If you were scammed in Bitcoin, the single most important action is a triage sequence: stop further losses, secure every exposed account or key, preserve evidence, and report through the right channels in the right order. Bitcoin transactions are irreversible once confirmed on the blockchain, so correct containment in the first hour matters far more than panic, negotiation, or paying anyone who promises recovery. The FBI's Internet Crime Complaint Center logged 181,565 cryptocurrency-related complaints in 2025 with reported losses of $11.4 billion (source: FBI). This guide walks through every step of damage control, evidence collection, reporting, and rebuilding after a Bitcoin scam.
Researched and written by the BloFin Academy editorial team with AI-assisted drafting. Primary sources include the FBI IC3 2025 Internet Crime Report, FTC consumer-protection guidance, and the Chainalysis 2026 Crypto Crime Report. All facts independently verified against agency publications and blockchain documentation current as of April 2026.
What should you do in the first 10 minutes after discovering a Bitcoin scam?
Stop all communication with the scammer, record every transaction detail you can see on screen, and secure any accounts or keys that may be exposed. The first 10 minutes determine whether you lose only what is already gone or everything you still hold. Every additional minute of access for an attacker widens the damage.
The 10-minute emergency checklist
Work through this list in order. Skip nothing.
Cut contact immediately. Do not click new links, do not install "support" software, do not respond to threats or promises. Scammers create false urgency to keep you acting before thinking.
Determine whether your seed phrase or private key was exposed. If you typed a seed phrase into a website, shared it in a message, or read it to someone, your wallet is permanently compromised. Jump to the seed-phrase section below. You have minutes, not hours.
Record the transaction ID (TXID) and recipient wallet address. Open your wallet or exchange transaction history and copy both values exactly. You will need them for every report you file.
If this involves an exchange account: Log in from a clean device, freeze withdrawals if the exchange supports it, reset your password, rotate your two-factor authentication method, and open an urgent support ticket.
If you paid via bank card or wire transfer: Contact your bank or card issuer immediately and flag the transaction as fraud. Card chargebacks have time windows, often 15 to 60 days depending on the issuer, and wire reversals are sometimes possible same-day if caught before settlement (source: Consumer).
Do not wipe your device yet. You need evidence stored on it.
What to record before changing anything
Before you reset passwords, switch devices, or close accounts, capture these details:
Full TXID (transaction hash) of every fund transfer you made
Recipient address (the scammer's wallet)
Exact amount in BTC and approximate fiat value at the time
Date and time with your timezone
Screenshot of the wallet or exchange confirmation screen
Name of the wallet software or exchange you used
This information is permanently recorded on the Bitcoin blockchain and is required for exchange reports, law-enforcement filings, and any future legal proceedings.
How do you identify which type of Bitcoin scam happened?
Not every scam requires the same response. Identifying the scam type in under two minutes routes you to the correct containment steps. Use the five branches below and follow the first one that matches your situation.
The Chainalysis 2026 Crypto Crime Report estimated that crypto scams generated over $17 billion in losses during 2025, with impersonation scams growing more than 1,400% year over year driven partly by AI-generated content (source: Decrypt). Knowing the scam type helps you assess exposure and prioritize.
Branch A: Seed phrase or private key exposure
You shared your seed phrase, recovery phrase, or private key with someone, typed it into a website, or entered it into software you did not verify. Your wallet is permanently compromised. Go to the seed-phrase migration section immediately and move any remaining funds to a new wallet.
Branch B: Exchange account compromise
Signs include login alerts from unknown locations, your email or phone number changed without authorization, withdrawals you did not make, or complete lockout. Go to the exchange-compromise section and lock the account.
Branch C: Voluntary transfer to a scam address
You sent Bitcoin to what you believed was a legitimate investment, service, or person, but it turned out to be fraud. No seed phrase was shared, no malware was installed, and your accounts still function normally. Focus on evidence collection and reporting.
Branch D: Remote-access software or device compromise
You gave someone control of your computer via AnyDesk, TeamViewer, or similar tools, your mouse moved on its own, or you installed "wallet recovery" or "support" software. Shut down the device immediately. Assume every password and secret entered on that device is compromised. Create a new wallet on a different, clean device and rotate all credentials.
Branch E: Someone claiming they can recover your lost funds
This is almost certainly a recovery scam. According to the FBI’s 2025 Internet Crime Report, recovery-scam complaints generated $1.4 billion in losses. Block and report the contact. Do not engage, pay, or provide information.
