If your crypto was stolen in the last few hours, start here. Every minute counts.
What just happened to you
A wallet drainer is a type of malicious smart contract that, the moment you interact with it, transfers every token in your wallet to an attacker's address — in seconds, often before you even realize anything is wrong.
You didn't make a mistake you should be ashamed of. These attacks are engineered by professional criminals. The fake sites look identical to the real ones. The links come from compromised official accounts on X, Discord, and Telegram. Victims include developers, crypto veterans, and security researchers — not just newcomers.
What matters now is not how it happened. It's what you do in the next 72 hours.
Why 72 hours is the critical window
Stolen crypto moves fast. Within minutes of a wallet drain, attackers typically begin routing funds through intermediary wallets, decentralized exchanges, bridges, and mixers — each hop making the trail harder to follow and the funds harder to freeze.
The 72-hour window matters for three specific reasons:
- Exchange freeze requests. If stolen funds land at a centralized exchange — Binance, Coinbase, Kraken, KuCoin, and others — that exchange can freeze the deposit account if notified quickly enough. Most exchanges have compliance teams that respond to documented theft reports. Once funds are withdrawn to a non-custodial wallet or converted to cash, that window closes permanently.
- Law enforcement response time. Investigators need a transaction hash, wallet addresses, and a documented timeline to open a case. The faster they have it, the more options they have — including emergency legal process to compel exchange cooperation.
- Blockchain evidence preservation. The blockchain record never disappears, but attacker wallets go dormant. A dormant wallet with funds sitting in it is a recovery opportunity. Identifying it early — and getting a law enforcement contact assigned to the case — keeps that option alive.
1Stop the bleedingFirst 30 minutes
Revoke all token approvals immediately.
A wallet drainer typically works by getting you to sign a transaction that grants unlimited token approval to a malicious contract. Even after the initial drain, that approval may still be active — meaning the attacker can return and pull additional funds later.
Go to one of these approval revocation tools and connect your wallet:
- Revoke.cash — works across most EVM chains
- Etherscan Token Approvals — for Ethereum specifically
- BscScan Token Approvals — for BNB Chain
Revoke every approval you don't recognize. Revoke approvals you do recognize too, if you're not actively using them. The cost is a small gas fee. The risk of not doing it is another drain.
Move remaining assets to a new wallet. If you have any tokens remaining in the compromised wallet, move them to a freshly created wallet — one that has never been used before and whose seed phrase was generated on a clean device. Do not reuse any wallet associated with the compromised address.
Do not interact with the compromised wallet again unless you are specifically documenting evidence with guidance from an investigator.
2Document everythingFirst hour
Before you do anything else, build your evidence file. You will need this for every step that follows — law enforcement reports, exchange freeze requests, and forensic tracing.
Collect and save the following:
- The theft transaction hash — the transaction ID (TxID) that shows the drain. Find it on the block explorer for the relevant chain (Etherscan for Ethereum, Arbiscan for Arbitrum, etc.) by searching your wallet address and looking for the outbound transaction you didn't authorize.
- Your wallet address — the address that was drained.
- The attacker's wallet address — the recipient address shown in the theft transaction.
- Screenshots of the fake site or link — if you still have the browser tab open, screenshot it. Note the URL exactly.
- The token amounts and types stolen — list each asset and the quantity.
- The approximate time of the theft — note the block timestamp shown on the explorer.
- Any communications — if you received a DM, email, or saw a post that led you to the malicious site, screenshot and preserve it.
Put all of this in a single document — a Google Doc, Notion page, or plain text file. Label it clearly. You will share it with multiple parties.
3Report to the FBI IC3Within 24 hours
File a report at ic3.gov — the FBI's Internet Crime Complaint Center. This is the primary federal intake point for cryptocurrency theft in the United States.
Filing a report does several things:
- Creates an official record of the theft with a case number
- Makes your case eligible to be linked to broader investigations already underway
- Establishes the legal foundation needed for subpoenas and asset freeze orders
- Puts you in the system for potential restitution if the attacker is prosecuted
When filling out the IC3 report, be specific. Include your wallet address, the theft transaction hash, the attacker's wallet address, the dollar value of the loss at the time of theft, and a timeline. A vague report gets deprioritized. A specific, documented report with blockchain evidence gets taken seriously.
Save your IC3 complaint reference number. You will need it.
4Alert the exchangesWithin 24 hours
If your stolen funds landed at a centralized exchange — even partially — that exchange can freeze the receiving account. This is one of the most time-sensitive actions you can take.
To identify which exchanges received the funds, use a block explorer to follow the transaction trail from the attacker's wallet. Look for transactions going to addresses labeled as exchange deposits. Common exchange deposit address labels appear directly on Etherscan and similar explorers.
Once you've identified the exchange:
- Go to their support or compliance contact page
- Submit a detailed theft report including your wallet address, the theft transaction hash, the receiving address at their exchange, the amount received, and the timestamp
- Reference your IC3 complaint number
- Mark the subject line as URGENT — Theft Report — Fund Freeze Request
Most major exchanges have legal or compliance teams that handle these requests. Response times vary. Speed matters — the faster they receive a documented request, the more likely a freeze is possible before the funds move.
5Get a professional forensic traceAs soon as possible
A block explorer shows you where your funds went one hop at a time. A forensic trace follows the entire laundering path — across chains, through bridges, past mixers — and documents it in a format law enforcement can actually use.
