Fake recovery agent Telegram alert

A fake recovery agent is a second-stage scam: it targets someone who has already lost money and promises a fast recovery if the victim pays again.

The contact may claim to be a hacker, investigator, exchange insider, attorney or government partner. The core test is simple: if they demand crypto upfront before verifiable work, treat the claim as high risk.

• The agent finds the victim through a public complaint, review, social post or direct message.
• They say funds are traceable, frozen or already recovered, then introduce a fee, certificate, tax or smart-contract charge.
• After each payment, a new obstacle appears: gas, AML, insurance, court release, wallet activation or security clearance.

CryptoRescue labels this as a risk-pattern alert. The page is designed to help a reader pause, preserve evidence and avoid additional payments. It is not a finding that every similar message is from the same actor, and it is not a promise that funds can be recovered.

• Guaranteed recovery, claimed insider access or a fake law-enforcement partnership.
• Upfront crypto payment before verifiable written scope or identity.
• Pressure to keep the case private and avoid official reports.
• Requests for wallet secrets, remote access or new deposits.

One signal may be explainable. Several signals together should slow the user down. The strongest red flags are requests for seed phrases, private keys, remote access, additional crypto payments, secrecy or pressure to move the conversation away from official support.

• Stop paying and preserve the full chat.
• Separate original scam evidence from recovery-agent evidence.
• Report the recovery account, website and wallet addresses.
• Use official reporting routes instead of links sent by the agent.

The first goal is to prevent more loss. If a wallet secret was exposed, treat the wallet as compromised. If only a payment request was received, do not send the payment while you collect and verify evidence. If a transaction already happened, preserve the hash and explorer URL before chats or dashboards disappear.

• Telegram or WhatsApp handle, profile URL and screenshots.
• Payment addresses and transaction hashes for recovery fees.
• Fake certificates, dashboards, invoices or case numbers.
• The original scam timeline and the recovery-scam timeline.

Keep the original evidence and the follow-up evidence separate. Many crypto cases have two stages: the first scam and then a fake recovery, tax, legal or support scam. Mixing the timelines makes reports harder to read.

Use the warning checker when you have a platform name, domain, social handle, payment request or recovery pitch. Use the transaction lookup router when you have a wallet address or transaction hash. Use the evidence kit when you already paid, connected a wallet, signed an approval or shared documents. The order matters: first preserve the evidence, then check official sources, then decide whether the page is ready for a report or needs more evidence check.

If a known exchange, wallet or service name appears in the story, open the related service profile or research review before trusting a private support route. If the case includes a coin or network, open the coin profile and explorer context so the report says exactly which chain, token and transaction are involved.

Write the timeline in plain language: who contacted you, which site or app was used, what payment or signature was requested, what you sent, what changed after the payment, and which evidence proves each step. Avoid guessing about the attacker identity unless there is a source that supports it. It is safer to say "this account requested an AML fee" than to say "this company stole funds" without independent evidence.

That discipline protects the reader and the site. It also makes the case easier to escalate because the important details are not buried under emotion, screenshots without context or unsupported accusations.

• Do not pay a second fee because the first fee almost worked.
• Do not let a stranger control your device or wallet.
• Do not delete original scam evidence after talking to a recovery agent.

Do not let urgency make the evidence worse. A clean record of URLs, contacts, wallet addresses, transaction hashes and timestamps is more useful than a rushed payment made to test whether the contact is telling the truth.

Victims are vulnerable after a loss. Recovery scammers exploit urgency and hope, and each new payment usually deepens the loss instead of improving the evidence.

Crypto payments can be difficult or impossible to reverse once confirmed. That makes prevention, early verification and evidence preservation more important than hopeful follow-up payments to strangers.

This alert is based on consumer-protection and digital-asset fraud guidance. It intentionally avoids suggesting guaranteed recovery.