First 24 hours after a crypto theft: the checklist that actually matters

Victims are flooded with contradictory advice. This post orders actions by leverage: safety first, then evidence, then professional help. Pair with our case process and tracing primer.

Hour zero: stop the bleeding

If any devices or seed material may be compromised, assume active access. Move surviving assets to a new wallet generated on a clean device if you can do so safely. Revoke suspicious token approvals on EVM chains where tooling exists. Rotate email passwords and exchange 2FA—not “later today,” now—because many thefts include session or SIM-adjacent follow-on attacks.

Do not install random “crypto cleaner” or “wallet repair” executables. Malware campaigns specifically target people who Google “I was hacked” minutes after a loss. If you are unsure whether your laptop is clean, use a different machine for banking and exchange logins until you have guidance.

Preserve a defensible story

Write a single chronological narrative while memory is fresh: what you clicked, what you signed, which addresses you controlled, approximate timestamps, and every transaction hash you can find. Screenshot fraudulent sites with the URL bar visible; archive pages with reputable archive tools if they are still online. Export chat logs with scammers before blocking them—lawyers and investigators need the full thread, not paraphrases.

Transaction hashes are the backbone of blockchain tracing. Collect outbound hashes from your wallet history; if you only have an explorer screenshot, transcribe the hash carefully—one wrong character wastes analyst time.

Reporting and platform tickets

File reports with local police or national fraud portals as your jurisdiction recommends, and open abuse tickets with any involved custodial platform the same day if applicable. These queues are slow, but early timestamps help. Read our companion post on where to report crypto scams for a fuller map.

Before you pay a “recovery” stranger

Impersonators monitor public posts. Anyone who DMs offering instant recovery, demands your seed phrase, or asks for a second crypto payment to “release” frozen funds is almost certainly extending the scam. Legitimate firms scope work in writing. Our FAQ lists additional red flags.

When to bring in specialists

If more than a trivial amount is gone, or funds moved through bridges and DEX aggregators, DIY explorer clicking rarely produces a package strong enough for exchanges or counsel. Early professional tracing can identify CEX touchpoints before hot wallets are swept onward—without promising outcomes nobody can guarantee. Contact us for a structured intake.