
TRM Labs Triage: how do we use it to identify a QR code, receipt, or partial address from a photo during an investigation?
Quick Answer: TRM Labs Triage lets you rapidly turn a photo of a QR code, receipt, or partial address into an actionable lead by extracting on-chain identifiers and linking them to wallet addresses, transactions, and counterparties. In practice, you upload or capture the artifact, Triage parses the image, surfaces any addresses or payment details, and pivots you directly into a full cross-chain investigation in TRM.
Why This Matters
When you’re staring at a screenshot from a victim’s phone, a printed receipt from an exchange kiosk, or a blurry QR code from a fraudster’s chat, your job is simple: convert that artifact into a lead you can trace. Historically, that meant manual transcription, guesswork on chains and assets, and painful trial-and-error across block explorers. TRM Labs Triage compresses that workflow into minutes—so you can investigate, monitor, and detect high‑risk activity without losing time at the very start of the case.
Key Benefits:
- Faster lead conversion: Turn photos, screenshots, and PDFs into traceable wallet addresses and transactions in a few clicks.
- Reduced manual error: Avoid mis-keyed characters and missed digits when handling partial addresses or fuzzy QR code captures.
- Direct pivot to cross-chain tracing: Move from a single QR or receipt into full cross‑chain visualizations across 190+ blockchains and 1.9B+ assets.
Core Concepts & Key Points
| Concept | Definition | Why it's important |
|---|---|---|
| Triage artifact intake | Using TRM Labs Triage to ingest non‑structured artifacts—images, screenshots, PDFs—containing QR codes, receipts, or partial addresses. | This is often the first touchpoint in a crypto case: victim evidence rarely arrives as a clean wallet address. |
| Identifier extraction | Parsing the artifact to surface wallet addresses, transaction hashes, payment URLs, or invoice data tied to the QR code or receipt. | Automates what investigators previously did by hand, preserving fidelity and speeding time-to-first-lead. |
| Investigation handoff to TRM | Pivoting from a decoded address or hash into TRM’s core platform for cross-chain tracing, risk scoring, and case building. | Connects a single data point to a complete operating picture—flows, entities, risk categories, and potential seizures. |
How It Works (Step-by-Step)
In a real investigation, you rarely start on-chain—you start with the artifact. TRM Labs Triage is designed to plug directly into that reality.
- Collect and prepare the artifact
  - Gather the evidence from the victim or source:
    - Photo or screenshot of a QR code shared in a scam chat.
    - PDF or image of a crypto ATM or exchange receipt.
    - Screenshot of a partial address from a wallet app or block explorer.
  - Preserve metadata where possible (time, device, chat context) for your broader case file, but focus Triage on the visual content itself.
- Upload into TRM Labs Triage
  - Open TRM Labs Triage from your TRM environment.
  - Upload the image or PDF, or paste a screenshot directly if your workflow supports it.
  - Triage runs automated analysis to detect:
    - QR codes (static or dynamic payment codes).
    - Alphanumeric strings aligned to wallet/address formats or TXIDs.
    - Structured payment fields embedded in formatted receipts (amount, asset, timestamp, reference IDs).
- Identify and confirm the address or transaction
  Once the artifact is processed, Triage surfaces candidate identifiers:
  - For QR codes:
    - Decodes the QR into underlying data: a wallet address, a payment URI, or an invoice link.
    - Highlights the resolved address and any parameters (amount, asset type, chain).
  - For receipts:
    - Extracts printed wallet addresses, transaction IDs, exchange reference numbers, and timestamps.
    - Flags any fields that match known address formats across supported blockchains (190+).
  - For partial addresses:
    - Identifies the visible segment (e.g., “0xA3…7b9C”) and validates it against on-chain patterns.
    - Allows you to confirm the prefix/suffix with the victim (e.g., via their wallet app) to reduce ambiguity.
  You then:
  - Validate the extracted data against the artifact (quick visual check).
  - Select the address/transaction you want to pursue.
  - Save it as a starting point in your case notes or directly in TRM’s case management, if enabled.
- Pivot into a full TRM investigation
  The power of Triage is not just decoding; it is the handoff to full blockchain intelligence:
  - Click through from the identified address or TX into TRM’s main investigation workspace.
  - TRM immediately:
    - Screens the wallet or transaction against 150+ risk categories (e.g., scams, ransomware, darknet markets, sanctions, terrorism financing, mixers).
    - Surfaces any prior exposure to high‑risk services, mixers, or sanctioned entities.
    - Visualizes the flow of funds from this address across chains, including via bridges, DeFi protocols, and exchanges.
  - You can then:
    - Trace the flow of funds end‑to‑end, cross-chain, through millions of hops if needed.
    - Identify downstream exchanges or off-ramps where law enforcement or compliance teams can intervene.
    - Build an evidentiary trail (screenshots, timelines, entity annotations) for subpoenas, SARs, or charging documents.
- Monitor and coordinate for action
  Once that first address is live in TRM, you can:
  - Set up continuous monitoring on the wallet for new activity, with alerts when funds move to or from high‑risk entities.
  - For law enforcement, leverage TRM Deconflict (for verified investigators) to:
    - Check if another agency is already looking at the same wallet or cluster.
    - Avoid duplicative work and deconflict operational plans.
    - Connect with other investigators working adjacent cases that touch the same actors or infrastructure.
Common Mistakes to Avoid
- Treating the artifact as “nice‑to‑have” instead of the primary lead:
  Investigators sometimes jump straight to generic typologies (“investment scam”) and skip the QR or receipt. Use Triage early: the artifact is often the cleanest link to the fraudster’s infrastructure.
- Assuming the QR or receipt is chain‑specific without verification:
  A QR code or receipt might represent Bitcoin, Ethereum, TRON, or another chain, and the same fraudster often reuses patterns across chains. Let Triage decode and validate the chain/asset type before you start tracing in the wrong ecosystem.
- Overlooking partial addresses because “it’s not complete”:
  A visible prefix/suffix can still unlock a case when combined with victim device evidence and TRM’s entity attribution. Capture and process partials; don’t discard them.
- Failing to immediately pivot to monitoring once an address is identified:
  Once you have an address, set up alerts. Waiting to monitor gives bad actors more time to move funds across chains, mixers, and DeFi protocols.
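The identification step and the chain-assumption and partial-address pitfalls above can be checked by hand on text that has already been decoded from a QR code or transcribed from a receipt. The following is an added example, not TRM's code and not a description of how Triage works internally; the function names, the simplified format patterns (no checksum verification), and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

B58 = "1-9A-HJ-NP-Za-km-z"  # Base58 alphabet: no 0, O, I or l
# Format checks only: checksums are not verified, so a match is a candidate, not proof.
FORMATS = {
    "bitcoin-base58": re.compile(rf"[13][{B58}]{{25,34}}"),
    "bitcoin-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "ethereum/evm": re.compile(r"0x[0-9a-fA-F]{40}"),  # same format on every EVM chain
    "tron": re.compile(rf"T[{B58}]{{33}}"),
}

def classify(addr):
    """Return every address format the whole string matches."""
    return [name for name, rx in FORMATS.items() if rx.fullmatch(addr)]

def parse_payload(payload):
    """Split decoded QR text (bare address or scheme:address?params) into fields."""
    parts = urlsplit(payload.strip())
    formats = classify(parts.path)
    scheme = parts.scheme or None
    return {
        "scheme": scheme,
        "address": parts.path,
        "formats": formats,
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        # A URI scheme that disagrees with the address format needs a manual look.
        "scheme_matches_format": scheme is None or any(f.startswith(scheme) for f in formats),
    }

def match_partial(partial, candidates):
    """Return candidates consistent with a truncated 'prefix…suffix' address."""
    prefix, _, suffix = partial.replace("...", "…").partition("…")
    # Hex addresses compare case-insensitively; Base58 is case-sensitive.
    fold = str.lower if prefix.lower().startswith("0x") else str
    return [c for c in candidates
            if fold(c).startswith(fold(prefix)) and fold(c).endswith(fold(suffix))]

# Constructed sample values (not real wallets; checksums are not valid).
BTC_A = "1" + "Qz7" * 11
TRON_A = "T" + "Qz7" * 11
EVM_A = "0xA300112233445566778899aabbccddeeff007b9C"
EVM_B = "0xa3ffeeddccbbaa99887766554433221100ff7B9c"

if __name__ == "__main__":
    print(parse_payload(f"bitcoin:{BTC_A}?amount=0.05"))
    print(parse_payload(f"bitcoin:{TRON_A}"))           # scheme/format mismatch
    print(match_partial("0xA3…7b9C", [EVM_A, EVM_B, TRON_A]))  # two hits: ambiguous
```

The partial-address call returns two candidates, which is why a visible prefix and suffix should be confirmed against the victim's wallet app before tracing begins.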
Real-World Example
An elderly victim reports a “tech support” scam. The only concrete evidence they can offer is:
- A screenshot of a QR code the scammer sent via a messaging app.
- A photo of a printed receipt from a crypto ATM where they were instructed to deposit $5,000.
The investigation team uses TRM Labs Triage:
- They upload the QR screenshot. Triage decodes it into a TRON address with a specified USDT amount.
- They upload the ATM receipt. Triage extracts a BTC address and a transaction reference ID.
- Both addresses are pivoted directly into TRM’s investigation platform.
TRM’s cross‑chain analytics reveal:
- The TRON address is part of a cluster previously associated with a known global tech support scam network.
- Funds from both the TRON and BTC addresses converge through a series of cross‑chain swaps, then consolidate at a central exchange deposit address.
- That exchange address is already linked to prior scam reports and is flagged under multiple risk categories.
Armed with this, the team:
- Submits a targeted data request and emergency freeze request to the exchange.
- Files SARs referencing the same destination entity, strengthening the pattern for the FIU.
- For law enforcement, registers both addresses in TRM Deconflict, discovering that another agency is investigating a related romance scam tied to the same cluster—enabling joint action.
The case that began with “just a QR code and a crumpled receipt” becomes a coordinated effort to trace, freeze, and ultimately disrupt a broader scam network.
Pro Tip: Always preserve and process every version of the artifact—original photo, forwarded screenshot, PDF, or in-app capture. Subtle differences (timestamps, cropping, resolution) can impact what Triage can extract and may reveal multiple addresses or payment paths reused by the same actor.
Summary
TRM Labs Triage is built for the messy reality of crypto investigations: evidence arrives as QR codes, receipts, screenshots, and partial addresses—not polished wallet strings. By ingesting those artifacts, extracting identifiers, and handing them off seamlessly to TRM’s cross‑chain analytics covering 190+ blockchains and 1.9B+ assets, investigators can move from “I have a photo” to “I have a traceable trail” in minutes. That speed and fidelity directly translate into better outcomes—earlier freezes, stronger cases, and safer markets.