The wallet address is one thread. This is the other, and it doesn't care if his crypto is brand new. Everything below is passive info-gathering and legitimate reporting we can mostly do ourselves, then hand the package to the people who make the arrest.
A file or link with an invisible beacon baked in (via a tool like canarytokens.org, free). We send it through the channel he's already using, framed as something he'll open, a payment receipt, a document, a photo. The instant he opens it, it phones home. It never touches his device and runs no code. It's a read-receipt that also reports where he opened it from.
The beacon above, delivered through his own channel. Multiple forms: a PDF, an image, a tracking link, even an email pixel.
If he emails, "show original / raw headers" often exposes the originating IP, the mail server, and his email client.
Carrier, region, and whether it's a burner or VoIP number (Google Voice / TextNow is itself a tell). Reverse-lookup for linked social accounts.
People reuse handles. Search his username across platforms to surface his other profiles, sometimes a real one.
Run his profile photo or any image he sends. Either it links to his other accounts, or it's a stolen/stock photo, which tells us he's a catfish and narrows the profile.
His reply times reveal his timezone. His slang, language, and mistakes narrow his region and origin. Preserve every message.
Extortion breaks every platform's rules. Report the account to WhatsApp / Telegram / wherever, with the evidence, to get it banned and kill his channel.
Report the address to Chainabuse and scam databases (warns others, exchanges auto-block it). If it hits a known exchange, request a freeze. Tether, the USDT issuer, can blacklist an address on a law-enforcement request.
Report the phone number to the carrier and anti-fraud lines so it gets flagged or cut.
Assume he may hold leaked data or account access. Change passwords, turn on 2FA everywhere, secure the accounts. This removes his leverage.
File with the police / national cybercrime unit. This is what unlocks the subpoena power to pull his KYC identity and move on him.
Everything here is passive info-gathering and legitimate reporting, the tools a victim is allowed to use. We do not hack his device, retaliate, threaten, or harass. That flips us from victim to offender and puts you at risk. And do not pay him to "trace it", the canary and the OSINT do that without funding him.