A broken padlock on a dark surface with faint glowing fragments scattered around it under a single warm gold light
Journal/Crypto

Your Crypto Exchange Has Been Hacked — What to Do Next

By Siby Varghese & Vatan Bhatnagar9 min read

You wake up to a frozen exchange. Withdrawals are paused. There's a 'security incident' notice. The longer you wait, the more clearly you become what the law treats you as by default — an unsecured creditor, last in line. The work of the first 48 hours is to refuse that default position and move into an active claimant role. Shield Law Firm has represented over 50 exchange-hack victims, both on Indian platforms and on international insolvency tracks.

Exchange just froze withdrawals
Become a claimant, not a creditor.

Send your exchange handle and balance — confidential triage.

WhatsApp the partners

1. What actually happens during an exchange hack

PhaseWhat you typically see
HackHot-wallet drain by an external attacker
DetectionUnusual outflows; exchange pauses withdrawals
AnnouncementCarefully worded 'security incident' / 'investigation underway' notice
Blame phaseTechnical glitch / external attacker / partner fault narratives
RestructuringIn severe cases — moratorium, scheme of arrangement or insolvency
Customer freezeWithdrawals can stay frozen for months or years

2. The first 48 hours

  • If withdrawals are still open even briefly — withdraw to self-custody. Do not trade.
  • Lock down evidence: balance screenshots before/after, full transaction history export, exchange notices, your KYC.
  • Send a formal written demand — not just a ticket — asking for hack details, restoration timeline and insurance position.
  • Find the other claimants. Public Telegram groups and WhatsApp aggregations are where collective action takes shape.
  • File the FIR — IT Act 66 (hacking), BNS cheating provisions, PMLA where laundering is alleged.
  • Engage forensics independently — do not wait for the exchange's own report.
Mid-article check-in
Exchange not responding to support tickets?

A formal legal notice usually does what tickets cannot.

Speak to a partner
  1. IStep 1
    FIR with the cyber cell

    Hacking, cheating and where applicable PMLA — registered at the cyber cell with jurisdiction over the exchange.

  2. IIStep 2
    Independent on-chain trace

    Forensic mapping of stolen funds across hops; identification of receiving exchanges.

  3. IIIStep 3
    Court-ordered freeze

    Magistrate / Sessions Court directs the destination exchange to freeze and disclose KYC.

  4. IVStep 4
    Writ against the home exchange

    Where the exchange is non-cooperative — High Court writ for disclosure and restoration.

  5. VStep 5
    Class action

    Where the loss is large and dispersed, a coordinated class proceeding becomes the most efficient route.

  6. VIStep 6
    Insolvency claim

    Where the exchange enters bankruptcy or restructuring, file an unsecured-creditor claim with full proof of holdings.

Shield Law Firm — five-stage account de-freezing protocol

4. What recovery realistically looks like

ScenarioIndicative recovery
Insured exchange honours liabilities80 – 100%
Funds traced & destination exchange freezes40 – 60%
Insolvency / restructuring claim10 – 30%
Funds laundered through mixers / privacy coinsUnder 5%

The decisive variables are speed, the destination exchange's cooperation, and whether the home exchange has any insurance, reserves or restructuring runway. The first two are within your control if you act fast.

5. Why Shield for exchange hacks

  • Active crypto practice — not a one-off; on-chain evidence is normal currency for us.
  • Working relationships with forensic partners and freeze-order experience against major exchanges.
  • Class-action experience domestically and coordination with international insolvency counsel.
  • Honest framing of probable recovery — no recovery guarantees from us, ever.
Final word
Don't wait for the 'restructuring plan'.

Mention 'Exchange hack' for priority partner response.

Contact Shield Law Firm

Frequently asked

FAQ
  • It depends on the cause and on insurance. With insured exchanges or where stolen funds are traced and frozen at a destination exchange, recovery can be partial to substantial. In bankruptcy scenarios, expect 10–30% over a 1–3 year horizon.
  • Yes — the FIR creates legal pressure, opens forensic and freeze options, and is often a prerequisite for any later civil or insolvency claim. We have filed multiple such complaints and they meaningfully change posture.
  • Where funds are traced quickly and a freeze sticks, partial recovery within 3–6 months. Insolvency or class-action tracks typically run 12–36 months.
  • Often yes — through a coordinated victim group. Many small claimants together have the leverage and economics that one small claim does not. We help marshal these groups regularly.
Written by
Siby Varghese & Vatan Bhatnagar
Partners, Shield Law Firm — Karkardooma, Delhi & Indirapuram, Ghaziabad
Consult the partners