I Got Scammed in Crypto — Can I Get My Money Back? A Realistic Recovery Guide
Tracing your coins is not the same as recovering them. Here’s what actually works in the first 72 hours, and the second scam to refuse.
Short version, because you are in a hurry:
| Question | Honest answer |
|---|---|
| Can I get my crypto back? | Sometimes, but only if it hit a KYC exchange and you report within ~24–72 hours. Money in a private wallet, mixer, or bridge is near-unrecoverable. |
| I can see my coins on Etherscan — doesn’t that mean I can get them back? | No. Tracing is not recovery. There is no chargeback or reverse button on-chain. |
| Where do I report? (U.S.) | File at ic3.gov (FBI IC3) and reportfraud.ftc.gov (FTC), then flag the destination exchange’s law-enforcement channel. It’s free. |
| Should I hire a “recovery service”? | No. Upfront-fee recovery agencies are almost always a second scam (10,500+ complaints, ~$1.4B in 2025). Law enforcement never charges a fee. |
| What do I gather? | TxIDs, destination addresses, exchange/platform names, timestamps, USD amounts, and full-conversation screenshots. |
1. Before you touch anything else: the next 24–72 hours decide almost everything
2. The hard truth up front: seeing your coins on Etherscan is not getting them back
3. Your one real lever: did the money land on a U.S.-reachable exchange?
4. Do this in the next hour: ic3.gov, the FTC, and the exchange’s law-enforcement channel
5. Follow the money: a destination map that sets your realistic odds
6. What kind of scam was it? Recovery routes by scam type
7. The second scam coming for you: ‘recovery agencies’ and fake law firms
8. What the numbers actually say: IC3’s $11.4B, and why a seizure is not your refund
9. One thing that can soften the loss at tax time: the IRC §165 theft-loss question
10. Close the other doors before they drain more: revoke approvals and secure the wallet
You just realized it was a scam, and the first thing you did was open a block explorer and watch your coins sitting in someone else’s wallet. That sight is doing something cruel to you: it makes recovery feel one phone call away. This guide is the honest version. It separates what you can see from what you can actually get back, walks the exact U.S. reporting steps that still matter in the first hours, and names the second scam that is already circling you. No promises, no upfront-fee “recovery” pitch, just what genuinely moves the needle and what does not.

1. Before you touch anything else: the next 24–72 hours decide almost everything
If you are reading this within a day of realizing what happened, that timing is the most
valuable thing you have. Recovery in crypto is rarely about being clever after the fact. It is
about how fast the report reaches someone who can freeze an account before the money moves
again.
Scammers do not park stolen funds. They chain them: victim wallet, then a fresh address,
then a swap, then a bridge to another chain, then a cash-out exchange in a jurisdiction that
will never answer a U.S. subpoena. Every hop that completes before your report lands is a door
that closes. That is why the practical window is measured in hours, roughly the first 24 to 72,
not in weeks.
option you might have later.
- Screenshot everything now. The chat, the “platform” dashboard, the withdrawal page, the
wallet addresses, the transaction hashes. Platforms and profiles vanish the moment they suspect
you have caught on. - Do not delete the conversation and do not confront the scammer. Tipping them off just
speeds up the cash-out. Investigators will want the thread intact. - Copy your transaction IDs (TxIDs) and the destination addresses from your wallet or the
exchange withdrawal history. Paste them into a note. This is the single most important piece of
evidence. - Write a plain timeline — dates, amounts, the platform or person’s name, phone numbers,
any bank or card transfers that fed the crypto purchase. - If your own wallet or an exchange account was touched, secure it (new device, revoke
approvals, move remaining funds). More on that near the end.
| Item | Reality |
|---|---|
| Reporting window that matters most | First 24–72 hours, before funds are moved on |
| Are exchange freezes automatic? | No. They require a law-enforcement request, subpoena, or court order |
| Typical hold once a request lands (Binance.US LERT) | About two weeks while the request is reviewed |
| If the freeze window is missed | Funds route through DEXs, mixers, or privacy coins and effectively disappear |
2. The hard truth up front: seeing your coins on Etherscan is not getting them back
Here is the part almost nobody tells you up front, and it is the whole reason this guide
exists. Being able to see your money is not the same as being able to get it back.
