What to Do If Your Crypto Is Stolen: Step-by-Step Recovery Guide

Critical Actions in the First Hours After Discovery

When your crypto is stolen, every minute counts. The first 24 hours determine whether you'll recover your assets before the attacker routes them through mixers or OTC desks. Panic is the last thing you should do. Instead, follow a proven protocol we've refined across hundreds of cases in partnership with Match Systems.

The core objective at this stage is to stop the flow and preserve the evidence trail. Every action the attacker takes leaves a digital footprint on the blockchain, but the further the funds travel from the breach point, the harder recovery becomes. Your first move isn't finding who did it — it's cutting off their exit routes immediately.

Step 1. Document Everything About the Theft

Before taking any active measures, compile a complete information package:

The compromised wallet address — copy it in full, no abbreviations
Transaction hashes — all outbound transfers, even if there are multiple
Exact time of theft — accurate to the minute, preferably in UTC
Wallet screenshots — transaction history, balance before and after the incident
Correspondence with the attacker — if there was contact (phishing emails, Telegram or Discord messages)
Incident description — how the theft occurred: malicious link, fake website, seed phrase compromise

This data is essential for filing an investigation request, submitting freeze requests to exchanges, and preparing a police report. The more complete your dossier, the faster the recovery mechanism activates.

Step 2. Submit an Investigation Request

Immediately after gathering information, reach out to specialists in stolen cryptocurrency recovery. We at Crypto Reclaim provide free initial assessment: we analyze recovery probability, identify the freeze window, and map the optimal action sequence.

What happens during triage:

We check where the funds went — to an exchange, cold wallet, through a DEX or bridge
We assess asset movement speed and the risk of fiat conversion
We determine which addresses need to be flagged as criminal first
We build a response plan considering jurisdiction and incident type

You can submit a request through the website form or directly via our Telegram bot. Response comes within hours, not days — timing is critical here.

Step 3. Flag the Attacker's Addresses in Analytics Systems

As soon as we receive theft data, the flagging process begins. Attacker addresses are pushed to Chainalysis, TRM Labs, Crystal Blockchain databases, and our proprietary feeds used by major exchanges and payment services.

Why does this matter? When the attacker attempts to deposit stolen funds at a centralized exchange, the risk control system automatically blocks the operation. The funds freeze on deposit, the exchange records the transaction, and we receive notification to immediately file a freeze request.

The flagging process takes anywhere from several minutes to a couple of hours. The faster an address hits the blacklists, the higher the chance of intercepting funds before withdrawal. Learn more about the flagging mechanism in our dedicated article.

What to Do When Funds Are Already on an Exchange or Cold Wallet

The scenario unfolds differently depending on where the stolen assets currently sit. Each situation demands its own tactics.

Funds on a Centralized Exchange

This is the best possible outcome. If the money landed on Binance, Coinbase, Kraken, OKX, or any other regulated platform, we have direct communication channels with their compliance teams.

We send an official freeze request, attaching:

Analytical report on asset movement
Proof of theft (screenshots, correspondence, transaction hashes)
Police case number (if already available)

Tier-1 exchanges respond within hours. Funds are blocked pending investigation, giving us time to prepare the complete documentation package for recovery. This service is provided free of charge — what matters is acting before the attacker withdraws.

Detailed instructions for working with exchanges are in our "How to Request an Exchange Freeze" guide.

Funds in a Cold Wallet or Inactive

If stolen cryptocurrency sits on a non-custodial address with no activity signs, there's no direct way to freeze it. But that doesn't mean you should give up.

We set up real-time wallet monitoring. Any fund movement — even a transfer to an intermediate address — is instantly captured, and we receive a push notification. Once the money starts moving toward an exchange, swap, or bridge, the freeze protocol activates.

Technically, it works like this:

The address is added to our tracking system via Telegram bot or analytics platform
Every new transaction is automatically flagged, and the recipient also comes under surveillance
When touching a centralized service (exchange, payment gateway, OTC desk), an alert triggers
We submit a blocking request before withdrawal completes

Setup details are in the "Wallet Tracking: Why You Need It and How It Works" section.

