
Lesson 5 — The first 24 hours: the irreversible window

After a compromise, most recoverable value is won or lost in the first day. Today: the triage order, what to stop, what to preserve, what to delay.

Intermediate
Evergreen
22 min read · Updated 2026-05-17 · Block Clarity Hub Editorial Team

Crypto incidents are not like credit-card incidents. There is no central authority that can reverse the transaction. The compromise window — the time between the attack starting and you stopping it — is when the entire defensive game happens. After that window closes, the chain has already recorded the loss and the chain doesn't accept arguments. This lesson is the playbook for the 24 hours after you realise something is wrong.

Minute zero: the trigger. You notice an outbound transaction you didn't sign, an unfamiliar device logged into your exchange account, a hardware wallet that no longer prompts for the PIN it should, or your phone losing cellular service unexpectedly. Whatever the signal, the assumption from this point forward is that the attack is ongoing — the funds you can still see may be moving in the next minutes. Behave accordingly.

**Step 1 (first 10 minutes): stop the bleeding.** Move off the potentially compromised device. If your laptop or phone has any chance of being the source, use a different, known-clean device for everything that follows. Then work out which of two situations you are in, because the response differs. If the loss came from an approval you were tricked into signing, open Revoke.cash or your wallet's approvals viewer and revoke every outstanding token approval on the affected wallet, unknown spenders first (gas allowing). If the seed phrase or private key itself is compromised, revoking is pointless: the attacker can sign whatever they like, and any gas you deposit to pay for revocations can be swept before your transaction lands, so skip straight to moving what remains (Step 2). In either case, moving assets out of the affected wallet also defeats an approval, since an allowance only lets the spender take what the wallet still holds; revoke afterwards so that anything arriving later is not taken as well. If the wallet is on a hardware device, disconnect it. If exchange credentials were compromised, change the password from the clean device, terminate all active sessions in security settings, disable or delete API keys, and check the withdrawal address whitelist and any pending withdrawals for entries you did not create.

**Step 2 (next 30 minutes): isolate.** Identify which wallets and accounts could be reached from the compromised credential. A seed-phrase compromise reaches every derivation from that seed across every chain; that may be 20 wallets across 10 EVM chains, and because the same EVM address exists on every chain, an empty balance on one chain says nothing about the others. A device compromise reaches anything that wallet ever signed for. An email compromise reaches anything that uses that email for password reset. An attacker with one foothold usually pivots; assume pivot until proven otherwise. Then move everything you still control to fresh wallets generated on the clean device: first whatever still sits in the compromised wallet (the attacker may not have swept it yet, and each transfer is a race, so send the highest-value asset first), then the holdings of every other wallet the credential could reach. Never reuse the compromised seed, even for an address that looks untouched.

**Step 3 (next hour): preserve evidence.** Take screenshots of the unauthorised transactions, the unfamiliar logins, the suspicious DMs, the fake site URLs. Record transaction hashes verbatim, together with the recipient address and block number: the chain is the one durable record, and those three values will still resolve in a year when everything around them has been taken down. Save the URLs you visited. If a wallet UI shows the fake approval request, screenshot it. Note timestamps, with time zone. Save the original phishing email with headers (in Gmail: Show original). The clock on evidence preservation runs faster than people expect: fake sites get taken down within hours, attacker addresses move funds through mixers within minutes, Discord servers delete conversations when reported. Capture everything now, organise it later.

**Step 4 (next two hours): notify counterparties.** Contact every exchange the compromised credential could reach. Most exchange compliance teams can cancel a withdrawal that is still queued if you reach them inside the processing window, typically 30 to 60 minutes, sometimes longer. Provide the transaction hashes and your account details. Be brief and factual. If the on-chain trail shows the stolen funds landing at a deposit address belonging to an exchange, report that to the receiving exchange as well, with the hashes: it can freeze the destination account, and the deposit transaction is the evidence. If you have lost SIM service, also contact your mobile carrier to lock the account against further porting (a port-out PIN or account lock, where offered) and verify what already happened.

**Step 5 (next four hours): file the formal reports.** US: FBI IC3 at ic3.gov. UK: Action Fraud at actionfraud.police.uk. EU: each member state has its own portal (Polizei in Germany, Polizia Postale in Italy, etc.); the EU's eCRIME portal is the rough equivalent of IC3 for cross-border cases. Provide all evidence preserved in Step 3. The next lesson covers what makes these reports actually trigger action.

**Step 6 (next 24 hours): refuse contact from recovery services.** Within hours of any compromise becoming publicly visible — even just by you posting in r/CryptoCurrency — you will start receiving DMs and emails from 'recovery specialists' offering to recover the funds for an upfront fee. Every single one of these is a recovery scam. We cover the pattern in detail in Lesson 8. The blanket rule: no legitimate recovery operates by upfront payment from the victim, in the first day or any day. Block these contacts and document them.

**What not to do in the first 24 hours.** Don't try to outsmart the attacker by sending a transaction that might 'unlock' your funds; such attempts routinely lose more money, usually by feeding gas to an address the attacker already controls. Don't pay 'unlock fees' on the platform that drained you; that is stage 6 of pig-butchering and works identically post-incident. Don't delete the wallet or the conversations or the phishing email; evidence will be needed. Don't blame the victim if you're supporting one: the only thing that matters in the first 24 hours is action, and shame inhibits action.
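The approval branch of Step 1, including the caveat that gas for a revoke must come from the compromised address, as an added example that is not the site's code and not Revoke.cash: a Python script that replays ERC-20 Approval event logs for the victim address to find which allowances are actually still outstanding, orders the revocations (unknown spenders first, unlimited allowances before bounded ones) and ABI-encodes the approve(spender, 0) call each one needs. The victim, token, router and drainer addresses and the log entries are constructed for this lesson; the Approval topic hash and the approve selector are the standard ERC-20 values. In practice the log list would come from an eth_getLogs query filtered on the Approval topic and the owner address.

```python
"""Outstanding-approval triage for a drained EVM address, from raw Approval logs.

Added example for this lesson (not Revoke.cash code and not the site's own).
Every address and log entry below is constructed; only the topic hash and the
function selector are real ERC-20 constants.
"""

# keccak256("Approval(address,address,uint256)"): the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# first four bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "0x095ea7b3"
UNLIMITED = 2**256 - 1  # the "infinite" allowance most dapps request

# Hypothetical addresses (constructed, not real deployments)
VICTIM = "0x" + "11" * 20
DEX_ROUTER = "0x" + "22" * 20   # a legitimate spender the victim uses
DRAINER = "0x" + "66" * 20      # spender granted by the phishing signature
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20


def pad_address(addr: str) -> str:
    """Left-pad a 20-byte address to the 32-byte word used in topics and calldata."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Recover the address from an indexed 32-byte topic."""
    return "0x" + topic[-40:].lower()


def approval_log(token, owner, spender, value, block, index):
    """Build one log entry in the shape eth_getLogs returns (constructed; ints, not hex, for block/index)."""
    return {
        "address": token,
        "topics": [APPROVAL_TOPIC, pad_address(owner), pad_address(spender)],
        "data": "0x" + format(value, "064x"),
        "blockNumber": block,
        "logIndex": index,
    }


SAMPLE_LOGS = [
    approval_log(TOKEN_A, VICTIM, DEX_ROUTER, UNLIMITED, 100, 3),       # normal dapp use
    approval_log(TOKEN_B, VICTIM, DEX_ROUTER, 500 * 10**18, 150, 0),
    approval_log(TOKEN_B, VICTIM, DEX_ROUTER, 0, 200, 1),               # victim revoked this earlier
    approval_log(TOKEN_A, VICTIM, DRAINER, UNLIMITED, 300, 7),          # the phishing approval
    approval_log(TOKEN_B, VICTIM, DRAINER, UNLIMITED, 300, 8),
    approval_log(TOKEN_A, "0x" + "99" * 20, DRAINER, UNLIMITED, 301, 0),  # another owner, ignored
]


def outstanding_allowances(logs, owner):
    """Replay Approval events in chain order; the last value per (token, spender) wins.

    Only non-zero results are returned: an allowance the owner already set back
    to 0 is not outstanding, even though an older Approval log for it exists.
    """
    owner_topic = pad_address(owner)
    current = {}
    for entry in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        topics = entry["topics"]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC or topics[1] != owner_topic:
            continue
        key = (entry["address"].lower(), topic_to_address(topics[2]))
        current[key] = int(entry["data"], 16)
    return {k: v for k, v in current.items() if v > 0}


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector + padded spender + zero amount."""
    return APPROVE_SELECTOR + pad_address(spender)[2:] + "0" * 64


def revoke_plan(allowances, trusted=frozenset()):
    """Order revocations: unknown spenders first, unlimited allowances before bounded ones.

    Each entry is one transaction the owner signs from a clean device, sent to
    `token`. Gas must come from the compromised address itself, so if the
    private key (not just an approval) is compromised, skip this and sweep
    the remaining funds out instead.
    """
    def priority(item):
        (_token, spender), value = item
        return (spender in trusted, value != UNLIMITED)

    return [
        {"token": token, "spender": spender, "allowance": value,
         "calldata": revoke_calldata(spender)}
        for (token, spender), value in sorted(allowances.items(), key=priority)
    ]


if __name__ == "__main__":
    allowances = outstanding_allowances(SAMPLE_LOGS, VICTIM)
    for step in revoke_plan(allowances, trusted={DEX_ROUTER}):
        print(f"approve({step['spender']}, 0) on {step['token']}  allowance={step['allowance']}")
```

Run as a script it prints the three revoke calls in priority order, the two drainer allowances before the router's. The TOKEN_B allowance to the router is correctly absent: the last Approval event per (token, spender) pair is what counts, which is why the logs are replayed in block and log-index order rather than de-duplicated, and why a tool that only lists "every spender ever approved" overstates the exposure.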

Example

A documented timeline from a 2023 case: a user notices at 8:47 PM that 18 ETH has moved from their hot wallet to an unfamiliar address. By 8:50 PM they have switched to a different laptop and revoked every approval on the affected wallet. By 8:55 PM they have moved the remaining $4,200 in tokens and one unrelated NFT (whose contract was not approved) to a fresh wallet. By 9:10 PM they have screenshot the unauthorised transaction, copied the recipient address, and saved the txhash. By 9:30 PM they have contacted Binance (where the attacker's address had a corresponding deposit address) and IC3 has logged their report. The 18 ETH moved through Tornado Cash within four hours and was unrecoverable, but everything else, the $4,200 in tokens and the NFT, was saved by the 23-minute response. The user's later post-mortem identified the original vector as a malicious browser extension installed two months earlier. The story isn't the loss; it's the speed of containment.

Common mistakes

  • Continuing to operate on the potentially compromised device while triaging. The first move is always to a different, known-clean machine.
  • Spending the first hour figuring out 'how it happened.' Forensic understanding is for later; the first hour is for stopping further loss.
  • Trying to 'rescue' funds by sending gas to a wallet whose key may be compromised. Attackers routinely leave an automated sweeper watching such addresses; a gas top-up is typically drained within seconds, before the rescue transaction confirms.
  • Posting the compromise publicly before notifying exchanges. Public posting alerts the recovery-scam ecosystem instantly.
  • Failing to preserve evidence because 'the police won't do anything anyway.' Evidence has value even if the immediate report doesn't lead to recovery — it builds the pattern for later prosecutions, it supports insurance claims where applicable, and it informs your bank's compliance teams.

Safety warning

Nothing in this lesson constitutes financial or legal advice. If a compromise involves significant value, contact a qualified attorney in your jurisdiction promptly — many actions in the first 24 hours have legal as well as operational consequences.

Check your understanding

You notice at 9:00 PM that one of your wallets has had an unauthorised outflow of significant value. In the first 10 minutes, which action takes priority?
