What we’ve brought home.
Twelve featured case files from our team — identifying details redacted, methods declassified.
Twelve featured recoveries.
Different vectors, different jurisdictions, different recovery rates. Every case is real; identifying details have been redacted at the client’s request.
FAKE REGULATED BROKER
An investor sent stablecoins to a polished offshore platform that named a real-looking but unverifiable license. We graphed the operator wallet across two L1s, traced the consolidator address to a tier-2 exchange, and engaged compliance with a documented chain-of-custody packet. KYC unmasking obtained, partial wire-back through court-ordered exchange cooperation. Closed in 2 weeks.
PIG-BUTCHERING / FAKE DEFI
A mid-six-figure loss to a romance-investment hybrid routing through a counterfeit DeFi protocol. Funds bridged to Tron and parked in a sweeper wallet. Frozen at the off-ramp exchange after a 48-hour KYC freeze petition. Recovered 73% in 2 weeks; the rest had already been off-ramped to OTC desks we couldn’t reach.
WALLET DRAINER / PHISHING
Phishing approval drained a hot wallet across multiple ERC-20 tokens. We ran token-level tracking through the drainer’s consolidator, identified the centralised exchange that received four of the seven tokens, and triggered a freeze before consolidation. Partial recovery (52%) through legal action; the remaining tokens had already been swapped to USDT and bridged. 2 weeks.
SIM-SWAP EXCHANGE TAKEOVER
A SIM-swap attacker reset 2FA on a major exchange account and withdrew BTC and ETH within a 90-minute window. We caught the trace inside 6 hours of the report, engaged the exchange’s incident-response team with a documented intrusion timeline, and froze the destination wallet before the attacker could off-ramp. One of our fastest recoveries — 5 days total.
ROMANCE SCAM (TELEGRAM)
A six-month relationship cultivated entirely over Telegram ended with the victim wiring USDT to a series of “customer-service wallets” labelled as a bonus-tier upgrade. We mapped the operator’s address rotation across BSC and Tron, identified a Lithuanian off-ramp exchange, and worked with local counsel to obtain a wallet freeze. 64% recovered in 3 weeks.
FAKE ICO TOKEN PRESALE
Our most complex case to date and the only one to break our 3-week ceiling. A multi-investor case file: the lead investor pledged $1.9M to a presale wallet that distributed nothing. We graphed the operator wallet across three jurisdictions, located the founder via on-chain identity links to a separate KYC’d exchange account, and engaged civil counsel for an injunction. The on-chain work closed in two weeks; the back-and-forth on the fiat settlement, class-member distributions, and final wire-backs ran 2 months end-to-end.
NFT MARKETPLACE APPROVAL DRAIN
Malicious approval signed via a spoofed mint page; the attacker drained six high-value NFTs and the wallet’s stable balance. We negotiated direct returns of two NFTs through reputable marketplace flagging, traced the stablecoin out to a Curve→bridge→exchange path, and recovered the bulk of the value through a coordinated marketplace + exchange freeze. 2 weeks.
MINING CLOUD PONZI
Operator marketed cloud-mining contracts paying 4% weekly. Victim invested across 14 deposit rounds. By the time we were engaged, ~80% of inflow had already been off-ramped through high-volume P2P traders. We recovered what was still on-chain, supported regulator filings, and coordinated with two state AGs. Realistic outcome — 38% — but better than the alternative. 3 weeks.
RECOVERY-SCAM RE-VICTIM
Victim of an earlier broker scam was approached by a “recovery agency” demanding $34K in upfront fees to unlock the original loss. We caught the second scam in real time, traced the upfront fee to the exact same operator infrastructure, executed a coordinated freeze and counsel demand, and returned the full $34K. The original broker loss is a separate active case. The fastest recovery on file — 5 days.
DEFI RUG PULL / LIQUIDITY DRAIN
A small-cap DeFi token added liquidity, ran six weeks of marketing-driven inflows, then drained the pool in a single transaction. We followed the developer wallet through Tornado Cash and identified an exit address consolidating into a tier-2 exchange off-ramp. Recovered 58% through coordinated exchange engagement and a class-action settlement. 2 weeks.
OTC DESK COUNTERPARTY FRAUD
A high-six-figure OTC trade where the counterparty wired the fiat leg but never delivered the crypto. We graphed the receiving wallet across three chains and traced the operator’s funding pattern back to a small unregulated exchange in the EU. Recovered 79% through direct counterparty negotiation and counsel pressure. 2 weeks.
TELEGRAM PUMP & DUMP
Coordinated pump scheme using a tokenized “investment pool” on Telegram. Victim deposited $112K across two rounds. We mapped the pump operator’s address rotation, identified a Belize-based off-ramp, and engaged international counsel for an interim freeze. Half the loss was recovered; the other half had already cycled through OTC traders we couldn’t reach. 2 weeks.
Recovery outcomes vary case to case. Past results are not a guarantee of future outcomes.
Could be the next case file.
If you’ve lost crypto to a broker, drainer, romance scam, ICO, or recovery scam, our team reviews every signal within one business day.