“Crypto can be traced… if I get scammed, I’ll be able to get my money back.”

This is a common refrain from many crypto speculators.

By Jason Costain, Javloc.com21 March 2025

In this article, I’ll explain why, despite the crypto blockchain being public, crypto scam loss recovery is unlikely. I’ll also explore how fraud teams in banks and crypto exchanges can work together to help reduce losses.

Scammers often use terms such as ‘public blockchain’ and ‘traceability’ as part of their grooming tactics to persuade victims to invest in #crypto. Even worse, they exploit these terms to carry out recovery #scams, tricking victims into throwing away even more money under the false belief that their stolen funds have been traced — one of the oldest tricks in a scammer’s playbook.

So, can crypto be traced: Yes or No?

Answer: Maybe, but for the average person, the chances are slim.

The recent theft of $1.5 billion in cryptocurrency from the ByBit crypto exchange is a useful case study.

Only two weeks after the (suspected North Korean) ByBit heist, investigators told the BBC that nearly $300 million is “already untraceable.”

In just 14 days, it appears that 20% of ByBit’s stolen crypto has vanished forever, laundered through a complex set of transactions, many of which were routed via money-laundering-as-a-service crypto #tumbler providers.

This bears all the hallmarks of a sophisticated money laundering operation. The situation mirrors that of FIAT bank accounts, except that crypto exchanges typically impose weaker ID verification at setup than regulated banks.

A word on crypto tumbler services: Imagine one of those massive tumble dryers you see at your local laundrette. You chuck your soggy black crypto socks in along with everyone else’s and (for a small fee), out come some nice, dry crypto socks. The difference? They won’t be yours. You won’t be able to tell whose they are. And why would you care?

More Than Just Traceability

The likelihood of recovering stolen crypto doesn’t just depend on traceability — the attitude of crypto exchanges plays a significant role.

In the ByBit case, they criticised fellow crypto exchange eXch for not doing enough to stop the criminals cashing out, with more than $90 million successfully funnelled through eXch, earning the exchange thousands of dollars in processing fees along the way.

The BBC reported that eXch’s elusive owner, Johann Roberts, disputes this and is now cooperating. However, Roberts also stated that “mainstream companies that identify crypto customers are betraying the private and anonymous benefits of cryptocurrency.” Not exactly confidence-inspiring.

ByBit’s case makes for sobering reading. They’re one of the biggest crypto exchanges in the world, with help from some of the finest minds in the industry, yet they’ve already declared that 20% of their stolen funds have vanished.

Against this backdrop, individual victims of crypto scams stand little chance of recovering their money.

Regulation and Reality

As countries around the world begin introducing crypto regulations, the initial focus has been on improving Anti-Money Laundering and ‘Know Your Customer’ (KYC) controls.

The original cypherpunk ideals of ‘crypto anonymity’ seem to have been abandoned as many in the industry attempt to legitimise their platforms.

When considering the merits of anonymous transactions, it’s worth remembering that some of the earliest and most enthusiastic adopters of crypto anonymity were users of notorious darknet sites such as Silk Road (the original online drug marketplace) and Welcome to Video, where crypto was used to pay for child abuse images. Where are these early adopters now? Keeping a low profile, I imagine.

Thankfully, the FBI shut these sites down, in large part due to the pioneering work of #Chainalysis. Crypto transaction flows were traceable after all. Pinning destination wallets to real-world owners is often more challenging, particularly if the exchange is in a non-cooperative jurisdiction like Russia, but it’s certainly not impossible.

Lessons from the Banking Industry

The crypto industry can learn a lot from banks when it comes to tracing and recovering funds.

Speed is the most critical factor in freezing and recovering an individual victim’s scam losses — and banks figured this out a long time ago.

When a UK bank identifies that a customer has sent a payment to a scam, it uses an established industry portal to notify the receiving bank. The better banks have automated this notification process, making it closer to real-time.

Similarly, receiving banks act on these reports quickly. Some have even built ‘auto-freeze’ capabilities for accounts reported as receiving scam payments.

This process is one of the more effective money-mule prevention solutions in UK banking. Banks didn’t wait for lawmakers to tell them to do this, and let’s face it — it’s not rocket science if you’re serious about stopping scams and recovering victims' money.

Crypto firms could also adopt the simple indemnity process that UK banks use to reclaim frozen funds. A court order isn’t required, just a straightforward indemnity given by the sending bank. This ensures that if the frozen payment turns out not to be proceeds of crime, the sending bank will reimburse the receiving bank for any funds returned. In practice, this almost never happens.

This model works, and it can be scaled and automated.

In my experience, I haven’t come across a crypto exchange that operates this way.

They'll only freeze funds if requested by the police and won’t return frozen funds until they receive a court order. In reality, this approach fails victims, who struggle to get the police to investigate their cases. In the UK, fewer than 2% of fraud cases are investigated. If the crypto industry is addressing this, please get in touch.

If crypto firms want to be taken seriously as part of the global payment system, hurdles such as these need to be dismantled.

Banks should also consider extending their scam notification and recall processes beyond domestic payments to include crypto exchanges.

Collaboration is required.

Jason Costain

Jason has worked in banking fraud prevention for 25 years, leading fraud and financial crime defence teams at some of the UK’s best-known banks.+Follow @ https://www.linkedin.com/in/jason-costain-b529746/

Organisations can contact Jason via LinkedIn for a free fraud health check.

Further resources at Javloc.com