Senior Blockchain Intelligence Analyst, Ransomware

TRM Labs

TRM Labs provides a blockchain intelligence platform to help organizations investigate, monitor, and detect crypto and digital asset fraud and financial crime. They serve government agencies, financial institutions, and crypto businesses worldwide.

Distributed
About TRM Labs

TRM Labs provides a next-generation blockchain intelligence platform designed to investigate, monitor, and detect crypto and digital asset fraud and financial crime. The platform features extensive asset coverage, supporting over 200 million assets across more than 41 blockchains, including NFTs and DeFi protocols. It offers cross-chain analytics to trace the flow of funds seamlessly between different blockchains and utilizes over 150 risk categories, including FATF's money laundering predicate offenses, for customized risk scoring. TRM's data is built from a large, proprietary database of illicit activity combined with advanced data science. The company serves a global client base, including government agencies, financial institutions, and crypto businesses, helping them to safeguard the crypto financial system, maintain high standards for AML/CFT compliance, and build trust in digital assets.

About the Role

You will trace ransomware proceeds across blockchains using blockchain analytics, cyber threat intelligence, and cryptocurrency attribution to support investigations and evidentiary workflows. You will independently lead complex investigations, determine attribution, and deliver high-quality intelligence. You will communicate findings clearly to government and private sector partners.

Requirements

  • 5-8+ years of professional experience in blockchain intelligence, crypto investigations, cybercrime analysis, threat intelligence, financial crime investigations, or a comparable senior analytical role.
  • Blockchain tracing expertise — Deep hands-on experience tracing funds across multiple blockchains and through laundering or obfuscation techniques such as mixers, chain-hopping, bridges, peel chains, and layered cash-out behavior.
  • Extensive investigative tradecraft — Demonstrated ability to independently run complex investigations and synthesize findings into clear written intelligence products, including investigative assessments, lead packages, fund-flow analysis, and attribution reporting.
  • Ransomware domain expertise — including a deep understanding of the broader cybercrime ecosystem and the relationships among ransomware operators, affiliates, initial access brokers, malware developers, laundering networks, and cash-out services.
  • Excellent written and verbal communication — especially the ability to turn technically complex tracing findings into understandable, actionable intelligence for government and private-sector audiences.
  • Judgment and execution — Strong judgment, curiosity, and the ability to operate effectively in a fast-moving, high-stakes environment where timing matters and outputs must still stand up to scrutiny.
  • AI fluency — Experience leveraging AI tools and large language models (LLMs) to accelerate research, surface insights, and augment analytical workflows, with the ability to critically evaluate AI-generated outputs for accuracy and relevance.
  • US Citizenship required

Responsibilities

  • Produce impactful finished intelligence on ransomware actors, affiliates, facilitators, and laundering pathways, including actor profiles, lead packages, attribution assessments, and operational reporting suitable for investigative, executive, and partner audiences.
  • Lead complex end-to-end blockchain investigations from initial seed indicators such as victim payment addresses, deposit addresses, transactions, exchange exposure, infrastructure leads, or IP-linked activity through to full attribution and actionable recovery or disruption opportunities.
  • Trace ransomware-related funds across multiple blockchains, bridges, mixers, peel chains, and nested services, identifying controllers, counterparties, cash-out services, and recovery touchpoints.
  • Correlate on-chain activity with OSINT, threat intelligence, attribution partner data, and off-chain identity or infrastructure signals to build a complete picture of adversary behavior within the broader cybercrime ecosystem.
  • Own investigative workstreams from discovery through validation, escalation, and written production, including drafting intelligence products that are source-cited, auditable, and operationally useful.
  • Support TRM’s ransomware asset recovery mission by surfacing high-quality leads, identifying seizure or freeze opportunities, and helping partners move quickly before funds are off-ramped.
  • Drive analytical leadership across active ransomware investigations by prioritizing work, maintaining rigorous standards, and mentoring other analysts without formal people management responsibilities.
  • Partner closely with internal and external stakeholders, including investigators, threat intelligence teammates, product teams, and public-sector or private-sector partners, to ensure analytical outputs reflect real investigative tradecraft and support cross-functional operations.
  • Help strengthen TRM’s ransomware coverage by contributing new attribution, refining investigative methodologies, and improving repeatable workflows for lead generation and asset recovery support.
  • Support external briefings, customer or partner engagements, and capability-building sessions where ransomware tracing, attribution, and recovery tradecraft must be explained clearly and credibly.