Victim of a Crypto Scam? The first steps to take

Because cryptoassets can be rapidly transferred across multiple addresses, swapped into different tokens, bridged across blockchains, and moved through exchanges, taking action as early as possible is critical. The sooner steps are taken, the greater the likelihood of tracing assets, preserving evidence and identifying viable recovery routes.

Whether you have been the victim of a phishing scam, wallet compromise, exchange account takeover, fake investment platform, social engineering attack, or unauthorised transfer, it is important not to panic and to keep a level head, but it is equally important not to delay.

Below are some of the key steps to take in the immediate hours and days after discovering a crypto scam or theft.

1. Secure your Digital Presence

In many crypto fraud cases, particularly those executed over a long period of time and involving some element of social engineering, such as romance scams or pig butchering scams, fraudsters may also have gained access to your email account, bank logins, cloud storage and other linked accounts.

This should be one of your first priorities, particularly given how much of our lives are conducted online. Steps should be taken to review all your major online touchpoints, such as your email and social media accounts, online banking, cloud storage accounts, and exchange accounts. As well as changing your passwords, you should also review recent login activity where available, log out of unknown sessions, and strengthen your two-factor authentication. 

It can be sensible to set up a new, clean email address for urgent communications, especially for communications with law enforcement and legal advisers, and divert any sensitive personal emails to this new account.

It may also be prudent to notify any relevant banks and exchange platforms that you may have been the victim of a scam as they can assist with monitoring for suspicious activity and unauthorised logins.

When securing your digital presence, it is highly recommended to do this from a ‘clean’ device i.e. a device that has not been used in any communications with or effecting any transfers sent to the scammers.

2. Secure remaining crypto

If one wallet, exchange account or device has been compromised, you should not assume the rest of your holdings are safe.

Fraudsters may already know about your other wallets, seed phrases, exchange accounts or connected devices. If you still hold cryptoassets, you should urgently review whether they ought to be moved to a newly created wallet on a clean device. If you still have access on a centralised exchange, check for suspicious activity, unauthorised log in attempts, new withdrawal addresses or changes to security settings. 

This needs to be handled carefully and methodically, and where there is a real risk of further compromise or loss, urgent containment is necessary.

3. Do not delete messages, emails or transaction records

If your crypto has been stolen then every piece of evidence matters.

It can be tempting to want to delete messages, uninstall apps, or wipe devices as soon as you realise you have been targeted by a scam. However, all evidence should be preserved and deleting messages or wiping device risks destroying vital evidence.

If you were communicating with the fraudsters through a website, messaging app, social media account or email, keep backups of these communication logs and preserve them. Even small details can become useful, including usernames, profile pictures, wording and phraseology used in messages, claimed company names and payment instructions.

Preserving the evidence trail can make a very real and impactful difference in dealing with crypto fraud.

4. Do not wipe, format, or reset compromised devices

Possible signs that a device has been compromised may include unfamiliar applications appearing on the device, unusual pop-ups, unprompted command prompt windows, settings being changed without explanation, or the device behaving erratically or unusually slow.

If there is a chance your devices may have been compromised, it is natural to want to wipe and format those devices immediately.

However, compromised devices can contain important evidence. They may show whether malware was installed, whether remote access was obtained, whether a fake app was used, or whether login credentials were intercepted. In some cases, they can help show how the theft happened and whether anyone else may bear responsibility.

Best practice would be to preserve and not use any devices you suspect of being compromised at least until a forensic image can be taken. 

5. Take control of communications with the fraudsters

Once the fraud has been identified, there is often a strong instinct to confront the fraudsters or continue engaging in the hope of recovering funds. This is particularly true in cases where the scammers have perpetuated their scam over prolonged contact and have manipulated feelings of friendship or trust with the victim.

The period of time in which the victim realises they are dealing with a scam, but the fraudsters do not yet know their position has been uncovered can create a valuable window of time in which to preserve evidence, gather information, trace the movement of assets and consider next steps before the scammers are alerted and change their behaviour.

