How we forensically trace THORChain swaps
THORChain allows direct swaps from BTC to ETH, BNB, and many other coins — without a centralised exchange and therefore without KYC. A challenge for investigators. A technical look at how we reconstruct the trail.
Cross-chain swaps are among the hardest challenges in blockchain forensics. As soon as coins leave a chain, classical UTXO heuristics stop helping — the trail "disappears" from the perspective of a pure Bitcoin clustering tool. THORChain is one of the most popular protocols in this space: native, decentralised, without wrapper tokens, supporting BTC ↔ ETH, BNB, AVAX, ATOM, DOGE, LTC, BCH.
In this post we show how Coinator detects THORChain swaps and — with some confidence — reconstructs them across the chain boundary.
How THORChain works (short version)
For a swap, the user deposits on the origin chain (e.g. BTC) into a vault address. THORNodes observe the deposit transaction, reach consensus on it, and execute the payout from a vault on the destination chain. Vault addresses rotate regularly (the churn mechanism) but are published by the protocol itself, and that is our entry point.
Key properties for forensics:
- Vault addresses are published and discoverable through the THORNode API (e.g. thornode.ninerealms.com), so the set of current and historical vaults can be maintained as a watchlist
- Every swap carries a memo (in a BTC OP_RETURN output, or in the router calldata on Ethereum) encoding the destination chain and destination address
- Timing between deposit and payout is typically seconds to minutes
Our detection heuristics
Step 1 — Vault address matching
Coinator maintains a continuously updated list of all historical and current THORChain vault addresses. Any deposit to such an address is immediately flagged as a potential swap.
Step 2 — Memo decoding
The BTC deposit includes an OP_RETURN output carrying a memo of the form SWAP:ETH.ETH:0xRecipientAddress:MinAmount. The SWAP keyword is frequently abbreviated to "=" because Bitcoin's default relay policy caps OP_RETURN data at 80 bytes. Coinator parses this memo and extracts:
- Destination chain
- Destination address
- Minimum output (slippage protection: if the pool cannot deliver at least this amount, the protocol refunds the deposit instead of paying out)
Step 3 — Timing correlation
On the destination chain, we search for the corresponding payout:
- Recipient address matches the memo
- Time window 1–15 minutes
- Amount matches (modulo fees and slippage) the deposit value converted to the destination currency
If all three match, the cross-chain link is recorded with a confidence score. THORChain's outbound transaction additionally carries its own memo of the form OUT:<inbound txid> (as OP_RETURN on UTXO chains, in the router's transferOut call on Ethereum); where that memo is recoverable, it ties the payout to the deposit directly rather than statistically.
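The three steps above, as an added example that is neither Coinator's code nor THORChain's reference implementation: it extracts the memo from a BTC OP_RETURN script, decodes the SWAP memo (including the "=" short form and the LIM/INTERVAL/QUANTITY limit notation used by streaming swaps), and scores destination-chain candidates by recipient, time window and amount. The window, tolerance and score weights are assumptions chosen for illustration; the transactions, addresses, transaction ids and exchange rate are constructed and not real.

```python
"""Added example (not Coinator's code): decode a THORChain swap memo from a
BTC OP_RETURN output and correlate the deposit with candidate payouts on the
destination chain. All sample data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def op_return_payload(script_hex: str) -> Optional[bytes]:
    """Return the data pushed by an OP_RETURN scriptPubKey, else None.
    Covers the direct push (1..75 bytes) and OP_PUSHDATA1 (0x4c) forms,
    which is all an 80-byte memo can need."""
    s = bytes.fromhex(script_hex)
    if len(s) < 2 or s[0] != 0x6A:
        return None
    op = s[1]
    if 1 <= op <= 75:
        n, start = op, 2
    elif op == 0x4C and len(s) >= 3:
        n, start = s[2], 3
    else:
        return None
    data = s[start:start + n]
    return data if len(data) == n else None


@dataclass
class SwapMemo:
    chain: str            # e.g. "ETH"
    asset: str            # e.g. "ETH"; token contract suffix stripped
    dest_addr: str
    limit: Optional[int]  # minimum output in 1e8 base units, None if absent


def parse_swap_memo(memo: str) -> Optional[SwapMemo]:
    """Parse SWAP:CHAIN.ASSET:DEST[:LIMIT[:AFFILIATE:FEE]]; "=" and "s" are the
    short forms of SWAP. A streaming swap writes LIMIT as LIM/INTERVAL/QUANTITY."""
    parts = memo.split(":")
    if len(parts) < 3 or parts[0].upper() not in ("SWAP", "=", "S"):
        return None
    if "." not in parts[1] or not parts[2]:
        return None
    chain, asset = parts[1].upper().split(".", 1)
    asset = asset.split("-", 1)[0]        # ETH.USDC-0XA0B8... -> USDC
    limit = None
    if len(parts) > 3 and parts[3]:
        lim = parts[3].split("/", 1)[0]
        limit = int(lim) if lim.isdigit() else None
    return SwapMemo(chain, asset, parts[2], limit)


@dataclass
class Payout:
    txid: str
    to_addr: str
    amount: float        # destination asset units (ETH here)
    timestamp: int       # unix seconds
    out_memo: str = ""   # THORChain outbounds carry OUT:<inbound txid>


def correlate(deposit_txid: str, deposit_ts: int, memo: SwapMemo,
              expected_out: float, candidates: List[Payout],
              window: Tuple[int, int] = (0, 900),
              tolerance: float = 0.05) -> List[Tuple[float, Payout]]:
    """Score candidate payouts, best first. Window, tolerance and weights are
    assumptions; expected_out is the deposit converted at the pool rate."""
    scored = []
    for p in candidates:
        if p.to_addr.lower() != memo.dest_addr.lower():
            continue
        if not window[0] <= p.timestamp - deposit_ts <= window[1]:
            continue
        if p.out_memo.upper() == f"OUT:{deposit_txid.upper()}":
            scored.append((1.0, p))       # protocol memo names the deposit
            continue
        score = 0.5                        # recipient and window matched
        deviation = abs(p.amount - expected_out) / expected_out
        if deviation <= tolerance:
            score += 0.3
        elif deviation <= 3 * tolerance:
            score += 0.15
        if memo.limit is not None and p.amount * 1e8 >= memo.limit:
            score += 0.1                   # payout honours the memo's minimum
        scored.append((round(score, 2), p))
    return sorted(scored, key=lambda sp: sp[0], reverse=True)


def build_op_return(memo: str) -> str:
    """Sample-input helper: encode a memo as an OP_RETURN scriptPubKey hex."""
    data = memo.encode()
    push = bytes([len(data)]) if len(data) <= 75 else bytes([0x4C, len(data)])
    return (b"\x6a" + push + data).hex()


# Constructed sample: a 1.1 BTC deposit at an assumed 30 ETH/BTC pool rate.
DEST = "0x1111111111111111111111111111111111111111"
SHORT_MEMO = f"=:ETH.ETH:{DEST}:3100000000"                # 63 bytes
LONG_MEMO = f"SWAP:ETH.ETH:{DEST}:3100000000/1/5:dx:10"     # 76 bytes, PUSHDATA1
DEPOSIT_TXID = "aa" * 32
DEPOSIT_TS = 1_700_000_000
EXPECTED_OUT = 33.0
CANDIDATES = [
    Payout("11" * 32, DEST, 32.1, DEPOSIT_TS + 240),       # fits
    Payout("22" * 32, DEST, 40.0, DEPOSIT_TS + 300),       # amount off
    Payout("33" * 32, DEST, 32.9, DEPOSIT_TS + 5000),      # outside window
    Payout("44" * 32, "0x2222222222222222222222222222222222222222", 32.1, DEPOSIT_TS + 120),
]


def trace(script_hex: str):
    """Run all three steps on one deposit's OP_RETURN script."""
    payload = op_return_payload(script_hex)
    memo = parse_swap_memo(payload.decode(errors="replace")) if payload else None
    if memo is None:
        return None
    return memo, correlate(DEPOSIT_TXID, DEPOSIT_TS, memo, EXPECTED_OUT, CANDIDATES)


if __name__ == "__main__":
    print(trace(build_op_return(SHORT_MEMO)))
```

The scoring is deliberately capped below 1.0 unless the payout's own OUT:<txid> memo names the deposit, so that a purely statistical match is never presented as certain.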
What this means in practice
An anonymised example from an investigation:
A ransomware victim pays 3.8 BTC to an extortion address. The coins are split across three peel-chain hops; then 1.1 BTC goes to a THORChain vault with memo SWAP:ETH.ETH:0xabc.... Coinator identifies the corresponding ETH payout at 0xabc... and continues on the Ethereum side, until the recipient eventually uses a DEX aggregator and exchanges the funds into stablecoins.
The reconstructed chain does not stop at the BTC/ETH boundary — for the investigator, it continues two chains further. This is the decisive difference compared to tools focused solely on Bitcoin.
The limits
Precise as the heuristic is, it is not infallible:
- If an attacker uses a "pass-through" user as a proxy (paying someone to swap on their behalf), the on-chain link reaches the proxy, not the person behind them.
- With extreme slippage (e.g. on thinly traded pool pairs), the amount match becomes ambiguous and the timing window alone carries the link.
- Large swaps can be deliberately delayed by THORChain's outbound throttling, so a fixed window of a few minutes may miss the payout.
- A malformed memo causes THORChain to refund the deposit (minus fees) to the sending address instead of paying out; the funds reappear on the origin chain, which looks very different forensically.
This is why Coinator provides a confidence score and the underlying evidence for every cross-chain link — not a binary yes/no statement.
Chainflip, Bridgers, and others
We apply the same methodological structure (vault matching, memo/calldata decoding, timing correlation) to Chainflip and the Bridgers aggregator as well. Details on all cross-chain heuristics are available in our methodology overview.