Crypto incident response means acting fast: stop further losses by revoking token approvals and moving remaining assets, preserve all evidence (transaction hashes, addresses and communications), then engage a blockchain forensics firm within hours to trace funds and request exchange freezes. Stolen funds typically reach exchanges within 24–72 hours, so speed determines recovery.
Every minute counts after a crypto theft. Funds can travel through dozens of wallets, cross chains, hit mixers, and reach an exchange withdrawal in under 24 hours. The difference between a recoverable case and a closed one is almost always how fast the victim responds. This guide gives you the exact crypto incident response playbook our investigators use — in order of priority.
Call our 24/7 emergency line or go to Emergency Response immediately. Do not wait to finish reading — our team can begin tracing within 90 minutes of your report while you secure your remaining assets in parallel.
How Fast Do Stolen Crypto Funds Move?
The blockchain moves faster than traditional banking. In the cases handled by BlockTrace investigators, stolen funds travel through an average of 4–7 intermediate wallets within the first two hours. By hour six, a significant proportion has touched at least one centralised exchange — the only point at which a freeze is realistically achievable without a court order.
Based on our caseload data:
- 0–2 hours: Funds are split across multiple wallets and begin moving through layer-2 networks or bridges to obscure origin.
- 2–12 hours: USDT and stablecoins are typically swapped to other assets; BTC is often routed through peel chains.
- 12–48 hours: Funds reach their target exchanges. Withdrawal attempts begin.
- 48–72 hours: Without a freeze, funds are withdrawn to fiat or peer-to-peer platforms. Recovery without legal action becomes very difficult.
This is why your first hour of response matters more than your first week of legal action.
Immediate Steps: Hours 0–1
Before you do anything else — before you call anyone, before you post on Reddit — do these three things in order. They take less than 10 minutes and can prevent additional losses that victims frequently suffer by acting in the wrong sequence.
Revoke All Token Approvals
If your wallet was compromised via a malicious dApp or phishing approval, the attacker may still have unlimited spending approval on tokens you hold. Use revoke.cash (Ethereum/EVM) or the equivalent for your chain to revoke all active approvals immediately — before the attacker drains remaining balances.
Move Remaining Assets to a New Clean Wallet
Generate a brand-new wallet on a device that was not involved in the compromise. Transfer all remaining assets — do not use the compromised wallet again. If your seed phrase was exposed, assume every wallet derived from it is compromised, regardless of whether it has been touched yet.
Disconnect and Isolate the Compromised Device
Take the affected device offline immediately. If malware is suspected, do not use it for anything. Do not factory-reset it yet — this destroys forensic evidence. Preserve it as-is for potential device forensics. Switch to a clean device for all subsequent communications.
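An added example (not BlockTrace's tooling) of the check behind the first step: replaying ERC-20 Approval logs for one wallet to list the allowances still open, which are exactly what must be revoked. The addresses and logs are constructed; the event topic and the unlimited-approval value are the standard ERC-20 ones.

```python
# Added example (not BlockTrace's tooling): replay constructed ERC-20 Approval logs
# for one wallet and list the allowances still open, i.e. what must be revoked.

# keccak256("Approval(address,address,uint256)"): topic[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "infinite approval" value drainer dApps typically request

def topic_to_address(topic: str) -> str:
    """Indexed address topics are the 20-byte address left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Last Approval per (token, spender) wins; an Approval of 0 is a revocation.
    Returns {(token, spender): allowance} for every allowance still above zero."""
    owner = owner.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 also emits Approval, but with 4 topics (tokenId indexed); skip it here
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def revocation_list(logs, owner):
    """Rows of (token, spender, 'UNLIMITED' or the exact allowance) to revoke."""
    return sorted((t, s, "UNLIMITED" if v == UNLIMITED else str(v))
                  for (t, s), v in outstanding_allowances(logs, owner).items())

# --- constructed sample data (fake addresses and log entries) ---
VICTIM, DEX, DRAINER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "cc" * 20, "0x" + "dd" * 20
def pad(addr): return "0x" + "0" * 24 + addr[2:]      # address as a 32-byte topic
def word(n): return "0x" + format(n, "064x")          # uint256 as 32-byte data
SAMPLE_LOGS = [
    {"address": TOKEN_A, "blockNumber": 100, "logIndex": 0, "topics": [APPROVAL_TOPIC, pad(VICTIM), pad(DEX)], "data": word(1000 * 10**6)},
    {"address": TOKEN_A, "blockNumber": 200, "logIndex": 3, "topics": [APPROVAL_TOPIC, pad(VICTIM), pad(DRAINER)], "data": word(UNLIMITED)},  # phishing approval
    {"address": TOKEN_B, "blockNumber": 201, "logIndex": 1, "topics": [APPROVAL_TOPIC, pad(VICTIM), pad(DRAINER)], "data": word(UNLIMITED)},
    {"address": TOKEN_A, "blockNumber": 250, "logIndex": 0, "topics": [APPROVAL_TOPIC, pad(VICTIM), pad(DEX)], "data": word(0)},  # victim already revoked the DEX
    {"address": TOKEN_A, "blockNumber": 150, "logIndex": 0, "topics": [APPROVAL_TOPIC, pad("0x" + "22" * 20), pad(DRAINER)], "data": word(UNLIMITED)},  # another wallet
]

if __name__ == "__main__":
    for token, spender, amount in revocation_list(SAMPLE_LOGS, VICTIM):
        print(f"REVOKE token={token} spender={spender} allowance={amount}")
```

On a live chain the same logic runs over `eth_getLogs` results filtered on the Approval topic and the owner address; the unlimited allowances to the drainer are the ones to revoke first.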
Evidence Preservation: Hours 1–3
Courts, exchanges, and law enforcement require documented evidence. Your forensics team will also need this to begin tracing. Collect the following before anything changes or is deleted:
- Transaction hashes of all outgoing transfers — copy the full hash for every transaction on the compromised wallet from the moment of theft.
- Destination wallet addresses — the first wallet the funds were sent to, and any subsequent addresses you can identify.
- Timestamps — block numbers and UTC timestamps for each transaction.
- Scammer communications — every message, email, Telegram thread, WhatsApp exchange, social media DM, or phone call log. Screenshot and save locally.
- Website URLs — any fake exchange, investment platform, or dApp the attacker directed you to. Save the full URL, take screenshots of the interface.
- Your own transaction history — deposits to fake platforms, approval transactions, and any authorisation you unknowingly signed.
- Exchange records — if you sent funds from a centralised exchange (Coinbase, Binance, Kraken etc.), download your transaction history now. These records are critical for legal proceedings.
Go to Etherscan (ETH), blockchain.com (BTC), BscScan (BNB), or Tronscan (TRX/USDT) and search your compromised wallet address. Copy the page URL and screenshot every outgoing transaction. This is time-stamped public evidence.
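As an added example (not BlockTrace's tooling) of preserving the items above in a form that can later be shown to be unaltered: explorer-style transaction records for the compromised wallet are turned into a time-stamped manifest with a SHA-256 per entry and one digest over the whole set. The records, addresses and hashes are constructed; the field names follow the Etherscan `txlist` layout, and the `approve` selector is the standard ERC-20 one.

```python
# Added example (not BlockTrace's tooling): build a hashed evidence manifest from
# constructed explorer-style transaction records of the compromised wallet.
import hashlib, json
from datetime import datetime, timezone
from decimal import Decimal

APPROVE_SELECTOR = "0x095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

def classify(input_data: str) -> str:
    """Flag the approval transactions victims unknowingly sign (see the list above)."""
    if input_data in ("", "0x"):
        return "plain transfer"
    return "token approval" if input_data[:10] == APPROVE_SELECTOR else "contract call"

def build_evidence_manifest(records, wallet, theft_time):
    """Keep transactions sent *from* the wallet at or after theft_time (unix seconds),
    ordered by block and position, with the fields exchanges and courts ask for."""
    wallet = wallet.lower()
    entries = []
    for r in sorted(records, key=lambda r: (int(r["blockNumber"]), int(r["transactionIndex"]))):
        if r["from"].lower() != wallet or int(r["timeStamp"]) < theft_time:
            continue
        entry = {
            "tx_hash": r["hash"].lower(),
            "block": int(r["blockNumber"]),
            "utc": datetime.fromtimestamp(int(r["timeStamp"]), tz=timezone.utc).isoformat(),
            "to": r["to"].lower(),
            "value_eth": str(Decimal(r["value"]) / Decimal(10**18)),
            "kind": classify(r["input"]),
        }
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        entry["sha256"] = hashlib.sha256(canonical.encode()).hexdigest()
        entries.append(entry)
    digest = hashlib.sha256("\n".join(e["sha256"] for e in entries).encode()).hexdigest()
    return {"wallet": wallet, "entries": entries, "manifest_sha256": digest}

# --- constructed sample records (fake hashes and addresses) ---
WALLET, DRAINER, TOKEN = "0x" + "11" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
THEFT_TIME = 1_700_000_000  # 2023-11-14T22:13:20+00:00
SAMPLE_RECORDS = [
    {"blockNumber": "18000000", "transactionIndex": "5", "timeStamp": "1699990000", "hash": "0x" + "a1" * 32,
     "from": "0x" + "ee" * 20, "to": WALLET, "value": "3000000000000000000", "input": "0x"},  # earlier deposit, not evidence
    {"blockNumber": "18000100", "transactionIndex": "12", "timeStamp": "1700000000", "hash": "0x" + "a2" * 32,
     "from": WALLET, "to": TOKEN, "value": "0", "input": APPROVE_SELECTOR + "00" * 64},  # the phishing approval
    {"blockNumber": "18000103", "transactionIndex": "2", "timeStamp": "1700000040", "hash": "0x" + "a3" * 32,
     "from": WALLET, "to": DRAINER, "value": "1500000000000000000", "input": "0x"},  # ETH drained
]

if __name__ == "__main__":
    print(json.dumps(build_evidence_manifest(SAMPLE_RECORDS, WALLET, THEFT_TIME), indent=2))
```

Record the manifest digest in your first message to the forensics firm and law enforcement; anyone can later recompute it from the saved records to confirm nothing was changed.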
Engage Blockchain Forensics: Hours 1–6
This is the most time-critical action in your entire incident response. Blockchain forensics firms have direct relationships with compliance teams at major exchanges. When a forensics firm submits a traced address and a case dossier to Binance, Coinbase, OKX, or Kraken, those exchanges give it a level of attention that an individual victim's report often does not receive.
What happens when you engage BlockTrace Forensics:
- We begin tracing the funds on-chain using professional-grade tools within 90 minutes of your report.
- We identify the destination exchange(s) using exchange attribution data built from years of transaction analysis.
- We prepare a formal Case Intelligence Report (CIR) with the traced addresses, transaction graph, and suspected destination accounts.
- We submit freeze requests to the relevant exchanges' compliance and AML teams via established channels.
- We provide a court-ready forensic report usable by your attorney or law enforcement.
The sooner we begin, the more wallets we can trace before they go cold — and the more likely it is that funds are still sitting in an exchange account when our freeze request arrives.
Exchange Freeze Requests: Hours 3–12
If forensic tracing identifies a destination exchange, a formal freeze request must be submitted as quickly as possible. You can attempt this yourself, but exchange compliance teams receive thousands of fraud reports and typically prioritise cases accompanied by a third-party forensic report that includes traced addresses, transaction hashes, and a documented chain of custody.
Key exchanges and their fraud reporting contacts:
- Binance: law enforcement requests via binance.com/en/support/law-enforcement — also has a direct compliance email channel for forensics firms.
- Coinbase: coinbase.com/legal/law-enforcement — accepts freeze requests from law enforcement; forensics firms can escalate through the Global Intelligence Program.
- OKX / KuCoin / Bybit: each has a compliance team reachable via their official support portal; response times vary significantly without a forensic report.
- Kraken: legal.kraken.com for law enforcement requests; forensics firms with prior relationships receive faster responses.
Important: exchanges will freeze accounts based on traced addresses in their system, not based on verbal reports. They need the specific wallet address confirmed by tracing — this is what the forensic report provides.
Law Enforcement Reports: Hours 6–24
Filing reports with law enforcement serves two purposes: it creates an official case number useful for legal proceedings, and certain agencies (FBI in the USA, Action Fraud in the UK, ACORN in Australia) can directly contact exchanges as authorities, which carries significant additional weight.
FBI Internet Crime Complaint Center (IC3)
File at ic3.gov — include all transaction hashes, wallet addresses, and scammer communications. The FBI's Virtual Asset Unit can issue subpoenas directly to US-registered exchanges. Report to your local FBI field office as well for large-value cases.
Action Fraud + National Cyber Crime Unit
Report at actionfraud.police.uk. For losses over £5,000, also contact your local police with a CAD reference number from Action Fraud. UK solicitors can apply for a Bankers Trust Order to compel exchanges to disclose account holder identity.
ACORN + Australian Federal Police
Report via acorn.gov.au and the AFP's cybercrime reporting portal. ASIC handles investment fraud; AUSTRAC can issue notices to Australian-registered exchanges.
Europol / Local Cybercrime Units
Each EU member state has a dedicated cybercrime unit. Singapore victims report to the Singapore Police Force (SPF) via iwitness.spf.gov.sg. Most jurisdictions will also accept reports from foreign nationals if the exchange is registered locally.
What Not to Do After a Crypto Theft
Victims frequently make mistakes in the aftermath of a theft that reduce the chance of recovery. Avoid these:
- Do not send more funds to the scammer. Recovery scammers actively target victims of crypto theft, posing as recovery agencies or law enforcement who need a "fee" or "tax" to release frozen funds. Legitimate recovery firms are paid on a fixed-fee or retainer basis — never success-fee-only from an unknown contact.
- Do not reset or wipe the compromised device. It may contain forensic evidence — browser history, cached keys, malware artefacts — that is critical for your case and potentially for criminal prosecution.
- Do not publicly post wallet addresses or transaction details yet. Sophisticated attackers monitor public channels and their victim wallets' on-chain activity, and will accelerate fund movement if they detect active pursuit.
- Do not use the compromised seed phrase on any new wallet. Assume the seed is permanently compromised.
- Do not wait. Every hour without a forensics engagement reduces the probability of a successful freeze.
After posting about a crypto theft online, many victims are immediately contacted by fake "recovery specialists" who charge upfront fees and disappear. Verify any recovery firm independently. BlockTrace Forensics is listed in the EU Blockchain Observatory and operates under a fully documented engagement process with written contracts before any fee is charged.
Legal Options: 24–72 Hours
If exchange freeze requests are successful, the next step is preserving that freeze through legal action before it expires. Most exchanges will hold a freeze for 14–30 days pending a formal legal order. Your legal options depend on jurisdiction:
- Norwich Pharmacal Orders (UK/HK/Singapore): Compel exchanges to disclose the identity of the account holder who received your funds. Often the fastest route to identifying a suspect.
- Bankers Trust Orders (UK): Freeze and preserve funds held at a UK-registered financial institution pending civil proceedings.
- TRO (Temporary Restraining Order, USA): Applied for in federal or state court, can freeze exchange accounts in coordination with the FBI.
- Anton Piller Orders (Australia/Canada): Search and seizure orders for digital evidence.
- Civil litigation: In jurisdictions where the suspect's identity is known, direct civil suits for asset recovery are possible.
Our Legal Support team works alongside crypto litigation attorneys in the USA, UK, Australia, Singapore, and Hong Kong. We prepare the forensic report in a format that is court-admissible and accepted by the relevant local courts.
How to Retrieve Stolen Bitcoin Specifically
Bitcoin's UTXO model makes it particularly well-suited to forensic tracing. Unlike EVM chains, Bitcoin does not support token approvals — meaning thefts are typically direct transfers rather than approval exploits. The tracing process differs slightly:
- Peel chain analysis: BTC thieves commonly send funds through a long chain of single-use addresses, "peeling" small amounts off at each hop. Our tools map the entire graph automatically.
- Exchange clustering: The destination exchange wallet cluster is identified by cross-referencing known exchange address lists. We can often identify the specific exchange within hours of theft.
- OFAC-sanctioned mixer detection: If funds touch Tornado Cash equivalents or sanctioned mixers, this is documented and reported to OFAC, which can apply additional pressure to exchanges handling those funds.
- Lightning Network: BTC moved to Lightning Network is harder to trace. However, most Lightning transactions ultimately settle back on-chain, where they become visible again.
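An added example (not BlockTrace's tooling) of the peel-chain and exchange-clustering steps above on a constructed Bitcoin transaction set: starting from the theft transaction, the largest output at each hop is treated as the attacker's continuing balance, the smaller outputs as peels, and each peel is checked against a known exchange address list. All txids, addresses and the exchange list are constructed.

```python
# Added example (not BlockTrace's tooling): follow a constructed Bitcoin peel chain from
# the theft transaction, reporting each peeled output and whether it hit a known exchange
# address; the walk stops at an exchange deposit or at an unspent (dormant) output.

def index_spenders(txs):
    """Map each spent outpoint (txid, vout) to the txid that spends it."""
    spenders = {}
    for txid, tx in txs.items():
        for prev_txid, prev_vout in tx["inputs"]:
            spenders[(prev_txid, prev_vout)] = txid
    return spenders

def follow_peel_chain(txs, exchange_addrs, start_txid):
    """Heuristic: at every hop the largest output is the continuing balance and the
    smaller ones are the 'peels'. Returns (hops, terminal_state)."""
    spenders = index_spenders(txs)
    hops, seen, txid = [], set(), start_txid
    while txid and txid not in seen:
        seen.add(txid)
        outs = txs[txid]["outputs"]
        main_vout = max(range(len(outs)), key=lambda i: outs[i][1])
        main_addr, main_sats = outs[main_vout]
        peels = [(addr, sats, exchange_addrs.get(addr))
                 for i, (addr, sats) in enumerate(outs) if i != main_vout]
        hops.append({"txid": txid, "main": (main_addr, main_sats), "peels": peels})
        if main_addr in exchange_addrs:
            return hops, f"main balance deposited at {exchange_addrs[main_addr]}"
        txid = spenders.get((txid, main_vout))  # None when the main output is unspent
    return hops, "main balance unspent (dormant wallet, keep monitoring)"

def exchange_deposits(hops):
    """Every peeled output that landed on a known exchange: freeze-request candidates."""
    return [(ex, addr, sats) for h in hops for addr, sats, ex in h["peels"] if ex]

# --- constructed sample chain (fake txids/addresses, amounts in satoshis) ---
EXCHANGES = {"exchA_deposit_1": "Exchange A", "exchB_deposit_7": "Exchange B"}
SAMPLE_TXS = {
    "theft": {"inputs": [("victim_funding", 0)], "outputs": [("attacker_0", 1_000_000_000)]},
    "hop1": {"inputs": [("theft", 0)], "outputs": [("attacker_1", 950_000_000), ("exchA_deposit_1", 50_000_000)]},
    "hop2": {"inputs": [("hop1", 0)], "outputs": [("unknown_p2", 80_000_000), ("attacker_2", 870_000_000)]},
    "hop3": {"inputs": [("hop2", 1)], "outputs": [("attacker_3", 800_000_000), ("exchB_deposit_7", 70_000_000)]},
}

if __name__ == "__main__":
    hops, state = follow_peel_chain(SAMPLE_TXS, EXCHANGES, "theft")
    for h in hops:
        print(h["txid"], "->", h["main"], "peels:", h["peels"])
    print(state, "| exchange deposits:", exchange_deposits(hops))
```

The largest-output rule is only a heuristic; real cases also use change-address and common-input-ownership clustering, and multi-output splits (the 0–2 hour pattern above) need the walk repeated per branch.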
Frequently Asked Questions
How long does crypto incident response take?
The forensic tracing phase typically takes 24–72 hours for a comprehensive report. However, the exchange freeze request is submitted immediately upon identifying a destination — this happens in parallel with the full report, not after it.
Can I retrieve stolen crypto myself without a forensics firm?
You can file reports and contact exchanges yourself, but without a forensic report containing traced addresses, exchanges will treat your report as low-priority. The exchange compliance teams who act on freeze requests operate on specific internal protocols that third-party forensic reports are designed to meet.
Does blockchain forensics work for USDT on Tron (TRC20)?
Yes. TRC20 USDT is actually one of the more traceable assets because Tron transactions are fast, cheap, and all visible on-chain. Tether (the issuer) also has the ability to freeze USDT directly on its smart contract level — our team has a submission pathway to Tether's compliance team for TRC20 freeze requests on top of exchange-level freezes.
What if funds have already gone through a mixer?
Mixing obscures but does not eliminate traceability. Post-mix funds still need to reach an exchange to be converted to fiat. Our tools track heuristic clustering pre-mix and monitor post-mix wallets for exchange deposits. Cases where funds have been mixed take longer but are not untraceable.
Ready to Begin Your Crypto Incident Response?
Our investigators are available 24/7 — confidential and no-obligation, with a response within 30 minutes.
Talk to an Investigator