Money Movement & Transaction Fraud

How investigators trace money after fraud occurs and why speed matters for recovery

Following the Money

The alert hit at 2:14 PM on a Thursday. A wire transfer for $847,000 had just left Meridian Manufacturing's account, bound for a bank in Hong Kong. The payment matched an invoice from their parts supplier in Shenzhen. Except their parts supplier banked in Singapore, not Hong Kong. And the real invoice was for $84,700, not $847,000.

Forensic analyst David Chen had roughly 24 hours to trace the money before it scattered across a dozen accounts and vanished forever. He pulled the email that authorized the payment. The "from" address looked right at first glance: accounting@shenzhen-parts.com. But a closer look revealed the truth: the domain was actually shenzhen-parts.co, not .com. The .co extension looked nearly identical to the real .com address. The email headers confirmed the message had originated from a server in Romania, not from the real supplier's infrastructure at all. Classic lookalike domain attack.

The wire had already cleared. The money was gone from Meridian's account. But "gone" doesn't mean "untraceable." It means "moving fast."

This story is fictional, but the patterns are real.

Why This Matters

You've learned how payment systems work, from the authorization-settlement gap that creates opportunities, to the irreversibility of wire transfers that makes them attractive targets, to the cash-out strategies criminals use to convert stolen value into spendable money.

Now we flip perspectives. Instead of understanding how fraudsters move money out, we'll explore how investigators follow it after it leaves. This isn't about learning to conduct investigations yourself. It's about understanding what leaves traces and why, so you can recognize the patterns that matter.

The TRACE Framework

Fraud investigators often use a mental model called TRACE to structure their thinking:

Track the transaction flow. Where did the money originate? What path did it take? Where did it land?

Recognize patterns and anomalies. What behaviors deviate from normal? What timing seems suspicious? What connections exist between accounts?

Analyze supporting evidence. What digital breadcrumbs exist? IP addresses, device fingerprints, communication records, identity documents.

Correlate across systems. How do findings from one source connect to another? Can you build a timeline? A relationship map?

Execute response and recovery. What immediate actions stop the bleeding? What evidence needs preservation? Who else needs to know?

TRACE isn't a rigid checklist. It's a way of thinking about investigations that ensures nothing obvious gets missed. The best investigators move fluidly between these phases as new information emerges.

Where Money Goes After Fraud

Understanding investigation starts with understanding where stolen money actually goes. Criminals don't steal money to sit on it. They steal money to spend it. But spending stolen money directly creates evidence trails. So they launder it first.

The Layering Problem

When David traced Meridian's $847,000, he found it didn't stay in the Hong Kong account for long. Within hours, it had split into five transactions, each moving to a different bank. From there, each piece split again. Within 48 hours, the original wire had become dozens of smaller amounts scattered across accounts in Malaysia, Thailand, Vietnam, and the Philippines.

This is layering: moving money through multiple accounts and jurisdictions to obscure its origin. Each hop makes tracing harder. Each border crossing introduces different banking regulations, time zones, and language barriers. Criminals know that complexity is their friend.
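To make the layering picture concrete, here is an added example (not code from the article) that follows the wire forward through a constructed ledger using simple FIFO taint tracking: money that leaves an account after the stolen funds arrived is attributed to them, oldest outflow first, until the tainted balance is exhausted. What an investigator actually wants out of a trace is the list of accounts where stolen value is still sitting, because those are the ones a freeze request can name, so that is what the trace returns. Account IDs, amounts, timestamps and countries are all invented.

```python
"""Follow a fraudulent wire forward through layered accounts.

Added example, not code from the article. The ledger below is constructed to
mirror the Meridian scenario; account IDs, amounts and timestamps are invented.
"""
from collections import defaultdict, deque
from typing import NamedTuple


class Transfer(NamedTuple):
    tx_id: str
    ts: str            # ISO-8601 timestamp; sorts correctly as a string
    src: str
    dst: str
    amount: int        # whole currency units
    dst_country: str   # jurisdiction of the receiving bank


class Hop(NamedTuple):
    depth: int         # 1 = first move out of the account that received the wire
    tx_id: str
    src: str
    dst: str
    amount: int        # portion of this transfer attributed to the stolen funds


TRANSFERS = [Transfer(*row) for row in [
    ("T1", "2024-09-12T14:14", "MERIDIAN-OPS", "HK-001", 847_000, "HK"),  # the fraudulent wire
    ("T8", "2024-09-11T08:00", "HK-001", "HK-009", 5_000, "HK"),          # before the wire: unrelated
    ("T2", "2024-09-12T17:30", "HK-001", "MY-201", 300_000, "MY"),
    ("T3", "2024-09-12T17:32", "HK-001", "TH-301", 250_000, "TH"),
    ("T4", "2024-09-12T17:35", "HK-001", "VN-401", 200_000, "VN"),
    ("T5", "2024-09-13T09:10", "MY-201", "PH-501", 150_000, "PH"),
    ("T6", "2024-09-13T09:12", "MY-201", "PH-502", 150_000, "PH"),
    ("T7", "2024-09-13T11:00", "TH-301", "TH-302", 250_000, "TH"),
]]


def trace_funds(transfers, origin_tx_id):
    """FIFO taint tracking forward from one transfer.

    Returns (hops, resting): `hops` lists each onward movement of the stolen
    funds; `resting` maps every account reached to the stolen amount that has
    not moved on again, which is what a freeze request needs to name.
    """
    by_id = {t.tx_id: t for t in transfers}
    outgoing = defaultdict(list)
    for t in transfers:
        outgoing[t.src].append(t)
    for txs in outgoing.values():
        txs.sort(key=lambda t: t.ts)

    origin = by_id[origin_tx_id]
    tainted_in = defaultdict(int, {origin.dst: origin.amount})
    arrived = {origin.dst: origin.ts}   # earliest time stolen funds reached the account
    depth = {origin.dst: 1}
    attributed = defaultdict(int)       # tx_id -> amount already counted as stolen funds
    moved_on = defaultdict(int)         # account -> stolen amount already passed along
    hops = []
    worklist = deque([origin.dst])
    while worklist:
        acct = worklist.popleft()
        remaining = tainted_in[acct] - moved_on[acct]
        for tx in outgoing[acct]:
            if remaining <= 0:
                break
            if tx.ts < arrived[acct]:
                continue                # left before the stolen funds arrived
            amt = min(tx.amount - attributed[tx.tx_id], remaining)
            if amt <= 0:
                continue                # already fully attributed on an earlier pass
            attributed[tx.tx_id] += amt
            moved_on[acct] += amt
            remaining -= amt
            hops.append(Hop(depth[acct], tx.tx_id, acct, tx.dst, amt))
            tainted_in[tx.dst] += amt
            arrived[tx.dst] = min(arrived.get(tx.dst, tx.ts), tx.ts)
            depth.setdefault(tx.dst, depth[acct] + 1)
            worklist.append(tx.dst)     # re-queued so later-arriving taint is also followed
    resting = {a: tainted_in[a] - moved_on[a] for a in list(tainted_in)}
    return hops, resting


def freeze_targets(resting):
    """Accounts still holding stolen funds, largest first."""
    return sorted(((a, v) for a, v in resting.items() if v > 0), key=lambda av: (-av[1], av[0]))


def jurisdictions(transfers, origin_tx_id):
    """Countries the stolen funds have touched, including the first receiving bank."""
    by_id = {t.tx_id: t for t in transfers}
    hops, _ = trace_funds(transfers, origin_tx_id)
    return sorted({by_id[origin_tx_id].dst_country} | {by_id[h.tx_id].dst_country for h in hops})


if __name__ == "__main__":
    hops, resting = trace_funds(TRANSFERS, "T1")
    for h in hops:
        print(f"hop {h.depth}: {h.tx_id} {h.src} -> {h.dst} {h.amount:,}")
    print("jurisdictions:", jurisdictions(TRANSFERS, "T1"))
    print("freeze targets:", freeze_targets(resting))
```

On this ledger the transfer made the day before the wire (T8) is ignored, the 847,000 fans out over two hops into five jurisdictions, and the resting balances still sum to the full amount, which is the sanity check to run on any trace: if the totals don't reconcile, the attribution rule is wrong or the ledger is incomplete. Real tracing is harder than this because each bank only sees its own side of each hop, so every arrow past the first requires a request to another institution.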

Common Cash-Out Destinations

Stolen funds typically flow toward:

Cryptocurrency exchanges. Converting fiat currency to crypto creates a chokepoint that investigators sometimes catch, because exchanges with know-your-customer requirements hold identity records. Once funds are on-chain, they can be pushed through mixers and tumblers that blend many users' transactions together, which makes attributing individual coins much harder, though not impossible: the ledger itself is public, and the funds must eventually pass back through an exchange to become spendable.

Shell companies. Fake businesses with real bank accounts receive "payments" for services never rendered. The shell company then pays "contractors" or "suppliers" who are actually the criminals or their associates.

High-value goods. Luxury watches, jewelry, electronics, and gift cards convert traceable bank funds into portable, resellable assets. A $50,000 wire becomes a Rolex that sells for $40,000 cash. No banking records on the cash sale.

Real estate. In some jurisdictions, property can be purchased with minimal identity verification. The property appreciates (or doesn't), but either way the money has been transformed into a legitimate-seeming asset.

Money mules. As you learned in Fraud 101, mules are people who move money on behalf of criminals, often unknowingly. Funds split across dozens of mule accounts become nearly impossible to fully recover.

The Speed Problem

Here's what makes money-movement investigation so difficult: criminals move fast, and the financial system moves slowly.

A domestic wire transfer settles within minutes. An international wire takes a day or two to work its way through correspondent banks, but once funds arrive, they can be moved again immediately. Recalling or freezing a wire requires coordination between the victim's bank, the receiving bank, potentially correspondent banks in between, and often law enforcement. In cross-border cases, add different legal systems, time zones, and bureaucratic processes.

The FBI's Recovery Asset Team uses something called the Financial Fraud Kill Chain to fast-track this coordination. In 2024, the team initiated the kill chain on 2,345 incidents involving $561.6 million in fraudulent transfers and managed to place holds on roughly $370 million of it, a 66% success rate when it could act quickly enough.[1] But that's against $16.6 billion in total reported cybercrime losses for the year. Most stolen money is never recovered because it moves faster than the system designed to stop it.

What Leaves Traces

Every transaction creates data. The question is whether that data can be accessed, correlated, and interpreted before the money disappears.

Digital Breadcrumbs

When David examined the fraudulent email, the headers told him where it came from. The Received header added by Meridian's own mail server recorded the connecting host's IP address, which pointed to a hosting provider in Romania; the hops listed below that line were written by the sender's infrastructure and could have been forged, so he treated them as claims rather than facts. The lookalike domain shenzhen-parts.co had been registered just two weeks earlier, and the WHOIS registration used obviously fake details.

None of this identified the actual criminals. But it confirmed what David already suspected: this wasn't an opportunistic attack. Someone had researched Meridian's supplier relationships, registered a convincing domain, and sent a well-timed fraudulent invoice. Professional operation.
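As an added illustration (not code from the article), here is the check David performs on the invoice e-mail, in Python: parse a raw message, compare the sender's domain against an assumed allowlist of the supplier's real domains, catching the .co-for-.com swap and one- or two-character variants, and pull the hop IPs out of the Received headers. It also flags payment-redirection language, since a lookalike domain plus "new banking details" is the whole business e-mail compromise pattern. The message, the supplier domain, the host names and the IP addresses are all constructed.

```python
"""Inspect a supplier invoice e-mail for a lookalike sender domain and its origin hop.

Added example, not code from the article. The message, supplier domain, host
names and IP addresses below are all constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# Assumed allowlist of the supplier's real sending domains.
KNOWN_SUPPLIER_DOMAINS = {"shenzhen-parts.com"}

# Phrases that typically accompany a payment-redirection request.
PAYMENT_CHANGE_PHRASES = ("new account", "banking details", "new bank", "updated account")

# Constructed raw message modelled on the scenario in the text. Received headers
# are read top-down: the first one was added last, by the victim's own mail server.
RAW_MESSAGE = """\
Received: from mail.shenzhen-parts.co (unknown [203.0.113.45])
    by mx.meridian.example (Postfix) with ESMTP id 4XyZ9
    for <ap@meridian.example>; Thu, 12 Sep 2024 14:02:11 +0000
Received: from webmail (unknown [198.51.100.7])
    by mail.shenzhen-parts.co with ESMTPA; Thu, 12 Sep 2024 14:01:40 +0000
From: Accounting <accounting@shenzhen-parts.co>
To: ap@meridian.example
Subject: Updated invoice 4471 - new banking details
Message-ID: <a1b2c3@shenzhen-parts.co>

Please remit USD 847,000 for invoice 4471 to the new account in Hong Kong.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_SUPPLIER_DOMAINS) -> Optional[str]:
    """Return the known domain that `domain` imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in known:
        return None
    for good in known:
        same_label = domain.split(".")[0] == good.split(".")[0]   # the .co-for-.com trick
        if same_label or levenshtein(domain, good) <= 2:
            return good
    return None


def sender_domain(msg) -> str:
    return parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()


def received_ips(msg) -> list:
    """Bracketed IPs from the Received headers, earliest hop first.

    Only the topmost header, the one your own server added, is trustworthy;
    everything below it was written by the sender's side and can be forged.
    """
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IP_RE.findall(hdr))
    return list(reversed(ips))


def analyze(raw: str = RAW_MESSAGE) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    imitated = lookalike_of(domain)
    hops = received_ips(msg)
    text = (msg["Subject"] + "\n" + msg.get_content()).lower()
    flags = []
    if imitated:
        flags.append(f"sender domain {domain} imitates known supplier {imitated}")
    if any(p in text for p in PAYMENT_CHANGE_PHRASES):
        flags.append("message asks to redirect payment to new banking details")
    return {"sender_domain": domain, "imitates": imitated,
            "origin_ip": hops[0] if hops else None, "hops": hops, "flags": flags}


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Resolving the hop addresses to a hosting provider or country is a separate WHOIS or GeoIP lookup and is left out so the script runs offline. Note that the domain check is deliberately narrow: an allowlist of real supplier domains plus a small edit distance catches the swaps in the text, but it does not cover homoglyphs in internationalized domain names, which need the domain compared in its punycode form.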

Financial Patterns

Certain money movement patterns raise red flags not because they're definitively fraudulent, but because they're statistically unusual:

Round numbers. Legitimate business invoices rarely land on exact figures. An invoice for $100,000.00 looks different from one for $98,847.23.

Just-under thresholds. U.S. banks must file Currency Transaction Reports for cash transactions over $10,000. So a run of deposits at $9,999 or $9,500 suggests someone trying to stay under that limit. This behavior, called structuring, is itself a federal crime under 31 U.S.C. § 5324 regardless of where the cash came from, and it is a red flag in its own right.

Velocity changes. An account that typically sees three transactions per month suddenly processing thirty transactions in a week represents a behavioral anomaly.

Geographic impossibility. A user who logs in from New York and then from Hong Kong within an hour didn't make the flight. Either the location data is wrong, a VPN or proxy is in play, or a second party holds the credentials. Detection teams call this an impossible-travel alert.

None of these patterns prove fraud on their own. Many have innocent explanations. But they're the starting points that investigators use to decide where to look deeper.
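The four patterns above are the kind of thing a monitoring job scores over transaction and login feeds. As an added example (not code from the article), here they are as four small detection rules run over constructed records: round amounts, deposits just under the CTR threshold clustered in time, a velocity spike against a per-account monthly baseline, and impossible travel between consecutive logins. Every transaction, login and coordinate is constructed, and apart from the $10,000 CTR figure the thresholds are assumed tuning values, not regulatory ones.

```python
"""Flag the money-movement red flags the section lists, over constructed records.

Added example, not code from the article. All transactions, logins and
coordinates are constructed; apart from the CTR figure, thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

CTR_THRESHOLD = 10_000          # U.S. cash transactions above this require a CTR
STRUCTURING_FLOOR = 0.85        # assumed: cash amounts in [85%, 100%) of the threshold
STRUCTURING_WINDOW = timedelta(hours=48)
VELOCITY_FACTOR = 3             # assumed: one week above 3x the monthly baseline
IMPOSSIBLE_SPEED_KMH = 1_000    # assumed: faster than any commercial flight

# Constructed transactions: (account, ISO timestamp, amount, kind).
TXNS = [
    ("A1", "2024-09-02T10:00", 9_800.00, "cash_deposit"),
    ("A1", "2024-09-02T15:30", 9_500.00, "cash_deposit"),
    ("A1", "2024-09-03T09:45", 9_900.00, "cash_deposit"),
    ("A2", "2024-09-05T11:00", 100_000.00, "wire"),
    ("A2", "2024-09-06T11:00", 98_847.23, "wire"),
] + [  # A3 normally sees about three transactions a month; here it does twelve in three days
    ("A3", f"2024-09-{d:02d}T{h:02d}:00", 1_250.00, "card")
    for d in (8, 9, 10) for h in (9, 12, 15, 18)
]
MONTHLY_BASELINE = {"A1": 20, "A2": 8, "A3": 3}   # assumed historical averages

# Constructed logins: (user, ISO timestamp, latitude, longitude, label).
LOGINS = [
    ("u1", "2024-09-12T13:10", 40.71, -74.01, "New York"),
    ("u1", "2024-09-12T14:05", 22.32, 114.17, "Hong Kong"),
    ("u2", "2024-09-12T08:00", 40.71, -74.01, "New York"),
    ("u2", "2024-09-12T13:00", 42.36, -71.06, "Boston"),
]


def flag_round_amounts(txns, min_amount=10_000):
    """Large amounts that land on an exact thousand."""
    return [(acct, t, amt) for acct, t, amt, _ in txns
            if amt >= min_amount and amt % 1_000 == 0]


def flag_structuring(txns):
    """Two or more cash deposits just under the CTR threshold inside the window."""
    near = defaultdict(list)
    for acct, t, amt, kind in txns:
        if kind == "cash_deposit" and STRUCTURING_FLOOR * CTR_THRESHOLD <= amt < CTR_THRESHOLD:
            near[acct].append(datetime.fromisoformat(t))
    flagged = []
    for acct, times in near.items():
        times.sort()
        for i, start in enumerate(times):
            run = [x for x in times[i:] if x - start <= STRUCTURING_WINDOW]
            if len(run) >= 2:
                flagged.append((acct, len(run)))
                break
    return flagged


def flag_velocity(txns, baseline=MONTHLY_BASELINE):
    """Any 7-day window holding more than VELOCITY_FACTOR x the monthly baseline."""
    per_acct = defaultdict(list)
    for acct, t, _, _ in txns:
        per_acct[acct].append(datetime.fromisoformat(t))
    flagged = []
    for acct, times in per_acct.items():
        times.sort()
        limit = VELOCITY_FACTOR * baseline.get(acct, 0)
        for i, start in enumerate(times):
            n = sum(1 for x in times[i:] if x - start <= timedelta(days=7))
            if n > limit:
                flagged.append((acct, n))
                break
    return flagged


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a spherical Earth."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_impossible_travel(logins):
    """Consecutive logins that would need travel faster than IMPOSSIBLE_SPEED_KMH."""
    per_user = defaultdict(list)
    for user, t, lat, lon, label in logins:
        per_user[user].append((datetime.fromisoformat(t), lat, lon, label))
    flagged = []
    for user, rows in per_user.items():
        rows.sort()
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(rows, rows[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours > 0 and km / hours > IMPOSSIBLE_SPEED_KMH:
                flagged.append((user, l1, l2, round(km)))
    return flagged


if __name__ == "__main__":
    print("round amounts:", flag_round_amounts(TXNS))
    print("structuring:", flag_structuring(TXNS))
    print("velocity:", flag_velocity(TXNS))
    print("impossible travel:", flag_impossible_travel(LOGINS))
```

Each rule fires on exactly one of the constructed accounts or users and stays quiet on the rest, which is the property to keep in mind when tuning: the A2 wire for $98,847.23 and the New York to Boston pair are the innocent explanations the text mentions, and a rule that flags them is generating work, not leads.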

The Attribution Challenge

Even when investigators can trace where money went, proving who controlled those accounts is harder. The person who opened the mule account might be a victim themselves, recruited through a fake job posting. The shell company might list a nominee director who's never met the real operators. The cryptocurrency wallet might belong to anyone, or no one.

This is why fraud investigation often focuses on patterns across multiple incidents rather than solving individual cases. When the same techniques appear repeatedly, when the same infrastructure gets reused, when timing correlates across seemingly unrelated frauds, investigators start building pictures of organizations rather than individual crimes.

The Investigation Timeline

Understanding how investigation unfolds helps explain why timing matters so much.

The First 24 Hours

When a wire fraud is discovered, the clock starts running. Banks can place holds on accounts, but only if they know to look. The victim's bank contacts the receiving bank. If the money has already moved, they contact the next bank in the chain. Each handoff takes time.

In domestic U.S. cases, the FBI's Recovery Asset Team can sometimes coordinate freezes within hours. In international cases, the process involves multiple regulatory frameworks, different business hours, and varying levels of cooperation. Twenty-four hours can mean the difference between recovery and total loss.

Days to Weeks

As the immediate response settles, the focus shifts to evidence preservation and analysis. Investigators pull email logs, transaction records, authentication data. They build timelines. They look for connections to other cases.

This phase often reveals the broader picture. A lookalike domain used in one attack might appear in complaints from other companies. A receiving bank account might have processed similar fraudulent transfers before. Patterns emerge that weren't visible when focusing on a single incident.

Months to Years

Complex fraud investigations take time. Multi-jurisdictional cases require legal coordination across countries. Building cases against organized groups means connecting dots across dozens of incidents. Cryptocurrency tracing might require waiting for criminals to make mistakes, converting to fiat currency through exchanges with know-your-customer requirements.

Many fraud cases are never "solved" in the sense of identifying and prosecuting perpetrators. But the investigation still has value. Understanding how an attack worked helps prevent the next one. Identifying infrastructure helps disrupt ongoing operations. Recovering even a fraction of stolen funds is better than recovering nothing.

Key Takeaways

Speed determines recovery. The first 24 hours after fraud discovery are critical. Once money has layered through multiple accounts and jurisdictions, full recovery becomes unlikely.

Layering is the goal. Criminals don't steal money to keep it in one place. They immediately begin moving it through multiple accounts, currencies, and jurisdictions to obscure its origin.

Everything leaves traces. Emails have headers. Transactions have metadata. Accounts have history. The challenge is accessing and correlating that data fast enough to matter.

Patterns matter more than incidents. Individual frauds are hard to solve. But patterns across multiple incidents reveal infrastructure, techniques, and sometimes organizations.

The TRACE framework (Track, Recognize, Analyze, Correlate, Execute) provides a mental model for thinking systematically about investigations.

Key Terms

Layering: Moving money through multiple accounts and jurisdictions to obscure its origin. One of three stages of money laundering (placement, layering, integration).

Financial Fraud Kill Chain: FBI process for rapidly coordinating with financial institutions to freeze fraudulent wire transfers before funds can be moved.

Shell company: A business entity created primarily to receive and move funds, with minimal legitimate operations.

Correspondent bank: A bank that provides services on behalf of another bank, often in a different country. International wires typically pass through correspondent banks.

Attribution: The process of identifying who is actually responsible for fraudulent activity, as opposed to merely tracing where money went.

References

1. FBI Internet Crime Complaint Center (IC3), 2024 Internet Crime Report: the Recovery Asset Team initiated the Financial Fraud Kill Chain on 2,345 incidents with $561.6 million in potential losses and placed holds on $370 million of it, a 66% success rate; total reported losses for the year were $16.6 billion. Figures cited via TRM Labs analysis.


Generated with AI assistance. Reviewed by humans for accuracy.
