Cryptocurrency theft and fraud are not uncommon reasons for contacting our agency. In most cases, people fall victim to professional criminals. Even in such cases, there are chances to recover the funds.
It should be noted that significant difficulties in investigating cryptocurrency thefts are associated not only with identifying the offenders but also with collecting evidence of their criminal activities, even when they are identified. Law enforcement agencies play a crucial role in this, but they often lack the necessary expertise. Therefore, coordinating the investigation process with our involvement becomes especially important.
To provide quality service in investigating crypto incidents, our detective agency cooperates with a leading player in the CIS market, a resident company of the Russian ‘Skolkovo’ innovation center, which has extensive experience in this field and the necessary contacts among representatives of major cryptocurrency exchanges and other market players.
The agency’s team takes on part of the investigation related to OSINT and deanonymization, while blockchain analytics are handled by engaged specialists.
When investigating cryptocurrency thefts, whether targeted theft or fraud designed to affect an unlimited number of people (for example, through phishing domains of popular crypto wallets), acting within the first hours after the incident is critical to maximizing recovery chances. The very first action to take is to block the assets so that they cannot be cashed out into fiat; once they are blocked, the chances of fund recovery become as high as possible.
Below you can find a description of the service; however, if you have become a victim of a crime, we recommend contacting us as quickly as possible for consultation to undertake urgent measures for the initial analysis of the incident and response actions.
We specialize in investigating cases involving significant financial losses, with a minimum case threshold of $50,000.
This requirement is driven by two key factors:
Your active participation is essential. We take on cases only if you are willing to cooperate with law enforcement authorities.
Without their involvement, fund recovery is not possible — cryptocurrency exchanges, payment processors, and other entities used by perpetrators respond only to official requests.
In many cases, we recommend initiating criminal proceedings in multiple jurisdictions, as this significantly improves the chances of a successful outcome.
This is the question every victim asks — and understandably so. Unfortunately, it’s impossible to give a definitive answer until a thorough investigation is completed. Even if we identify and block the individuals involved, recovery is not always guaranteed. However, when the financial loss is substantial, pursuing recovery is absolutely worthwhile. We have documented cases where victims successfully regained their funds following persistent and well-structured investigative work.
So, the very first thing to do in case of cryptocurrency theft is to take measures to block the stolen assets (if possible). To do that, it is first necessary to find out where the funds ended up: on a private address, at a P2P exchanger, or on an exchange account.
Experience in investigating cryptocurrency incidents shows that in 9 out of 10 cases criminals use exchanges to cash out assets. We have direct working relationships with most major exchanges, enabling us to freeze assets quickly before they are moved further.
Therefore, after receiving a theft report, we first conduct a blockchain analysis, which is described in more detail below. Based on the analysis, a report is prepared. It is used to submit a request to the exchange (if the assets were withdrawn through it) and to file a complaint with law enforcement agencies (having such a report makes it easier for law enforcement authorities to open a criminal case and start formal proceedings). The report can be prepared in both Russian and English if you need to contact police abroad.
Depending on the specific case, actions may vary, but the general scheme for investigating cryptocurrency theft typically includes:
For investigations, we use a flagship product developed by a Russian IT company, our partner, which allows visualization of transaction graphs and identification of the final recipient of cryptocurrency, regardless of the number of chain links the perpetrator might use to obscure the trail.
A regular user sees the blockchain like this:

How we see the blockchain:

Sometimes, in pursuit of supposed anonymity, scammers create a huge number of transit cryptocurrency addresses through which stolen crypto is passed. But the tools we use allow us to identify the final recipient even in this case.
A vivid example is an investigation by our partners in which a fraudster created over 100 thousand transit addresses to confuse the trail. Such cases would be impossible to investigate using an ordinary blockchain explorer.

Our partners’ proprietary development allows detection of asset transfers between addresses and of flows through DEXs to other blockchain networks. The result of such analysis answers the question of where exactly the funds settled, whether they were withdrawn through regulated exchanges or P2P exchangers, and whether mixers were used. All this enables organizing further work with law enforcement authorities by sending appropriate requests to establish the offenders’ digital traces.
As a result of the entire work, you receive a detailed report with comprehensive information according to the specified structure. This report significantly simplifies both the process of blocking funds to prevent their withdrawal and the decision on initiating a criminal case and investigating it further.
After conducting interviews and clarifying all circumstances of the theft, in parallel with blockchain analysis, we start examining the digital traces of the fraudsters. Typically, these include messenger correspondence and websites (for example, a fake exchange site or a phishing clone of a popular cryptocurrency wallet).
Analysis of the correspondence between the victim and the criminals helps to reveal valuable information for the investigation (nicknames used, websites, messenger IDs, blockchain addresses, and other payment details). After that, all obtained data is enriched using OSINT methods.
In rare cases, the aforementioned actions are sufficient to identify the fraudsters. However, if you have fallen victim to professional criminals, usually further work is required to obtain additional leads.
Sometimes this may be the perpetrator’s IP address or other digital identifiers. But obtaining these often requires developing a full-scale operation. For this, we thoroughly study all available information about the offenders, the nature of their actions, motivations, individual characteristics, etc., with the goal of prompting a reaction in a controlled setting, which may reveal identifying information.
In our practice, there was a case in which, six months after stealing a large sum, the fraudster made only one mistake out of greed, which ultimately led to his successful identification. It’s always gratifying to receive such messages in private from the perpetrator himself when he realizes what happened:

Translation:

And a few hours before that, as a result of a successfully conducted information operation, we had learned his personal phone number and exact geolocation. That was enough.

Translation:

When our investigation uncovers digital traces that allow us to identify or approach the perpetrators, we initiate direct contact.
Such negotiations are appropriate when:
In certain cases, we conduct communication on behalf of our company, informing the offenders that law enforcement agencies and exchanges are involved in the investigation. These messages include an offer for pre-trial settlement.
The goal of this stage is to achieve a voluntary return of the stolen assets. For the offender, contact with us often represents the final opportunity to resolve the matter without court proceedings, while for the victim, it’s a chance to recover funds more quickly and efficiently.
The final stage of the investigation (if you are not ready to pay for our constant involvement at all stages) is the preparation of recommendations for further actions, including recommendations for law enforcement agencies on directing and formulating requests to the necessary authorities. Depending on the circumstances of the case, we may recommend filing a report with authorities located in:
To date, neither the Investigative Committee nor the Ministry of Internal Affairs has enough competent specialists to conduct such investigations, and our report will significantly simplify their work — only the necessary requests to exchanges, exchangers, domain registrars, and advertising platforms promoting phishing sites will need to be sent, and further measures taken after receiving responses to these requests.