Safety rule: If you are unsure which branch fits, assume seed-phrase exposure (Branch A). That triggers the most protective response. If it turns out your keys were not exposed, you lost only some time. If they were exposed and you did not act, you risk losing everything.
What should you do if your seed phrase or private key was exposed?
Once an attacker knows your seed phrase or private key, that wallet is permanently unsafe. Any funds remaining in it can be stolen at any moment. Migration to a new wallet is mandatory, not optional, and speed matters more than anything else.
From an operational standpoint, key-exposure incidents produce the most urgent support tickets any platform handles. The window between exposure and total wallet drain is often measured in single-digit minutes because attackers run automated sweeper scripts that monitor exposed keys around the clock.
Step-by-step wallet migration
Create a new wallet on a clean device. Use a device that was not involved in the scam, or one completely wiped and reinstalled. Download wallet software only from official sources. Verify the download hash if the provider publishes one. Do not create the new wallet on the same device where the old seed phrase was exposed. For guidance on choosing wallet software, see the wallet verification guide.
Write down the new seed phrase on paper. Do not type it, email it, photograph it, or save it to any cloud service. Store the paper in a physically secure location away from the device.
Verify you control the new wallet. If time permits, send a tiny test amount (0.0001 BTC) to the new wallet and confirm arrival. This catches address-entry mistakes before you move larger amounts.
Move remaining funds from the old wallet to the new wallet. Prioritize speed over fee savings. Pay a higher transaction fee to get confirmation in the next block (roughly 10 minutes) rather than waiting hours for a low-fee transaction. Each minute funds remain in the compromised wallet is risky.
Mark the old wallet as permanently unsafe. Never send funds to it again, never reuse any of its addresses. The attacker holds your private key indefinitely.
Mistakes that cost people everything
Do not use "recovery" software found through web searches. Most of these tools are phishing vehicles designed to steal your new seed phrase.
Do not delay migration to gather evidence. Evidence matters, but preventing total loss matters more.
Do not assume the attacker has not noticed. Automated scripts test exposed keys within minutes of receiving them.
Do not use the same browser, device, or operating system to create the new wallet if that environment was involved in the scam.
If your funds are already gone, no technical method can retrieve them from a self-custody wallet. Proceed to evidence preservation and reporting.
What should you do if your exchange account was compromised?
A compromised exchange account is different from a compromised private wallet. The exchange is a custodian and can take actions impossible on a self-custodial wallet: freeze the account, reverse pending withdrawals that have not yet left the platform, lock login attempts, and verify your identity to restore access.
However, once a cryptocurrency withdrawal has been broadcast to the blockchain and confirmed, even the exchange cannot reverse it. The exchange's authority ends at its own internal ledger.
First-hour actions
Action | Why it matters |
|---|---|
Log in from a clean device (not the one that may be compromised) | Prevents the attacker from capturing your new credentials |
Freeze or lock withdrawals through account security settings | Stops funds from leaving while you regain control |
Reset password to a new, unique, 20+ character string via a password manager | Eliminates the old credential |
Rotate two-factor authentication to an authenticator app, not SMS | SMS is vulnerable to SIM-swap attacks |
Open an urgent support ticket with the subject line "Account Compromised" and include your TXID, timestamps, and a one-sentence summary | Gets your case into the priority queue |
Review connected API keys and revoke anything unrecognized | API keys can bypass normal login protections |
SIM-swap detection
If the attacker gained access by convincing your mobile carrier to port your phone number to their SIM, you may have lost control of SMS-based authentication across multiple accounts. Signs include sudden loss of cell service, receiving unexpected SMS verification codes, or email alerts that your recovery phone was changed. In 2025, a landmark arbitration ordered T-Mobile to pay $33 million after a single SIM swap drained a customer's cryptocurrency holdings (source: Keepnetlabs). Contact your carrier immediately, request a port-out PIN, and ask them to lock your account against unauthorized porting.
What the exchange can and cannot do
Can do: Freeze your account, reverse pending internal transfers, verify your identity and restore access, flag the receiving address if funds went to another account on the same platform.
Cannot do: Reverse cryptocurrency transactions already confirmed on the blockchain and sent to external wallet addresses.
On the operations side, the speed of the initial support ticket consistently determines the range of actions an exchange can still take. Reports filed within the first hour reach the compliance team while internal transfers may still be reversible; reports filed days later typically arrive after funds have already left the platform.
How do you preserve evidence correctly after a Bitcoin scam?
Before you reset your phone, reinstall your operating system, or close any accounts, capture evidence. Law enforcement, exchanges, and any potential legal proceedings require specific, timestamped documentation. Preserving evidence first and wiping devices second is non-negotiable.
