How Crypto Custody Breaks: Eight Scam Patterns and How Much Is Actually Recoverable

Most crypto isn’t lost to some exotic exploit. It’s lost when custody — control of the keys, or trust in whoever holds them — breaks in one of a handful of predictable ways. Here is what those breaks look like from our side of the desk, and the honest range of what can be recovered.

[01]Custody is really about control

Every crypto scam is, underneath, a custody breach. Either you are tricked into signing away control of your own keys, or you hand funds to a counterparty who never intended to give them back. The asset doesn’t vanish — control of it moves. That distinction matters, because recovery is the work of re-establishing a claim over those funds before they pass beyond reach.

On a public blockchain, the movement is visible. What decides the outcome is not whether we can see the funds — we almost always can — but whether we can reach them at a point where someone is obliged to freeze them. The eight patterns below are the ones that fill our case files, each built on an operator already documented in our scam directory.

[02]The eight breaches we see most

Each links to a full case file naming the operator involved. The recovered figures are the real outcomes from those files — not promises.

• 01Presale & token rug-pullsA token sale drains the moment it fills.31% recovered
• 02Seed-phrase drainersOne fake prompt and a self-custody wallet empties in seconds.26% recovered
• 03Collateral & lending trapsYour crypto goes in as collateral; fees come out, the loan never does.58% recovered
• 04Boiler-room trading desksFake gains, a real first withdrawal, then a wall of fees.67% recovered
• 05Romance & staking (‘pig-butchering’)Weeks of trust, then a dApp that sweeps every deposit.79% recovered
• 06Fake exchangesDeposits clear instantly; withdrawals never do.71% recovered
• 07Cloud-mining contractsA climbing ‘yield’ you must pay fees to withdraw.44% recovered
• 08Recovery scams (double-fraud)A second scam targeting victims of the first.88% recovered

Read the detailed write-ups in our custody recovery case studies. Together they show the same lesson from eight angles: the trail survives, but the window to act on it does not.

[03]What actually decides recovery

Speed. Stolen funds usually sit pooled in a consolidation wallet before they are laundered or cashed out. The first days — sometimes the first hours — are when the largest share is still frozen-in-place. The pig-butchering claimant who reported within eight days recovered 79%; the drainer victim, whose ETH was swapped within minutes, recovered 26%. The difference was almost entirely timing.

Rails. Centrally-issued assets such as stablecoins, and funds that touch a centralized exchange, can be frozen at the source. Coins swapped on a decentralised exchange or pushed through a mixer generally cannot. The same case can split both ways — which is why a number like 58% is honest and a flat ‘100% guaranteed’ is a red flag in itself.

The off-ramp. Recovery happens at the moment fraud proceeds try to become spendable money at a regulated venue. A documented on-chain trace, an attestation, and a freeze request placed before that conversion are what turn a visible trail into returned funds. Across these eight files the outcomes range from 26% to 88% — honest numbers that track how fast each victim acted and where the money went.

[04]The first 72 hours

If you think your custody has been breached, this is the checklist that protects the most recoverable value:

• Revoke any open token approvals on the affected wallet — stop the bleed first.
• Record every transaction hash, wallet address, and platform URL while it is still in front of you.
• Do not pay any ‘tax,’ ‘fee,’ or ‘release’ demand — that is the same scam continuing.
• If cards or bank transfers were involved, notify your issuer immediately to open a dispute window.
• Preserve every message, screenshot, and name used by anyone who contacted you.
• Bring the whole record to a custody-recovery desk before the funds reach an off-ramp.

One more warning. After a loss, a second wave often arrives: a ‘recovery service’ that asks for an upfront fee to ‘unlock’ your funds. That is double-fraud — we document exactly that in the AssetImperial case. A legitimate desk traces first and is transparent about odds; it never asks you to pay to release money that is already yours. If you want to see how we work before you commit anything, open a case and we’ll review the trail.