Our Investigative Process
A proven methodology for rapid incident response, thorough forensics, and coordinated recovery actions. Transparency and speed are core to everything we do.
Six-phase investigation workflow
Our structured approach ensures nothing is overlooked while maintaining urgency where it matters most: the first 24-72 hours after an incident.
Phase 1: Initial Assessment (0-6 hours)
Immediate intake and triage. We speak directly with victims, collect preliminary evidence (transaction IDs, wallet addresses, screenshots), and perform a rapid technical assessment of the incident scope.
- Document incident timeline and affected parties
- Identify asset types and blockchain networks involved
- Assess urgency and recovery probability
- Establish communication protocols and escalation procedures
Phase 2: Incident Mapping (6-24 hours)
Rapid forensic analysis to map fund flows, identify attacker wallets, and pinpoint potential cash-out points. We use real-time monitoring to detect ongoing movement.
- Trace transactions through contracts, DEXs, and bridges
- Identify exchange deposits and intermediary wallets
- Detect clustering patterns to isolate attacker infrastructure
- Flag time-sensitive actions (upcoming withdrawals, bridge transactions)
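The forward trace and funder clustering described in this phase, shown as an added example that is not the firm's tooling: addresses, transaction hashes, amounts and the exchange/bridge labels are constructed placeholders (in practice the rows come from an indexer or node and the labels from attribution data). Tracing starts at the attacker address at the theft timestamp, follows only movements after the stolen funds arrived, and separates cash-out points (where an emergency hold request goes) from bridge exits (where tracing must resume on another chain) and parked balances (which need monitoring). The common-funder cluster is a heuristic only; exchange hot wallets and faucets also fund many unrelated addresses.

```python
"""Forward fund-flow tracing and funder clustering over a constructed transfer log.

Added example, not the firm's tooling. Every address, hash, amount and label
below is a placeholder; a real trace reads these rows from an indexer or node.
"""
from collections import defaultdict, deque

# Constructed attribution labels (assumption: obtained from labelling data).
EXCHANGE_DEPOSITS = {"0xEXCH1": "ExchangeA deposit address"}
BRIDGE_CONTRACTS = {"0xBRIDGE": "cross-chain bridge lockbox"}

# Constructed transfer log: (tx hash, block timestamp, from, to, amount, asset).
TRANSFERS = [
    ("0xt0",  50, "0xFUNDER",   "0xATTACKER", 0.05,  "ETH"),   # gas funded before the theft
    ("0xt6",  60, "0xFUNDER",   "0xMIX1",     0.01,  "ETH"),
    ("0xt7",  60, "0xFUNDER",   "0xMIX2",     0.01,  "ETH"),
    ("0xt1", 100, "0xVICTIM",   "0xATTACKER", 500.0, "USDC"),  # the theft itself
    ("0xt2", 110, "0xATTACKER", "0xMIX1",     300.0, "USDC"),
    ("0xt3", 110, "0xATTACKER", "0xMIX2",     200.0, "USDC"),
    ("0xt4", 120, "0xMIX1",     "0xEXCH1",    300.0, "USDC"),  # cash-out point
    ("0xt5", 130, "0xMIX2",     "0xBRIDGE",   200.0, "USDC"),  # leaves this chain
    ("0xt8", 140, "0xVICTIM",   "0xSHOP",     10.0,  "USDC"),  # unrelated spend, must not be followed
]


def outgoing_index(transfers):
    """Map each address to the transfers it sent."""
    out = defaultdict(list)
    for row in transfers:
        out[row[2]].append(row)
    return out


def trace_forward(transfers, start, start_ts, max_hops=6):
    """Follow value leaving `start` after `start_ts`, hop by hop, until it reaches a
    labelled endpoint, parks in an address with no later outflow, or exceeds max_hops."""
    out = outgoing_index(transfers)
    findings = {"cashouts": [], "bridges": [], "parked": [], "unresolved": []}
    queue = deque([(start, start_ts, [start], 0)])
    seen = set()
    while queue:
        addr, since, path, hops = queue.popleft()
        for tx, ts, _src, dst, amt, asset in out.get(addr, []):
            if ts < since or (tx, dst) in seen:
                continue  # movement that predates the funds' arrival is not the stolen money
            seen.add((tx, dst))
            hop = {"tx": tx, "ts": ts, "path": path + [dst], "amount": amt, "asset": asset}
            if dst in EXCHANGE_DEPOSITS:
                hop["label"] = EXCHANGE_DEPOSITS[dst]
                findings["cashouts"].append(hop)       # emergency-hold request target
            elif dst in BRIDGE_CONTRACTS:
                hop["label"] = BRIDGE_CONTRACTS[dst]
                findings["bridges"].append(hop)        # resume tracing on the destination chain
            elif not any(r[1] >= ts for r in out.get(dst, [])):
                findings["parked"].append(hop)         # idle balance: monitor for movement
            elif hops + 1 >= max_hops:
                findings["unresolved"].append(hop)     # trace budget exhausted, extend manually
            else:
                queue.append((dst, ts, path + [dst], hops + 1))
    return findings


def cluster_by_funder(transfers, addresses, gas_asset="ETH"):
    """Group addresses whose gas came from the same funder, a common sign of one operator
    provisioning several wallets. Heuristic only: hot wallets and faucets fund many
    unrelated addresses, so confirm before treating a cluster as attribution."""
    funded_by = defaultdict(set)
    for _tx, _ts, src, dst, _amt, asset in transfers:
        if asset == gas_asset and dst in addresses:
            funded_by[src].add(dst)
    return {f: sorted(a) for f, a in funded_by.items() if len(a) > 1}


def addresses_on_paths(findings):
    """Every address touched by any traced path (attacker infrastructure candidates)."""
    return {a for hops in findings.values() for hop in hops for a in hop["path"]}


if __name__ == "__main__":
    result = trace_forward(TRANSFERS, "0xATTACKER", start_ts=100)
    for kind, hops in result.items():
        for hop in hops:
            print(f"{kind:10} {' -> '.join(hop['path'])}  {hop['amount']} {hop['asset']} ({hop['tx']})")
    print("clusters:", cluster_by_funder(TRANSFERS, addresses_on_paths(result)))
```

On the sample log the trace reports one cash-out (300 USDC at the ExchangeA deposit address) and one bridge exit (200 USDC), and the gas-funding cluster ties the attacker address and both intermediaries to the same funder; the victim's later unrelated spend is never followed because tracing starts at the attacker address.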
Phase 3: Deep Technical Analysis (24-72 hours)
Comprehensive examination of the affected smart contracts, their on-chain behavior, and the exploitation mechanics. Determine the root cause and assess whether any recovery mechanism exists.
- Static code analysis for backdoors and vulnerabilities
- Event log analysis and transaction sequencing
- Behavioral profiling of attacker transactions
- Determine whether owner keys, pause or freeze functions can facilitate recovery
Phase 4: Evidence Packaging (48-96 hours)
Prepare court-ready and exchange-ready evidence packages. This includes detailed forensic timelines, address clustering maps, verified transaction sequences, and legal affidavits for exchange cooperation.
- Create forensic reports with visual flow diagrams
- Build evidence timeline with timestamp verification
- Prepare subpoena requests for targeted exchanges
- Draft legal affidavits and declarations
Phase 5: Multi-Party Coordination (72-336 hours)
Execute recovery strategy through coordinated action. Engage exchanges for emergency holds, work with legal counsel for subpoenas, coordinate with law enforcement, and explore owner interventions.
- Submit emergency hold (freeze) requests to exchanges
- File legal motions for provisional remedies and asset freezes
- Coordinate with law enforcement (FBI, IRS-CI, Secret Service)
- Explore smart contract-based recovery options (owner functions, pauses)
Phase 6: Ongoing Monitoring & Updates (336+ hours)
Continue monitoring for new transactions, maintain legal coordination, and provide regular status updates to victims. Recovery may take weeks or months, but persistent effort yields results.
- Monitor attacker wallets for further movement
- Track legal proceeding milestones
- Coordinate follow-up evidence submissions
- Report recovered or frozen assets to victims
Key decision points
Throughout the investigation, we assess specific factors to prioritize efforts and determine the most effective recovery strategy.
Exchange identification
Do we know which exchange holds attacker funds? If yes, direct legal action becomes viable. If no, continued tracing is necessary.
Smart contract controls
Can the original deployer or contract owner pause transfers, freeze or blacklist addresses, or burn and reissue the stolen balance? Confirmed transactions cannot be reversed, but where a token contract carries these controls, owner intervention is often the fastest recovery mechanism.
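The contract-control check from Phase 3 and from this decision point, as an added example rather than the firm's tooling: it screens a token contract's ABI for owner-controlled functions that can immobilize or claw back a stolen balance, then combines that with constructed on-chain reads (owner(), paused(), and the owner's code size) to say whether the lever is usable and who must act. The ABI, the owner address and the name patterns in LEVER_PATTERNS are assumptions. Name matching is only a screen: the real access control lives in the bytecode, so a hit must be confirmed against verified source or by simulating the call from a non-owner account and checking that it reverts.

```python
"""Recovery-lever assessment from a token contract ABI.

Added example, not the firm's tooling. The ABI, the owner address and the
lever name patterns are constructed assumptions for illustration.
"""
import json
import re

ZERO_ADDRESS = "0x" + "00" * 20

# Name patterns for owner-controlled functions (assumption: common naming, not a standard).
# Matching a name is a screening heuristic; confirm the modifier in source or by simulation.
LEVER_PATTERNS = {
    "pause":     re.compile(r"^(pause|setPaused|freezeAll)$", re.IGNORECASE),
    "blacklist": re.compile(r"(blacklist|blocklist|freeze|ban)", re.IGNORECASE),
    "burn":      re.compile(r"^burn", re.IGNORECASE),
    "mint":      re.compile(r"^mint", re.IGNORECASE),
    "upgrade":   re.compile(r"^(upgradeTo|upgradeToAndCall|setImplementation)$", re.IGNORECASE),
}

# Constructed ABI for a pausable, blacklistable token with an owner.
SAMPLE_ABI = json.loads("""[
 {"type":"function","name":"transfer","stateMutability":"nonpayable",
  "inputs":[{"type":"address"},{"type":"uint256"}],"outputs":[{"type":"bool"}]},
 {"type":"function","name":"pause","stateMutability":"nonpayable","inputs":[],"outputs":[]},
 {"type":"function","name":"addToBlacklist","stateMutability":"nonpayable",
  "inputs":[{"type":"address"}],"outputs":[]},
 {"type":"function","name":"burnFrom","stateMutability":"nonpayable",
  "inputs":[{"type":"address"},{"type":"uint256"}],"outputs":[]},
 {"type":"function","name":"owner","stateMutability":"view","inputs":[],"outputs":[{"type":"address"}]},
 {"type":"function","name":"paused","stateMutability":"view","inputs":[],"outputs":[{"type":"bool"}]},
 {"type":"function","name":"renounceOwnership","stateMutability":"nonpayable","inputs":[],"outputs":[]}
]""")


def signature(fn):
    """Canonical Solidity signature, e.g. addToBlacklist(address)."""
    return f"{fn['name']}({','.join(i['type'] for i in fn.get('inputs', []))})"


def find_levers(abi):
    """State-changing functions whose names suggest a recovery lever."""
    levers = []
    for fn in abi:
        if fn.get("type") != "function" or fn.get("stateMutability") in ("view", "pure"):
            continue  # only state-changing functions can act on balances
        for lever, pattern in LEVER_PATTERNS.items():
            if pattern.search(fn["name"]):
                levers.append({"lever": lever, "signature": signature(fn)})
                break
    return levers


def assess_controls(abi, state):
    """state: constructed results of reading owner(), paused() and the owner's code size."""
    levers = find_levers(abi)
    owner = state.get("owner", ZERO_ADDRESS).lower()
    report = {
        "levers": levers,
        "owner": owner,
        "owner_renounced": owner == ZERO_ADDRESS,
        "owner_is_contract": state.get("owner_code_size", 0) > 0,  # multisig or timelock
        "already_paused": bool(state.get("paused", False)),
    }
    if not levers:
        report["verdict"] = "no contract-level recovery lever; rely on exchange holds and legal process"
    elif report["owner_renounced"]:
        report["verdict"] = "levers exist but ownership was renounced; nobody can call them"
    elif report["owner_is_contract"]:
        report["verdict"] = "levers controlled by a contract (multisig/timelock); expect signer coordination or delay"
    else:
        report["verdict"] = "levers controlled by an EOA; a single key holder can act immediately"
    return report


if __name__ == "__main__":
    eoa_state = {"owner": "0x" + "ab" * 20, "owner_code_size": 0, "paused": False}
    print(json.dumps(assess_controls(SAMPLE_ABI, eoa_state), indent=2))
```

A pause stops every transfer, including legitimate ones, so it buys time rather than recovering funds; a blacklist pins the balance at one address, and because exchange deposit addresses sweep into shared hot wallets, blacklisting one may freeze the exchange's own funds and should be coordinated with the exchange rather than applied unilaterally.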
Regulatory cooperation
Which jurisdictions are involved? Certain exchanges and countries are more responsive to legal requests than others.
Timeline & urgency
Has the attacker already cashed out? Cash-out speed determines whether funds can still be held before they leave an exchange or must be recovered after the fact.
Budget & ROI
Is the incident value sufficient to justify investigation costs? We provide transparent cost-benefit analysis upfront.
Victim cooperation
Are victims willing to pursue legal action? Some strategies require direct victim involvement and testimony.
Communication & transparency
We provide regular updates to clients throughout the investigation. Weekly status reports detail findings, actions taken, and next steps.
What you can expect
- Initial assessment within 6 hours of intake
- Detailed incident map within 24 hours
- Weekly status updates during active investigation
- Transparent cost estimates and fee structure
- Clear explanation of recovery probability and timelines
