Request Demo

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Decrypting Crypto Bridge Transactions for Investigations

Join the Merkleverse

The rise of crypto bridges within the blockchain ecosystem has been significant, especially in 2022 and 2023. In 2022, Binance blockchain bridge experienced a loss of $570 million due to a hack. . Moving into 2023, the landscape evolved further with key trends and statistics:

  • Over $8 billion in crypto assets are bridged cross-chain every month, with Ethereum, Polygon, Arbitrum, Avalanche, and BSC being prominent chains involved. Stargate Finance leads in bridging volume with over $2.3 billion per month, offering secure and efficient asset movement across different Ethereum network based chains.
  • Polygon boasts the highest bridge Total Value Locked (TVL) with over $2.8 billion in assets. Despite the growth, bridge exploits and hacks resulted in $2.66 billion in assets lost, emphasizing the need for enhanced security measures.
  • Furthermore, the evolving landscape of laundering tactics involving crypto bridge protocols was observed in 2023. The Lazarus Group's activity surged fivefold throughout the year, with a significant portion of inflows traced back to wallets linked to cryptocurrency hacks.

Criminals increasingly favored cross chain bridge for illicit transfer, redirecting stolen funds to obscure their origins and complicate detection efforts by law enforcement and compliance teams at exchanges. This shift highlighted the need for stricter regulatory measures to prevent illicit activities through bridges.

Essentially a crypto bridge allows transfer of digital assets between multiple blockchains. Crypto bridging enhances blockchain interoperability across different chains and is a crucial infrastructure expanding blockchain utility. 

Popular use cases for crypto bridges include:

  • Cross chain transfer: Send tokens like BTC, ETH across different chains for instance, Polygon bridge to Ethereum bridge to bitcoin blockchain.
  • Support DeFi across chains: Build connected lending, trading apps across chains.
  • Liquidity: Bring external liquidity to smaller cap crypto assets.
  • Scaling: Split transactions across chains to avoid congestion.

Examples of live crypto bridge networks are Wormhole allowing transfer between Solana, Ethereum, Binance smart chain. Connext which connects multiple layer 1 and 2 Ethereum chains, and Orbitchain's Orbit Bridge focusing on bridging major layer 1 chains and orbit chain ecosystem.

Crypto bridges employ smart contracts which lock up a user's tokens on the source blockchain, and mint proxy tokens on the destination chain that are backed 1:1 with the locked assets. This transfer mechanism is referred to as peg-in/peg-out. Users can later redeem back their original assets by burning the proxy tokens if needed. 

How Crypto Cross Chain Transaction Works

Here are the key steps involved in transfers done via a decentralized crypto bridge: 

  • User initiates transfer on bridge UI: For example, sending 1 BTC from Bitcoin chain to Solana.
  • Native BTC is locked up into a vault account on the Bitcoin chain.
  • Validator nodes observe this lock event and relay messages to Solana.
  • Solana validators confirm proof of BTC lock is valid.
  • 1 BTC worth of proxy tokens "BTCx" are minted on the Solana chain.
  • User wallet on Solana is credited with BTCx tokens, backed 1:1 by real BTC locked on Bitcoin.

Validators play a crucial role relaying messages, updating states and confirming proofs across the source and destination blockchains. Consensus mechanisms like proof-of-stake are used to select validator sets. Bridge transaction steps in reverse are followed during asset redemption - user burns proxy tokens which triggers unlocking of native assets from vault accounts. 

Crypto bridges feature two-way pegging. Using the above example, Solana's native tokens can similarly be locked and ported as proxy tokens "SOLx" to the Bitcoin chain for DeFi applications. 

Visualizing and Investigating Transactions 

While blockchains inherently offer transparency into seeing wallet balances and transaction histories, making sense of the actual flow of funds between various entities and wallets is extremely complex. 

Specialized blockchain analytics tools address this by:

  • Visually trace fund flows between exchanges, mixers, gambling services.
  • Graph network to categorize entities, identify suspicious activities.
  • Risk scoring plus visualization for tracing cryptocurrency funds.

The tools rely on pattern recognition, proprietary clustering algorithms and labeled machine learning models trained on large labeled datasets of both legitimate and suspicious crypto activity. 

The visualization engine allows intuitive graphical representation of blockchain transaction flow between thousands of on-chain entities. Analysts can quickly trace funds from say a ransomware hack, through various money laundering steps like transfers across multiple exchanges, mixers and privacy coins, ultimately to an endpoint like a high risk jurisdiction exchange cashing out to fiat. At times, scammers also employ a trusted bridge network for crypto asset transfer, employing a tool that can readily identify a transaction from sanctioned entity keeps these bridges compliant with the aml/cft guidelines. Such tools heavily aid law enforcement and regulators investigating crypto fraud, theft, sanctions evasion, terror financing and other decentralized finance crimes.

