Crypto Incident Response & Recovery

A coordinated response that contains the incident, traces the funds, communicates clearly, and produces a written record your team and counsel can stand behind.

• Triage and containment

  We get on a call within an agreed SLA, establish what is happening, and help you stop the bleeding, pause functions, revoke approvals, freeze admin keys, take down phishing infrastructure.

• On-chain forensics

  We trace the stolen funds across chains, mixers, and bridges. The output is the on-chain narrative your team, your investors, your community, and law enforcement need.

• Communications support

  First post, follow-up post, post-mortem. We draft, you approve. Bad communications turn a survivable incident into an unsurvivable one, this is where most teams lose more value than the exploit itself cost.

• Recovery and law enforcement coordination

  Engagement with exchanges, custodians, and law-enforcement contacts. Coordinated wallet freezes, KYC unmasking where possible, and counsel hand-off when the case crosses jurisdictions.

• 01Live incident commander on call
• 02On-chain trace report
• 03Public post-mortem draft
• 04Internal lessons-learned document
• 05Optional retainer for ongoing readiness

Timeline. Active response: hours to days. Forensics and post-mortem: 1–3 weeks. Retainer relationships are billed monthly with response SLAs.

• DeFi protocols

  DeFi protocols and DEXes

  See use case →

• NFT projects

  NFT projects, mints and marketplaces

  See use case →

• Crypto exchanges

  Crypto exchanges and trading platforms

  See use case →

• DAO treasuries

  DAOs and on-chain treasuries

  See use case →

• Web3 gaming

  Web3 games and GameFi platforms

  See use case →

• Do we have to be on a retainer to call you?

  No. We accept emergency engagements when capacity allows. Retainer clients get guaranteed response SLAs and significantly lower hourly rates.

• Can you actually recover stolen funds?

  Sometimes. Recovery depends on where the funds went, how fast we engage, and whether off-ramps cooperate. We're honest about what's realistic, and we trace everything either way, because that documentation is what enables recovery weeks or months later.

• Incident Response for DeFi: The First Hour

  When a contract is exploited or a wallet is drained, the first hour decides what the next year looks like. Here is what runs, in what order, and who does what.

  Read article →

• Broker Defense Partnership

  Announcing our partnership with Broker Defense, a firm specialised in helping crypto victims of fraud and scams. Together, we work to fight cybercrime and support those who have lost digital assets, combining on-chain analysis with international legal coordination.

  Read article →

• Bridge Security: Why Cross-Chain Bridges Get Exploited

  Bridges are the most exploited category of DeFi protocol. Here is why the architecture is hard, how the major incidents played out, and what good bridge security looks like.

  Read article →