This matters because:
- Most law enforcement agencies don't have the tools or the time to trace cross-chain transactions themselves
- An investigator-grade case file dramatically increases the likelihood your case gets worked rather than filed
- Forensic documentation of the full laundering path is required evidence for exchange freeze requests, civil litigation, and criminal prosecution
ChainWatch provides this service at no cost to victims as part of our beta research program. We trace your stolen funds, identify every exchange and wallet the funds touched, build a chain-of-custody forensic report, and deliver it directly to your law enforcement contact.
Apply for Free Case Analysis6File with your local law enforcementWithin 72 hours
In addition to IC3, file a police report with your local department or sheriff's office. Even if your local department doesn't have a dedicated crypto investigator, the report:
- Creates a local case number, which some exchanges require before acting on freeze requests
- Opens the door for your case to be escalated to state or federal investigators
- Establishes documentation for insurance claims and tax loss reporting
When you file, bring your evidence document. The detective will likely have limited familiarity with blockchain — that's normal. A ChainWatch forensic case file is specifically designed to bridge that gap, giving your investigator everything they need in language they can work with.
What happens after 72 hours
If you missed the 72-hour window, don't stop. Recovery is harder but not impossible.
Attacker wallets sometimes go dormant with funds still sitting in them — waiting for attention to pass before moving. The dormant wallet from our founder's own case held funds for months. When law enforcement had a court order ready, the funds were still there.
The blockchain record is permanent. The forensic trail doesn't disappear. Cases that looked cold have been worked months and years later when the right investigator got involved.
File the reports. Get the forensic trace. Keep the case alive.
Your 72-hour checklist
ChainWatch provides forensic response and reporting services for cryptocurrency theft victims. We do not guarantee fund recovery. ChainWatch is not a law firm. All case data is kept strictly confidential.
If your theft occurred in the last few hours, contact us with subject line URGENT.
I was sitting at my desk when it happened.
A link showed up on X promoting a governance vote for Flare Network — a project I held. The site looked exactly right. The branding was perfect. The URL was close enough that I didn't catch it. I connected my wallet to vote.
In the time it took me to read the confirmation screen, $93,000 in WFLR tokens was gone.
That was the moment ChainWatch was born — though I didn't know it yet.
The First Hour Was the Worst
I refreshed the block explorer maybe twenty times, as if watching the transaction would somehow undo it. It didn't. The funds were moving. By the time I understood what had happened, the attacker had already started routing the tokens through intermediary wallets.
I didn't know what to do. I searched for resources. What I found was mostly useless — generic advice to "contact your exchange" (I didn't use an exchange, it came straight out of my wallet), blog posts selling paid recovery services of questionable legitimacy, and one FBI page that told me to file at IC3 but gave no guidance on what actually happens after that.
There was no first-response resource. No credible, specific guide for what to do in the first 72 hours. No service that would take my case and actually do something with it.
So I started learning.
What I Did in the First 24 Hours
The first thing I did right was document everything immediately. I screenshot the fake site — I still had the browser tab open. I copied the theft transaction hash from Etherscan. I noted the attacker's wallet address, the token amounts, the timestamp.
I filed at IC3 that same night. I was specific — wallet addresses, transaction hashes, dollar value at time of theft. I'd later learn that specific IC3 reports are the ones that get attention. Vague ones don't.
I contacted the Flare Network team to report the fake site. That got the phishing domain flagged. It didn't get my money back, but it stopped the next victim.
What I didn't do fast enough was revoke token approvals. I didn't know that was a thing. The malicious contract had been granted unlimited approval — I'd signed it without understanding what I was signing. By the time I revoked it, the damage was done. If you're reading this right now and were just hit: go to Revoke.cash and revoke your approvals before you do anything else.
What I Learned About How the Money Moved
In the weeks that followed, I started learning blockchain forensics. Not because I had a background in it — I'm a retired landlord from Suffolk, Virginia, with no technical training. I learned because I had to.
My co-founder Titus Claxton, who I met during grand jury duty, had the technical skills I didn't. Together we built what became ChainWatch's core capability: the ability to follow stolen funds across chains, decode bridge transactions, identify exchange deposits, and document the entire path in a format that's useful to investigators.
What we found in my case was worse than I expected — and more valuable as evidence than I'd hoped.
The attacker didn't just take my funds and cash out. The forensic trace Titus built documented 17 hops across three chains — Flare, Arbitrum, and Ethereum. Peel chains. Mixer behavior. Token substitution. And at the end of the trail: evidence of premeditation and a repeat offender who had done this before.
That trace is now a forensic case file sitting with law enforcement. It's the same format we produce for every ChainWatch case.
The Thing Nobody Tells You About Reporting to Law Enforcement
When I first contacted law enforcement, I quickly realized the problem wasn't their willingness to help. It was that they didn't have the tools.
A detective assigned to a crypto theft case typically has Etherscan, maybe some basic analytics access, and a caseload that already has them stretched thin. Handing them a wallet address and saying "my money went somewhere on the blockchain" puts all the forensic work on them. Most cases stall right there — not because investigators don't care, but because the technical barrier is too high and the resources aren't there.
What changes the equation is showing up with a completed case file. A documented forensic trace, chain-of-custody evidence, an IC3 referral package, and a clear narrative of what happened and where the money went. When an investigator can open a folder and have everything they need, cases move.
That's what we built ChainWatch to produce.
What's Happened Since
I'm not going to tell you I got my $93,000 back. I haven't — not yet.
What I can tell you is that the case is alive. The Virginia State Police have an active investigation. The forensic file is built. The attacker wallet that was identified as holding funds has been documented. When the legal process reaches the point of a court order, we'll be ready.
