After a scam, two questions arrive together: who did this, and where did the money go. Both are partially answerable — and the honest version of the answer is very different from what “track down anyone” lookup tools and self-styled recovery agents advertise. This guide walks what each artifact you hold can actually reveal, where attribution stops without a subpoena, and how a digital-forensics examiner turns your evidence into a lead package that police, banks, and lawyers can act on.
Reviewed by Quinnlan Varcoe, digital-forensics examiner — July 2, 2026. Educational, not legal advice. This page is scoped to identifying the person or operation behind a scam you were the victim of — it is not a guide to tracking or surveilling a person.
What each identifier can — and cannot — tell you
Scammers hand you artifacts: a phone number, an email address, a social profile, a wallet address, a bank account they had you pay. Each has a ceiling — the point past which only legal process can go. Knowing the ceilings up front saves you from paying someone who pretends they do not exist.
- Phone number.Public lookups can show the carrier and whether the line is VoIP — most scam numbers are — and a number sometimes surfaces a linked WhatsApp, Telegram, or payment-app profile. The subscriber’s identity sits in carrier records, which are released to law-enforcement legal process. A VoIP number registered with fake details may not resolve to a person at all.
- Email address.Full message headers (not the visible “From” name) can reveal the sending service and sometimes an originating IP. Reverse searches can tie an address to prior scam reports or reused profiles. The account owner’s registration details sit with the provider — again, legal process.
- IP address. Geolocates to a city and a network at best, and scammers work behind VPNs, proxies, and compromised machines. An IP is timeline corroboration, not an identity.
- Social profile.Photos can be reverse-image-searched (most romance-scam photos are stolen from real people), usernames can be cross-referenced across platforms, and profile artifacts often link a persona to other victims’ reports. That establishes a personaand a pattern — the human behind it still takes legal process, and the platform’s records, to name.
- Crypto wallet address.The strongest tracing artifact you hold. Every transaction is public, and funds can often be followed on-chain until they reach an exchange. Attribution stops at the exchange’s door: the account identity behind a deposit address is in the exchange’s know-your-customer records, which are produced to subpoenas and law-enforcement requests. Mixers, cross-chain bridges, and omnibus wallets can degrade or break the trail.
- Bank account or payment handle. If you paid by wire, Zelle, or another bank rail, the receiving account is fully identified — to the receiving bank. Banks disclose account-holder identity to law enforcement and to court orders, not to the person who sent the money. Receiving accounts are also frequently money mules, one hop from the actual scammer.
The second track: following the money
Identity and money flow are separate investigations that reinforce each other. Even when a scammer’s persona is a dead end, the money went somewhere — and every rail it crossed (card network, bank wire, P2P app, crypto exchange) is an institution that keeps records and answers to legal process. Mapping the flow — amounts, dates, reference numbers, receiving accounts, wallet addresses, and the exchange where crypto landed — does double duty: it is the core of an actionable police report, and it is what your bank or card issuer needs for a dispute or recall attempt. For what each payment rail can realistically return, and the deadlines that decide it, see can you get scammed money back — honest odds and deadlines by payment method.
Identifying is not the same as recovering
A hard truth the tracing industry soft-pedals: naming a scammer does not return the money, and tracing funds does not either.Identification supports recovery — it gives police a suspect, a civil suit a defendant, and a freeze request a target — but recovery runs through institutions (banks, card networks, exchanges, courts) on their own rules and timelines. Any pitch that treats “we traced your funds” as “your funds are coming back” is selling the conflation. Tracing that ends in a report nobody can act on is the product recovery scammers sell; tracing that feeds a police case, a bank dispute, or a lawyer’s demand letter is the version worth doing.
The subpoena and KYC reality
Nearly every real attribution runs through the same gate: a regulated or record-keeping institution that will identify its customer only under legal process. Carriers, email providers, platforms, banks, and exchanges all follow this pattern. That is why the honest output of a private investigation is a lead package: preserved evidence, a documented money trail, the persona’s footprint, and the specific institutions that hold the identifying records — organized so a detective or a lawyer can send the subpoena to the right place on day one. What no private party can honestly sell you is the subpoena itself.
Preserve everything before you confront anyone
The single most common self-inflicted wound: confronting the scammer, who then deletes the profile, burns the number, and moves the funds — destroying the evidence and the freeze window at once. Before you accuse, block, or post about anyone: export the full conversations (not just screenshots), save full email headers, record every payment identifier, and write the timeline while it is fresh. Build a scam timeline the right way and keep the originals untouched — then report through the reporting hierarchy, packaged so it gets acted on.
Do it yourself, or bring in an examiner?
Much of the first pass is genuinely DIY: reverse-image searches, username cross-references, saving headers, and mapping the payments cost nothing but time. A professional examination earns its fee when the case is bigger than the free pass can carry:
- DIY is usually enough when the loss is small, the evidence is simple, and the goal is a clean report to police, the FTC, and your bank.
- A digital-forensics examiner helps when the loss is large or ongoing, the trail crosses wallets and exchanges, the evidence must hold up in court, deleted data needs recovery, or a civil suit or insurance claim needs documented, repeatable findings. See digital forensics for individuals and, for crypto-specific tracing, crypto scam forensic recovery.
Either way, the sequence is the same: preserve first, trace second, report third, and let identification feed the institutions that can actually compel answers or move money.
The red flags of a fake “we’ll find your scammer” service
Scam victims are a targeted market. The FTC, FBI, and CFTC all warn that recovery-scam operations buy victim lists and pitch exactly what you are searching for right now. Walk away from anyone who:
- contacts you out of the blue already knowing about your loss;
- promises to identify the scammer or get the money back — a promise no honest service can make;
- demands an up-front fee, or payment in gift cards or crypto;
- claims a special relationship with the FBI or IC3 — the IC3 states it never refers victims to paid recovery companies;
- operates only through messaging apps, with no verifiable address, staff, or history.

















