers available. This helps you understand the data retrieval status for each address and make better decisions about what to do next.

Subscription

The BlockSec AML API Service offers two main sets of APIs, providing services for and , respectively.

Our API is authenticated using the API key. To ensure the security of your data, please do not share your API key with anyone.

How to get the API Key?

To generate an API key, begin by . Once registered, access the panel in the Settings section to quickly get your API key.

When your HTTPS request is successful, you will see the following four main fields in each response.

MetaSleuth Address Monitoring is designed to provide real-time tracking of fund inflows and outflows at specific addresses. We strive for comprehensive monitoring coverage and high availability through the following optimizations:

• Multi-Chain Support: We support major blockchains including Ethereum, BSC, Solana, Arbitrum, Polygon, Optimism, Avalanche, and Fantom, allowing users to monitor activities across multiple chains.

• Multi-Asset Monitoring: We cover the majority of asset types on these chains, enabling users to track a variety of digital assets they care about.

• Flexible Rule Configuration: Users can set precise monitoring rules to track asset transfers, minimizing unnecessary notifications and distractions.

• Easy Management: Users can easily create, pause, resume, and delete monitoring rules, allowing for flexible management of their monitoring targets.

• Timely Notifications: To ensure users are promptly informed of asset transfers, we offer an email notification service, ensuring no important updates are missed.

Address Asset Monitoring

For EVM-compatible chains, this service supports monitoring native tokens and assets that comply with mainstream token protocols (e.g., ERC-20, ERC-721, BEP-20) for any address. For the Solana chain, it supports monitoring native tokens and any specified SPL tokens.

Monitoring Rule Configuration

To achieve precise asset transfer monitoring, users can configure rules based on token type, direction, and amount:

• Token Specification: Users can specify tokens down to the protocol level (e.g., native, ERC-20, ERC-721, BEP-20) and specific tokens (e.g., designated USDC contract address).

• Direction Options: Monitoring can be set for incoming (IN), outgoing (OUT), or both (ALL) transfers.

• Amount Range: Users can specify a range for the amount of tokens to monitor. The minimum value for fungible tokens is set at 0.001, with no upper limit.

Monitoring Rule Management

Configured monitoring rules can be viewed in the Dashboard. The displayed information includes monitoring targets, operational status, creation time, restart time (if paused), and the number of events that met the criteria during monitoring. Users can perform actions on monitoring tasks, including pausing, restarting, editing, and deleting.

Monitoring Event Notification

In the Dashboard, users can view all events related to a monitoring task. An event typically represents an asset transfer and includes information such as the transaction time, transaction hash, direction of transfer, counterpart, asset, and amount. If users have configured their email and enabled notifications, they will receive email alerts for these events.

Analyze (Intelligent Analysis)

The default analysis feature of MetaSleuth. In addition to retrieving basic asset transfer data, Analyze incorporates intelligent techniques to facilitate the user's analysis process. Therefore, we also refer to it as "Intelligent Analysis."

You can access the Analyze feature in two main ways: through the search box on the homepage or by selecting an address node on the canvas.

Users can join a team to collaborate, sharing data such as labels, saved charts, shared links, and monitors within that team. Each user is restricted to being a member of just one team.

Create your team

To start collaborating, create a team first. All teams need a subscription.

Click 'Create a New Team', set up your team information, and select a plan to begin.

Add team members

Team admin can invite other MetaSleuth users to join Your Team from the 'My Team' section in the Team settings.

Each team member can have one of the following roles:

• 👀 Viewer: Can view data in the Team Workspace, including labels, charts, and monitoring data. Does not use a seat in the Team.

• ✍️ Editor: In addition to the above, can create, edit, and delete team data, use Team Plan features for investigation.

• ⚙️ Admin: In addition to the above, can manage the team and its members. The Admin role is exclusive to the team creator.

The team admin can manage team members on the team settings page, where they can invite or remove team members and modify their roles.

Team data

Collaborate in workspace

Data created by users within the team context is automatically saved in the team workspace, accessible to all team members. Within this shared workspace, team members can collaborate, viewing and editing data according to their role-specific permissions.

Share personal data with team

After joining a team, users can share data from their personal accounts with the team. Users can share their address labels, saved charts, shared links and monitors with the team for collaboration.

Sharing data with the team is equivalent to duplicating a copy of the data within the team. Changes made to the data in personal and team contexts do not impact each other.

Switching contexts

As a team member, you can switch between personal and Team contexts. Labels and charts created in the team context are owned by the team, not you personally.

Individual and team subscriptions are distinct. Switching contexts alters your permissions and credit usage. In the individual context, you access personal plan features and spend personal plan credits. In the team context, you utilize team plan features and credits.

