Sitting here staring at a messy cluster graph from OXT, completely stuck. I thought pseudonymous meant private. Clearly, I missed a massive memo.
For my junior cybersecurity capstone, I'm trying to reverse-engineer a sample transaction chain—specifically looking at how authorities actually recovered those stolen funds from the 2022 Bitfinex breach. It's maddening. The minute I hit a basic coin mixer, the trail just goes totally dark for me. My screen turns into a chaotic web of unspent transaction outputs (UTXOs) that make absolutely zero sense.
Yet, the feds somehow unpeel these transactions like a cheap onion.
I need a reality check. How does law enforcement trace Bitcoin? They aren't just getting lucky. There is a brutal, unforgiving math behind it. I've spent three nights reading up on chain heuristics, staring at block explorers until my eyes bleed, and here is my rough understanding of their toolkit so far:
- Common Input Ownership: Assuming all inputs in a single transaction belong to the exact same entity.
- Change Address Prediction: Identifying the output that bounces back to the sender rather than the payee.
- Exchange Subpoenas: Forcing fiat off-ramps to hand over KYC data when the suspect finally cashes out.
Are they basically just relying on that third bullet point, or are their algorithms actually breaking through the math of a sophisticated CoinJoin? Do tools like Chainalysis operate proprietary nodes just to vacuum up IP addresses?
I feel like I'm missing a massive piece of the puzzle regarding peeling chains.
My specific roadblock: Identifying which UTXO is the actual payment versus the change address without knowing the exact exchange rate at that specific 2022 timestamp.
Can any of the veterans here point me toward the actual analytical frameworks or open-source tools that mimic what agencies use? It all essentially boils down to waiting for the target to make a sloppy OpSec mistake, right?
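The two heuristics listed above (common input ownership and change prediction) can be run as code, which makes it easier to see where a mixer stops them. The block below is an added example, not code from the original post and not any vendor's tool: it clusters addresses with a union-find over shared inputs, guesses the change output from address freshness and round-number amounts in BTC terms (no exchange-rate lookup needed), follows the resulting peel chain, and refuses to apply common input ownership to a CoinJoin-shaped transaction. The transaction list, every txid, address and amount, and the specific CoinJoin fingerprint (several inputs, three or more equal-value outputs) are all constructed assumptions for illustration.

```python
"""Toy chain clustering: common-input-ownership plus a change heuristic.

Added example; not code from the original post or from any analytics vendor.
Every txid, address and amount below is constructed (no Bitfinex-case data).
Amounts are integer satoshis, as they are on chain.
"""
from collections import Counter

COIN = 100_000_000  # satoshis per BTC

# Constructed sample chain: "inputs" are the addresses whose earlier outputs
# the tx spends; "outputs" are (address, satoshis) pairs, in chain order.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"],
     "outputs": [("M1", 1 * COIN), ("A3", 49_931_200)]},
    {"txid": "tx2", "inputs": ["A3"],
     "outputs": [("M2", 25_000_000), ("A4", 24_912_000)]},
    # CoinJoin-shaped: two unrelated spenders, three equal-value outputs.
    {"txid": "tx3", "inputs": ["A4", "B1"],
     "outputs": [("C1", 10_000_000), ("C2", 10_000_000), ("C3", 10_000_000),
                 ("A5", 4_837_000), ("B2", 5_120_000)]},
    {"txid": "tx4", "inputs": ["M1", "M2"],
     "outputs": [("X1", 120_000_000), ("M3", 4_970_000)]},
]


class UnionFind:
    """Disjoint sets over addresses; one set = one presumed controlling entity."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Assumed CoinJoin fingerprint: several inputs and >= 3 equal-value outputs.
    Applying common-input-ownership here would wrongly merge every participant."""
    counts = Counter(value for _, value in tx["outputs"])
    return len(tx["inputs"]) > 1 and max(counts.values()) >= min_equal_outputs


def is_round_amount(sats, unit=1_000_000):
    """True if the amount is a whole multiple of 0.01 BTC, the kind a payer types."""
    return sats % unit == 0


def guess_change(tx, seen):
    """Assumed change rules: the single output to a never-seen address wins;
    if several outputs are fresh, the single non-round one wins. Else None."""
    fresh = [(addr, v) for addr, v in tx["outputs"] if addr not in seen]
    if len(fresh) == 1:
        return fresh[0][0]
    odd = [addr for addr, v in fresh if not is_round_amount(v)]
    return odd[0] if len(odd) == 1 else None


def cluster_chain(txs, skip_coinjoin=True):
    """Walk txs in chain order. Returns (union-find, {txid: change}, skipped txids)."""
    uf, seen, change_log, skipped = UnionFind(), set(), {}, []
    for tx in txs:
        seen.update(tx["inputs"])
        if skip_coinjoin and looks_like_coinjoin(tx):
            skipped.append(tx["txid"])
            seen.update(addr for addr, _ in tx["outputs"])
            continue
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:   # common-input-ownership heuristic
            uf.union(first, addr)
        change = guess_change(tx, seen)
        if change is not None:          # change stays with the spender's cluster
            change_log[tx["txid"]] = change
            uf.union(first, change)
        seen.update(addr for addr, _ in tx["outputs"])
    return uf, change_log, skipped


def same_entity(uf, a, b):
    return uf.find(a) == uf.find(b)


def follow_peel_chain(txs, change_log, start_addr):
    """Hop along identified change outputs from start_addr; returns txids visited.
    The walk ends at the first tx with no identified change output."""
    spent_by = {addr: tx for tx in txs for addr in tx["inputs"]}
    path, addr = [], start_addr
    while addr in spent_by:
        tx = spent_by[addr]
        path.append(tx["txid"])
        addr = change_log.get(tx["txid"])
        if addr is None:
            break
    return path


if __name__ == "__main__":
    uf, change_log, skipped = cluster_chain(SAMPLE_TXS)
    print("change outputs:", change_log)            # {'tx1': 'A3', 'tx2': 'A4', 'tx4': 'M3'}
    print("skipped as CoinJoin-shaped:", skipped)   # ['tx3']
    print("A1 ~ A4:", same_entity(uf, "A1", "A4"))  # True
    print("A1 ~ B1:", same_entity(uf, "A1", "B1"))  # False
    print("peel chain from A1:", follow_peel_chain(SAMPLE_TXS, change_log, "A1"))  # ['tx1', 'tx2', 'tx3']
    naive, _, _ = cluster_chain(SAMPLE_TXS, skip_coinjoin=False)
    print("naive merge of A1 and B1:", same_entity(naive, "A1", "B1"))  # True
```

Two things worth noticing when you run it. The peel chain from A1 is followed through tx1 and tx2 purely on fresh-address and round-amount cues, so the roadblock about not knowing the 2022 exchange rate is avoided by reasoning in BTC units rather than fiat. And the walk stops at tx3: with the CoinJoin gate on, the spender of A4 is not linked to B1, whereas the naive run (skip_coinjoin=False) falsely merges the two participants, which is exactly the kind of over-clustering that turns a graph into the "chaotic web" described in the post.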