First, the emergency steps — you can still limit the damage
If you just learned someone is in your Coinbase or other exchange account, the warning above is for later. Right now, focus on shutting the attacker out. This is an account takeover, and the first minutes matter:
- Lock the account. Use the exchange's “my account was compromised” flow to disable it. Coinbase and the major exchanges have a dedicated path to freeze a compromised account and halt further withdrawals.
- Change the password from a clean device — one you are confident is not infected — and sign out all sessions.
- Harden two-factor. Move off SMS, which is the weakest second factor, to an authenticator app or a hardware security key. A SIM swap is a common way exchange accounts fall.
- Check the linked email. If your email was hacked first, the exchange break-in likely came through it — work the full account lock-down there too.
The hard truth about “getting it back”
Acting fast can stop more from leaving. But be clear-eyed about what is already gone: a confirmed on-chain transfer is final. Unlike a bank wire, there is no central operator who can claw a crypto transaction back, and no “recovery service” has a secret line to do it. An exchange can freeze your account and — rarely, and only with speed plus law enforcement — help where funds are still sitting on a regulated platform. It cannot reverse a transfer that has already left to the attacker's wallet.
Why the warning above matters
Here is the trap that catches takeover victims: within days of the hack, a “recovery expert,” a fake “blockchain investigator,” or a bogus “exchange compliance officer” reaches out promising to get your crypto back — for an up-front fee. The FBI has warned about exactly this and has seized websites built to pose as crypto-recovery firms and re-victimize people. The rule that protects you: no one legitimate recovers a sent crypto transfer for an up-front fee. Anyone who promises it is running the second scam.
What actually helps
- Preserve evidence — transaction hashes, wallet addresses, dates, and screenshots of everything. This is what any real investigation or law-enforcement case needs.
- Report it for free at ic3.gov (the FBI's complaint center) and to the FTC.
- Tell the exchange in writing and follow its compromised-account process.
- Block the “recovery” contact. Do not pay a fee, a “tax,” or an “unlock” payment.
If the loss is large or headed toward a dispute or court, crypto scam recovery explains what a credentialed forensic examiner can and cannot do — trace wallet infrastructure, preserve admissible evidence, support a filing — without ever promising to get it all back. For the broader pattern of recovery-fee fraud, see why crypto “recovery services” are usually a second scam.
Sources
- Coinbase Help, My account was compromised. https://help.coinbase.com/en/coinbase/privacy-and-security/account-compromised/my-account-was-compromised
- Federal Trade Commission, What To Know About Cryptocurrency and Scams. https://consumer.ftc.gov/articles/what-know-about-cryptocurrency-and-scams
- FBI Internet Crime Complaint Center (IC3), Public Service Announcement I-081123-PSA — fraudulent crypto-recovery schemes, 2023. https://www.ic3.gov/PSA/2023/PSA230811
- FBI San Diego Field Office, FBI San Diego — Seizes Cryptocurrency Recovery Websites. https://www.fbi.gov/contact-us/field-offices/sandiego/news/fbi-san-diego-seizes-cryptocurrency-recovery-websites
- FBI Internet Crime Complaint Center (IC3), File a Complaint. https://www.ic3.gov/
















