Thefts and fraud involving cryptocurrencies are not uncommon reasons for contacting our agency. In most cases, people fall victim to professional criminals. Even in such cases, there are chances to recover the funds.
It should be noted that significant difficulties in investigating cryptocurrency thefts are associated not only with identifying the perpetrators but also with collecting evidence of their criminal activities, even when they are identified. Law enforcement agencies play a crucial role in this, but they often lack the necessary expertise. In this regard, coordinating the investigation process with our involvement becomes especially important.
To provide quality service in investigating crypto incidents, our detective agency cooperates with a leading player in the CIS market, a Skolkovo resident company, which has extensive experience in this field and the necessary contacts among representatives of major cryptocurrency exchanges and other market players.
The agency’s team takes on part of the investigation related to OSINT and deanonymization, while blockchain analytics are handled by engaged specialists.
In matters of investigating cryptocurrency thefts, whether targeted theft or fraud designed to affect an unlimited number of people (for example, through phishing domains of popular crypto wallets), rapid response to the incident is especially critical. The very first action to take is to block the assets to prevent their conversion into fiat currency, after which the chances of fund recovery become as high as possible.
Below you can find a description of the service; however, if you have become a victim of a crime, we recommend contacting us as quickly as possible for consultation to undertake urgent measures for the initial analysis of the incident and response actions.
So, the very first thing to do in case of cryptocurrency theft is to take measures to block it (if possible). First, it is necessary to find out where the funds ended up: at a private address, at a P2P exchanger, or in an exchange account.
Experience in investigating cryptocurrency incidents shows that in 9 out of 10 cases criminals use exchanges to cash out assets. We have established contacts with most of these, allowing us to quickly block funds and prevent further withdrawals.
Therefore, after receiving a theft report, we first conduct a blockchain analysis, the details of which we will describe further. Based on the analysis, a report is prepared, which is used to submit a request to the exchange (in case the assets were withdrawn through it), as well as to file a complaint with law enforcement agencies (having such a report simplifies the process of initiating a criminal case). The report can be prepared in both Russian and English if you need to contact police abroad.
Depending on the specific case, actions may vary, but the general scheme for investigating cryptocurrency theft looks as follows:
For investigations, we use a flagship product developed by a Russian IT company, our partner, which allows visualization of transaction graphs and identification of the final recipient of cryptocurrency, regardless of the number of chain links the perpetrator might use to obscure the trail.
A regular user sees the blockchain like this:
How we see the blockchain:
Sometimes, in pursuit of supposed anonymity, perpetrators create a huge number of transit cryptocurrency addresses through which stolen crypto is passed. But the tools we use allow us to identify the final recipient even in this case.
A vivid example is an investigation by our partners where scammers created over 100 thousand transit addresses to confuse the trail. Such cases would be impossible to investigate using an ordinary blockchain explorer.
Our partners’ proprietary development allows detection of asset transfers between addresses and of flows through DEXs to other blockchain networks. The result of such analysis answers the question of where exactly the funds settled, whether they were withdrawn through regulated exchanges or P2P exchangers, and whether mixers were used. All this enables organizing further work with law enforcement by sending appropriate requests to establish the perpetrators’ digital traces.
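The idea of following stolen funds through transit addresses until they settle can be shown with a small forward trace over a transaction graph. This is an added illustration, not our partners' tool or its algorithm; the addresses, amounts and attribution labels are constructed sample data, and the function name `trace_endpoints` is hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample data: (sender, recipient, amount). Not real addresses.
TRANSFERS = [
    ("victim", "t1", 10.0),
    ("t1", "t2", 6.0),
    ("t1", "t3", 4.0),
    ("t2", "t4", 6.0),
    ("t4", "t2", 1.0),                  # loop between transit addresses
    ("t4", "exch_deposit", 5.0),
    ("t3", "mixer_in", 1.5),
    ("t3", "cold", 2.5),
    ("exch_deposit", "exch_hot", 5.0),  # internal to the exchange, not followed
]
# Hypothetical attribution labels an analyst holds for known services.
LABELS = {"exch_deposit": "exchange", "mixer_in": "mixer"}


def trace_endpoints(transfers, source, labels):
    """Follow funds forward from source; return {endpoint: (category, amount_in)}."""
    outgoing = defaultdict(list)
    for sender, recipient, amount in transfers:
        outgoing[sender].append((recipient, amount))

    seen = {source}
    queue = deque([source])
    received = defaultdict(float)  # amount arriving from traced addresses
    while queue:
        addr = queue.popleft()
        for recipient, amount in outgoing[addr]:
            received[recipient] += amount
            if recipient in seen:
                continue  # already traced: loops cannot cause endless traversal
            seen.add(recipient)
            # Stop at labelled services: funds are pooled there, and only the
            # service's own records can attribute them further.
            if recipient not in labels:
                queue.append(recipient)

    endpoints = {}
    for addr in seen - {source}:
        if addr in labels:
            endpoints[addr] = (labels[addr], received[addr])
        elif not outgoing[addr]:
            # No onward transfers: the funds settled at a private address.
            endpoints[addr] = ("private address", received[addr])
    return endpoints


if __name__ == "__main__":
    for addr, (kind, amount) in sorted(trace_endpoints(TRANSFERS, "victim", LABELS).items()):
        print(f"{addr}: {kind}, {amount}")
```

The endpoints labelled as an exchange are the ones a blocking request would be addressed to; transit addresses such as `t2` and `t4` never appear in the result.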
After conducting interviews and clarifying all circumstances of the theft, in parallel with blockchain analysis, we start examining the digital traces of the perpetrators. Typically, these include messenger correspondence and websites (for example, a pseudo-exchange site or a phishing clone of a popular cryptocurrency wallet).
Analysis of the correspondence between the victim and the criminals helps to reveal valuable information for the investigation (used nicknames, websites, messenger IDs, blockchain addresses, and other payment details). After that, all obtained data is enriched using OSINT methods.
In rare cases, the aforementioned actions are sufficient to identify the perpetrators. However, if you have fallen victim to professional criminals, usually further work is required to obtain additional leads.
Sometimes this may be the perpetrator’s IP address or other digital identifiers. But obtaining these often requires developing a full-scale operation. For this, we thoroughly study all available information about the perpetrator, the nature of their actions, motivations, individual characteristics, etc., with the aim of provoking them to respond to our bait, during which they might reveal themselves.
In our practice, there was a case where, six months after stealing a large sum, the scammer made only one mistake out of greed, which ultimately led to his successful identification. It’s always gratifying to receive such messages in private from the perpetrator himself when he realizes what happened:
And a few hours before that, as a result of a successfully conducted information operation, we learned his personal phone number and exact geo-location. That was enough.
The final stage of the investigation (if you are not ready to pay for our constant involvement at all stages) is the preparation of recommendations for further actions, including recommendations for law enforcement agencies on directing and formulating requests to the necessary authorities. Depending on the circumstances of the case, we may recommend filing a report with authorities located in:
To date, neither the Investigative Committee nor the Ministry of Internal Affairs has enough competent specialists to conduct such investigations, and our report will significantly simplify their work — only the necessary requests to exchanges, exchangers, domain registrars, and advertising platforms promoting phishing sites will need to be sent, and further measures taken after receiving responses to these requests.
This is the main question on the victim’s mind. Unfortunately, we cannot give an answer until an investigation has been conducted. Even if information about the individuals involved in the theft is obtained and they are blocked, it is not always possible to recover the funds.
However, if it involves a significant amount, it is definitely worth trying, since there is positive experience, including successful work by law enforcement and judicial authorities. In some cases, there is an opportunity to influence the perpetrators to return the funds.
Important! We do not take cases with damage amounts less than 5 million RUB.