
Your Crypto Exchange Has Been Hacked — What to Do Next
You wake up to a frozen exchange. Withdrawals are paused. There's a 'security incident' notice. The longer you wait, the more clearly you become what the law treats you as by default — an unsecured creditor, last in line. The work of the first 48 hours is to refuse that default position and move into an active claimant role. Shield Law Firm has represented over 50 exchange-hack victims, both on Indian platforms and on international insolvency tracks.
Send your exchange handle and balance — confidential triage.
1. What actually happens during an exchange hack
| Phase | What you typically see |
|---|---|
| Hack | Hot-wallet drain by an external attacker |
| Detection | Unusual outflows; exchange pauses withdrawals |
| Announcement | Carefully worded 'security incident' / 'investigation underway' notice |
| Blame phase | Technical glitch / external attacker / partner fault narratives |
| Restructuring | In severe cases — moratorium, scheme of arrangement or insolvency |
| Customer freeze | Withdrawals can stay frozen for months or years |
2. The first 48 hours
- If withdrawals are still open even briefly — withdraw to self-custody. Do not trade.
- Lock down evidence: balance screenshots before/after, full transaction history export, exchange notices, your KYC.
- Send a formal written demand — not just a ticket — asking for hack details, restoration timeline and insurance position.
- Find the other claimants. Public Telegram groups and WhatsApp aggregations are where collective action takes shape.
- File the FIR — IT Act 66 (hacking), BNS cheating provisions, PMLA where laundering is alleged.
- Engage forensics independently — do not wait for the exchange's own report.
A formal legal notice usually does what tickets cannot.
3. Recovery — the legal sequence
- Step 1: FIR with the cyber cell
  Hacking, cheating and where applicable PMLA — registered at the cyber cell with jurisdiction over the exchange.
- Step 2: Independent on-chain trace
  Forensic mapping of stolen funds across hops; identification of receiving exchanges.
- Step 3: Court-ordered freeze
  Magistrate / Sessions Court directs the destination exchange to freeze and disclose KYC.
- Step 4: Writ against the home exchange
  Where the exchange is non-cooperative — High Court writ for disclosure and restoration.
- Step 5: Class action
  Where the loss is large and dispersed, a coordinated class proceeding becomes the most efficient route.
- Step 6: Insolvency claim
  Where the exchange enters bankruptcy or restructuring, file an unsecured-creditor claim with full proof of holdings.
4. What recovery realistically looks like
| Scenario | Indicative recovery |
|---|---|
| Insured exchange honours liabilities | 80 – 100% |
| Funds traced & destination exchange freezes | 40 – 60% |
| Insolvency / restructuring claim | 10 – 30% |
| Funds laundered through mixers / privacy coins | Under 5% |
The decisive variables are speed, the destination exchange's cooperation, and whether the home exchange has any insurance, reserves or restructuring runway. The first two are within your control if you act fast.
5. Why Shield for exchange hacks
- Active crypto practice — not a one-off; on-chain evidence is normal currency for us.
- Working relationships with forensic partners and freeze-order experience against major exchanges.
- Class-action experience domestically and coordination with international insolvency counsel.
- Honest framing of probable recovery — no recovery guarantees from us, ever.
Mention 'Exchange hack' for priority partner response.
Frequently asked
- It depends on the cause and on insurance. With insured exchanges or where stolen funds are traced and frozen at a destination exchange, recovery can be partial to substantial. In bankruptcy scenarios, expect 10–30% over a 1–3 year horizon.
- Yes — the FIR creates legal pressure, opens forensic and freeze options, and is often a prerequisite for any later civil or insolvency claim. We have filed multiple such complaints and they meaningfully change posture.
- Where funds are traced quickly and a freeze sticks, partial recovery within 3–6 months. Insolvency or class-action tracks typically run 12–36 months.
- Often yes — through a coordinated victim group. Many small claimants together have the leverage and economics that one small claim does not. We help marshal these groups regularly.