More importantly: the infrastructure I built to fight for my own recovery is now available to every crypto theft victim who finds ChainWatch before they give up.
Why I'm Telling You This
Because you need to know it's possible to fight back.
Not guaranteed. Not easy. But possible — if you move fast, document everything, get a forensic trace, and put your case in front of the right investigators with the right evidence.
The blockchain is a permanent, public record. Your attacker left a trail. The question is whether someone follows it before it goes cold.
That's what ChainWatch exists to do.
If This Just Happened to You
Contact us with the subject line URGENT if your theft was in the last 72 hours. We'll respond the same day.
If your theft was older, apply for our free beta case analysis. We're running a limited number of cases at no charge as we validate our platform. Seven spots remain.
No fees. No recovery guarantee. Just someone in your corner who has been exactly where you are.
ChainWatch provides forensic response and reporting services for cryptocurrency theft victims. ChainWatch is not a law firm and does not guarantee fund recovery. All case data is kept strictly confidential.
If your cryptocurrency was stolen, filing a report with the FBI's Internet Crime Complaint Center (IC3) is one of the most important steps you can take — and one of the most misunderstood.
This guide walks you through exactly what IC3 is, why it matters, what to include in your report, and what happens after you file.
What Is IC3?
IC3 — the Internet Crime Complaint Center — is the FBI's centralized intake system for internet-enabled crimes, including cryptocurrency theft. It is operated jointly by the FBI and the National White Collar Crime Center (NW3C).
When you file at IC3, your complaint enters a federal database that investigators across multiple agencies can access. This matters because:
- Crypto theft cases often cross jurisdictions — your attacker may be operating from a different state or country
- IC3 analysts look for patterns across complaints, connecting individual thefts to larger criminal networks and ongoing investigations
- A documented IC3 complaint gives law enforcement the legal foundation to subpoena exchange records, request asset freezes, and open formal investigations
IC3 does not guarantee an investigation of your individual case. But filing a specific, well-documented complaint significantly increases the likelihood that your case gets attention — especially if it connects to a pattern already being investigated.
Before You File: What You Need to Gather
The difference between a report that gets actioned and one that gets filed and forgotten is specificity. IC3 receives hundreds of thousands of complaints. Reports with transaction-level detail stand out.
Before you go to ic3.gov, gather the following:
Transaction information:
- The theft transaction hash (TxID) — the unique identifier for the transaction that drained your wallet. Find it on the block explorer for your chain (Etherscan for Ethereum, Arbiscan for Arbitrum, etc.)
- Your wallet address — the address that was drained
- The attacker's wallet address — the address that received your funds
- The token types and amounts stolen
- The dollar value of the loss at the time of theft — use the price at the exact block timestamp, not a current price
Timeline:
- The date and time of the theft (use the block timestamp — it's more precise than your memory)
- How you were led to the malicious site or transaction — the fake URL, the post that shared it, the DM that sent it
Platform information:
- The name of the fake site or malicious application
- The URL (even if the site is now down)
- Screenshots, if you have them
Your information:
- Your name and contact details
- Whether you've already filed with local law enforcement (and your report number, if so)
- Whether you've contacted the relevant exchanges
How to File at IC3: Step by Step
Step 1: Go to ic3.gov
Navigate to ic3.gov and click "File a Complaint." You'll be asked to confirm you're filing for yourself or on behalf of someone else.
Step 2: Select the crime type
You'll be presented with a list of crime categories. Select "Cryptocurrency/Virtual Currency" or the closest matching option. If your theft was connected to a phishing link, you can also note "Phishing/Spoofing" as a secondary category.
Step 3: Provide your personal information
IC3 collects your name, address, phone number, and email. This information is used to contact you if investigators need additional details. It is not published publicly.
Step 4: Describe the crime — this is the critical section
This is where most victims undersell their report. Write a clear, factual, chronological account. Include:
- What you were doing when the theft occurred (e.g., "I clicked a link on X purporting to be a Flare Network governance vote")
- The exact URL of the malicious site
- What transaction you signed and what you believed you were doing
- The precise time the drain occurred (use the block timestamp)
- Your wallet address and the attacker's wallet address
- The theft transaction hash
- Every token drained and the amount
- The dollar value at time of theft
Then describe what happened to the funds after the theft, to the extent you can trace it. Even a single hop — "the funds were immediately transferred to wallet address 0x..." — is valuable.
Step 5: Add financial transaction details
IC3 has a section specifically for financial transaction information. Enter:
- The cryptocurrency type (ETH, BTC, USDC, etc.)
- The amount
- The transaction hash
- The destination address
If funds moved to multiple addresses, list each one.
Step 6: Submit and save your confirmation
After submitting, you'll receive a complaint reference number. Save this immediately. You'll need it when contacting exchanges, law enforcement, and forensic services. Write it down somewhere you won't lose it.
What Happens After You File
IC3 does not contact every complainant with case updates. Don't interpret silence as inaction.
Here's what actually happens with your report:
Analyst review. IC3 analysts review complaints and flag those with sufficient detail for further attention. Reports with transaction hashes, wallet addresses, and documented dollar values are prioritized over vague descriptions.
Pattern matching. Your complaint is cross-referenced against existing investigations. If your attacker's wallet address appears in other complaints — or matches a wallet already under investigation — your case may be elevated without you knowing it.
Referral to field offices. High-value cases or cases that match active investigations may be referred to an FBI field office for action. For cryptocurrency theft specifically, cases above a certain dollar threshold tend to get more attention, though smaller cases that connect to larger networks also receive action.