Blockchain artifacts
Full TXID for each transaction
Your sending address
Scammer's receiving address
Amount sent in BTC and approximate fiat value
Timestamp with timezone
Number of confirmations
Screenshot of a block explorer (Blockchain.com, Blockchair.com, or mempool.space) showing the transaction
Communication records
Screenshots of all messages from the scammer with visible timestamps
Platform used (email, Telegram, WhatsApp, Discord, social media, etc.)
Scammer's username, email address, or phone number
Full URLs of any websites involved, not just clickable link text
Exported conversation threads where possible, not just individual messages
Email evidence
Full email headers (most email clients have a "show original" or "view source" option)
Email confirmations from your exchange or wallet showing the transaction
Any login-alert or security-notification emails
Account activity
Screenshots of exchange login history and IP addresses
Withdrawal history showing unauthorized transactions
Device list from your exchange's security settings
Any API keys or connected apps you do not recognize
Website and scam materials
Screenshots of the scam website as it appeared to you
Archive check at archive.org to establish when the domain was active
Any documents the scammer sent: fake contracts, investment plans, job offers
Preservation rules
Do not edit or crop screenshots. Note the exact date and time you captured each item. Save everything to external storage (USB drive or a separate, secure cloud account) before wiping any device. Keep both digital copies and printed hard copies of critical items. You may need this documentation months or years later if law enforcement makes an arrest or you pursue civil action.
Where should you report a Bitcoin scam, and in what order?
Not every organization can act equally. Report to the highest-leverage parties first, then work down the list. Speed matters for the first two tiers because exchanges can sometimes freeze funds before the scammer withdraws.
Tier 1: Exchange and wallet provider (can stop ongoing losses)
If you have sent funds from an exchange, report the scam to that exchange's support team with the TXID, recipient address, amount, date, and a brief factual description. If you can identify that the scammer's receiving address belongs to another exchange (high transaction frequency, recognizable address patterns), submit a fraud report to that exchange as well. Many major exchanges maintain dedicated abuse-reporting forms.
Template report message:
> Subject: Fraud Report - TXID: [full TXID]
>
> On [date], I sent [amount] BTC to address [scammer's address] based on a fraudulent [investment offer / impersonation / other]. Transaction ID: [TXID]. Sending address: [your address]. Receiving address: [scammer's address]. Amount: [BTC amount]. Date/time: [timestamp with timezone]. Evidence attached: [list attachments]. Please investigate and freeze these funds if they remain in your custody.
Tier 2: Bank or telecom provider (if fiat or identity is at risk)
If you purchased the Bitcoin with a bank card or wire transfer, report the fraud to your bank. Card transactions may be reversible within the chargeback window. If you suspect a SIM swap, contact your mobile carrier and request a port-out lock.
Tier 3: Law enforcement (creates the official record)
File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov (source: Ic3). Provide transaction details including cryptocurrency addresses, amounts, dates, and transaction hashes. The IC3 feeds reports into databases that law-enforcement agencies use to build cases. The FBI's Operation Level Up program notified 3,780 victims in 2025 and prevented an estimated $225.9 million in losses by proactively intervening while scams were still in progress (source: Fbi).
Also file a report with your local police department. A police-report number strengthens exchange claims and insurance filings.
Tier 4: Regulatory bodies (government agencies track patterns)
FTC: Report at reportfraud.ftc.gov. The FTC feeds complaints into the Consumer Sentinel Network, which hundreds of agencies access to identify repeat offenders (source: Reportfraud).
SEC: If the scam involved an investment scheme or token offering, file a tip at sec.gov/tcr.
CFTC: If cryptocurrency derivatives or futures were involved, report at cftc.gov/complaint.
State regulators: Many states have dedicated crypto-fraud trackers. California's DFPI Crypto Scam Tracker, for example, catalogs reported schemes by type and entity name (source: Dfpi).
What to say in every report
Be factual, specific, and concise. Include the TXID, addresses, amounts, and dates. Describe what was promised and what actually happened. Attach evidence. Request a case number or ticket number. Avoid emotional language; it does not speed investigation and can obscure relevant facts.
How do recovery scams work, and how do you avoid them?
After a Bitcoin scam, victims become immediate targets for a second round of fraud: fake "crypto recovery" services. These operations are often run by the same networks that executed the original scam, or by separate criminals who purchase victim lists. The FBI reported 10,516 recovery-scam complaints with $1.4 billion in losses in its 2025 Internet Crime Report.
