Crypto Investigator Jobs (2026)

Updated: 2026-05-28 · Reading time: ~10 min · Editorial team, web3.career


If you want to trace crypto for a living in 2026, there are more open roles than ever — and most of the SERP collapses them into one ambiguous job title. There are actually three distinct sub-markets, each with different pay, different tooling, and different gatekeeping. This guide names them.


We name the employers, the platforms investigators actually use day-to-day, and what each path pays. We also cover the parts most job boards skip: clearance tiers, certifications worth their cost, and the realistic pivot from AML or federal LE into this work.




The short answer


A crypto investigator job is an on-chain forensics role — tracing transactions across blockchains, linking wallets to entities, and writing reports for law enforcement, compliance teams, or litigation. In 2026, the top employers are Chainalysis, TRM Labs, Elliptic, Merkle Science, and crypto-exchange compliance teams at Coinbase, Binance, and OKX. Pay runs $51K–$220K depending on employer and seniority.







What a crypto investigator actually does


A working week is mostly two activities. The first is tracing — running a forensics platform against a starting address, following flows across exchanges, mixers, bridges, and DeFi protocols, then attributing the destination clusters to known entities. The second is writing — turning a trace into a report a compliance team, a prosecutor, or a court can act on.


Beyond those two, the day-to-day mix depends on employer:


  • Investigating specific case types: ransomware, pig-butchering scams (and adjacent investment fraud), exchange hacks, account takeovers, terrorism finance, sanctions evasion.
  • Producing written intelligence — typed reports, court-grade exhibits, internal compliance briefs.
  • Serving as an expert witness in litigation. Less common, but this tier pays $300–$700/hr.
  • Liaising with law enforcement (FBI, Secret Service, IRS-CI, FinCEN, Europol, and equivalents in other jurisdictions).
  • Building public-facing intelligence — TRM, Chainalysis, and Elliptic all publish quarterly reports built on investigator findings.


The work scales well beyond tracing by hand in Etherscan. Investigators at top firms run multi-chain traces across Bitcoin, Ethereum, Tron, Solana, and bridge protocols, sometimes within the same case.


What this role does not look like


A few common misconceptions about the work, mostly carried over from how the role is portrayed in podcast hype:


  • It is not "hacker hunting." Investigators do not break into systems; they read what the chain already shows. Offensive security is a different career path entirely.
  • It is not always glamorous. Long stretches are spent labelling addresses, writing internal QA notes, and updating attribution databases. The dramatic seizure announcements are the outputs of months of mundane tracing.
  • It is not Solidity work. Smart contract review is its own discipline (see the smart contract security auditor path). Investigators read transactions, not contract source.
  • It is not anonymous. Most senior investigators publish under their real names, present at conferences, and treat the public-facing profile as part of the job.





The three sub-markets


Most SERP pages collapse "crypto investigator" into one job. It isn't. There are three sub-markets with different hiring norms and different ceilings.


  • Blockchain analytics firms
    Examples: Chainalysis, TRM Labs, Elliptic, Merkle Science, Crystal, NAXO
    What they pay: $100K–$220K + equity
    What they want: Investigations background, on-chain fluency, report writing
  • Crypto-native compliance teams
    Examples: Coinbase, Binance, OKX, Kraken, Tether, Gemini
    What they pay: $91K–$160K + equity or tokens
    What they want: AML and SAR experience, Chainalysis or TRM tooling
  • Government and contractors
    Examples: FBI, Secret Service, IRS-CI, FinCEN, state task forces, Treliant, K2 Integrity
    What they pay: $80K–$130K + benefits and (sometimes) clearance
    What they want: Investigator credentials, LE background, ability to obtain clearance


Each sub-market has its own promotion ladder and its own external recruiting signal. Analytics firms hire most heavily from federal LE and senior AML. Compliance teams at exchanges promote from junior fraud or KYC roles internally. Government roles often require US citizenship and a background investigation that can take 6–12 months.


For the broader compliance career picture, see crypto compliance careers. If you're targeting Coinbase specifically, Coinbase compliance and AML roles covers their hiring funnel.



The tool stack hiring managers test on


Crypto investigation is a tooling-heavy role. Job listings test for specific platforms by name. Read enough of them and a pattern emerges.


Forensics platforms (paid, enterprise):


  • Chainalysis Reactor — the most-named platform; the closest thing to an industry default.
  • TRM Labs platform — strong in sanctions, terrorism finance, scam disruption.
  • Elliptic Lens — strong UK and EU footprint; common at European exchanges.
  • Crystal Expert — wide adoption among smaller firms and government contractors.
  • Merkle Science Tracker — growing fast; common in APAC compliance teams.