Open Etherscan, or any block explorer, paste your transaction hash, and you can watch your
coins sit in the thief’s address like they are behind glass. That visibility feels like a lead.
It feels like proof that should force someone to hand it over. It is not. A public ledger records
who holds what; it grants no one the power to reverse a transfer.
Crypto has no chargeback. When you pay with a credit card and get scammed, the card network
can claw the money back from the merchant because a bank sits in the middle with the authority to
reverse it. On-chain, there is no bank in the middle and no reverse button. A confirmed
transaction is final by design. “Tracing” and “recovery” are two different problems: tracing is a
data question that blockchain analytics firms are genuinely good at; recovery is a legal and
custodial question that depends entirely on whether the coins ever land somewhere a real authority
can reach.
followed?) is usually yes. Recoverability (can it be returned to you?) is usually the harder
question, and the honest answer is often no. Anyone who blurs the two — “we traced it, so we can
get it back” — is setting you up.
3. Your one real lever: did the money land on a U.S.-reachable exchange?
Strip away the noise and your realistic odds come down to one American variable: did the stolen
money land on, or pass through, an exchange that U.S. law enforcement can actually reach, and did
it get there while there was still a balance to freeze?
Centralized exchanges run KYC. They hold customer funds, they have a compliance team, and they
respond to subpoenas and court orders. That combination is the only real lever an ordinary victim
has. If the trail ends at a Coinbase, Kraken, Binance.US, Bybit, or similar deposit address, there
is at least a mechanism: a law-enforcement request can put a hold on that account. It is not a
guarantee, the balance may already be gone, and the exchange will not act on your say-so alone —
but a lever exists.
If instead the trail ends at a self-custody wallet the thief controls, or disappears into a
mixer or a cross-chain bridge, there is no one to serve and no account to freeze. The coins are as
gone as cash handed to a stranger who walked into a crowd. This is not defeatism; it is the
structure of the system, and pretending otherwise is how the second scam gets its foot in the
door.
The quick self-check
- Trail ends at a KYC exchange, reported fast: a freeze is possible. Move now.
- Trail ends at a private wallet / mixer / bridge: report it for the record and for
pattern-matching, but set your expectations near zero.
4. Do this in the next hour: ic3.gov, the FTC, and the exchange’s law-enforcement channel
In the United States, your primary channel is the FBI’s Internet Crime Complaint Center. File
online at ic3.gov. It is free, it is the federal intake point that routes complaints to the
right field office, and it is the record investigators and exchanges will look for. Then add a
report at the FTC’s reportfraud.ftc.gov, which feeds federal and state consumer-protection
databases.
In the next hour, in this order
- File the IC3 complaint at ic3.gov. Be specific and include every TxID, wallet address,
platform name, phone number, email, and the dollar amounts with timestamps. Vague complaints go
nowhere; a complaint with clean on-chain evidence is something an agent can act on. - Report to the FTC at reportfraud.ftc.gov. This does not replace IC3; it widens the paper
trail and helps map the operation across victims. - Contact the destination exchange’s law-enforcement / compliance channel if you know the
funds landed there. You cannot order a freeze as a customer, but you can flag the deposit address
and get a case reference so that when law enforcement’s request arrives, the exchange already has
context. Binance.US, for example, works law-enforcement freeze requests through its LERT (Law
Enforcement Request Tracker) process, which can hold an account for roughly two weeks while the
request is reviewed. - If money moved through your bank, wire, or card first, call that institution’s fraud
line immediately. The fiat leg sometimes has a reversal window that the crypto leg never will.
transaction IDs, every destination address, the exchange or platform names, exact timestamps, the
amounts in USD, and screenshots of the full conversation and any fake “account” dashboard. Assemble
this once and reuse it for every report.
