Last Updated: February 2026
A stolen cryptocurrency transfer sits in the mempool for roughly ten minutes on average before a Bitcoin block confirms it – and in that window, investigators can extract information that disappears the moment the transaction is mined. The mempool, where every unconfirmed transaction waits for block inclusion, broadcasts data that the confirmed blockchain never records: propagation timing that can point to the originating IP address, fee adjustments that expose sender behavior, and replacement transactions that leak which output is the payment versus the change. Research published in 2025 demonstrated that timing analysis of transaction traffic alone can deanonymize transaction originators with over 95% accuracy across Bitcoin, Ethereum, and Solana.
Yet most blockchain forensic guides skip the mempool entirely, treating investigation as something that starts after confirmation. That gap costs investigators critical intelligence. This is the part of the chain that talks before it goes silent.
What Investigators Need to Know
- Mempool propagation timing can link transactions to originating IP addresses with 81-95% accuracy, even without exchange KYC data
- Replace-by-Fee transactions create a forensic differential – comparing original and replacement reveals which output is the payment, breaking sender privacy
- The Black Thursday attack proved mempool manipulation at scale – attackers used “Hammerbots” to steal $8.32 million from MakerDAO through deliberate mempool congestion
- Private mempool routing now exceeds 50% on Ethereum, creating a new forensic blind spot that investigators must account for
- Real-time compliance monitoring generates alerts within seconds of broadcast, enabling exchange freezing before stolen funds confirm
What Is the Mempool and Why Does It Matter for Investigations?
The mempool – short for memory pool – is the waiting room for unconfirmed transactions. When a user broadcasts a Bitcoin or Ethereum transaction, it propagates across thousands of nodes, each maintaining its own copy of pending transactions; there is no single canonical mempool, only what each node has seen. Miners, validators or block builders select transactions from this pool to include in the next block, typically prioritizing those with higher fees.
For blockchain forensic investigators, the mempool provides a real-time feed of activity that the confirmed blockchain strips away. Once a transaction is mined into a block, the blockchain records the inputs, outputs, fee, and block timestamp – but not when the transaction was first broadcast, which node relayed it first, whether it replaced an earlier version, or how it propagated across the network. That pre-confirmation metadata is where some of the strongest attribution signals live.
Analysts at Crypto Trace Labs describe the mempool as “the investigation window that most analysts ignore because it requires infrastructure most firms do not run.” Capturing mempool data requires operating full nodes across multiple geographic locations, archiving every transaction as it arrives, and timestamping propagation patterns before they vanish at confirmation. The firms that invest in this infrastructure gain access to intelligence that retrospective chain analysis cannot replicate.
How Do Investigators Use Mempool Timing to Trace Transactions?
Every transaction propagates through the peer-to-peer network in a measurable pattern. The node that first broadcasts a transaction sends it to its connected peers, who relay it to their peers, creating a wave of propagation that spreads outward from the origin point. Investigators running strategically placed nodes across different geographic regions record when each transaction first arrives at each location.
The timing differentials between nodes reveal directionality. If a transaction reaches a Frankfurt node 200 milliseconds before reaching a Tokyo node, the originator is likely closer to Frankfurt. With enough observation points, investigators triangulate the originating node's approximate location – and in many cases, its IP address. One caveat a practitioner should build in: Bitcoin Core deliberately delays transaction announcements to each peer by a random interval averaging a few seconds, so a single transaction's timing is noisy. The signal becomes reliable only when aggregated across many transactions from the same source, with each observation point connected to many peers.
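The "first-spy" estimator behind this triangulation, as an added example (not Crypto Trace Labs tooling, and not taken from the research cited on this page). It assumes you already run observer nodes that log the moment each one first received a transaction; the observer names, txids and millisecond timestamps below are constructed for the example. It votes across a set of transactions rather than trusting one, and discards any transaction where the runner-up observer is within a configurable margin of the winner, which is how the random relay delay described above is handled.

```python
"""First-spy origin estimation from multi-node first-seen timestamps.

Added example, not Crypto Trace Labs tooling. Assumes observer nodes that log,
for every transaction, the moment each node first received it (a ZMQ or
mempool-accept hook on a full node provides this). All data below is constructed.
"""
from collections import Counter, defaultdict

# Constructed first-seen log: (observer, txid, unix time in milliseconds).
OBSERVATIONS = [
    ("fra", "tx-a", 1_700_000_000_000), ("nyc", "tx-a", 1_700_000_000_085), ("nrt", "tx-a", 1_700_000_000_240),
    ("fra", "tx-b", 1_700_000_010_012), ("nyc", "tx-b", 1_700_000_010_090), ("nrt", "tx-b", 1_700_000_010_261),
    ("nyc", "tx-c", 1_700_000_020_000), ("fra", "tx-c", 1_700_000_020_030), ("nrt", "tx-c", 1_700_000_020_210),
    ("fra", "tx-d", 1_700_000_030_005), ("nrt", "tx-d", 1_700_000_030_200), ("nyc", "tx-d", 1_700_000_030_070),
]


def first_seen_by_tx(observations):
    """Group observations as txid -> {observer: first_seen_ms}, keeping the
    earliest timestamp if an observer logged the same tx more than once."""
    seen = defaultdict(dict)
    for observer, txid, t_ms in observations:
        prev = seen[txid].get(observer)
        if prev is None or t_ms < prev:
            seen[txid][observer] = t_ms
    return seen


def propagation_profile(times):
    """Delay of every observer relative to the earliest one, in milliseconds."""
    t0 = min(times.values())
    return {obs: t - t0 for obs, t in times.items()}


def first_spy(observations, txids, min_margin_ms=0):
    """Vote across a set of transactions (e.g. one address cluster) for the
    observer that consistently sees them first.

    A single transaction is noisy because nodes randomise announcement
    delays, so the vote is taken over many. A transaction is ignored when
    the second-fastest observer is within min_margin_ms of the fastest
    (too close to call). Returns (observer, share_of_txids_it_won)."""
    seen = first_seen_by_tx(observations)
    votes = Counter()
    for txid in txids:
        ranked = sorted(propagation_profile(seen[txid]).items(), key=lambda kv: kv[1])
        if len(ranked) >= 2 and ranked[1][1] - ranked[0][1] < min_margin_ms:
            continue  # margin too small to attribute this tx to any observer
        votes[ranked[0][0]] += 1
    if not votes:
        return None, 0.0
    observer, n = votes.most_common(1)[0]
    return observer, n / len(txids)


if __name__ == "__main__":
    for txid, times in first_seen_by_tx(OBSERVATIONS).items():
        print(txid, propagation_profile(times))
    print(first_spy(OBSERVATIONS, ["tx-a", "tx-b", "tx-c", "tx-d"], min_margin_ms=50))
```

On the constructed log the Frankfurt observer wins three of four transactions; tx-c is won by New York by only 30 ms and is dropped once a 50 ms margin is required. The share returned is the fraction of all requested transactions the winner took, so dropped transactions lower confidence rather than silently inflating it.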
A 2019 IEEE study by Biryukov and Tikhomirov demonstrated that cross-layer analysis combining network propagation patterns with transaction characteristics achieved 81.3% accuracy in matching transactions to originator IP addresses – a 30% improvement over prior methods. More recent research published in 2025, titled “Time Tells All,” pushed this further. By monitoring RPC traffic patterns alone, researchers achieved over 95% deanonymization success across Ethereum, Bitcoin, and Solana – requiring zero transaction fees and no cooperation from wallet providers or RPC services.
This matters for cryptocurrency fraud investigations because it provides an attribution path that does not depend on exchange KYC records. Combined with ISP subpoenas, mempool timing analysis can link a transaction to a physical location and ultimately an individual – even when the funds never touch a regulated exchange. The limit is that the technique recovers the IP address that first relayed the transaction: if the sender broadcast through Tor, a VPN, or a third-party RPC provider, that address belongs to the relay, and the investigator's next step is a records request to that intermediary rather than to a residential ISP.
What Does Replace-by-Fee Reveal to Forensic Analysts?
Replace-by-Fee (RBF) allows a sender to replace an unconfirmed transaction with a new version paying a higher fee. Under the original BIP 125 rules a transaction had to signal replaceability to be replaced. Bitcoin Core 24.0 added an opt-in full-RBF setting (mempoolfullrbf), and Bitcoin Core 28.0 turned it on by default, so on current nodes any unconfirmed transaction can potentially be replaced – a change that weakened zero-confirmation security but created a new forensic signal.
When an investigator captures both the original transaction and its replacement, the difference between them is informative. Typically, the fee increases while the outputs remain mostly the same. But if an output amount changes between versions, that output is almost certainly the change address – because the sender adjusted the fee by reducing their own change, not by reducing the payment to the recipient. This differential analysis breaks one of the key ambiguities in UTXO pattern analysis.
RBF also creates a fraud vector that investigators encounter in theft cases. An attacker sends a low-fee transaction to a merchant accepting zero-confirmation payments, receives the goods or service, then broadcasts a replacement redirecting the funds to their own address. Mempool monitoring systems detect this pattern by flagging transactions where the replacement changes the destination address rather than simply bumping the fee.
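The differential analysis described in the two preceding paragraphs, as an added example (not Crypto Trace Labs tooling). It assumes the original and the replacement have already been captured from the mempool and decoded; transactions are modelled as plain records with input outpoints, an address-to-value output map and a fee in satoshis, and the sample transactions and addresses are constructed for the example. The same function separates a fee bump (which reveals the change output) from a redirect (the zero-confirmation fraud pattern), and also rejects pairs that could not be replacements at all.

```python
"""Differential analysis of a Bitcoin transaction and its RBF replacement.

Added example, not Crypto Trace Labs tooling. Transactions are modelled as
decoded records rather than raw bytes; amounts are in satoshis. Sample data
is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple     # outpoints as "prev_txid:vout"
    outputs: dict     # address -> value in satoshis
    fee: int          # sum(inputs) - sum(outputs)


def shares_input(orig: Tx, repl: Tx) -> bool:
    """A replacement must conflict with the original by spending at least
    one of the same outpoints; otherwise both can confirm and nothing is learned."""
    return bool(set(orig.inputs) & set(repl.inputs))


def analyze_replacement(orig: Tx, repl: Tx) -> dict:
    """Compare an original with a candidate replacement.

    Verdicts:
      unrelated  - no shared input, so this is not a replacement
      invalid    - shares an input but does not pay more fee; nodes reject it
      redirect   - a destination absent from the original appears, or an
                   existing output grew: the zero-conf fraud pattern
      fee_bump   - same destinations; outputs that shrank or vanished are
                   the sender's change, the untouched ones are the payment
      ambiguous  - every output moved, so no change/payment split is possible
    """
    if not shares_input(orig, repl):
        return {"verdict": "unrelated"}
    fee_delta = repl.fee - orig.fee
    if fee_delta <= 0:
        return {"verdict": "invalid", "fee_delta": fee_delta}

    o, r = orig.outputs, repl.outputs
    unchanged = sorted(a for a, v in o.items() if r.get(a) == v)
    reduced = sorted(a for a, v in o.items() if a in r and r[a] < v)
    increased = sorted(a for a, v in o.items() if a in r and r[a] > v)
    dropped = sorted(set(o) - set(r))
    added = sorted(set(r) - set(o))

    report = {"fee_delta": fee_delta, "unchanged": unchanged, "reduced": reduced,
              "dropped": dropped, "added": added}
    if added or increased:
        report["verdict"] = "redirect"
        report["new_destinations"] = added
    elif (reduced or dropped) and unchanged:
        report["verdict"] = "fee_bump"
        report["likely_change"] = sorted(reduced + dropped)
        report["likely_payment"] = unchanged
        # Consistency check: with identical inputs, everything removed from
        # the outputs must have become fee. A mismatch means an input changed
        # too and the change heuristic is weaker.
        removed = sum(o.values()) - sum(r.values())
        report["fee_accounting_ok"] = (set(orig.inputs) != set(repl.inputs)) or removed == fee_delta
    else:
        report["verdict"] = "ambiguous"
    return report


# Constructed sample: one input worth 95,000 sat, paid to a merchant with change.
ORIGINAL = Tx("tx-orig", ("f00d:0",), {"bc1q_merchant": 50_000, "bc1q_change": 44_000}, fee=1_000)
FEE_BUMP = Tx("tx-bump", ("f00d:0",), {"bc1q_merchant": 50_000, "bc1q_change": 42_000}, fee=3_000)
REDIRECT = Tx("tx-redir", ("f00d:0",), {"bc1q_attacker": 93_000}, fee=2_000)
UNRELATED = Tx("tx-other", ("beef:1",), {"bc1q_merchant": 50_000}, fee=1_000)

if __name__ == "__main__":
    for candidate in (FEE_BUMP, REDIRECT, UNRELATED):
        print(candidate.txid, analyze_replacement(ORIGINAL, candidate))
```

In the fee-bump case the merchant output is untouched and the change output shrinks by exactly the fee increase, which is what lets the analyst label bc1q_change as the change address with confidence; in the redirect case the merchant output disappears and a new destination holds nearly the whole input value, which is the pattern a zero-confirmation merchant should alert on.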
Crypto Trace Labs monitors for RBF-based fraud across active investigations, particularly in cases involving point-of-sale cryptocurrency payments where merchants rely on fast transaction acceptance without waiting for block confirmation.
How Did Mempool Manipulation Enable the $8.32 Million Black Thursday Theft?
The single most documented case of mempool exploitation occurred on March 12, 2020 – “Black Thursday” – when COVID-19 panic crashed cryptocurrency markets and attackers exploited the chaos through deliberate mempool manipulation.
MakerDAO’s lending protocol uses automated liquidation auctions when collateral values drop below required thresholds. Under normal conditions, competing “keeper” bots bid against each other, ensuring liquidated collateral sells near market price. The system depends on keeper transactions reaching miners promptly.
Attackers deployed what Blocknative's forensic analysis termed "Hammerbots" – automated systems that flooded the Ethereum mempool with strategically priced transactions. The attack worked through three simultaneous mechanisms: stuck transactions blocking subsequent sends from the same address (Ethereum requires an account's transactions to be mined in nonce order, so one underpriced transaction holds up everything queued behind it), mempool "compression" reducing the pool of actionable transactions with sufficient gas, and Hammerbots amplifying congestion beyond organic market-driven levels.
The result was devastating. Of 3,994 liquidation auctions during the event, 1,462 – 36.6% – were won with bids of zero ETH. Attackers claimed $8.32 million in MakerDAO collateral for effectively nothing. Legitimate keeper bots could not get their competing bids mined because the mempool was saturated with attacker transactions at strategic fee levels.
Blocknative captured the entire event in their mempool archive and published the forensic dataset for community analysis. The case proved that mempool manipulation is not theoretical – it is a documented attack vector with eight-figure financial impact. For forensic teams, it also demonstrated that mempool data archives are essential evidence. Without Blocknative’s real-time capture, the manipulation mechanism would have been far harder to reconstruct after the fact.
Which Tools Support Real-Time Mempool Monitoring?
The tool landscape for mempool forensics has shifted significantly. Blocknative, which produced the definitive Black Thursday forensic analysis, ended support for its Ethernow mempool explorer in March 2025 as the company pivoted toward gas estimation infrastructure. That gap leaves investigators choosing between open-source solutions and commercial platforms with different strengths.
| Tool | Type | Chains | Forensic Use | Limitation |
| mempool.space | Open source | Bitcoin | Real-time tx visualization, fee analysis, self-hostable for private monitoring | Bitcoin only, no attribution layer |
| Chainalysis KYT | Commercial | 15+ chains | Real-time alerts within seconds, risk scoring, used by FBI/Europol | Acts on broadcast tx, not raw mempool propagation data |
| Elliptic Navigator | Commercial | 50+ chains, 250+ bridges | Real-time wallet screening, ML risk models, FATF Travel Rule compliance | Compliance-focused, less granular mempool analysis |
| Bitquery Mempool API | API service | Ethereum, BSC | Low-latency streaming of pending tx, programmable queries | Requires custom tooling to build forensic workflows |
| Custom node infrastructure | Self-built | Any | Full propagation timing, IP logging, complete mempool archive | High infrastructure cost, requires distributed global nodes |
The most capable forensic operations combine commercial platforms for broad monitoring with custom node infrastructure for deep mempool intelligence. Chainalysis KYT and Elliptic handle compliance-grade screening at scale, while self-hosted nodes provide the propagation timing and IP data that commercial tools do not expose. Cross-chain investigations require monitoring mempools on each chain independently – there is no single tool that covers all UTXO and account-model chains simultaneously.
What Is Changing About Mempool Forensics?
Three developments are reshaping what investigators can and cannot extract from mempool data.
Private mempool routing is exploding. On Ethereum, private transaction submission – where users send transactions directly to block builders rather than broadcasting to the public mempool – grew from 31.8% in November 2024 to over 50% by February 2025. This trend accelerated after MEV sandwich attacks extracted $289.76 million in 2025 alone, accounting for 51.56% of total MEV volume. Users route privately to avoid being front-run, but the side effect is that investigators lose visibility into pre-confirmation transaction data. Private routing is itself a forensic signal – a transaction that is mined without ever appearing in your own nodes' mempool feeds was submitted privately – but it should be read with care: wallets and dapps increasingly route privately by default, so absence from the public mempool reflects the sender's tooling at least as often as an intent to avoid observation. Either way, the timing and propagation data that enables deanonymization disappears.
FATF Travel Rule compliance is driving real-time monitoring adoption. The EU’s Transfer of Funds Regulation took effect in December 2024, requiring Virtual Asset Service Providers to collect and share sender and recipient details before or during transactions. This regulatory mandate means exchanges must screen transactions at broadcast time, not after confirmation. The compliance infrastructure this requires – real-time mempool monitoring, counterparty risk scoring, and automated alerting – creates forensic capabilities as a byproduct. Approximately 90% of VASPs were expected to meet Travel Rule requirements by mid-2025 according to Notabene’s compliance report.
MEV patterns serve as forensic timestamps. When a sandwich attack targets a transaction – placing a front-run before it and a back-run after it in the same block – it shows that a searcher saw the victim's transaction before that block was built, which bounds the broadcast to before the block's timestamp. For investigators reconstructing timelines, MEV activity functions as an independent timestamp verification system. Two caveats apply: the bound is the block slot, not a finer time, and a builder that received the transaction privately could in principle produce the same ordering, so a sandwich proves pre-inclusion visibility to someone, not necessarily to the public mempool. Detection systems now identify sandwich patterns with 96.14% accuracy, making this data reliable enough for evidentiary purposes.
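A minimal sandwich detector over one block's ordered swaps, as an added example (not the page's, and not the detection system whose accuracy is quoted above). It assumes the swaps in a block have already been decoded into sender, pool and trade direction; the block below is constructed for the example. The rule it implements is the one described above: a front-run and back-run from the same sender in the same pool in opposite directions, bracketing one or more victims from other senders who traded in the front-run's direction.

```python
"""Sandwich detection in an ordered block, used as a timeline anchor.

Added example, not the page's or any vendor's detector. A block is modelled
as the ordered list of DEX swaps it contains; real input would come from
decoded swap events. The sample block is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Swap:
    index: int       # position of the transaction in the block
    tx_hash: str
    sender: str      # account that signed the transaction
    pool: str        # e.g. "WETH/USDC"
    direction: str   # "buy" or "sell" of the pool's base token


OPPOSITE = {"buy": "sell", "sell": "buy"}

# Constructed block: one real sandwich on WETH/USDC and a decoy on WETH/DAI
# where the same sender trades twice in the same direction (not a sandwich).
BLOCK = [
    Swap(0, "0xa1", "0xsearcher", "WETH/USDC", "buy"),
    Swap(1, "0xb2", "0xvictim",   "WETH/USDC", "buy"),
    Swap(2, "0xc3", "0xsearcher", "WETH/USDC", "sell"),
    Swap(3, "0xd4", "0xalice",    "WETH/DAI",  "sell"),
    Swap(4, "0xe5", "0xbob",      "WETH/DAI",  "buy"),
    Swap(5, "0xf6", "0xalice",    "WETH/DAI",  "sell"),
]


def find_sandwiches(swaps):
    """Return (front_run, [victims], back_run) triples.

    For each candidate front-run, the searcher's next swap in the same pool
    closes the window. If that closing swap is in the opposite direction and
    at least one other sender traded in the front-run's direction between
    them, the window is a sandwich. Same-direction closes are not."""
    swaps = sorted(swaps, key=lambda s: s.index)
    found = []
    for i, front in enumerate(swaps):
        for back in swaps[i + 1:]:
            if back.pool != front.pool or back.sender != front.sender:
                continue
            if back.direction == OPPOSITE[front.direction]:
                victims = [v for v in swaps[i + 1:back.index - swaps[0].index]
                           if v.pool == front.pool
                           and v.sender != front.sender
                           and v.direction == front.direction]
                if victims:
                    found.append((front, victims, back))
            break  # the searcher's next swap in this pool closes the window
    return found


def victim_visibility_bound(sandwich, block_timestamp):
    """The victim transactions were visible to the searcher before the block
    carrying them was built, so block_timestamp is an upper bound on their
    broadcast time. Returns (victim tx hashes, upper bound)."""
    _front, victims, _back = sandwich
    return [v.tx_hash for v in victims], block_timestamp


if __name__ == "__main__":
    for s in find_sandwiches(BLOCK):
        print(victim_visibility_bound(s, 1_700_000_000))
```

The slice `swaps[i + 1:back.index - swaps[0].index]` relies on the block being contiguous from its first index, which holds for a block's own transaction ordering; if you feed it a filtered subset, index by position instead.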
Frequently Asked Questions
Can mempool monitoring really identify who sent a transaction?
Yes, with meaningful accuracy. Propagation timing analysis identifies originating IP addresses with 81-95% accuracy depending on the method and the adversary’s node coverage. This does not directly reveal a name, but combined with ISP records, it links a transaction to a physical connection point. Law enforcement agencies use this technique alongside address clustering to build attribution cases that do not depend solely on exchange KYC data.
How long do transactions stay in the mempool?
Bitcoin transactions typically confirm within 10-60 minutes depending on fee levels and network congestion. During high-congestion periods, low-fee transactions can remain unconfirmed for hours or days, and nodes eventually evict them from their mempools. Ethereum transactions under proof-of-stake are usually included within one or two 12-second slots under normal conditions. Mempool monitoring must be continuous because the forensic window is short – once a transaction confirms, its propagation data survives only in the logs of nodes that recorded it while it was pending.
What is the difference between mempool monitoring and on-chain analysis?
On-chain analysis examines confirmed transactions recorded permanently on the blockchain. Mempool monitoring captures pre-confirmation data: broadcast timing, propagation patterns, transaction replacements, and fee adjustments. On-chain analysis is retrospective and permanent. Mempool analysis is real-time and ephemeral. The strongest investigations combine both – mempool data establishes timing and origin, while on-chain analysis traces fund flows after confirmation.
Can criminals avoid mempool monitoring by using private transaction routing?
Private routing through services like Flashbots Protect bypasses the public mempool, eliminating propagation timing data. Over 50% of Ethereum transactions now use private routing. However, private routing is not invisible – the transaction still appears on-chain once confirmed, and the use of private channels is detectable by comparing mined transactions against what your own nodes saw pending. Because many wallets route privately by default, that fact alone is weak evidence of intent and should be weighed alongside the rest of the case. Private routing also does not defeat post-confirmation transaction graph analysis or exchange-level monitoring.
Do exchanges monitor the mempool for incoming stolen funds?
Major exchanges use real-time transaction monitoring platforms – primarily Chainalysis KYT, Elliptic, and TRM Labs – that generate alerts within seconds of a transaction being broadcast. These systems flag incoming transfers from high-risk addresses, enabling compliance teams to freeze deposits before funds are converted or withdrawn. This real-time capability is why speed matters when reporting cryptocurrency theft – the faster Crypto Trace Labs is engaged, the more likely we can coordinate with exchanges to intercept funds before they move further.
Is mempool data admissible as evidence?
Mempool data has not been independently tested under Daubert or equivalent standards in the way that blockchain analysis evidence has. The challenge is provenance – mempool data is ephemeral and captured by individual nodes, so establishing chain of custody requires demonstrating that the capture infrastructure was reliable and the data was preserved without alteration. Blocknative’s Black Thursday forensic archive is the closest precedent for mempool evidence being used in a formal investigative context.
Are Stolen Funds Moving Right Now?
If you suspect cryptocurrency theft is in progress – or funds have recently been stolen and may not yet be confirmed – the investigation window is measured in minutes, not days. Real-time mempool monitoring and rapid exchange notification are the difference between freezing stolen assets and watching them disappear into a mixing service.
Crypto Trace Labs operates continuous monitoring infrastructure and maintains direct compliance contacts at major exchanges. When our forensic team – led by analysts including D. Hargreaves – identifies stolen fund movement, we coordinate emergency freezing requests before transactions confirm. Our founders held VP and Director positions at Blockchain.com, Kraken, and Coinbase. We hold ACAMS certifications and MLRO qualifications across UK, US, and European jurisdictions. No upfront charge for non-custodial wallet recoveries.
Contact Crypto Trace Labs now – every minute matters when funds are still in transit.
About the Author
This guide was prepared by the blockchain forensics team at Crypto Trace Labs. Our founding members held VP and Director-level positions at Blockchain.com, Kraken, and Coinbase, bringing over 10 years of combined experience in cryptocurrency operations, on-chain analysis, and forensic investigation. Our team holds ACAMS certifications, MLRO qualifications across UK, US, and European jurisdictions, and Chartered status at Fellow Grade. We have analyzed vanity address exploitation patterns in hundreds of investigations and provided expert witness testimony on blockchain attribution methodologies in court proceedings.
This content is for informational purposes only and does not constitute legal, financial, or compliance advice. Crypto asset recovery outcomes depend on specific circumstances, regulatory cooperation, and technical factors. Consult qualified professionals regarding your situation.