

Crypto Security Bootcamp, Lesson 8 of 8 (~22 min)

Lesson 8 — Incident response: the first 60 minutes

Compromise indicators, triage order, evidence preservation, who to call — and why the wave of 'recovery experts' arriving 24 hours later is a second scam.

Intermediate | Evergreen | 22 min read | Updated 2026-05-17 | Block Clarity Hub Editorial Team

If you are compromised, the first 60 minutes determine how much you keep. This lesson is the playbook: how to recognise it is happening, the order to act, what to preserve before it decays, who to call, and how to ignore the recovery-scam wave that will arrive within hours.

Recognise compromise early. The indicators that matter: outbound transactions on a wallet you did not sign for; unexpected login alerts from exchanges; sudden loss of cellular service (SIM swap signal); password-reset emails you did not request; password-reset emails you cannot read because the inbox now has rules forwarding them somewhere; new browser extensions you did not install; new SSH keys, new email forwarding rules, new browser sync devices. Check all of these the moment something feels off. Most compromises announce themselves through at least one of these signals minutes or hours before the loss completes.
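Several of the indicators above (new SSH keys, new email forwarding rules, new browser extensions) are only visible as a difference from a known-good state, so the practical habit is to keep a baseline snapshot and diff against it. The script below is an added example, not the lesson's own code: it fingerprints each key in an authorized_keys file the way ssh-keygen does, treats forwarding rules and extension IDs as plain sets, and reports only the categories that changed. All inputs are constructed sample strings (placeholder keys, rule names and extension IDs) so it runs offline; in use you would feed it your baseline snapshot and a fresh export.

```python
"""Baseline drift check for the persistence indicators the lesson names.

Added example (not the lesson's own code). All samples below are constructed.
"""
import base64
import hashlib
from typing import Dict, Set

# Key-type prefixes found in authorized_keys lines (options may precede them).
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-")


def ssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> Dict[str, str]:
    """Map fingerprint -> comment for every key line; blank and '#' lines are skipped."""
    keys: Dict[str, str] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
                keys[ssh_fingerprint(tokens[i + 1])] = " ".join(tokens[i + 2:])
                break
    return keys


def drift(baseline: Set[str], current: Set[str]) -> Dict[str, Set[str]]:
    """What appeared and what disappeared relative to the baseline."""
    return {"added": current - baseline, "removed": baseline - current}


def check_indicators(baseline: Dict[str, Set[str]],
                     current: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Return only the categories where something changed."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for category in sorted(baseline.keys() | current.keys()):
        d = drift(baseline.get(category, set()), current.get(category, set()))
        if d["added"] or d["removed"]:
            report[category] = d
    return report


# --- constructed samples: placeholder keys, rule names and extension IDs ---
BASELINE_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOsUP7aP1k6bCG3q0H9jl9yH2+2w9m6k1U3p3nW7dXm laptop\n"
)
CURRENT_KEYS = BASELINE_KEYS + (
    "# a second key the owner never added (constructed)\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf1Q1o9vD3z5Jw0Y2k8e1qG3Xo5n7mKq2lTq9s1vUo4 root@unknown\n"
)
BASELINE_RULES = {"label:newsletters"}
CURRENT_RULES = {"label:newsletters",
                 "forward:*@exchange-placeholder.example -> drop@attacker.invalid"}
EXTENSIONS = {"placeholder-extension-id-1", "placeholder-extension-id-2"}


def run_check() -> Dict[str, Dict[str, Set[str]]]:
    """Run the comparison on the constructed samples and return the change report."""
    baseline = {
        "ssh_authorized_keys": set(parse_authorized_keys(BASELINE_KEYS)),
        "email_forwarding_rules": set(BASELINE_RULES),
        "browser_extensions": set(EXTENSIONS),
    }
    current = {
        "ssh_authorized_keys": set(parse_authorized_keys(CURRENT_KEYS)),
        "email_forwarding_rules": set(CURRENT_RULES),
        "browser_extensions": set(EXTENSIONS),  # unchanged, so it should not appear
    }
    return check_indicators(baseline, current)


if __name__ == "__main__":
    comments = parse_authorized_keys(CURRENT_KEYS)
    for category, changes in run_check().items():
        for item in sorted(changes["added"]):
            print(f"NEW  {category}: {item} {comments.get(item, '')}".rstrip())
        for item in sorted(changes["removed"]):
            print(f"GONE {category}: {item}")
```

Run on the samples it flags one new SSH key and one new forwarding rule and stays silent about the unchanged extensions; the point of keying SSH entries by fingerprint rather than by comment is that an attacker can reuse a harmless-looking comment, but cannot reuse your key material.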

Triage in this order: stop the bleeding, then preserve evidence, then report. Stop-the-bleeding means immediate revocation of token approvals (revoke.cash from a clean device), moving any remaining funds in compromised wallets to a known-clean wallet on a known-clean device, changing email passwords from a known-clean device, locking exchange accounts, and contacting your mobile carrier to suspend the SIM that may have been swapped. Order matters — every second of delay is more value drained. Do not log into a potentially compromised wallet on a potentially compromised device to 'check what happened.' Use a clean phone or laptop.

Preserve evidence before it decays. Screenshots of every relevant page, every transaction hash, every email or DM the attacker sent, every URL of any site you interacted with in the relevant window, every wallet address involved, exact timestamps. Save them to a folder on a device that is not the compromised one. This evidence is what law-enforcement reports, exchange-fraud desks, and blockchain-analytics firms (if you later engage one through proper channels) will work from. Scammers also delete their accounts and domains within hours of detection — capture now or lose forever.
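A folder of screenshots is only useful to a fraud desk or an analytics firm if its contents can be shown to be unaltered since capture and if the identifiers in it are copied correctly. The script below is an added example, not the lesson's own code: it hashes every saved artefact, bundles the hashes with the structured facts (transaction hashes, addresses, URLs, timeline) into one JSON manifest, rejects malformed identifiers at capture time, and can later verify that nothing in the folder was altered or lost. The identifier checks assume EVM-style hex transaction hashes and addresses (other chains need their own patterns), and the artefacts, hash, address, URL and timeline values are constructed placeholders.

```python
"""Tamper-evident evidence manifest for the preservation step.

Added example (not the lesson's own code). Sample artefacts and identifiers are constructed.
"""
import hashlib
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple

# Assumes EVM-style identifiers; adjust for other chains.
EVM_TX_RE = re.compile(r"^0x[0-9a-fA-F]{64}$")
EVM_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def is_valid_tx_hash(s: str) -> bool:
    return bool(EVM_TX_RE.match(s))


def is_valid_address(s: str) -> bool:
    return bool(EVM_ADDR_RE.match(s))


def sha256_file(path: Path) -> str:
    """Stream the file so large screen recordings do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, tx_hashes: List[str], addresses: List[str],
                   urls: List[str], timeline: List[Dict[str, str]]) -> dict:
    """Hash every file in the folder and bundle it with the structured facts.

    Malformed identifiers raise immediately: a mistyped hash or address is
    useless to a fraud desk, so catch it while the source page is still open.
    """
    bad = [x for x in tx_hashes if not is_valid_tx_hash(x)] + \
          [x for x in addresses if not is_valid_address(x)]
    if bad:
        raise ValueError(f"malformed identifiers, re-copy them: {bad}")
    files = {
        p.name: {"sha256": sha256_file(p), "bytes": p.stat().st_size}
        for p in sorted(evidence_dir.iterdir())
        if p.is_file() and p.name != "manifest.json"
    }
    return {
        "created_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": files,
        "tx_hashes": tx_hashes,
        "addresses": addresses,
        "urls": urls,
        "timeline": timeline,
    }


def verify_manifest(manifest: dict, evidence_dir: Path) -> List[str]:
    """Return a list of problems (missing files, changed hashes); empty means intact."""
    problems: List[str] = []
    for name, rec in manifest["files"].items():
        p = evidence_dir / name
        if not p.is_file():
            problems.append(f"{name}: missing")
        elif sha256_file(p) != rec["sha256"]:
            problems.append(f"{name}: hash mismatch (file altered)")
    return problems


def demo() -> Tuple[dict, List[str], List[str]]:
    """Build a manifest over constructed artefacts, verify it, then detect a later edit."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "attacker-dm.txt").write_text("Constructed sample DM: 'this is support, sign here to verify'\n")
        (d / "screenshot-01.png").write_bytes(b"\x89PNG constructed placeholder bytes")
        manifest = build_manifest(
            d,
            tx_hashes=["0x" + "ab" * 32],                    # constructed placeholder hash
            addresses=["0x" + "cd" * 20],                    # constructed placeholder address
            urls=["https://phishing-domain.invalid/claim"],  # placeholder URL
            timeline=[{"utc": "2000-01-01T00:00:00Z",        # placeholder timestamp
                       "event": "unexpected outbound transaction noticed"}],
        )
        (d / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
        before = verify_manifest(manifest, d)
        (d / "screenshot-01.png").write_bytes(b"edited after the fact")  # simulate tampering
        after = verify_manifest(manifest, d)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2, sort_keys=True))
    print("intact at capture:", before == [])
    print("after edit:", after)
```

Copy the manifest along with the folder to the device that is not the compromised one; the hashes let anyone you later report to confirm the artefacts match what you captured, and the timeline field gives them the exact-timestamp record the lesson asks for in one place.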

Report through the right channels. In the US: file with the FBI IC3 (ic3.gov), report to the FTC (reportfraud.ftc.gov), and contact your exchange's fraud department directly via the official site (never an emailed link). In the UK: Action Fraud (actionfraud.police.uk) and your bank if any fiat moved. In the EU: your national police's cybercrime unit and, depending on jurisdiction, the relevant data-protection authority if personal data was involved. Add any malicious addresses to Chainabuse (chainabuse.com), the community database. None of these channels guarantees recovery; they create the entries on the record that may eventually let funds be traced or similar future attacks be blocked.

Within hours of any public crypto incident, you will be contacted by 'recovery experts,' 'ethical hackers,' 'crypto lawyers,' and 'IRS specialists' offering to recover your funds for an upfront fee. They are a second scam — specifically, an entire ecosystem of operators who watch for victim-disclosure posts and engage immediately. There is no legitimate service that recovers stolen crypto for a fee. Real recovery, when it happens, happens through law enforcement seizing funds at off-ramps after attackers eventually try to cash out, sometimes months or years later. Anyone offering to recover funds within days or weeks for a payment is selling you a second loss. Block, do not engage, do not pay.

Example

The Federal Trade Commission has issued repeated warnings (2022, 2023, 2024) about the recovery-scam wave that targets prior victims. The pattern is consistent: a 'recovery firm' contacts the victim through email, LinkedIn, or a comment on a post where they disclosed the original loss; promises a 30-90 percent recovery rate; requests an upfront 'retainer' or 'wallet-unfreezing fee'; collects the payment; and either disappears or strings the victim along through further fees until the victim stops paying. Documented losses to recovery scams specifically run into the hundreds of millions of dollars per year — second-order losses on top of the original theft. The rule that defends against the entire category: legitimate fund recovery never requires an upfront payment from the victim.

Common mistakes

  • Logging into the compromised account from the compromised device to 'see what is going on.' This often gives the attacker your fresh session and additional cookies.
  • Talking publicly about a loss in detail (amount, exchange, wallet address, time) while it is still developing. You broadcast everything the recovery scammers need to target you.
  • Skipping the evidence-preservation step in panic, then having no record of the attacker's communications when you do report.
  • Engaging with 'recovery firms' that contact you within 72 hours of the incident. The faster they showed up, the more certainly they are running the second scam.
  • Not reporting because 'it would not help.' The reports do not always recover the funds, but they feed into law-enforcement and analytics work that occasionally seizes attacker wallets months later — and your report may be exactly what links your incident to a known operator.

Safety warning

If your phone suddenly has no signal and you have crypto on exchanges, the most important action in the next ten minutes is to get to a known-clean computer or another phone, log into your accounts, change the passwords, and disable phone-based recovery. SIM-swap attacks are usually executed against several of your accounts in rapid sequence. Speed is everything.

Check your understanding

Six hours after a wallet drain, someone messages you on LinkedIn claiming to be a 'crypto recovery specialist' who can recover your funds for a $2,000 retainer. What is the correct response?


Sources & further reading

We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.