Interagency sharing. IC3 data is shared with other federal agencies including the Secret Service, IRS Criminal Investigation, DEA, and Homeland Security Investigations, depending on the nature of the crime.
What you can do to accelerate it. The most effective thing you can do after filing IC3 is to bring a completed forensic case file to your local FBI field office or local law enforcement and ask them to reference your IC3 complaint number. Showing up in person with a documented forensic trace — not just a complaint number — is what moves cases from the database to an investigator's desk.
IC3 vs. Local Law Enforcement: File Both
IC3 and your local police or sheriff's office serve different purposes. File both.
IC3 gives your case access to federal investigative resources, cross-jurisdictional reach, and the database infrastructure to connect your case to larger patterns.
Local law enforcement gives you a local case number (which most exchanges require before acting on freeze requests), an assigned investigator you can follow up with, and the local legal mechanism for emergency asset preservation orders.
If your local department has limited crypto experience — which is common — a ChainWatch forensic case file is designed to bridge that gap. Investigators don't need to know how to trace blockchain transactions themselves when you arrive with a complete, documented case file.
Other Agencies to Consider
Depending on the nature of your theft, additional reporting options include:
FTC (ReportFraud.ftc.gov) — For scam-related theft, particularly pig butchering schemes and investment fraud.
CFTC (cftc.gov/complaint) — For commodity-related crypto fraud.
Your state attorney general — Many states have financial crimes units that handle crypto theft. Virginia's AG office, for example, has an active consumer protection division.
FinCEN (fincen.gov) — For suspected money laundering.
Filing with multiple agencies costs you nothing and increases the surface area for your case to connect with an active investigation.
The Bottom Line
Filing at IC3 alone is not enough to recover your funds. But not filing is a guaranteed dead end.
A specific, documented IC3 complaint is the legal foundation that makes everything else possible — exchange freeze requests, court orders, subpoenas, restitution. It takes 20 minutes to do correctly. Do it within the first 24 hours.
Then get a forensic trace. The IC3 complaint tells law enforcement what happened. The forensic trace shows them where the money went — and gives them the evidence to act.
ChainWatch provides forensic response and reporting services for cryptocurrency theft victims. We do not guarantee fund recovery. ChainWatch is not a law firm. All case data is kept strictly confidential.
One of the first questions every crypto theft victim asks is: can they find it?
The honest answer is yes — and more often than most victims expect. But what tracing can do, and what it can't, is widely misunderstood. This guide explains exactly how stolen crypto is traced, what the real limitations are, and what you need to do to give tracing its best chance of helping your case.
The Blockchain Is a Permanent Public Record
Every transaction on a public blockchain — Ethereum, Bitcoin, Solana, and most others — is recorded permanently and visible to anyone. Unlike a bank transfer, which only the sending bank, receiving bank, and account holders can see, every movement of crypto on a public chain is written into a public ledger that anyone can query.
This means the path your stolen funds took — from your wallet to the attacker's wallet, and everywhere they went after that — is already documented. It can't be deleted. It can't be altered. It exists as permanent, immutable evidence of exactly what happened.
The challenge isn't finding the evidence. The challenge is reading it.
What Tracing Actually Involves
Following stolen funds on a blockchain is not as simple as entering a wallet address and watching a map populate. Here's what professional forensic tracing actually requires:
Hop-by-hop analysis. When an attacker drains a wallet, they rarely hold the funds in one address. They move them — often immediately — through a series of intermediary wallets. Each transfer is a "hop." Tracing requires following each hop in sequence, identifying what happened at each address (did the funds split? were they swapped for a different token? were they bridged to another chain?).
Cross-chain resolution. This is where most basic tools fail. When stolen funds pass through a cross-chain bridge — moving from Ethereum to Arbitrum, for example, or from Flare to BNB Chain — the trail appears to end on the originating chain. Reconstructing it requires decoding the bridge contract's transactions on both chains and linking the outbound transfer to the corresponding inbound deposit. This is technically complex and requires chain-specific knowledge of each bridge protocol.
DEX swap decoding. Attackers frequently swap stolen tokens for different assets — converting a stolen altcoin to ETH or USDC — to obscure the trail. Each swap needs to be decoded to identify what the funds became and where they went next.
Mixer and peel chain identification. Some attackers route funds through mixers (services designed to obscure transaction origins) or use "peel chain" techniques — splitting large amounts into many smaller transactions across many wallets. Identifying these patterns requires pattern recognition across large numbers of addresses, not just linear tracing.
Exchange deposit identification. The most actionable finding in any trace is identifying that stolen funds reached a centralized exchange deposit address. Exchanges are regulated entities that maintain KYC records on their users. When a forensic trace confirms funds landed at Binance, Coinbase, Kraken, or another major exchange, that opens the door to a freeze request and — with legal process — identification of the account holder.
What the Blockchain Doesn't Tell You Automatically
Tracing confirms where funds went. It doesn't automatically tell you who controls a given address.
A wallet address is a string of characters, not a name. The blockchain records that 5 ETH moved from address A to address B. It does not record that address B belongs to a specific person.
Connecting wallet addresses to real-world identities — called "attribution" — requires one of the following:
- Exchange records. If funds touched a KYC-compliant exchange, legal process (a subpoena or court order) can compel the exchange to disclose account holder information. This is the primary path to attacker identification in most cases.
- OSINT. Open-source intelligence — publicly available information that can be linked to a wallet. This includes blockchain data correlated with known entity databases, social media, domain registration records, and other public sources.