Acting too quickly or emotionally may forfeit that advantage by tipping off the fraudsters that you are aware of their scam. When fraudsters become aware that they have been exposed, this may prompt them to try and move and dissipate assets quicker.

One approach is to pause communications without raising suspicion or tipping the fraudsters off. For example, indicating that you will be unavailable or on holiday for the next few weeks, which allows for a neutral pause of engagement with the scammers.

6. Report to Law Enforcement

As with any crime, you should report it promptly to law enforcement. Usually this will include reporting the matter to your local police force, Action Fraud, and in some cases the NCA.

Reporting the matter creates an official record and a crime reference number which can be useful for subsequent legal action.

It is recommended to engage with your local police force as much as possible, although public authorities do not always move at the speed required for crypto cases. Police resources and expertise in relation to crypto matters can vary greatly between forces, which may affect the speed and effectiveness of their response.

7. Get specialist legal advice early

Crypto fraud and asset recovery is a specialist area that sits at the point where law, technology and speed all matter.

A lawyer with experience in cryptoasset disputes can help assess the facts, preserve the evidence, engage with law enforcement, exchanges and other third parties, coordinate tracing work, and advise on all options available. 

The route to recovery usually begins by tracing the stolen cryptoassets and identifying which centralised exchanges or third party intermediaries they have been through. 

Scammers will often seek to convert stolen crypto into fiat, and these centralised exchanges often provide the ‘off-ramp’ where these conversions take place and are withdrawn. For that reason, identifying these centralised exchanges and third party intermediary platforms is a key step in the recovery process.

Taking the example of centralised exchanges, they typically depend on established payment rails and banking infrastructure in order to operate and receive or send payments to users. Those payment rails exist within a regulated environment, and as such, centralised exchanges will often have systems and internal procedures in place to identify suspicious activity, freeze accounts, and make information requests.

Once the relevant exchanges or intermediary platforms have been identified, the legal team can move quickly to alert them to the position and seek specific protective steps. Depending on the circumstances, that may include requesting relevant accounts be frozen to preserve assets still held within them, together with seeking disclosure of account activity and the identity of the users operating those accounts.

This information obtained can then be used to trace the onward movement of assets and inform the next stage of the recovery strategy. 

8. Stay calm and seek support

Discovering that you have been the victim of a scam can be deeply distressing. It is important to recognise it is not your fault. Many crypto scams are carried out by sophisticated operations designed to present a convincing appearance of legitimacy, often through professional looking websites, persuasive communications, and carefully managed interactions over time.

Victims will often feel embarrassment and may instinctively want to deal with matters privately. That reaction is entirely understandable. However, if possible, it is usually better not to try to carry the situation alone. Sharing what has happened with trusted friends or family can be an important step, both practically and emotionally, and can help ensure that someone is looking out for your welfare at a time when you may be under considerable stress.

The emotional impact of fraud should not be underestimated. If you are feeling very low, anxious or overwhelmed, it is important to seek appropriate medical or mental health support.

Caution should be exercised when turning to online forums or communities for support. While some may be well-intentioned, such spaces can attract further bad actors looking to further exploit victims at their most vulnerable. 

In particular, so called “recovery scammers” may claim that they can recover stolen cryptoassets or that cryptoassets have already been traced and frozen and can be released on payment of a fee. In some cases, the recovery scam may be carried out by those behind the original fraud.

Final Thoughts

Although cryptoasset fraud can be fast moving and highly distressing, victims should take confidence in the fact that recovery is often achievable. Cryptoassets leave a detailed and permanent digital trail, and with informed action, it is very possible to identify where assets have gone, preserve the position, identify those responsible, and take meaningful recovery steps. Acting quickly and seeking advice from specialist lawyers well versed with cryptoasset recovery matters is integral to giving any claim the best possible chance at success and meaningful recovery.