Red flags for recovery scams
They contacted you first. Legitimate law enforcement and attorneys do not cold-call scam victims.
They claim they can "reverse" or "unlock" blockchain transactions. This is technically impossible for confirmed Bitcoin transactions.
They demand upfront fees paid in cryptocurrency or wire transfer.
They request your new seed phrase, private key, or remote device access.
They promise guaranteed recovery or specific dollar amounts returned.
They send fake legal letters, court orders, or government-agency documents.
They create artificial urgency: "the window closes in 24 hours."
They claim insider connections at exchanges or federal agencies.
Five actions that guarantee further loss
Never pay upfront fees for recovery services. Legitimate attorneys work on contingency or standard hourly billing, never crypto prepayment.
Never share your new seed phrase or private key with anyone claiming to help.
Never allow remote access to your computer.
Never send additional funds to "unlock" or "release" your original loss.
Never click links in unsolicited messages from anyone claiming to represent a recovery company.
How scammers find you after the first loss
Your contact information often ends up on "sucker lists" traded among criminal networks. If you posted publicly about your loss on Reddit, X, or forums, scammers will find that post and reach out. Recovery pitches typically arrive within days or weeks of the original incident.
Legitimate vs illegitimate recovery paths
Licensed attorneys (verifiable through your state bar association) who specialize in cryptocurrency disputes are the only private-sector actors with a credible track record. They do not guarantee outcomes, they do not ask for crypto payments, and they operate under professional-conduct rules. Everyone else claiming recovery capability is, with overwhelming probability, running a scam.
How do you rebuild your security after a Bitcoin scam?
Containment is done. Now rebuild a setup that resists the same attack and the follow-up scams that target recent victims.
Device cleanup (first 12 hours)
If the device was compromised: wipe and reinstall the operating system completely. Do not trust malware scans alone.
Update to the latest OS version with all security patches.
Uninstall any software the scammer asked you to install.
Identity and accounts (first 24 hours)
Rotate passwords for all financial accounts (exchange, bank, email) using a password manager generating unique, 20+ character strings.
Enable two-factor authentication everywhere using an authenticator app (Google Authenticator, Authy), not SMS. SMS-based 2FA is vulnerable to SIM-swap attacks.
Save 2FA backup codes in a secure offline location.
Review recovery email addresses and phone numbers on all accounts.
Check for unfamiliar authorized apps or API connections and revoke them.
Wallet architecture (24 to 48 hours)
New wallet created on a clean device with a fresh seed phrase.
Seed phrase written on paper and stored in a physically secure location.
For holdings over $5,000 in value: consider a hardware wallet. Devices from established manufacturers (Ledger, Trezor, Coldcard) keep your private key offline, meaning malware on your computer cannot extract it. Typical cost is $60 to $180. See the hot wallet vs cold wallet comparison for a detailed breakdown.
Old wallet addresses documented but never reused.
Test transaction sent to verify the new wallet works.
Long-term habits that reduce repeat risk
Set a calendar reminder for quarterly password review. Bookmark official exchange URLs and never follow links from emails or messages. Review account activity weekly for the first month, then monthly. Before any transaction, verify the recipient address character by character, checking at minimum the first four and last four characters. Before connecting a wallet to any website, research the site independently. Before installing any crypto-related software, verify it comes from the official source. A complete setup checklist is available in the Bitcoin security checklist.
How should you document the loss for taxes and legal records?
Clean records matter for potential tax deductions, insurance claims, and future legal proceedings. Organize this documentation even if you are not sure you will need it.
What to keep
Date you acquired the cryptocurrency and fiat value at acquisition (cost basis)
Date you lost it and fiat value at the time of loss
Amount in BTC and fiat
TXID and all addresses involved
Evidence of the scam (communications, screenshots, website captures)
Police-report or IC3 incident number
Exchange statements showing account balance before and after
Bank statements showing the original fiat purchase, if applicable
Tax considerations
In many jurisdictions, stolen cryptocurrency may be deductible as a capital loss or casualty loss. Rules vary significantly by country and situation. In the United States, consult IRS guidance (Publication 547 covers casualty and theft losses) or a tax professional about whether your loss qualifies under current rules. The key documentation is the cost basis and the fair market value at the time of loss.
Record organization
Create a dedicated folder (physical or digital) containing all evidence, labeled with the date and scam type. Make backup copies on separate storage devices. This documentation may be needed months or years later if law enforcement makes an arrest or you pursue civil action.
What habits prevent repeat Bitcoin scams?
