
Best Wallet Tracker in 2024: How to Use MetaSleuth to Track Stolen Funds

MetaSleuth
May 30, 2024

In this tutorial, we will guide you through the basic functionalities of MetaSleuth by tracing the stolen funds in a phishing transaction. Together, we will explore how to use MetaSleuth to analyze transactions, track specific funds, and monitor untransferred funds.

MetaSleuth Tutorial - Use MetaSleuth to track the stolen funds in a phishing transaction

We have identified a phishing transaction on the Ethereum network with the hash 0x2893fcabb8ed99e9c27a0a442783cf943318b1f6268f9a54a557e8d00ec11f69. Now, let's delve into our analysis.

Getting Started

Begin by visiting the MetaSleuth platform at https://metasleuth.io/. Choose Ethereum as the network and input the transaction you're interested in. For our case, we'll use the following transaction hash: 0x2893fcabb8ed99e9c27a0a442783cf943318b1f6268f9a54a557e8d00ec11f69.

Main functional components

Once the transaction analysis is complete, you will be directed to the MetaSleuth analysis page, where you can see all the asset transfers that took place in the transaction. If the analysis target is an address, the displayed information will be more complex. We will cover address analysis in a separate tutorial.

In addition to the central asset transfer graph, the page includes various other functional components. Here is a simplified diagram, and you are encouraged to explore their specific usage during the analysis process.

Track the funds

The transaction we are focusing on involves only one asset transfer: Address 0xbcd131, which is the victim, transferred 2586 MATIC to Fake_Phishing180627.

Continuing to track the destination of the stolen MATIC tokens is straightforward: select the Fake_Phishing180627 address node and click the "+" button on the right side of the node.

This feature is called Expand outgoing and allows you to trace the assets sent from this address. In most cases, this feature provides the desired data. However, for addresses with a high transaction volume, you may need to utilize advanced features such as Advanced Analyze and Load More to obtain the required data.

After clicking the "+" button, we can see numerous outgoing Ether transfers from Fake_Phishing180627. But what about the MATIC we want to track?

Filter the canvas

To keep the overall fund flow clean and readable, MetaSleuth does not display all the data it retrieves on the canvas. However, it provides various tools to help users locate the desired data and add it to the canvas. In this case, we can use the Token Filter to add all the MATIC asset transfers obtained by MetaSleuth to the canvas.

After confirming, we can see an additional MATIC transfer on the canvas, originating from Fake_Phishing180627 and going to Uniswap V3: MATIC. These are exactly the stolen funds we are tracking.

When it comes to assets sent to decentralized exchanges (DEX) like Uniswap, our focus is not on the MATIC tokens transferred out from the address Uniswap V3: MATIC, but rather on the assets obtained by Fake_Phishing180627 through the swap action on Uniswap.

So, what assets did Fake_Phishing180627 receive through this swap? Let's investigate this swap transaction to find out.

Add specific data

First, we need to determine the transaction to which the MATIC transfer from Fake_Phishing180627 to Uniswap V3: MATIC belongs. Click on the asset transfer edge on the canvas, and in the Edge List that appears below, click on Details to access the Transaction List. Find the transaction hash for this transfer and copy it.

Then, we can add this transaction to the canvas using the Add Address / Tx functionality located in the top left corner of the canvas. This will allow us to explore the asset transfers that took place within this transaction and gain a clearer understanding of its contents.

After adding it, all the asset transfers within this transaction will be visible on the canvas. It becomes clear that Fake_Phishing180627 swapped MATIC for 0.944 Ether through Uniswap. This 0.944 Ether is the asset we need to track further.

Track specific funds

Among the various Ether transfers originating from Fake_Phishing180627, which ones should we track?

By clicking on Fake_Phishing180627, you can observe the asset transfers associated with this address in the left-hand address panel. You might have noticed that there is more data available here compared to what is displayed on the canvas (as mentioned earlier, MetaSleuth emphasizes simplicity and readability in the fund flow diagram and does not show all data by default).

The transaction where Fake_Phishing180627 swapped MATIC for Ether occurred on 2023-06-18 at 14:57:11. Therefore, our primary focus should be on Ether token transfers that occurred after this specific time. To filter the data, we can utilize the filter function.

Within the filtered results, it is evident that approximately 6 minutes after the swap action, 1.4 Ether was transferred from the address Fake_Phishing180627 to the address 0x8bae70. This transfer likely contains the funds we are seeking to trace.

We can mark this transfer and display it on the canvas, then continue tracking the assets of 0x8bae70. Doing so shows that the funds eventually settle in the address 0x8de345.
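The token filter and time filter used above can also be applied to an exported transfer list. The following is an added example, not MetaSleuth code: the `Transfer` record, the function names, the one-hour window and every sample row are assumptions constructed for illustration, except the swap time, the 0.944 Ether swap output and the 1.4 Ether transfer to 0x8bae70, which come from the tutorial.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

@dataclass(frozen=True)
class Transfer:
    time: datetime
    sender: str
    receiver: str
    token: str
    amount: Decimal

PHISHER = "Fake_Phishing180627"                 # label from the tutorial
SWAP_TIME = datetime(2023, 6, 18, 14, 57, 11)   # swap time from the tutorial
SWAP_OUT = Decimal("0.944")                     # Ether received from the swap

# Constructed sample export; only the 1.4 Ether transfer to 0x8bae70 mirrors
# the tutorial, and its exact second is an assumption ("about 6 minutes").
TRANSFERS = [
    Transfer(datetime(2023, 6, 18, 9, 12, 40), PHISHER, "0xaaaaaa", "ETH", Decimal("2.1")),
    Transfer(datetime(2023, 6, 18, 14, 57, 11), PHISHER, "Uniswap V3: MATIC", "MATIC", Decimal("2586")),
    Transfer(datetime(2023, 6, 18, 15, 1, 5), PHISHER, "0xbbbbbb", "ETH", Decimal("0.05")),
    Transfer(datetime(2023, 6, 18, 15, 3, 20), PHISHER, "0x8bae70", "ETH", Decimal("1.4")),
    Transfer(datetime(2023, 6, 18, 15, 40, 0), "0xcccccc", PHISHER, "ETH", Decimal("3.0")),
    Transfer(datetime(2023, 6, 19, 8, 0, 0), PHISHER, "0xdddddd", "ETH", Decimal("1.0")),
]

def candidate_outflows(transfers, address, token, after, traced, window=timedelta(hours=1)):
    """Outgoing `token` transfers sent by `address` within `window` after
    `after`, ranked so transfers large enough to carry `traced` come first,
    then by how soon they follow the swap."""
    hits = [t for t in transfers
            if t.sender == address and t.token == token
            and after < t.time <= after + window]
    return sorted(hits, key=lambda t: (t.amount < traced, t.time))

def describe(t, after):
    """One-line summary of a candidate with its delay after the swap."""
    delay = int((t.time - after).total_seconds())
    return f"{t.amount} {t.token} -> {t.receiver} (+{delay // 60}m{delay % 60:02d}s)"

if __name__ == "__main__":
    for t in candidate_outflows(TRANSFERS, PHISHER, "ETH", SWAP_TIME, SWAP_OUT):
        print(describe(t, SWAP_TIME))
```

The ranking is only a triage aid: a transfer that is large enough and close in time is a candidate, and the earlier, smaller outflow still needs to be checked before it is ruled out.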

Monitor untransferred funds

To stay informed about the funds that have not been transferred yet, we can actively monitor them. By enabling monitoring, you will receive email notifications whenever relevant asset transfers occur. To explore additional monitoring features, please visit the MetaSleuth Monitor Dashboard at https://metasleuth.io/monitor.

Summary

Although this was a brief exploration, we hope that MetaSleuth has provided you with a convenient and smooth tracking and investigation experience. We will release more instructional material in the future and welcome your suggestions. Join our Telegram group at https://t.me/MetaSleuthTeam.

About MetaSleuth

MetaSleuth is a comprehensive platform developed by BlockSec to assist users in effectively tracking and investigating all crypto activities. With MetaSleuth, users can easily track funds, visualize fund flows, monitor real-time fund movements, save important information, and collaborate by sharing their findings with others. Currently, we support 13 different blockchains, including Bitcoin (BTC), Ethereum (ETH), Tron (TRX), Polygon (MATIC), and more.

Website: https://metasleuth.io/

Twitter: @MetaSleuth

Telegram: https://t.me/MetaSleuthTeam