Advanced Permission

Advanced Permission gives teams more control over access management by enabling custom roles and fine-grained permission settings. With this feature, Admins can create roles with specific permissions and assign them to team members—ensuring each person has access to exactly what they need, and nothing more.

This feature is designed for teams with complex collaboration needs, offering flexibility beyond the default role-based access.

Availability: Advanced Permission is available exclusively for the Team Ultra Plan.

Enabling / Disabling Advanced Permission

Only Admins can enable or disable Advanced Permission.

To enable:

1. Go to Settings → My Team.

2. Toggle on Advanced Permission.

Once enabled:

• All default roles and permissions will be disabled.

• The Admin must manually create roles and assign them to each member.

• Members without a role assignment will have no access until assigned.

To disable:

• Toggle off the feature in the same location.

• Default roles and permission settings will be restored.

Creating a Role

Admins can define roles to manage access to various features within the team workspace.

To create a role:

1. Go to the Role List section.

2. For each role, configure permissions for the following features:

Labels

• Viewable: Can only view all labels in the team workspace.

• Editable: In addition to the above, can also add、edit、delete labels.

  • All data: Can edit all labels, no matter who created.

  • Data related to member himself

Saved Charts

• No Permission: No access to saved charts.

• Viewable: Can only view all saved charts in the team workspace.

• Editable: In addition to the above, can also add、edit、delete saved charts.

  • All data: Can edit all saved charts, no matter who created.

Shared Links

• No Permission

• Viewable

• Editable

  • All data

Monitors

• Viewable: Can only view all monitor data in the team workspace.

• Editable: In addition to the above, can also add、edit、delete monitor data.

  • All data: Can edit all monitors, no matter who created.

  • Data related to member himself

Investigations

• Allowed: The member can access or use all basic and advanced investigation features.

• No Permission: The member cannot access investigation features at all.

Assigning Roles to Members

Once roles are created:

1. Go to My Team.

2. Assign a role to each member.

• Each member can be assigned multiple roles.

• Permissions from multiple roles will be merged, and the member will receive the highest permission level available across all assigned roles.

• Role changes take effect immediately.

In this tutorial, we will describe the fund-tracking functionality of MetaSleuth. During the investigation, we usually want to track the outgoing funds from an address. MetaSleuth facilitates this process by supporting tracking fund flow from one direction.

In the following, we show a real example of tracking the phishing victim to demonstrate this functionality. The address tracked is ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713).

What is Fund Tracking and Why Metasleuth

From its inception, MetaSleuth aimed to provide analysts with more convenient visual analysis capabilities. After immersing in the on-chain sleuth group and Web3 community, we discovered that one of the most common tasks is tracking outgoing funds from a specific address within a defined time range.

After organizing the fund flow, utilizing memos to note details, and even adding your personal watermark, it's time to share your findings with others. You might want to share it with the media to open-source your findings or with other investigators to further the investigation.

MetaSleuth facilitates this through the 'Share Chart' feature, allowing you to easily share your analysis with others to explore the current canvas content, delve into details, and even continue editing it.

In this tutorial, we will guide you through the basic functionalities of MetaSleuth by tracing the stolen funds in a phishing transaction. Together, we will explore how to use MetaSleuth to analyze transactions, track specific funds, and monitor untransferred funds.

We have identified a phishing transaction on the Ethereum network with the hash 0x2893fcabb8ed99e9c27a0a442783cf943318b1f6268f9a54a557e8d00ec11f69. Now, let's delve into our analysis.

Input target, press 'Enter'

To begin, navigate to https://metasleuth.io/. Choose Ethereum as the network, and enter the transaction you wish to analyze. Press Enter. Now, await the data returned by MetaSleuth.

Main functional components

Once the transaction analysis is complete, you will be directed to the MetaSleuth analysis page, where you can see all the asset transfers that took place in the transaction. If the analysis target is an address, the displayed information will be more complex. We will cover address analysis in a separate tutorial.

In addition to the central asset transfer graph, the page includes various other functional components. Here is a simplified diagram, and you are encouraged to explore their specific usage during the analysis process.

Track the funds

The transaction we are focusing on involves only one asset transfer: Address 0xbcd131, which is the victim, transferred 2586 MATIC to Fake_Phishing180627.

To continue tracking the destination of the stolen MATIC tokens, it's straightforward. Simply select the Fake_Phishing180627 address node and click on the "+" button on the right side of the node.

This feature is called Expand outgoing and allows you to trace the assets sent from this address. In most cases, this feature provides the desired data. However, for addresses with a high transaction volume, you may need to utilize advanced features such as Advanced Analyze and Load More to obtain the required data.

