Shield

Traced Theft Report

← Home Delegation check
Time is the variable

Exchanges can freeze funds sitting in a deposit account. They cannot return funds that have already been withdrawn — and stolen crypto is often moved out within hours. File with the exchange and the police today, even with incomplete information. You can send them more later. You cannot get back time.

For thefts with a suspect and a cash-out point

When someone had your device, and the money went to an exchange.

This is for a different kind of theft than an anonymous drainer: someone with physical or remote access to a device took the keys — a repair technician, a support session, a shared computer, a household member — and moved the funds through a few wallets into a centralized exchange. That path is the best case you can have, because an exchange holds identity documents for the account that received your money, and a short list of people had access to your device. Both facts are things investigators can act on. Neither is something you should act on yourself.

Do these first, in this order

The first three matter more than everything on the rest of this page. Do them before you finish reading.

  1. Move any remaining funds to a new wallet

    Made on a device the suspect never touched. If the stolen keys still control anything anywhere, assume it is being watched. Do this before you tell anyone what you know.

  2. Contact the exchange that received the funds

    Use their law-enforcement or compliance channel, not normal support. State plainly: stolen funds were deposited to an account on your platform, here is the deposit address and the transaction hash, please preserve records and freeze pending withdrawals. Most exchanges will not freeze on a victim's word alone, but nearly all will preserve the account records — and that preservation is what makes the case winnable later.

    Do this even before you have a police report number
  3. File a police report and get the report number

    Local police for the physical-access crime, and your national cybercrime unit for the theft. The exchange will almost always require an official report number, and in most jurisdictions a subpoena or preservation order, before releasing account identity to anyone. Your report is what starts that.

    The report number is the key that unlocks everything else
  4. Preserve the device — do not wipe or reuse it

    Power it off and put it somewhere safe. Do not reinstall, do not run cleanup tools, do not keep using it. Forensic examination can show what was accessed and when — that is the thread tying the person who had custody to the theft. Write down the dates you dropped it off and picked it up, who you dealt with, and any receipt or work order.

    This device is the strongest evidence in the case
  5. Say nothing to the suspect or in public

    No confrontation, no online review, no naming them in the community. Tipping them off gives them time to move funds, wipe machines, and close accounts. It can also expose you to liability if the person you suspect turns out not to be the person who did it — a shop has employees, contractors, and sometimes a break-in of its own. Narrowing the suspect list is the investigators' job.

    Confrontation destroys cases and hurts innocent people

Build the report

Fill in what you know. Blanks are fine — send it anyway and follow up. Nothing you type here leaves your browser; the report is generated on your own device for you to copy into the exchange's and the police's own forms.

The victim
How access was obtained
Where the money went

Follow the funds on a block explorer, one transfer at a time, and paste each address in order. Stop when you reach an address the explorer labels with an exchange's name — that is the cash-out point, and it is the address the exchange needs.

  • Taken from — your wallet
The cash-out point

Where to send it

Send to all of these on the same day. They do different jobs and none replaces another.

Freezes the money

The exchange

Find their law-enforcement, compliance, or fraud channel — search their support site for "law enforcement request." Regular support tickets sit in a queue for days. Ask them to preserve records and hold pending withdrawals. Give them the deposit address and the transaction hashes.

Opens the case

Local police

The physical-access element is a conventional crime with a conventional suspect list, and it is what local police can genuinely investigate. Bring the device, the receipt or work order, and the dates.

Compels the records

National cybercrime unit

In the US, the FBI's IC3 at ic3.gov. Elsewhere, your national police cybercrime reporting line. They are the ones who can subpoena the exchange for the identity behind the receiving account.

Warns the next person

Chainabuse and block explorers

Report the thief's addresses so they carry a public warning label. This does not recover funds; it makes the addresses harder to use and helps analysts connect cases.

Two mistakes that end cases

Contacting the suspect. Not a message, not a review, not a mutual friend, not a post. The moment they know, funds move and drives get wiped. Let the police make the approach.

Paying a recovery service. Anyone who contacts you offering to recover stolen crypto for a fee is running a second theft targeting the people who suffered the first. No private company can reverse a blockchain transaction. Legitimate asset recovery happens through law enforcement and the courts, and it starts with the report you are writing now.

What to expect, honestly

You deserve a truthful picture rather than false hope or premature despair.

  • Recovery is possible here, and it is not likely. Cases with a named custodian and an exchange cash-out are the ones that sometimes end in charges and restitution — far better odds than an anonymous drainer. But it takes months, it depends on the exchange's jurisdiction, and most cases still end without the money back.
  • The exchange will not tell you who owns the account. They are legally barred from it. They will tell the police. This feels like a wall and is actually the system working.
  • A two-week delay between access and theft is normal. Someone who copies a seed phrase often waits, precisely so the theft does not point at the last person who touched the machine. The delay is a pattern, not an alibi — put the dates in the report and let the investigators weigh it.
  • You may be wrong about who did it. Repair shops have multiple staff, contractors, and sometimes their own break-ins. Malware picked up long before the drop-off can look identical from the outside. Report what you know to be true — who had custody, and when — and let the evidence decide the rest.
  • Prevention is the only reliable protection. A hardware wallet would have made this theft impossible: the keys never leave the device, so nobody with your laptop can take them. A seed phrase written on paper and kept out of the house is the low-cost version. Never store a recovery phrase in a file, a photo, a notes app, or a password manager on a machine you might one day hand to a stranger.