Investigation · part 2 · the person

Locate him. Stop him.

The wallet address is one thread. This is the other, and it doesn't care if his crypto is brand new. Everything below is passive info-gathering and legitimate reporting we can mostly do ourselves, then hand the package to the people who make the arrest.

◆ the lead move

The canary token

A file or link with an invisible beacon baked in (via a tool like canarytokens.org, free). We send it through the channel he's already using, framed as something he'll open, a payment receipt, a document, a photo. The instant he opens it, it phones home. It never touches his device and runs no code. It's a read-receipt that also reports where he opened it from.

his IPcity / regiondevice + OSbrowsertimezoneexact open time

Track A · locate + de-anonymize

Turn how he contacts the victim into who and where he is.
📄

Canary document / link DIY

The beacon above, delivered through his own channel. Multiple forms: a PDF, an image, a tracking link, even an email pixel.

→ his IP + physical location + device, the biggest single break
✉️

Email header analysis DIY

If he emails, "show original / raw headers" often exposes the originating IP, the mail server, and his email client.

→ origin IP + mail infrastructure
📱

Phone-number OSINT DIY

Carrier, region, and whether it's a burner or VoIP number (Google Voice / TextNow is itself a tell). Reverse-lookup for linked social accounts.

region + burner tell + linked identities
🔎

Username + handle sweep DIY

People reuse handles. Search his username across platforms to surface his other profiles, sometimes a real one.

his other accounts
🖼️

Reverse image search DIY

Run his profile photo or any image he sends. Either it links to his other accounts, or it's a stolen/stock photo, which tells us he's a catfish and narrows the profile.

real accounts, or a catfish confirmation
💬

Conversation intel DIY

His reply times reveal his timezone. His slang, language, and mistakes narrow his region and origin. Preserve every message.

timezone + region + behavior profile

Track B · stop + disrupt

Cut off his ability to keep doing this, while the identity work runs.
🚫

Report his account DIY

Extortion breaks every platform's rules. Report the account to WhatsApp / Telegram / wherever, with the evidence, to get it banned and kill his channel.

his channel removed
❄️

Flag + freeze the crypto DIY + them

Report the address to Chainabuse and scam databases (warns others, exchanges auto-block it). If it hits a known exchange, request a freeze. Tether, the USDT issuer, can blacklist an address on a law-enforcement request.

funds flagged / frozen
📵

Report the number DIY

Report the phone number to the carrier and anti-fraud lines so it gets flagged or cut.

number flagged
🔐

Lock down the victim DIY

Assume he may hold leaked data or account access. Change passwords, turn on 2FA everywhere, secure the accounts. This removes his leverage.

his leverage neutralized
👮

Formal report them

File with the police / national cybercrime unit. This is what unlocks the subpoena power to pull his KYC identity and move on him.

the legal power to unmask + arrest
How the work splits

We do most of it. They finish it.

We gather (canary + OSINT)+ We disrupt (report + lock down) We package the evidence They unmask + freeze + arrest
⚠ Stay on the right side of it

Everything here is passive info-gathering and legitimate reporting, the tools a victim is allowed to use. We do not hack his device, retaliate, threaten, or harass. That flips us from victim to offender and puts you at risk. And do not pay him to "trace it", the canary and the OSINT do that without funding him.

Locate through the channel. Disrupt his operation. Document it. Hand it over.