Open-source and supplemental:


  • Arkham, Nansen — labels and clustering, especially for DeFi-heavy cases.
  • Etherscan, Solscan, blockchain explorers per chain.
  • OXT, Mempool.space — Bitcoin-specific analysis.


Analytics and scripting:


  • Dune queries.
  • SQL on Bitquery, Allium, or Flipside.
  • Python with pandas for batch analysis and one-off scripts.


Reporting:


  • Plain prose. Court-grade investigators format exhibits to evidentiary standards. The Chainalysis Crypto Crime Report is the most-cited industry baseline for trend framing.


Most junior listings name one or two platforms as required. Senior listings name three or four and expect transferable fluency across the rest.



The case types you'll actually work on


Different employers attract different case loads. Knowing the mix helps you target the right job listings.


  • Ransomware. The volume case type at most analytics firms. Tracing payment flows from victim wallets to exchanges or mixers; tagging operator clusters; supporting incident response and law enforcement notification. Chainalysis and TRM both publish quarterly ransomware reports built on this work.
  • Pig-butchering and investment fraud. Long-running scam operations, often originating in Southeast Asia. TRM's Scam Disruption team specializes here. Cases involve tracing victim flows through layered wallets, identifying off-ramps, and coordinating with platforms to freeze funds.
  • Sanctions evasion. OFAC SDN-list address tracing. Identifying sanction-evading flows through DEXs, bridges, and mixers. Particularly prominent at firms working with US Treasury or EU regulators.
  • Hacks and exchange exploits. Post-incident traces. Following stolen funds across bridges and L2s. The 2024 and 2025 wave of bridge hacks gave investigators years of case material.
  • Account takeovers (ATOs). Smaller-dollar but high-volume at exchanges. Most exchange compliance teams have an ATO-focused investigator track.
  • Terrorism finance. Smaller volume but higher seniority and clearance bar. Concentrated at TRM's national security desk and government contractors.



How much do crypto investigators make in 2026?


Pay depends almost entirely on which sub-market you sit in, not on your years of experience alone.


  • Junior or entry-level investigator: $51K–$91K typical for named-title roles. Often at exchanges (the OKX Web3 Fraud Investigations Analyst role lists $91K–$93K remote) or government roles. Indeed and ZipRecruiter aggregate listings sometimes show floors as low as $48K when broader title fuzziness is included.
  • Mid-level investigator: $90K–$140K. Most Chainalysis, TRM, and Elliptic IC roles at this tier. Columbia, MD government contractor density pushes some of these listings into the $51K–$114K band.
  • Senior investigator: $130K–$180K plus equity. Elliptic's Senior Cryptocurrency Investigator role in London anchors this band; TRM's Senior All Source Investigator (Scam Disruption) is in the same range.
  • Specialized or lead (e.g., national security desk): $180K–$260K plus equity. TRM's Global Investigator role on the national security tier is in this band.
  • Litigation expert witness: $300–$700/hr. A specialty path that almost always follows a senior IC track.


The 1,142 crypto security roles listed on web3.career as of May 2026 include a mix of investigator and adjacent security titles — a useful cross-reference when you're sizing the market.


For an adjacent path with similar pay structure, entry-level crypto jobs covers compliance-bench roles that can serve as a stepping stone.



Do you need clearance, a CAMS, or a CFE?


Honest answer: it depends on the sub-market, and certs matter less than most candidates think.


For government-adjacent roles: US Public Trust → Secret → TS/SCI depending on the unit. Treliant and NAXO sometimes list Public Trust as a requirement up front. Contractors supporting federal task forces may require Secret or TS/SCI. Outside the US, equivalents apply per jurisdiction.


For private-sector investigations: CAMS (ACAMS Certified Anti-Money Laundering Specialist) is the most-named credential in job listings. CFE (ACFE Certified Fraud Examiner) helps for fraud-heavy roles. CCAS (Chainalysis Cryptocurrency Investigations Specialist) is the most-named domain certification in 2026 and signals direct tooling fluency. (CipherTrace's CCI cert lingered as a "nice-to-have" on older listings but the program wound down after CipherTrace was absorbed into Mastercard — verify before listing it on a 2026 resume.)