Orbit Bridge Hack

Orbit bridge developed by Orbitchain is an interoperability focused blockchain network allowing asset transfers between major layer 1 chains via Orbitchain’s Inter Blockchain Communication (IBC) Protocol. This bridges different blockchain networks that otherwise cannot communicate with each other.

In late December 2023, Orbit Chain, a popular cross chain bridge solution, fell victim to a devastating attack that led to the loss of approximately $81 million in various cryptocurrencies. The hack was executed by exploiting weaknesses in the Orbit Bridge, specifically in input validation and signature verification processes.

Using extensive graphing capabilities of Tracker, LEAs can visualize and decrypt the intricate transaction web

Hacking Methodology

The attacker managed to gain control of the Orbit Bridge by creating fraudulent signatures and withdrawing funds from multiple accounts simultaneously. Once the initial exploit was identified, the Orbit Bridge was quickly disabled to minimize further damages.

Response and Recovery Efforts

To combat the effects of the attack, Orbit Chain initiated a multi-faceted strategy, working alongside national and international law enforcement agencies, as well as cybersecurity experts. The platform also released detailed analyses of the attack, providing insights into the methods employed by the attacker. This high-profile attack highlighted the challenges faced by law enforcement when dealing with complex attacks on decentralized systems. 

Orbit Bridge Functionalities

Orbit Bridge uses a multi-signature BFT consensus mechanism for consensus and state communication between interconnected heterogeneous blockchains.  This allows faster finality compared to probabilistic finality in single chain PoS networks. Concurrent transaction processing improves throughput.

The validator node architecture separates validation logic from chain logic allowing easier integration with external blockchains. The initial release focuses on bridging major layer 1 chains, while the future roadmap includes bridging side chains in the Orbit Chain ecosystem.

Orbit Bridge validator set is strictly managed with mandatory KYC (know your customer) process. Validators risk slashing penalties for malicious actions or liveness failures. This enforces robust security. Orbit Bridge peg zones are customizable by blockchain and asset type. This allows defining asset specific redemption rules and risk parameters. For example, illiquid peg zones can specify slower withdrawal limits to hedge against fire sale attacks during network congestion.

The key components of Orbit Bridge architecture are:

  • Ethereum Peg Zone: Deposits, withdrawals and redemption of pegged assets.
  • Cosmos Peg Zone: Enables IBC connected chains to transfer assets.
  • Orbit Chain: Main chain coordination consensus and cross-chain transactions.
  • Sentinel: Monitoring layer detecting and preventing value leakage.

Orbit Bridge provides REST and gRPC APIs for easy integration. Key API capabilities offered are Websocket streams for event notifications, fetching bridged assets and transaction statuses, getting validator details, estimating transaction fees etc.

Why is Blockchain Visualization Important for Crypto Investigation

As crypto-related crime grows exponentially more complex, 74% of agencies report struggling with limitations in current blockchain investigation tools. Sophisticated blockchain forensic solutions set a new standard with robust multi-chain coverage, advanced visualization, and intuitive workflows - enabling precise attribution and recovery of stolen funds across decentralized ecosystems. 

As crypto-related crime grows exponentially more complex, 74% of agencies report struggling with limitations in current blockchain investigation tools. Sophisticated blockchain forensic solutions set a new standard with robust multi-chain coverage, advanced visualization, and intuitive workflows - enabling precise attribution and recovery of stolen funds across decentralized ecosystems. 

How visualization simplifies Investigations 

Blockchain visualization transforms complex transaction histories into an intuitive graph representation. This allows visual tracing of the flow of cryptocurrency funds between thousands of on-chain entities like user wallets, exchanges, mixers, gambling dApps etc. 

For example, consider a hacker who has stolen 10 ETH and wants to launder it. They could leverage a cross-chain bridge like Orbit to swap the ETH for BNB. The transaction would show the bridge receiving 10 ETH from the hacker's wallet, locking it up in a vault, and minting 10 BNB worth of pegged tokens on the Binance chain to the hacker. 

While the basic flow seems straightforward, visualization tools that support crypto bridges can shine a spotlight on the entire chain hopping trail. This includes tracing the original hack transaction, labeling the bridge swap as high risk, tracing further transactions done with the laundered ETH, and attributing identities to linked wallets.

Decentralized bridges like Router Protocol, Uniswap and Orbit allow users to trustlessly swap tokens between different blockchains. Let's understand the mechanics with an example on Orbit bridge.

Standard Orbit Bridge Process

[     User    ]  Execute transaction in FROM chain
[ Operator ] Relay FROM Chain transaction data to OrbitHub.
[ Validator ] Verify FROM chain transaction data and sign verification to each governance
[ Operator ] Suggest TO chain transaction parameter and data to OrbitHub
[ Validator ] Verify TO chain transaction parameter and data to BridgeContract
[ Validator ] Sign selected TO chain transaction object to BridgeContract
[ Operator ] Assemble validators-signed transaction data and execute on TO chain

Here, FROM chain will be the initial network from which funds have been sought and deposited in the Orbit bridge. TO chain refers to the destination network through which the output is expected by the depositor. 

