How to Collect Evidence for Crypto Fraud

1. Why Evidence Matters

Law enforcement agencies, financial regulators, and courts all require concrete evidence before they will act. A verbal account of what happened is not enough. Investigators need verifiable records: transaction hashes that can be confirmed on the blockchain, screenshots with timestamps, saved communications, and financial records showing the movement of money from your account to the scammer. Without this documentation, even the most sympathetic authority cannot build a case.

Strong evidence also serves as leverage when dealing with exchanges. If you can demonstrate that funds from a known scam address arrived at an exchange wallet, the exchange's compliance team has a regulatory obligation to investigate. The more structured and complete your evidence package, the more seriously your case will be treated.

2. Transaction Records

Blockchain transaction records are the backbone of any crypto fraud case. Every Bitcoin transaction is permanently recorded on the public ledger and can be independently verified by anyone. You need to collect the following data points for every transaction related to the scam.

What to Collect

• Transaction hash (TXID) — the unique identifier for each transaction. Find this in your exchange withdrawal history or wallet software.
• Sender address — the Bitcoin address from which funds were sent (your address or the exchange's hot wallet).
• Recipient address — the Bitcoin address that received the funds (the scammer's address).
• Amount and timestamp — the exact BTC amount and the block confirmation time.
• Subsequent hops — if you can trace where the scammer moved the funds next, record those transaction hashes as well.

How to Get Transaction Data

Use blockchain explorers such as Blockchain.com, Blockchair, or Mempool.space to look up addresses and transactions. Enter the scammer's Bitcoin address to see all incoming and outgoing transactions. Take screenshots of the explorer page showing the transaction details, and export or copy the raw transaction data. Blockchain explorers also show whether an address has been flagged in abuse databases, which strengthens your case.

3. Communication Records

Save every message exchanged with the scammer, regardless of platform. This includes emails, text messages, WhatsApp conversations, Telegram chats, social media direct messages, forum posts, and any other form of communication. For each conversation, capture the following.

Take full-page screenshots showing the complete conversation thread, including the other party's username or profile name, profile picture, and any visible timestamps. Export the conversation as a file if the platform supports it (Telegram and WhatsApp both offer chat export). Save the raw email files (EML format) for emails, as these contain header information that can help identify the sender's IP address and mail server.

Pay particular attention to any promises made by the scammer, such as guaranteed returns, specific withdrawal dates, or claims about being regulated or licensed. These representations are material to fraud charges and civil claims.

4. Website Evidence

Scam websites are typically short-lived. Once a scam is reported or enough complaints accumulate, the operators take the site down and move to a new domain. You must capture website evidence before this happens. Start with full-page screenshots of every page on the site, including the homepage, about page, terms and conditions, contact page, and any investment or account dashboards you had access to.

WHOIS and Domain Records

Look up the domain using a WHOIS service such as whois.domaintools.com or lookup.icann.org. Record the registration date, registrar, name servers, and any registrant information that is not privacy-protected. Newly registered domains are a strong indicator of fraud, as legitimate financial platforms are rarely built on domains that are only weeks or months old.

Web Archives

Submit the scam URL to the Wayback Machine at web.archive.org. This creates a permanent, timestamped snapshot of the website that cannot be altered by the scammer. If the site is already down, check whether the Wayback Machine captured it previously. You can also use archive.today as an alternative service. These archived snapshots are considered credible evidence by courts and law enforcement.

5. Financial Records

Collect all records showing the movement of money from your traditional financial accounts into cryptocurrency. This includes bank statements showing wire transfers or card payments to exchanges, exchange deposit and withdrawal history, receipts from peer-to-peer trades, and any invoices or payment confirmations from the scam operation itself. These records establish the chain of value from your legitimate funds to the scammer's wallet, which is essential for civil claims and insurance filings.

Download your full transaction history from every exchange you used. Most exchanges offer CSV export in their account settings. Keep both the CSV files and screenshots of the relevant transactions. Note the fiat currency amounts alongside the cryptocurrency amounts, as law enforcement and courts generally need the loss quantified in a traditional currency.

6. Presenting Evidence to Law Enforcement

When you file a report with law enforcement, the way you present your evidence matters. Organize everything chronologically and create a summary document that outlines the key facts: who the scammer claimed to be, how you were contacted, what you were promised, how much you sent, and where the funds went on the blockchain. Attach the supporting evidence (screenshots, transaction records, communications) as clearly labelled appendices.

A structured, well-organized evidence package signals to investigators that your case is credible and worth pursuing. Law enforcement agencies are overwhelmed with reports, and the cases that get investigated first are typically those that come with the best documentation. A ChainEvidence report is specifically designed to meet this standard, presenting blockchain analysis, domain intelligence, and risk scoring in a format that investigators can immediately work with.

7. Preservation Best Practices

Store all evidence in multiple locations. Keep copies on your local drive, an external hard drive, and a cloud storage service. Name files descriptively (for example, “2026-02-15_scammer-telegram-chat.png”) rather than using default names. Do not edit screenshots or alter any files after saving them, as this can undermine their credibility. If possible, note the SHA-256 hash of important files to prove they have not been tampered with after creation.