How does law enforcement trace Bitcoin?


(@mikepro)
New Member
Joined: 15 hours ago
Posts: 0
Topic starter

So I've been staring at a public block explorer for three straight hours trying to track down exactly where a friend's stolen funds went—and frankly, my brain is completely melting.

Back in late 2022, my buddy lost about 0.14 BTC to a nasty clipboard hijacker script. Feeling confident, I figured I could play amateur sleuth. I tried applying basic common-input ownership heuristics (you know, assuming all inputs in a single transaction belong to the exact same entity). It worked perfectly for exactly two hops. Then the trail vanished completely into what looks like a massive offshore exchange hot wallet. Dead end.

Hitting the On-Chain Brick Wall

That frustrating little roadblock really got me thinking—how does law enforcement trace Bitcoin when things get this messy? I mean, I know the federal agencies aren't just blindly clicking around public ledgers hoping for a lucky break, right? They obviously possess massive proprietary data feeds and serious subpoena power.

From what I gather, the pros rely on a few specific methods, but I'm absolutely missing the secret sauce here. Here is my current understanding of their forensic toolkit:

  • KYC Subpoenas: Matching strict exchange withdrawal logs directly to specific user IP addresses.
  • Address Clustering: Running automated heuristics to group millions of seemingly disconnected wallets into single known entities.
  • Change Tracking: Following tiny leftover UTXOs to catch surprisingly sloppy operational security.

Where I'm Totally Stuck

If a criminal aggressively bounces their stash through a non-custodial CoinJoin setup or simply swaps it out for Monero via an anonymous bridge, does the forensic trail actually survive? I read a 2023 threat intel report claiming authorities successfully de-anonymized roughly 68% of heavily mixed darknet funds using purely timing analysis—but that sounds incredibly high to me.

Are any of you full-time forensic guys willing to explain what actually happens after the funds hit a sophisticated mixer? Do investigators just wait years for the thief to eventually slip up and cash out at a heavily regulated fiat off-ramp?
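To make the two techniques the post names concrete (the common-input-ownership heuristic and change tracking, plus the "trail ends at an exchange hot wallet" situation), here is an added worked example. It is not code from the post or from any forensic vendor; the transactions, addresses, amounts and the entity labels in `KNOWN_ENTITIES` are all constructed, and the change rule (fresh address paired with a round-amount payment) is one common textbook heuristic, not an authoritative one.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample transactions, NOT real chain data.  Each entry lists the input
# addresses being spent and the (address, BTC amount) outputs created, in chain order.
TXS = [
    {"txid": "t1", "inputs": ["vic1"],
     "outputs": [("thief1", Decimal("0.14"))]},                                # the theft itself
    {"txid": "t2", "inputs": ["thief1"],
     "outputs": [("pay1", Decimal("0.10")), ("thief2", Decimal("0.0399"))]},   # round payment + change
    {"txid": "t3", "inputs": ["thief2", "thief3"],
     "outputs": [("exch1", Decimal("0.05")), ("thief4", Decimal("0.0097"))]},  # deposit to an exchange
    {"txid": "t4", "inputs": ["exch1", "exch2", "exch3"],
     "outputs": [("u1", Decimal("1.5")), ("exch4", Decimal("3.2"))]},          # exchange hot-wallet sweep
]

# Constructed attribution labels, standing in for the proprietary entity feeds the post mentions.
KNOWN_ENTITIES = {a: "exchange-hot-wallet" for a in ("exch1", "exch2", "exch3")}


class UnionFind:
    """Disjoint-set structure: addresses joined by a heuristic end up in one cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def is_round(amount):
    """A payment typed by a human tends to have few decimals; change rarely does."""
    return amount == amount.quantize(Decimal("0.01"))


def guess_change(tx, seen):
    """Change heuristic: in a two-output tx, a never-before-seen address paired with a
    round-amount payment is probably the spender's change.  Ambiguous cases return None."""
    if len(tx["outputs"]) != 2:
        return None
    (a_addr, a_amt), (b_addr, b_amt) = tx["outputs"]
    candidates = []
    if a_addr not in seen and is_round(b_amt):
        candidates.append(a_addr)
    if b_addr not in seen and is_round(a_amt):
        candidates.append(b_addr)
    return candidates[0] if len(candidates) == 1 else None


def cluster_addresses(txs):
    """Return {address: frozenset(cluster members)} built from the common-input-ownership
    heuristic plus the change heuristic.  Note the first rule is exactly the assumption a
    CoinJoin breaks: its inputs belong to several parties, so clustering would wrongly merge them."""
    uf = UnionFind()
    seen = set()
    for tx in txs:
        for addr in tx["inputs"]:
            uf.union(tx["inputs"][0], addr)          # common-input ownership
        for addr, _ in tx["outputs"]:
            uf.find(addr)                            # register every address, even singletons
        change = guess_change(tx, seen)
        if change is not None:
            uf.union(tx["inputs"][0], change)        # change stays with the spender
        seen.update(tx["inputs"])
        seen.update(addr for addr, _ in tx["outputs"])
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def trace_funds(txs, start, known, max_hops=5):
    """Breadth-first walk forward from `start`.  The walk stops where an address carries an
    entity label (from here on it is a records request, not chain analysis) or has no spend."""
    spends = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    frontier, visited, endpoints = [(start, 0)], set(), []
    while frontier:
        addr, hop = frontier.pop(0)
        if addr in visited:
            continue
        visited.add(addr)
        if addr in known:
            endpoints.append({"hop": hop, "address": addr, "label": known[addr]})
            continue
        if hop >= max_hops or not spends[addr]:
            endpoints.append({"hop": hop, "address": addr, "label": None})
            continue
        for tx in spends[addr]:
            for out_addr, _ in tx["outputs"]:
                frontier.append((out_addr, hop + 1))
    return endpoints


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    print("thief cluster:", sorted(clusters["thief1"]))
    for e in trace_funds(TXS, "thief1", KNOWN_ENTITIES):
        print(e)
```

Run as-is it groups the four `thief*` addresses into one cluster and shows the trace from the theft reaching a labelled exchange address at hop 2, with the other branches dead-ending in unspent outputs: the same shape as the two-hop dead end described in the post. The `t4` sweep deliberately has two round outputs so the change rule declines to guess, which is the behaviour you want; a heuristic that always picks something is how false attributions get made.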