
Lesson 6 — Evidence preservation: what to capture before it decays

Phishing sites get taken down. Discord conversations get deleted. Mixers obscure attacker wallets. The first day is when evidence is recoverable; the second day is when most of it isn't.

Intermediate · Evergreen · 22 min read · Updated 2026-05-17 · Block Clarity Hub Editorial Team

After a compromise, the chain itself preserves transaction data permanently — but almost everything else decays fast. Fake sites get taken down (sometimes by the operator, sometimes by hosting providers). Discord and Telegram conversations get deleted by the impersonator. Attacker wallets fund-shuffle through mixers within minutes. Emails get filtered or deleted. The evidence that matters for reporting, for exchange compliance, for civil litigation, and for criminal prosecution has a half-life measured in hours. This lesson is the capture playbook.

**Transaction-chain evidence** is the most durable but the easiest to under-capture. For every unauthorised transaction, record the transaction hash (txhash), the from-address, the to-address, the amount, the token contract address, the chain, and the block timestamp. Save the block-explorer URL (Etherscan, Solscan, etc.) for each transaction. If the attacker chain-hops through bridges or mixers, follow the trail one or two hops and record those hashes too — investigators downstream will appreciate that you've already mapped the immediate flow.

**Approval / signature evidence** is what proves intent in drainer cases. Most wallets log signature requests; if yours does, export the log. Screenshot the approval-viewer (revoke.cash, etherscan token-approval-checker) showing the unauthorised approvals before you revoke them — this proves what the attacker had authority to do. The signature payload itself, if you saved a wallet log, contains the EIP-712 message that authorised the attack — that is the strongest possible evidence for civil cases.

**Communication evidence** is the most volatile. Take screenshots of every relevant DM, Discord conversation, email, SMS, and call log. For email, save the full message including headers — in Gmail: Show original; in Outlook: View headers. Headers reveal the actual sending IP and routing, which is often more useful than the visible 'from' address. For Discord, screenshot the user profile alongside the conversation — once the account is reported, the profile data may be wiped. For Telegram, the same.

**Site evidence** is the second-most-volatile. Take full-page screenshots of any fake site you visited. Use a tool like SingleFile (browser extension) to save a complete static copy of the page. Note the URL and the IP address it resolved to (`nslookup` or `host` on the hostname). Capture the SSL certificate details — sometimes attackers reuse certificates across multiple fake sites, which is forensically valuable. Save any JavaScript that ran in the page if developer tools were open. Submit the URL to Google Safe Browsing, PhishTank, and Cisco Talos so other users get warned within hours.

**Device evidence** matters for malware-vector compromises. If the compromise traces to a device-level issue (malicious browser extension, compromised dev environment, etc.), preserve the device state: full-system image if technically possible (most users won't have this capability), browser-extension list, recent process logs. Don't 'clean' the device until evidence is preserved — antivirus cleanup destroys the forensic trail that would identify the malware family.

**Provenance is the meta-evidence.** For each piece of evidence captured, record when it was captured, by whom, and how. Cryptographic timestamping isn't usually necessary, but a simple log — 'captured by [name] at [UTC timestamp], stored at [location]' — makes the evidence usable in formal proceedings. The forensic principle is chain-of-custody: every piece of evidence has a known journey from the moment it was captured.

**Where to store evidence.** Three rules. One: not on the device that was compromised. Two: in at least two physical locations or services so a single accident doesn't destroy everything (a local encrypted folder plus a separate cloud provider you trust). Three: with a clear filename convention you'll understand a year later when the case is finally reviewed — `2026-05-17_phishing_email_full_headers.eml`, not `screenshot_482.png`.
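The transaction record, the custody log and the filename convention from the three sections above, as an added example that is not part of the lesson; the explorer URL layouts are assumed, and every hash and address in it is a constructed placeholder:

```python
"""Transaction-evidence record plus chain-of-custody log. Added example, not
from the lesson: captures the per-transaction fields the lesson lists, derives the
explorer URL, and logs who captured each file, when (UTC), where it is stored and
its SHA-256. Explorer URL layouts are assumed; all hashes/addresses are constructed."""
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

EXPLORERS = {"ethereum": "https://etherscan.io/tx/{tx}", "solana": "https://solscan.io/tx/{tx}"}

@dataclass
class TxRecord:
    chain: str
    txhash: str
    from_addr: str
    to_addr: str
    amount: str           # string, not float: no rounding of token amounts
    token_contract: str
    block_timestamp: str  # ISO-8601 UTC as shown by the explorer
    hop: int              # 0 = the unauthorised tx, 1.. = downstream hops you followed
    def explorer_url(self) -> str:
        return EXPLORERS[self.chain].format(tx=self.txhash)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evidence_filename(date: str, what: str, ext: str) -> str:
    """Lesson's convention: YYYY-MM-DD_what.ext, never screenshot_482.png."""
    return f"{date}_{what}.{ext}"

def custody_entry(filename: str, content: bytes, captured_by: str, stored_at: str) -> dict:
    """One chain-of-custody line: captured by whom, when, stored where, and file hash."""
    return {"file": filename, "sha256": sha256_hex(content), "captured_by": captured_by,
            "captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "stored_at": stored_at}

def build_manifest(txs, files: dict, captured_by: str, stored_at: str) -> dict:
    txs = sorted(txs, key=lambda t: t.hop)  # hop 0 first, then the trail you followed
    return {"transactions": [dict(asdict(t), explorer_url=t.explorer_url()) for t in txs],
            "custody": [custody_entry(n, c, captured_by, stored_at) for n, c in files.items()]}

def demo() -> dict:
    # Constructed sample incident: the drain (hop 0) and the first downstream hop.
    token = "0x" + "cc" * 20
    drain = TxRecord("ethereum", "0x" + "ab" * 32, "0x" + "11" * 20, "0x" + "22" * 20,
                     "1500", token, "2026-05-17T09:14:00+00:00", 0)
    hop1 = TxRecord("ethereum", "0x" + "cd" * 32, "0x" + "22" * 20, "0x" + "33" * 20,
                    "1500", token, "2026-05-17T09:21:00+00:00", 1)
    files = {evidence_filename("2026-05-17", "approvals_before_revoke", "png"): b"<png bytes>"}
    return build_manifest([hop1, drain], files, "victim", "encrypted local folder + cloud B")
```

Write the returned manifest out as JSON next to the captured files, on a device other than the compromised one.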

Example

A 2024 case study from a Chainalysis Reactor case file: a victim of a drainer attack captured their txhash within 20 minutes, the attacker address, and the receiving exchange's deposit address that was the next on-chain hop. They also screenshotted the Etherscan token-approval page showing the spender address before revoking. With this evidence package, the exchange's compliance team — receiving the report 90 minutes after the incident — was able to freeze the deposit before it cleared internal settlement. About 60% of the original loss was recovered. A similar case without the txhash chain and approval evidence was filed three days later; the funds had moved through three mixers and one cross-chain bridge by then, and nothing was recoverable. The preservation discipline didn't change the technical attack — it changed which side of the recovery line the case fell on.

Common mistakes

  • Capturing only the first transaction. Attackers chain-hop quickly; the next two hops are usually the recoverable points.
  • Screenshotting without URLs and timestamps in the frame. A screenshot of a fake site without the URL bar visible is worth much less than one with it.
  • Saving evidence to the same device that was compromised. Move evidence off the affected device immediately.
  • Cleaning malware off a device before forensic capture. Antivirus removal destroys evidence that identifies the malware family and the actual entry vector.
  • Underestimating email headers. The visible 'from' is trivially forgeable; the headers contain the actual routing IPs, the SPF/DKIM/DMARC outcomes, and the real origin domain.
  • Discarding evidence because 'they'll never catch the attacker anyway.' Evidence has cumulative value — your case may be the one that joins a pattern an agency is already tracking, and the attacker's prior victims may collectively fund a civil action.
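The header triage described in the communication-evidence section and in the 'underestimating email headers' mistake above, as an added example that is not part of the lesson: it reads a saved .eml and pulls out what the visible 'from' hides. The sample message, and every host, IP and domain in it, is constructed.

```python
"""Triage of a saved .eml (Gmail 'Show original' / Outlook 'View headers').
Added example, not from the lesson. Shows what the full headers reveal that the
visible From does not: the envelope sender, the hop-by-hop routing IPs and the
SPF/DKIM/DMARC results. The message, hosts, IPs and domains are constructed."""
import email
import re
from email import policy

SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.victim-mail.example (mx.victim-mail.example [198.51.100.7])
 by inbox.victim-mail.example; Sun, 17 May 2026 08:02:11 +0000
Received: from sender-host.example.net (sender-host.example.net [203.0.113.45])
 by mx.victim-mail.example; Sun, 17 May 2026 08:02:10 +0000
Authentication-Results: mx.victim-mail.example;
 spf=pass smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail header.from=support.legit-wallet.example
From: "Legit Wallet Support" <help@support.legit-wallet.example>
To: victim@victim-mail.example
Subject: Urgent: re-verify your wallet
Content-Type: text/plain

(body omitted from this constructed sample)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain if from_hdr and from_hdr.addresses else None
    m = re.search(r"@([\w.-]+)", str(msg.get("Return-Path", "")))
    envelope_domain = m.group(1) if m else None
    # Each relay prepends its own Received line: first = nearest to you, last = origin.
    found = [IP_RE.search(h) for h in msg.get_all("Received", [])]
    route = [f.group(1) for f in found if f]
    auth = dict(AUTH_RE.findall(" ".join(msg.get_all("Authentication-Results", []))))
    return {
        "visible_from_domain": from_domain,
        "envelope_from_domain": envelope_domain,
        "route_ips": route,
        "origin_ip": route[-1] if route else None,
        "auth": auth,
        # From domain differing from the envelope sender, plus dmarc=fail: record it.
        "sender_mismatch": envelope_domain is not None and envelope_domain != from_domain,
    }
```

Record the returned dictionary alongside the .eml itself; the raw file, not the summary, is the evidence.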

Check your understanding

You've just been the victim of a drainer attack. Among the evidence types you can capture, which has the shortest 'capture half-life' — meaning it decays from useful to useless fastest?