Funds Went Through DEX, Swaps, or Bridges

The most complex but not hopeless case. When the attacker uses decentralized exchanges, cross-chain bridges, or swap services, the path becomes convoluted but doesn't disappear.

Our analysts:

Reconstruct the complete conversion chain (e.g., USDT → ETH → BNB)
Track movements through liquidity pools and cross-network bridges
Identify final addresses after all manipulations
Continue monitoring all branches until they touch a centralized endpoint

Even if funds split into dozens of small transfers, we keep following every thread. Sooner or later, most scammers attempt fiat conversion — and that's our entry point.

Analytical Report: Why You Can't Skip It

When you approach the police or an exchange requesting to freeze stolen funds, words alone won't suffice. You need a document proving the theft and showing the asset movement path. That's the incident investigation analytical report.

What's included in the report:

Complete transaction chain — from theft moment to current fund location
Address clustering — grouping wallets belonging to one owner
Obfuscation techniques used — mixers, tumbler services, bridges, DEX
CEX touchpoints — exchanges where stolen assets appeared
Deanonymization leads — KYC data, IP addresses, transaction metadata
Action recommendations — where to file requests, what documents to prepare

Such reports are accepted by exchanges, law enforcement, and courts. They provide ready-made evidence, enabling decisions to be made much faster.

In practice: without a report, 9 out of 10 freeze requests get ignored. With a report — most are processed within 24-48 hours. Learn more about structure and cost in the article "What Is an Incident Report and How It Improves Recovery Odds".

Filing a Police Report: How to Do It Right

Many victims postpone going to the police, considering it a useless formality. In reality — without a case number, most exchanges will refuse to freeze funds. Law enforcement is needed not so much to catch the criminal (though that's possible too), but to legitimize requests to exchanges and payment services.

What to Bring to the Station

To ensure your report is accepted and a case opened, prepare three documents:

Written statement — brief incident description with date, time, loss amount, wallet addresses, and transaction hashes
Analytical report — technical expertise on fund movement (mentioned above)
Exchange request — official document asking to provide account holder's KYC data and freeze assets

The problem is that most police officers lack tools for investigating crypto thefts. Therefore, the more complete and clear your information, the higher the probability the case won't be shelved.

We help prepare all three documents, adapt them to specific regional requirements, and when necessary, consult investigators on technical matters. Step-by-step instructions are in "How to File a Police Report: Templates and Process".

Frequently Asked Questions

How much time do I have to freeze funds after theft?

The first 24 hours are critical. After that, the probability of withdrawal through mixers or OTC sharply increases. But even if several days have passed, chances remain — we've handled cases with successful freezes after a week or more.

Can I trace stolen cryptocurrency myself?

Technically — yes, through blockchain explorers. Practically — it's difficult. Scammers use mixers, bridges, multiple transfers between addresses. Without specialized tools (Chainalysis, TRM, Crystal) and experience, you'll easily lose the trail.

Does going to the police help recover money?

Directly — rarely. But a case number is needed for exchange requests. Without it, most platforms won't freeze funds. Plus, in some cases police actually track down scammers — especially if it's a repeating scheme.

What if the attacker converted funds to fiat?

If funds went through P2P or OTC desk, the trail isn't lost. We request recipient data from the exchange (KYC, bank details), pass it to police. From there — it's law enforcement and banks' work.

How much do stolen crypto recovery services cost?

Initial assessment and triage are free. Full investigation cost depends on case complexity: number of transactions, obfuscation techniques used, jurisdiction. We quote the price after analyzing the situation.

What's the probability of recovering stolen funds?

Depends on reaction speed and where the money went. If funds are on a regulated exchange and you contacted us in the first hours — chances are high (60-80%). If time passed and money is fragmented through mixers — harder, but not impossible (20-40%).

Can you block the attacker's wallet?

A non-custodial wallet cannot be blocked — that's a blockchain feature. But you can mark it as criminal in analytics systems, and then exchanges automatically block withdrawal attempts. Effectively the wallet becomes "toxic" and useless to the scammer.