5. Follow the money: a destination map that sets your realistic odds
Where the money landed sets your odds more than any other factor. This map is blunt on purpose,
because false hope is exactly what the recovery scammers sell.
| Where the funds landed / scam type | Recovery lever | Realistic odds |
|---|---|---|
| Into a centralized (KYC) exchange | Law-enforcement freeze request, court order, exchange compliance | Low to moderate, and only if reported fast |
| Into a self-custody wallet the thief controls | None in practice | Near zero |
| Through a mixer or cross-chain bridge | None in practice | Near zero |
| Rug pull (project vanished with the pool) | Class action / civil, very slow | Under 5% |
| Large protocol / exchange hack | Depends on negotiation and law enforcement, out of your hands | As low as ~0.4% |
Read that table as a filter, not a verdict on effort. Reporting is worth doing in every row,
because your complaint may connect to a larger case even when your individual coins are gone. But
if your trail is in one of the “near zero” rows, anyone promising to recover it for a fee is
telling you something the ledger says is impossible.
6. What kind of scam was it? Recovery routes by scam type
The reporting steps are the same, but the details you emphasize and the slim recovery angle
change with the type of scam. Match yours below.
Investment scams and “pig butchering”
This is the biggest category by far. A stranger or “romantic” contact builds trust over weeks,
then steers you to a fake trading or “staking” platform that shows fake profits until you try to
withdraw and get hit with “tax” or “unlock” fees. Report to IC3 with the platform URL, every
deposit address, and the contact’s numbers and handles. Your money almost always routed to
exchange deposit addresses on its way out, so flag those fast — this is one of the few scam types
where a freeze occasionally catches something.
Romance scams
Same reporting path, and the emotional aftermath is real. The recovery angle is identical to the
investment case, because the money followed the same route. Preserve the relationship history; it
helps investigators tie accounts together.
Fake exchanges and fake platforms
If you deposited to a platform that turned out to be fake, the “balance” you see in its
dashboard is a number in their database, not crypto you own. Recovery depends on where your real
deposit went on-chain. Report the domain to IC3 and the FTC so it can be taken down for the next
person.
Phishing and approval-drain attacks
Here you signed a malicious transaction or approval and a drainer emptied the wallet. The urgent
job is not recovery; it is stopping the next drain, because the approval you signed can let
them come back. Revoke approvals immediately and treat the wallet as compromised. See the
step-by-step in how to revoke token approvals, and if a seed phrase or
private key was exposed rather than just an approval, jump to what to do when
your seed phrase is exposed.
P2P trade scams
If you got scammed on an exchange’s P2P marketplace (fake payment proof, reversed bank
transfer), open a P2P dispute with the exchange inside the app at once and attach the
evidence — this is one of the rare cases with a built-in resolution process, because the
counterparty is a KYC’d user of that exchange.
withdrawal or locked your account, that is a compliance hold, not a theft — see
withdrawal frozen / account locked. If a deposit you sent never showed up,
it is usually a wrong-network or pending issue, not a scam — see
deposit not credited.
7. The second scam coming for you: ‘recovery agencies’ and fake law firms
Within days of being scammed — sometimes within hours — a second predator arrives. They find
you in the comments of a scam-warning video, in a Telegram group, or through a cold DM, and they
promise to get your money back. “Crypto recovery agency.” “Fund recovery service.” “Blockchain
tracing expert.” “We work with law enforcement.” Some even pose as a law firm that specializes in
crypto fraud. The FBI has issued repeated public warnings about exactly this, including a June 2024
alert specifically about fraudsters impersonating law firms, and reported more than 10,500 of these
recovery-fraud complaints totaling around $1.4 billion in 2025 alone.
The tell is simple and it never changes: they ask for money upfront. A retainer, a
“tracing fee,” a “gas fee,” a “tax” to release the recovered funds, an “international transfer
charge.” Pay one and another appears. It is the original scam’s structure, aimed at a victim who
has already proven they will pay.
| Red flag | What it means |
|---|---|
| Any upfront fee to “recover” your funds | Definitive sign of a recovery scam |
| Claims to be law enforcement, a law firm, or the exchange | Impersonation; the FBI warned specifically about fake law firms |
| New “tax,” “unlock,” or “transfer” fees keep appearing | Serial extortion — the money never comes |
| Asks for your seed phrase, private key, or wallet access | A direct attempt to drain what you have left |
| Shows a slick “trace report,” then goes quiet after payment | The classic disappearing pattern |
fee to investigate. (2) There is no “reversal” or “chargeback” on-chain, so anyone guaranteeing
your funds back is lying. (3) Never, ever share your seed phrase or private key with anyone
claiming to help — that is not recovery, that is the next theft. This article does not refer anyone
to a paid recovery service, because the honest ones are rare and the pattern is too dangerous to
send you toward.
