What to do in the first 24 hours after a crypto scam

Discovering that crypto has been stolen from you triggers a particular kind of panic, equal parts anger and shame. The first impulse for most victims is to do something dramatic: send another transaction to chase the funds, post about it publicly, or hand a wallet password to whoever offers help fastest. All three reactions make recovery harder, not easier. This guide is the checklist a senior CryptoLeek analyst would walk you through if you called us at 03:00 the night it happened.

The first 24 hours matter more than any later window. Within that period, stolen funds are most likely still sitting at the first hop where they landed, often a regulated exchange that can freeze them when escalated correctly. After 24 to 48 hours, operators typically move funds through mixers and bridges into jurisdictions with no recourse. Speed does not require panic; it requires the right small sequence of actions.

Hour 0 to 1: stop the bleeding

Three actions, in this order.

1. Stop any further transfers immediately

If you are mid-conversation with the platform, the account manager, or the "support agent" demanding one more payment, stop responding. No matter how convincing the next request is, the pattern across every documented recovery case is the same: every additional payment compounds your loss without ever producing the release you were promised. The platform is no longer attempting to deliver a withdrawal at any point.

2. Document everything before logging in again

Screenshot every conversation, every account screen, every withdrawal attempt, every fee demand, every transaction hash. Use a separate device or your phone's camera if you can; do not assume the platform will leave its own records visible. Some operators quietly delete user-side records the moment they detect a complaint, so the evidence you capture now may be all the evidence that ever exists.

3. Secure any wallets that may be exposed

If the loss happened through a wallet drain rather than a fake exchange, you must assume the attacker still holds the approval that emptied it. Move any remaining funds in that wallet to a new wallet with a freshly-generated seed phrase, immediately. Then use Revoke.cash or your wallet's own approval manager to revoke any outstanding token approvals on the compromised address. Do not send anything else to the compromised wallet to "rescue" it; automated sweeper bots monitor compromised addresses and will front-run any rescue attempt.

Hour 1 to 6: file the reports that unlock the right channels

Reports to your national fraud-reporting centre are not symbolic. They generate reference numbers that exchanges, banks, and payment processors require before they will engage with a recovery request. Without those reference numbers, escalation requests get ignored as unverified complaints. With them, you have a documented case that compliance teams can act on.

Use the right reporting body for your jurisdiction:

• United States: IC3 (Internet Crime Complaint Center) at ic3.gov
• United Kingdom: Action Fraud at actionfraud.police.uk, plus the FCA's reporting form if the operator claimed FCA authorisation
• Germany: BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) at bafin.de, plus a Strafanzeige at your local police
• Singapore: Anti-Scam Centre via the Singapore Police Force
• Australia: ScamWatch via the ACCC, plus a report to ASIC if a regulated entity was impersonated
• Canada: Canadian Anti-Fraud Centre (CAFC) at antifraudcentre.ca

If your bank or card issuer was the funding source for the deposits, notify them within the same window. Chargeback and dispute windows close fast, sometimes within 60 days for cards and much shorter for direct bank transfers. The earlier you initiate the dispute, the higher the recovery probability.

Hour 6 to 24: open a recovery case and assess your real options

By this point the reports are filed and the bleeding has stopped. Now is the moment to take a clear look at what recovery actually looks like for your specific case, because that depends almost entirely on where the funds went after they left your wallet or your exchange account.

The honest framing: recovery is realistic when stolen crypto reaches a regulated exchange or a cooperative payment processor before being laundered through privacy mixers like Tornado Cash. In those cases, exchange compliance teams can freeze the funds once they receive an evidence pack with the trace, the transaction hashes, and a formal complaint reference number. Recovery is much harder when funds went directly to a non-cooperative exchange or through a privacy mixer; in those cases, the trace still exists but no actor in the path is willing to act on it.

A free 24-hour case assessment from CryptoLeek tells you which category your case is in. We trace the funds on-chain, identify where they ended up, and give you a written yes / no / conditional verdict with the reasoning behind it. If the case is recoverable, we issue a written quote for the investigation retainer scoped to your specific case. If it is not, we tell you plainly and refer you to the appropriate regulator channel at no cost.

What not to do, no matter how much pressure you feel

Do not pay any "release fee" or "tax clearance"

Every documented case follows the same pattern: paying the fee triggers a new fee demand, not a release. The operator is in the extraction phase, not the processing phase. No legitimate platform demands pre-payment of a fee before processing your own withdrawal. Tax authorities never require pre-payment to a foreign trading platform either.

Do not respond to unsolicited "recovery firm" offers

Within hours of filing a public scam report, you will likely receive cold contact from "recovery specialists" claiming to have already located your funds and offering to help in exchange for an upfront fee. These are recovery scams, a second wave of fraud that specifically targets victims of the first. Legitimate recovery firms do not cold-call, do not require upfront payment to assess your case, and issue a written scope of work before any payment. We have a full guide to the recovery-scam pattern that you should read before engaging anyone who reached out to you.

Do not give wallet seed phrases or private keys to anyone

No legitimate recovery service, exchange, regulator, or law-enforcement agency will ever ask for your seed phrase, private key, or wallet password. Any prompt for these credentials, regardless of the surrounding context, is an immediate drain attempt. End the conversation.

What we would do if it were our case

The sequence we apply internally when a friend, family member, or referred contact loses crypto to fraud:

• Within the first hour, stop further transfers and screenshot everything before logging in again.
• Within six hours, file with the national fraud centre + (if applicable) bank dispute + (if applicable) the regulator the operator claimed to be registered with.
• Within 24 hours, open a free CryptoLeek case assessment so the on-chain trace begins while the funds are most likely still at the first hop.
• Within 48 hours, evaluate the written verdict from the assessment. If the case is recoverable, engage the retainer and the formal evidence pack and escalation work begin. If not, the regulator filings remain the path.
• Throughout, ignore every unsolicited recovery offer that arrives in your inbox or messages.

The point of the first 24 hours

Speed matters because the first hop matters. Stolen crypto moves quickly; the longer it has to travel through mixers, bridges, and offshore exchanges, the harder it becomes to trace and the smaller the set of actors willing to freeze it. The actions above are not complicated, but they have to happen in the right order, and they have to happen before the operator finishes laundering the funds.

Acting fast does not mean acting in panic. It means stopping further transfers, capturing the evidence, filing the right reports, and beginning a real investigation while there is still an investigation worth running.