- Cross-case correlation. If the attacker's wallet has been used in previous thefts, and those cases have been documented, patterns in the attacker's infrastructure can confirm a repeat offender and add to a growing profile.
None of these attribution methods are available to a victim working alone with a block explorer. They require forensic tooling, investigative experience, and in the case of exchange records, legal authority.
Real Examples of What Tracing Has Accomplished
Tracing isn't theoretical. Here's what it has produced in documented cases:
Fund freezes at exchanges. In multiple documented cases, forensic traces identified stolen funds reaching centralized exchange deposit addresses. Exchange compliance teams, presented with documented trace evidence and theft reports, froze the receiving accounts before funds were withdrawn. In our own case, a partial freeze was secured at ChangeNOW based on forensic documentation of the laundering path.
Attacker identification. Several high-profile crypto theft cases have resulted in arrests after forensic tracers followed funds to exchange accounts and law enforcement obtained account holder records through legal process. The 2022 Bitfinex hack case — $4.5 billion in stolen Bitcoin recovered — started with exactly this methodology.
Dormant wallet discovery. Attackers sometimes move funds partway through a laundering path and then go dormant — leaving funds sitting in an intermediary wallet while waiting for law enforcement attention to pass. A complete forensic trace documents these wallets. When law enforcement eventually secures a court order, the funds may still be there.
Criminal prosecution support. Forensic traces have been submitted as evidence in federal cryptocurrency theft prosecutions. The chain-of-custody documentation — a hash-chained audit log of every analytical step — is what makes a trace admissible as evidence rather than just an informal analysis.
What Makes a Trace Actually Useful to Law Enforcement
Not all traces are equal. A screenshot of Etherscan showing one hop is not a forensic case file.
What law enforcement needs — and what makes a trace actually actionable — is:
Chain of custody. Every step of the analysis needs to be documented in a way that can be verified and defended. What data sources were used? What methodology? What tools? A professional forensic trace includes a tamper-evident audit log that answers these questions.
Plain-language conclusions. Investigators aren't blockchain experts. A forensic report needs to translate technical findings into clear conclusions: "The stolen funds moved from the victim's wallet to attacker address X, were bridged to Arbitrum via LayerZero, swapped from WFLR to ETH via Uniswap, and deposited at a Binance deposit address on [date] at [time]."
Open leads clearly labeled. A credible forensic report distinguishes between what is confirmed and what is suspected. If a portion of the trail was obscured by a mixer and the investigator couldn't follow it further, that should be stated explicitly — not presented as a dead end or glossed over.
IC3 / FBI submission formatting. The report should be structured for submission to the FBI Internet Crime Complaint Center and formatted in a way that integrates cleanly with federal investigative processes.
This is the standard ChainWatch holds every case file to.
The Limits of Tracing
Honest answer on what tracing can't do:
It can't reverse transactions. Blockchain transactions are final. Tracing documents where funds went — it doesn't move them back.
It can't pierce true privacy coins. Monero and similar privacy-focused cryptocurrencies are designed to obscure transaction trails. If stolen funds are converted to Monero and moved, the trail effectively ends there with current technology.
It can't compel exchanges to act. A forensic trace identifies that funds reached an exchange. It doesn't force the exchange to freeze them. That requires legal process — a law enforcement request, a court order, or in some cases a well-documented victim complaint to a responsive compliance team.
It takes time. A complete forensic trace of a multi-hop, cross-chain laundering path takes hours to days of skilled analysis. This is why the 72-hour window matters — getting the trace started quickly keeps more options open.
What You Should Do Right Now
If your crypto was stolen, the most important thing you can do is get a professional forensic trace started as quickly as possible.
ChainWatch provides forensic tracing at no cost to victims as part of our beta research program. We follow your stolen funds from the initial theft transaction to wherever they come to rest, document the complete path with chain-of-custody evidence, and deliver a law enforcement referral package ready for IC3 submission and local LE hand-off.
This is the same forensic methodology that produced a complete 17-hop trace in our founder's own case — identifying premeditation, a repeat offender, and a dormant attacker wallet still holding funds.
Or contact us with subject line URGENT if your theft was in the last 72 hours.
ChainWatch provides forensic response and reporting services for cryptocurrency theft victims. We do not guarantee fund recovery. ChainWatch is not a law firm. All case data is kept strictly confidential.
You invested in a project. The team seemed legitimate. The roadmap looked real. Then one day — the website is gone, the Telegram is deleted, the developers have vanished, and your investment is worth nothing or close to it.
This is a rug pull. It is one of the most common forms of crypto fraud, and it is far more traceable than most victims realize.
What Is a Rug Pull?
A rug pull occurs when the creators of a cryptocurrency project — a token, an NFT collection, a DeFi protocol, or a liquidity pool — deliberately abandon the project and abscond with investor funds.
There are two main types:
Hard rug pull. The developers drain the liquidity pool or smart contract treasury in a single transaction, convert the funds to ETH or another liquid asset, and disappear. This happens fast — sometimes within hours of a project launch. Victims are left holding a token that is now worthless because all liquidity has been removed.
Soft rug pull (slow rug). The team gradually sells their token allocation over time — often while continuing to post updates and maintain the appearance of legitimacy — until they've exited their position. The token price collapses slowly. By the time victims recognize what happened, the developers are long gone with their profits.
Both are fraud. Both leave a forensic trail on the blockchain.
Why Rug Pulls Are More Traceable Than You Think
A rug pull requires the developers to move money. That movement is recorded permanently on the blockchain.
