How we checked this
We reviewed the linked sources and keep this page updated when the record changes. Use the source list below to verify the details.
What to Preserve Before a Fake Trading Site Vanishes From the Web
Source-tracked CryptoRescue article.
Short answer
If you suspect a trading or investment site is fraudulent, preserve the records that identify the site, the payment trail, and your communications before anything changes or disappears. Save the full URL, visible page details, wallet or payment information, account screens, and a simple timeline of what happened. Official cybersecurity bodies also consistently advise caution around suspicious online activity and account compromise, so stop sending more money and avoid sharing passwords, seed phrases, or remote access while you collect evidence.
Context
When a suspicious site goes offline, changes domains, or stops responding, the most useful evidence is often whatever you already control: your browser history, screenshots, emails, payment records, and device-side traces. That is why an evidence-first response matters. In practice, the goal is not to prove everything immediately, but to preserve enough detail to support later reporting, review, and reconstruction of events.
A practical rule is to separate site claims from records you can preserve directly. A dashboard balance or profit figure may be part of the story the site showed you, but the stronger records are the ones tied to your own devices, accounts, and payment activity. Cybersecurity guidance from official public bodies supports a cautious approach: preserve what you can access safely, reduce further exposure, and secure accounts if compromise is possible.
Why speed matters
Suspicious websites, contact forms, and chat routes can change quickly. Even if you cannot preserve everything, saving the exact web address, visible payment instructions, and your message history early gives you a stronger starting point than relying on memory later. Official cyber-safety guidance also supports acting promptly when suspicious online activity could put accounts or devices at further risk.
What usually disappears first
The first things to become harder to verify are often the site pages you visited, the support route you used, and the wording of payment or verification demands. If a page changes, a screenshot with the full address bar visible is usually more useful than a tightly cropped image with no URL or context.
What may still remain useful
Even if a site later vanishes, your own records may still help document what happened. That can include saved emails, browser history, screenshots, account notifications, payment confirmations, wallet or exchange history, and any notes you made while the site was live.
Step-by-step guide
Start with the full domain and the exact pages you used. Save the complete URL for any login, deposit, withdrawal, support, verification, or account page you can still access. Also preserve page titles, contact details shown on the site, and any company or licensing claims displayed there. A screenshot is better when it includes the address bar and a visible timestamp.
2. Preserve your payment trail
Next, save every payment-related record you control. That includes wallet addresses, exchange withdrawal confirmations, bank or card references if fiat was involved, and any payment instructions the site or its operator sent you. If the site showed a deposit destination or a payment demand on-screen, capture that page as it appeared.
3. Preserve your communications
Save chats, emails, usernames, phone numbers, and any invite links or profile names connected to the contact. Keep message timestamps where possible. If you have call logs, voicemail, or voice-note records linked to the same contact, preserve those too. The point is to keep identifying details and the sequence of requests, not just isolated screenshots of a few messages.
4. Preserve your account and dashboard screens
Capture the pages that show your account name or ID, claimed balance, withdrawal attempts, support replies, error messages, and any new payment demands. These screens may help document the narrative the site presented to you, even if the figures shown there are not independently verified by the site itself.
5. Write a simple timeline
Turn scattered records into a short chronology: first contact, first payment, later payments, withdrawal attempt, any new demand, and the moment the site changed, blocked you, or disappeared. A plain text timeline can make your evidence easier to review than a folder of unlabeled screenshots.
Practical preservation checklist
- Stop all new payments immediately.
- Save the full URL of each relevant page and capture screenshots with the address bar visible.
- Preserve payment instructions, wallet details, and confirmation records you already have.
- Save chats, emails, phone numbers, usernames, and timestamps.
- Capture dashboard pages, withdrawal screens, error messages, and fee demands.
- Write a short timeline while events are still fresh.
- Back up your files in more than one place if you can do so safely.
- If you may have exposed account access or installed something suspicious, prioritize account and device safety next.
Evidence table: what to save, why it matters, and common mistakes
| Evidence item | Why it matters | Where to find it | Common mistake |
|---|---|---|---|
| Full URL and domain | Identifies the exact site and page you used | Browser address bar, browser history, saved tabs | Saving only a cropped screenshot |
| Payment instructions | Shows how the site directed money or crypto | Website deposit page, email, chat messages | Ignoring the exact address or reference used |
| Chat records | Preserves requests, threats, and contact identifiers | Messaging apps, SMS, email inbox | Keeping only a few screenshots, not the account details |
| Dashboard and withdrawal screens | Documents the story the site presented to you | Account area, support pages, notifications | Treating the displayed balance as independently proven |
| Timeline notes | Makes the sequence easier to review later | Your own notes, document, or email draft | Relying on memory after access is lost |
Myth vs reality
Reality: Screenshots help, but they are stronger when paired with the full URL, visible timestamps, payment records, and communication history.
Myth: “The dashboard proves the money is still there.”
Reality: A dashboard record may still be worth saving, but it should be treated as part of the site’s claim, not as the only record that matters. Your own payment and account records are usually more dependable evidence to preserve.
Myth: “I should wait and see before collecting anything.”
Reality: Delay can make evidence harder to capture if pages change, accounts are blocked, or access disappears. Official cyber-safety guidance generally supports acting quickly when suspicious online activity could create further risk.
Reader examples
Good evidence would include the exact deposit page URL, a screenshot showing the payment instructions, the confirmation from the account or service you used to send funds, and a note of the time you made the transfer.
Example 2: The “advisor” contacted you through chat and kept changing instructions
Good evidence would include the username or profile name, the full message thread or as much of it as you can safely preserve, timestamps, and any linked payment requests or site pages sent in the conversation.
Example 3: The site demanded another payment before a withdrawal
Good evidence would include the exact wording of the demand, the page URL, the amount requested, the payment destination shown, and the message or screen that said your account was blocked or pending.
What not to do while collecting evidence
- Do not send more money to “unlock,” “verify,” or “release” the account.
- Do not share seed phrases, private keys, passwords, or one-time codes with anyone claiming to help.
- Do not install software or grant remote access just because the site or contact says it is required.
- Do not rely on one device or one screenshot folder if you can safely make a backup.
If device compromise is possible, secure access first
If you entered sensitive credentials into a suspicious site, installed software from it, or granted remote access, treat the situation as a broader security problem, not just a bad website. Official cybersecurity guidance supports moving quickly to protect accounts and reduce further exposure.
High-level safety priorities include:
- stop interacting with the suspicious site or contact;
- change passwords from a safer device where appropriate;
- review the security of your email and financial accounts;
- follow official public cybersecurity guidance for suspected compromise in your region.
What to do next after preserving the records
Once you have saved the key records, organize them into a simple report package: site details, payment records, communications, dashboard images, and your timeline. Clear records can make later review and reporting easier, even though preserving evidence does not guarantee recovery or any particular outcome.
You can also keep a copy of your materials for official reporting, platform abuse complaints, or support inquiries connected to your own accounts. Keep expectations realistic, stay cautious about anyone who contacts you privately with instant “recovery” promises, and avoid exposing more personal data than necessary.
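One way to assemble the report package described above, as an added example rather than CryptoRescue's own tooling: it orders saved records into a timeline, fingerprints each file so a later reviewer can confirm the copy is unchanged, and flags the "common mistake" gaps from the evidence table. The record field names, the SHA-256 fingerprinting step, and the sample records are assumptions made for this illustration.

```python
import hashlib
from datetime import datetime

# Report-package sections named in the article.
SECTIONS = ("site", "payment", "communication", "dashboard", "timeline")
# Detail each section needs, drawn from the table's "common mistake" column.
REQUIRED = {"site": "url", "dashboard": "url",
            "payment": "reference", "communication": "contact"}

def build_manifest(records):
    """Hash each record, order by time, flag gaps. Field names are assumptions."""
    entries = []
    for rec in records:
        if rec["section"] not in SECTIONS:
            raise ValueError(f"unknown section: {rec['section']}")
        when = datetime.fromisoformat(rec["when"])  # rejects malformed timestamps
        if when.tzinfo is None:
            raise ValueError(f"{rec['name']}: timestamp needs a UTC offset")
        need = REQUIRED.get(rec["section"])
        entries.append({
            "name": rec["name"],
            "section": rec["section"],
            "when": when,
            # Fingerprint of the saved bytes; recompute later to detect changes.
            "sha256": hashlib.sha256(rec["data"]).hexdigest(),
            "gap": f"missing {need}" if need and not rec.get(need) else None,
        })
    entries.sort(key=lambda e: e["when"])  # chronological timeline
    present = {e["section"] for e in entries}
    return {"entries": entries,
            "missing_sections": [s for s in SECTIONS if s not in present]}

# Constructed sample records (not real evidence).
SAMPLE = [
    {"section": "payment", "name": "withdrawal-confirmation.pdf",
     "data": b"constructed pdf bytes", "when": "2026-01-05T14:02:00+00:00",
     "reference": "EXAMPLE-REF-001"},
    {"section": "site", "name": "deposit-page.png",
     "data": b"constructed png bytes", "when": "2026-01-05T13:55:00+00:00",
     "url": "https://trading-site.example/deposit"},
    {"section": "dashboard", "name": "balance-cropped.png",  # no URL saved
     "data": b"constructed png bytes 2", "when": "2026-01-09T09:30:00+00:00"},
]

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE)
    for e in manifest["entries"]:
        print(e["when"].isoformat(), e["section"], e["name"],
              e["sha256"][:12], e["gap"] or "")
    print("missing sections:", manifest["missing_sections"])
```

In practice the `data` bytes would be read from each saved file, and the manifest would be stored alongside every backup copy.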
FAQ
A screenshot is useful, but it is stronger when paired with the full URL, timestamps, messages, and your own payment or account records.
Should I save the balance shown on the site?
Yes, as part of the record of what the site showed you. But preserve it alongside your own payment, communication, and account records rather than treating the screen alone as complete proof.
What should I save first if I only have a few minutes?
Start with the exact URLs, screenshots showing the address bar, payment instructions, message history, and any account or withdrawal pages that mention new demands or restrictions.
Should I keep talking to the operator to get more proof?
Usually the safer priority is to preserve what you already have and avoid further payments, installs, or credential exposure.
Sources
- CERT Polska — official cybersecurity warnings and public guidance.
- NASK — official cybersecurity and network-safety information.
- Gov.pl: Cybersecurity — official public-sector cybersecurity guidance.
- CryptoRescue Spanish index — internal site source available in the verified source pack.
Update log
- 2 Jul 2026: Published with source tracking and reader-safety context.
- Corrections: If a source changes or a claim needs clarification, this page can be updated from the editorial desk.