User checklist
Evidence priorities
Capture URLs, transaction hashes, wallet addresses, payment requests, support chats and identity claims before anything changes.
URLs
Wallets
Tx hashes
Screenshots
Timeline
Evidence checklist
| Evidence type | What to save |
|---|---|
| Website and app | Full URL, login URL, app store link, domain spelling, screenshots of homepage and payment page. |
| Contacts | Telegram/WhatsApp handles, email addresses, phone numbers, social profiles and display-name changes. |
| Payment trail | Wallet addresses, transaction hashes, exchange withdrawal receipts, payment timestamps and requested amounts. |
| Promises and pressure | Guaranteed returns, unlock tax, liquidity fee, recovery promise, deadline pressure and threat wording. |
| Account state | Dashboard balance screenshots, withdrawal block messages, KYC requests and support ticket numbers. |
| Your actions | When you joined, what you clicked, what wallet you connected, which approvals you signed and what you revoked. |
Incident summary template
| Field | What to write |
|---|---|
| Incident type | Fake exchange, recovery scam, wallet drainer, clone domain, fake support, romance/investment scam or unknown. |
| Main service/domain/contact | Exact website, app name, handle, email, phone number and the route that led you there. |
| Money movement | Coin, chain, amount, transaction hash, destination address, exchange used and date/time. |
| Trigger event | Failed withdrawal, tax demand, account freeze, recovery offer, malicious approval, seed phrase request or support-channel switch. |
| Current risk | Remaining funds at risk, wallet still connected, approvals still open, documents shared or ongoing pressure messages. |
| Reports already filed | IC3, FTC, Chainabuse, exchange support, wallet provider, local police or regulator references. |
Evidence by scam type
| Scenario | Most useful evidence | Likely next route |
|---|---|---|
| Fake exchange / withdrawal tax | Dashboard URL, withdrawal error, tax/unlock message, support chat, deposit tx hash, destination wallet, account screenshots. | Warning checker, exchange report, IC3/FTC or local regulator. |
| Recovery scam | Original loss summary, recovery promise, fee request, claimed agency/company, wallet address, proof of contact, payment demand. | FTC/CFTC guidance, IC3, warning checker and evidence kit. |
| Wallet drainer | Suspicious URL, signed transaction/approval hash, token contract, spender address, wallet popup screenshots and approval review result. | Transaction lookup, Revoke.cash profile, wallet provider report. |
| Clone domain / fake support | Exact domain, copied brand page, chat widget, Telegram/WhatsApp/email handle, requested action and screenshots. | Binance Verify when relevant, service profile, Chainabuse and warning checker. |
| Romance or investment pitch | First contact profile, investment promise, scripts, payment sequence, pressure language and all wallet addresses. | IC3/FTC, local cybercrime report, warning checker. |
| Fake token / airdrop | Contract address, token page, claim URL, wallet prompt, social post/ad and explorer links. | Transaction lookup, wallet-drainer wiki, Chainabuse. |
Timeline template
- First contact: where the conversation began and which profile or ad led to the service.
- Registration: domain, app, account ID and the first screenshot of the dashboard.
- Deposit: coin, chain, amount, wallet address, exchange receipt and transaction hash.
- Problem: failed withdrawal, frozen account, tax demand, recovery offer or support-channel switch.
- Current state: last message, last domain seen, remaining funds at risk and what has already been reported.
Before you submit a report
- Put the incident summary at the top so a reviewer can understand the case in one minute.
- Attach raw links and screenshots, but keep private keys, seed phrases, passwords and full ID documents out of public reports.
- Use exact timestamps with timezone when possible. If not, write the local time and country.
- Keep wallet addresses and transaction hashes in plain text so exchanges and investigators can copy them.
- Separate facts from assumptions: "I sent 0.5 ETH to this address" is stronger than "they stole everything."
- Save a local copy before submitting because some portals do not show the full report after it is sent.
Where to report
| Goal | Where to report | Attach |
|---|---|---|
| Cybercrime report | FBI IC3 or the relevant national cybercrime portal | Transaction hashes, wallet addresses, website URLs, communication records. |
| Consumer/regulator warning | FTC, CFTC, FCA, SEC/Investor.gov or local financial regulator | Offer language, company claims, warning-list matches and payment demands. |
| Exchange report | The exchange used to send funds | Withdrawal receipt, transaction hash, destination address and scam narrative. |
| Wallet or abuse platform | Wallet provider support, Chainabuse or chain-specific abuse channels | Wallet addresses, chain, transaction hash and screenshots. |
| Public review or CryptoRescue tip | Only after saving evidence and avoiding doxxing/private data | Sanitized domain, pattern, dates and source links. |
What not to do
- Do not pay a recovery fee, validator charge, gas top-up, unlock tax or investigator deposit.
- Do not share seed phrases, private keys, one-time codes, ID documents or remote-access sessions with a recovery contact.
- Do not delete chats after reporting. Export or screenshot them first.
- Do not publish private personal data when posting a public warning.
- Do not assume a domain is safe because the name is absent from one warning list.
Update log
- 3 Jun 2026Published with source tracking and reader-safety context.
- CorrectionsIf a source changes or a claim needs clarification, this page can be updated from the editorial desk.