Petronella® Petronella Technology Group, Inc.®

Crypto Forensics, Theft Recovery, and Scam Investigation

Honest on-chain investigation for victims of crypto theft, pig butchering, SIM swap drains, romance scams, and business email compromise with crypto exfiltration. Serving individuals, businesses, and their legal counsel nationwide from Raleigh, North Carolina. Led by Craig Petronella, Digital Forensics Examiner #604180.

Request a victim consult (confidential, 30 minutes): (919) 348-4912

Crypto Forensics in Plain English

Cryptocurrency moves across public ledgers. Every Bitcoin transaction, every Ethereum swap, every Tron USDT transfer, every Solana hop leaves a permanent record that anyone with the right tools can read. That is what crypto forensics is built on. It is the discipline of taking a wallet address, a transaction hash, or a victim's exchange withdrawal record and reconstructing where the money went, who controls the downstream addresses, and what evidentiary story those movements tell a judge, an arbitrator, an insurance adjuster, or a prosecutor.

Blockchain evidence is not magic. It does not tell you the attacker's real name on its own. It does not decrypt a privacy coin. It does not undo a signed transaction. What it does do is establish a chain of custody for the funds themselves, connect wallet clusters to known services, and narrow the search for a human-behind-the-wallet to a finite list of off-ramps that a subpoena can investigate further.

Petronella Technology Group focuses crypto forensics work on three deliverables. First, the fact pattern: a reconstructed timeline of what the attacker did, across which chains, with which amounts, ending at which wallets or exchanges. Second, the legal leverage: the subpoena targets, the freeze candidates, the regulated counterparties that can be compelled to help. Third, the evidentiary product: a report your attorney can attach to a motion or a complaint, and testimony if the case goes that direction. Craig Petronella is Digital Forensics Examiner #604180, with CMMC-RP, CCNA, and CWNE credentials, running this work out of the firm's Raleigh office since 2002. For broader context on how on-chain evidence integrates with security architecture, see blockchain security.

Call early. The first 24 to 72 hours after a crypto theft are the highest-leverage window for preserving evidence, freezing funds at regulated exchanges, and choosing a credible recovery path. After that, funds typically bridge, swap, or mix, and the odds drop sharply.

Crypto Theft Recovery: The First 48 Hours

If you are reading this within a day or two of losing crypto, the clock is the most important variable in your case. Do not try to "just see if it comes back." Do not fund a second wallet from the compromised machine. Do not sign anything new from a device you think is compromised. Do not reformat the phone or laptop that was used when the theft happened. Every one of those instincts is understandable and every one of them destroys evidence that your case will need later.

Immediate evidence preservation checklist

  1. Screenshot every exchange login history, withdrawal record, and 2FA reset notification.
  2. Export your wallet transaction history from every app or exchange involved. Include CSVs and the raw transaction hashes.
  3. Preserve the compromised device. Do not wipe it, do not reinstall, do not "run a cleaner." Put it in airplane mode and set it aside.
  4. Save every email notification from exchanges, wallet providers, and your mobile carrier. Email headers matter, not just the body.
  5. Lock down every other account (email, exchange, 2FA app, password manager) from a clean device.
  6. Contact your carrier to confirm whether a SIM port or port-out attempt is logged. Request the records in writing.
  7. File an IC3 report at the FBI's Internet Crime Complaint Center (IC3) portal. Keep the complaint number.
  8. Call Petronella Technology Group at (919) 348-4912 to walk the fact pattern and decide the next move.

What happens next in a typical 48-hour engagement

Our first hour with you is evidence intake and a rapid chain walk. We take the stolen-funds transaction hash or the attacker wallet address and trace the first several hops across whatever chains are involved. The question we are answering in that first pass is straightforward: where are the funds now, and are they sitting at a regulated counterparty where legal process can reach them? If the answer is yes, we move fast. Your attorney drafts the emergency motion and the subpoena, we provide the technical attachments, and the exchange's legal team is the next step. If the answer is no, because the funds already moved through a bridge or a mixer, we recalibrate the realistic goal of the engagement: evidence preservation, law enforcement referral support, and insurance or civil claim groundwork rather than an immediate freeze.

Cross-chain tracing is its own skill. A theft that starts on Ethereum can exit to Tron in fifteen minutes through a bridge, then convert to USDT, then move through three more wallets, then deposit to a foreign exchange. Each of those hops needs to be reconstructed carefully. Skipping hops or misreading a bridge event can destroy the chain of custody story a report needs. We take the time to do this properly. For the dedicated walkthrough, see crypto theft recovery.

Pig Butchering Scam Recovery

Pig butchering, known in the Mandarin source language as sha zhu pan, is the most financially destructive crypto scam pattern of the current era. It is patient, it is scripted, and it targets educated, professionally successful victims far more often than the stereotypical "naive internet user." The scam's structure is what makes it devastating: the con is not a quick grab, it is a two-to-six month trust build followed by a controlled slaughter.

How the scam actually runs

First contact is usually a cold channel the victim did not request. A wrong-number text ("Hi Michael, are we still on for dinner?"), a LinkedIn connection from a well-dressed professional, a Telegram group invite, a Tinder or Bumble match in an unusual location, or a friendly WhatsApp introduction through a mutual contact the scammer invented. The scammer apologizes for the wrong number or the cold reach, stays to chat, and over weeks builds a friendship or a romance.

The crypto pitch arrives gently. The scammer mentions their uncle, their mentor, or their own trading strategy. They offer to show the victim a small win on a platform they use. The platform is a fraudulent website, a white-label skin on a scammer-controlled back end that displays fake balances and fake trade results. The victim deposits a small amount and sees it grow. They deposit more. The on-screen profits are enormous. When the victim tries to withdraw, the platform introduces fees, taxes, or "compliance holds" to extract more deposits. Eventually the platform disappears, or the victim is frozen out. The real-world crypto is long gone, funneled through a chain of wallets controlled by the operation.

The evidence pattern in a pig butchering case

  • The initial contact thread: screenshots, timestamps, platform of origin, the number or handle used.
  • The trust-build conversations: weeks of text history that show the grooming pattern.
  • The fake platform: URL, login credentials, screenshots of the fraudulent dashboard, deposit instructions.
  • The deposit wallets: where the victim sent funds, how quickly the funds were swept to a second wallet, and the clustering pattern of the receiving addresses.
  • The off-ramp: whether the funds landed at a regulated exchange, a foreign exchange, or a mixer.

What recovery actually looks like

Pig butchering recoveries are difficult. The operations are organized, they launder aggressively, and they often run out of jurisdictions that ignore U.S. legal process. That said, meaningful outcomes happen more often than victims expect when the case is worked quickly and with the right partnerships. Exchange-side freezes on the first-hop wallets have worked when victims moved within days. Civil asset forfeiture, when law enforcement gets involved, has returned funds in cases where attribution was strong. Insurance claims and bank reversals sometimes succeed on the fiat side of the funding transactions when the victim used a card or bank transfer to buy crypto. And the forensic evidence package itself is often the difference between law enforcement taking the case seriously and the case being filed and forgotten. For the dedicated scam recovery walkthrough, see pig butchering scam recovery.

SIM Swap Attack Recovery

A SIM swap is a social engineering attack on your mobile carrier. The attacker, armed with personal information harvested from data breaches or the victim's own public footprint, calls the carrier and convinces an agent to port the victim's phone number to a SIM the attacker controls. The moment the port completes, the attacker receives the victim's SMS 2FA codes, email password reset links, and any other "security" prompt that was tied to the phone number. Exchange accounts, email, cloud storage, and wallets all fall in rapid sequence. A full SIM swap drain typically takes under an hour from port to final exchange withdrawal.

The evidence on the carrier side

SIM swap cases live and die on what the carrier knows and when they knew it. A properly served subpoena or litigation hold can produce the port request records, the agent notes, the IP address of any web-based port request, the device IMEI that received the ported number, and the call recordings or chat transcripts if the port was initiated through those channels. These records are ephemeral. Carrier retention windows vary and several carriers overwrite detailed records within 90 to 180 days. Moving fast on the carrier-side evidence request is not optional.

The evidence on the victim side

Preserve the pattern of the attack in order:

  • The first SMS the victim did not see because the number was already ported, captured in the exchange's delivery logs.
  • The password reset email or security alert from exchanges, timestamped.
  • The exchange login from an unfamiliar IP or device.
  • The withdrawal approval.
  • The on-chain transaction hash of the stolen funds.
  • The bridge or swap.
  • The exit.

Each of those timestamps matters because together they build the narrative that the attack was an account takeover, not the victim's negligence.

On-chain work in a SIM swap case

We trace from the moment of the first stolen-funds transaction. Exchange withdrawals during a SIM swap drain are usually to a fresh wallet the attacker prepared in advance. That wallet is rarely the final destination. Funds hop quickly. Our job is to reconstruct those hops, identify the downstream exchanges, and build the subpoena target list for counsel. For the dedicated SIM swap walkthrough, see SIM swap recovery.

If you suspect an active SIM swap, call your carrier from a different phone immediately and demand a port lock. Then call every exchange and email provider and lock the accounts from a clean device. Then call us at (919) 348-4912 to start the evidence preservation work.

Romance Scam Investigation with Crypto Element

Romance scams and pig butchering overlap, but they are not the same pattern. A classic romance scam does not always funnel the victim through a fake trading platform. Sometimes the "girlfriend" or "boyfriend" needs money for a family emergency, a business deal, a plane ticket, a frozen bank account, an inheritance about to be seized, or a customs fee to release a package. The victim sends crypto directly to a wallet address the scammer controls, and that is the entire scam.

The behavioral evidence in a romance scam is different from pig butchering because the trust-build is the whole scheme rather than the setup for a fake platform. Profile photos are stolen from real people (reverse image search almost always identifies the original). The scammer's story is geographically inconsistent (deployed military in the wrong country, oil rig worker with inconsistent time zones, surgeon stuck abroad). Video calls are avoided, or faked with deepfakes or short looped clips. The urgency builds slowly, then spikes when money is requested.

The crypto trail in a romance scam

The wallet addresses the victim sent funds to are the starting point. Romance scammers sometimes reuse deposit addresses across multiple victims, which creates opportunities for clustering and for law enforcement to connect cases. We trace the victim's transfers forward, identify whether the receiving address is part of a known fraud cluster, and determine the off-ramp. In cases where the address has been used to defraud multiple victims, the class of victims is sometimes larger than the individual realizes, which can matter for how law enforcement prioritizes the case.

What recovery looks like

Romance scam recoveries are case-by-case. When the off-ramp is a regulated exchange and the wallet activity fits a larger fraud pattern, there is a path. When the off-ramp is a peer-to-peer platform or a foreign exchange, the evidentiary package becomes more about supporting a law enforcement referral than about near-term fund recovery. Either way, a clean forensic report protects the victim's record and their credibility if they later pursue civil remedies or testify in a criminal case. Dedicated scam recovery walkthrough: romance scam recovery.

Business Email Compromise with Crypto Exfiltration

Business email compromise has evolved. The textbook BEC pattern is a wire-fraud pattern: an attacker compromises a finance team inbox, watches for a pending wire, impersonates the vendor or the CFO, and redirects the wire to a bank account they control. That pattern still happens. What changed in the last several years is how attackers exit the funds. Rather than let stolen wire proceeds sit at a U.S. bank where they are recoverable, sophisticated BEC crews now flip the fraudulent wire into crypto almost immediately, often through a money mule's account or a prepaid card purchase chain, and then into a wallet they control.

The combined BEC-plus-crypto evidence pattern

  • Email evidence: full mailbox audit logs, inbox rule changes, forwarding rule changes, OAuth app grants, the compromise access timeline.
  • The wire-fraud instruction: the spoofed email, the changed payment instructions, the signature mismatch or lookalike domain.
  • The receiving bank account: the mule account name, the bank, the holding period before the funds moved.
  • The on-ramp: the exchange account or OTC desk used to convert fiat to crypto, including the KYC information on file.
  • The on-chain trail: the wallet that received the first crypto deposit, and every hop from there.

BEC cases that cross into crypto are strong candidates for both criminal referral and civil recovery because the paper trail is unusually rich. The attacker leaves email evidence, banking evidence, and blockchain evidence. A good forensic product stitches those together in a single report. For the dedicated BEC recovery page, see business email compromise recovery. For the broader network-side forensic context, see data breach forensics.

Wallet Tracing and On-Chain Analysis

The practical heart of crypto forensics is the ability to walk a chain of transactions, cluster addresses that behave like a single actor, attribute clusters to known services, and produce a report that survives cross-examination. The labels change by vendor (Chainalysis, TRM, Elliptic, Crystal, and others) but the underlying methods rest on the same heuristics.

Core heuristics in cluster attribution

  • Common input ownership. When two addresses co-spend inputs in the same transaction, they are almost certainly controlled by the same actor (the classic Bitcoin heuristic).
  • Change address pattern detection. Wallet software creates change outputs in predictable ways. Recognizing the change output extends the cluster by one address per transaction.
  • Deposit address reuse at exchanges. Exchanges assign per-user deposit addresses. Reuse patterns and the sweep to the exchange's hot wallet attribute the deposit address to a specific exchange and link external wallets to that exchange account.
  • Behavioral fingerprinting. Timing patterns, amount patterns, fee preferences, and script types group addresses into a likely controlling actor.
  • Known labeled entities. Public labels (sanctions lists, exchange hot wallets, ransomware payment addresses, previously adjudicated fraud clusters) anchor parts of the graph.
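
The first-hour chain walk described under the 48-hour engagement and the first two heuristics above, as an added example that is not the firm's tooling or any vendor's method: a constructed UTXO-style ledger (every address, amount, transaction id and label is invented) is clustered by common-input ownership and a conservative change heuristic, then traced forward from the theft transaction until funds reach a labeled exchange deposit or mixer, skipping the victim's own change. Function and class names (Tx, cluster_addresses, trace_hops, freeze_candidates) are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Tx:
    """One UTXO-style transaction: addresses spent and (address, amount) outputs."""
    txid: str
    inputs: list
    outputs: list
    time: int  # constructed timestamp, used only to process transactions in order

class UnionFind:
    """Address clustering: union two addresses, find an address's cluster root."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_addresses(txs):
    """Common-input ownership plus a conservative change-output heuristic.
    Returns {address: cluster_root}."""
    uf, seen = UnionFind(), set()  # seen = addresses that already received an output
    for tx in sorted(txs, key=lambda t: t.time):
        # Heuristic 1: every input of one transaction was signed by the same actor.
        for addr in tx.inputs[1:]:
            uf.union(tx.inputs[0], addr)
        # Heuristic 2: two outputs, one to a reused address and one to a never-seen
        # address -> the fresh one is change. Both fresh (payment to a new
        # counterparty, as in the theft itself) -> no inference, no false merge.
        if len(tx.outputs) == 2 and tx.inputs:
            fresh = [a for a, _ in tx.outputs if a not in seen]
            if len(fresh) == 1:
                uf.union(tx.inputs[0], fresh[0])
        seen.update(a for a, _ in tx.outputs)
    every = {a for tx in txs for a in tx.inputs} | seen
    return {a: uf.find(a) for a in every}

def trace_hops(txs, start_txid, labels, clusters, victim_addr, max_hops=6):
    """Walk forward from start_txid's outputs until funds reach a labeled address,
    an unspent output, or the hop limit; the victim's own cluster (change) is skipped.
    Amounts are output values at each hop, not a FIFO/LIFO share of the stolen sum.
    Returns [(hop, address, kind, amount)]."""
    by_id = {tx.txid: tx for tx in txs}
    spends = defaultdict(list)  # address -> transactions that spend it
    for tx in txs:
        for addr in tx.inputs:
            spends[addr].append(tx)
    victim_root, visited, endpoints = clusters[victim_addr], set(), []
    queue = deque((a, amt, 1) for a, amt in by_id[start_txid].outputs)
    while queue:
        addr, amt, hop = queue.popleft()
        if addr in visited or clusters.get(addr) == victim_root:
            continue
        visited.add(addr)
        if addr in labels:
            endpoints.append((hop, addr, labels[addr], amt))
        elif not spends[addr]:
            endpoints.append((hop, addr, "unspent", amt))
        elif hop >= max_hops:
            endpoints.append((hop, addr, "hop limit", amt))
        else:
            for tx in spends[addr]:
                queue.extend((a, x, hop + 1) for a, x in tx.outputs)
    return endpoints

def freeze_candidates(endpoints):
    """Endpoints sitting at a regulated exchange deposit address: legal process can reach these."""
    return [e for e in endpoints if e[2] == "exchange_deposit"]

# Constructed sample ledger (not real chain data), shaped like a pig-butchering deposit pattern.
LABELS = {
    "mixer_in": "mixer_deposit",     # constructed label
    "ex_dep_7": "exchange_deposit",  # constructed label: a regulated exchange's per-user address
}
TXS = [
    Tx("other_user", ["someone"], [("mixer_in", 1.0)], 50),        # makes mixer_in a reused address
    Tx("deposit1", ["V1"], [("A1", 0.5), ("V2", 4.5)], 100),        # victim's small "test" deposit
    Tx("deposit2", ["V2", "V5"], [("A1", 6.9), ("V3", 0.1)], 200),  # the large deposit: the theft
    Tx("sweep", ["A1"], [("A2", 7.39)], 300),                       # platform sweeps to a fresh wallet
    Tx("split", ["A2"], [("mixer_in", 2.0), ("A3", 5.38)], 400),    # part to a mixer, change to A3
    Tx("cashout", ["A3"], [("ex_dep_7", 5.37)], 500),               # remainder to an exchange
]

if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    ends = trace_hops(TXS, "deposit2", LABELS, clusters, victim_addr="V2")
    print(ends)
    print("freeze candidates:", freeze_candidates(ends))
```

Note that A1 (the platform's deposit address) and A2 are not merged by these two heuristics alone; linking them is where deposit-address reuse, behavioral fingerprinting and known labels take over.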

Mixer and bridge tracing

Mixers (Tornado Cash, Wasabi, Samourai Whirlpool historically) and cross-chain bridges break the simple deterministic trail. What they do not always do is break the investigation. Timing analysis, amount correlation on the output side, and behavioral consistency with known pre-mix addresses can re-establish a probable link. We are honest about the confidence level. A report that claims post-mixer attribution with certainty where only probability exists will not survive a Daubert challenge. A report that frames post-mixer work as a probability with stated methodology will.
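
The timing-plus-amount correlation described above, as an added illustration that is not the firm's method or any vendor's: for one constructed mixer deposit, later outputs are scored by fee-adjusted amount closeness and delay, and the wording a report may use is capped at "probable", matching the confidence framing the paragraph calls for. Function names, the scoring weights, and the constructed movements are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Movement:
    """A mixer deposit or withdrawal: address, amount in integer base units, timestamp."""
    address: str
    amount: int
    time: int  # constructed unix-style timestamp

def rank_mixer_withdrawals(deposit, withdrawals, fee_tolerance=0.03, max_delay=86400):
    """Score each withdrawal as a candidate continuation of one mixer deposit.
    A candidate must come after the deposit, within max_delay seconds, and be
    smaller than the deposit by no more than the assumed mixer fee. The score blends
    amount closeness (60%) and time proximity (40%). Returns [(withdrawal, score)]
    sorted best first. This is a heuristic, not a proof of linkage."""
    ranked = []
    for w in withdrawals:
        delay = w.time - deposit.time
        if delay <= 0 or delay > max_delay:
            continue  # before the deposit, or outside the observation window
        loss = (deposit.amount - w.amount) / deposit.amount
        if loss < 0 or loss > fee_tolerance:
            continue  # larger than the input, or more lost than any plausible fee
        amount_score = 1.0 - loss / fee_tolerance
        time_score = 1.0 - delay / max_delay
        ranked.append((w, round(0.6 * amount_score + 0.4 * time_score, 3)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked

def label_confidence(ranked):
    """Attach wording a report can defend: 'probable' only for a clear leader,
    'possible' for competing candidates, 'weak' otherwise. Never 'certain'."""
    labeled = []
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    for i, (w, score) in enumerate(ranked):
        if i == 0 and score >= 0.6 and score - runner_up >= 0.3:
            label = "probable"
        elif score >= 0.5:
            label = "possible"
        else:
            label = "weak"
        labeled.append((w, score, label))
    return labeled

# Constructed sample (not real chain data): one 10.0-unit deposit and five later outputs.
DEPOSIT = Movement("mix_in_1", 10_000_000, 1_000)
WITHDRAWALS = [
    Movement("out_a", 9_850_000, 5_000),   # 1.5% fee, about an hour later: strong match
    Movement("out_b", 9_500_000, 20_000),  # 5% loss: outside the fee tolerance
    Movement("out_c", 10_200_000, 9_000),  # larger than the deposit: excluded
    Movement("out_d", 9_900_000, 500),     # before the deposit: excluded
    Movement("out_e", 9_720_000, 80_000),  # near the fee limit and ~22 hours later: weak
]

if __name__ == "__main__":
    for w, score, label in label_confidence(rank_mixer_withdrawals(DEPOSIT, WITHDRAWALS)):
        print(f"{w.address}: score {score} -> {label}")
```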

What we do not claim

We do not claim to decrypt Monero. We do not claim to deanonymize Zcash shielded transactions. We do not claim that every trace ends in a name. We describe exactly what on-chain evidence supports, and exactly where it stops being evidence and starts being inference.

Exchange Cooperation and Subpoena Strategy

On-chain tracing tells you where the funds went. Exchange cooperation is what converts that location into a freeze, a return, or a named defendant. Every crypto recovery case worth pursuing ends at a regulated off-ramp. Knowing the quirks of each major exchange's legal process team, how they want subpoenas framed, what transaction data they need to act quickly, and what emergency procedures they recognize is the work.

The major U.S. and near-U.S. exchanges

  • Coinbase. Well-developed legal process team. Responds to properly served subpoenas and to emergency freeze requests with specific transaction hashes and a clear legal basis. Preservation letters work as a first step before full subpoena.
  • Kraken. Similar posture to Coinbase on U.S. matters. Their compliance team engages seriously when the subpoena is specific and the urgency is real.
  • Gemini. Regulated in New York with a disciplined legal process workflow. Requests need to be precise. Fishing expeditions go nowhere.
  • Binance.US and Binance global. Different entities, different cooperation profiles. Binance.US responds more like a domestic exchange. Binance global has been inconsistent historically but has improved on law-enforcement-driven requests and on clearly-framed civil subpoenas.
  • Crypto.com, Bitstamp, Bitfinex, OKX, and others. Each has its own legal process posture. We do not guess. We research the specific exchange's current cooperation pattern before advising counsel on what to send.

What a good subpoena looks like

A subpoena that works in a crypto case is specific, time-scoped, and transaction-anchored. It names the deposit addresses on the exchange. It names the transaction hashes that deposited stolen funds. It requests account registration records, IP address logs, device fingerprints, KYC documentation, linked bank accounts, withdrawal addresses, and communication records for a bounded date window. Overbroad subpoenas are often resisted or negotiated down. Underspecified subpoenas miss the attribution evidence that counsel actually needs. We help your attorney draft the transaction-data attachments so the subpoena is actionable the moment the exchange receives it.

Emergency freezes versus subpoena timelines

If funds are actively sitting at an exchange, an emergency motion for a TRO or a preservation order is sometimes faster than a subpoena. The exchange's legal team can honor a properly framed preservation letter within hours. A full subpoena with document production can take weeks. When the clock matters, the preservation letter is the tool, followed by the subpoena and the court order.

Expert Witness Testimony

A crypto forensics case that goes to litigation or arbitration eventually needs a human in a chair who can explain the methodology under oath. Craig Petronella is a credentialed Digital Forensics Examiner (DFE #604180) with prior crypto-related testimony experience. The reports he produces are built to be read by a judge, challenged by opposing counsel, and defended in deposition. That means methodology sections, chain-of-custody handling, explicit separation of fact from opinion, and clear labeling of confidence levels on every attribution claim.

Daubert-aware report structure

A crypto forensic report for litigation needs to meet the standards courts apply to technical expert testimony. That means the methodology has to be disclosed, the methodology has to be one a peer in the field would recognize, the error rates and limitations have to be stated, and the conclusions have to follow from the evidence in a way an educated non-specialist can follow. We write reports that hit those standards rather than reports that read like marketing collateral for a recovery pitch.

Coordination with counsel

We work alongside your attorney, not around them. We follow the engagement letter, the litigation hold, and the communication protocols counsel sets. We draft declarations when needed. We prepare for deposition with counsel. We testify when called. We are comfortable being cross-examined on methodology because the methodology was chosen to withstand it.

Broader forensic scope

Expert witness work is not limited to crypto. Craig's digital forensics practice covers network intrusion reconstruction, endpoint forensics, email fraud, and data breach chain-of-custody. See digital forensics expert witness in North Carolina for the broader expert witness practice.

Realistic Recovery Outcomes

This is the section of the page that most crypto recovery websites skip or misrepresent. We are going to tell you the truth instead.

Recovery outcomes vary widely. Cases involving regulated U.S. or European exchanges where funds sit in an identifiable wallet within the first 72 hours have the highest potential for partial recovery through exchange cooperation and court orders. Cases where funds have been tumbled, bridged to privacy coins, or moved through foreign non-cooperating exchanges face much lower odds. We tell you honestly in the initial consult whether your case fits the profile we can help with, and we do not charge a retainer for consultations we do not think will produce meaningful evidence.

The variables that actually drive outcomes

  • Speed of the victim's response. Under 72 hours is meaningfully different from two weeks. Two weeks is meaningfully different from six months.
  • Jurisdiction of the off-ramp. U.S. and major European regulated exchanges respond to proper legal process. Some foreign exchanges and peer-to-peer platforms do not, or respond only under specific conditions.
  • Amount at stake. Law enforcement prioritization, exchange attention, and civil litigation economics all scale with the dollar amount involved. Smaller cases are not hopeless, but the practical path may be different.
  • Quality of the evidence the victim preserves. A victim who preserves every artifact has a dramatically stronger case than a victim who wiped the compromised device.
  • Mixer and privacy coin involvement. Funds that go through a mixer or convert to a privacy coin early in the chain are much harder to follow with the same confidence.
  • Parallel law enforcement engagement. A case that has an IC3 complaint number, a Secret Service agent, or an FBI field office already engaged has tools available that civil practitioners do not.
  • Insurance coverage. Some victims have cybercrime coverage through homeowner policies, business policies, or specific crypto insurance riders. That is a separate path that should be evaluated in parallel.

What we will not say

We will not tell you we recover a specific percentage of stolen crypto. We will not quote a "success rate" number because that number would be meaningless across wildly different case profiles. We will not promise a specific dollar outcome. We will not pressure you into a retainer for a case we think will not produce evidence.

What we will say in the consult

We will give you a candid read on your case. Whether the facts fit a profile where recovery or strong evidence is realistic. What the realistic goals of an engagement would be (recovery, evidence preservation for law enforcement, civil litigation support, insurance claim support, or a combination). What the scope and fee structure would look like. And if we do not think the case is one where we can add meaningful value, we will tell you that and we will suggest what other resources might fit (IC3, your carrier, your bank, your insurance carrier, the specific law enforcement contact).

Scope of Our Work and Partner Network

Crypto forensics covers the on-chain trail and the network-level evidence of how the theft occurred. When a recovery matter expands into mobile device imaging (Cellebrite), workstation imaging (EnCase), or licensed private-investigator field work, Petronella Technology Group routes those engagements to a trusted partner network of credentialed specialists. Most pig-butchering recovery matters benefit from this coordinated approach: we trace the crypto and preserve network evidence, while a partner images the victim's device for the behavioral pattern evidence a trial or arbitration needs. Which partner fits a given case depends on jurisdiction, deadline, and case profile; we determine that in the initial consult.

What we own directly

  • On-chain tracing across Bitcoin, Ethereum and EVM chains, Tron, Solana, and bridge-connected networks.
  • Wallet clustering and attribution analysis with confidence labeling.
  • Mixer and bridge tracing with honest methodology disclosure.
  • Exchange subpoena drafting support for counsel.
  • Network-level evidence preservation on compromised environments (email audit logs, authentication logs, exchange access logs).
  • Incident response coordination for the first 48 to 72 hours.
  • Daubert-aware forensic reporting for litigation, arbitration, insurance, and law enforcement.
  • Expert witness testimony (Craig Petronella, DFE #604180).

What we route to partners

  • Mobile device physical imaging (Cellebrite and equivalent).
  • Workstation disk imaging and EnCase-based examination.
  • Licensed private investigator field work (subject location, surveillance, interviews in jurisdictions requiring PI licensure).
  • Traditional e-discovery platforms (Relativity, Everlaw) when a matter requires hosted document review at scale.

We coordinate the partner work end-to-end so counsel gets a single point of contact and a unified evidentiary product. The Petronella team consists of credentialed professionals: Craig Petronella (CMMC-RP, CCNA, CWNE, DFE #604180) and team members Blake Rea, Justin Summers, and Jonathan Wood (each CMMC-RP certified). The firm has been BBB A+ accredited since 2003 and has operated continuously since 2002 out of 5540 Centerview Dr, Raleigh, NC.

Related resources: prevention-side controls like zero-trust security and cryptocurrency security advisory reduce the odds a second incident happens after recovery. For organizations worried about ransomware-driven crypto demands, our companion checklist 9 ways to prevent a ransomware attack pairs well with the forensic workflow above.

Request a victim-consult. Confidential, 30 minutes, no retainer required to talk through the case.

Frequently Asked Questions

Can you actually recover stolen cryptocurrency?

Sometimes, and only under specific conditions. When stolen funds land in a regulated U.S. or European exchange within the first 72 hours and the victim or law enforcement moves quickly with the right legal paperwork, partial recovery through exchange cooperation or court-ordered freezes is realistic. When funds have been tumbled, bridged to privacy coins, or moved to a foreign exchange that ignores U.S. legal process, the odds drop sharply. We tell you honestly in the initial consult whether your case fits a profile where our work can produce meaningful evidence or recovery leverage.

What does a crypto forensics engagement cost?

Cost depends on case size, number of transactions, number of chains, whether testimony is likely, and how fast the work needs to move. We scope and quote after the initial 30-minute consult. We do not charge a retainer for consults where we conclude the evidence will not support recovery or litigation. That screening step protects victims from spending on work that will not help them.

How fast do I need to act after crypto theft?

Speed matters more than almost anything else. Within the first 24 to 72 hours, funds may still sit at a regulated exchange where a subpoena or emergency motion can freeze them. After that window, attackers typically bridge, swap, or mix the funds. Call (919) 348-4912 the same day you notice the theft. Preserve every screenshot, email, SMS, wallet export, and login log before you do anything else to the compromised device.
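The preservation step above is easier to defend later if every item is hashed at collection time. The following is an added example, not code from Petronella Technology Group: it builds a simple chain-of-custody manifest (path, size, SHA-256, UTC timestamp, collector name) over a folder of evidence files and then re-verifies it, so any later edit to a screenshot, SMS export or wallet export is detectable. The file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Streaming SHA-256 so large exports (mailbox dumps, wallet backups) hash safely."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Walks the evidence folder and records path, size and hash for every item,
    with a UTC timestamp and the collector's name for the chain-of-custody record."""
    entries = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "entries": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hashes every item; returns the paths that are missing or have changed."""
    changed = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def sample_run():
    """Builds a manifest over constructed evidence files, verifies it, then edits one
    file to show that the manifest detects the change. Returns
    (number of items, mismatches before edit, mismatches after edit)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample evidence items, not from any real case.
        samples = {
            "screenshots/platform_balance.txt": "constructed screenshot placeholder\n",
            "sms_export.txt": "2024-03-01 09:12 +1-555-0100: constructed message\n",
            "wallet_export.json": json.dumps({"address": "CONSTRUCTED_ADDR", "txs": []}),
        }
        for rel, content in samples.items():
            full = os.path.join(d, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(content)
        manifest = build_manifest(d, collector="constructed-example")
        before = verify_manifest(d, manifest)
        # Simulate a later edit to one item; the manifest must flag it.
        with open(os.path.join(d, "sms_export.txt"), "a", encoding="utf-8") as f:
            f.write("edited after collection\n")
        after = verify_manifest(d, manifest)
        return len(manifest["entries"]), before, after


if __name__ == "__main__":
    count, before, after = sample_run()
    print(f"{count} items hashed; mismatches before edit: {before}; after edit: {after}")
```

Write the manifest out (for example with `json.dump`) alongside the evidence and keep a copy separately; the hashes in it are what a later report cites when it describes chain-of-custody handling.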

What is pig butchering and how is it different from a romance scam?

Pig butchering is a long-running investment scam that builds trust over weeks or months, then steers the victim into a fake crypto trading platform where deposits grow on-screen but cannot be withdrawn. Romance scams are sometimes the entry point, but pig butchering can start as a wrong-number text, a LinkedIn introduction, or a friendly Telegram group. The evidence pattern for pig butchering centers on the fake platform login, the funding wallets, and the chain of wallets the deposits flow through. A classic romance scam without a fake platform is a different evidence profile.

Do you work with my attorney or law enforcement?

Yes. Most of our crypto forensics work supports a civil case, an arbitration, an insurance claim, or a parallel law enforcement report. We produce reports that counsel can attach to pleadings, we respond to opposing discovery, and we testify as a digital forensics expert when needed. Craig Petronella is DFE #604180 with prior crypto-related testimony experience.

Which blockchains do you trace?

Bitcoin, Ethereum and EVM chains (Polygon, BSC, Arbitrum, Optimism, Base, Avalanche), Tron (which is heavy in USDT theft cases), and Solana. We trace through bridges and swaps across chains. For privacy coins such as Monero and Zcash shielded pools, on-chain tracing has strict mathematical limits and we will say so rather than oversell what is possible.

What if my phone was SIM swapped?

SIM swap is a fast-moving case that needs both carrier-side evidence and on-chain tracing. We preserve the account takeover timeline, the port-out records available from the carrier through subpoena, the SMS and email 2FA reset logs, and we trace the stolen assets from the moment the exchange withdrawal hits the chain. The carrier side of a SIM swap case is often the difference between a civil claim against the carrier and a claim that dies for lack of proof.

Do you image the victim's phone or computer?

Petronella Technology Group focuses on the on-chain trail and network-level evidence. When a matter needs mobile device imaging, workstation imaging, or licensed private investigator field work, we route those specific pieces to a trusted partner network of credentialed specialists and coordinate the end-to-end product for counsel.

How does wallet clustering and attribution actually work?

Wallet clustering groups addresses that behave as a single controlling actor based on shared transaction patterns, co-spending, change address heuristics, deposit address reuse at exchanges, and known labeled entities. Attribution ties a cluster to a named exchange, a labeled service, or a prior law enforcement designation. Cluster attribution is evidentiary support, not a fingerprint. A careful report explains what clustering shows and what it does not show.
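The two heuristics named above, co-spending (common-input ownership) and change-address detection, are easy to see on a handful of transactions. The following is an added example, not Petronella Technology Group's own tooling: it clusters addresses from a constructed set of UTXO-style transactions with a union-find structure, records which heuristic produced each merge and at what confidence, and then attributes each cluster to the labeled exchange deposit addresses it paid. The transactions, addresses and the "ExchangeAlpha" label are all constructed for the demonstration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample UTXO transactions (not real chain data). Each entry lists the
# input addresses spent together and the (address, amount) outputs produced.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": [("B1", "5.00"), ("A3", "0.37")]},
    {"txid": "tx2", "inputs": ["A3"], "outputs": [("EX1", "0.36")]},
    {"txid": "tx3", "inputs": ["C1", "C2", "A2"], "outputs": [("D1", "2.00")]},
    {"txid": "tx4", "inputs": ["D1"], "outputs": [("EX2", "1.50"), ("D2", "0.49")]},
]

# Constructed label set, standing in for the exchange deposit addresses and public
# attributions an investigator maintains. The exchange name is hypothetical.
KNOWN_LABELS = {"EX1": "ExchangeAlpha deposit", "EX2": "ExchangeAlpha deposit"}


class UnionFind:
    """Disjoint-set structure: each address starts alone, heuristics merge them."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def is_round(amount):
    """Round amounts (5.00, 1.50) are typical of the intended payee; odd remainders
    (0.37, 0.49) are typical of change returned to the sender."""
    return Decimal(amount) == Decimal(amount).quantize(Decimal("0.1"))


def cluster_wallets(txs):
    """Returns (clusters keyed by their lowest member address, evidence list).
    Every merge records which heuristic produced it and a confidence label."""
    uf = UnionFind()
    evidence = []
    seen = set()  # addresses already observed before the current transaction
    for tx in txs:
        ins, outs = tx["inputs"], tx["outputs"]
        for addr in ins + [a for a, _ in outs]:
            uf.find(addr)  # register singletons so unclustered addresses appear too
        # Heuristic 1 (high confidence): inputs spent together are controlled together.
        for addr in ins[1:]:
            uf.union(ins[0], addr)
            evidence.append((ins[0], addr, "common-input-ownership:" + tx["txid"], "high"))
        # Heuristic 2 (low confidence): in a two-output tx, a never-seen address
        # receiving a non-round remainder next to a round payment is likely change.
        if len(outs) == 2:
            (a0, v0), (a1, v1) = outs
            for cand, vc, vo in ((a0, v0, v1), (a1, v1, v0)):
                if cand not in seen and not is_round(vc) and is_round(vo):
                    uf.union(ins[0], cand)
                    evidence.append((ins[0], cand, "change-heuristic:" + tx["txid"], "low"))
                    break
        seen.update(ins)
        seen.update(a for a, _ in outs)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {min(m): sorted(m) for m in groups.values()}, evidence


def attribute(clusters, txs, labels):
    """Maps each cluster to the labeled counterparties it paid. A deposit into a
    labeled exchange address is the lead that supports a subpoena; it does not by
    itself identify the person behind the cluster."""
    cluster_of = {a: key for key, members in clusters.items() for a in members}
    report = defaultdict(list)
    for tx in txs:
        src = cluster_of[tx["inputs"][0]]
        for addr, amount in tx["outputs"]:
            if addr in labels:
                report[src].append({"txid": tx["txid"], "to": addr,
                                    "label": labels[addr], "amount": amount})
    return dict(report)


if __name__ == "__main__":
    clusters, evidence = cluster_wallets(SAMPLE_TXS)
    for key, members in clusters.items():
        print(key, members)
    for item in evidence:
        print(item)
    print(attribute(clusters, SAMPLE_TXS, KNOWN_LABELS))
```

On the constructed data the co-spend in tx3 joins the A-cluster and the C-cluster into one five-address cluster, and the A3 change output links that cluster to the ExchangeAlpha deposit in tx2. The evidence list is what a report should carry: the reader can see that the A1/A2/C1/C2 merges rest on co-spending while the A3 and D2 merges rest on the weaker change heuristic.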

Can you help if funds were moved through a mixer like Tornado Cash or Wasabi?

Sometimes. Mixers and coinjoin services break the simple one-hop trail, but they do not always end an investigation. Timing analysis, amount correlation, and downstream behavioral patterns can still support attribution in some cases. We will honestly assess whether your case is one where post-mixer tracing is realistic or whether the mixer hop ends the useful trail.
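Amount correlation and timing analysis are the first things to test once funds enter a mixer, and they are also where a report most easily overstates. The following is an added example, not Petronella Technology Group's own tooling: over a constructed set of deposits into and withdrawals from a hypothetical mixing service it lists, for each withdrawal, the deposits whose amount (net of an assumed fee band) and timing (within an assumed window) are consistent with it, and labels the result as unambiguous, ambiguous, or trail-ending. The transactions, the fee band and the window are constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed deposits into and withdrawals from a hypothetical mixing service
# (not real chain data). The victim's traced funds are the deposit attributed to
# "VictimFundsCluster"; the other deposits are unrelated users of the same service.
DEPOSITS = [
    {"txid": "d1", "from_cluster": "VictimFundsCluster", "amount": 10.0, "time": "2024-03-01T10:00:00"},
    {"txid": "d2", "from_cluster": "Unrelated-1", "amount": 10.0, "time": "2024-03-01T10:05:00"},
    {"txid": "d3", "from_cluster": "Unrelated-2", "amount": 3.5, "time": "2024-03-01T11:00:00"},
]
WITHDRAWALS = [
    {"txid": "w1", "to": "Wx1", "amount": 9.9, "time": "2024-03-01T12:30:00"},
    {"txid": "w2", "to": "Wx2", "amount": 3.46, "time": "2024-03-01T11:40:00"},
    {"txid": "w3", "to": "Wx3", "amount": 9.9, "time": "2024-03-03T09:00:00"},
]


def candidate_links(deposits, withdrawals, min_fee=0.005, max_fee=0.015, window_hours=36):
    """For each withdrawal, lists deposits whose amount (net of an assumed service
    fee band) and timing (within an assumed window) are consistent with it, and
    labels the result by how many candidates survive. The fee band and window are
    constructed assumptions; a real report states the values used and why."""
    links = {}
    for w in withdrawals:
        w_time = datetime.fromisoformat(w["time"])
        cands = []
        for d in deposits:
            d_time = datetime.fromisoformat(d["time"])
            low, high = d["amount"] * (1 - max_fee), d["amount"] * (1 - min_fee)
            lag = w_time - d_time
            if low <= w["amount"] <= high and timedelta(0) < lag <= timedelta(hours=window_hours):
                cands.append({
                    "deposit": d["txid"],
                    "from_cluster": d["from_cluster"],
                    "implied_fee": round(1 - w["amount"] / d["amount"], 4),
                    "lag_hours": round(lag.total_seconds() / 3600, 2),
                })
        if not cands:
            status = "no-candidate"        # trail ends here on amount and timing alone
        elif len(cands) == 1:
            status = "single-candidate"    # supports, but does not prove, a link
        else:
            status = "ambiguous"           # several users look alike; do not overstate
        links[w["txid"]] = {"status": status, "candidates": cands}
    return links


def uniquely_linked_withdrawals(links, cluster):
    """Withdrawals a report could tie to `cluster` with a single surviving candidate.
    An empty list is the honest answer that the mixer hop ends the useful trail."""
    return sorted(
        wtx for wtx, info in links.items()
        if info["status"] == "single-candidate"
        and info["candidates"][0]["from_cluster"] == cluster
    )


if __name__ == "__main__":
    links = candidate_links(DEPOSITS, WITHDRAWALS)
    for wtx, info in links.items():
        print(wtx, info["status"], [c["deposit"] for c in info["candidates"]])
    print("victim trail:", uniquely_linked_withdrawals(links, "VictimFundsCluster"))
```

On the constructed data the victim's 10.0 deposit and an unrelated 10.0 deposit five minutes apart both fit withdrawal w1, so w1 is ambiguous and the victim's trail cannot be carried through on amount and timing alone; the odd-sized 3.5 deposit is uniquely matched to w2. That asymmetry is the point: common denominations are exactly what a mixer relies on, and a report should say when the candidate set is larger than one.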

Will the exchange actually respond to a subpoena?

Major U.S.-regulated exchanges (Coinbase, Kraken, Gemini, and others) have established legal process teams and respond to properly served subpoenas and court orders. Binance global and smaller offshore exchanges have historically been slower or inconsistent. The quality of the subpoena and the urgency framing matter a lot. We help counsel draft subpoenas that use the right language and attach the right transaction data.

What is Craig Petronella's expert witness experience?

Craig is a credentialed Digital Forensics Examiner (DFE #604180) with prior testimony experience in crypto-related matters. He produces Daubert-aware reports that state methodology, cite chain-of-custody handling, and separate factual findings from opinion. He works alongside your litigation counsel and is comfortable being deposed on methods and conclusions.

Ready to Move Forward

If you are a victim, a family member of a victim, or counsel representing a victim, the next step is a 30-minute confidential consult. We will listen to the fact pattern, ask the specific questions that determine whether the case fits the profile we can help with, and give you a candid read on realistic outcomes. There is no retainer required to have the conversation.

Call (919) 348-4912 for a 24/7 crypto-theft emergency. For non-urgent consults, use the request form.


© 2026 Petronella Technology Group, Inc. All rights reserved.
