May 21, 2026
Crypto Hacked? Your Emergency Playbook for the First 24 Hours

You check your wallet. The balance reads zero. Your stomach drops.

Before anything else: what happened to you? The actions you take in the next hour depend entirely on the type of attack. Find your situation below and go straight to that section.

What Type of Crypto Hack Are You Dealing With? First, Identify Your Attack

🔴  Type 1: Romance Scam or Pig Butchering

Someone built trust with you over days, weeks, or months — on a dating app, social media, or messaging platform — then directed you to invest in a platform that turned out to be fake. Your funds were never in a real investment. They were transferred directly to the scammer.

Your wallet may not be compromised. The threat is not ongoing — but your funds have likely already moved through a laundering chain. Speed still matters for exchange reporting.

🔴  Type 2: Seed Phrase or Private Key Compromise

You entered your seed phrase somewhere — a fake wallet app, a phishing site, a ‘support’ chat, a fake airdrop form. Or your phrase was stored digitally and accessed without your knowledge. Your wallet is now under the attacker’s control.

This is an active, ongoing threat. Sweeper bots may be monitoring your wallet right now, stealing anything that arrives. Every second counts.

🔴  Type 3: Malicious Transaction Signing

You connected your wallet to a dApp, DeFi platform, or NFT site and signed a transaction — possibly without fully understanding what you approved. You may have granted an attacker unlimited token approval rights, or signed a transaction that transferred assets directly.

The attacker may still have active permissions over your wallet. Revoking those permissions is your first priority.

 

Not Sure Which Type? Use This Table

If you… → You likely have…

  • Were introduced to an investment platform by someone you met online → Type 1 — Romance / Pig Butchering
  • Entered your seed phrase or recovery words anywhere online → Type 2 — Seed Phrase Compromise
  • Connected a wallet to a site and signed something → Type 3 — Malicious Signing
  • Downloaded a wallet or exchange app that behaved strangely → Type 2 — Seed Phrase Compromise
  • Your wallet drained immediately after clicking a link → Type 3 — Malicious Signing

If you are still unsure, start with Type 2 — it is the highest-urgency scenario and the steps will not hurt if you are wrong.

 

Why Stolen Crypto Cases Are Rising — And Why Speed Matters

Cryptocurrency fraud has become one of the fastest-growing financial crimes on the planet. In 2025, an estimated $17 billion was lost globally to cryptocurrency scams and fraud — a record figure, according to Chainalysis’s 2026 Crypto Crime Report. In the United States alone, the FBI recorded over $11 billion in reported losses, a 22% rise year-on-year. Across Europe, more than €2.1 billion was stolen between 2023 and 2025, culminating in Europol and Eurojust dismantling a single fraud network responsible for €700 million in losses across five countries in October 2025.

 

2026 is accelerating the problem. In the first four months of the year, AI-powered deepfake scams alone generated $577 million in verified losses. Impersonation scams grew 1,400% year-on-year in 2025. AI-enabled operations now extract 4.5 times more money per victim than traditional scams, because the manipulation is harder to detect and the scripts are indistinguishable from reality.

 

The hard truth: blockchain transactions are irreversible. No authority can simply hit ‘undo.’ But the first 24 hours still matter enormously. Fast action stops ongoing losses, preserves evidence, gives exchanges a window to freeze destination accounts, and gives law enforcement the data they need to act.

 

Most victims waste the critical first hours in shock, Googling aimlessly — or worse, handing money to recovery scammers who prey on the desperate. This guide exists to change that.

 

Immediate Steps After Crypto Theft: Hours 0–1

1. Do Not Send More Crypto to the Compromised Wallet — Unless You Have Expert Assistance

This is the most common and costly mistake victims make. Once a seed phrase is exposed, sophisticated sweeper bots monitor the wallet and automatically steal any incoming funds — including ETH sent to cover gas fees — faster than any human can act.

 

However, do not assume remaining assets are unrecoverable.

In some cases, specialist services can execute multi-step rescue transactions during the incident itself — moving assets out of a compromised wallet before sweeper bots can act. Channels such as the Flashbots Discord exist precisely for this purpose, routing transactions in ways that bypass the mempool and reduce the risk of front-running by attackers. This is technically complex and time-sensitive. Do not attempt it alone.

 

For assets already stolen: these are not necessarily gone forever. Every transaction is permanently recorded on-chain. Investigators can trace stolen funds across wallets and chains — and in many cases, those funds eventually reach compliant exchanges subject to KYC requirements, or sit in wallets against which a court freeze order can be obtained.

 

The rule stands:

Do not send crypto to a compromised wallet on your own initiative. But if you can reach a specialist within the first hour, options may exist that close quickly.

 

2. Move Remaining Assets to Safety — But Choose Your Destination Carefully

If funds remain in wallets that may be at risk, moving them is urgent. But where you move them matters as much as speed.

The standard advice is to create a new wallet on a clean device with a fresh seed phrase. This is correct — eventually. But in the immediate aftermath of an incident, the full extent of the compromise is often still unknown. If malware is present on your device, a newly created wallet may itself be compromised the moment it is generated.

 

Consider using a regulated exchange as a temporary safe harbour instead, particularly if:

  • You are unsure whether your devices are clean
  • You cannot immediately access a device you are confident is uninfected
  • Additional funds remain in wallets whose status is uncertain

Depositing to an exchange account you control — one with strong 2FA on a separate, trusted device — puts your assets behind the exchange’s security infrastructure while you deal with the incident. It also creates a KYC-verified record of your ownership, which can be useful for any subsequent legal process.

 

Once you are confident your devices are clean:

  • Create a new wallet with a fresh seed phrase on a verified clean device
  • Download wallet software only from the official source — fake apps are a leading attack vector globally
  • Transfer assets from the exchange to the new wallet
  • Never reuse the compromised seed phrase, PIN, or passwords under any circumstances

 

Critical:

When you do create a new seed phrase, write it on paper and store it offline only. Never in email, cloud storage, a photograph, or a notes app.

 

3. Revoke Malicious Token Approvals

This step applies to Type 3 — Malicious Transaction Signing only.

If you connected your wallet to a dApp, DeFi platform, or NFT site and signed a transaction, the attacker may still hold active token approval rights — meaning they can continue draining your wallet even after you think the incident is over. Unlike a seed phrase compromise, the attacker does not control your wallet outright; they hold specific permissions you unknowingly granted. Revoking those permissions cuts off their access.

Go to Revoke.cash or use Etherscan’s token approval checker. Review all active approvals and revoke anything suspicious or unrecognised immediately.

 

If you have a Type 1 or Type 2 incident:

  • Type 1 (Romance/Pig Butchering): Your wallet approvals are not the issue. Skip this step and focus on exchange reporting and documentation.
  • Type 2 (Seed Phrase Compromise): Revoking approvals will not help — the attacker has full wallet control. Your priority is evacuating remaining assets and abandoning the wallet entirely, as covered in Step 2.
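
As an added illustration for Step 3 (not Token Recovery's code, and not the code behind Revoke.cash or Etherscan), the sketch below shows what an approval check reconstructs: it replays ERC-20 Approval and NFT ApprovalForAll event logs for one wallet and reports the grants that are still outstanding. The log entries, addresses and transaction hashes are constructed sample data in the eth_getLogs field layout, and the function and variable names are hypothetical.

```python
# Added example: replay approval events for one wallet and list what is still granted.
# Every address, hash and log entry here is constructed sample data.

# keccak256 of the event signatures (topic 0 of each log)
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
UNLIMITED_FLOOR = 1 << 255  # "unlimited" requests are usually 2**256 - 1


def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def outstanding_approvals(logs, owner):
    """Return {(token, spender): finding} for grants by owner that were not revoked.

    The latest event per (token, spender) wins, so a later approve(spender, 0)
    or setApprovalForAll(operator, false) removes the earlier grant.
    """
    owner = owner.lower()
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    state = {}
    for log in ordered:
        topics = log["topics"]
        # ERC-20 Approval and ApprovalForAll carry 3 topics; the ERC-721
        # per-token Approval carries 4 (indexed tokenId) and is out of scope.
        if topics[0] not in (APPROVAL, APPROVAL_FOR_ALL) or len(topics) != 3:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        value = int(log["data"], 16)
        if value == 0:
            state.pop(key, None)  # revocation
            continue
        if topics[0] == APPROVAL_FOR_ALL:
            kind = "all-nfts"
        else:
            kind = "unlimited" if value >= UNLIMITED_FLOOR else "limited"
        state[key] = {"kind": kind, "value": value, "tx": log["transactionHash"]}
    return state


def make_log(token, topic0, owner, spender, value, block, tx_byte):
    """Build one constructed log entry in eth_getLogs layout."""
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [topic0, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": hex(block),
            "logIndex": "0x0", "transactionHash": "0x" + tx_byte * 32}


OWNER, OTHER = "0x" + "a1" * 20, "0x" + "a2" * 20
TOKEN_A, TOKEN_B, NFT = "0x" + "b1" * 20, "0x" + "b2" * 20, "0x" + "b3" * 20
KNOWN_DEX, UNKNOWN_SPENDER = "0x" + "c1" * 20, "0x" + "c2" * 20

SAMPLE_LOGS = [
    make_log(TOKEN_A, APPROVAL, OWNER, KNOWN_DEX, 500, 100, "01"),
    make_log(TOKEN_A, APPROVAL, OWNER, KNOWN_DEX, 0, 120, "02"),  # revoked later
    make_log(TOKEN_B, APPROVAL, OWNER, UNKNOWN_SPENDER, 2**256 - 1, 130, "03"),
    make_log(NFT, APPROVAL_FOR_ALL, OWNER, UNKNOWN_SPENDER, 1, 131, "04"),
    make_log(TOKEN_B, APPROVAL, OTHER, UNKNOWN_SPENDER, 2**256 - 1, 132, "05"),  # other wallet
]

if __name__ == "__main__":
    for (token, spender), f in outstanding_approvals(SAMPLE_LOGS, OWNER).items():
        print(f"{f['kind']:9} token={token} spender={spender} granted in {f['tx']}")
```

The last logged ERC-20 value is an upper bound, because spending through transferFrom may have reduced it; the token contract's allowance(owner, spender) call gives the live figure.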

4. Scan and Clean Every Device

Wallets are rarely compromised through brute force. The entry point is almost always a device or a human: malware, a phishing site, a fake app, or a manipulated signing request. Until your devices are confirmed clean, any financial action you take remains at risk.

 

Start with a full malware scan:

  • Run reputable antivirus or anti-malware software on every device you used to access the wallet
  • Check every device — desktop, phone, and tablet
  • Do not trust a clean scan result alone — sophisticated keyloggers and remote-access trojans are designed to evade standard detection

In any serious case: format the device completely.

A full format — wiping the drive and reinstalling the operating system from scratch — is the only method that guarantees removal of persistent malware. Before formatting:

  • Back up important files to an external drive or secure cloud storage — documents, photos, anything irreplaceable
  • Do not back up executable files, application installers, or anything downloaded around the time of the incident — these may carry the infection
  • Reinstall the operating system from official media only
  • On mobile: a factory reset is the equivalent step

 

Until your devices are confirmed clean:

Do not create new wallets, log into exchange accounts, or enter passwords and seed phrases on them.

Secure Your Accounts After a Crypto Hack: Hours 1–3

5. Secure All Connected Accounts

Do all of the following from a clean, uninfected device — not the device you used to access the compromised wallet.

Your attacker likely has more than your wallet seed. Access to your email, exchange accounts, or cloud storage enables them to deepen the attack, reset passwords, and intercept recovery communications. If your device is compromised, any password you reset on it is visible to the attacker the moment you type it.

 

First: disconnect the compromised device from all accounts.

Most major services — Google, Apple, exchange platforms — allow you to view and terminate all active sessions remotely. Do this before resetting passwords, so the attacker’s existing session is invalidated rather than just joined by a new one.

 

Then, from a clean device:

  • Reset passwords on every linked account — email, exchange logins, cloud storage
  • Enable two-factor authentication (2FA) everywhere, using an authenticator app rather than SMS
  • Visit HaveIBeenPwned.com to check if your credentials were exposed in a wider data breach
  • If any bank-linked transactions were affected, call your bank immediately and report them as unauthorised

 

A clean device means:

  • A phone or computer you are confident was not used to access the compromised wallet
  • A fresh browser profile on a device that has been scanned and confirmed clean
  • Ideally a device belonging to someone you trust, used temporarily for this purpose

Important:

Resetting passwords from the same device that was compromised does not secure your accounts — it simply hands the attacker your new credentials.

 

6. Contact the Destination Exchange

Use a blockchain explorer (Etherscan for Ethereum-based assets, Blockchain.com, or the relevant chain explorer) to trace where your funds were sent. Then act immediately:

  • Contact the exchange’s fraud or compliance team with the attacker’s wallet address and all transaction hashes
  • Most legitimate exchanges globally require KYC verification to cash out — the attacker’s identity may already be on file
  • The sooner you report, the higher the chance the exchange can flag or freeze the account before funds are moved again
  • Contact every exchange where the funds appear, across every chain

How to Report Stolen Cryptocurrency: Hours 3–12

7. Build Your Evidence File

This documentation is essential for law enforcement, regulators, and any future recovery. Capture and save every piece of information you can:

  • Transaction IDs (hashes) — the unique fingerprint of each unauthorised transaction
  • Wallet addresses — yours and every destination address funds were sent to
  • A clear description of the incident
  • Screenshots of your wallet, blockchain explorer results, and any communications
  • Phishing links, emails, fake platforms, or messages that may have triggered the compromise
  • The value of stolen funds in your local currency at the time of the incident

Follow the money trail on a blockchain explorer. Even if direct recovery is not possible, tracing funds to a known exchange or flagged scam cluster provides actionable intelligence for investigators.
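
The tracing described in Steps 6 and 7, as an added example (not Token Recovery's tooling): starting from the theft, it follows outgoing transfers forward in time, stops at labelled exchange deposit addresses, and groups the transaction hashes each exchange report needs. The transfer list, addresses, hashes, timestamps and the exchange label are constructed; a real run would take them from a blockchain explorer export.

```python
# Added example: follow stolen funds forward through a transfer list and
# collect what the evidence file and the exchange reports need.
# All addresses, hashes, times and the exchange label are constructed.
from collections import deque


def trace_forward(transfers, victim, theft_time, labels, max_hops=5):
    """Breadth-first walk over transfers sent after funds reached each address.

    Over-approximates: every later outgoing transfer is followed, with no
    amount accounting, so treat the result as leads for an investigator.
    """
    arrival = {victim: theft_time}  # earliest time stolen funds were present
    queue = deque([(victim, 0)])
    trail = []
    by_time = sorted(transfers, key=lambda t: t["time"])
    while queue:
        addr, hops = queue.popleft()
        if addr in labels or hops >= max_hops:
            continue  # stop at a labelled service: deposits are pooled there
        for t in by_time:
            if t["from"] != addr or t["time"] < arrival[addr]:
                continue  # unrelated, or sent before the stolen funds arrived
            trail.append({**t, "hop": hops + 1, "label": labels.get(t["to"])})
            if t["to"] not in arrival:
                arrival[t["to"]] = t["time"]
                queue.append((t["to"], hops + 1))
    return trail


def exchange_reports(trail):
    """Group trail entries by labelled destination: one report per exchange."""
    reports = {}
    for t in trail:
        if t["label"]:
            entry = reports.setdefault(
                t["label"], {"deposit_addresses": set(), "tx_hashes": []})
            entry["deposit_addresses"].add(t["to"])
            entry["tx_hashes"].append(t["tx"])
    return reports


def addr(b):
    return "0x" + b * 20


def txh(b):
    return "0x" + b * 32


VICTIM, FRIEND, ATTACKER = addr("11"), addr("22"), addr("33")
HOP_A, HOP_B, DEPOSIT, ELSEWHERE = addr("44"), addr("55"), addr("66"), addr("77")
LABELS = {DEPOSIT: "ExampleExchange (constructed label)"}
TRANSFERS = [
    {"tx": txh("a0"), "time": 500, "from": VICTIM, "to": FRIEND, "amount": 1.0},     # before theft
    {"tx": txh("a1"), "time": 1000, "from": VICTIM, "to": ATTACKER, "amount": 5.0},  # the theft
    {"tx": txh("a2"), "time": 1100, "from": ATTACKER, "to": HOP_A, "amount": 3.0},
    {"tx": txh("a3"), "time": 1150, "from": ATTACKER, "to": HOP_B, "amount": 2.0},
    {"tx": txh("a4"), "time": 900, "from": HOP_B, "to": ELSEWHERE, "amount": 0.4},   # predates arrival
    {"tx": txh("a5"), "time": 1300, "from": HOP_A, "to": DEPOSIT, "amount": 3.0},
    {"tx": txh("a6"), "time": 1400, "from": DEPOSIT, "to": ELSEWHERE, "amount": 9.0},  # exchange's own flow
]

if __name__ == "__main__":
    trail = trace_forward(TRANSFERS, VICTIM, 1000, LABELS)
    for t in trail:
        print(t["hop"], t["tx"], t["from"], "->", t["to"], t["label"] or "")
    print(exchange_reports(trail))
```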

8. Report to Your National Authorities

Reporting is not pointless — it creates case files, enables asset tracing, and in coordinated operations has directly led to account freezes and arrests. File a report with every relevant body in your country.

Europe

  • Europol European Cybercrime Centre: europol.europa.eu/report-a-crime
  • 🇩🇪 Germany: Bundeskriminalamt (bka.de) + BaFin (bafin.de)
  • 🇫🇷 France: Cybermalveillance.gouv.fr + AMF (amf-france.org)
  • 🇳🇱 Netherlands: politie.nl + AFM (afm.nl)
  • 🇪🇸 Spain: Guardia Civil Telematic Crimes + CNMV (cnmv.es)
  • 🇮🇹 Italy: commissariatodips.it + Consob (consob.it)
  • 🇧🇪 Belgium: police.be + FSMA (fsma.be)
  • 🇨🇭 Switzerland: ncsc.admin.ch + FINMA (finma.ch)

North America

  • 🇺🇸 USA: FBI Internet Crime Complaint Center — ic3.gov
  • 🇺🇸 USA: Commodity Futures Trading Commission — cftc.gov/complaint
  • 🇨🇦 Canada: Canadian Anti-Fraud Centre — antifraudcentre-centreantifraude.ca

Asia-Pacific

  • 🇦🇺 Australia: ReportCyber — cyber.gov.au + ASIC (asic.gov.au)
  • 🇸🇬 Singapore: Singapore Police Force — police.gov.sg/iwitness
  • 🇭🇰 Hong Kong: HKPF Cyber Security & Technology Crime Bureau — police.gov.hk

Middle East & Africa

  • 🇦🇪 UAE: Dubai Police eCrime — ecrime.ae
  • 🇿🇦 South Africa: South African Police Service — saps.gov.za

Latin America

  • 🇧🇷 Brazil: SaferNet Brasil — safernet.org.br
  • 🇲🇽 Mexico: CONDUSEF — condusef.gob.mx

Always file with your local police as well. You will need a crime reference number for insurance claims, tax purposes, and legal action. In many jurisdictions, capital losses from theft may be tax-deductible.

9. File a Police Report

Even if you believe recovery is unlikely, a formal police report is not optional. It creates a legal record, enables insurance claims, may have tax implications, and positions your case for inclusion in coordinated law enforcement operations. Cross-border operations like Europol’s takedowns are built on aggregated victim reports.

Identify the Attack and Explore Recovery Options: Hours 12–24

10. Identify How You Were Compromised

Understanding your attack vector serves two purposes: it helps prevent a repeat, and it gives investigators the context they need to trace what happened. You do not need a complete reconstruction at this stage — but an initial high-level classification is itself a meaningful action, not just reflection.

Ask yourself these questions:

  • Did someone contact you and direct you toward an investment opportunity? → Social engineering / romance fraud / pig butchering
  • Did you enter your seed phrase or recovery words anywhere online? → Seed phrase phishing or exposure
  • Did you connect your wallet to a site and sign a transaction you did not fully understand? → Malicious contract approval or drainer
  • Did you download a wallet or exchange app that behaved unexpectedly? → Fake app / seed phrase capture
  • Was your seed phrase stored digitally — in email, cloud storage, or a notes app? → Seed phrase exposure via data access

Each vector points toward a different evidence trail and a different investigative priority. A romance scam leaves a social media and communication paper trail. A malicious contract approval leaves an on-chain signature. A fake app may be traceable to a distribution network.

If you cannot determine the vector yet, document everything and let an investigator help you reconstruct it. An incomplete picture is not a reason to delay reporting.

11. Contact a Professional Investigations Firm — The Sooner the Better

The sooner you engage specialist help, the more options exist.

Early engagement — ideally within the first few hours — means investigators can assist with reconstructing the attack vector, execute time-sensitive exchange reporting and asset freezing, and build an evidence package from the outset that is structured for legal and law enforcement action.

If you are uncertain how you were compromised, investigators can help establish that too. Reconstructing the attack vector — from on-chain data, transaction history, contract interactions, and communications — is part of the investigative process, not a prerequisite for it.

 

What a legitimate forensic firm actually does:

  • Traces stolen funds across wallets and chains using professional-grade tools
  • Helps identify the attack vector and builds a timeline of the incident
  • Produces evidence reports suitable for law enforcement and legal proceedings
  • Coordinates with exchanges and regulators to support freezing orders
  • Works alongside lawyers and law enforcement — not instead of them

 

What legitimate firms never do:

  • Cold-contact victims through social media, WhatsApp, Telegram, or email
  • Ask for upfront fees before any work is scoped
  • Request your private keys, seed phrases, or wallet access
  • Promise guaranteed recovery or specific outcomes
  • Claim special back-channel access to exchanges or blockchains

 

⚠️  Recovery Scam Warning — This Is Now a Global Epidemic

Recovery scams generated an estimated $1.4 billion in additional losses in 2025. Victims are systematically targeted by a second wave of fraudsters posing as lawyers, investigators, blockchain specialists, and even government officials. In France, scammers actively impersonate the AMF regulator. In the United States, fraudsters have impersonated FBI IC3 employees.

The rule is simple: if someone contacts you unsolicited offering to recover your funds, they are a scammer. Legitimate firms do not cold-contact victims. Ever.

When evaluating any firm: verify named leadership with verifiable professional backgrounds, a registered legal entity you can confirm independently, press coverage from credible outlets, and transparent processes that involve law enforcement rather than bypass them.

Your Global 24-Hour Emergency Checklist

Priority: Action

  • 🔴 Immediate: Do not send crypto to compromised wallet without specialist guidance
  • 🔴 Immediate: Contact a forensic specialist — rescue transactions may still be possible
  • 🔴 Immediate: Move remaining assets to safety (exchange hub if device status unknown)
  • 🔴 Immediate: Revoke malicious approvals at Revoke.cash (Type 3 only)
  • 🟠 Hour 1–3: Format compromised devices; back up important files first
  • 🟠 Hour 1–3: From a clean device: terminate sessions, reset passwords, enable 2FA
  • 🟠 Hour 1–3: Contact destination exchange fraud team with all tx hashes
  • 🟠 Hour 1–3: Call bank if any fiat transactions involved
  • 🟡 Hour 3–12: Document all tx hashes, wallet addresses, timestamps, screenshots
  • 🟡 Hour 3–12: Report to national cybercrime authority
  • 🟡 Hour 3–12: Report to national financial regulator
  • 🟡 Hour 3–12: File local police report (required for insurance and tax purposes)
  • 🟢 Hour 12–24: Identify root cause / attack vector
  • 🟢 Hour 12–24: Create new wallet on confirmed clean device with fresh seed phrase

How to Protect Your Crypto Wallet From Future Attacks

Once the crisis is contained, rebuild with stronger defences:

  • Use a hardware wallet for any meaningful holdings, and pair it with a wallet interface that supports manual dApp whitelisting — such as Rabby. A hardware wallet keeps your private keys offline, eliminating the most common attack vectors. But hardware alone does not protect against malicious transaction signing: if you approve a malicious contract, the hardware wallet will sign whatever you tell it to. Whitelisting dApps manually means you only interact with platforms you have explicitly approved, adding a critical layer of protection against drainer sites and fake dApp interfaces.
  • Use a dedicated email address for crypto accounts, entirely separate from your daily email, secured with multi-step authentication using an authenticator app rather than SMS. On every exchange you use, whitelist your withdrawal addresses — most major platforms allow you to restrict withdrawals to a pre-approved list, requiring separate confirmation to add new addresses. This means that even if an attacker gains access to your account credentials, they cannot immediately move funds to an address you have not explicitly authorised.
  • Store your seed phrase offline only — written on paper, in a secure physical location, with no digital copies whatsoever.
  • Verify platforms against official registries — in the EU, check the ESMA MiCA register; in the US, check FinCEN and CFTC registrations; in Australia, ASIC’s registered entities list.
  • Never disclose your holdings publicly — across every jurisdiction, targeted attacks follow publicly visible wealth.
  • Audit your token approvals regularly at Revoke.cash — wallets accumulate unnecessary permissions over time, even without a hack.

Can Stolen Crypto Actually Be Recovered? A Realistic Assessment

Direct recovery of stolen crypto is not guaranteed — we will not pretend otherwise. But that is not the same as saying nothing can be done.

 

Blockchain’s permanent, public ledger means every transaction is traceable. Law enforcement agencies globally — from the FBI to Europol to Singapore’s Commercial Affairs Department — have seized crypto, frozen exchange accounts, and made arrests in cases that began with a single victim’s report. Coordinated operations have taken down networks worth hundreds of millions. Those outcomes started with documentation and reporting.

 

The more victims report — with complete, accurate transaction data — the stronger the aggregate case for intervention. Report everything. Document everything. Act fast.

Frequently Asked Questions

Can stolen cryptocurrency be recovered?

In many cases, yes — partially or fully. Because every transaction is permanently recorded on the blockchain, stolen funds can be traced even across multiple wallets and chains. When those funds reach a regulated exchange with KYC requirements, legal mechanisms exist to freeze and recover them. Recovery is not guaranteed and depends heavily on how quickly you act, but it is not impossible.

 

How long do I have to act after crypto is stolen?

Every hour matters. The first 24 hours are critical for three reasons: exchanges can freeze destination accounts before funds move further; rescue transactions for remaining assets in compromised wallets close quickly; and evidence — on-chain data, communications, phishing links — is freshest. After 48–72 hours, laundering chains have typically progressed further and options narrow significantly.

 

Should I report stolen crypto to the police?

Yes, even if you believe recovery is unlikely. A police report creates a legal record, enables insurance claims, may have tax implications in many jurisdictions, and positions your case for inclusion in coordinated law enforcement operations. Many cross-border seizures — including Europol’s major takedowns — are built on aggregated individual victim reports.

 

What is the difference between a crypto recovery scam and a legitimate firm?

Legitimate forensic investigation firms conduct blockchain tracing, produce evidence reports for law enforcement, and coordinate with exchanges to freeze assets. They have named leadership with verifiable backgrounds, registered legal entities, and transparent processes. Recovery scammers cold-contact victims, promise guaranteed outcomes, request upfront fees or private keys, and have no verifiable identity. If someone contacts you unsolicited offering to recover your funds, they are a scammer.

 

What does a blockchain forensics investigation actually do?

A blockchain forensics investigation traces stolen funds across wallets and chains using professional analysis tools, identifies where assets currently sit and who controls them, reconstructs the attack vector, and builds an evidence package suitable for use in legal proceedings and law enforcement referrals. It is the prerequisite step for any legal recovery action.

 

Is it worth hiring a crypto recovery firm for a small loss?

Professional forensic investigations involve significant resources and are most viable for losses above a certain threshold. For smaller losses, the most impactful actions remain: reporting to national authorities, reporting to destination exchanges, and filing a police report — all of which are free and contribute to the aggregate intelligence that enables larger enforcement actions.

 

About Token Recovery

Token Recovery is a global digital-asset investigations firm operated by Themis Recovery Switzerland AG, registered in Zug, Switzerland. Our team is led by professionals with 20+ years of experience across UK law enforcement and private practice, specialising in blockchain forensics and digital asset recovery.

 

We work alongside law enforcement and legal teams — not instead of them.

 

We never request private keys, seed phrases, or upfront fees. We do not cold-contact victims.

 

 