When a developer drains a liquidity pool, the funds move from the pool contract to a developer wallet. From there, they typically get converted to ETH or a stablecoin, bridged to another chain, and eventually routed toward a centralized exchange for cash-out. Every one of those steps is a transaction — and every transaction is traceable.
What forensic tracing looks for in a rug pull case:
- Developer wallet identification. The deployer address of the project's smart contract is public. All transactions from that address — including the rug itself — are visible on the blockchain.
- Liquidity drain transactions. The exact transaction that removed liquidity from the pool is documented, timestamped, and linked to the receiving wallet.
- Fund flow post-drain. Where did the money go after the rug? Which wallets, which bridges, which exchanges?
- Exchange deposit identification. If the funds reached a centralized exchange, that's the most actionable finding — it opens the door to a freeze request and, with legal process, identity disclosure.
- Premeditation evidence. Forensic analysis of the smart contract code and transaction patterns often reveals whether the rug was planned from the start — honeypot mechanics, hidden admin functions, pre-minted developer allocations — all of which strengthen a fraud case.
1Document Before the Trail Cools
The first thing to do after recognizing a rug pull is document everything, immediately.
Save the following:
- The token contract address — find it on the DEX where you bought the token (Uniswap, PancakeSwap, etc.) or on the block explorer
- The project's original website URL — even if it's now offline, the URL itself is evidence. Check archive.org (the Wayback Machine) to capture archived versions of the site before they're gone
- The liquidity drain transaction hash — find it by looking at the token contract address on the block explorer and identifying the transaction that removed liquidity
- The developer wallet address — the address that deployed the contract and/or received the drained funds
- Screenshots of the project's social media, Telegram, Discord, and any communications with the team — save these before accounts are deleted
- Your purchase transaction hash — proof that you invested
- The dollar value of your investment at time of purchase
The Wayback Machine at archive.org can retrieve cached versions of websites that have since been taken down. Do this immediately — the cache may disappear.
2Identify Whether This Is a Coordinated Fraud
Rug pulls are rarely isolated incidents. Most serial rug pullers operate multiple projects, often in rapid succession, using the same developer wallets, the same contract templates, and the same playbook.
A forensic trace of the developer wallet often reveals prior rugs — the same address that drained your project may have drained three others in the preceding months. This cross-case evidence is powerful for law enforcement because it establishes a pattern of criminal conduct rather than a single incident.
If you can identify other victims of the same developer — through crypto fraud communities on Reddit, X, or Telegram — coordinate with them. Multiple victims filing IC3 reports referencing the same wallet address significantly increases the priority of the case.
3File with the FBI IC3
Go to ic3.gov and file a complaint. Include:
- The token name and contract address
- The developer wallet address
- The liquidity drain transaction hash
- The dollar value of your loss at time of investment
- A description of the project and how you came to invest
- Screenshots of any communications with the team
- Your purchase transaction hash
Be specific. A report that includes contract addresses and transaction hashes is dramatically more useful than one that says "I invested in a token and lost money."
If you know of other victims, mention it in your report and encourage them to file separately — each referencing the same developer wallet address.
4Report to the Platform Where You Bought
If you purchased the token on a centralized exchange, report the fraud to that exchange's compliance team. Most major exchanges have processes for flagging fraudulent tokens and can freeze associated accounts if they receive documented reports quickly enough.
If you bought on a DEX like Uniswap or PancakeSwap, report the fraudulent token to the DEX interface team — most have a token flagging mechanism. While DEXes can't freeze funds, flagging the token prevents future victims and creates a record.
Also report to:
- CoinGecko and CoinMarketCap — both have fraud reporting mechanisms and can flag or delist fraudulent tokens
- The blockchain's native security team — Ethereum, BNB Chain, and others have security contacts for reporting fraud
- Your state attorney general — many states have financial fraud divisions that handle crypto cases
5Get a Forensic Trace
A forensic trace of a rug pull follows the developer wallet from the drain transaction through every subsequent hop — identifying where the money ended up and whether it reached a traceable exchange.
This is what converts your IC3 report from a complaint into an actionable case file. When law enforcement has a complete forensic trace documenting the drain, the laundering path, and the exchange destination — along with evidence of prior rugs by the same developer — a case can move.
ChainWatch provides forensic tracing at no cost to victims as part of our beta research program. We analyze the developer wallet, document the complete fund flow post-rug, identify exchange deposits, and deliver a law enforcement referral package ready for IC3 submission.
Apply for Free Case AnalysisWhat Recovery Actually Looks Like in a Rug Pull Case
Realistic expectations matter.
Most likely outcome with no action: The developer moves on to the next rug, your funds are laundered through an exchange and cashed out, the case goes cold.
Most likely outcome with documented action: Your IC3 report and forensic trace go into the federal database. If the developer runs future rugs, the pattern connects to your case. When law enforcement identifies a suspect — often through an exchange account disclosure — your case may be included in a prosecution with restitution proceedings.
Best-case outcome: The forensic trace identifies that funds are still sitting at a centralized exchange deposit address, a freeze request is honored, and law enforcement secures a court order. This happens — not in every case, but in documented cases where victims acted quickly and had forensic documentation.
The key variable is whether you filed a specific, documented report and got a forensic trace before the developer moved everything to a non-custodial wallet or cashed out. Speed matters.
