Active Incident? 24/7 Response →
SleuthX

Beware of recovery scams

No legitimate service can guarantee it will get your money or account back for an up-front fee.

  • The FBI warns that “recovery scheme fraudsters charge an up-front fee and either cease communication with the victim after receiving an initial deposit or produce an incomplete or inaccurate tracing report and request additional fees to recover funds.” These schemes deliberately target people who have already been scammed once.
  • Never pay an up-front feeto a company that contacts you promising to recover lost funds, accounts, or cryptocurrency — especially if they ask for payment in gift cards, wire transfer, or cryptocurrency.

FBI sources: IC3 Public Service Announcement I-081123-PSA · FBI San Diego — Seizes Cryptocurrency Recovery Websites

Scam & Fraud Recovery

How to Find Out Who Scammed You — and Where the Money Went

What each identifier — a phone number, an email, a wallet, a profile — can honestly reveal, where attribution stops without legal process, and how to build the lead package that lets police and banks act.

After a scam, two questions arrive together: who did this, and where did the money go. Both are partially answerable — and the honest version of the answer is very different from what “track down anyone” lookup tools and self-styled recovery agents advertise. This guide walks what each artifact you hold can actually reveal, where attribution stops without a subpoena, and how a digital-forensics examiner turns your evidence into a lead package that police, banks, and lawyers can act on.

Reviewed by Quinnlan Varcoe, digital-forensics examiner — July 2, 2026. Educational, not legal advice. This page is scoped to identifying the person or operation behind a scam you were the victim of — it is not a guide to tracking or surveilling a person.

What each identifier can — and cannot — tell you

Scammers hand you artifacts: a phone number, an email address, a social profile, a wallet address, a bank account they had you pay. Each has a ceiling — the point past which only legal process can go. Knowing the ceilings up front saves you from paying someone who pretends they do not exist.

The second track: following the money

Identity and money flow are separate investigations that reinforce each other. Even when a scammer’s persona is a dead end, the money went somewhere — and every rail it crossed (card network, bank wire, P2P app, crypto exchange) is an institution that keeps records and answers to legal process. Mapping the flow — amounts, dates, reference numbers, receiving accounts, wallet addresses, and the exchange where crypto landed — does double duty: it is the core of an actionable police report, and it is what your bank or card issuer needs for a dispute or recall attempt. For what each payment rail can realistically return, and the deadlines that decide it, see can you get scammed money back — honest odds and deadlines by payment method.

Identifying is not the same as recovering

A hard truth the tracing industry soft-pedals: naming a scammer does not return the money, and tracing funds does not either.Identification supports recovery — it gives police a suspect, a civil suit a defendant, and a freeze request a target — but recovery runs through institutions (banks, card networks, exchanges, courts) on their own rules and timelines. Any pitch that treats “we traced your funds” as “your funds are coming back” is selling the conflation. Tracing that ends in a report nobody can act on is the product recovery scammers sell; tracing that feeds a police case, a bank dispute, or a lawyer’s demand letter is the version worth doing.

The subpoena and KYC reality

Nearly every real attribution runs through the same gate: a regulated or record-keeping institution that will identify its customer only under legal process. Carriers, email providers, platforms, banks, and exchanges all follow this pattern. That is why the honest output of a private investigation is a lead package: preserved evidence, a documented money trail, the persona’s footprint, and the specific institutions that hold the identifying records — organized so a detective or a lawyer can send the subpoena to the right place on day one. What no private party can honestly sell you is the subpoena itself.

Preserve everything before you confront anyone

The single most common self-inflicted wound: confronting the scammer, who then deletes the profile, burns the number, and moves the funds — destroying the evidence and the freeze window at once. Before you accuse, block, or post about anyone: export the full conversations (not just screenshots), save full email headers, record every payment identifier, and write the timeline while it is fresh. Build a scam timeline the right way and keep the originals untouched — then report through the reporting hierarchy, packaged so it gets acted on.

Do it yourself, or bring in an examiner?

Much of the first pass is genuinely DIY: reverse-image searches, username cross-references, saving headers, and mapping the payments cost nothing but time. A professional examination earns its fee when the case is bigger than the free pass can carry:

Either way, the sequence is the same: preserve first, trace second, report third, and let identification feed the institutions that can actually compel answers or move money.

The red flags of a fake “we’ll find your scammer” service

Scam victims are a targeted market. The FTC, FBI, and CFTC all warn that recovery-scam operations buy victim lists and pitch exactly what you are searching for right now. Walk away from anyone who:

Primary sources

  1. Federal Trade Commission, Refund and Recovery Scams — how scammers re-target victims. https://consumer.ftc.gov/articles/refund-and-recovery-scams
  2. FBI Internet Crime Complaint Center (IC3), PSA I-062424: Fictitious Law Firms Targeting Cryptocurrency Scam Victims, 2024. https://www.ic3.gov/PSA/2024/PSA240624
  3. U.S. Commodity Futures Trading Commission, Recovery Frauds — red flags of fake asset-recovery services. https://www.cftc.gov/LearnAndProtect/AdvisoriesAndArticles/RecoveryFrauds.html
  4. Chainalysis, Blockchain Analysis: Tracing Through a Service or Exchange. https://www.chainalysis.com/blog/blockchain-analysis-trace-through-service-exchange/
  5. California Department of Financial Protection & Innovation, Crypto Scam Tracker — documented imposter and recovery-scam operations. https://dfpi.ca.gov/consumers/crypto/crypto-scam-tracker/

Meet Your Practitioner

Quinnlan Varcoe

Founder & CEO

GIAC-certified · 9 industry certifications

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded SleuthX in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 BackgroundDefense IndustryThreat IntelligenceDigital PrivacyIncident Response
Quinnlan Varcoe, Founder & CEO

Certified Expertise

GIAC

Finding a scammer: honest answers

Quinnlan Varcoe, Founder & CEO

Schedule Your Session

Schedule a confidential consultation

A direct conversation with Quinn, the founder and CEO who oversees every engagement. NDA-protected. No sales process. Most engagements begin within 48 hours.

Transparent pricing

Trusted by partners across the practice

DAS Health
Exhibit A Cyber
Ally Security
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management
DAS Health
Exhibit A Cyber
Ally Security
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management