One bridge enables the movement of assets between two different blockchains through Locking/Vault, Release/Vault, Minting, and Burning contracts that exist on each blockchain. 

For example, suppose you send an Ethereum asset, 'ABC', to the Binance network. The 'ABC' asset is first sent to Ethereum's Locking contract and as soon as verification is complete, it is then passed to the Minting contract of the Binance Blockchain. Afterwards, a new 'ABC' token is issued in Binance, corresponding to the assets locked to Ethereum, by a set of validators verifying the Minting contract. The transactions of Orbit Bride have some additional processes within the basic Standard process depending on which From and To chain. 

As crypto-related crime grows exponentially more complex, 74% of agencies report struggling with limitations in current blockchain investigation tools. Sophisticated blockchain forensic solutions set a new standard with robust multi-chain coverage, advanced visualization, and intuitive workflows - enabling precise attribution and recovery of stolen funds across decentralized ecosystems. 

Hackers exploit such bridges because:

Assets are rapidly "cleaned" by converting to proxy tokens on destination chain

  • Trail goes cold as tracking asset across chains is difficult
  • Decentralized bridges have weak to no KYC requirements
  • Complex mechanics aid layering strategies to obscure audit trail

Advanced analytics can also automatically flag abnormal bridging volumes, cycling of funds across chains, and price arbitrage exploits. This simplifies investigation by separating the signal from noise and enabling investigators to quickly identify the most relevant transactions indicative of laundering via crypto bridges.

Investigating Orbit Bridge Transaction with Tracker

Tracker is tailored to monitor activity specifically on bridges like Orbit bridge by ingesting and parsing all transactions and blocks as they occur on the network. The key differentiation is a customized set of heuristics and risk identification rules encoded to detect potential suspicious patterns like cycling funds across chains via bridges, abnormal bridge transaction sizes, exploiting price arbitrages due to fragmented liquidity or assets disconnected from pegs.

All sanctioned entities are rapidly identified and any transaction is flagged abruptly

Advanced behavioral analytics identify outlier blockchain entities based on activity profiles. The visualized transaction graph produced by Tracker tool can therefore highlight high risk bridge flows to quickly catch bad actors.

Blockchain Tracing Tools for Crypto Bridge Investigations

Sophisticated criminals exploit crypto bridges to rapidly shift illicit funds across blockchain protocols, obscuring the flow of money and investigation trail. Tracker provides integrated visibility across bridges like Orbitchain, Wormhole, Connext, allowing one-click tracing of assets across chains.

Complex Blockchain Visualization

Visualizing flows between thousands of on-chain entities across heterogeneous chains is hugely challenging. Tracker simplifies investigation complexity. Intuitive visualization and filtering reveal key transactions, while advanced analytics spotlight anomalous blockchain bridges activities.

Visualization  reveals  key transactions, while advanced analytics spotlight anomalous bridge activities.

Actionable Intelligence 

Deriving meaning from massive blockchain datasets is crucial for investigations. Tracker enriches transactions with attribution, labels unusual bridge activities, provides audit trails for prosecution - enabling agencies to separate signal from noise.

Tracker in Action  

In ransomware attacks, attackers bridge funds rapidly across entities to layer illicit flows. Tracker is equipped for accelerated investigation and recovery via streamlined multi-chain analysis, visualization of fund diversion across bridges, automated labeling of suspicious bridge transaction patterns, and actionable intelligence for attributing identities.


The interoperability that crypto bridges facilitate is imperative for the greater and seamless adoption of the crypto ecosystem globally. While the significant surge in the use of crypto bridges can be attributed to the implementation of advanced blockchain technology, it has also contributed to the increase of cross chain crime. In this scenario it becomes important to use blockchain forensics for continuous tracking of funds. Merkle Science empowers law enforcement and government agencies with Tracker — a precise, user-friendly investigative tool. Tracker is equipped with enhanced attribution, extensive coverage, and advanced autographing capabilities that empower law enforcement agencies (LEAs) to detect, investigate, and prosecute crypto-related crimes with unparalleled precision.

The tool’s capabilities have been extended to cover EVM chains, Tron, and multi-chain analysis, further enhancing its investigative support.Tracker’s ability to analyze smart contracts and DeFi transactions ensures that investigators have the insights they need to do their job more effectively, regardless of the cryptocrime threat vector. In the realm of blockchain forensics and investigation, Tracker provides unparalleled precision and unrivaled insights.

Stay tuned for more updates by subscribing to our newsletter and blogs