Resources Case Study
CASE STUDY 10 min read

Operation Atlas: From First Alert to Restraint Order in 72 Hours

How a UK law enforcement team used ShadowTrace to trace £2.3M in cryptocurrency across 3 chains, identify 14 wallets, and secure a restraint order in just 72 hours.

ShadowTrace Research
Published 3 March 2026
72
hours
From onboarding to restraint order
14
wallets
Identified and linked
3
chains
Bitcoin, Ethereum, Tron
£2.3M
In traceable cryptocurrency
1
Onboarding & Import
Platform access, wallet addresses imported, initial triage
2
Investigation & Tracing
Cross-chain fund flows mapped, clusters identified, risk assessed
3
Evidence & Submission
Court-ready packages generated, restraint order application submitted

The Challenge

A regional organised crime unit received intelligence linking a suspected fraud network to cryptocurrency holdings. The suspected funds — approximately £2.3 million — had been converted from fiat currency through a combination of peer-to-peer exchanges and over-the-counter brokers across three separate blockchain networks: Bitcoin, Ethereum, and Tron.

The unit faced a disclosure deadline. A restraint order application needed to be filed within 72 hours, or the window to freeze the assets would close. The challenge was compounded by the fact that the team had limited prior experience with blockchain investigations and no existing tooling in place.

Traditional approaches — outsourcing the analysis to a specialist consultancy or procuring a new software platform through standard channels — would have taken weeks, if not months. The team needed a solution that could be deployed immediately and produce court-ready outputs within an extraordinarily tight timeframe.

The Approach

The unit contacted ShadowTrace on a Monday morning. By lunchtime, the team had been onboarded to the platform with three investigator seats. The initial set of wallet addresses — derived from earlier financial intelligence — was imported directly into a new case workspace.

ShadowTrace's onboarding process is designed for exactly this scenario: urgent operational need with no time for lengthy procurement or training cycles. The platform interface follows the logic of a criminal investigation, so investigators could begin working immediately using familiar concepts — addresses, transactions, flows of funds — rather than having to learn compliance-oriented terminology.

A dedicated support session was provided during the first hour, walking the investigators through the core workflows: importing addresses, running automated risk assessments, and navigating the transaction graph. However, the team reported that the interface was intuitive enough that they were working independently within minutes.

The Investigation

Day 1: Triage and Initial Discovery

Within the first two hours, the team had triaged the imported addresses using ShadowTrace's automated risk assessment. The platform identified several addresses with direct exposure to known high-risk services, including a mixer service and a peer-to-peer exchange previously linked to fraud proceeds.

The initial address set of six wallets was quickly expanded. ShadowTrace's clustering algorithms identified an additional eight wallets controlled by the same entity, based on shared transaction patterns, timing analysis, and input co-spending on the Bitcoin network.

By the end of the first day, the investigators had a comprehensive map of the suspect's wallet infrastructure across all three chains. Each wallet had been assessed for risk, and the highest-priority addresses had been flagged for deeper analysis on day two.

Day 2: Cross-Chain Tracing

The investigation moved into cross-chain analysis. The suspects had moved funds from Bitcoin to Ethereum via a decentralised bridge, then converted a portion to USDT on the Tron network — a common layering technique designed to obscure the trail.

ShadowTrace's multi-chain graph allowed the investigators to follow these movements visually, maintaining a single view across all three chains. Each hop was logged automatically, creating an audit trail that documented every investigative step.

The risk scoring at each stage was fully explainable. Rather than presenting opaque numbers, the platform broke down each score into contributing factors: direct exposure to flagged services, behavioural indicators consistent with layering, and proximity to known illicit clusters. This transparency proved critical when preparing the evidence package.

The investigators also identified a pattern of structured transactions — multiple transfers of similar value sent in rapid succession — which was consistent with an attempt to avoid detection thresholds. This behavioural indicator was documented and included in the final evidence package as a supporting factor.

Day 3: Evidence and Submission

On the final day, the team generated court-ready evidence packages directly from the platform. These included:

  • A complete transaction flow diagram showing the movement of funds from origin to current holding addresses
  • Individual wallet reports with risk breakdowns and methodology documentation
  • A timeline of investigative steps with timestamps, demonstrating the reproducibility of the analysis
  • Summary narratives suitable for inclusion in the restraint order application

The evidence package was reviewed by the unit's legal team and submitted to the court that afternoon. The restraint order was granted, freezing approximately £2.3 million across the identified wallets.

The legal team noted that the quality of the documentation — particularly the explainable risk scores and the clear audit trail — significantly strengthened the application. The court was able to follow the logic of the investigation from initial intelligence through to the final conclusions without requiring specialist blockchain knowledge.

The Outcome

The investigation demonstrated several critical capabilities:

  • Rapid deployment: From first contact to active investigation in under four hours, with no prior training required
  • Cross-chain visibility: Seamless tracing across Bitcoin, Ethereum, and Tron, including bridge transactions and token conversions
  • Explainable intelligence: Every risk score and cluster identification included clear reasoning, supporting the evidential standard required for court proceedings
  • Court-ready outputs: Evidence packages generated directly from the platform met the documentation standards expected by the court

The restraint order secured the assets pending further proceedings. The investigation subsequently contributed to a broader intelligence package shared with partner agencies.

The unit has since adopted ShadowTrace as its primary blockchain intelligence platform, using it across multiple ongoing investigations. The investigators who worked the Operation Atlas case have become internal advocates, supporting colleagues across the force with cryptocurrency-related enquiries.

Key Metrics

  • Time from first contact to restraint order: 72 hours
  • Wallets identified and linked: 14 (from initial set of 6)
  • Blockchain networks traced: 3 (Bitcoin, Ethereum, Tron)
  • Traceable cryptocurrency: £2.3 million
  • Investigators onboarded: 3
  • Prior blockchain investigation experience: None

"The platform let us work at the speed the investigation demanded. We didn't have weeks to learn a new tool — we needed answers that day."

— Senior Investigating Officer (anonymised)

Case Study Law Enforcement Asset Seizure Cross-Chain Evidence
Share this article:

Related Articles

LAW ENFORCEMENT | 7 min read

From Wallet to Warrant: How Blockchain Intelligence Supports Modern Law Enforcement Investigations

Blockchain intelligence platforms are becoming essential for law enforcement — supporting faster, more defensible outcomes in cryptocurrency investigations.

Read more
RISK | 5 min read

Explainable Risk in Crypto Investigations: Why "Black Box" Scores Aren't Enough

For law enforcement, a score alone is insufficient. Investigators must understand why something is considered high risk.

Read more

Built for evidence-driven investigations

ShadowTrace provides the transparency, audit trails, and reporting capabilities that law enforcement teams need.

See how it works