Iron Fox is a prototype CLI tool designed to trace stolen cryptocurrency funds by analyzing transaction histories on blockchain networks. It was created to assist in tracking funds lost to a phishing attack, specifically after malware was planted on my computer through a phishing attack following a LinkedIn interview or similar interaction, and it helps identify paths to exchanges or fiat off-ramps for potential recovery or reporting.
Tracing starts from a given wallet address and follows outgoing transfers to map fund flows, identifying connected addresses, including potential mixers, exchanges, or cash-out points.
The tool uses blockchain explorer APIs (e.g., Etherscan for Ethereum) to fetch transaction data. Additional chains can be supported if configured; the prototype focuses on Ethereum.
It generates reports on traced paths as visualized graphs or text summaries, highlighting connections to known fiat cash-out services or centralized exchanges.
It also lets the user supply additional addresses or overrides when automated tracing stalls.
The core tracing algorithm is a breadth-first search (BFS) over the transaction graph:
Initialization: Begin with the starting address (e.g., the wallet that was hacked/exploited) and enqueue it for processing.
Expansion: For each dequeued address, fetch its transaction history via the API and extract recipient addresses from outgoing transfers above a configurable value threshold (to ignore dust transactions).
Filtering: Skip already-visited addresses to prevent cycles. Apply heuristics to prioritize significant transfers (e.g., large amounts, or transfers to known exchange deposit addresses).
Termination: Stop when the maximum depth is reached, no new addresses are found, or a fiat cash-out is detected (e.g., via labeled addresses from services like Chainalysis or manual tags).
Output: Build a graph of addresses and transfers, flagging suspicious paths.
Because BFS expands the graph one hop at a time, the shortest paths out of the compromised wallet are found first. Obfuscated paths such as tumblers may still require manual adjustment.
To optimize API calls and handle rate limits, fetched data is cached:
Local Storage: A simple JSON file or SQLite database holds the fetched transaction data per address.
Cache Key: Address + chain ID.
Expiration: Entries expire after a configurable time (default: 24 hours) so that new transactions are picked up.
Hit/Miss Logic: Before each API call, check the cache; on a hit, use the stored data; on a miss or an expired entry, fetch from the API and update the cache.
This reduces redundant requests and speeds up repeated runs or iterative tracing. It also saves on API costs, since transaction data for a given address only needs to be fetched from Etherscan once per expiry window. As a side effect, the accumulated cache becomes a record of addresses seen in prior traces, which could be used to map a network of related bad actors.
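The following is an added example, not Iron Fox's own code, showing the BFS tracer and the expiring address + chain ID cache described above working together. The addresses, transfer values, exchange labels, and the `fetcher(address, chain_id)` interface standing in for an explorer API are all constructed assumptions; it runs offline on the embedded sample data.

```python
# Added example (not Iron Fox's own code): BFS fund tracing with an expiring
# per-address transaction cache, run over constructed sample data.
import json
import time
from collections import deque

CHAIN_ID = "1"  # Ethereum mainnet; only used as part of the cache key

# Constructed stand-in for explorer API responses: outgoing transfers per
# address, values in ETH. These are not real addresses or transactions.
SAMPLE_TXS = {
    "0xvictim":    [{"to": "0xhop1", "value": 10.0}, {"to": "0xdust", "value": 0.0001}],
    "0xhop1":      [{"to": "0xhop2", "value": 6.0}, {"to": "0xexchange1", "value": 4.0}],
    "0xhop2":      [{"to": "0xhop1", "value": 1.0}, {"to": "0xexchange2", "value": 5.0}],
    "0xexchange1": [],
    "0xexchange2": [],
}
# Hypothetical manual tags for known exchange deposit addresses.
KNOWN_EXCHANGE_DEPOSITS = {"0xexchange1": "Exchange A", "0xexchange2": "Exchange B"}


class TxCache:
    """JSON-serialisable cache keyed by address + chain ID with a TTL."""

    def __init__(self, ttl_seconds=24 * 3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now          # injectable clock so expiry can be tested
        self.store = {}
        self.hits = 0
        self.misses = 0

    @staticmethod
    def key(address, chain_id):
        return f"{address.lower()}:{chain_id}"

    def get(self, address, chain_id):
        entry = self.store.get(self.key(address, chain_id))
        if entry is not None and self.now() - entry["fetched_at"] < self.ttl:
            self.hits += 1
            return entry["txs"]
        self.misses += 1        # miss or expired: caller must refetch
        return None

    def put(self, address, chain_id, txs):
        self.store[self.key(address, chain_id)] = {"fetched_at": self.now(), "txs": txs}

    def dumps(self):
        return json.dumps(self.store)

    def loads(self, text):
        self.store = json.loads(text)


def make_counting_fetcher(data):
    """Return (fetcher, calls): fetcher mimics an explorer API over `data`
    and records every address it is asked for in `calls`."""
    calls = []

    def fetcher(address, chain_id):
        calls.append(address)
        return list(data.get(address, []))
    return fetcher, calls


def fetch_with_cache(address, chain_id, cache, fetcher):
    txs = cache.get(address, chain_id)
    if txs is None:
        txs = fetcher(address, chain_id)
        cache.put(address, chain_id, txs)
    return txs


def trace(start, fetcher, cache, chain_id=CHAIN_ID, min_value=0.01,
          max_depth=5, labels=KNOWN_EXCHANGE_DEPOSITS):
    """BFS over outgoing transfers from `start`; returns edges, the labelled
    cash-out addresses reached (with hop count), and the visited set."""
    visited = {start}
    queue = deque([(start, 0)])
    edges, cashouts = [], []
    while queue:
        addr, depth = queue.popleft()
        if addr in labels:
            # This branch ends at a labelled exchange deposit; others continue.
            cashouts.append({"address": addr, "label": labels[addr], "hops": depth})
            continue
        if depth >= max_depth:
            continue
        txs = fetch_with_cache(addr, chain_id, cache, fetcher)
        # Heuristic: expand larger transfers first within the same BFS level.
        for tx in sorted(txs, key=lambda t: -t["value"]):
            if tx["value"] < min_value:     # ignore dust
                continue
            edges.append((addr, tx["to"], tx["value"]))
            if tx["to"] in visited:         # cycle or already explored
                continue
            visited.add(tx["to"])
            queue.append((tx["to"], depth + 1))
    return {"edges": edges, "cashouts": cashouts, "visited": visited}


if __name__ == "__main__":
    fetcher, calls = make_counting_fetcher(SAMPLE_TXS)
    cache = TxCache()
    result = trace("0xvictim", fetcher, cache)
    for c in result["cashouts"]:
        print(f"cash-out: {c['address']} ({c['label']}) after {c['hops']} hops")
    trace("0xvictim", fetcher, cache)   # second run is served from the cache
    print(f"API calls: {len(calls)}, cache hits: {cache.hits}, misses: {cache.misses}")
```

Two design points differ from a naive reading of the text: reaching a labelled address ends only that branch rather than the whole search, so several independent cash-out paths can be reported from one run, and the cache's clock is injectable so that the 24-hour expiry can be exercised in a test without waiting.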
This is a prototype tool, primarily built for personal use in tracing stolen funds given the sheer number of transactions generated by the attack. For complicated traces, such as those involving mixers, privacy protocols, or multi-chain hops, the algorithm may get stuck, requiring manual entry of additional addresses, transaction IDs, or custom filters to continue.
In its application to the creator's phishing incident, the tool successfully traced 12 accounts that connected to a fiat cash-out, with the output files noting 12 detected exchanges, providing valuable insights for reporting to authorities.