How a Crypto-Recovery Case Is Built: Five Scam Patterns and What Brings the Money Back

Most people meet us on the worst day of their financial lives. What happens next isn’t magic — it’s casework: intake, a trace, a freeze, and an honest read on what can actually be recovered. Here is how a crypto-recovery case is built, and the five patterns behind most of the files that cross our desk.

01 /It starts with intake — and the clock

Every recoverable case has one thing in common: someone acted before the trail went cold. The first 48 hours after a crypto theft decide a surprising amount, because stolen funds rarely sit still. They get swapped, bridged, and split, and a share of them lands — briefly — at a regulated exchange where they can still be reached.

So intake isn’t paperwork. It’s a race to fix the facts while they’re fresh: when control was lost, which wallets and platforms were involved, and every transaction hash we can pull. The cases that recover the most are almost always the ones that reached an investigator quickly. If you’re reading this in the middle of one, you can open a case and we’ll start from exactly there.

02 /The five patterns we see most

Crypto fraud reinvents its surface constantly, but the underlying mechanics are stubbornly familiar. These five account for most of what comes through the door. Each one links to a full, illustrative case file showing how the scam worked and what we were able to return — the figures are mixed on purpose, because honest outcomes are.

03 /The trace: following money off the platform

Once funds leave a wallet or exchange, they leave a record. A trace reads that record — the swaps through decentralised exchanges, the hops across bridges, the splits into fresh wallets — and separates the legs that stay reachable from the ones that don’t. Funds routed into a mixer within minutes set a low ceiling; funds that pause at a custodial address give us something to hold.

This is also where we tell people the truth early. A trace can show exactly where stolen crypto went and still not be able to bring all of it back. Knowing the difference is the job.

04 /The freeze: where money actually comes back

Recovery is rarely about “hacking back.” It’s about reaching the point where stolen value re-enters the regulated system — a KYC’d exchange deposit, a card-payment processor, a bank rail — and presenting a clean evidence trail to the people who can hold it. A timely, well-documented trace filed with the right compliance desk is the single most durable lever we have.

For mixed-method scams, like the fake-CFD case in our files, that means running two tracks at once: chargebacks on the card legs and an on-chain freeze on the crypto legs. The recovered total is what survives across both.

05 /The honest part

We don’t promise a number we can’t reach, and we never ask for an up-front “release fee” — that demand is itself one of the scams we investigate. Real outcomes range widely: some files recover most of the loss because someone moved fast and the money paused at an exchange; others recover a partial share because a drainer reached a mixer in the first block. Both are in our case studies, on purpose.

If there’s one takeaway, it’s that speed and evidence beat almost everything else. Here’s what to do before you talk to anyone.

• HOUR 0 Stop all contact with the platform and stop sending money — especially any “fee” to release funds.
• HOUR 0 Screenshot everything: dashboards, chats, wallet addresses, and transaction hashes.
• HOUR 1 Secure your phone number, email, and exchange accounts; revoke any live token approvals.
• HOUR 6 Record every transaction hash and destination address you can find — the on-chain trail is your evidence.
• HOUR 24 Report card legs to your bank and the theft to law enforcement; keep the reference numbers.
• HOUR 48 Bring it to investigators while the trail is fresh and funds may still sit at a cash-out point.