Overview

The Educational Laboratory of Financial Investigations delivers specialized training on investigating financial crimes involving cryptocurrencies and virtual assets. The curriculum has been developed iteratively with direct input from practitioners across eight Ukrainian law enforcement agencies and refined through collaboration with international blockchain analytics experts.

Training is structured in two levels — Foundational and Advanced — and is designed for investigators, prosecutors, operational officers, and analysts working on financial crime, anti-corruption, national security, and asset recovery cases. All practical exercises use licensed professional tools in a controlled training environment.

---

Foundational Level

The foundational program provides a comprehensive introduction to blockchain technology, cryptocurrency ecosystems, and the regulatory landscape — equipping participants with the knowledge base required for any investigation involving virtual assets.

Module F1: Blockchain Architecture and Transaction Fundamentals

Core concepts of distributed ledger technology as they apply to financial investigations:

• UTXO model (Bitcoin and derivatives) vs. account-based model (Ethereum and EVM-compatible chains): structural differences and their implications for transaction tracing
• Transaction lifecycle: from creation through mempool to confirmation; understanding confirmations, block height, and finality
• Block explorers as investigative tools: reading transaction data, identifying inputs/outputs, tracking address balances and transaction histories
• Hash functions, Merkle trees, and consensus mechanisms — at the level relevant to understanding investigative tool outputs (not developer-level)

Module F2: Keys, Addresses, and Wallets

How cryptocurrency ownership and control work, and what this means for seizure and evidence:

• Public/private key pairs, seed phrases, derivation paths
• Address formats across major blockchains (Bitcoin legacy, SegWit, Bech32; Ethereum; TRON; stablecoin addresses)
• Custodial wallets (exchange-held) vs. non-custodial wallets (self-custody): investigative implications for seizure procedures and evidence collection
• Hardware wallets, software wallets, browser extensions, paper wallets — recognition and handling in field operations

Module F3: Token Classification and the MiCA Framework

Understanding the asset types investigators encounter:

• Cryptocurrencies (Bitcoin, Ethereum), stablecoins (USDT, USDC, DAI), utility tokens, governance tokens, NFTs
• Classification under the EU Markets in Crypto-Assets Regulation (MiCA): asset-referenced tokens, e-money tokens, other crypto-assets
• Practical relevance for investigators: how token type affects tracing, seizure feasibility, and jurisdictional considerations

Module F4: Exchanges, Service Providers, and Regulatory Frameworks

The institutional ecosystem of cryptocurrency and the regulatory tools available to investigators:

• Centralized exchanges (CEX): order books, KYC/AML procedures, law enforcement request portals, data available through mutual legal assistance
• Decentralized exchanges (DEX): automated market makers, liquidity pools, on-chain transaction records — what can and cannot be traced
• Other service providers: OTC desks, peer-to-peer platforms, payment processors, crypto ATMs
• Regulatory frameworks: FATF Travel Rule, KYC/KYT requirements, VASP registration and obligations under EU AML directives
• Ukrainian regulatory context: current legal status of virtual assets, reporting obligations, cooperation with the State Financial Monitoring Service

---

Advanced Level

The advanced program builds on foundational knowledge to address the techniques criminals use to obscure cryptocurrency flows, the professional tools available to counter them, and the legal procedures for seizing and preserving digital asset evidence.

Module A1: Transaction Obfuscation Techniques

How illicit actors attempt to break the tracing chain, and how investigators can identify and work through these techniques:

• Peel chains: Automated splitting of funds through hundreds of sequential transactions; pattern recognition and clustering approaches
• Mixers and tumblers: Centralized mixing services, their operational patterns, and investigative indicators
• CoinJoin: Decentralized transaction mixing (Wasabi Wallet, JoinMarket, Whirlpool); the difference between equal-output and variable-output CoinJoin; limits of deanonymization
• Cross-chain bridges: Moving funds between blockchains (e.g., Bitcoin → Ethereum → Tron) to exploit gaps in tracing tool coverage; bridge protocols and wrapped assets
• Privacy coins: Monero (RingCT, stealth addresses), Zcash (shielded transactions), Dash (CoinJoin-based PrivateSend) — current state of traceability and investigative approaches
• Chain hopping and layering: Multi-stage laundering through combinations of the above techniques

Module A2: Anti-Detection Methods

Tools and methods used to circumvent identification controls:

• KYC drop accounts: purchased or stolen verified accounts on exchanges; indicators of drop account usage
• Anti-detect browsers: fingerprint spoofing tools (Multilogin, GoLogin, Dolphin Anty) and their role in operating multiple exchange accounts
• No-KYC exchanges and instant swap services: identification of services operating without verification; what investigative data can still be obtained
• DEX-based laundering: using decentralized protocols to exchange illicit funds without identity verification; front-running, sandwich attacks, and MEV as investigative data sources
• VPN and Tor usage: limitations of IP-based attribution in cryptocurrency investigations

Module A3: Blockchain Analytics Platforms

Practical, tool-based training using licensed professional software:

