This site is for educational purposes only. Nothing here constitutes financial advice.

Lesson 7 — Reporting that goes somewhere: IC3, Action Fraud, EU agencies, and exchange compliance

Most reports are filed badly and ignored. Today: how to file the report that actually triggers compliance freezes, joins pattern databases, and supports later prosecutions.

Intermediate
Evergreen
22 min read · Updated 2026-05-17 · Block Clarity Hub Editorial Team

The most common mistake after a crypto compromise isn't failing to report — it's filing reports so poorly that they get categorised, ignored, and never re-read. Reporting is a craft. A well-filed IC3 report can trigger an exchange freeze within hours; a poorly filed one disappears into the queue. This lesson is about which agencies do what, and how to file in a form that actually causes the next action.

**The FBI's Internet Crime Complaint Center (IC3)** is the primary reporting destination for US victims and a useful destination for non-US victims when the attacker, the exchange, or the on-chain pivot point has US nexus. IC3 receives over 800,000 complaints per year, of which a meaningful fraction are crypto-related. They don't investigate every report individually — they aggregate, look for patterns, and refer high-volume or high-value cases to field offices. To make your report rise above the noise: include the txhashes, the attacker addresses, the exchange where the attacker deposited (this is the actionable hook), the dollar amount in USD at the time of the incident, the vector (e.g., 'wallet drainer signature on phishing site at <URL>'), and any communications. The 'pattern of behaviour' field is where you should note whether you've seen others report the same site or address — IC3's pattern-matching benefits from cross-victim corroboration.

**Action Fraud (UK)** is the equivalent UK reporting channel, run by the City of London Police. Action Fraud's response cadence is slow but their data feeds into the National Fraud Intelligence Bureau, which does refer cases to local forces. UK victims should file at actionfraud.police.uk and, separately, contact their bank's fraud team (banks have their own compliance triggers and timelines). If significant value is involved, escalating to the local police force directly — particularly the regional cybercrime unit — sometimes accelerates the response.

**EU member-state reporting.** There is no single EU-wide crypto-fraud portal at the consumer level — each member state has its own channel. Germany: Polizei online portal (each Bundesland has its own; the BKA aggregates serious cases). France: Pharos (the Plateforme d'Harmonisation, d'Analyse, de Recoupement et d'Orientation des Signalements). Italy: Polizia Postale (which runs the country's cyber-investigations). Netherlands: Politie online. Spain: Guardia Civil's cyber unit. The European Cybercrime Centre (EC3) at Europol consolidates serious cross-border cases but doesn't accept consumer reports directly — your member-state report is what feeds upward.

**Exchange compliance teams** are the fastest-acting channel and the most under-used. If the attacker's funds passed through a major centralised exchange — which most flows still do — that exchange's compliance team can freeze the deposit if you reach them inside the cancellation window. The window varies by exchange and asset but is usually 30 to 120 minutes; it is sometimes longer for stablecoins. Use the exchange's published fraud / abuse channel, not regular customer support. Include: the txhash that landed in the exchange, the from-address (the attacker's wallet), the amount, the timestamp, and the incident summary in two sentences. A brief, factual message triggers a faster response than a narrative.

**ChainAbuse** (chainabuse.com) is a community database run jointly by major chains and analytics firms. Reporting attacker addresses there cross-pollinates to compliance teams, wallets that pull risk feeds, and other victims doing diligence on the same address. It is not a recovery channel — it is a pattern channel. Report there in addition to IC3 / Action Fraud, not instead.

**Local police** are usually the wrong first call for crypto-specific incidents because most local forces don't have the technical capability to investigate. They become the right call when (a) physical safety is also involved — wrench attacks, doxxing, swatting — or (b) total losses are large enough to justify a specialist referral. Some jurisdictions have dedicated cyber units (UK: Regional Organised Crime Units; US: state-level cybercrime taskforces) that handle the technical work; ask the desk officer for that unit rather than expecting the general officer to act.

**What makes a report rise.** Specificity. Dollar amount. On-chain hashes. Named exchanges and addresses. Date, time (UTC and local), platform. The vector in one sentence. The fewer 'I think' and 'I'm not sure' phrases, the better. Attach evidence as files where the portal allows; reference the file names in the narrative. Use plain English — investigators are not crypto experts on average, and clarity beats jargon.
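The exchange-compliance checklist and the specificity rules above can be checked mechanically before anything is sent. The following is an added example, not part of the original lesson: it assumes EVM-style `0x` identifiers, the field names and `ExampleExchange` are hypothetical, and the sample values are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumption: EVM-style identifiers (0x-prefixed hex). Other chains use other formats.
TXHASH_RE = re.compile(r"0x[0-9a-fA-F]{64}")
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")
HEDGES = ("i think", "i'm not sure")  # the phrases the lesson says to avoid
REQUIRED = ("deposit_txhash", "attacker_address", "exchange", "amount",
            "usd_value", "incident_utc", "summary")  # hypothetical field names

def lint_report(report):
    """Return a list of problems; an empty list means the fields are ready to send."""
    problems = [f"missing: {k}" for k in REQUIRED if not report.get(k)]
    for key, pattern in (("deposit_txhash", TXHASH_RE), ("attacker_address", ADDRESS_RE)):
        if report.get(key) and not pattern.fullmatch(report[key]):
            problems.append(f"{key} is not a full-length 0x hex value")
    if report.get("incident_utc"):
        try:
            ts = datetime.fromisoformat(report["incident_utc"])
            if ts.utcoffset() != timedelta(0):  # naive or non-UTC timestamps are ambiguous
                problems.append("incident_utc must be timezone-aware UTC")
        except ValueError:
            problems.append("incident_utc is not ISO 8601")
    summary = report.get("summary", "")
    sentences = [s for s in re.split(r"[.!?](?:\s+|$)", summary) if s.strip()]
    if len(sentences) > 2:
        problems.append("summary is longer than two sentences")
    problems += [f"hedging phrase: {h!r}" for h in HEDGES if h in summary.lower()]
    return problems

def render_message(report):
    """Format the brief, factual message; refuses a report that fails lint."""
    if problems := lint_report(report):
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"Deposit txhash: {report['deposit_txhash']}",
        f"From address (attacker wallet): {report['attacker_address']}",
        f"Exchange: {report['exchange']}",
        f"Amount: {report['amount']} (approx. USD {report['usd_value']:,} at time of incident)",
        f"Timestamp (UTC): {report['incident_utc']}",
        f"Summary: {report['summary']}",
    ])

# Constructed sample values; not real transactions or addresses.
GOOD = {"deposit_txhash": "0x" + "ab" * 32, "attacker_address": "0x" + "cd" * 20,
        "exchange": "ExampleExchange", "amount": "18.2 ETH", "usd_value": 30000,
        "incident_utc": "2024-09-12T21:34:00+00:00", "summary":
        "Wallet drainer signature on a phishing site. Funds went to the deposit above."}
BAD = {"summary": "I think I clicked a link and lost crypto.", "incident_utc": "2024-09-12 21:34"}
```

Run `lint_report` on a draft first; `render_message` only produces output once the list of problems is empty.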

**Realistic expectations.** Filing a report is rarely the cause of recovery. Filing is the cause of *being included in patterns that produce later prosecutions and freezes*. Recovery, when it happens for individual victims, almost always traces to exchange-compliance action in the first day (which depends on a fast, well-filed report to the exchange, not the police). Long-tail recovery occasionally comes from class-action civil suits or seizure-and-restitution actions out of federal cases — both of which depend on documented victims being on the record. Filing is the price of admission to either outcome.

Example

Two parallel cases from 2024, same vector (wallet drainer on a fake airdrop site), similar dollar value (~$30,000 each). Victim A filed an IC3 report within 90 minutes containing the txhash chain to a specific Coinbase deposit address, the attacker's primary wallet, screenshots of the phishing site, and an exchange-compliance email to Coinbase 45 minutes after the incident. Coinbase's compliance team froze the deposit at 96 minutes; about 70% of Victim A's funds were recovered. Victim B filed an IC3 report at week three, with no txhashes, no exchange reference, and 'I clicked a link and lost crypto.' The funds had cleared through three mixers by then; nothing was recoverable, and the report did not contribute to a pattern because it lacked the on-chain specifics. The technical attack was identical. The recoverability gap was entirely the speed and specificity of reporting.

Common mistakes

  • Filing once and waiting. File with IC3, the exchange, and ChainAbuse simultaneously — different channels, different speeds, different triggers.
  • Using narrative when specificity is needed. 'I lost money to a Discord scam' triggers no automation. 'Attacker wallet 0x... received 18.2 ETH at block 19234... deposited at txhash 0x... into Binance deposit address 0x... at 21:34 UTC on 2024-09-12' triggers exchange-compliance scanners immediately.
  • Skipping the exchange-compliance contact because 'the police will handle it.' Police won't reach exchange compliance in the first-day window. You have to.
  • Filing in jurisdictions that don't apply. A US victim filing with Action Fraud UK won't be helped; a UK victim filing only with IC3 misses the channel that feeds the UK banking-fraud system.
  • Including emotional commentary. Reports are read by tired investigators. Drop the narrative tone — facts only, ordered chronologically.
  • Failing to update reports with new information. If you learn the attacker also drained other victims you've now contacted, send that as a supplementary report referencing the original case number.

Check your understanding

Within the first 24 hours of a crypto compromise where the funds were deposited into a major centralised exchange, which channel is most likely to produce actual recovery?

Sources & further reading

We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.