8. What the numbers actually say: IC3’s $11.4B, and why a seizure is not your refund
It helps to see the scale, because the numbers do two things at once: they show you are not
alone, and they quietly explain why individual recovery is so rare.
| Metric | Value | Source / year |
|---|---|---|
| Losses involving digital assets | $9.3B across ~150,000 complaints (up 66% YoY) | FBI IC3, 2024 |
| Investment fraud (largest category) | $6.57B | FBI IC3, 2024 |
| Pig-butchering / romance-investment scams | $5.8B across 41,557 victims | FBI IC3, 2024 |
| Total crypto fraud losses | ~$11.4B, about half of all reported U.S. fraud losses | FBI IC3, 2025 |
| Recovery-fraud (second-scam) complaints | 10,500+ complaints, ~$1.4B | FBI IC3, 2025 |
| Total internet-crime losses | $16.6B (up 33% YoY, a record) | FBI IC3, 2024 |
There is a genuinely hopeful line in this data. Through the FBI’s Operation Level Up,
6,475 victims had been proactively notified by July 2025, and the program is credited with saving
around $400.9 million. But note the detail that matters most: 77% of those victims did not know
they were being scammed when the FBI reached out. The single biggest reason recovery fails is
that people realize too late. Reading this now, early, is the advantage.
seized 61,000 BTC or forfeited $15 billion tied to a criminal network, that is a government
enforcement action against an organization. It is not a refund pipeline for individual victims, and
those funds are typically tied up in forfeiture proceedings for years. A big seizure is good news
for the rule of law. It is almost never your personal check in the mail.
9. One thing that can soften the loss at tax time: the IRC §165 theft-loss question
If none of the money comes back, there is one narrow door left that has nothing to do with the
scammer: how the loss is treated at tax time. In the U.S., a genuine theft loss can raise the
question of an IRC §165 theft-loss deduction. It is worth asking about, but it is not the
easy write-off many people assume.
The Tax Cuts and Jobs Act suspended most personal casualty and theft-loss deductions through
2025, with a carve-out that generally requires the loss to arise from a transaction entered into
for profit. That distinction — a scam dressed up as an “investment” versus a purely personal loss —
matters a lot, and it is exactly the kind of judgment a professional should make on your specific
facts. You will also need your documentation: the same TxIDs, timestamps, and the IC3/FTC report
numbers that prove the loss and when you discovered it.
qualified CPA or tax attorney before claiming anything. Do not let a “recovery” outfit file amended
returns for you — that is another way these operations extract fees and personal data.
10. Close the other doors before they drain more: revoke approvals and secure the wallet
Before you spend another day chasing what is gone, close the doors that could still be leaking.
If your wallet was involved at all, assume the attacker may still have a way back in.
- Revoke token approvals. A single malicious approval can let a drainer pull tokens again
and again, long after the first hit. Walk through it in
how to revoke token approvals. - If your seed phrase or private key was exposed, revoking approvals is not enough, because
the thief can re-approve forever. You need to move everything to a brand-new wallet created on a
clean device, in the right order. That is its own emergency:
seed phrase exposed — what to do. - If an exchange withdrawal or account got locked in the fallout, that is a compliance
hold, handled differently from a theft: withdrawal frozen / account
locked. - If you sent a deposit that never arrived and are wondering whether you were scammed, it
is usually a network or pending issue, not fraud: deposit not
credited.
Prevention is a separate subject from recovery, and it deserves its own read once the fire is
out. For now, the goal is narrow: stop further loss, get the report on file within the window, and
refuse the second scam.
FAQ: the questions every scammed American asks in the first 48 hours
Next: lock your wallet down — revoke risky token approvals →




