Case Study: South West Regional Cyber Crime Unit investigates £20M cryptocurrency theft and recovers stolen funds with Nuix Bitcoin Extractor

A Nuix Case Study

Preview of the South West Regional Cyber Crime Unit Case Study

Regional Cybercrime Unit Investigates £20 Million Cryptocurrency Theft With Self-Developed Nuix Bitcoin Extraction Script

As cryptocurrencies became central to organized crime, the South West Regional Cyber Crime Unit (SWRCCU) needed a faster, more reliable way to find Bitcoin addresses and private keys hidden in terabytes of seized digital evidence. The unit already used Nuix software in its digital forensics workflow, including Nuix Workstation for ingestion and Nuix Investigate for review, and sought to replace slow, manual keyword and specialist-driven searches that missed modern wallet formats and mobile extractions.

An SWRCCU investigator built the Nuix Bitcoin Extractor using Nuix’s API, combining Ruby and Python scripts to extract addresses from mobile devices, PCs, laptops and cloud data, validate their checksums and verify them against the blockchain. Leveraging Nuix’s broad data support, the tool processed millions of items rapidly (roughly 5–10 minutes per million indexed items). It helped identify suspects in a £20 million cryptocurrency theft and enabled recovery of some stolen funds. Nuix now makes the extractor available to its user community.



South West Regional Cyber Crime Unit

Harry F

Digital Forensic Investigator