After clicking the "+" button, we can see numerous outgoing Ether transfers from Fake_Phishing180627. But what about the MATIC we want to track?

Filter the canvas

MetaSleuth does not display all the data it retrieves on the canvas to ensure a clean and readable representation of the overall fund flow. However, MetaSleuth provides various tools to help users locate the desired data and add it to the canvas. In this case, we can utilize the Token Filter to add all the MATIC asset transfers obtained by MetaSleuth to the canvas.

After confirming, we can see an additional MATIC transfer on the canvas, originating from Fake_Phishing180627 and going to Uniswap V3: MATIC. This is exactly the stolen funds we are tracking.

When it comes to assets sent to decentralized exchanges (DEX) like Uniswap, our focus is not on the MATIC tokens transferred out from the address Uniswap V3: MATIC, but rather on the assets obtained by Fake_Phishing180627 through the swap action on Uniswap.

So, what assets did Fake_Phishing180627 receive through this swap? Let's investigate this swap transaction to find out.

Add specific data

First, we need to determine the transaction to which the MATIC transfer from Fake_Phishing180627 to Uniswap V3: MATIC belongs. Click on the asset transfer edge on the canvas, and in the Edge List that appears below, click on Details to access the Transaction List. Find the transaction hash for this transfer and copy it.

Then, we can add this transaction to the canvas using the Add Address / Tx functionality located in the top left corner of the canvas. This will allow us to explore the asset transfers that took place within this transaction and gain a clearer understanding of its contents.

After adding it, all the asset transfers within this transaction will be visible on the canvas. It becomes clear that Fake_Phishing180627 swapped MATIC for 0.944 Ether through Uniswap. This 0.944 Ether is the asset we need to track further.

Track specific funds

Among the various Ether transfers originating from Fake_Phishing180627, which ones should we track?

By clicking on Fake_Phishing180627, you can observe the asset transfers associated with this address in the left-hand address panel. You might have noticed that there is more data available here compared to what is displayed on the canvas (as mentioned earlier, MetaSleuth emphasizes simplicity and readability in the fund flow diagram and does not show all data by default).

The transaction where Fake_Phishing180627 swapped MATIC for Ether occurred on 2023-06-18 at 14:57:11. Therefore, our primary focus should be on Ether token transfers that occurred after this specific time. To filter the data, we can utilize the filter function.

Within the filtered results, it is evident that approximately 6 minutes after the swap action, 1.4 Ether was transferred from the address Fake_Phishing180627 to the address 0x8bae70. This transfer likely contains the funds we are seeking to trace.

We can mark and display them on the canvas, continuing to track the assets of 0x8bae70. By doing so, we can observe that the funds eventually settle in the address 0x8de345

Monitor untransferred funds

To stay informed about the funds that have not been transferred yet, we can actively monitor them. By enabling monitoring, you will receive email notifications whenever relevant asset transfers occur. To explore additional monitoring features, please visit the MetaSleuth Monitor Dashboard at: .

Summary

Although this was a brief exploration, we hope that MetaSleuth has provided you with a convenient and smooth tracking and investigation experience. We will release more instructional material in the future and welcome your suggestions. Join our Telegram group at .

.

MetaSleuth is a crypto tracking and investigation platform. It can help monitor market movements, track fund flow of criminal activities, and DYOR to avoid scams.

🕵️ Everyone can become a sleuth in the crypto world and DYOR!

Features

• Intelligent analysis: MetaSleuth will automatically give you the most valuable interactions based on our Intelligent analysis engine for a given address.

• Cross-chain analysis: MetaSleuth supports cross-chain analysis, e.g., a token transfer from BSC to Ethereum through a bridge. All the cross-chain addresses are shown on one map.

• Sharing of the Analysis: The result can be shared (with others). Other users can further analyze the shared result, creating a collaborative community.

• Enhanced labels: MetaSleuth leverages BlockSec's address labeling system, providing enhanced labels of CEXs, scammer and hacker addresses, and other addresses we collected and verified.

Supported Chains

, , , , , , , , , , , , ,

Feedback

We value your input and would greatly appreciate any feedback or suggestions you may have. Please feel free to contact us through the social media channels listed below.

• Telegram:

• Twitter:

• Email: [email protected]

Tutorials

Multiple-Language

When you click on an address node, an address panel will expand from the left side of the canvas. In this panel, you can see the following information:

Name Tag: If an address has a public name tag supported by BlockSec or a private name tag assigned by a user, it will be displayed. For example, the "Poloniex Exchange Exploiter" in the image below.

