How Modern Crypto Actually Works Under the Hood
Digital forensics practitioners increasingly encounter cryptocurrency in their casework — ransomware payments, darknet transactions, exchange hacks and DeFi exploits all leave traces on blockchain networks that investigators must follow. Following those traces, however, requires a working understanding of how modern crypto infrastructure is actually built. This guide explains the key components: the layer-2 networks that handle most transaction volume, the alternative blockchains competing with Ethereum, the cross-chain swap mechanisms that move assets between networks, the validators who confirm everything, and the algorithmic stablecoins that can destabilise entire ecosystems.
Ethereum's main chain is both the foundation of decentralised finance and its biggest bottleneck. To relieve congestion, a generation of layer-2 networks has emerged, processing transactions off the main chain and periodically posting summaries back. The Arbitrum scaling network uses "optimistic rollups" — it optimistically assumes transactions are valid and only runs a full verification if a challenge is raised. From a forensic standpoint, Arbitrum transactions are visible on its own block explorer, but the settlement proofs are recorded on Ethereum's main chain, meaning investigators need to understand both layers to follow the full trail. The layer-2 architecture also means that transaction fees are far lower, which has made Arbitrum a preferred venue for high-frequency DeFi activity that would be economically unviable directly on Ethereum.
Not every protocol builds on Ethereum. Avalanche is a fully independent blockchain ecosystem with its own consensus protocol, capable of finalising transactions in under two seconds. Crucially, Avalanche supports custom "subnets" — separate blockchain environments that share Avalanche's security but operate under their own rules. This flexibility has attracted enterprise and gaming deployments that need more control. For incident responders, Avalanche's subnet architecture means that the network a transaction occurred on may not be the Avalanche main chain; evidence may sit on a private or semi-private subnet, potentially governed by different rules around data retention and access.
Connecting these different networks creates security challenges. The most elegant solution is a trustless cross-chain trade: the atomic swap. Atomic swaps use hashed time-lock contracts (HTLCs) to ensure that either both legs of a cross-chain exchange complete or neither does, with no central custodian taking possession of funds at any point. Forensically, atomic swaps are harder to trace than exchange transactions because they leave no on-chain link between the two participating addresses on their respective chains; the only evidence of the swap is the matching hash preimage appearing on both blockchains. This makes atomic swaps attractive to privacy-conscious users and, consequently, a problem for investigators trying to follow illicit flows.
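A minimal simulation of the HTLC exchange described above, added here as an example (it is not code from the original article). Each chain is modelled as a plain list of contracts; the names, amounts and block heights are constructed. It runs both the happy path and the timeout path, and `link_swaps` shows the one forensic link the text mentions: the shared hashlock visible on both chains.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class HTLC:
    hashlock: bytes
    sender: str
    receiver: str
    amount: int
    expiry: int                    # block height at which the sender may refund
    state: str = "locked"          # locked -> claimed | refunded
    preimage: bytes | None = None  # revealed on-chain when claimed

def lock(chain, sender, receiver, amount, hashlock, expiry):
    chain.append(HTLC(hashlock, sender, receiver, amount, expiry))
    return len(chain) - 1

def claim(chain, idx, preimage, height):
    # Receiver may claim only before expiry and only with the correct preimage.
    h = chain[idx]
    if h.state != "locked" or height >= h.expiry:
        return False
    if hashlib.sha256(preimage).digest() != h.hashlock:
        return False
    h.state, h.preimage = "claimed", preimage
    return True

def refund(chain, idx, height):
    # Sender may take the funds back only once the timelock has expired.
    h = chain[idx]
    if h.state != "locked" or height < h.expiry:
        return False
    h.state = "refunded"
    return True

def run_swap(alice_claims=True):
    chain_a, chain_b = [], []
    secret = secrets.token_bytes(32)               # known only to Alice at first
    hashlock = hashlib.sha256(secret).digest()
    # Alice's lock expires later than Bob's, so Bob can never be left holding
    # a lock that Alice could still claim after his own refund window opens.
    a = lock(chain_a, "alice@A", "bob@A", 100, hashlock, expiry=48)
    b = lock(chain_b, "bob@B", "alice@B", 5, hashlock, expiry=24)
    lock(chain_a, "carol@A", "dave@A", 7, hashlib.sha256(b"unrelated").digest(), 30)
    if alice_claims:
        claim(chain_b, b, secret, height=10)       # reveals the preimage on chain B
        claim(chain_a, a, chain_b[b].preimage, height=12)  # Bob reuses it on chain A
    else:
        refund(chain_b, b, height=24)              # Alice never showed up
        refund(chain_a, a, height=48)
    return chain_a, chain_b

def link_swaps(chain_a, chain_b):
    # Forensic pairing: HTLCs on different chains sharing one hashlock.
    by_hash = {h.hashlock: i for i, h in enumerate(chain_a)}
    return [(by_hash[h.hashlock], j) for j, h in enumerate(chain_b) if h.hashlock in by_hash]
```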
Security across all these networks depends on validators, the nodes that secure a proof-of-stake chain. Validators are economically bonded participants who propose and attest to new blocks; misbehaviour results in "slashing" — the destruction of a portion of their staked collateral. The validator set is public, and validator behaviour is observable, which has implications for chain security analysis: an investigator assessing whether a blockchain is trustworthy needs to examine the geographic distribution of validators, the concentration of staked tokens among a few large operators, and any history of slashing events. Concentrated validator sets are a single point of failure that sophisticated attackers target.
Finally, investigators have witnessed the explosive collapses that algorithmic stablecoins can produce. Unlike dollar-backed stablecoins with fiat reserves, algorithmic designs maintain their peg through mint-and-burn mechanics that depend on market confidence and arbitrage incentives. The forensic lesson from the 2022 TerraUSD collapse is that these systems can experience bank-run dynamics at blockchain speed: the death spiral that took TerraUSD from $1 to near zero happened in less than 72 hours, with billions of transactions on a network that was simultaneously experiencing validator stress. Incident responders investigating DeFi exploits and market-manipulation schemes increasingly need to understand the feedback loops between algorithmic stablecoins, the validators securing the underlying chain, and the liquidity conditions created by layer-2 activity — because all three layers interact in real time during a crisis.