How to Protect Yourself from Future Rug Pulls
Before investing in any new crypto project:
Check the contract. Tools like Token Sniffer, Honeypot.is, and De.Fi Scanner analyze smart contract code for rug pull mechanics — hidden mint functions, blacklisting, liquidity lock bypasses. Run any new token through at least one of these before investing.
Check the liquidity lock. Legitimate projects lock their liquidity for a defined period using a third-party locker like Unicrypt or Team.Finance. Unlocked liquidity means the developer can drain the pool at any time.
Check the developer wallet history. Search the deployer address on Etherscan or BscScan. Has this wallet deployed other tokens? What happened to them? A developer who has deployed and abandoned multiple tokens is a major red flag.
Verify the team. Anonymous teams are not automatically fraudulent, but they are higher risk. Look for verifiable identities, prior project history, and credible advisors.
Be skeptical of influencer promotion. Paid promotion of low-cap tokens is endemic to the rug pull ecosystem. If a project is being heavily promoted by crypto influencers on X or YouTube, that is a signal to do more due diligence, not less.
The Bottom Line
A rug pull is not the end of the road. The developers left a trail — the blockchain recorded every transaction from the drain to wherever the funds ended up. The question is whether someone follows that trail before it goes cold.
File with IC3. Get a forensic trace. Keep the case alive.
Or contact us with subject line URGENT if your rug pull occurred in the last 72 hours.
ChainWatch provides forensic response and reporting services for cryptocurrency theft victims. We do not guarantee fund recovery. ChainWatch is not a law firm. All case data is kept strictly confidential.
If you lost money to a pig butchering scam, you are not alone — and you are not stupid. These are among the most sophisticated fraud operations in the world, run by organized criminal networks with professional scripts, fake personas, and technically convincing platforms. They are designed by experts to defeat your skepticism.
This guide explains what actually happened, what evidence you need to preserve, and what steps give your case the best chance of recovery.
What Is a Pig Butchering Scam?
Pig butchering — named after the practice of fattening a pig before slaughter — is a long-con investment fraud scheme. The scammer builds a relationship with the victim over days, weeks, or months before introducing the fraudulent investment. By the time the "investment" is made, the victim trusts the scammer completely.
The typical progression:
Initial contact. You receive a message — a wrong number text, a LinkedIn connection request, a match on a dating app, a DM on Instagram. The message is friendly and non-threatening. The scammer presents as an attractive, successful professional — often in finance, tech, or real estate — usually claiming to be based in the US or a Western country but of Asian heritage.
Relationship building. Over days or weeks, the scammer invests heavily in building trust. Conversations are warm, engaging, and personal. They share details of their life, ask about yours, and gradually become someone you look forward to hearing from. There is no pressure and no ask — yet.
The introduction. At some point, naturally and casually, the scammer mentions that they've been making good money in crypto trading. They're not trying to sell you anything — they just mention it in passing. When you express interest, they offer to show you how they do it.
The platform. The scammer directs you to a trading platform — usually a custom-built app or website that looks professionally designed and shows convincing account balances, charts, and returns. The platform is fake. Every number you see is fabricated to show you winning.
The deposit cycle. You deposit a small amount and watch it "grow." You withdraw a small amount to confirm it works. Encouraged, you deposit more. The scammer encourages you to invest larger amounts — sometimes introducing "limited-time opportunities" or "VIP tiers." Friends or family may be encouraged to participate.
The slaughter. When you try to make a significant withdrawal, you're told you owe taxes, fees, or a "deposit insurance" payment before funds can be released. These fees are a second theft on top of the first. The scammer may play along for a while longer, but eventually the platform goes dark, the scammer disappears, and the money is gone.
Why Pig Butchering Scams Are Hard to Recover From — But Not Impossible
The criminal infrastructure behind pig butchering is sophisticated. Funds typically move through multiple wallets, across multiple chains, through mixers and exchanges, and ultimately to cash-out points in jurisdictions with limited law enforcement cooperation.
But — and this matters — the crypto transactions are still on the blockchain. Every deposit you made, every wallet that received your funds, every subsequent transfer is recorded permanently and publicly.
What makes pig butchering cases recoverable is that the scale of these operations means the same criminal infrastructure gets used repeatedly. The same wallets. The same bridges. The same exchange accounts. When law enforcement and forensic investigators build a complete picture of one operation, individual victims' funds can be linked to prosecutions already underway.
Several large-scale pig butchering operations have resulted in seizures and prosecutions in recent years — with victim restitution proceedings following. Your case may connect to one of them.
1Stop Immediately and Do Not Pay Any More Fees
If you are currently being told you need to pay a tax, fee, insurance payment, or any other charge to release your funds — stop. Do not pay.
This is a universal feature of pig butchering scams. The fees are a second theft. Paying them does not release your funds — it simply takes more money from you. No matter how convincing the explanation sounds, no matter how much you've already invested, paying additional fees will not recover anything.
Cut off all contact with the scammer. Block them on every platform. Do not respond to any further messages — including messages from people claiming to be law enforcement, recovery services, or platform support. These are almost always the same criminal operation running a second scam against the same victim.
2Preserve Every Piece of Evidence
Before anything else, save everything. You will need this evidence for every report you file, every recovery attempt you make, and any potential legal proceedings.
Save the following:
- Every conversation with the scammer — screenshots of every message on every platform (WhatsApp, Telegram, WeChat, Instagram, dating apps, email)
- The fake platform's URL and any app download links
- Screenshots of your account dashboard showing your balance, transaction history, and any communications from "platform support"
- Every cryptocurrency transaction you made — the transaction hash for each deposit, your wallet address, the receiving wallet address, the amount, and the date
- The dollar value of each deposit at the time you made it
- Any phone numbers, email addresses, or social media profiles associated with the scammer
- Any bank records showing wire transfers or purchases of crypto used to fund the scam
If the platform is still accessible, screenshot everything — your account balance, transaction history, and the platform's terms and contact information. This documentation may disappear.
