Case Studies

Context

An Italian retiree, 65 years old and resident in Piemonte, was introduced through a WhatsApp group to what was presented as a Hong Kong-based "crypto arbitrage" platform. Over six months he made fourteen deposits in USDT-TRC20 to a single on-chain address, for a total of €340,000. The interface showed growing profits, a named relationship manager, and even a small "test withdrawal" that was paid out to build trust. When larger withdrawals started being blocked behind escalating "tax" and "compliance" pre-payments, he understood he had been targeted by a pig-butchering operation.

We were contacted 52 days after the final deposit — later than ideal, but before the cashout chain had fully completed.

The challenge

By the time we opened the file, the funds had already transited three wallet hops and reached a deposit cluster at a Tier-2 Asian exchange. The scam operator had begun the fiat off-ramp but had not finished it: a portion of the balance was still on-platform. With every additional week, more of the balance would move to bank cashouts we could not claw back.

Our approach

1. On-chain tracing using Chainalysis Reactor and TRM Labs to reconstruct the full 14-deposit pattern and identify the receiving cluster at the exchange.
2. Correlation of the cashout timing with a known pig-butchering template from our internal database — this revealed two wallets shared with more than forty other victim reports we had cross-indexed.
3. Consolidation of the evidence into a single multi-victim dossier and formal submission to the competent Italian prosecutor, with a parallel compliance request to the exchange.
4. Compliance-driven preventive freeze at the exchange on the strength of the dossier, before a formal judicial order was available.
5. Parallel civil action to obtain the judicial release order required by the exchange to return funds.

Outcome

€187,000 recovered — 55% of principal — fourteen months after engagement. The remainder had already been dispersed to fiat cashouts across multiple smaller banking relationships before the freeze and was formally documented as non-recoverable in our closing report.

What made this case: the client came to us fast enough that cluster analysis still had leverage. Had we been contacted six months later the cashout chain would have completed, and the same file would have produced a zero-recovery outcome. Time is the most expensive ingredient in recovery work.

---

Context

A contested divorce before the Tribunale Civile di Milano. The wife's attorneys suspected the husband had moved significant marital assets into cryptocurrency during the eighteen months leading up to the filing, but Italian bank records showed only ordinary household transfers. The husband, under oath, denied holding any crypto.

Italian divorce courts have limited native discovery mechanisms for off-shore or self-custodial holdings. Without a targeted forensic approach, the hidden portfolio would have remained invisible to the proceeding.

The challenge

We had to build a persuasive case for a non-technical court using evidence that would survive cross-examination by an opposing expert. That meant: (1) obtaining admissible records from the right Italian exchanges, (2) establishing a defensible link between those records and an on-chain wallet, and (3) producing a report a civil judge could read, understand, and rely on.

Our approach

1. Retained as CTP (party-appointed technical consultant) for the wife's defence.
2. Drafted and filed motions through counsel to subpoena records from the three Italian exchanges most likely to have been used by the husband: Young Platform, The Rock Trading, and Coinbase Italy. Returned records showed approximately €95,000 in recent deposits.
3. Identified eight withdrawal addresses controlled by the husband from the exchange records, then clustered them to a single self-custody wallet using co-spend heuristics.
4. On-chain valuation at the date of analysis: 4.2 BTC, 31 ETH, and approximately 890,000 USDT — a total of roughly €520,000.
5. Produced a 47-page forensic report with an integrated glossary, full chain of custody, reproducible methodology, and clearly caveated conclusions. Testified in three hearings, including a structured cross-examination of the opposing party's expert.

Outcome

The court accepted our analysis in full. The judgment ordered the husband to transfer 50% of the identified holdings — approximately €260,000 at the date of transfer — to the marital estate. His subsequent appeal was dismissed.

What made this case: the report was written for a non-technical judge. Glossary integrated, diagrams clean, conclusions properly caveated. Credibility under cross-examination mattered more than any single piece of on-chain detail. A correct answer that the court cannot understand is not evidence — it is noise.

---

Context

A mid-sized manufacturing SME in Emilia-Romagna was hit by a LockBit variant. After eleven days of failed recovery attempts and pressure from lost production, the CEO authorised a ransom payment of 1.8 BTC (approximately €78,000 at the time). Operations were restored. The local prosecutor subsequently opened an investigation into the payment chain, and we were engaged as technical consultants in support of the Guardia di Finanza's Nucleo Speciale Tutela Economia.

The challenge

LockBit's Bitcoin infrastructure uses aggressive peeling-chain patterns and routinely mixes affiliate shares through CoinJoin. The ransom address was brand-new, with no OPSEC mistakes at the entry point. On its own, this file had no obvious handle.

Our approach

1. Followed the peel chain across 23 hops over four weeks of manual analysis, logging every split and every address touched.
2. Identified a Wasabi CoinJoin transaction where the ransom flow merged with outputs already flagged from a prior affiliate case in our internal dataset.
3. Applied intersection analysis across the two flows to isolate two output addresses as likely candidates for the ransom affiliate's share.
4. One of the two candidates subsequently consolidated with a previously-flagged address on HTX — the signature we had been waiting for.
5. Compliance request via MLAT channels, formally routed through the Guardia di Finanza, led HTX to freeze 0.84 BTC pending judicial release.

Outcome

0.84 BTC frozen at HTX (approximately €36,000 at the freeze date), currently pending judicial release to the SME victim. Beyond the individual case, the analysis contributed three new affiliate wallet clusters to joint EU ransomware intelligence.

What made this case: CoinJoin was supposed to be the end of the trail. It wasn't — because a separate case had already pinned down the affiliate's consolidation pattern. Investigation is cumulative. Every file feeds the next; the value of an internal dataset is measured in months, not transactions.