• Crystal Blockchain (licensed and deployed at the Laboratory): real-time transaction tracing, address clustering, risk scoring, entity identification, visualization of fund flows, generation of investigation reports
• Comparative overview of major platforms: Chainalysis Reactor, Elliptic Navigator, TRM Labs Forensics — capabilities, coverage, and typical use cases
• Interpreting analytics outputs: confidence levels, attribution accuracy, known limitations
• Combining on-chain analytics with off-chain intelligence: correlating blockchain data with exchange records, OSINT, financial intelligence reports

Module A4: Legal Frameworks for Cryptocurrency Seizure

Practical legal procedures for Ukrainian investigators and prosecutors:

• Seizure of cryptocurrency under Article 170 of the Criminal Procedure Code of Ukraine: procedural requirements, court orders, technical execution
• Seizure from custodial wallets (exchange cooperation, freeze orders) vs. non-custodial wallets (private key acquisition, hardware wallet handling)
• Multisig wallet seizure procedures: scenarios involving multiple key holders, threshold signatures
• Chain of custody for digital evidence: documentation requirements, forensic imaging, hash verification, court admissibility standards
• International cooperation: mutual legal assistance requests to exchanges in foreign jurisdictions; Europol/Interpol channels; direct law enforcement cooperation agreements

Module A5: AI-Assisted Blockchain Analysis

Emerging tools and methods at the intersection of artificial intelligence and cryptocurrency investigation:

• Machine learning approaches for pattern detection: identifying suspicious transaction clusters, anomaly detection in blockchain data
• AI-assisted entity classification and attribution
• Natural language processing for OSINT correlation with on-chain data
• Current capabilities and limitations: what AI tools can reliably do today vs. vendor marketing claims
• Ethical and legal considerations: admissibility of AI-derived evidence, bias in training data, human oversight requirements

Module A6: International Standards and Compliance Frameworks

Aligning investigative practice with evolving global standards:

• FATF 2025 updated guidance: three compliance pathways for virtual asset regulation
• EU AML/CFT framework: 6th Anti-Money Laundering Directive, Transfer of Funds Regulation (recast), MiCA enforcement provisions
• Cross-border coordination: FATF mutual evaluations, MONEYVAL assessments, Ukraine’s alignment trajectory with EU acquis (Chapter 4 — Free movement of capital; Chapter 24 — Justice, freedom and security)

---

Training Methodology

Practice-Oriented Approach

All training is built around practical exercises rather than lectures. Participants work with real blockchain data (anonymized where necessary) using licensed analytical tools in a controlled training environment. Case studies are drawn from real investigative scenarios adapted for the Ukrainian and Eastern European operational context.

Train-the-Trainer Model

The pilot training program (February–March 2026) validated a train-the-trainer approach: over the course of a month, STU faculty members trained under invited international lecturers and Crystal Intelligence experts within the UCIF project framework, developing their own training materials. These materials were then delivered to law enforcement practitioners from eight agencies during the capstone training event on 23–24 March 2026. This model is designed to create a multiplier effect — building a permanent pool of qualified trainers at the university who can deliver blockchain analytics instruction to successive cohorts of LEA officers.

Hybrid Delivery

Training is delivered in both on-site and online formats, ensuring accessibility for law enforcement participants across Ukraine. The hybrid model was successfully tested during the February 2026 guest lecture and has proven effective for reaching participants in regions with security or mobility constraints.

Licensed Tools Environment

Practical sessions are conducted using the Laboratory’s licensed software:

• Crystal Blockchain — on-chain analytics and transaction tracing
• i2 Analyst’s Notebook — link analysis and intelligence visualization
• Orbis and YouControl — corporate structure analysis and business intelligence

This ensures that participants train on the same class of tools they will encounter in professional investigative settings, rather than on simplified academic simulations.

---

Target Audience

The training programs are designed for:

• Investigators from financial crime, anti-corruption, and cybercrime units
• Prosecutors overseeing cases involving cryptocurrency-related offenses
• Operational analysts working on financial intelligence and asset tracing
• Asset recovery specialists responsible for identifying, seizing, and managing digital assets
• Compliance officers in regulatory and supervisory bodies

Participants are not expected to have technical backgrounds in computer science or software development. The curriculum is structured to build from foundational concepts to advanced investigative techniques, with each module designed to be accessible to practitioners with law enforcement, legal, or financial backgrounds.

---

Curriculum Development

The training curriculum is continuously updated to reflect:

• Evolving criminal typologies (new laundering techniques, emerging threat vectors)
• Regulatory developments (FATF updates, EU legislative changes, Ukrainian legal reforms)
• Advances in blockchain analytics tools and AI-assisted investigation methods
• Practitioner feedback from law enforcement participants

The curriculum development process benefits from direct input from eight Ukrainian law enforcement agencies, ensuring that training content remains relevant to real investigative needs. International partnerships with Crystal Intelligence, DAI Global/UCIF, and guest experts from iSanctuary and Cryptoforensic Investigators provide additional perspectives on global best practices and emerging trends.

---

Related Pages

• Educational Laboratory of Financial Investigations — Main Page
• Events & Activities
• Partners & Cooperation