3File with the FBI IC3 — In Detail
Go to ic3.gov and file a complaint. Pig butchering is a federal priority — the FBI has active investigations and task forces specifically targeting these operations, and your report contributes to those investigations even if your individual case isn't assigned a dedicated agent.
Your IC3 report should include:
- A complete timeline of the relationship — when you were first contacted, which platform, how the relationship developed, when the investment was introduced
- Every transaction hash for every deposit you made
- Every wallet address you sent funds to
- The fake platform's URL and name
- The total dollar value of your loss
- All scammer contact information — phone numbers, usernames, profile names, email addresses
- Screenshots of the scammer's profile if you have them
The more specific your report, the more useful it is. FBI analysts look for common wallet addresses, platform infrastructure, and transaction patterns across hundreds of complaints. Your specific details may be the link that connects your case to an ongoing investigation.
Save your IC3 complaint reference number.
4Report to Every Relevant Platform
The crypto exchanges where you bought your crypto. Contact the compliance team at every exchange where you purchased cryptocurrency that was subsequently sent to the scammer. Report the fraud, provide your transaction hashes, and request that they freeze any associated accounts. Exchanges cannot always act on these requests without legal process, but early notice creates a record and may preserve options.
The platforms where the scammer contacted you. Report the scammer's profile on every platform they used — dating apps, WhatsApp, Telegram, LinkedIn, Instagram. These reports help platforms identify and remove fraud operations and may provide information to law enforcement.
The FTC at ReportFraud.ftc.gov. The FTC tracks investment fraud including pig butchering and shares data with law enforcement agencies.
Your state attorney general. Many states have financial fraud units actively investigating crypto investment fraud. File a report with your state's AG office in addition to federal agencies.
Your bank or financial institution. If you wired funds or used a bank account to purchase crypto, notify your bank of the fraud. In some cases, banks can initiate recovery procedures for wire transfers — the window is narrow but worth attempting immediately if the transfers were recent.
5Get a Forensic Trace of Your Funds
Every crypto deposit you made to the fake platform went somewhere on the blockchain. That destination — and every wallet the funds touched after that — is traceable.
A forensic trace of a pig butchering case typically reveals:
- The receiving wallet addresses and whether they've been used across multiple victim cases
- The laundering path — how funds were moved, mixed, bridged, and converted after receipt
- Exchange deposit addresses — the most actionable finding, because it opens the door to freeze requests and identity disclosure through legal process
- Infrastructure shared with other operations — the same criminal networks often reuse wallets and bridges across multiple scams
This forensic documentation is what converts your IC3 complaint from a data point into an actionable case file. When an investigator has a complete trace documenting where your funds went — not just that they were stolen — a case can move.
ChainWatch provides forensic tracing at no cost to victims as part of our beta research program. We follow your funds from your initial deposit through every subsequent hop, identify exchange endpoints, and deliver a court-ready forensic case file to your law enforcement contact.
Apply for Free Case Analysis6Be Extremely Cautious of "Recovery" Services
After a pig butchering scam, victims are almost universally targeted by a second wave of fraud — fake recovery services.
These services contact victims — often through the same channels the original scammer used, or through social media searches for scam victims — and claim they can recover your funds for an upfront fee. They are scams. No legitimate recovery service charges upfront fees and guarantees results.
Red flags for fraudulent recovery services:
- They contacted you unsolicited
- They guarantee recovery
- They ask for an upfront fee before doing any work
- They claim to work with or be affiliated with the FBI, Interpol, or other law enforcement
- They ask for your wallet seed phrase or private keys
Legitimate forensic services — including ChainWatch — do not guarantee recovery, do not charge victims upfront fees, and will never ask for your seed phrase or private keys.
What Realistic Recovery Looks Like
Pig butchering recovery is not common — but it happens, and it is happening more frequently as law enforcement builds expertise and criminal networks become better documented.
The most realistic path to recovery involves your funds being linked to a criminal operation that law enforcement subsequently seizes. When federal authorities seize cryptocurrency wallets connected to a pig butchering network, victim restitution proceedings follow. Victims who filed IC3 reports with specific transaction details — and who have forensic documentation linking their deposits to the seized wallets — are positioned to claim restitution.
This is not guaranteed. It is not fast. But it is real, and it is the path that has resulted in actual money being returned to actual victims.
The prerequisite is documentation. A specific IC3 report. A forensic trace. An active case on file.
You Were Not Foolish. You Were Targeted.
Pig butchering victims include physicians, attorneys, engineers, military veterans, retired executives, and financial professionals. The scammers who run these operations are trained specifically to overcome the defenses of intelligent, skeptical people. The relationship they built with you was manufactured by professionals with scripts, psychological training, and unlimited time.
What happened to you was not a failure of judgment. It was a crime, perpetrated by sophisticated criminals, against a person they specifically selected and targeted.
Fight back. Document everything. File the reports. Get the trace.
Or contact us immediately if your last transaction to the scammer was within the last 72 hours.
ChainWatch provides forensic response and reporting services for cryptocurrency theft victims. We do not guarantee fund recovery. ChainWatch is not a law firm. All case data is kept strictly confidential.
More guides are on the way. Have a situation that isn't covered here? Contact us.