How does law enforcement trace Bitcoin?

So I spent last night staring at a block explorer until my eyes literally bled—trying to track down 0.05 BTC a buddy lost to a phishing link. Total nightmare. I mapped out three hops before the funds just vanished into a massive, unlabelled wallet. It hit me hard. If a highly motivated guy with a spreadsheet hits a brick wall in two hours, exactly how does law enforcement trace Bitcoin successfully?

They recover millions. I can't find fifty bucks. Wild.

Trying to Understand the Detective Work

I totally get the public ledger concept. Everyone sees the transaction history. But tying a random alphanumeric string to a physical person sitting in a basement somewhere? That is the exact part where my brain breaks. I was reading up on the 2016 Bitfinex hack recovery, and the feds apparently used specific clustering heuristics to finally pin the suspects down. (Common-input ownership is the main one, right?)

I started compiling what I think are the standard techniques the three-letter agencies actually deploy. I really need someone to tell me if I am remotely on the right track here:

• Address Clustering: Grouping multiple inputs from a single transaction assuming they belong to one single entity.
• Exchange Subpoenas: Forcing platforms with strict KYC protocols to hand over the actual ID linked to the fiat off-ramp deposit.
• Timing Analysis: Watching network nodes to see exactly when and where a transaction was first broadcast.

But what happens when funds hit a mixer? A 2022 compliance report I found mentioned roughly 68% of illicit flows eventually wash through coinjoin protocols or offshore tumblers. Does the trail just instantly die there?

My amateur tracking roadblocks

I seriously want to learn this. If anyone here actually works in blockchain forensics or plays around with advanced tracking software—how do you actually break through a massive peel chain without losing your mind?