Compliance Risk Score: The compliance risk of an address is evaluated based on the tag information associated with the address and its interaction with other addresses. It is assessed on a scale of five levels: No Risk, Low Risk, Medium Risk, High Risk, and Critical Risk.

Address Labels: The labels associated with an address are provided by the BlockSec AML team. For example, in the given example, the address carries the label "Attacker." Other common labels include CEX, DEX, Sanctioned, Compromised, and more. These labels are used to identify specific characteristics or risk factors associated with the address, aiding in compliance and risk assessment.

Balance

The Risk Score API evaluates the risk level associated with a given address. When an address is assessed as high-risk, the API also returns detailed insights explaining the key factors contributing to that risk.

Please note that this API analyzes only the target address and its one-hop related addresses. For a comprehensive crypto-compliance solution—such as a fully featured Know-Your-Address (KYA) API—refer to the BlockSec Phalcon Compliance App, which offers a free trial account.

How is risk assessed?

When assessing the risk of an address, we take into account several key factors, including its type, attributes, associated entities, and on-chain interactions. The address type indicates whether it is an EOA (Externally Owned Account) or a CA (Contract Account). The concepts of attributes and entities are . On-chain interactions refer to the specific blockchain transactions and activities in which the address has participated.

Among the information involved in the assessment, certain factors influence the assessment strategy, while others serve as critical risk indicators that significantly affect the assessment results. The following are the leading risk indicators used in our methodology, which can also be obtained through requests to stay informed about any changes in risk indicators.

Interpreting the risk score

Based on the risk assessment algorithm mentioned earlier, we classify an address's compliance risk into five levels, represented by scores ranging from 1 to 5. A higher score indicates a higher compliance risk associated with that address.

For addresses with a score of 4 or higher, it is advisable to refrain from interacting with them. For addresses with a score of 3, it is recommended to carefully consider the accompanying indicators to determine whether it is appropriate to engage with them.

Individual risk vs. Interaction risk

Based on how we identify risks, we categorize them into Individual and interaction risks. Individual risk primarily stems from the attributes and behavior of the address itself, while interaction risk arises from the address's involvement in risky on-chain transactions.

By default, we consider Individual and interaction risks to provide the final result. However, due to the temporary lack of support for interaction risk in some networks (refer to the section) and the longer calculation time required for interaction risk, we offer the option to specify whether to include the calculation of interaction risk when requesting compliance risk for an address.

Supported networks

Subscription

MetaSleuth provides a built-in saving feature that allows you to save your current investigation progress. This ensures that you can come back to it later. Also, you can simply click on "Untitled" and modify the chart's name. This makes it easier for you to manage your data and share insights with others.

The Appearance Editing Toolbox provides the functionality to edit the appearance of nodes, edges, and memos. When you open a canvas, it will initially display a node shape editor by default. You can minimize it into a canvas chart and freely drag it around, allowing yourself more space for analysis.

Clicking on an address node will open the shape editor related to that node, allowing you to edit its shape, text color, and node color.

You can perform batch editing on addresses by holding down Shift/Ctrl (Command) and clicking on nodes to select multiple ones.

Additionally, you can select any edge on the canvas to edit it, adjusting the line type, width, and color.

By selecting a memo, you can edit the font size, color, formatting, and background color of its text.

As the name suggests, Advanced Analyze is an enhanced version of the Analyze feature. With Advanced Analyze, you have the ability to specify the exact direction, token, and date range for your analysis. By utilizing this feature, you can retrieve the desired interaction data exactly as you expect it to be.

The Address Label API enables users to fetch address labels and comprehensively understand an address from various perspectives. It currently supports more than 25 different blockchains, including Solana, Bitcoin, Tron, Ethereum, BSC and other EVM-compatible chains.

Address Label

When using our API to look up an address, we will return three types of labels to describe the address.

Entity

We use Entity to describe an address's owner or controller. If it's an EoA address, this means the entity that controls this EoA address (with the private key). For a smart contract, the entity can refer to their deployers (projects).

Entity Category

Most entities are organizations or services, while only a few represent individuals. Most entities are categorized into the following categories, which can help you understand their nature.

Attribute

We use Attribute to describe the behavior or action associated with a specific address or entity. All attributes are listed in the table below.

Name Tag

A name is utilized to describe a cryptocurrency address with human-readable information. Assigning names usually considers the entity associated with the address and its specific attributes, such as Binance Hot Wallet 1 or Vitalik 2.

Supported Networks

The Address Label API supports 25 different chains, which are listed in the chart below. We also provide an that allows you to retrieve a list of all supported chains, enabling you to stay informed about any newly added chains.

Subscription