For litigation expert-witness work: Demonstrated case experience beats certifications. The credential is the case list — typical hourly rates land in the $300–$700 range, as noted in the pay section above.


Most hiring teams weight an on-chain investigation portfolio plus clear writing samples above the certificate stack. The fastest way to build that portfolio without a job is to analyze a public incident — the Bybit February 2025 hack, a recent ransomware payment flow, an OFAC-listed entity's known addresses — and publish your analysis. One solid writeup beats two paper certs in most interviews.


If you're starting from zero and pacing a career switch, expect a realistic timeline of 6–12 months: a CAMS run (eight weeks), two or three published writeups (three to four months), then applications. Candidates who skip the writeups and rely on certs alone tend to take 12–18 months to land an entry-level seat. Candidates who skip certs and lean on portfolio plus prior LE or AML experience often move fastest.



Frequently asked questions


What does a crypto investigator do?


A crypto investigator traces transactions across blockchains, attributes addresses to entities like exchanges or sanctioned actors, and writes intelligence reports for compliance teams, law enforcement, or litigation. The work is part tracing, part writing, part client communication. Day-to-day cases cover ransomware, fraud, hacks, and sanctions evasion.


How much do crypto investigators make?


In 2026, pay ranges from $51K at entry-level exchange roles up to $260K at senior national-security-tier roles at analytics firms. Mid-level pays $90K–$140K. Expert witness work is hourly, $300–$700/hr, and almost always follows a senior IC track first.


Are crypto investigator jobs remote?


Many private-sector roles are remote or hybrid — Glassdoor lists 24 remote crypto investigations roles as of May 2026. Government-adjacent work tends to be hybrid because of secure facility access requirements. Exchange compliance teams often allow remote-USA or remote-EU. For more on remote norms, see remote blockchain jobs.


Do you need a degree or certification?


Useful but not required. CAMS, CFE, and CCAS help. An on-chain investigation portfolio (one or two published case writeups) plus an AML or LE background matters more for hiring than the certificate stack alone.


What software do crypto investigators use?


Chainalysis Reactor, TRM Labs, Elliptic Lens, Crystal Expert, and Merkle Science Tracker on the enterprise side. Arkham, Nansen, Etherscan, Solscan, and Dune on the open-source side. Python with pandas for batch work. SQL on Bitquery, Allium, or Flipside for chain-level queries.


How do I become a crypto investigator with no experience?


The most common path: start at exchange compliance (junior KYC, AML, or fraud analyst at Coinbase, Kraken, or Gemini), spend a year learning the tooling and case types, then move into an analytics firm. Build a public investigation portfolio in parallel. CAMS helps the resume make the first cut.



How to break in


Four common paths into this work, with the resume signal each one needs:


  • From AML or TradFi compliance. Apply to exchange compliance teams first (Coinbase, Kraken, Gemini, Binance). One on-chain investigation writeup, even on a public incident, is the differentiator.
  • From law enforcement. Apply directly to analytics firms — Chainalysis, TRM, and Elliptic preferentially hire ex-LE for senior roles. Your case history is the credential.
  • From data or analytics. Build an open-source investigation portfolio. Pick a public incident, run the trace, publish the writeup with addresses and chain references. Three writeups beat one cert.
  • From new graduate. ACAMS CAMS plus an on-chain portfolio plus entry-level applications at exchanges. Public-data practice cases include the Bybit February 2025 hack flow and any recent ransomware payment chain.


For adjacent career paths, see crypto compliance careers, crypto sales jobs, and crypto law jobs.


One last note on signal: this field rewards public work more than most. Investigators who tweet their findings, publish writeups, or post Dune dashboards build a recruitable identity that hiring managers can find. The community is small enough that two or three good public threads in a quarter routinely lead to inbound recruiter conversations. Treat the open analysis as part of the job application stack, not as a side project.







Sources: Chainalysis Crypto Crime Report (chainalysis.com), TRM Labs research (trmlabs.com), Elliptic research (elliptic.co), OFAC SDN list (sanctionssearch.ofac.treas.gov), FATF travel rule (fatf-gafi.org), ACAMS CAMS (acams.org), Glassdoor remote crypto investigations listings (May 2026), Indeed cryptocurrency-investigator listings (May 2026), ZipRecruiter Texas + Columbia MD listings (May 2026), web3.career crypto security jobs (live). Salary bands cross-referenced against named open roles at Chainalysis, TRM Labs, Elliptic, Merkle Science, Tether, OKX, Binance, NAXO, and Treliant.