Falling for a scam does not mean you are unintelligent. Scammers are professionals at manipulation, and sophisticated operations now use AI-generated personas, deepfake video, and cloned websites that are nearly indistinguishable from legitimate ones. The difference going forward is building explicit verification rules and following them every time.
Verification rules that block the most common attack vectors
Verify on a second channel. If someone asks you to send funds or confirm sensitive information, verify their identity through a completely separate method. Log into your exchange directly rather than clicking the link in an email. Call the company's published phone number, not the one in a suspicious message.
Treat unsolicited offers as hostile. If you did not initiate contact and someone offers guaranteed returns, investment opportunities, or recovery services, the probability of fraud is extremely high. Block and move on.
Never share a seed phrase. No exchange, wallet provider, support agent, or law-enforcement officer will ever ask for your seed phrase. Anyone who asks is attempting theft. No exceptions.
Send test transactions before large transfers. Before sending cryptocurrency to any new address, send a tiny amount first (0.0001 BTC), verify it arrives at the intended destination, then send the remainder.
Never pay for promises of return. If anyone asks you to pay upfront to receive investment returns, unlock funds, or recover stolen cryptocurrency, that is fraud.
Assume unsolicited links are hostile. Go to websites by typing the URL or using a bookmark. Phishing sites frequently replicate legitimate exchange login pages character for character.
Question any promise of guaranteed returns. Ponzi schemes and pig-butchering scams promise 50%, 100%, or higher annual returns. Legitimate investments carry risk and uncertainty. If the return sounds too predictable, it is fabricated.
Treat time pressure as a red flag. Scammers manufacture urgency. Legitimate opportunities do not vanish because you took a day to verify them.
For a broader overview of scam types and social-engineering tactics, see the guides on common Bitcoin scams, social engineering scams in crypto, and Bitcoin privacy.
Frequently asked questions
Can a confirmed Bitcoin transaction be reversed or refunded?
No. Bitcoin transactions are cryptographically final once confirmed on the blockchain, which typically takes 10 to 60 minutes after broadcast. There is no chargeback mechanism, no central authority with an undo function, and no technical method to reverse a confirmed transfer. This is a fundamental design property, not a flaw. Unlike credit-card or bank-wire systems, Bitcoin settlement does not rely on intermediaries who can intervene after the fact. If you sent Bitcoin to a scammer and the transaction has confirmations, the transfer itself cannot be undone by any party.
Is there any realistic chance of recovering Bitcoin sent to a scammer?
Realistic recovery is possible only under a narrow set of conditions: the receiving address belongs to a custodial exchange, that exchange freezes the account before the scammer withdraws, and you provide clear evidence of fraud quickly enough. If the funds went to a non-custodial wallet, recovery is extremely unlikely because no third party controls the keys. Report regardless. Each report adds to the evidence base that law-enforcement agencies use to build cases, and occasionally funds are frozen in time.
What is the difference between exposing a seed phrase and sending Bitcoin once?
Exposing your seed phrase gives the attacker permanent control over your entire wallet and every address it has ever generated or will generate. They can drain all remaining funds at any moment and monitor for future deposits indefinitely. Sending Bitcoin once without seed exposure means you lost that specific amount, but your wallet and remaining holdings remain secure. Seed-phrase exposure is categorically more dangerous and requires immediate wallet migration.
What should you do if you entered your seed phrase on a website?
Assume the website captured it the instant you submitted the form. Create a new wallet on a clean device immediately, move any remaining funds from the old wallet to the new one, and never use the old wallet again. Every second counts because automated sweeper bots scan for newly exposed keys continuously. If the old wallet is already empty by the time you check, proceed to evidence preservation and reporting.
Are "crypto recovery companies" legitimate?
The overwhelming majority are scams. Red flags include unsolicited contact, upfront payment in cryptocurrency, claims to reverse blockchain transactions, and requests for your seed phrase or remote device access. The FBI specifically warned in 2025 about fictitious law firms and recovery specialists targeting prior victims. Legitimate recovery involves licensed attorneys verifiable through your state or national bar association, working on standard billing arrangements, not prepaid crypto transfers.
Researched and written by the BloFin Academy editorial team with AI-assisted drafting. Primary sources include the FBI IC3 2025 Internet Crime Report, FTC consumer-protection guidance, and the Chainalysis 2026 Crypto Crime Report. All facts independently verified against agency publications and blockchain documentation current as of April 2026.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency trading involves substantial risk of loss. Past performance does not guarantee future results. Always conduct your own research and consider your financial situation before trading. BloFin does not guarantee the accuracy of third-party data referenced herein.